1. No category

HP Intelligent Management Center – EAD Security Policy

HP Intelligent Management Center – EAD
Security Policy Administrator Guide
HP Part Number: 5998-3318
Software Version: 5.2 (0401)
Published: February 2013
Edition: 1.0
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard
Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors
contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Acknowledgments
Microsoft®, Windows®, and Windows® XP are U.S. registered trademarks of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Contents
1 EAD Security Policy overview.....................................................................18
EAD solution..........................................................................................................................18
EAD component.....................................................................................................................18
EAD service module...........................................................................................................18
DAM service module..........................................................................................................19
EAD component functions........................................................................................................19
Security policy...................................................................................................................19
Basic Information..........................................................................................................20
Terminal Access Control.................................................................................................20
Security check items for PCs............................................................................................21
Security check items for smart terminals............................................................................21
Hierarchical node management......................................................................................22
Desktop asset....................................................................................................................22
Asset registration...........................................................................................................22
Configuring DAM..........................................................................................................22
Desktop monitoring.......................................................................................................23
Asset audit...................................................................................................................23
Software deployment.....................................................................................................24
Internet access control........................................................................................................24
Service parameters............................................................................................................24
EAD service report.............................................................................................................24
EAD audit.........................................................................................................................25
EAD planning considerations...................................................................................................25
Physical location of the enterprise or organization..................................................................25
Identifying the number of access users..................................................................................26
Identifying the terminal types...............................................................................................26
Identifying available features when using the iNode client with EAD and DAM..........................26
Configuring security policies and desktop control policies........................................................26
2 Page navigation menus and aids................................................................28
3 Configuring security policies......................................................................33
Security policy management....................................................................................................33
Security policy list contents..................................................................................................33
Security policy details.........................................................................................................34
Basic Information area...................................................................................................34
Isolation Mode area......................................................................................................35
URL Control area...........................................................................................................36
Anti-Virus Software Control area......................................................................................36
Anti-Spyware Software Control area................................................................................36
Firewall Software Control area........................................................................................37
Anti-Phishing Software Control area.................................................................................37
Hard Disk Encryption Software Control area.....................................................................38
PC Software Control area...............................................................................................38
Smart Terminal Software Control area..............................................................................39
Patch Management Software Control area........................................................................40
Windows Patch Control area..........................................................................................40
Registry Control area.....................................................................................................41
Share Control area........................................................................................................42
Smart Terminal Policy area.............................................................................................42
Asset registration status check area..................................................................................42
Periodic check area.......................................................................................................42
Contents
3
Viewing the security policy list.............................................................................................42
Viewing security policy details.............................................................................................43
Adding a security policy.....................................................................................................43
Modifying a security policy.................................................................................................44
Deleting a security policy....................................................................................................44
Configuring real-time monitoring..........................................................................................45
Enabling real-time monitoring.........................................................................................45
Modifying the real-time monitoring parameters..................................................................46
Configuring the default security policy for roaming users.........................................................46
Assigning security policies...................................................................................................46
Assigning the default security policy to a service...............................................................46
Assigning a security policy to an access policy.................................................................47
Security level management.......................................................................................................47
Making a security level action take effect..............................................................................48
Special cases...............................................................................................................48
Abnormal traffic.......................................................................................................48
WSUS/SMS Server Collaboration Failure and Auto-Installation Failure............................48
Security level list contents....................................................................................................48
Security level details...........................................................................................................48
Basic Information area...................................................................................................49
Traffic Monitoring area..................................................................................................49
Anti-Virus Software area.................................................................................................49
Anti-Spyware Software area...........................................................................................50
Firewall Software area...................................................................................................50
Anti-Phishing Software area............................................................................................50
Hard Disk Encryption Software area................................................................................50
PC Software Control Group area.....................................................................................50
Smart Terminal Software Control Group area....................................................................50
Patch Management Software area...................................................................................51
Windows Patches area..................................................................................................51
Registry area................................................................................................................51
Share area...................................................................................................................51
Smart Terminal Configuration..........................................................................................51
Asset Registration Status area.........................................................................................52
Operating System Password area....................................................................................52
Viewing the security level list...............................................................................................52
Viewing security level details...............................................................................................52
Adding a security level.......................................................................................................52
Modifying a security level...................................................................................................53
Deleting a security level......................................................................................................53
Hierarchical node management................................................................................................54
Child node list contents.......................................................................................................54
Child node information details.............................................................................................55
Basic Information area...................................................................................................55
Real-time statistics on the number of users on the child node area........................................55
Real-time statistics on the number of user-services failing the security check on the child nodes
area............................................................................................................................56
Parent node information......................................................................................................57
Viewing the child node list..................................................................................................57
Modifying the name of the current node................................................................................57
Viewing child node details..................................................................................................57
Adding a child node..........................................................................................................58
Modifying a child node......................................................................................................58
Deleting a child node.........................................................................................................59
Confirming the parent node................................................................................................59
4
Contents
Deleting the parent node....................................................................................................59
Deploying services, security policies, and service parameters........................................................59
Deployment contents..........................................................................................................60
Configuring the services to be deployed................................................................................60
Scheduling automatic deployment........................................................................................60
Configuring manual deployment..........................................................................................60
Deployment and receipt history................................................................................................61
Deployment history list contents............................................................................................61
Receipt history list contents..................................................................................................61
Viewing the deployment history list.......................................................................................61
Viewing the receipt history list..............................................................................................61
Querying the deployment history.........................................................................................62
Querying the receipt history of a child node..........................................................................62
EAD global network monitoring diagram...................................................................................63
Accessing the EAD global network monitoring diagram..........................................................63
Toolbar contents............................................................................................................63
Right-click menu of the EAD global network monitoring diagram..........................................64
Right-click menu of a node..............................................................................................64
Left-click information of a node........................................................................................64
Adding a node to the EAD global network monitoring diagram...............................................64
Customizing the background picture with a local image..........................................................65
Setting a preloaded background picture...............................................................................65
Managing node icons........................................................................................................66
4 Configuring terminal access control............................................................67
Terminal access control...........................................................................................................67
Isolation mode...................................................................................................................67
URL access control.............................................................................................................68
Managing client ACLs.............................................................................................................68
Client ACL list contents........................................................................................................68
Client ACL details..............................................................................................................68
Viewing the client ACL list...................................................................................................69
Viewing client ACL details...................................................................................................69
Adding a client ACL...........................................................................................................70
Modifying a client ACL.......................................................................................................70
Deleting a client ACL..........................................................................................................71
Managing URL control policies.................................................................................................71
URL control policy list contents.............................................................................................71
URL control policy details....................................................................................................72
Viewing the URL control policy list........................................................................................72
Viewing the URL control policy details...................................................................................73
Adding a URL control policy................................................................................................73
Modifying a URL control policy............................................................................................73
Deleting a URL control policy...............................................................................................74
Managing domain URL classes.................................................................................................74
Domain URL class list contents.............................................................................................75
Domain URL class details....................................................................................................75
Domain URL item list contents..............................................................................................75
Viewing the domain URL class list.........................................................................................75
Viewing the domain URL class details...................................................................................75
Adding a domain URL class................................................................................................75
Configuring domain URL check items....................................................................................76
Modifying a domain URL class............................................................................................77
Deleting a domain URL class...............................................................................................77
Managing IP URL classes.........................................................................................................77
Contents
5
IP URL class list contents......................................................................................................78
IP URL class details.............................................................................................................78
Viewing the IP URL class list.................................................................................................78
Viewing the IP URL class details...........................................................................................78
Adding an IP URL class.......................................................................................................78
Modifying an IP URL class...................................................................................................79
Deleting an IP URL class......................................................................................................79
5 Configuring security check items for PCs......................................................81
Anti-virus software policy management......................................................................................81
Anti-virus software policy list contents....................................................................................81
Anti-virus software policy details..........................................................................................81
Basic information section................................................................................................82
Windows operating system, Linux operating system, and Mac OS operating system
sections.......................................................................................................................82
Viewing the anti-virus software policy list...............................................................................82
Viewing anti-virus software policy details...............................................................................83
Adding an anti-virus software policy.....................................................................................83
Modifying an anti-virus software policy.................................................................................85
Deleting an anti-virus software policy....................................................................................86
Anti-spyware software policy management.................................................................................86
Anti-spyware software policy list contents..............................................................................87
Anti-spyware software policy details.....................................................................................87
Basic information section................................................................................................87
Windows Operating System and Mac OS Operating System sections..................................87
Viewing the anti-spyware software policy list.........................................................................88
Viewing the anti-spyware software policy details....................................................................88
Adding an anti-spyware software policy...............................................................................88
Modifying an anti-spyware policy........................................................................................89
Deleting an anti-spyware software policy..............................................................................90
Firewall software policy management........................................................................................90
Firewall software policy list contents.....................................................................................91
Firewall software policy details............................................................................................91
Basic information section................................................................................................91
Windows Operating System, Linux Operating System, and Mac OS Operating System
sections.......................................................................................................................91
Viewing the firewall software policy list.................................................................................91
Viewing firewall software policy details.................................................................................91
Adding a firewall software policy.........................................................................................92
Modifying a firewall software policy.....................................................................................92
Deleting a firewall software policy........................................................................................92
Anti-phishing software policy management................................................................................93
Anti-phishing software policy list contents..............................................................................93
Anti-phishing software policy details.....................................................................................93
Basic information section................................................................................................93
Windows Operating System and Mac OS Operating System sections..................................93
Viewing the anti-phishing software policy list.........................................................................93
Viewing anti-phishing software policy details.........................................................................94
Adding an anti-phishing software policy...............................................................................94
Modifying an anti-phishing software policy...........................................................................94
Deleting an anti-phishing software policy..............................................................................95
Hard disk encryption software policy management.....................................................................95
Hard disk encryption software policy list contents...................................................................95
Hard disk encryption software policy details..........................................................................96
Basic information section................................................................................................96
6
Contents
Windows Operating System section.................................................................................96
Viewing the hard disk encryption software policy list..............................................................96
Viewing hard disk encryption software policy details..............................................................96
Adding a hard disk encryption software policy......................................................................96
Modifying a hard disk encryption software policy..................................................................97
Deleting a hard disk encryption software policy.....................................................................97
PC software control groups management...................................................................................98
PC software control group list contents..................................................................................98
Viewing the PC software control group list.............................................................................99
Querying PC software control groups...................................................................................99
Managing common software...............................................................................................99
Common software list....................................................................................................99
Viewing the common software list..................................................................................100
Querying the common software....................................................................................100
Adding a common software product..............................................................................100
Importing common software in batches..........................................................................100
Deleting a common software product.............................................................................101
Downloading and using the MD5 tool................................................................................101
Managing software-type PC software control groups............................................................102
Software-type PC software control group details..............................................................102
Basic information contents.......................................................................................102
Software list information..........................................................................................102
Viewing a software-type PC software control group..........................................................102
Adding a software-type PC software control group..........................................................103
Modifying a software-type PC software control group......................................................103
Deleting a software-type PC software control group.........................................................105
Managing process-type PC software control groups..............................................................105
Process-type PC software control group details................................................................105
Basic information contents.......................................................................................105
Process list information............................................................................................106
Viewing a process-type PC software control group...........................................................106
Adding a process-type PC software control group............................................................107
Modifying a process-type PC software control group........................................................107
Deleting a process-type PC software control group...........................................................108
Managing service-type PC software control groups...............................................................109
Service-type PC software control group details................................................................109
Basic information contents.......................................................................................109
Service list information............................................................................................109
Viewing a service-type PC software control group............................................................110
Adding a service-type PC software control group.............................................................110
Modifying a service-type PC software control group.........................................................110
Deleting a service-type PC software control group...........................................................111
Managing file-type PC software control groups....................................................................111
File-type PC software control group details......................................................................111
Basic information contents.......................................................................................111
File list information..................................................................................................112
Viewing a file-type PC software control group.................................................................112
Adding a file-type PC software control group..................................................................113
Modifying a file-type PC software control group..............................................................113
Deleting a file-type PC software control group.................................................................115
Patch management software management................................................................................115
Patch management software list contents.............................................................................115
Configuring patch management software management.........................................................115
Windows patch control.........................................................................................................115
Windows patch list contents..............................................................................................116
Contents
7
Windows patch information details....................................................................................116
Applicable Windows version list........................................................................................116
Viewing the Windows patch list.........................................................................................116
Querying the Windows patches.........................................................................................116
Adding a Windows patch.................................................................................................117
Modifying a Windows patch.............................................................................................117
Deleting a Windows patch................................................................................................117
Managing Windows versions.................................................................................................118
Windows version list contents............................................................................................118
Viewing a Windows version..............................................................................................118
Adding a Windows version...............................................................................................118
Deleting a Windows version..............................................................................................119
Registry control policy management........................................................................................119
Registry control list contents...............................................................................................119
Registry control list details.................................................................................................120
Basic information section..............................................................................................120
Registry entry section...................................................................................................120
Viewing the registry control list..........................................................................................121
Viewing a registry control.................................................................................................121
Querying the registry control.............................................................................................121
Adding a registry control..................................................................................................121
Modifying a registry control..............................................................................................122
Deleting a registry control.................................................................................................122
Share control management....................................................................................................123
Share control list contents..................................................................................................123
Share control details.........................................................................................................123
Viewing the share control list.............................................................................................124
Viewing share control details.............................................................................................124
Adding a share control.....................................................................................................124
Modifying a share control.................................................................................................124
Deleting a share control....................................................................................................125
Traffic control management....................................................................................................125
Traffic control list contents..................................................................................................125
Traffic control list details....................................................................................................125
Basic information section..............................................................................................125
IP Traffic Monitoring section..........................................................................................126
Broadcast Packet Monitoring section..............................................................................126
Packet Monitoring section.............................................................................................126
TCP/UDP Connection Monitoring section.......................................................................126
Viewing the traffic control list.............................................................................................126
Viewing traffic control details.............................................................................................126
Adding a traffic control.....................................................................................................126
Modifying a traffic control.................................................................................................127
Deleting a traffic control....................................................................................................127
Password control...................................................................................................................127
Modifying a password control...........................................................................................127
Asset registration status check.................................................................................................128
6 Configuring security check items for smart terminals....................................129
Anti-virus software policy management....................................................................................129
Anti-virus software policy list contents .................................................................................129
Anti-virus software policy details........................................................................................129
Viewing the anti-virus software policy list.............................................................................130
Viewing anti-virus software policy details.............................................................................130
Adding an anti-virus software policy...................................................................................130
8
Contents
Modifying an anti-virus software policy...............................................................................132
Deleting an anti-virus software policy..................................................................................133
Anti-spyware software policy management...............................................................................133
Anti-spyware software policy list contents............................................................................133
Anti-spyware software policy details...................................................................................133
Viewing the anti-spyware software policy list.......................................................................134
Viewing anti-spyware software policy details.......................................................................134
Adding an anti-spyware software policy.............................................................................134
Modifying an anti-spyware policy......................................................................................135
Deleting an anti-spyware software policy............................................................................136
Smart terminal software control management...........................................................................136
Smart terminal software control group list contents................................................................136
Smart terminal software control group details......................................................................137
Basic information contents............................................................................................137
Software list information...............................................................................................138
Viewing the smart terminal software control group list...........................................................138
Querying the smart terminal software control group..............................................................138
Viewing smart terminal software control group details...........................................................138
Adding a smart terminal software control group...................................................................139
Modifying a smart terminal software control group...............................................................139
Deleting a smart terminal software control group..................................................................140
Smart terminal policy management.........................................................................................140
Smart terminal policy list contents.......................................................................................140
Smart terminal policy details.............................................................................................140
Viewing the smart terminal policy list..................................................................................141
Viewing smart terminal policy details..................................................................................141
Adding smart terminal policy.............................................................................................141
Modifying a smart terminal policy......................................................................................141
Deleting a smart terminal policy.........................................................................................142
7 Controlling Internet access.......................................................................143
Managing Internet access configurations.................................................................................143
Viewing the Internet access configuration list........................................................................143
Viewing Internet access configuration details.......................................................................144
Adding an Internet access configuration..............................................................................144
Modifying an Internet access configuration..........................................................................145
Deleting an Internet access configuration............................................................................146
Managing Internet access audit policies..................................................................................146
Viewing the Internet access audit policy list.........................................................................146
Viewing Internet access audit policy details.........................................................................146
Adding an Internet access audit policy...............................................................................147
Modifying an Internet access audit policy...........................................................................147
Deleting an Internet access audit policy..............................................................................148
Managing Internet access audit logs.......................................................................................148
Viewing the Internet access audit log list.............................................................................148
Performing a basic query for Internet access audit logs.........................................................149
Performing an advanced query for Internet access audit logs.................................................149
Viewing Internet access audit log details.............................................................................150
Configuring Internet access logging parameters........................................................................151
Assigning Internet access configurations to services and access policies.......................................151
Assigning an Internet access configuration to a service.........................................................152
Assigning an Internet access configuration to an access policy...............................................152
8 Configuring DAM...................................................................................153
Managing asset groups.........................................................................................................153
Asset group list contents....................................................................................................154
Contents
9
Asset group details...........................................................................................................154
Basic information section..............................................................................................154
Asset group details section...........................................................................................154
Immediate parent group list section................................................................................155
Authorized operator section..........................................................................................155
Viewing the asset group list...............................................................................................155
Viewing asset group details...............................................................................................155
Adding asset groups........................................................................................................155
Manually adding an asset group...................................................................................156
Automatically adding asset groups based on user groups.................................................156
Adding a subgroup for an asset group...........................................................................156
Modifying an asset group.................................................................................................157
Deleting an asset group....................................................................................................157
Granting an operator privileges to manage asset groups.......................................................158
Managing assets..................................................................................................................158
Registering assets.............................................................................................................158
Asset list contents.............................................................................................................159
Asset details....................................................................................................................159
System information section............................................................................................159
Operating system information section.............................................................................160
Hardware information section.......................................................................................161
Screen saver information section...................................................................................162
IP address list section...................................................................................................162
Partition list section......................................................................................................162
Logical disk list section.................................................................................................162
Software list section.....................................................................................................162
Patch list section..........................................................................................................163
Process list section.......................................................................................................163
Service list section.......................................................................................................163
Share list section.........................................................................................................163
Port list section............................................................................................................164
Viewing the asset list........................................................................................................164
Viewing asset details........................................................................................................164
Accessing the Asset Details page..................................................................................164
Method 1..............................................................................................................164
Method 2..............................................................................................................165
Viewing hardware details.............................................................................................165
Performing actions.......................................................................................................165
Regroup................................................................................................................165
Modify..................................................................................................................165
Delete...................................................................................................................166
Scan.....................................................................................................................166
Viewing an asset's software deployment history..........................................................166
Software Deploy Task List........................................................................................166
USB Monitor..........................................................................................................166
USB Monitor List.....................................................................................................166
Printer Monitor.......................................................................................................167
Printer Monitor List..................................................................................................167
Check Asset Files....................................................................................................167
Change History......................................................................................................168
Asset Change History contents.................................................................................168
Refresh..................................................................................................................168
Querying assets...............................................................................................................168
Performing a basic query.............................................................................................168
Performing an advanced query.....................................................................................169
10
Contents
Adding an asset..............................................................................................................171
Batch importing assets......................................................................................................173
Modifying an asset..........................................................................................................174
Deleting an asset.............................................................................................................175
Regrouping an asset.........................................................................................................175
Exporting asset information....................................................................................................176
Asset export function asset list............................................................................................176
Exporting asset information...............................................................................................176
Managing the asset export history..........................................................................................177
Asset export history list contents.........................................................................................177
Viewing the asset export history.........................................................................................177
Downloading the asset export history record.......................................................................177
Deleting the asset export history record...............................................................................177
Collecting asset statistics........................................................................................................178
Collecting statistics by asset type........................................................................................178
Asset type statistics reports...........................................................................................178
Asset type statistics report—Pie chart.........................................................................178
Asset type statistics report—List.................................................................................179
Collecting statistics by CPU...............................................................................................179
CPU frequency statistics reports.....................................................................................179
CPU frequency statistics report—Pie chart..................................................................179
CPU frequency statistics report—List..........................................................................180
Collecting statistics by hard disk........................................................................................180
Hard disk capacity and type statistics reports..................................................................180
Hard disk capacity statistics report—Pie chart............................................................181
Hard disk capacity statistics report—List....................................................................181
Hard disk type statistics report—Pie chart..................................................................181
Hard disk type statistics report—List..........................................................................181
Collecting statistics by operating system..............................................................................182
Operating system version and language statistics reports..................................................182
Operating system version statistics report—Pie chart....................................................182
Operating system version statistics report—List............................................................183
Operating system language statistics report—Pie chart ...............................................183
Operating system language statistics report—List........................................................183
Collecting statistics by software installed.............................................................................184
Software installation statistics report...............................................................................184
Software installation statistics report..........................................................................184
Managing the export task......................................................................................................184
Export task list contents.....................................................................................................184
Viewing the export task management list.............................................................................185
Configuring the export task...............................................................................................185
9 Configuring desktop control schemes and policies.......................................186
Configuring desktop control schemes.......................................................................................186
Desktop control scheme list contents...................................................................................186
Desktop control scheme details..........................................................................................186
Basic information section..............................................................................................186
Policy list section.........................................................................................................187
Viewing the desktop control scheme list...............................................................................187
Viewing desktop control scheme details..............................................................................187
Adding a desktop control scheme......................................................................................187
Modifying a desktop control scheme..................................................................................188
Deleting a desktop control scheme.....................................................................................188
Configuring peripheral management policies............................................................................188
Peripheral management policy list contents..........................................................................188
Contents
11
Peripheral management policy details.................................................................................189
Basic information section..............................................................................................189
Disable devices section................................................................................................189
Viewing the peripheral management policy list....................................................................189
Viewing peripheral management policy details....................................................................190
Adding a peripheral management policy............................................................................190
Modifying a peripheral management policy........................................................................191
Deleting a peripheral management policy...........................................................................191
Configuring energy saving policies.........................................................................................191
Energy saving policy list contents.......................................................................................192
Viewing the energy saving policy list..................................................................................192
Adding an energy saving policy........................................................................................192
Modifying an energy saving policy....................................................................................192
Deleting an energy saving policy.......................................................................................193
Configuring monitoring alarm policies.....................................................................................193
Monitoring alarm policy list contents..................................................................................193
Monitoring alarm policy details.........................................................................................193
Basic information section..............................................................................................194
USB monitoring section................................................................................................194
Printer monitoring section.............................................................................................194
Hardware changes monitoring section...........................................................................194
Software changes monitoring section.............................................................................194
Viewing the monitoring alarm policy list..............................................................................195
Viewing monitoring alarm policy details..............................................................................195
Adding a monitoring alarm policy.....................................................................................195
Modifying a monitoring alarm policy..................................................................................196
Deleting a monitoring alarm policy....................................................................................197
10 Asset audit...........................................................................................198
Asset hardware change record audit.......................................................................................198
Asset hardware change information list contents...................................................................199
Asset hardware change record details................................................................................199
Viewing the asset hardware change information list..............................................................199
Viewing asset hardware change record details....................................................................200
Querying asset hardware change records...........................................................................200
Basic query................................................................................................................200
Advanced query.........................................................................................................200
Asset software change record audit.........................................................................................201
Asset software change information list contents....................................................................202
Asset software change record details..................................................................................203
Viewing the asset software change record list......................................................................203
Viewing the asset software change record details.................................................................203
Querying the asset software change records........................................................................204
Basic query................................................................................................................204
Advanced query.........................................................................................................204
USB monitoring record audit..................................................................................................205
USB monitor list contents...................................................................................................205
USB monitoring record details...........................................................................................206
Information of USB copied files section...........................................................................206
List of USB copied files section......................................................................................206
Viewing the USB monitoring record list...............................................................................206
Viewing the USB monitoring record details..........................................................................206
Querying the USB monitoring records.................................................................................207
Basic query................................................................................................................207
Advanced query.........................................................................................................207
12
Contents
Exporting the USB monitoring records.................................................................................208
USB monitor log export history list contents.....................................................................208
Exporting USB monitoring records.................................................................................208
Viewing the USB monitor log export history.........................................................................209
Printer monitoring record audit...............................................................................................209
Printer monitor list contents................................................................................................209
Printer monitoring record details........................................................................................210
Viewing the printer monitoring record list............................................................................210
Viewing the printer monitoring record details.......................................................................210
Querying the printer monitoring records..............................................................................211
Basic query................................................................................................................211
Advanced query.........................................................................................................211
Exporting the printer monitoring records.............................................................................212
Viewing the export history of the printer monitoring records...................................................212
Printer monitor log export history list contents.......................................................................213
Unauthorized peripheral use record audit................................................................................213
Illegal peripheral use report list contents..............................................................................213
Illegal peripheral use log export history list contents.............................................................214
Viewing the unauthorized peripheral use record list..............................................................214
Viewing the export history of the unauthorized peripheral use records.....................................214
Querying the unauthorized peripheral use records................................................................214
Basic query................................................................................................................214
Advanced query.........................................................................................................215
Exporting the unauthorized peripheral use records...............................................................216
Terminal file audit.................................................................................................................216
Asset file check list contents...............................................................................................216
Asset file check list details.................................................................................................217
Basic information section..............................................................................................217
File list section............................................................................................................217
Viewing the terminal file audit task list................................................................................217
Querying terminal file audit tasks.......................................................................................217
Auditing the terminal files..................................................................................................218
Viewing the terminal file audit results..................................................................................219
Exporting the terminal file audit results................................................................................219
11 Configuring software deployment............................................................221
Preparing to use the software deployment function....................................................................221
Configuring software deployment server settings.......................................................................221
Software server settings list contents...................................................................................221
Software deployment server settings details.........................................................................221
Viewing the software deployment server settings list..............................................................222
Viewing software deployment server settings details..............................................................222
Adding software deployment server settings........................................................................222
Modifying software deployment server settings....................................................................222
Deleting software deployment server settings.......................................................................223
Configuring software deploy tasks..........................................................................................223
Software deploy task list contents.......................................................................................223
Software deploy task details..............................................................................................223
Basic information section..............................................................................................224
Software deployment targets section .............................................................................225
Deploy group list contents........................................................................................225
Deploy asset list contents.........................................................................................225
Task execution result details...............................................................................................226
Viewing the software deploy task list..................................................................................226
Viewing software deploy task details..................................................................................226
Contents
13
Querying software deploy tasks.........................................................................................226
Basic query................................................................................................................226
Advanced query.........................................................................................................227
Adding a software deploy task..........................................................................................228
Modifying a software deploy task......................................................................................229
Deleting software deploy tasks...........................................................................................229
12 EAD audit............................................................................................230
Security logs........................................................................................................................230
Security log list contents....................................................................................................230
Security log details...........................................................................................................230
Basic information area.................................................................................................231
Details section............................................................................................................231
Viewing the security log list...............................................................................................231
Viewing security log details...............................................................................................231
Querying security logs......................................................................................................232
Basic query................................................................................................................232
Advanced query.........................................................................................................232
Client driver audit.................................................................................................................233
iNode driver list contents..................................................................................................233
Viewing client driver errors in the iNode Driver list................................................................233
Querying client drive errors...............................................................................................234
Security status audit for online and roaming users.....................................................................234
Online users list contents...................................................................................................234
Roaming online user list contents........................................................................................235
Viewing the online user list................................................................................................235
Viewing the roaming online user list...................................................................................235
Customizing the online user list..........................................................................................236
Performing a computer security check......................................................................................236
Computer security check result details.................................................................................236
Basic information section..............................................................................................237
Screen saver settings section.........................................................................................237
Hard disk partition table section....................................................................................237
Share list section.........................................................................................................237
Installed software section..............................................................................................238
Installed patches section...............................................................................................238
Running services section...............................................................................................238
Running processes section............................................................................................238
Performing a computer security check.................................................................................238
13 EAD service reports...............................................................................240
Real-time reports...................................................................................................................241
All-node online users 24-hour trend graph...........................................................................242
All-node online users 24-hour trend graph parameters......................................................243
All-node online users 24-hour trend graph fields..............................................................243
Asset information report....................................................................................................243
Asset information report parameters...............................................................................244
Asset information report fields.......................................................................................244
Asset type report..............................................................................................................244
Asset type report parameters........................................................................................245
Asset type statistics pie chart.........................................................................................245
Asset type statistics......................................................................................................245
Asset usage report...........................................................................................................246
Asset usage report parameters......................................................................................246
Asset usage report fields..............................................................................................246
CPU report......................................................................................................................247
14
Contents
CPU report parameters................................................................................................247
CPU report fields.........................................................................................................247
Hard-disk capability report................................................................................................248
Hard disk capacity report parameters............................................................................248
Hard disk capacity statistics pie chart............................................................................249
Hard disk type statistics................................................................................................249
Illegal peripheral use report..............................................................................................249
Illegal peripheral use report parameters.........................................................................250
Illegal peripheral use statistics pie chart..........................................................................251
Illegal peripheral usage type statistics............................................................................251
Insecurity category statistic report.......................................................................................251
Insecurity category statistic report parameters.................................................................252
Insecurity category statistic pie chart..............................................................................252
Insecurity category statistics..........................................................................................252
Multi-node certain security policy statistics report..................................................................253
Multi-node certain security policy statistics report parameters............................................254
Multi-node certain security policy statistics report fields.....................................................254
Multi-node online users comparison chart............................................................................254
Multi-node online users comparison chart parameters......................................................256
Multi-node online users comparison chart.......................................................................256
Multi-node security check items report.................................................................................256
Multi-node security check items report parameters...........................................................257
Multi-node security check items report fields....................................................................257
Multi-node single-security check item failures comparison chart..............................................258
Multi-node single-security check item failures comparison chart parameters.........................259
Multi-node single-security check item failures comparison chart..........................................259
Multi-node user counts comparison chart.............................................................................259
Multi-node user counts comparison chart parameters.......................................................260
Multi-node user counts comparison chart........................................................................261
Multi-node user data statistics report...................................................................................261
Multi-node user data statistics report parameters..............................................................261
Multi-node user data statistics report fields......................................................................261
Online user security status report........................................................................................262
Online user security status report parameters..................................................................262
Online user security status category statistics pie chart.....................................................262
Online user security status statistics................................................................................262
OS language report.........................................................................................................263
OS language report parameters....................................................................................264
OS language statistics pie chart....................................................................................264
Asset statistics.............................................................................................................264
OS version report............................................................................................................264
OS version report parameters.......................................................................................265
OS version statistics pie chart........................................................................................265
Asset statistics.............................................................................................................265
Safe log gather statistic report...........................................................................................265
Safe log gather statistic report parameters......................................................................267
Safe log gather statistic pie chart..................................................................................267
Insecurity category statistics..........................................................................................268
Single-node online users 24-hour trend graph......................................................................268
Single-node online users 24-hour trend graph parameters.................................................269
Single-node online users 24-hour trend graph.................................................................269
Single-node security check failure report.............................................................................269
Single-node security check failure bar chart....................................................................271
Software installation report................................................................................................271
Software installation report parameters..........................................................................272
Contents
15
Software installation report fields...................................................................................272
Scheduled reports.................................................................................................................272
Asset information report....................................................................................................273
Adding an asset information report................................................................................273
Viewing asset information reports..................................................................................275
Asset information report parameters..........................................................................275
Asset information report fields..................................................................................276
Asset type report..............................................................................................................276
Adding an asset type report.........................................................................................276
Viewing asset type reports............................................................................................278
Asset type report parameters....................................................................................278
Asset type statistics pie chart....................................................................................278
Asset usage report...........................................................................................................279
Adding an asset usage report.......................................................................................279
Viewing asset usage reports.........................................................................................280
Asset usage report parameters.................................................................................281
Asset usage report fields..........................................................................................281
CPU report......................................................................................................................281
Adding a CPU report...................................................................................................281
Viewing CPU reports...................................................................................................283
CPU report parameters............................................................................................283
CPU report fields....................................................................................................284
Hard-disk capacity report..................................................................................................284
Adding a hard disk capacity report...............................................................................284
Viewing hard disk capacity reports................................................................................286
Hard disk capacity report parameters.......................................................................286
Hard disk capacity statistics pie chart........................................................................286
Illegal peripheral use report..............................................................................................287
Adding an illegal peripheral use report..........................................................................287
Viewing illegal peripheral use reports............................................................................289
Illegal peripheral use report parameters.....................................................................290
Illegal peripheral use statistic pie chart......................................................................290
Insecurity category statistic report.......................................................................................291
Adding an insecurity category statistic report..................................................................291
Viewing insecurity category statistic reports....................................................................293
Insecurity category statistic report parameters.............................................................294
Insecurity category statistic pie chart.........................................................................294
Online user security status report........................................................................................294
Adding an online user security status report....................................................................294
Viewing online user security status reports......................................................................296
Online user security status report parameters..............................................................297
Online user security status category statistics pie chart.................................................297
OS language report.........................................................................................................297
Adding an OS language report....................................................................................297
Viewing OS language reports.......................................................................................298
OS language report parameters...............................................................................299
OS language statistics pie chart...............................................................................299
OS version report............................................................................................................299
Adding an OS version report........................................................................................299
Viewing OS version reports..........................................................................................301
OS version report parameters..................................................................................301
OS version statistics pie chart...................................................................................301
Safe log gather statistic report...........................................................................................302
Adding a safe log gather statistic report.........................................................................302
Viewing safe log gather statistic reports..........................................................................305
16
Contents
Safe log gather statistic report parameters.................................................................305
Safe log gather statistic pie chart..............................................................................306
Software installation report................................................................................................306
Adding a software installation report.............................................................................306
Viewing software installation reports..............................................................................308
Software installation report parameters......................................................................308
Software installation report fields..............................................................................309
14 Service parameters management............................................................310
EAD service parameters.........................................................................................................310
Configuring EAD service parameters..................................................................................311
Validating EAD service parameters.....................................................................................311
Method 1...................................................................................................................311
Method 2...................................................................................................................311
DAM service parameters.......................................................................................................312
Configuring DAM service parameters.................................................................................314
Validating DAM service parameters...................................................................................314
Method 1...................................................................................................................314
Method 2...................................................................................................................314
15 Support and other resources...................................................................315
Contacting HP......................................................................................................................315
New and changed information in this edition...........................................................................315
Typographic conventions.......................................................................................................315
16 Documentation feedback.......................................................................316
Index.......................................................................................................317
Contents
17
1 EAD Security Policy overview
The EAD Security Policy component is the terminal security management software developed on
the IMC platform.
The EAD component is the core of the EAD solution. It comprises the Endpoint Admission Defense
(EAD) service module and the Desktop Asset Manager (DAM) service module.
EAD solution
The EAD solution is a multiservice, client-server-based, secure access management solution that
integrates:
•
Authentication
•
Monitoring
•
Auditing
•
Service management
The EAD solution has the following components:
•
•
Server side
◦
UAM—Provides reliable user identity authentication, simple and practical user
management, and strict user privilege control.
◦
EAD—Provides strict endpoint security defense and powerful desktop management.
Client side
◦
Node client—Cooperates with the UAM and EAD components to implement these functions.
The UAM and EAD components depend on the IMC platform to provide services. The iNode client
is deployed at a user terminal as an agent.
IMC cooperates with various access devices, such as switches, routers, VPN gateways, and
firewalls, to offer identity authentication, user privilege control, access admission, and desktop
management in different network scenarios.
EAD component
This section describes the EAD service module and the DAM service module, referred to as the
EAD and DAM, respectively, unless otherwise specified.
EAD service module
EAD determines an access user's security status by checking the anti-virus software, OS patches,
registry, network traffic, and other items.
To protect network security, EAD isolates the access users that fail the security check, or forces
them offline.
EAD provides the following functions:
18
•
Security policy management
•
Terminal access control
•
Hierarchical node management
•
Internet access control
•
EAD service report
EAD Security Policy overview
•
EAD audit
•
EAD service parameter management
DAM service module
Terminals running the Windows operating system are assets of DAM. DAM collects for audit the
asset information of access users through the iNode client.
DAM provides the following functions:
•
Asset management
•
Desktop control policy
•
Asset audit
•
Software deployment
•
DAM report
•
DAM service parameter management
EAD component functions
EAD components are classified by the following functions:
•
“Security policy” (page 19)
•
“Desktop asset” (page 22)
•
“Internet access control” (page 24)
•
“Service parameters” (page 24)
•
“EAD service report” (page 24)
•
“EAD audit” (page 25)
Security policy
EAD allows you to configure and manage security policies. As shown in Figure 1, a security policy
typically consists of the following contents:
•
“Basic Information” (page 20)
•
“Terminal Access Control” (page 20)
•
“Security check items for PCs” (page 21)
•
“Security check items for smart terminals” (page 21)
In addition, EAD can be used to implement unified authentication and security policies in large
corporations or organizations (see “Hierarchical node management” (page 22)).
EAD component functions
19
Figure 1 Security policy contents
Basic Information
•
Security Level (required)—Security levels define the actions to be taken for security check
violations. The actions, from least severe to most severe, are Monitor, Inform, Isolate, and
Kick Out. When an access user violates multiple security check items that call for different
actions, EAD performs the most severe of the actions.
•
Real-Time Monitoring—By default, EAD verifies the security status of access users when they
complete identity authentication and are reauthenticated. With real-time monitoring enabled,
EAD verifies access users at the specified interval (60 seconds, by default).
•
Default Policy for Roaming Users—By default, neither roaming EAD nor local EAD verifies the
security status of roaming users. After you specify a default security policy for roaming users,
roaming EAD uses that security policy to check all roaming users.
For more information, see “Security policy management” (page 33).
Terminal Access Control
The basic security policy information comprises the following parameters:
Terminal Access Control comprises the following parameters:
20
EAD Security Policy overview
•
•
Isolation Mode—EAD provides the following isolation modes to isolate access users that fail
the security check:
◦
Deploy ACLs to Access Device—After deployment, the access device controls user behaviors
based on ACL rules.
◦
Deploy ACLs to iNode Client—After deployment, the iNode client controls user behaviors
based on ACL rules.
◦
Deploy VLANs to Access Device—After deployment, the access device controls user
behaviors based on VLANs.
URL Control—The iNode client examines the URLs in the HTTP packets of the local user and
reports to EAD in order to control access to sites. . URL control has the following parameters:
◦
Domain URL Class—Contains a group of domain names to be checked in the HTTP packets.
Operators can permit or deny the HTTP packets that match the domain URL class.
◦
IP URL Class—Contains a group of IP addresses to be checked in the HTTP packets.
Operators can permit or deny the HTTP packets that match the IP URL class.
◦
Check Hosts File—Contains a list of IP addresses that can appear on the Hosts file.
For more information, see “Configuring terminal access control” (page 67).
Security check items for PCs
You can define the following security check items for a security policy that is to be assigned to a
Windows, Linux, or Mac OS PC:
•
Anti-virus software—Verifies that the anti-virus software products installed on the PC meet
requirements.
•
Anti-spyware software—Verifies that the anti-spyware software products installed on the PC
meet requirements.
•
Firewall software—Verifies that the firewall products installed on the PC meet requirements.
•
Anti-phishing software—Verifies that the anti-phishing software products installed on the PC
meet requirements.
•
Hard disk encryption software—Verifies that the hard disk encryption software products
installed on the PC meet requirements.
•
PC software—Verifies that other software products, processes, services, and files on the PC
meet requirements.
•
Patch management software—Verifies that the Linux and Mac OS patch management software
installed on the PC meets requirements.
•
Windows patches—Verifies that all required Windows patches have been installed on the PC
and whether the PC can collaborate with Microsoft SMS and WSUS.
•
Registries—Verifies that the access user registries meet requirements.
•
Share directories—Verifies that the share directories of access users meet requirements.
•
Asset registration status—Verifies that the access user terminals (assets) are registered in DAM.
•
Network traffic—Verifies that the access user network usage meets requirements.
•
OS password—Verifies that the access user login passwords are robust.
For more information, see “Configuring security check items for PCs” (page 81).
Security check items for smart terminals
The following security check items can assigned to a security policy for an Android smart terminal:
EAD component functions
21
•
Anti-virus software—Verifies that the anti-virus software products on the smart terminal meet
requirements.
•
Anti-spyware software—Verifies that the anti-spyware software products on the smart terminal
meet requirements.
•
Smart terminal software—Verifies that other software products on the smart terminal meet
requirements.
•
Smart terminal policy—Verifies that the states of GPS, auto lock, and Bluetooth services of the
smart terminal meet the requirements.
For more information, see “Configuring security check items for smart terminals” (page 129).
Hierarchical node management
Hierarchical node management allows you to classify the UAM and EAD system of an enterprise
or organization into nodes of different levels. Upper-level nodes manage lower-level nodes, and
lower-level nodes are required to send security check results to upper-level nodes.
Hierarchical node management has two modes:
•
Centralized hierarchical management—A strict management mode that distributes configurations
level by level from the headquarters. Lower-level nodes are not allowed to configure services,
security policies, or security levels.
•
Noncentralized hierarchical management—A loose management mode that allows lower-level
nodes to configure services, security policies, and security levels. Lower-level nodes are required
to send security check results to upper-level nodes.
For more information, see “Hierarchical node management” (page 54).
Desktop asset
DAM manages and monitors desktop assets. DAM classifies Windows-based user terminals, such
as PCs or servers, as desktop assets, and assigns each asset a unique ID.
Before using DAM, operators must configure DAM for the enterprise or organization (see
“Configuring DAM” (page 22)). Operators can then use the following functions to manage and
monitor assets:
•
“Desktop monitoring” (page 23)
•
“Asset audit” (page 23)
•
“Software deployment” (page 24)
Asset registration
DAM registers an asset the first time it connects to DAM using the asset ID. DAM can then manage
and monitor the asset.
Configuring DAM
Perform the following DAM configurations (service parameters have the highest priority for
configuration):
22
•
Configure service parameters—Set parameters such as the automatic asset numbering mode
and how long DAM keeps asset logs.
•
Manage asset groups—Comprises the following:
◦
Manage assets through asset groups—Create asset groups in DAM by asset type and
location.
◦
Manage assets through user groups—Use user groups created on the IMC platform.
EAD Security Policy overview
•
Manage assets—View detailed software and hardware information for registered assets.
•
Collect asset statistics—Collect statistics on the asset type, CPU, hard disks, operating system,
and software installation information for registered assets.
•
Export monitoring records—Configure DAM to periodically export collected USB monitoring
records.
Desktop monitoring
DAM can monitor the following assets through the iNode client:
•
Illegal peripheral usage—Using a peripheral management policy, DAM can block use of the
following devices:
◦
1394 interfaces
◦
Bluetooth peripheral devices
◦
COM ports
◦
DVD/CD-ROM drives
◦
Floppy disk drives
◦
Infrared devices
◦
LPTs
◦
Modems
◦
PCMCIA interfaces
◦
USB storage and nonstorage devices
•
Scheduled shutdown—DAM can shut down an asset at the scheduled time by deploying an
energy-saving policy to the iNode client. The system displays an alert 10 minutes before it
performs a scheduled shutdown action.
•
Monitoring alarm—Based on a monitoring alarm policy from DAM, the iNode client reports
the following events to the DAM server:
◦
A software or hardware change is detected.
◦
A sensitive file is copied to a USB storage device or printed on a printer. The DAM server
sends the information to the syslog server as syslogs.
Asset audit
The asset audit functions follow:
•
Post audits—Operators can perform post audits for assets based on the following records
collected by DAM:
◦
Asset hardware change records
◦
Asset software change records
◦
USB monitoring records
EAD component functions
23
•
◦
Printer usage monitoring records
◦
Peripheral usage violation records
Real-time audits—DAM can check existing files on assets through the iNode client. Operators
can use the terminal file audit function to audit assets in real time.
Software deployment
This function allows you to deploy software to terminals quickly. DAM collects asset software
information through the iNode client, and deploys software to the assets according to the software
deployment task.
Before you configure a software deployment task, configure a software deployment server. The
iNode client uses the software deployment server configuration to access the server, and downloads
software according to the software deployment task.
Internet access control
For data security, EAD can restrict or block Internet access requests. In addition, EAD records users'
Internet access behaviors for auditing. For more information, see “Controlling Internet access”
(page 143).
Service parameters
You can configure the following service parameters:
•
EAD service parameters—Globally effective on the EAD service.
•
DAM service parameters—Globally effective on the DAM service.
For more information, see “Service parameters management” (page 310).
EAD service report
EAD reports and DAM reports are called EAD service reports. The EAD service report function is
implemented through the IMC platform report module. All reports on the Report tab are
template-driven and are generated from preloaded templates.
From the Report tab, you can access EAD service reports. Use the IMC platform report module to
view and export real-time reports and scheduled reports.
Table 1 lists the real-time reports and periodic reports that can be generated through EAD service
report templates.
Table 1 EAD service report templates
Module
Template name
Realtime report
Scheduled report
All-Node Online Users 24-Hour Trend Graph
Available
Unavailable
Insecurity Category Statistics Report
Available
Available
Multi-Node Certain Security Policy Statistics
Report
Available
Unavailable
Multi-Node Online Users Comparison Chart
Available
Unavailable
Multi-Node Security Check Items Report
Available
Unavailable
Multi-Node Single-Security Check Item Failures
Comparison Chart
Available
Unavailable
Multi-Node User Counts Comparison Chart
Available
Unavailable
Multi-Node User Data Statistics Report
Available
Unavailable
EAD
24
EAD Security Policy overview
Table 1 EAD service report templates (continued)
Module
DAM
Template name
Realtime report
Scheduled report
Online User Security Status Report
Available
Available
Safe Log Gather Statistics Report
Available
Available
Single-Node Online Users 24-Hour Trend Graph Available
Unavailable
Single-Node Security Check Failures
Available
Unavailable
Asset Information Report
Available
Available
Asset Type Report
Available
Available
Asset Usage Report
Available
Available
CPU Report
Available
Available
Hard Disk Capacity Report
Available
Available
Illegal Peripheral Use Report
Available
Available
OS Language Report
Available
Available
OS Version Report
Available
Available
Software Installation Report
Available
Available
EAD audit
The EAD audit functions follow:
•
Viewing access user security logs—Security logs record security events that occurred during
user authentication and network access. You can query security logs to see security events
that occurred in the internal network, identify network security risks, and take appropriate
action to enhance network security.
•
iNode driver audit—Many EAD functions require cooperation of the iNode client. When the
iNode client encounters drive errors, security functions do not work. The iNode client can
report these errors to the EAD server. You can query the drive errors to repair faulty terminals
promptly.
•
Viewing security status of online users and roaming users—View the security status of online
users and roaming users on the online and roaming user lists, respectively. The Online User
List also shows client ACLs, device ACLs, traffic status, and online asset information.
•
Online user security check—Perform a security check for online users at any time and view
the check result. Security check items include system information, screen-saver protection and
password setting, partition table, shared directory information, installed software, installed
patches, enabled services, and running processes.
EAD planning considerations
This section describes important considerations when deploying the EAD component.
Physical location of the enterprise or organization
Users at remote locations may experience slow authentication and security check processes when
the UAM and EAD components are deployed only at an organization's headquarters. To improve
efficiency, you can also deploy the UAM and EAD components at remote locations.
EAD supports hierarchical management, which allows you to manage services and policies centrally
when multiple UAM and EAD components are deployed. For more information, see “Hierarchical
node management” (page 54).
EAD planning considerations
25
Identifying the number of access users
Before deploying the EAD component, identify the number of access users that need security checks.
HP recommends that you purchase enough EAD licenses for access users, in order to reduce the
risk of terminal security threats.
Identifying the terminal types
EAD provides security checks on PCs and smart terminals. Be sure to identify all types of user
terminals on the network to be managed to ensure that the proper check items are configured for
each in the security policy.
Identifying available features when using the iNode client with EAD and DAM
The EAD and DAM features available for implementation with the iNode client vary based on the
OS of the user terminal. For more information, see Table 2.
Table 2 iNode client feature and OS compatibility
OS
Identity authentication methods
Security check
Desktop asset management
Windows
802.1X, portal, VPN, wireless
Supported
Supported
Linux
802.1X, portal
Supported
Not supported
Mac OS
802.1X, portal
Supported
Not supported
Android
Portal
Supported
Not supported
iOS
Portal
Not supported
Not supported
Configuring security policies and desktop control policies
HP recommends that you use the following procedure to configure enterprise or organization
security policies and desktop control policies:
1. Avoid legal exposure by identifying and complying with all applicable legal and business
requirements that affect security policies and asset configurations.
2. Identify the organizational structure of the enterprise and the security requirements of each
department in the enterprise.
Different departments can have different security requirements. For example, an enterprise's
requirements might state that the R&D department can access the R&D file servers but cannot
access the Internet; that the HR department can access the Internet but cannot access the R&D
file servers; and that no employees can use instant messaging software during work hours.
3.
4.
5.
6.
7.
26
Identify the software and hardware information of the enterprise, including:
•
Number of access users
•
Number, model, configuration, and OS type of the terminal devices
•
Usage information of the terminal security software
•
Business software for each department
Identify the network structure of the enterprise, including the vendor, model, VLAN, routing,
ACL, and QoS configuration of the network devices.
Create a security baseline, define security policies, and specify security policies for the services
that access users have applied for.
Verify that, after failing a security check, access users can access a third-party server to repair
the failed security check items.
Verify that access users passing a security check can access network resources, and that the
EAD component can take the appropriate action (Monitor, Inform, Isolate, or Kick Out) when
a user's security status changes from secure to insecure.
EAD Security Policy overview
8.
9.
10.
11.
Manage the desktop assets, including adding asset groups and registering assets.
Configure the asset monitoring policies to prevent unauthorized copying and printing.
Schedule regular audits of assets and security logs.
View and export EAD service reports at regular, scheduled intervals.
EAD planning considerations
27
2 Page navigation menus and aids
The EAD and DAM components have their respective menus in the left navigation tree.
Figure 2 EAD and DAM navigation menus
The EAD and DAM menu options are described in Table 2 and Table 3, respectively.
28
Page navigation menus and aids
Table 3 EAD navigation menu options
Navigation menu option
Description
Endpoint Admission Defense Home Page
Displays a general operation process for EAD security
policy and links to the configuration tasks.
Security Policy
Provides the ability to view, add, modify, and delete
security policies.
Security Level
Provides the ability to view, add, modify, and delete
security levels.
Terminal Access Control
Displays a general operation process for terminal access
control and links to the configuration tasks.
Client ACL Management
Provides the ability to view, add, modify, and delete ACLs
to deploy to the iNode client.
Internet Access Audit Policy
Provides the ability to view, add, modify, and delete
policies for auditing Internet access behaviors.
Internet Access Configuration
Provides the ability to view, add, modify, and delete
Internet access configurations.
URL Control Policy
Provides the ability to view, add, modify, and delete URL
control policies.
Domain URL Class
Provides the ability to view, add, modify, and delete
domain URL classes.
IP URL Class
Provides the ability to view, add, modify, and delete IP
URL classes.
Traffic Control
Provides the ability to view, add, modify, and delete traffic
control policies.
Terminal Security Software Policies
Displays all supported types of software products for
endpoint security check and links to their respective
configuration pages.
Anti-Virus Software Policy
Provides the ability to view, add, modify, and delete
anti-virus software policies.
Anti-Spyware Software Policy
Provides the ability to view, add, modify, and delete
anti-spyware software policies.
Firewall Software Policy
Provides the ability to view, add, modify, and delete
firewall software policies.
Anti-Phishing Software Policy
Provides the ability to view, add, modify, and delete
anti-phishing software policies.
Hard Disk Encryption Software Policy
Provides the ability to view, add, modify, and delete hard
disk encryption software policies.
Patch Control
Displays all supported patch check types for endpoint
security check and links to their respective configuration
pages.
Windows Patches
Provides the ability to query, add, modify, and delete
Windows patches.
Patch Management Software
Provides the ability to enable check for patch management
software products.
Software Control Group
Displays all supported types of software products for
endpoint security check and links to their respective
configuration pages.
29
Table 3 EAD navigation menu options (continued)
Navigation menu option
Description
PC Software Control Group
Provides the ability to query, view, add, modify, and delete
groups to control software products, services, processes,
and files for PCs.
Smart Terminal Software Control Group
Provides the ability to query, view, add, modify, and delete
groups to control software products for smart terminals.
Registry Control
Provides the ability to view, add, modify, and delete
registry control configurations.
Share Control
Provides the ability to view, add, modify, and delete share
control configurations.
Smart Terminal Policy
Provides the ability to view, add, modify, and delete smart
terminal policies.
Password Control
Provides the ability to view current password dictionary
and load a new password dictionary.
Hierarchical Node Management
Provides the ability to view, add, modify, and delete child
nodes and to confirm management from the parent node.
EAD Global Network Monitoring Diagram
Displays the global network monitoring diagram for
hierarchical node management.
Service Parameters
Displays links to EAD service parameter settings.
System Parameters Config
Provides the ability to configure EAD service parameters.
Validate
Provides the ability to validate latest EAD service parameter
settings.
Table 4 DAM navigation menu options
30
Navigation menu option
Description
Desktop Asset Manager Home Page
Displays a general operation process for the DAM service
and links to the configuration tasks.
Asset Group
Provides the ability to query, view, add, modify, and delete
asset groups.
All Assets
Provides the ability to query, view, add, modify, and delete
assets.
Asset Hardware Change
Provides the ability to query and view assets' hardware
changes.
Asset Software Change
Provides the ability to query and view assets' software
changes.
Control Scheme
Provides the ability to view, add, modify, and delete
schemes to control desktop assets.
Desktop Control Policy
Displays links to configure policies for controlling desktop
assets.
Peripheral Management Policy
Provides the ability to view, add, modify, and delete
peripheral management policies.
Energy-Saving Policy
Provides the ability to view, add, modify, and delete
energy-saving policies.
Monitoring Alarm Policy
Provides the ability to view, add, modify, and delete
monitoring alarm policies.
Desktop Control Audit
Displays desktop control audit functions and links to the
functions.
Page navigation menus and aids
Table 4 DAM navigation menu options (continued)
Navigation menu option
Description
USB Storage Device File Monitor Log
Provides the ability to query, view, and export USB file
transfer logs.
Printer Monitor
Provides the ability to query, view, and export printer
monitor logs.
Illegal Peripheral Use Report
Provides the ability to query, view, and export logs for
unauthorized use of peripheral devices.
Check Asset Files
Provides the ability to check suspicious files on assets in
real time.
Asset Statistics
Displays the asset statistics by asset type, CPU, hard disk,
OS, and software.
Software Deploy Task
Provides the ability to query, view, add, modify, and delete
Software Deploy Tasks.
Software Server Settings
Provides the ability to view, add, modify, and delete servers
for software distribution.
Service Parameters
Displays links to DAM service parameter settings.
System Parameters Config
Provides the ability to configure DAM service parameters.
Validate
Provides the ability to validate latest DAM service
parameter settings.
Export Task Management
Provides the ability to configure tasks to export USB file
transfer logs.
Each configuration page can contain one or more areas with navigation buttons and page links.
Figure 3 Page navigation aids
If a list contains enough entries, use the following navigational aids and fit the list to the screen:
•
Click
to page forward in the list.
•
Click
to page forward to the end of the list.
•
Click
to page backward in the list.
31
32
•
Click
•
Click 8, 15, 50, 100, or 200 at the upper right of the list area to configure how many items
per page you want to view.
to page backward to the beginning of the list.
Page navigation menus and aids
3 Configuring security policies
Configuring security policies involves the following:
•
Security policy management
Security policy management allows operators to configure and manage security policies,
including security level, real-time monitoring, default security policy for roaming users, isolation
mode, URL access control, and security check items.
•
Security level management
Security levels define the actions to be taken for security check violations. The actions, from
least severe to most severe, are Monitor, Inform, Isolate, and Kick Out. When an access user
violates multiple security check items that call for different actions, EAD performs the most
severe of the actions.
The security level management function allows operators to view, add, modify, and delete
security levels.
•
Hierarchical node management
Enterprises and organizations use hierarchical node management to improve the efficiency
and flexibility of the EAD security check.
Operators can implement either centralized policy management or noncentralized policy
management, as needed.
By default, EAD does not apply any security policy to roaming access users. Their identity is
authenticated by their home UAM servers without further security check. To improve security,
operators can manually configure a security policy as the default policy for roaming users.
Security policy management
A security policy comprises the following contents:
•
A security level.
•
At least one security check item.
•
Optional terminal access control settings. Terminal access control comprises ACL and URL
access control, both of which are optional.
Operators can do the following:
•
View, add, modify, and delete security policies.
•
Enable real-time monitoring in security policies.
The iNode client cooperates with the EAD server to perform periodic security checks on the
terminals of online users to detect violations and security threats in real time.
Security policy list contents
The security policy list comprises the following parameters:
•
Policy Name—Name of the security policy. Click the name to view its details.
•
Security Level—Name of the security level used by the security policy. Click the name to view
its details. For more information, see “Viewing security level details” (page 52).
•
Isolation Mode—Isolation mode of the security policy:
◦
Not Deploy—No isolation mode is specified.
◦
Deploy ACLs to Access Device—Isolates illegal users by using access device ACLs.
Security policy management
33
•
◦
Deploy ACLs to iNode Client—Isolates illegal users by using iNode client ACLs.
◦
Deploy VLANs to Access Device—Isolates illegal users by using VLANs.
Security ACL or VLAN—Security ACL or VLAN of the security policy. The security ACL or VLAN
applies to all online users who are not isolated. The parameter is based on the configured
isolation mode.
◦
Security ACL or VLAN—Security ACL or VLAN of the security policy. The security ACL or
VLAN applies to all online users who are not isolated. The parameter is based on the
configured isolation mode.
◦
To deploy ACLs to HP ProCurve devices, the parameter is the name of an access ACL
defined in UAM. Click the ACL name to view the ACL rules deployed to the access device.
◦
To deploy ACLs to the iNode client, the parameter is the name of a client ACL defined
in EAD. Click the ACL name to view the ACL rules deployed to the iNode client.
◦
To deploy VLANs to access devices, the parameter is a VLAN ID.
•
Isolation ACL or VLAN—Isolation ACL or VLAN of the security policy. The isolation ACL or
VLAN applies to online users who must be isolated. The parameter can be an ACL number
or name, access ACL name, client ACL name, or VLAN ID, based on the configured isolation
mode. (See the parameter descriptions for Security ACL or VLAN.)
•
Service Group—Service group to which the security policy belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the security policy settings.
to delete the security policy.
Security policy details
Security policy details comprise basic policy information and advanced security check settings.
This section describes parameters on each area of the security policy details.
EAD supports security checks on IPv6 hosts only when the Enable IPv6 parameter is set to Yes in
the UAM service parameter configuration. The default setting of this parameter is No. For more
information, see HP IMC User Access Manager Administrator Guide.
Basic Information area
•
Policy Name—Unique name of the security policy.
•
Service Group—Service group to which the security policy belongs.
•
Security Level—Name of the security level used in the security policy. Click the name to view
its details. For more information, see “Viewing security level details” (page 52).
•
Monitor in Real Time—When it is selected, this parameter enables real-time monitoring of user
terminals in the security policy. For more information, see “Configuring real-time monitoring”
(page 45).
•
Process After—The amount of time, in minutes, that the iNode client waits before it isolates
or kicks out an access user for whom a violation is detected in real-time monitoring. The iNode
client prompts the user to make the necessary remediation and initiate a new security check
to avoid being isolated or kicked out.
This parameter appears only when the Monitor in Real Time option is selected.
•
34
Set as Default Policy for Roaming Users—When it is selected, this parameter makes the security
policy the default security policy for roaming users. You can specify only one security policy
as the default security policy for roaming users. For more information, see “Configuring the
default security policy for roaming users” (page 46).
Configuring security policies
•
Description—Description of the security policy.
•
Check Passed Message—Message that the iNode client displays when an access user passes
the security check.
Isolation Mode area
•
Configure Isolation Mode—Indicates whether an isolation mode is configured. When this
parameter is not selected, the security policy does not have an isolation mode. When this
parameter is selected, the security policy uses any of the following isolation modes: Deploy
ACLs to Access Device, Deploy ACLs to iNode Client, or Deploy VLANs to Access Device.
The following parameters appear only when the Configure Isolation Mode option is selected. The
parameters vary by isolation mode. For more information, see “Configuring terminal access control”
(page 67).
•
Deploy ACLs to Access Device
This isolation mode deploys ACLs to access devices. For non-HP ProCurve devices, EAD deploys
ACL numbers or names through RADIUS packets. For HP ProCurve devices, EAD deploys
access ACL rules through extended RADIUS packets. The isolation mode contains the following
parameters:
•
◦
Security ACL (for non-HP ProCurve)—Number or name of the security ACL deployed to
non-HP ProCurve devices.
◦
Isolation ACL (for non-HP ProCurve)—Number or name of the isolation ACL deployed to
non-HP ProCurve devices.
◦
Security ACL (for HP ProCurve)—Name of the access ACL deployed to HP ProCurve
devices as the security ACL. Click the ACL name to view the ACL rules in the access ACL.
For information about access ACLs, see HP IMC User Access Manager Administrator
Guide.
◦
Isolation ACL (for HP ProCurve)—Name of the access ACL deployed to HP ProCurve
devices as the isolation ACL. Click the ACL name to view the ACL rules in the access ACL.
For information about access ACLs, see HP IMC User Access Manager Administrator
Guide.
Deploy ACLs to iNode Client
This isolation mode deploys ACL rules to the iNode client through EAD messages. For more
information, see “Managing client ACLs” (page 68). The isolation mode contains the following
parameters:
•
◦
Security ACL—Name of the security ACL deployed to the iNode client. Click the ACL
name to view the ACL rules in the client ACL. For more information, see “Managing client
ACLs” (page 68).
◦
Isolation ACL—Name of the isolation ACL deployed to the iNode client. Click the ACL
name to view the ACL rules in the client ACL. For more information, see “Managing client
ACLs” (page 68).
Deploy VLANs to Access Device
This isolation mode deploys VLAN IDs to access devices through RADIUS packets. The VLANs
corresponding to the VLAN IDs must exist on the devices.
◦
Security VLAN—ID of the security VLAN deployed to access devices.
◦
Isolation VLAN—ID of the isolation VLAN deployed to access devices.
Security policy management
35
URL Control area
•
Check URL—Indicates whether to check URLs accessed by the access users.
The following parameters appear only when the Check URL option is selected:
•
URL Control Policy—Name of the URL control policy used in the security policy. The URL control
policy controls user access to specified websites by domain name or IP address.
•
Check Hosts File—Indicates whether to check the Hosts file on the user terminal. When this
option is enabled, the iNode client checks the Hosts file against the IP address list located to
the right of the Check Hosts File field. When the Hosts file of a user terminal contains an IP
address that is not on the list, the iNode client forces the user to log out. This feature prevents
users from accessing unauthorized websites by modifying the Hosts file.
The Hosts file check can serve as a supplement to the URL control policy. A user might bypass
the URL control policy by modifying the Hosts file to access a prohibited URL. The Hosts file
check applies only to access users using Windows. For example, the path of the Hosts file on
Windows 7 is C:\WINDOWS\system32\drivers\etc\hosts.
Anti-Virus Software Control area
The anti-virus software check takes effect on Windows, Linux, and Mac OS PCs and Android smart
terminals.
•
Check Anti-Virus Software—Indicates whether to check the anti-virus software on the user
terminal. The check items include the anti-virus definition version, engine version, software
installation status, and software running status.
The following parameters appear only when the Check Anti-Virus Software option is selected:
•
Anti-Virus Software Policy—Name of the anti-virus software policy used in the security policy.
•
Server Address—IPv4 address of the server from which users can download anti-virus software
and update packages.
•
IPv6 Server Address—IPv6 address of the server from which users can download anti-virus
software and update packages.
•
Failure Notification—Message that the iNode client displays when an access user fails the
anti-virus software check.
When an access user fails the anti-virus software check, EAD sends the IPv4 address of the
server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6
address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
Anti-Spyware Software Control area
The anti-spyware software check takes effect on Windows, Linux, and Mac OS PCs and Android
smart terminals.
•
Check Anti-Spyware Software—Indicates whether to check the anti-spyware software on the
user terminal. The check items include the anti-spyware definition version, engine version,
software installation status, and software running status.
The following parameters appear only when the Check Anti-Spyware Software option is selected:
36
•
Anti-Spyware Software Policy—Name of the anti-spyware software policy used in the security
policy.
•
Server Address—IPv4 address of the server from which users can download anti-spyware
software and update packages.
Configuring security policies
•
IPv6 Server Address—IPv6 address of the server from which users can download anti-spyware
software and update packages.
•
Failure Notification—Message that the iNode client displays when an access user fails the
anti-spyware software check.
When an access user fails the anti-spyware software check, EAD sends the IPv4 address of
the server to the user using IPv4 address, or the IPv6 address of the server to the user using
IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
Firewall Software Control area
The firewall software check takes effect only on Windows, Linux, and Mac OS PCs.
•
Check Firewall Software—Indicates whether to check the firewall software on the user terminal.
The check items include the firewall installation status and running status.
The following parameters appear only when the Check Firewall Software option is selected:
•
Firewall Software Policy—Name of the firewall software policy used in the security policy.
•
Server Address—IPv4 address of the server from which users can download the firewall
software.
•
IPv6 Server Address—IPv6 address of the server from which users can download the firewall
software.
•
Failure Notification—Message that the iNode client displays when an access user fails the
firewall software check.
When an access user fails the firewall software check, EAD sends the IPv4 address of the
server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6
address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
Anti-Phishing Software Control area
The anti-phishing software check takes effect only on Windows and Mac OS PCs.
•
Check Anti-Phishing Software—Indicates whether to check the anti-phishing software on the
user terminal. The check items include the anti-phishing software installation status and the
software running status.
The following parameters appear only when the Check Anti-Phishing Software option is selected:
•
Anti-Phishing Software Policy—Name of the anti-phishing software policy used in the security
policy.
•
Server Address—IPv4 address of the server from which users can download the anti-phishing
software and update packages.
•
IPv6 Server Address—IPv6 address of the server from which users can download the
anti-phishing software and update packages.
•
Failure Notification—Message that the iNode client displays when an access user fails the
anti-phishing software check.
When an access user fails the anti-phishing software check, EAD sends the IPv4 address of
the server to the user using IPv4 address, or the IPv6 address of the server to the user using
IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
Security policy management
37
Hard Disk Encryption Software Control area
The hard disk encryption software check takes effect only on Windows PCs.
•
Check Hard Disk Encryption Software—Indicates whether to check the installation status of the
hard disk encryption software on the user terminal.
The following parameters appear only when the Check Hard Disk Encryption Software option is
selected:
•
Hard Disk Encryption Software Policy—Name of the hard disk encryption software policy used
in the security policy.
•
Server Address—IPv4 address of the server from which users can download the hard disk
encryption software.
•
IPv6 Server Address—IPv6 address of the server from which users can download the hard
disk encryption software.
•
Failure Notification—Message that the iNode client displays when an access user fails the
hard disk encryption software check.
When an access user fails the hard disk encryption software check, EAD sends the IPv4 address
of the server to the user using IPv4 address, or the IPv6 address of the server to the user using
IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
PC Software Control area
The PC software control check takes effect only on Windows, Linux, and Mac OS PCs. The check
items include software, processes, services, and files.
This area lists the configurations of PC software control groups, including the group name, PC
software control type, and check type.
•
Check PC Software Control—Indicates whether to check the software, processes, services, and
files on the PC.
The following parameters appear only when the Check PC Software Control option is selected:
•
Group Name—Name of the PC software control group to be checked.
•
Type—Type of the PC software control group to be checked: Software, Process, Service, or
File.
•
Check Type—Check type of the PC software control group. The check type options vary with
the PC software control types, as described in Table 5.
•
Server Address—IPv4 address of the server from which access users can download the required
software, update files, and repair tools.
•
IPv6 Server Address—IPv6 address of the server from which access users can download the
required software, update files, and repair tools.
•
Failure Notification—Message that the iNode client displays when an access user fails the PC
software control group check.
When an access user fails the PC software control group check, EAD sends the IPv4 address
of the server to the user using IPv4 address, or the IPv6 address of the server to the user using
IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
38
Configuring security policies
Table 5 PC software control groups and check types
Group type
Software
Check types
◦
Installed Forbidden—Prohibits any software products
in the control group from being installed on the user
terminal.
◦
Installed Required—Requires all software products
in the control group be installed on the user terminal.
◦
Installed Allowed—Allows only the software products
in the control group to be installed on the user
terminal. Only one control group can be set as
Installed Allowed.
◦
Running Forbidden—Prohibits any processes in the
control group from running on the user terminal.
◦
Running Required—Requires all processes in the
control group be running on the user terminal.
◦
Started Forbidden—Prohibits any services in the
control group from being started on the user terminal.
◦
Started Required—Requires all services in the control
group be started on the user terminal.
◦
Non-Existent—Prohibits any files in the control group
from being stored on the user terminal.
◦
Existent—Requires all files in the control group exist
on the user terminal.
Process
Service
File
Smart Terminal Software Control area
The smart terminal software control check takes effect only on Android smart terminals.
Security policy management
39
This area lists the configurations of smart terminal software control groups, including the group
name, smart terminal software control type, and check type.
•
Check Smart Terminal Software Control—Indicates whether to check the software, processes,
services, and files on the smart terminal.
The following parameters appear only when the Check Smart Terminal Software Control option is
selected:
•
Group Name—Name of the software control group to be checked for smart terminals.
•
Type—Type of the software control group to be checked for smart terminal, which is always
Software.
•
Check Type—Check type of the smart terminal software control group. Options are Installed
Forbidden and Installed Required.
•
◦
Installed Forbidden—Prohibits any software products in the control group from being
installed on the smart terminal.
◦
Installed Required—Requires all software products in the control group be installed on
the smart terminal.
Failure Notification—Message that the iNode client displays when an access user fails the
smart terminal software control group check.
Patch Management Software Control area
The patch management software control check takes effect only on Linux and Mac OS PCs.
•
Check Patch Management Software—Indicates whether to check the patch management
software on the user terminal.
•
Failure Notification—Message that the iNode client displays when an access user fails the
patch management software check. This parameter appears only when the Check Patch
Management Software option is selected.
Windows Patch Control area
The Windows patch control check takes effect only on Windows PCs.
This area displays the Windows patch check method adopted in the security policy. The check
methods are as follows:
•
Check Through Microsoft Server—Enables the iNode client to check the missing patches and
their severity levels by connecting to the Microsoft WSUS or SMS server. Patches are then
downloaded and installed automatically.
•
Check Manually—Enables the iNode client to check the missing patches and their severity
levels by connecting to the EAD server. The user can then download and install the required
patches manually.
This area has the following option:
•
Check Windows Patches—Indicates whether to check the Windows patches on the user terminal.
The following parameters appear only when the Check Windows Patches option is selected:
•
40
Patch Check Interval—Specifies how many days to omit patch checks for an access user after
the user has passed a patch check. When the Patch Check Interval is set to 0, EAD checks
patches in every security check. Otherwise, EAD excludes patch check items from security
checks for the user terminal for the number of days indicated by the Patch Check Interval. To
Configuring security policies
modify the interval, navigate to the Endpoint Admission Defense>Service Parameters>System
Parameters Config page.
•
Check Through Microsoft Server
The following parameters apply to the Windows patch check through the Microsoft server:
◦
Flexible Patching—Arranges the patch check and installation work for PCs at different
time of the week to improve efficiency and reduce workload on the patch server. For a
user who has not gone through a patch check for 21 days, patch check and installation
is performed for the user once the user gets online. When this option is selected, the Patch
Check Interval parameter becomes invalid and disappears from the page.
◦
Server Address—IPv4 address of the Microsoft WSUS or SMS server.
◦
IPv6 Server Address—IPv6 address of the Microsoft WSUS or SMS server.
When checking the Windows patches for an access user, EAD sends the IPv4 address of the
WSUS or SMS server to the user using IPv4 address, or the IPv6 address of the server to the
user using IPv6 address. The iNode client checks and repairs Windows according to the
address it receives.
•
Check Manually
The following parameters apply to the manual Windows patch check:
◦
Patch Level—Severity levels of the Windows patches: Critical, Important, Moderate, and
Low. EAD checks all patches of the selected severity levels.
◦
Patch Server Address—IPv4 address of the server from which users can download the
required patches.
◦
IPv6 Patch Server Address—IPv6 address of the server from which users can download
the required patches.
When an access user fails the Windows patch check, EAD sends the IPv4 address of the patch
server to the user using IPv4 address, or the IPv6 address of the patch server to the user using
IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the
download services.
•
Failure Notification—Message that the iNode client displays when an access user fails the
Windows patch check.
Registry Control area
The registry control check takes effect only on Windows PCs.
•
Check Registry—Indicates whether to check the registries on the user terminal.
The following parameters appear only when the Check Registry option is selected:
•
Registry Control Name—Name of the registry control policy used in the security policy. EAD
checks registries on the user terminal according to the selected registry control policies.
•
Failure Notification—Message that the iNode client displays when an access user fails the
registry control check.
Security policy management
41
Share Control area
The share control check takes effect only on Windows PCs.
•
Check Share—Indicates whether to check the share directories on the user terminal.
The following parameters appear only when the Check Share option is selected:
•
Share Control—Name of the share control policy used in the security policy.
•
Failure Notification—Message that the iNode client displays when an access user fails the
share check.
Smart Terminal Policy area
The smart terminal configuration check takes effect only on Android smart terminals.
•
Check Smart Terminal Configuration—Indicates whether to check the configuration of the smart
terminal.
The following parameters appear only when the Check Smart Terminal Configuration option is
selected:
•
Smart Terminal Policy—Name of the smart terminal policy used in the security policy.
•
Failure Notification—Message that the iNode client displays when an access user fails the
smart terminal configuration check.
Asset registration status check area
The asset registration status check takes effect only on Windows PCs.
•
Check Asset Registration Status—Indicates whether to check the asset registration status of the
user terminal.
•
Failure Notification—Message that the iNode client displays when an access user fails the
asset registration status check. This parameter appears only when the Check Asset Registration
Status option is selected.
Periodic check area
The traffic check and operating system password check take effect only on Windows PCs.
•
Traffic Control—Name of the traffic control policy used in the security policy.
•
Check Operating System Password—Indicates whether to check the operating system password
of the user terminal periodically. The EAD security policy determines the strength of a password
by consulting the password dictionary.
•
Failure Notification—Message that the iNode client displays when an access user fails the
operating system password check. This parameter appears only when the Check Operating
System Password option is selected.
Viewing the security policy list
To view the security policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
4.
42
To sort the Security Policy List, click the Policy Name, Security Level, Isolation Mode, or Service
Group column label.
Click Refresh to refresh the Security Policy List.
Configuring security policies
Viewing security policy details
To view IPv6 configurations, operators must enable IPv6 address support on UAM and EAD
components by modifying UAM service parameters. For instructions on how to modify UAM service
parameters, see HP IMC User Access Manager Administrator Guide.
To view the details of a security policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
Click the name of the security policy for which you want to view the detailed information.
The View Security Policy page appears.
4.
To go back to the Security Policy List, click Back.
Adding a security policy
To perform IPv6 configurations, operators must enable IPv6 address support on UAM and EAD
components by modifying UAM service parameters. For information about modifying UAM service
parameters, see HP IMC User Access Manager Administrator Guide.
To add a security policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
Click Add.
The Add Security Policy page appears.
4.
5.
6.
Configure the basic information for the security policy. The policy name must be unique in
EAD.
Configure the parameters in the following areas:
•
Isolation Mode
•
URL Control
•
Anti-Virus Software Control
•
Anti-Spyware Software Control
•
Firewall Software Control
•
Anti-Phishing Software Control
•
Hard Disk Encryption Software Control
•
PC Software Control
•
Smart Terminal Software Control
•
Patch Management Software Control
•
Windows Patch Control
•
Registry Control
•
Share Control
•
Smart Terminal Policy
•
Asset Registration Status Check
•
Periodic Check
Click OK.
Security policy management
43
Modifying a security policy
To perform IPv6 configurations, operators must enable IPv6 address support on UAM and EAD
components by modifying UAM service parameters. For information about modifying UAM service
parameters, see HP IMC User Access Manager Administrator Guide.
To modify a security policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
Click the Modify icon
for the security policy you want to modify.
The Modify Security Policy page appears.
4.
5.
Modify the basic information for the security policy. You cannot modify Policy Name or Service
Group.
Modify the parameters in the following areas as needed:
•
Isolation Mode
•
URL Control
•
Anti-Virus Software Control
•
Anti-Spyware Software Control
•
Firewall Software Control
•
Anti-Phishing Software Control
•
Hard Disk Encryption Software Control
•
PC Software Control
•
Smart Terminal Software Control
•
Patch Management Software Control
•
Windows Patch Control
•
Registry Control
•
Share Control
•
Smart Terminal Policy
•
Asset Registration Status Check
•
Periodic Check
Deleting a security policy
Before you delete a security policy that has been assigned to a service, you must cancel their
associations.
To delete a security policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
Click the Delete icon
for the security policy you want to delete.
A confirmation dialog box appears.
4.
44
Click OK.
Configuring security policies
Configuring real-time monitoring
With the real-time monitoring function, the iNode client interacts with the EAD server to perform a
periodic security check for online users. To ensure network security, the iNode client processes in
real time any violation or abnormality detected on the user terminal.
The following check items support real-time monitoring. Operators must select the check items in
the security policy in order to have them monitored in real time. The check items include:
•
Anti-virus software
•
Anti-spyware software
•
Firewall software
•
Anti-phishing software
•
Hard disk encryption software
•
PC software control groups
•
Smart terminal software control groups
•
Registries
•
Share directories
•
Smart terminal configuration
The following check items do not support real-time monitoring:
•
Windows patches
•
Asset registration status
•
Traffic monitoring
•
Operating system password
With the exception of Windows patches, these items are checked at a system-defined interval that
cannot be modified. To ensure EAD security check efficiency, operators can define in the service
parameter configuration the interval at which Windows patches are checked.
Enabling real-time monitoring
To enable real-time monitoring in the security policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
Click the Modify icon
monitoring.
for the security policy for which you want to enable real-time
The Modify Security Policy page appears.
4.
5.
Configure the following parameters in the Basic Information area:
•
Monitor in Real Time—Select this option to enable real-time monitoring of user terminals
in the security policy.
•
Process After—Specify the amount of time, in minutes, that the iNode client waits before
it isolates or kicks out an access user for whom a violation is detected in real-time
monitoring. The iNode client prompts the user to make the necessary remediation and
initiate a new security check to avoid being isolated or kicked out. This option is available
only when the Monitor in Real Time option is selected.
Click OK.
Security policy management
45
Modifying the real-time monitoring parameters
Operators can modify the Real-time Monitor Interval parameter in the service parameter
configuration to ensure both the efficiency of real-time monitoring and the performance of the user
terminal and EAD server.
EAD can forcibly check items that do not support real-time monitoring for users who stay online
for a long time. To do this, modify the Reauthentication Interval parameter in the service parameter
configuration.
To modify the real-time monitoring parameters:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Service Parameters > System Parameters from the
navigation tree.
The System Parameters Config page appears.
3.
4.
Modify the following real-time monitoring parameters:
•
Real-Time Monitor Interval—Enter, in seconds, the interval at which the real-time security
check is performed. The default setting is 60 seconds.
•
Reauthentication Interval—Enter, in hours, the interval at which an online user is forced
to be reauthenticated. The default setting is 24 hours.
Click OK.
Configuring the default security policy for roaming users
For roaming users, the EAD server on the visited network, not the local EAD server, checks their
security items.
You can configure only one security policy as the default security policy for roaming users. The
default security policy shows the [Default policy for roaming users] tag in the Policy Name field on
the Security Policy List.
To set the default security policy for roaming users:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Policy from the navigation tree.
The Security Policy List displays all security policies.
3.
4.
5.
Click the Modify icon
for the security policy you want to set as the default policy for roaming
users.
In the Basic Information area, select Set as Default Policy for Roaming Users.
Click OK.
Assigning security policies
When an endpoint user accesses the network, UAM determines the access scenario of the user,
and sends the matching security policy to the iNode client on the user's terminal. If the user matches
no access scenario, the default security policy is used. The iNode client performs security checks
on the user terminal according to the received security policy.
Assigning the default security policy to a service
You can assign a security policy to a service as the default security policy. When a user matches
no access scenarios defined for the access policies of the service, EAD deploys the default security
policy to the user.
To assign the default security policy to a service:
1. Click the Service tab.
2. Select User Access Manager > Service Configuration from the navigation tree.
46
Configuring security policies
3.
Click the Modify icon
for the service to which you want to assign a default security policy.
The Modify Service Configuration page appears.
4.
5.
In the Basic Information area, select the security policy you want to assign to the service from
the Default Security Policy list. Or select Disable Security Policy to disable security checks on
users matching no access scenarios in the service.
Click OK.
Assigning a security policy to an access policy
You can assign a security policy to individual access policies in a service. When a user matches
the access scenario defined for an access policy, EAD deploys the matching security policy to the
user.
To assign a security policy to an access policy in a service:
1. Click the Service tab.
2. Select User Access Manager > Service Configuration from the navigation tree.
3.
Click the Modify icon
for the target service.
The Modify Service Configuration page appears.
4.
In the Access Policy List, click the Modify icon
assign a security policy.
for the access policy to which you want to
The Modify Access Policy window appears.
5.
6.
Select a security policy from the Security Policy list. Or select Disable Security Policy to disable
security checks on users matching the access scenario of the policy.
Click OK.
The Modify Access Policy window closes.
7.
Click OK.
Security level management
A security level is a set of actions to be performed in response to security violations. A security
violation occurs when a terminal fails a security check item.
A security level takes effect after it is assigned to a security policy. Operators can view, add,
modify, and delete security levels.
EAD has the following system-defined security levels:
•
Monitor Mode—Monitors the access user who fails any security check item defined in the
security policy.
•
VIP Mode—Informs the access user who fails any security check item defined in the security
policy.
•
Isolate Mode—Isolates the access user who fails any security check item defined in the security
policy.
•
Kick Out Mode—Kicks out the access user who fails any security check item defined in the
security policy.
•
Guest Mode—Logs off the access user 5 minutes after the user fails any security check item
defined in the security policy.
EAD supports the following actions, in ascending order of severity:
•
Monitor—Allows the user to access the network without informing the user of any security
vulnerability on the user terminal, and generates a security log.
•
Inform—Allows the user to access the network, informs the user of the security vulnerability
on the user terminal and remediation methods, and generates a security log.
Security level management
47
•
Isolate—Isolates the user in a restricted area specified by the isolation ACL, informs the user
of the security vulnerability and remediation methods, and generates a security log.
•
Kick Out—Denies the access request of the user, informs the user of the security vulnerability
on the user terminal, and generates a security log.
You can also configure the Action After parameter to specify how long the access user with a
security check failure can access the network before being isolated or kicked out.
Making a security level action take effect
For the action specified for a check item in the security level to take effect, you must complete the
following tasks:
1. Enable the security check item.
2. Specify an associated control policy in the security policy.
For example, to perform the specified action on the access user who fails the anti-virus software
check:
1. Enable the anti-virus software check in the security policy.
2. Specify an anti-virus software policy.
Special cases
Abnormal traffic
For the action specified for abnormal traffic in the security level to take effect, you must enable the
traffic monitoring function in the security policy and specify the items to be checked in the traffic
monitoring policy.
For example, to enable the iNode client to perform the specified action on the access user whose
IP traffic running on the authenticated NIC exceeds the minor threshold or severe threshold:
1. Enable the traffic monitoring function in the security policy.
2. Set the IP traffic thresholds.
WSUS/SMS Server Collaboration Failure and Auto-Installation Failure
For the action specified in the security level for WSUS/SMS Server Collaboration Failure and
Auto-Installation Failure to take effect, enable the Check Through Microsoft Server feature in the
security policy.
Security level list contents
The security level list comprises the following parameters:
•
Security Level Name—Name of the security level. Click the name to view its details.
•
Description—Description of the security level.
•
Service Group—Service group to which the security level belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the security level settings.
to delete the security level.
Security level details
Security level details comprise basic security level information and advanced check settings. This
section describes parameters on each area of the security level details.
48
Configuring security policies
Basic Information area
•
Security Level Name—Name of the security level.
•
Action After—Amount of time, in minutes, that the access user with a security check failure
can access the network before being isolated or kicked out. During that time, the user can
make the necessary remediation and initiate a new security check to prevent being isolated
or kicked out. This parameter is available only when the Isolate or Kick Out action is configured
for a check item, excluding the traffic monitoring check and the operating system password
check.
•
Description—Description of the security level.
•
Service Group—Service group to which the security level belongs.
Traffic Monitoring area
•
IP Traffic Minor Threshold Exceeded—Action to take when the total IP traffic of all NICs on the
user terminal is above or equal to the IP Traffic Minor Threshold, and below the IP Traffic
Severe Threshold configured in the traffic control policy.
•
IP Traffic Severe Threshold Exceeded—Action to take when the total IP traffic of all NICs on
the user terminal is above or equal to the IP Traffic Severe Threshold configured in the traffic
control policy.
•
Broadcast Packets Minor Threshold Exceeded—Action to take when the total number of
broadcast packets sent by all NICs on the user terminal is above or equal to the Broadcast
Packets Minor Threshold, and below the Broadcast Packets Severe Threshold configured in
the traffic control policy.
•
Broadcast Packets Severe Threshold Exceeded—Action to take when the total number of
broadcast packets sent by all NICs on the user terminal is above or equal to the Broadcast
Packets Severe Threshold configured in the traffic control policy.
•
Packets Minor Threshold Exceeded—Action to take when the total number of packets passing
the authenticated NIC of the user terminal is above or equal to the Packets Minor Threshold,
and below the Packets Severe Threshold configured in the traffic control policy.
•
Packets Severe Threshold Exceeded—Action to take when the total number of packets passing
the authenticated NIC of the user terminal is above or equal to the Packets Severe Threshold
configured in the traffic control policy. The authenticated NIC is used by an access user to
pass identity authentication and to access the network.
•
TCP/UDP Connections Minor Threshold Exceeded—Action to take when the total number of
TCP/UDP connections of all NICs on the user terminal is above or equal to the TCP/UDP
Connections Minor Threshold, and below the TCP/UDP Connections Severe Threshold
configured in the traffic control policy.
•
TCP/UDP Connections Severe Threshold Exceeded—Action to take when the total number of
TCP/UDP connections of all NICs on the user terminal is above or equal to the TCP/UDP
Connections Severe Threshold configured in the traffic control policy.
Anti-Virus Software area
•
Anti-Virus Software Not Installed—Action to take on the access user whose terminal does not
have the anti-virus software installed.
•
Anti-Virus Client Runtime Error—Action to take on the access user whose anti-virus software
is faulty.
Security level management
49
•
Old Anti-Virus Software/Engine Version—Action to take on the access user whose anti-virus
software version on the smart terminal or anti-virus engine version on the PC is lower than the
version configured in the anti-virus software policy.
•
Old Virus Definition Version—Action to take on the access user whose virus definition version
is lower than the version configured in the anti-virus software policy.
Anti-Spyware Software area
•
Anti-Spyware Software Not Installed—Action to take on the access user whose terminal does
not have the anti-spyware software installed.
•
Anti-Spyware Client Runtime Error—Action to take on the access user whose anti-spyware
software is faulty.
•
Old Anti-Spyware Software/Engine Version—Action to take on the access user whose
anti-spyware software version on the smart terminal or anti-spyware engine version on the PC
is lower than the version configured in the anti-spyware software policy.
•
Old Spyware Definition Version—Action to take on the access user whose spyware definition
version is lower than the version configured in the anti-spyware software policy.
Firewall Software area
•
Firewall Software Not Installed—Action to take on the access user whose terminal does not
have the firewall software installed.
•
Firewall Client Runtime Error—Action to take on the access user whose firewall software is
faulty.
Anti-Phishing Software area
•
Anti-Phishing Software Not Installed—Action to take on the access user whose terminal does
not have the anti-phishing software installed.
•
Anti-Phishing Software Runtime Error—Action to take on the access user whose anti-phishing
software is faulty.
Hard Disk Encryption Software area
•
Hard Disk Encryption Software Not Installed—Action to take on the access user whose terminal
does not have the hard disk encryption software installed.
PC Software Control Group area
•
Global Security Mode—Action to take on the access user who violates any PC software control
group specified for check in the security policy. In global security mode, you cannot view the
names of the PC software control groups.
•
Security Mode of a PC Software Control Group—Action to take on the access user who violates
the PC software control group. When you configure actions specific to the PC software control
groups, the Global Security Mode option does not appear.
Smart Terminal Software Control Group area
50
•
Global Security Mode—Action to take on the access user who violates any smart terminal
software control group specified for check in the security policy. In global security mode, you
cannot view the names of the smart terminal software control groups.
•
Security Mode of a Smart Terminal Software Control Group—Action to take on the access user
who violates the smart terminal software control group. When you configure actions specific
to the smart terminal control groups, the Global Security Mode option does not appear.
Configuring security policies
Patch Management Software area
•
Patch Manager Software Not Installed—Action to take on the access user whose terminal does
not have the patch management software installed.
•
Patch Manager Software Runtime Error—Action to take on the access user whose patch
management software is faulty.
Windows Patches area
•
WSUS/SMS Server Collaboration Failure—Action to take on the access user when the iNode
client cannot connect to the Microsoft WSUS or SMS server.
•
Auto-Installation Failure—Action to take on the access user when automatic patch installation
fails on the user terminal.
•
Critical—Action to take on the access user whose terminal lacks a critical-level patch.
•
Important—Action to take on the access user whose terminal lacks an important-level patch.
•
Moderate—Action to take on the access user whose terminal lacks a moderate-level patch.
•
Low—Action to take on the access user whose terminal lacks a low-level patch.
Registry area
•
Global Security Mode—Action to take on the access user who violates any registry control
policies specified for check in the security policy. In global security mode, you cannot view
the names of the registry control policies.
•
Security Mode of a Specific Registry Control Policy—Action to take on the access user who
violates the registry control policies. When you configure actions specific to the registry control
policies, the Global Security Mode option does not appear.
Share area
•
Global Security Mode—Action to take on the access user who violates any share control policy
specified for check in the security policy. In global security mode, you cannot view the names
of the share control policies.
•
Security Mode of a Specific Share Control Policy—Action to take on the access user who
violates the share control policy. When you configure actions specific to each share control
policy, the Global Security Mode option does not appear.
Smart Terminal Configuration
•
GPS Service Not Enabled—Action to take on the smart terminal on which the GPS service is
disabled.
•
Bluetooth Service Not Disabled—Action to take on the smart terminal on which the Bluetooth
service is enabled.
•
Auto Lock Not Enabled—Action to take on the smart terminal on which the Auto Lock feature
is disabled.
Security level management
51
Asset Registration Status area
•
Unregistered Assets—Action to take on the access user who uses an unregistered asset for
network access.
Operating System Password area
•
Operating System Password Check Failed—Action to take on the access user who fails the
operating system password check.
Viewing the security level list
To view the security level list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Level from the navigation tree.
The Security Level List displays all security levels.
3.
4.
To sort the Security Level List, click the Security Level Name or Service Group column label.
Click Refresh to refresh the Security Level List.
Viewing security level details
To view the details of a security level:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Level from the navigation tree.
The Security Level List displays all security levels.
3.
Click the name of the security level for which you want to view the detailed information.
The View Security Level page appears.
4.
To go back to the Security Level List, click Back.
Adding a security level
To add a security level:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Level from the navigation tree.
The Security Level List displays all security levels.
3.
Click Add.
The Add Security Level page appears.
4.
5.
52
Configure the basic information for the security level. The name of the security level must be
unique in EAD.
Configure the parameters in the following areas:
•
Traffic Monitoring
•
Check Anti-Virus Software
•
Check Anti-Spyware Software
•
Check Firewall Software
•
Check Anti-Phishing Software
•
Check Hard Disk Encryption Software
•
Check PC Software Control Group
•
Check Smart Terminal Software Control
•
Check Patch Management Software
Configuring security policies
6.
•
Check Windows Patches
•
Check Registry
•
Check Share
•
Check Smart Terminal Configuration
•
Check Asset Registration Status
•
Check Operating System Password
Click OK.
Modifying a security level
The system-defined and user-defined security levels are displayed in the security level list and can
be modified. During the real-time check, the EAD server determines whether a user who fails the
check should be monitored, informed, isolated, or kicked out according to the modified security
level.
To modify a security level:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Level from the navigation tree.
The Security Level List displays all security levels.
3.
Click the Modify icon
for the security level you want to modify.
The Modify Security Level page appears.
4.
5.
6.
Modify the basic information for the security level. You cannot modify Security Level Name or
Service Group.
Configure the parameters in the following areas:
•
Traffic Monitoring
•
Check Anti-Virus Software
•
Check Anti-Spyware Software
•
Check Firewall Software
•
Check Anti-Phishing Software
•
Check Hard Disk Encryption Software
•
Check PC Software Control Group
•
Check Smart Terminal Software Control
•
Check Patch Management Software
•
Check Windows Patches
•
Check Registry
•
Check Share
•
Check Smart Terminal Configuration
•
Check Asset Registration Status
•
Check Operating System Password
Click OK.
Deleting a security level
You cannot delete a security level that is assigned to a security policy. To delete the security level,
you must first remove it from the security policy.
Security level management
53
To delete a security level:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Security Level from the navigation tree.
The Security Level List displays all security levels.
3.
Click the Delete icon
for the security level you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Hierarchical node management
Hierarchical node management applies to enterprises or organizations and their branches. By
allowing deployment of EAD servers at both the headquarters and the individual branches,
hierarchical node management helps to improve efficiency and flexibility of EAD security check
for all branches. Operators can implement either centralized policy management or noncentralized
policy management.
•
Centralized policy management—Uses a central EAD server located at the headquarters to
deploy security policies and services to every branch EAD server. The branch EAD servers
use the deployed security policies to control security check for access users and to report the
security data to the central EAD server. Operators can view the security statistics report for
the entire organization from the central EAD server.
•
Noncentralized policy management—Allows branches to define their security policies and to
report data to the central EAD server. Operators can view the security statistics report for every
branch from the central EAD server.
With hierarchical node management, each set of EAD components requires a license based on
the number of users to be authenticated. For more information, see “Service parameters
management” (page 310).
An EAD server can act as a parent node, child node, or both. Each EAD server can have multiple
child nodes but only one parent node.
Child node list contents
The child node list (<Current Node Name> Grade Node List) comprises the following parameters:
54
•
Policy Update Time—Time when the policy of the current node was last updated. This field is
available only when Centralized Policy Management is set to Enable.
•
Node Name—Name of the child node. Click the name to view its details.
•
Status—Status of the child node:
◦
Normal—Indicates that the communication between the child node and the current node
is normal.
◦
Abnormal—Indicates that the last report time is empty, the last report time was more than
40 minutes ago, or the last deployment failed.
•
IP Address—IP address of the child node.
•
Port—Listening port of the child node.
•
Protocol Type—Protocol type used to access the child node. Only HTTP is supported.
•
Last Report Time—Time when the child node last reported security data to the current node.
•
Last Deploy—Time when the current node last performed a deployment to its child nodes.
Configuring security policies
•
Operation Result—Operation result of the last deployment.
•
Operation—Provides the following icons:
◦
Configure
—Configure the services to be deployed to the child node. You can perform
this operation only when Centralized Policy Management is set to Enable.
◦
Deploy
—Deploy the selected services to the child node. You can perform this operation
only when Centralized Policy Management is set to Enable.
◦
Deployment History
—View the deployment history of the child node. You can perform
this operation only when Centralized Policy Management is set to Enable.
◦
Modify
◦
Delete
—Modify the settings of the child node.
—Delete the child node.
Child node information details
Child node information details comprise the following areas:
•
Basic Information
•
Real-time statistics on the number of users on the child node
•
Real-time statistics on the number of user-services failing the security check on the child nodes
Basic Information area
•
Node Name—Name of the child node.
•
Status—Status of the child node: Normal or Abnormal.
•
Reason for Abnormality—Reason why the child node is abnormal. When the child node is in
the normal state, this field is empty.
•
IP Address—IP address of the child node.
•
Port—Listening port of the child node.
•
Protocol Type—Protocol type used to access the child node. Only HTTP is supported.
•
AUTH for Accessing Child Node—Indicates whether identity authentication is required for
accessing the child node. Identity authentication is required in centralized policy management.
•
Login Name—User name used by the current node to access the child node. This field is
available only when AUTH for Accessing Child Node is set to Enable.
•
Last Report Time—Time when the child node last reported data to the current node.
•
Last Success Deploy—Time when the current node last performed a successful deployment on
the child node.
•
Last Deploy—Time when the current node last performed a deployment.
•
Operation Result—Result of the last deployment performed by the current node.
•
Reason—Reason why the last deployment performed by the current node failed. If the last
deployment was successful, this field is empty.
Real-time statistics on the number of users on the child node area
•
Number of access users allowed by license—Last reported maximum number of access users
permitted by the license on the child node.
•
Number of created access users—Last reported number of existing access users on the child
node.
Hierarchical node management
55
•
Number of EAD users allowed by license—Last reported maximum number of EAD users
permitted by the license on the child node.
•
Number of created EAD users—Last reported number of existing EAD users on the child node.
•
Number of online users—Last reported number of online users on the child node.
•
Number of secure online users—Last reported number of online users who passed the security
check on the child node.
•
Number of insecure online users—Last reported number of online users who failed the security
check on the child node. Insecure users include those who are monitored, informed, isolated,
and are to be kicked out.
•
Number of unknown online users—Last reported number of unknown online users on the child
node. Unknown users include those who are not required to pass the security check and those
who are currently going through the security check.
•
Number of blacklist users—Last reported number of blacklisted access users on the child node.
•
Number of guests—Last reported number of guests on the child node.
Real-time statistics on the number of user-services failing the security check on the child nodes area
56
•
Anti-virus software check failures—Number of access users who failed the anti-virus software
check.
•
Anti-phishing software check failures—Number of access users who failed the anti-phishing
software check.
•
Firewall software check failures—Number of access users who failed the firewall software
check.
•
Anti-spyware software check failures—Number of access users who failed the anti-spyware
software check.
•
Hard disk encryption software check failures—Number of access users who failed the hard
disk encryption software check.
•
Windows patch check failures—Number of access users who failed the Windows patch check.
•
Patch management software check failures—Number of access users who failed the patch
management software check.
•
Application check failures—Number of access users who failed the application check.
•
Number of users failing smart terminal software control group check—Number of access users
who failed the smart terminal software control group check.
•
Number of users failing smart terminal configuration check—Number of access users who
failed the smart terminal configuration check.
•
Registry check failures—Number of access users who failed the registry check.
•
Share directory check failures—Number of access users who failed the share directory check.
•
Traffic monitoring check failures—Number of access users who failed the traffic monitoring
check.
•
Operating system password check failures—Number of access users who failed the operating
system password check.
•
Asset registration check failures—Number of access users who failed the asset registration
check.
Configuring security policies
Parent node information
Parent node information comprises the following parameters:
•
IP Address—IP address of the parent node.
•
Port—Listening port of the parent node.
•
Protocol Type—Protocol type used by the parent node.
•
Confirmed or Not—Indicates whether the parent node has been confirmed.
Viewing the child node list
To view the child node list of the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
4.
To sort the <Current Node Name > Grade Node List, click the Node Name, Status, IP Address,
Port, Protocol Type, Last Report Time, Last Deploy, or Operation Result column label.
Click Refresh to refresh the <Current Node Name> Grade Node List.
Modifying the name of the current node
To modify the name of the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click Modify Self.
The Modify Self window appears.
4.
5.
Enter the name of the current node in the Node Name field.
Click OK.
The Grade Node List title bar displays the new name of the current node.
Viewing child node details
Operators can view detailed information about each child node immediately below the current
node.
To view child node details:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click the name of the child node for which you want to view the detailed information.
The Child Node Information page appears.
4.
To go back to the <Current Node Name> Grade Node List of the current node, click Back.
Hierarchical node management
57
Adding a child node
You cannot configure a node’s own parent node (or other node above it) as its child node.
To add a child node to the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click Add.
The Add Child Node window appears.
4.
5.
Configure the following parameters for the child node:
•
Node Name—Enter the name of the child node.
•
IP Address—Enter the IP address of the child node that is deployed with the EAD
component.
•
Port—Enter the listening port of the child node.
•
Protocol Type—Select the protocol type used to access the child node. Only HTTP is
supported.
•
AUTH for Accessing Child Node—Select this option to enable identity authentication for
accessing the child node. Identity authentication is required in centralized policy
management.
•
Login Name—Enter the user name used to access the child node. The user name must be
that of an administrator of the child node. This parameter is available only when AUTH
for Accessing Child Node is set to Enable.
•
Login Password—Enter the login password of the administrator. This parameter is available
only when AUTH for Accessing Child Node is set to Enable.
Click OK.
The new child node appears in the Grade Node List of the current node.
The current node cannot deploy services to this child node until an operator logs in to the child
node to confirm the current node as its parent node. For more information, see “Confirming the
parent node” (page 59).
Modifying a child node
To modify a child node of the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click the Modify icon
for the child node you want to modify.
The Modify Child Node window appears.
4.
Modify the parameters for the child node.
For more information, see “Adding a child node” (page 58).
5.
58
Click OK.
Configuring security policies
Deleting a child node
To remove the hierarchical relationship between two nodes, first delete the child node from its
parent node, and then delete the parent node. The statistics for the child node are not collected
when viewing the multi-node statistics report for the current node.
To delete a child node:
1. Click the Service tab.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
2.
Click the Delete icon
for the child node you want to delete.
A confirmation dialog box appears.
3.
Click OK.
Confirming the parent node
A node cannot receive deployment contents from the parent node if the parent node is not confirmed.
To confirm the parent node for the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click Confirm Parent Node.
The Confirm Parent Node page appears.
4.
5.
View the parent node information.
Click OK.
Deleting the parent node
To remove the hierarchical relationship between two nodes, first delete the child node from its
parent node, and then delete the parent node. The current node does not report data to the parent
node.
To delete the parent node for the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click Delete Parent.
The Delete Parent page appears.
4.
Click Delete.
Deploying services, security policies, and service parameters
Hierarchical node management offers automatic and manual deployment of services, security
policies used by the services, and EAD service parameters from a node to its child nodes. The
node deploys the EAD service parameters Data Reporting Time and Data Lifetime to its child nodes
because they cannot be configured on the individual child nodes. A child node uses the deployed
services and security policies for identity authentication and security check.
Deploying services, security policies, and service parameters
59
With automatic deployment, a node checks the Policy Update Time for child nodes daily at the
scheduled deployment time. The node performs the deployment when the Policy Update Time is
later than the last successful deployment time.
The policy update time is refreshed, as well as any changes to the service parameters, security
policies, and security check items.
Deployment contents
The contents of both automatic and manual deployment depend on the centralized policy
management status.
•
When centralized policy management is enabled, automatic and manual deployment both
deliver services, security policies, and service parameters to the child nodes.
•
When centralized policy management is disabled, automatic and manual deployment both
deliver only service parameters to the child nodes.
Configuring the services to be deployed
To configure the services to be deployed:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click the Configure icon
for the child node to which you want services to be deployed.
The Specify Services to Be Deployed page appears.
4.
5.
6.
View the following service information:
•
Service—Name of the service to be deployed.
•
Service Suffix—Suffix of the service to be deployed.
•
Security Policy—Default security policy used by the service.
Select one or more services you want to deploy.
Click OK.
Scheduling automatic deployment
To schedule automatic deployment:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click Auto Deployment.
The Configure Automatic Deployment page appears.
4.
5.
Enter the daily deployment time in the Deploy Everyday At field. The value must be an integer
in the range 0 to 23 in 24-hour notation.
Click OK.
Configuring manual deployment
To manually deploy policies:
1. Click the Service tab.
60
Configuring security policies
2.
Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
4.
Click the Deploy icon
Click OK.
for the node for which you want to start the deployment.
The node immediately starts the deployment, and then displays the deployment result page.
Deployment and receipt history
Deployment history list contents
The deployment history list comprises the following parameters:
•
Deployment Time—Time when the deployment was performed.
•
Deployment Type—How the deployment was performed: Manual or Auto.
•
Result—Result of the deployment: Succeeded or Failed.
•
Reason—Reason why the deployment failed.
•
Services—Names of the deployed services, separated by commas.
•
File Name—Name and path of the file that contains the deployed data.
Receipt history list contents
•
Receipt Time—Time when the current node received the deployment content from its parent
node.
•
Result—Result of the receipt: Succeeded or Failed.
•
Reason—Reason why the receipt failed.
•
Services—Names of the received services, separated by commas.
Viewing the deployment history list
Operators can view the deployment history of individual child nodes from the current node.
To view the deployment history list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click the Deployment History icon
to view.
for the child node whose deployment history you want
The Deployment History List displays all deployments performed on the child node.
4.
To go back to the Grade Node List of the current node, click Back.
Viewing the receipt history list
Operators can view the receipt history of a node only from its parent node.
To view the receipt history list:
1. Click the Service tab.
Deployment and receipt history
61
2.
Select Endpoint Admission Defense > Policy Receipt History from the navigation tree.
The Receipt History List displays the receipt history of the current node from its parent node.
Querying the deployment history
The parent node creates a deployment history record each time it executes a deployment. Operators
can use the query function to filter the deployment history of a parent node.
To query the deployment history of a node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation
tree.
The <Current Node Name> Grade Node List displays all child nodes immediately below the
current node.
3.
Click the Deployment History icon
to query.
for the child node whose deployment history you want
The Deployment History page of the child node appears.
4.
5.
Enter or select one or more of the following query criteria:
•
Deployment Time from/to—Specify a deployment time range. You can click the calendar
icon to select the time, or enter a date in YYYY-MM-DD format.
•
Deployment Type—Select the deployment type: Manual or Auto.
•
Result—Select the result of the deployment: Succeeded or Failed.
Click Query.
The Deployment History List displays the history records that match the query criteria.
6.
To reset the query criteria, click Reset.
The Deployment History List displays all deployments performed on the selected node.
Querying the receipt history of a child node
The child node creates a receipt history record each time it receives services, security policies, or
service parameters from its parent node. Operators can use the query function to filter the receipt
history records of a child node.
To filter the receipt history records of the current node:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Policy Receipt History from the navigation tree.
The Receipt History List displays all receipt history records of the current node.
3.
4.
Enter or select one or more of the following query criteria:
•
Receipt Time from/to—Specify a receipt time range. You can click the calendar icon
to select the time, or enter a date in YYYY-MM-DD format.
•
Result—Select the receipt result: Succeeded or Failed.
Click Query.
The Receipt History List displays the receipt history records that match the query criteria.
5.
To reset the query criteria, click Reset.
The Receipt History List displays all receipt history records of the current nodes.
62
Configuring security policies
EAD global network monitoring diagram
The EAD global network monitoring diagram provides a more straightforward way for operators
to monitor the running status of nodes and to view the security statistics. Operators can change
the background picture to a geographical image of the nodes.
Accessing the EAD global network monitoring diagram
To access the diagram:
1. Click the Service tab.
2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the
navigation tree.
The diagram appears.
Toolbar contents
•
1:1
•
Zoom In —Magnify the diagram. A grayed-out icon indicates that the diagram cannot be
further magnified.
•
Zoom Out —Shrink a specified area of the diagram. A grayed-out icon indicates that the
diagram cannot be made any smaller.
•
Fit Content
—Automatically adjust the diagram to a size appropriate to the window size.
•
Magnifier
—Magnify the selected area of the diagram.
•
Over View
—Bring up or shut down a bird's-eye view of the diagram.
•
Full Screen
/Exit Full Screen
•
Hand Tool /Pointer Tool
Click the Pointer Tool icon
•
Add Background
•
Remove Background —Remove the background picture of the diagram. This icon is grayed
out when the diagram has no background.
•
Save
•
Save as Image
•
Add Node
•
Icon Management
•
Legend
•
Refresh
—Display the diagram in its original size.
—Enter or exit the full-screen view of the diagram.
—Click the Hand Tool icon to move the diagram in the window.
to select a node in the diagram and view its details.
—Add or change the background picture of the diagram.
—Save the modifications you have made to the diagram.
—Save the diagram as an image in PNG format.
—Add a current or child node to the diagram.
—Modify the type and description of the node icon.
—View the legends. Table 6 provides a detailed description of the legends.
—Refresh the diagram.
Table 6 Legends
Type
Node Status
Legends
Description
Abnormal nodes appear as red icons; normal nodes appear as green
icons.
Operators can assign different graphic icons to nodes for identification
purposes.
Node Icon
EAD global network monitoring diagram
63
Table 6 Legends (continued)
Type
Legends
Description
Right-click menu of the EAD global network monitoring diagram
•
Hide Node Name/Show Node Name—Hide or show the node names in the diagram.
•
Adjust Background>Manual Adjust—Manually adjust the size of the background picture.
•
Adjust Background>Resume Original Size—Restore the background picture of the diagram to
its original size.
•
Exit Background—Exit the manual size adjustment for the background picture.
Right-click menu of a node
•
Remove from Diagram—Remove the node from the diagram.
•
View Node—View details of the node. This option is available for child nodes only. For more
information, see “Viewing child node details” (page 57).
Left-click information of a node
•
Node Name—Name of the node.
•
Node Type—Type of the node icon.
•
Status—Status of the node: Normal or Abnormal.
•
IP Address—IP address of the node.
•
Total Access Users—Number of access users on the node.
•
Online Users—Number of online users on the node.
Adding a node to the EAD global network monitoring diagram
By default, the current node and all of its child nodes are displayed in the diagram. Operators
can add nodes that were previously deleted from the diagram.
To add a node to the diagram:
1. Click the Service tab.
2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the
navigation tree.
The diagram appears.
3.
Click the Add Node icon
.
The Add Node window appears. The Node List displays all nodes that can be added to the
diagram.
64
Configuring security policies
4.
Filter the nodes by query:
a. Enter the name of the node in the Node Name field.
EAD supports fuzzy matching for this field.
b.
Click Query.
The Node List displays all nodes that match the query criteria.
c.
To clear the query criteria, click Reset.
The Node List displays all nodes.
5.
6.
7.
From the Node List, select one or more nodes that you want to add.
From the Node Type list, select an icon type for the node.
Click OK.
Customizing the background picture with a local image
To customize the background picture with a local image:
1. Click the Service tab.
2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the
navigation tree.
The diagram appears.
3.
Click the Add Background icon
.
The Topology Background-picture Setting window appears.
4.
5.
Select the User Upload Picture option.
Click Browse to select the image you want to set as the background picture.
The following guidelines apply for image selection:
6.
7.
•
Use a GIF, JPG, JPEG, or PNG image. Images in other formats may not be displayed
properly.
•
The image file cannot exceed 10 MB, and the dimension cannot exceed 1000×1000.
•
The image file name can contain alphanumeric characters, spaces, underscores (_), and
hyphens (-) only.
Click Preview to see how the image looks as the background picture.
Click Set.
The selected picture is uploaded to the EAD server and set as the background picture of the
diagram.
8.
Click Close.
Setting a preloaded background picture
To set a preloaded background picture:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > EAD Global Network Monitoring
Diagram from the navigation tree.
The diagram appears.
3.
Click the Add Background icon
.
The Topology Background-picture Setting window appears.
4.
5.
Select the Select Picture From Server option.
Click Select Picture to select a picture.
The system automatically magnifies the selected picture as the preview.
EAD global network monitoring diagram
65
6.
7.
Click Set to set the picture as the background picture for the diagram.
Click Close.
Managing node icons
Operators can modify the type and description of the node icons. EAD provides five system-defined
icons; it does not support custom icons.
To manage a node icon:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > EAD Global Network Monitoring
Diagram from the navigation tree.
The diagram appears.
3.
Click the Icon Management icon
.
The Icon Management page appears. The Icon List displays the following parameters:
4.
5.
66
•
Node Icon—System-defined graphic icon, including rhombus ( ), square ( ), circle ( ),
star ( ), and triangle ( ). The default is rhombus ( ).
•
Node Icon Type—Type of the node icon.
•
Description—Description of the node icon.
Click the Modify icon
for the node icon you want to modify.
•
Node Icon—Graphic icon. You cannot modify this field.
•
Node Icon Type—Enter the type of the node icon.
•
Description—Description of the node icon.
Click OK.
Configuring security policies
4 Configuring terminal access control
This chapter describes terminal access control and discusses managing client ACLs, URL control
policies, domain URL classes, and IP URL classes.
Terminal access control
Terminal access control uses isolation mode and URL access control to provide security for terminal
access.
Isolation mode
Isolation mode isolates access users that fail the security check. EAD provides the following isolation
modes:
•
Deploy ACLs to access device
After deployment, the device controls user behaviors based on ACLs, which can be security
ACLs or isolation ACLs. Security ACLs allow access users to access resources only in the
restricted area to repair faults and then restart security check. Isolation ACLs apply to all online
access users that are not yet isolated.
ACLs can be deployed to non-HP ProCurve or HP ProCurve devices. The devices have different
mechanisms for processing the ACLs deployed by EAD.
•
◦
Non-HP ProCurve devices—EAD deploys the ACL number to the access device through
RADIUS packets (the specified ACL must exist on the device). Operators can manually
add, modify, or delete ACLs on the access device, or deploy ACLs to the access device
through the ACL management feature of the IMC Platform. For information about the ACL
management feature, see HP IMC Base Platform Administrator Guide.
◦
HP ProCurve devices—EAD deploys the ACL rules to the access device through extended
RADIUS packets. Operators must navigate to User Access Manager > Access ACL to
configure ACL rules. For information about configuring access ACLs, see HP IMC User
Access Manager Administrator Guide.
Deploy ACLs to iNode client
After deployment, the iNode client controls user behaviors based on ACLs, which can be
security ACLs or isolation ACLs. Their functions are similar to access device ACLs. For more
information, see “Managing client ACLs” (page 68).
•
Deploy VLANs to access device
After deployment, the device controls user behaviors based on VLANs, which can be security
VLANs or isolation VLANs. Security VLANs allow access users to access resources only in the
restricted area to repair faults and then restart security check. Isolation VLANs apply to all
online access users that are not yet isolated.
EAD deploys the VLAN ID to the access device through RADIUS packets (the specified VLAN
must exist on the device). Operators can manually add or delete VLANs on the access device,
or deploy VLANs to the access device through the VLAN management feature of the IMC
Platform. For information about the VLAN management feature, see HP IMC Base Platform
Administrator Guide.
Terminal access control
67
URL access control
URL access control can be implemented through a URL control policy and an optional Hosts file
check.
•
URL control policy
A URL control policy permits or denies a user's HTTP access to the specified website in the
system-defined domain classes or IP classes. Before configuring a URL control policy, you must
configure domain URL classes and IP URL classes. In a URL control policy, you can specify an
action (permit or deny) for an existing domain URL class or IP URL class, and specify an IP
URL default action and a domain URL default action. For information about configuring classes
and policies, see “Managing URL control policies” (page 71), “Managing IP URL classes”
(page 77), and “Managing domain URL classes” (page 74).
•
Hosts file check
A user might bypass the URL control policy by modifying the website URLs in the Hosts file.
You can enable the Hosts file check and configure the contents to be checked in the security
policy.
Managing client ACLs
Operators can use client ACLs to enhance network security for users connecting to access devices
that do not support receiving the ACLs or ACL numbers deployed by EAD. EAD deploys client ACLs
to terminals that have the iNode client installed. Client ACLs might not be protected as well as
device ACLs.
EAD deploys the client ACLs to terminals of access users that pass identify authentication, and
applies the client ACLs to the outgoing traffic of their respective authentication NICs. Client ACLs
can be classified as follows:
•
Isolation ACL—Allows unsecure users to access only a restricted area to rectify security problems
and reinitiate security authentication.
•
Security ACL—Applies to all online access users that are not isolated.
Operators can add, modify, and delete client ACLs. Configure client ACLs only when the iNode
client on the target user terminals supports the client ACL feature. Otherwise, the access users
cannot log in after the client ACL deployment. The client ACL feature is available for Windows
operating systems only.
Client ACL list contents
The client ACL list contains the following parameters:
•
ACL Name—Name of the client ACL. Click the name to view its details.
•
Service Group—Name of the service group to which the client ACL belongs.
•
Description—Description of the associated client ACL.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the client ACL settings.
to delete the client ACL.
Client ACL details
Client ACL details comprise the basic information area and an ACL rule list.
68
Configuring terminal access control
Basic Information area
•
ACL Name—Name of the client ACL.
•
Default Action of ACL Rule—Action to take on IP packets that do not match any ACL rule.
◦
Permit—Permits IP packets that do not match any ACL rule on the ACL rule list to pass
through.
◦
Deny—Drops IP packets that do not match any ACL rule on the ACL rule list.
•
Description—Description of the client ACL.
•
Service Group—Name of the service group to which the client ACL belongs.
ACL Rule List
•
Matching Action—Action to take on the IP packets that match the ACL rule.
◦
Permit—Permits the IP packets that match the ACL rule to pass through.
◦
Deny—Drops the IP packets that match the ACL rule.
•
Protocol—Transport-layer protocol that the ACL rule matches. A protocol name (ICMP, TCP,
or UDP) or protocol number matches the corresponding transport-layer protocol. This field
displays two hyphens (--) if the ACL rule matches all transport-layer protocols.
•
Dest IP—Destination IP address that the ACL rule matches.
•
Mask—Subnet mask of the destination IP address.
•
Dest Port—Destination port of IP packets. This field displays a value only when the
transport-layer protocol of the ACL rule is TCP or UDP (you selected TCP or UDP in the Protocol
list). Otherwise, this field displays two hyphens (--).
The default setting is 0, which matches all destination ports.
•
Source Port—Source port of IP packets. This field displays a value only when the transport-layer
protocol of the ACL rule is TCP or UDP (you selected TCP or UDP in the Protocol list). Otherwise,
this field displays two hyphens (--).
The default setting is 0, which matches all source ports.
•
Priority—Priority of the ACL rule. The ACL rules are arranged in descending priority order.
An ACL rule with a higher priority is preferentially matched. Click the Move Up icon or the
Move Down icon
to adjust the list.
Viewing the client ACL list
To view the client ACL list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from
the navigation tree.
The Client ACL List displays all client ACLs.
3.
4.
To sort the Client ACL List, click the ACL Name or Service Group column label.
Click Refresh to refresh the Client ACL List.
Viewing client ACL details
To view detailed information about a client ACL:
1. Click the Service tab.
Managing client ACLs
69
2.
Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from
the navigation tree.
The Client ACL List displays all client ACLs.
3.
Click the name of the client ACL for which you want to view its detailed information.
The View Client ACL page appears.
4.
Click Back to return to the Client ACL List.
Adding a client ACL
To add a client ACL:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from
the navigation tree.
The Client ACL List displays all client ACLs.
3.
Click Add.
The Add Client ACL page appears.
4.
5.
Configure basic information for the client ACL. The ACL name must be unique in EAD.
Click Add in the ACL Rule Information area.
The Add Client ACL Rule window appears.
6.
Configure the ACL rule parameters and click OK.
The new ACL rule appears on the ACL Rule List.
Repeat steps 5 and 6 to add more ACL rules, as needed.
7.
Adjust priorities for the ACL rules.
ACL rules are sorted in descending priority order. Click the Move Up icon
icon
to change rule positions on the ACL Rule List.
8.
or Move Down
Click OK.
Modifying a client ACL
To modify a client ACL:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from
the navigation tree.
The Client ACL List displays all client ACLs.
3.
Click the Modify icon
for the client ACL you want to modify.
The Modify Client ACL page appears.
4.
5.
6.
Modify the basic information for the client ACL. You cannot modify ACL Name or Service
Group.
Modify the ACL rules by using one or more of the following methods:
•
Click Add in the ACL Rule Information area to add an ACL rule.
•
Click Modify icon
•
Click the Delete icon
for an existing ACL rule on the ACL Rule List to modify its settings.
for an undesired ACL rule to delete the rule.
Adjust priorities for the ACL rules.
ACL rules are sorted in descending priority order. Click the Move Up icon
icon
to change rule positions on the ACL Rule List.
7.
70
Click OK.
Configuring terminal access control
or Move Down
Deleting a client ACL
Before deleting a client ACL that has been assigned to a security policy, you must remove their
associations.
To delete a client ACL:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from
the navigation tree.
The Client ACL List displays all client ACLs.
3.
Click the Delete icon
for the client ACL you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing URL control policies
An access user can access a website through one of the following methods:
•
IP address—Enter the IP address (for example, http://13.13.13.1) in the address bar of the
browser.
•
Domain name—Enter the domain name of the website (for example, http://www.hp.com) in
the address bar of the browser. The DNS translates the domain name into an IP address.
•
Hosts file—Add an entry (for example, 13.13.13.1 http://www.hp.com) to the Hosts file, and
then enter the domain name of the website (for example, http://www.hp.com) in the address
bar of the browser. The local Hosts file translates the domain name into an IP address without
a DNS lookup.
The iNode client parses the HTTP packets of access users according to the URL control policy, and
prevents users from accessing the specified websites by IP address and domain name.
Before configuring a URL control policy, you must configure domain URL classes and IP URL classes.
In the URL control policy, you can specify the following contents:
•
An action (permit or deny) for an IP URL class or domain URL class
•
An IP URL default action
•
A domain URL default action
For more information, see “Managing domain URL classes” (page 74) and “Managing IP URL
classes” (page 77).
An access user can bypass the URL control policy by modifying the website URLs in the Hosts file.
To prevent this, do the following:
1. Enable Check Hosts File in the URL control policy area of the security policy.
2. Configure the URL check items.
Periodically, the iNode client checks the contents of the Hosts file against the URL check items.
When the Hosts file contains items that are not URL check items, the iNode client immediately logs
out the user and displays a security violation message.
URL control policy list contents
The URL control policy list contains the following parameters:
•
URL Control Policy Name—Name of the URL control policy.
•
Description—Description of the URL control policy.
•
Service Group—Name of the service group to which the URL control policy belongs.
Managing URL control policies
71
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify settings of the URL control policy.
for the URL control policy you want to delete.
URL control policy details
URL control policy details comprise the basic information area, a domain URL check item list, and
an IP URL check item list.
Basic Information area
•
URL Control Policy Name—Name of the URL control policy.
•
Domain URL Default Action—Action to take on the domain URL accesses that do not match a
domain URL check item. The action can be Permit or Deny. The domain URL default action
will be applied to any domain URL accesses that do not match a domain URL check item.
•
IP URL Default Action—Action to take on the IP URL accesses that do not match an IP URL check
item. The action can be Permit or Deny. The IP URL default action applies to any IP URL accesses
that do not match an IP URL check item.
•
Service Group—Name of the service group to which the URL control policy belongs.
•
Description—Description of the URL control policy.
Domain URL Class List
•
Class Name—Name of the domain URL class. For more information, see “Adding a domain
URL class” (page 75).
•
Action—Action to take on the domain URL accesses that match the domain URL class. The
action can be Permit or Deny.
•
Description—Description of the domain URL class.
•
Priority (Descending)—Priority of the domain URL class. The domain URL classes are arranged
in descending priority order. When the domain URL of the website to be accessed matches
multiple classes, the domain URL class with the highest priority applies. Click the Move Up
icon or Move Down icon
to adjust the list.
IP URL Class List
•
IP URL Class—Name of the IP URL class. For more information, see “Adding an IP URL class”
(page 78).
•
Action—Action to take on the IP URL accesses that match the IP URL class. The action can be
Permit or Deny.
•
Description—Description of the IP URL check item.
•
Priority (Descending)—Priority of the IP URL check item. The IP URL check items are arranged
in descending priority order. When the IP URL of the website to be accessed matches multiple
classes, the IP URL check item with the highest priority applies. Click the Move Up icon or
Move Down icon
to adjust the list.
Viewing the URL control policy list
To view the URL control policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the
navigation tree.
The URL Control Policy List displays all URL control policies.
3.
4.
72
To sort the URL Control Policy List, click the URL Control Policy Name or Service Group column
label.
Click Refresh to refresh the URL Control Policy List.
Configuring terminal access control
Viewing the URL control policy details
To view detailed information about a URL control policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the
navigation tree.
The URL Control Policy List displays all URL control policies.
3.
Click the name of the URL control policy for which you want to view the detailed information.
The URL Control Policy Details page appears.
4.
Click Back to return to the URL Control Policy List.
Adding a URL control policy
To add a URL control policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the
navigation tree.
The URL Control Policy List displays all URL control policies.
3.
Click Add.
The Add URL Control Policy page appears.
4.
5.
Configure basic information for the URL control policy. The policy name must be unique in
EAD.
Click Add in the Domain URL Check Items area.
The Add Domain URL Check Item window appears.
6.
Configure the parameters and click OK.
The new domain URL check item appears on the Domain URL Check Item List.
Repeat steps 5 and 6 to add more domain URL check items, as needed.
7.
Adjust priorities for the domain URL check items.
Domain URL check items are sorted in descending priority order. Click the Move Up icon
or Move Down icon
to adjust the list.
8.
Click Add in the IP URL Check Items area.
The Add IP URL Check Item window appears.
9.
Configure the parameters and click OK.
The new IP URL check item appears on the IP URL Check Item List.
Repeat steps 8 and 9 to add more IP URL check items, as needed.
10. Adjust priorities for the IP URL check items.
IP URL check items are sorted in descending priority order. Click the Move Up icon
Down icon
to adjust the list.
or Move
11. Click OK.
Modifying a URL control policy
To modify a URL control policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the
navigation tree.
The URL Control Policy List displays all URL control policies.
Managing URL control policies
73
3.
Click the Modify icon
for the URL control policy you want to modify.
The Modify URL Control Policy page appears.
4.
5.
6.
Configure basic information for the URL control policy. You cannot modify URL Control Policy
Name or Service Group.
Modify the domain URL check items by using one or more of the following methods:
•
Click Add in the Domain URL Check Item Information area to add a domain URL check
item.
•
Click Modify icon
settings.
•
Click the Delete icon
for an existing item on the Domain URL Check Item List to modify its
for an undesired domain URL check item to delete the item.
Adjust priorities for the domain URL check items.
Domain URL check items are sorted in descending priority order. Click the Move Up icon
or Move Down icon
to adjust the list.
7.
8.
Modify the IP URL check items by using one or more of the following methods:
•
Click Add in the IP URL Check Item Information area to add an IP URL check item.
•
Click Modify icon
•
Click the Delete icon
for an existing item on the IP URL Check Item List to modify its settings.
for an undesired IP URL check item to delete the item.
Adjust priorities for the IP URL check items.
IP URL check items are sorted in descending priority order. Click the Move Up icon
to adjust the list.
Down icon
9.
or Move
Click OK.
Deleting a URL control policy
Before deleting a URL control policy that is assigned to a security policy, you must remove their
associations.
To delete a URL control policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the
navigation tree.
The URL Control Policy List displays all URL control policies.
3.
Click the Delete icon
for the URL control policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing domain URL classes
A domain URL class is a set of website domain names. The iNode client parses the HTTP packets
of access users, compares the domain names to be accessed with the domain URL check items in
the URL control policy, and permits or denies user access based on the comparison results.
The domain URL check supports fuzzy matching. For example, when you specify yahoo in the
domain URL class, a user's access to the websites www.yahoo.com, mail.yahoo.com, and
www.yahoo.org, which contain yahoo, is permitted or denied as configured.
This section describes how to view, add, modify, and delete the domain URL classes and their URL
items.
74
Configuring terminal access control
Domain URL class list contents
The domain URL class list contains the following parameters:
•
Domain URL Class Name—Name of the domain URL class.
•
Description—Description of the domain URL class.
•
Service Group—Name of the service group to which the domain URL class belongs.
•
Config—Click the Config icon
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to configure URL check items for the domain URL class.
to modify the domain URL class settings.
to delete the domain URL class.
Domain URL class details
Domain URL class details comprise the following basic information:
•
Domain URL Class Name—Name of the domain URL class.
•
Service Group—Name of the service group to which the domain URL class belongs.
•
Description—Description of the domain URL class.
Domain URL item list contents
Domain URL item list contents comprise the following basic information:
•
Domain—Domain name of the website.
•
Description—Description of the domain name.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the domain URL check item.
to delete the domain URL check item.
Viewing the domain URL class list
To view the domain URL class list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
4.
To sort the Domain URL Class List, click the Domain URL Class Name or Service Group column
label.
Click Refresh to refresh the Domain URL Class List.
Viewing the domain URL class details
To view the domain URL class details:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
Click the name of a domain URL class for which you want to view the detailed information.
The Domain URL Class Details page appears.
4.
Click Back to return to the Domain URL Class List.
Adding a domain URL class
To add a domain URL class:
Managing domain URL classes
75
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
Click Add.
The Add Domain URL Class page appears.
4.
5.
Configure the basic information for the domain URL class.
Click OK.
Configuring domain URL check items
To configure domain URL check items for a domain URL class:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
Click the Config icon
for the target domain URL class.
The Domain URL Item List displays all domain URL check items in the domain URL class.
4.
Click Add to add a domain URL check item.
a. Domain—Enter the domain name of the website, and enter a description of the domain
name in the Description field.
b. Click OK.
Repeat to add more domain URL check items, as needed.
5.
Click Import to import domain URL check items:
a. Browse to and select the file to be imported, and then select a column separator for the
file. Options are space, tab character, comma (,), colon (:), pound sign (#), and dollar
sign ($). The file must be in TXT format.
b. Click Next.
c. Select the column that contains the domain names from the Domain list, and then select
the column that contains the domain URL check item descriptions from the Description list.
When you select Not Import from File from the Description list, enter a description for all
imported domain URL check items in the field to the right.
d. Click Preview to preview the file import result.
e. Click OK.
f. Click Back to return to the Config Domain URL Class page.
6.
Query domain URL check items:
a. Enter the domain name of the website in the Domain field.
EAD supports fuzzy matching for this field.
b.
Click Query.
The Domain URL Item List displays all domain URL check items that match the query
criterion.
c.
Click Reset to clear the query criterion.
The Domain URL Item List displays all domain URL check items in the domain URL class.
76
Configuring terminal access control
7.
Modify a domain URL check item:
a.
Click the Modify icon
for the target domain URL check item.
The Modify Domain URL Item window appears.
b.
Modify the following parameters for the domain URL check item:
Domain—Modify the domain name of the website.
Description—Modify the description of the domain name.
c.
Click OK.
8.
To delete a domain URL check item:
a. Click the Delete icon
for the target domain URL check item.
b. Click OK.
9.
Click OK.
Modifying a domain URL class
To modify a domain URL class:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
4.
5.
for the target domain URL class.
Click the Modify icon
Modify the domain URL class. The Domain URL Class Name and Service Group cannot be
modified.
Click OK.
Deleting a domain URL class
Before deleting a domain URL class that is assigned to a URL control policy, you must cancel their
associations. For more information, see “Modifying a URL control policy” (page 73).
To delete a domain URL class:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the
navigation tree.
The Domain URL Class List displays all domain URL classes.
3.
Click the Delete icon
for the domain URL class you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing IP URL classes
An IP URL class is a set of website IP addresses. Access users can access these websites through
IP addresses without DNS. The iNode client parses the HTTP packets of access users, compares
the IP addresses to be accessed with the IP URL check items in the URL control policy, and permits
or denies user access based on the comparison result.
This section describes how to view, add, modify, and delete the IP URL classes and their URL check
items.
Managing IP URL classes
77
IP URL class list contents
The IP URL class list contains the following parameters:
•
IP URL Class Name—Name of the IP URL class.
•
Description—Description of the IP URL class.
•
Service Group—Name of the service group to which the IP URL class belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the IP URL class settings.
to delete the IP URL class.
IP URL class details
IP URL class details comprise the basic information area and an IP URL item list.
Basic information section
•
IP URL Class Name—Name of the IP URL class.
•
Service Group—Name of the service group to which the IP URL class belongs.
•
Description—Description of the IP URL class.
IP URL item list section
•
Start IP—Start IP address of the IP URL check item.
•
End IP—End IP address of the IP URL check item.
•
Description—Description of the IP segment.
Viewing the IP URL class list
To view the IP URL class list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation
tree.
The IP URL Class List displays all IP URL classes.
3.
4.
To sort the IP URL Class List, click the IP URL Class Name or Service Group column label.
Click Refresh to refresh IP URL Class List.
Viewing the IP URL class details
To view the IP URL class details:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation
tree.
The IP URL Class List displays all IP URL classes.
3.
Click the name of an IP URL class for which you want to view the detailed information.
The IP URL Class Details page appears.
4.
Click Back to return to the IP URL Class List.
Adding an IP URL class
To add an IP URL class:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation
tree.
The IP URL Class List displays all IP URL classes.
78
Configuring terminal access control
3.
Click Add.
The Add IP URL Class page appears.
4.
5.
Configure the basic information for the IP URL class.
Add an IP URL check item:
a. Click Add.
The Add IP URL Item page appears.
b.
c.
6.
Configure the following parameters:
•
Start IP—Enter the start IP address of the website IP segment.
•
End IP—Enter the end IP address of the website IP segment.
•
Description—Enter the description of the website IP segment.
Click OK to add the IP URL check item.
Click OK.
Modifying an IP URL class
To modify an IP URL class:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation
tree.
The IP URL Class List displays all IP URL classes.
3.
4.
5.
Click the Modify icon
to modify the IP URL class. The IP URL Class Name and Service Group
cannot be modified.
Click Add to add an IP URL check item:
a. Start IP—Enter the start IP address of the website IP segment.
b. End IP—Enter the end IP address of the website IP segment.
c. Description—Enter the description of the website IP segment.
Click OK.
Repeat to add IP URL check items, as needed.
6.
Modify an IP URL check item:
a.
Click the Modify icon
for the target IP URL check item.
The Modify IP URL Item page appears.
b.
c.
Modify the following parameters for the IP URL:
•
Start IP—Modify the start IP address of the website IP segment.
•
End IP—Modify the end IP address of the website IP segment.
•
Description—Modify the description of the website IP segment.
Click OK.
7.
Delete an IP URL check item:
a. Click the Delete icon
for the target IP URL check item.
b. Click OK.
8.
Click OK.
Deleting an IP URL class
Before deleting an IP URL class that is assigned to a URL control policy, you must cancel their
associations. For more information, see “Modifying a URL control policy” (page 73).
To delete an IP URL class:
Managing IP URL classes
79
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation
tree.
The IP URL Class List displays all IP URL classes.
3.
Click the Delete icon
for the IP URL class you want to delete.
A confirmation dialog box appears.
4.
80
Click OK.
Configuring terminal access control
5 Configuring security check items for PCs
A security policy includes one or more security check items. Each item focuses on one security
threat on the access terminal. To enhance network security on Windows, Linux, and Mac OS PCs,
the following security check items must be configured for each security policy:
•
Anti-virus software control
•
Anti-spyware software control
•
Firewall software control
•
Anti-phishing software control
•
Hard disk encryption software control
•
PC software control
•
Patch management software control
•
Windows patch control
•
Registry control
•
Share control
•
Traffic control
•
Password control
•
Asset registration status check
Anti-virus software policy management
The system defines anti-virus software control for several types of anti-virus software in Windows,
Linux, Mac OS, and Android. You can enable anti-virus software control in a security policy and
specify an anti-virus software policy. The anti-virus software policy determines whether an anti-virus
software type application control is installed and running, and whether the anti-virus engine version
and virus definition version match the policy. When an access user is authenticated, the iNode
client checks the anti-virus software on the user terminal according to the configuration in the
security policy.
Anti-virus software policy management allows you to view, add, modify, and delete an anti-virus
software policy. You can specify the anti-virus software type application controls to be checked
and the anti-virus engine version and virus definition version.
Anti-virus software policy list contents
The anti-virus software policy list contains the following parameters:
•
Anti-Virus Software Policy Name—Name of the anti-virus software policy. Click the name to
view its details.
•
Service Group—Service group to which the anti-virus software policy belongs.
•
Description—Description of the anti-virus software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the anti-virus software policy.
to delete the anti-virus software policy.
Anti-virus software policy details
Anti-virus software policy details comprise the basic information section and the Windows Operating
System, Linux Operating System, Mac OS Operating System, and Android Operating System
Anti-virus software policy management
81
sections. The Windows Operating System, Linux Operating System, and Mac OS Operating System
sections only take effect on PCs.
Basic information section
•
Policy Name—Name of the anti-virus software policy.
•
Service Group—Service group to which the anti-virus software policy belongs.
•
Description—Description of the anti-virus software policy.
Windows operating system, Linux operating system, and Mac OS operating system sections
The Windows operating system, Linux operating system, and Mac OS operating system sections
list the anti-virus software that can be checked by the iNode client.
•
Anti-Virus Software—Name of the anti-virus software.
•
Vendor—Vendor name of the anti-virus software.
•
Check Items—Indicates whether the anti-virus engine version and virus definition version are
checked for the corresponding anti-virus software.
•
◦
Check anti-virus engine version—When this parameter is selected, the anti-virus engine
version must be checked. Otherwise, the anti-virus engine version is not checked.
◦
Check virus definition version—When this parameter is selected, the virus definition version
must be checked. Otherwise, the virus definition version is not checked.
Restriction—Check rules for the anti-virus software policy. When this field is empty, no rules
are set for the anti-virus software.
◦
Anti-Virus Engine Adaptation Period (in days)—Adaptation period for the anti-virus engine.
This option is valid only when the anti-virus engine is in YYYY-MM-DD format. When the
anti-virus engine is updated within the adaptation period, the anti-virus engine version
check is passed.
◦
Lowest Version of Anti-Virus Engine—Lowest version of the anti-virus engine allowed by
the anti-virus software policy. An anti-virus software policy supports two anti-virus engine
version formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit
month, and DD is the two-digit day; and XX.XX.XX, for example, 7.100.1003.
◦
Virus Definition Adaptation Period (in days)—Adaptation period for the virus definition
of the anti-virus software. This option is valid only when the virus definition is in
YYYY-MM-DD format. When the virus definition is updated within the adaptation period,
the virus definition version check is passed.
◦
Lowest Version of Virus Definition—Lowest version of the virus definition allowed by the
anti-virus software policy. An anti-virus software policy supports two virus definition version
formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month,
and DD is the two-digit day; and XX.XX.XX, for example, 2.343.000.
•
Check—Indicates whether the corresponding anti-virus software is checked.
•
Priority—The iNode client checks the anti-virus software based on the priority. Items are listed
in descending priority order (most important first). Click the Move Up icon or Move Down
icon
to adjust the list.
Viewing the anti-virus software policy list
To view the anti-virus software policy list:
1. Click the Service tab.
82
Configuring security check items for PCs
2.
Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
4.
To sort the Anti-Virus Software Policy List, click the Anti-Virus Software Policy Name or Service
Group column label.
Click Refresh to refresh the Anti-Virus Software Policy List.
Viewing anti-virus software policy details
To view details of an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software
Policies from the navigation tree.
3. Click the name of the anti-virus software policy for which you want to view the detailed
information.
The Anti-Virus Software Policy List displays all anti-virus software policies.
The View Anti-Virus Software Policy page appears.
4.
To go back to the Anti-Virus Software Policy List, click Back.
Adding an anti-virus software policy
To add an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click Add.
The Add Anti-Virus Software Policy page appears.
4.
5.
6.
Configure the basic information for the anti-virus software policy.
To check an anti-virus software product in the anti-virus software policy, select the box in the
Check field for the anti-virus software.
Modify the anti-virus software check:
a.
Click the Modify icon
for the anti-virus software you want to modify.
The Anti-Virus Software Settings dialog box appears.
b.
c.
Modify the anti-virus software name in the Anti-Virus software field as needed.
To check the anti-virus engine version, select the box next to Check anti-virus engine
version, and select an anti-virus engine version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 7.
Anti-virus software policy management
83
Table 7 Version formats and parameters
Version format
Date format
Dotted format
d.
Notification
Version check mode
Parameter
Specified Version
Lowest Version of
Anti-Virus Engine
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Engine
YYYY_MM_DD
XX.XX.XX
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—The version check is passed if the user terminal version is higher
than the specified version. If not, the version check fails.
When the version check mode is Specified Version and the version format is Date
format, either enter the date manually or click the Calendar icon next to the Lowest
Version of Anti-Virus Engine field to select a date.
When the version check mode is Specified Version and the version format is Dotted
format, enter the version in the Lowest Version of Anti-Virus Engine field. A valid
version format is XX.XX.XX, for example, 7.100.1003.
•
Auto Adaptive—The version check is passed if the user terminal version has been
updated within the adaptation period. If not, the version check fails.
When the version check mode is Auto Adaptive and the version format is When the
version check mode is Specified Version and the version format is Date format, either
enter the date manually or click the Calendar icon, manually enter the adaptation
period in the Adaptation Period (in days) field.
e.
To check the virus definition version, select the box next to Check virus definition version,
and select a virus definition version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 2.343.00.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 8.
Table 8 Version formats and parameters
Version format
Date format
Dotted format
f.
g.
7.
84
Notification
Version check mode
Parameter
Specified Version
Lowest Version of
Anti-Virus Definition
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Definition
YYYY_MM_DD
XX.XX.XX
Select a version check mode; Specified Version or Auto Adaptive, from the Version Check
Mode list. For more information about the check modes, see that for the Anti-Virus Engine
version.
Click OK.
In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon
Down icon
to adjust the anti-virus software position in the list.
Configuring security check items for PCs
or Move
8.
Click OK.
The anti-virus software policy you have added now appears in the configuration options when you
configure the security policy. For more information, see “Security policy management” (page 33).
Modifying an anti-virus software policy
To modifyan anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click the Modify icon
for the anti-virus software policy you want to modify.
The Modify Anti-Virus Software Policy page appears.
4.
5.
6.
Modify the basic information for the anti-virus software policy. You cannot modify Policy Name
or Service Group.
To check an anti-virus software product in the anti-virus software policy, select the box in the
Check field for the anti-virus software.
Modify the anti-virus software check:
a.
Click the Modify icon
for the anti-virus software you want to modify.
The Anti-Virus Software Settings dialog box appears.
b.
c.
Modify the anti-virus software name in the Anti-Virus software field as needed.
To check the anti-virus engine version, select the box next to Check anti-virus engine
version, and select an anti-virus engine version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 9.
Table 9 Version formats and parameters
Version format
Date format
Dotted format
d.
Notification
Version check mode
Parameter
Specified Version
Lowest Version of
Anti-Virus Engine
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Engine
YYYY_MM_DD
XX.XX.XX
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—The version check is passed if the user terminal version is higher
than the specified version. If not, the version check fails.
When the version check mode is Specified Version and the version format is Date
format, either enter the date manually or click the Calendar icon next to the Lowest
Version of Anti-Virus Engine field to select a date.
Anti-virus software policy management
85
When the version check mode is Specified Version and the version format is Dotted
format, enter the version in the Lowest Version of Anti-Virus Engine field. A valid
version format is XX.XX.XX, for example, 7.100.1003.
•
Auto Adaptive—The version check is passed if the user terminal version has been
updated within the adaptation period. If not, the version check fails
When the version check mode is Auto Adaptive and the version format is Date format,
manually enter the adaptation period in the Adaptation Period (in days) field.
e.
To check the virus definition version, select the box next to Check virus definition version,
and select a virus definition version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 2.343.00.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 10.
Table 10 Version formats and parameters
Version format
Notification
Date format
g.
7.
8.
Parameter
Specified Version
Lowest Version of
Anti-Virus Definition
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Definition
YYYY_MM_DD
Dotted format
f.
Version check mode
XX.XX.XX
Select a version check mode; Specified Version or Auto Adaptive, from the Version Check
Mode list. For more information about the check modes, see that for the Anti-Virus Engine
version.
Click OK.
In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon
Down icon
to adjust the anti-virus software position in the list.
Click OK.
or Move
Deleting an anti-virus software policy
Before deleting an anti-virus software policy that has been assigned to a security policy, you must
cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click the Delete icon
for the anti-virus software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Anti-spyware software policy management
The system defines anti-spyware software control for several types of anti-spyware software in the
Windows, Mac OS, and Android operating systems. You can enable anti-spyware software control
86
Configuring security check items for PCs
in a security policy, and specify an anti-spyware software policy. The anti-spyware software policy
determines whether an anti-spyware software type application control is installed and running,
and whether the anti-spyware engine version and spyware definition version match the policy.
When an access user is authenticated, the iNode client checks the anti-spyware software on the
user terminal according to the configuration in the security policy.
Anti-spyware software policy management allows you to view, add, modify, and delete an
anti-spyware software policy. You can specify the anti-spyware products to be checked and the
spyware definition version and anti-spyware engine version.
Anti-spyware software policy list contents
The anti-spyware software policy list contains the following parameters:
•
Anti-Spyware Software Policy Name—Name of the anti-spyware software policy. Click the
name to view its details.
•
Service Group—Service group to which the anti-spyware software policy belongs.
•
Description—Description of the anti-spyware software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the anti-spyware software policy.
to delete the anti-spyware software policy.
Anti-spyware software policy details
Anti-spyware software policy details comprise the basic information section and the Windows
Operating System, Mac OS Operating System, and Android Operating System sections. The
Windows Operating System and Mac OS Operating System sections only take effect on PCs.
Basic information section
•
Policy Name—Name of the anti-spyware software policy.
•
Service Group—Service group to which the anti-spyware software policy belongs.
•
Description—Description of the associated anti-spyware software policy.
Windows Operating System and Mac OS Operating System sections
These sections list the anti-spyware software that can be checked by the iNode client on the
corresponding operating system.
•
Anti-Spyware Software—Name of the anti-spyware software.
•
Vendor—Vendor name of the anti-spyware software.
•
Check Items—Indicates whether the engine version and spyware definition version of the
anti-spyware software are checked.
•
◦
Check anti-spyware engine version—When this parameter is selected, the engine version
must be checked. Otherwise, engine version is not checked.
◦
Check spyware definition version—When this parameter is selected, the spyware definition
version must be checked. Otherwise, the spyware definition version is not checked.
Restriction—Check rules for the anti-spyware software policy. When this field is empty, no
rules are set for the anti-spyware software.
◦
Lowest Version of Anti-Spyware Engine—Lowest version of the anti-spyware engine
allowed by the anti-spyware software policy. An anti-spyware software policy supports
the format XX.XX.XX, for example, 2009.6.18.169.
◦
Lowest Version of Anti-Spyware Definition—Lowest version of the anti-spyware definition
allowed by the anti-spyware software policy. An anti-spyware software policy supports
Anti-spyware software policy management
87
the format YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month,
and DD is the two-digit day.
•
Check—Indicates whether the corresponding anti-spyware software is checked.
•
Priority—Order (descending) in which the iNode client checks the anti-spyware software.
Viewing the anti-spyware software policy list
To view the anti-spyware software policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
4.
To sort the Anti-Spyware Software Policy List, click the Anti-Spyware Software Policy Name
or Service Group column label.
Click Refresh to refresh the Anti-Spyware Software Policy List.
Viewing the anti-spyware software policy details
To view details of an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the name of the anti-spyware software policy for which you want to view the detailed
information.
The View Anti-Spyware Software Policy page appears.
4.
To go back to the Anti-Spyware Software Policy List, click Back.
Adding an anti-spyware software policy
To add an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
4.
5.
6.
Click Add.
Configure the basic information for the anti-spyware software policy.
To check an anti-spyware software product in the anti-spyware software policy, select the box
in the Check field for the anti-spyware software.
Modify the anti-spyware software check:
a.
b.
c.
d.
Click the Modify icon
for the anti-spyware software you want to modify.
To check the anti-spyware engine version, select the box next to Check anti-spyware
engine version.
Select Specified Version from the Version Check Mode list.
Enter the anti-spyware engine version in the Lowest Version of Anti-Spyware Engine field,
in the format XX.XX.XX, for example, 2009.6.18.169.
You must use dotted format for an anti-spyware engine version.
e.
88
To check the anti-spyware definition version, select the box next to Check spyware
definition version.
Configuring security check items for PCs
f.
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—When the anti-spyware definition version of an access user is
higher than the specified version, the anti-spyware definition version check is passed;
if not, the anti-spyware definition version check fails.
When the anti-spyware definition version check mode is Specified Version, either
enter the date manually or click the Calendar icon next to the Lowest Version of
Spyware Definition field to select a date. The valid date format is YYYY-MM-DD,
where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit
day.
•
Auto Adaptive—When the anti-spyware definition version of an access user has
been updated within the adaptation period, the anti-spyware definition version check
is passed; if not, the anti-spyware definition version check fails.
When the anti-spyware definition version check mode is Auto Adaptive, manually
enter the adaptation period in the Adaptation Period (in days) field.
g.
7.
Click OK.
Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move
the anti-spyware software up one position in the list, or click the Move Down icon
to move
the anti-spyware software down one position in the list.
The iNode client checks the anti-spyware software of access users based on descending
priority order (most important first).
8.
Click OK.
The anti-spyware software policy you have added now appears in the configuration options when
you configure the security policy. For more information, see “Security policy management”
(page 33).
Modifying an anti-spyware policy
To modify an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the Modify icon
for the anti-spyware software policy you want to modify.
The Modify Anti-Spyware Software Policy page appears.
4.
5.
6.
Modify the basic information for the anti-spyware software policy. You cannot modify Policy
Name or Service Group.
To check an anti-spyware software product in the anti-spyware software policy, select the box
in the Check field for the anti-spyware software.
Modify the anti-spyware software check:
a.
b.
c.
d.
Click the Modify icon
for the anti-spyware software you want to modify.
To check the anti-spyware engine version, select the box next to Check anti-spyware
engine version.
Select Specified Version from the Version Check Mode list.
Enter the anti-spyware engine version in the Lowest Version of Anti-Spyware Engine field,
in the format XX.XX.XX, for example, 2009.6.18.169.
You must use dotted format for an anti-spyware engine version.
Anti-spyware software policy management
89
e.
f.
To check the anti-spyware definition version, select the box next to Check spyware
definition version.
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—When the anti-spyware definition version of an access user is
higher than the specified version, the anti-spyware definition version check is passed;
if not, the anti-spyware definition version check fails.
When the anti-spyware definition version check mode is Specified Version, either
enter the date manually or click the Calendar icon next to the Lowest Version of
Spyware Definition field to select a date. The valid date format is YYYY-MM-DD,
where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit
day.
•
Auto Adaptive—When the anti-spyware definition version of an access user has
been updated within the adaptation period, the anti-spyware definition version check
is passed; if not, the anti-spyware definition version check fails.
When the anti-spyware definition version check mode is Auto Adaptive, manually
enter the adaptation period in the Adaptation Period (in days) field.
g.
7.
Click OK.
Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move
the anti-spyware software up one position in the list, or click the Move Down icon
to move
the anti-spyware software down one position in the list.
The iNode client checks the anti-spyware software of access users based on descending
priority order (most important first).
8.
Click OK.
Deleting an anti-spyware software policy
Before deleting an anti-spyware software policy that has been assigned to a security policy, you
must cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the Delete icon
for the anti-spyware policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Firewall software policy management
The system defines firewall software control for several types of firewall software in the Windows,
Linux, and Mac OS operating systems. You can enable firewall software control in a security policy,
and specify a firewall software policy. The firewall software policy determines whether a firewall
software product is installed and running. When an access user is authenticated, the iNode client
checks the firewall software on the user terminal according to the configuration in the security
policy.
Firewall software policy management allows you to view, add, modify, and delete a firewall
software policy. You can specify the firewall software to be checked as needed.
90
Configuring security check items for PCs
Firewall software policy list contents
The firewall software policy list contains the following parameters:
•
Firewall Software Policy Name—Name of the firewall software policy. Click the name to view
its details.
•
Service Group—Service group to which the firewall software policy belongs.
•
Description—Description of the firewall software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the firewall software policy.
to delete the firewall software policy.
Firewall software policy details
Firewall software policy details comprise the basic information section and the Windows Operating
System, Linux Operating System, and Mac OS Operating System sections.
Basic information section
•
Policy Name—Name of the firewall software policy.
•
Service Group—Service group to which the firewall software policy belongs.
•
Description—Description of the firewall software policy.
Windows Operating System, Linux Operating System, and Mac OS Operating System sections
These sections list the firewall software that can be checked by the iNode client on the corresponding
operating system.
•
Firewall Software—Name of the firewall software.
•
Vendor—Vendor name of the firewall software.
•
Check—Indicates whether the corresponding firewall software is checked.
•
Priority—Order (descending) in which the iNode client checks the firewall software.
Viewing the firewall software policy list
To view the firewall software policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software
Policies from the navigation tree.
The Firewall Software Policy List displays all firewall software policies.
3.
4.
To sort the Firewall Software Policy List, click the Firewall Software Policy Name or Service
Group column label.
Click Refresh to refresh the Firewall Software Policy List.
Viewing firewall software policy details
To view details of a firewall software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software
Policies from the navigation tree.
The Firewall Software Policy List displays all Firewall software policies.
3.
Click the name of the firewall software policy for which you want to view the detailed
information.
The View Firewall Software Policy page appears.
Firewall software policy management
91
4.
To go back to the Firewall Software Policy List, click Back.
Adding a firewall software policy
To add a firewall software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software
Policies from the navigation tree.
The Firewall Software Policy List displays all firewall software policies.
3.
Click Add.
The Add Firewall Software Policy page appears.
4.
5.
6.
Configure the basic information for the firewall software policy.
To configure checking a firewall software product in the firewall software policy, select the
box in the Check field for the firewall software.
Click the Move Up icon in the Priority field of the Firewall Software Policy List to move the
firewall software up one position in the list, or click the Move Down icon to move the firewall
software down one position in the list.
The iNode client checks the firewall software of access users based on descending priority
order (most important first).
7.
Click OK.
The firewall software policy you have added now appears in the configuration options when you
configure the security policy. For more information, see “Security policy management” (page 33).
Modifying a firewall software policy
To modify a firewall software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software
Policies from the navigation tree.
The Firewall Software Policy List displays all firewall software policies.
3.
Click the Modify icon
for the firewall software policy you want to modify.
The Modify Firewall Software Policy page appears.
4.
5.
6.
Modify the basic information for the firewall software policy. You cannot modify Policy Name
or Service Group.
To configure checking a firewall software product in the firewall software policy, select the
box in the Check field for the firewall software.
Click the Move Up icon in the Priority field of the Firewall Software Policy List to move the
firewall software up one position in the list, or click the Move Down icon to move the firewall
software down one position in the list.
The iNode client checks the firewall software of access users based on descending priority
order (most important first).
7.
Click OK.
Deleting a firewall software policy
Before deleting a firewall software policy that has been assigned to a security policy, you must
cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete a firewall software policy:
1. Click the Service tab.
92
Configuring security check items for PCs
2.
Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software
Policies from the navigation tree.
The Firewall Software Policy List displays all firewall software policies.
3.
Click the Delete icon for the firewall software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Anti-phishing software policy management
The system defines anti-phishing software control for several types of anti-phishing software in the
Windows and Mac OS operating systems. You can enable anti-phishing software control in a
security policy, and specify an anti-phishing software policy. The anti-phishing software policy
determines whether an anti-phishing software type application control is installed and running.
When an access user is authenticated, the iNode client checks the anti-phishing software on the
user terminal according to the configuration in the security policy.
Anti-phishing software policy management allows you to view, add, modify, and delete an
anti-phishing software policy. You can specify the anti-phishing software to be checked as needed.
Anti-phishing software policy list contents
•
Anti-Phishing Software Policy Name—Name of the anti-phishing software policy. Click the
name to view its details.
•
Service Group—Service group to which the anti-phishing software policy belongs.
•
Description—Description of the anti-phishing software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the anti-phishing software policy.
to delete the anti-phishing software policy.
Anti-phishing software policy details
Anti-phishing software policy details comprise the basic information section, Windows Operating
System section, and Mac OS Operating System section.
Basic information section
•
Policy Name—Name of the anti-phishing software policy.
•
Service Group—Service group to which the anti-phishing software policy belongs.
•
Description—Description of the anti-phishing software policy.
Windows Operating System and Mac OS Operating System sections
These sections list the anti-phishing software that can be checked by the iNode client on the
corresponding operating system.
•
Anti-Phishing Software—Name of the anti-phishing software.
•
Vendor—Vendor name of the anti-phishing software.
•
Check—Indicates whether the corresponding anti-phishing software is checked.
•
Priority—Order (descending) in which the iNode client checks the anti-phishing software.
Viewing the anti-phishing software policy list
To view the anti-phishing software policy list:
1. Click the Service tab.
Anti-phishing software policy management
93
2.
Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing
Software Policies from the navigation tree.
The Anti-Phishing Software Policy List displays all anti-phishing software policies.
3.
4.
To sort the Anti-Phishing Software Policy List, click the Anti-Phishing Software Policy Name or
Service Group column label.
Click Refresh to refresh the Anti-Phishing Software Policy List.
Viewing anti-phishing software policy details
To view details of an anti-phishing software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing
Software Policies from the navigation tree.
The Anti-Phishing Software Policy List displays all anti-phishing software policies.
3.
Click the name of the anti-phishing software policy for which you want to view the detailed
information.
The View Anti-Phishing Software Policy page appears.
4.
To go back to the Anti-Phishing Software Policy List, click Back.
Adding an anti-phishing software policy
To add an anti-phishing software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing
Software Policies from the navigation tree.
The Anti-Phishing Software Policy List displays all anti-phishing software policies.
3.
Click Add.
The Add Anti-Phishing Software Policy page appears.
4.
5.
6.
Configure the basic information for the anti-phishing software policy.
To check an anti-phishing software product in the anti-virus software policy, select the box in
the Check field for the anti-virus software.
Click the Move Up icon in the Priority field of the Anti-Phishing Software Policy List to move
the anti-phishing software up one position in the list, or click the Move Down icon
to move
the anti-phishing software down one position in the list.
The iNode client checks the anti-phishing software of access users based on descending
priority order (most important first).
7.
Click OK.
The anti-phishing software policy you have added now appears in the configuration options when
you configure the security policy. For more information, see “Security policy management”
(page 33).
Modifying an anti-phishing software policy
To modify an anti-phishing software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing
Software Policies from the navigation tree.
The Anti-Phishing Software Policy List displays all anti-phishing software policies.
94
Configuring security check items for PCs
3.
Click the Modify icon
for the anti-phishing software policy you want to modify.
The Modify Anti-Phishing Software Policy page appears.
4.
5.
6.
Modify the basic information for the anti-phishing software policy. You cannot modify Policy
Name or Service Group.
To check an anti-phishing software product in the anti-phishing software policy, select the box
in the Check field for the anti-phishing software.
Click the Move Up icon in the Priority field of the Anti-Phishing Software Policy List to move
the anti-phishing software up one position in the list, or click the Move Down icon
to move
the anti-phishing software down one position in the list.
The iNode client checks the anti-phishing software of access users based on descending
priority order (most important first).
7.
Click OK.
Deleting an anti-phishing software policy
Before deleting an anti-phishing software policy that has been assigned to a security policy, you
must cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete an anti-phishing software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing
Software Policies from the navigation tree.
The Anti-Phishing Software Policy List displays all anti-phishing software policies.
3.
Click the Delete icon
for the anti-phishing software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Hard disk encryption software policy management
The system defines hard disk encryption software control for several types of hard disk encryption
software in the Windows operating system. You can enable hard disk encryption software control
for a security policy, and specify a hard disk encryption software policy.
The hard disk encryption software policy determines whether the hard disk encryption software is
installed on a user terminal. When an access user is authenticated, the iNode client checks the
hard disk encryption software on the user terminal according to the configuration in the security
policy.
Hard disk encryption software policy management allows you to view, add, modify, and delete
a hard disk encryption software policy. You can specify the hard disk encryption policies to be
checked as needed.
Hard disk encryption software policy list contents
•
Hard Disk Encryption Software Policy Name—Name of the hard disk encryption software
policy. Click the name to view its details.
•
Service Group—Service group to which the hard disk encryption software policy belongs.
•
Description—Description of the associated hard disk encryption software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the hard disk encryption software policy.
to delete the hard disk encryption software policy.
Hard disk encryption software policy management
95
Hard disk encryption software policy details
Hard disk encryption software policy details comprise the basic information section and the
Windows Operating System section.
Basic information section
•
Policy Name—Name of the hard disk encryption software policy.
•
Service Group—Service group to which the hard disk encryption software policy belongs.
•
Description—Description of the hard disk encryption software policy.
Windows Operating System section
This section lists the hard disk encryption software that can be checked by the iNode client on the
Windows operating system.
•
Hard Disk Encryption Software—Name of the hard disk encryption software.
•
Vendor—Vendor name of the hard disk encryption software.
•
Check—Indicates whether the corresponding hard disk encryption software is checked.
•
Priority—Order (descending) in which the iNode client checks the hard disk encryption
software.
Viewing the hard disk encryption software policy list
To view the hard disk encryption software policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption
Software Policies from the navigation tree.
The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies.
3.
4.
To sort the Hard Disk Encryption Software Policy List, click the Hard Disk Encryption Software
Policy Name or Service Group column label.
Click Refresh to refresh the Hard Disk Encryption Software Policy List.
Viewing hard disk encryption software policy details
To view details of a hard disk encryption software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption
Software Policies from the navigation tree.
The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies.
3.
Click the name of the hard disk encryption software policy for which you want to view the
detailed information.
The View Hard Disk Encryption Software Policy page appears.
4.
To go back to the Hard Disk Encryption Software Policy List, click Back.
Adding a hard disk encryption software policy
To add a hard disk encryption software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption
Software Policies from the navigation tree.
The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies.
96
Configuring security check items for PCs
3.
Click Add.
The Add Hard Disk Encryption Software Policy page appears.
4.
5.
6.
Configure the basic information for the hard disk encryption software policy.
To configure checking a hard disk encryption software product in the firewall software policy,
select the box in the Check field for the hard disk encryption software.
To adjust the position of the hard disk encryption software in the list, click the Move Up icon
or the Move Down icon
in the Priority field.
The iNode client checks the hard disk encryption software of access users based on descending
priority order (most important first).
7.
Click OK.
The hard disk encryption software policy you have added now appears in the configuration options
when you configure the security policy. For more information, see “Security policy management”
(page 33).
Modifying a hard disk encryption software policy
To modify a hard disk encryption software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption
Software Policies from the navigation tree.
The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies.
3.
Click the Modify icon
for the hard disk encryption software policy you want to modify.
The Modify Hard Disk Encryption Software Policy page appears.
4.
5.
6.
Modify the basic information for the hard disk encryption software policy. You cannot modify
Policy Name or Service Group.
To configure checking a hard disk encryption software product in the hard disk encryption
software policy, click the box in the Check field for the hard disk encryption software.
To adjust the position of the hard disk encryption software in the list, click the Move Up icon
or the Move Down icon
in the Priority field.
The iNode client checks the hard disk encryption software of access users based on descending
priority order (most important first).
7.
Click OK.
Deleting a hard disk encryption software policy
Before deleting a hard disk encryption software policy that has been assigned to a security policy,
you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a hard disk encryption software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption
Software Policies from the navigation tree.
The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies.
3.
Click the Delete icon
for the hard disk encryption software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Hard disk encryption software policy management
97
PC software control groups management
You can enable PC software control in a security policy and specify PC software control groups
to be checked. When an access user is authenticated, the iNode client checks software, processes,
services, and files on the PC according to the configuration in the security policy.
PC software control management allows you to view, add, modify, and delete a PC software
control group. Table 11 describes the check type for each type of PC software control group.
Table 11 PC software control groups and check types
PC software control group type Check types
• Installed Forbidden—Blocks any software products in the control group from being
installed on the user terminal.
Software
• Installed Required—Requires all software products in the control group be installed
on the user terminal.
• Installed Allowed—Allows only the software products in the control group to be
installed on the user terminal. Only one control group can be set as Installed
Allowed.
Process
Service
• Running Forbidden—Blocks any processes in the control group from running on the
user terminal.
• Running Required—Requires all processes in the control group be running on the
user terminal.
• Started Forbidden—Blocks any services in the control group from being started on
the user terminal.
• Started Required—Requires all services in the control group be started on the user
terminal.
• Non-Existent—Blocks any files in the control group from being stored on the user
terminal.
File
• Existent—Requires all files in the control group exist on the user terminal.
A software type PC software control group can check only the software installed on the Windows
operating system.
PC software control group list contents
98
•
Group Name—Name of the PC software control group. Click the name to view its details.
•
Type—Type of the PC software control group: Software, Process, Service, or File.
•
Description—Description of the PC software control group.
•
Default Action for Check Failure—Default action of the PC software control group check failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick Out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
Configuring security check items for PCs
A new PC software control group uses the default action you configured for PC software control
group check failure. When you select Global Security Mode in Security Level configuration, the
default action of the PC software control group check failure is invalid.
•
Local Data—Indicates whether the PC software control group is created by the EAD server.
When the value is No, the PC software control group is deployed by an upper-level node.
For more information, see “Hierarchical node management” (page 22).
•
Service Group—Service group to which the PC software control group belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
•
Common Software Definition—Click the Common Software Definition link to go to the Common
Software Definition page.
to modify the PC software control group.
to delete the PC software control group.
Viewing the PC software control group list
To view the PC software control group list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
Querying PC software control groups
To query PC software control groups:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
3. Enter your query criteria in the Query PC Software Control Group section:
4.
5.
•
Group Name—Enter the name of the PC software control group.
•
Software/Process/Service/File Name—Enter the software name, process name, service
name, or file name of the PC software control group.
Click Query.
To reset both the query values and the search results, and to restore the full PC Software Control
Group List, click Reset and re-enter your query criteria.
Managing common software
The PC software control group function allows you to manage common software. You can query,
add, or delete a common software product in the common software list. When you add or modify
a common software product, you can add software information in batches to the common software
list. DAM automatically collects information about the software installed on the registered assets.
Common software list
The common software list contains the following parameters:
•
Software Name—Name of the software.
•
Alias—Alias of the software. When an access user fails the access control check, the iNode
client uses the alias of the software as the name of the software on the Security Check Result
page.
•
Version Number—Version of the software.
•
Description—Description of the software.
PC software control groups management
99
Viewing the common software list
To view the common software list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
3. Click the Common Software Definition link at the upper right of the PC Software Control Group
List section.
The Common Software List is displayed in the main pane of the Common Software Definition
page.
4.
5.
To sort the Common Software List, click the Software Name, Alias, or Version Number column
label.
To go back to the Common Software List, click Back.
Querying the common software
To query the common software:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
3. Click the Common Software Definition link at the upper right of the PC Software Control Group
List section.
4. Enter your search criteria in the Query Condition section.
5. Click Query.
6. To reset both the query values and the search results, and to restore the full Common Software
List, click Reset and re-enter your query criteria.
Adding a common software product
To add a common software product:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
3. Click the Common Software Definition link at the upper right of the PC Software Control Group
List section.
The Common Software List is displayed in the main pane of the Common Software Definition
page.
4.
Click Add.
The Add Common Software Definition page appears.
5.
6.
Configure the common software information.
Click OK.
The software appears in the Common Software List.
7.
To go back to the Common Software List, click Back.
Importing common software in batches
The PC software control group function allows you to import common software in batches. DAM
allows you to import the software information of assets to the common software list.
To import common software in batches:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
100 Configuring security check items for PCs
3.
4.
Click the Common Software Definition link at the upper right of the PC Software Control Group
List section.
Click Import from Asset.
The Import Common Software page appears.
5.
6.
7.
8.
Enter your query criteria in the Query Condition section:
•
Software Name—Enter the software asset name.
•
Software Version—Enter the software asset version.
•
Asset Number—Enter the software asset number.
Click Query.
Select the box next to Software Name in the Common Software List for the software asset you
want to import.
Click OK.
The software appears in the Common Software List.
9.
To go back to the Common Software List, click Back.
Deleting a common software product
To delete a common software product:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group ManagementPC Software Control
Group from the navigation tree.
3. Click the Common Software Definition link at the upper right of the PC Software Control Group
List section.
The Common Software List is displayed in the main pane of the Common Software Definition
page.
4.
Select the box next to Software Name in the Common Software List for the common software
you want to delete.
A confirmation dialog box appears.
5.
Click OK.
Downloading and using the MD5 tool
The PC software control group function provides the MD5 tool, which you can use to calculate the
MD5 digest of an .exe file, and check the PC software control group configuration.
Only Windows operating systems support MD5 check. Each process in a Windows operating
system associates with an .exe file. You can identify the .exe files on a user terminal by MD5 check.
To download and use the MD5 tool:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
3. Click the MD5 Tool link at the upper right of the PC Software Control Group List section.
4. Download the MD5 tool file:
a. Decompress the file FileMD5Digest.zip.
b. Double-click FileMD5Digest.exe to run the MD5 tool.
c. Click Select Executable File and select an .exe file.
d. Click Calculate MD5 Digest.
e. Click Copy to copy the MD5 digest to the clipboard.
f. Click Close.
PC software control groups management
101
Managing software-type PC software control groups
A software-type PC software control group can check software installation. You can configure the
following check types in the security policy configuration:
•
Installation Required
•
Installation Prohibited
•
Installation Allowed
Software-type PC software control group details
Software-type PC software control group details comprise the basic information and software list
information.
Basic information contents
•
Group Name—Name of the PC software control group.
•
Type—Type of the PC software control group, Software.
•
Description—Description of the PC software control group.
•
Default Action for Check Failure—Default action of the PC software control group check failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
A new PC software control group uses the default action you configured for PC software
control group check failure. You can modify the action for PC software control group
check failure in the security policy. When you select Global Security Mode in Security
Level configuration, the default action of the PC software control group failure is invalid.
•
Service Group—Service group to which the PC software control group belongs.
Software list information
•
Software Name—Name of the software. The software name must be the same as that in
Windows>Control Panel>Add or Delete Programs.
•
Alias—Alias of the software. When an access user fails the access control check, the iNode
client uses the alias of the software as the name of the software on the Security Check Result
page.
•
Version Number—Version number of the software. The software version must be the same as
that in Windows>Control Panel>Add or Delete Programs.
•
Description—Description of the software.
Viewing a software-type PC software control group
To view a software-type PC software control group:
1. Click the Service tab.
102 Configuring security check items for PCs
2.
Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the group name of the PC software control group you want to view.
The View PC Software Control Group page appears.
4.
To go back to the PC Software Control Group List, click Back.
Adding a software-type PC software control group
To add a software-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click Add.
The Add PC Software Control Group page appears.
4.
5.
Configure the basic information for the PC software control group.
Add a software product to the Software List:
a. Click Add.
The Add Software dialog box appears.
b.
c.
Enter the Software Name, Alias, Version Number, and Description.
Click OK.
The added software appears in the Software List.
6.
Add software to the Software List in batches:
a. Click Batch Add.
The Batch Add Software dialog box appears.
b.
Enter your query criteria:
•
Software Name—Enter the software name.
•
Version Number—Enter the software version number.
•
Description—Enter the software description.
To reset both the query values and the search results, and to restore the full Common
Software List, click Reset and re-enter your query criteria.
c.
Click Query.
The query results appear in the Common Software List.
d.
e.
Select the box next to Software Name in the Common Software List for the software you
want to add.
Click OK.
The added software is displayed in the Software List.
7.
Click OK.
The software-type PC software control group you have added now appears in the configuration
options when you configure the security policy. For more information, see “Security policy
management” (page 33).
Modifying a software-type PC software control group
To modify a software-type PC software control group:
PC software control groups management 103
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Modify icon
for the software-type PC software control group you want to modify.
The Modify PC Software Control Group page appears.
4.
5.
Modify the basic information for the software-type PC software control group. You cannot
modify Group Name, Type, or Service Group.
Add a software product to the Software List:
a. Click Add.
The Add Software dialog box appears.
b.
c.
d.
e.
f.
Software Name—Enter the name of the software. The software name must be the same
as that in Control Panel>Programs and Features in the Windows operating system.
Alias—Enter the software alias. When an access user fails the access control check, the
iNode client uses the alias of the software as the name of the software on the Security
Check Result page.
Version Number—Enter the version of the software. The software version must be the
same as that in Control Panel>Programs and Features in the Windows operating system.
Description—Enter a description of the software.
Click OK.
The added software is displayed in the Software List.
6.
Add software to the Software List in batches:
a. Click Batch Add.
The Batch Add Software dialog box appears.
b.
Enter your query criteria.
To reset both the query values and the search results, and to restore the full Common
Software List, click Reset and re-enter your query criteria.
c.
Click Query.
The query results appear in the Common Software List.
d.
e.
Select the box next to Software Name in the Common Software List for the software you
want to add.
Click OK.
The added software is displayed in the Software List.
7.
Modify the software in the Software List:
a.
Click the Modify icon
for the software you want to modify.
The Modify Software dialog box appears.
b.
•
Policy Name—Modify the software name.
•
Alias—Modify the software alias. When an access user fails the access control check,
the iNode client uses the alias of the software as the name of the software on the
Security Check Result page.
•
Version Number—Modify the version of the software.
•
Description—Enter a new description for the software.
Click OK.
The modified software appears in the Software List.
104 Configuring security check items for PCs
8.
Delete the software in the Software List:
a. Click the Delete icon
for the software you want to delete.
b. Click OK in the dialog box that appears.
9.
Click OK.
Deleting a software-type PC software control group
Before deleting a software-type PC software control group that has been assigned to a security
policy, you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a software-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Delete icon
for the software-type PC software control group you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing process-type PC software control groups
A process-type PC software control group can check the running status of a process. A process is
generated after a program starts running. You can determine which software is running on a user
terminal by checking the processes. You can configure the following check types in the security
policy configuration: Running Required and Running Forbidden.
Process-type PC software control group details
The process-type PC software control group details comprise the basic information and process list
information.
Basic information contents
•
Group Name—Name of the PC software control group.
•
Type—Type of the PC software control group, Process.
•
Description—Description of the PC software control group.
•
Default Action for Check Failure—Default action for the PC software control group check
failure:
◦
Monitor—The user is not informed of security problems after going online, and can access
the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
A new PC software control group uses the default action you configured for PC software
control group check failure. When you select Global Security Mode in Security Level
PC software control groups management 105
configuration, the default action of the PC software control group failure is invalid. You can
specify whether Global Security Mode is used and the default action of the PC software control
group failure for each PC software control group.
•
Service Group—Service group to which the PC software control group belongs.
Process list information
•
Process Name—Name of the process.
◦
For the Windows operating system, the process name must be the same as that in Windows
Task Manager > Processes.
◦
For the Linux operating system, the process name must be the same as that after the ps
-ef command is executed.
◦
For the Mac OS operating system, the process name must be the same as that after the
ps -awwx -o command is executed.
•
Alias—Alias of the process. When an access user fails the access control check, the iNode
client uses the alias of the process as the name of the process on the Security Check Result
page.
•
Operating System—Operating system of a process: Windows, Linux, or Mac OS.
•
Check Type—Process check method: Simple, Complex, and MD5. You can configure all of
them on a Windows operating system; you can configure only Simple on a Linux or Mac OS
operating system.
◦
Simple—Used where the process name is the same as the source file name of a program.
◦
Complex—Used where the process name is different from the source file name of a
program. A process is generated for each program; typically, the process name is the
same as the source file name of the program. In some cases (for example, the program
name is changed manually), the process name is different from the source file name.
◦
MD5—Used where a process name has no corresponding source file name, or one process
name corresponds to multiple programs. The iNode client determines whether the software
corresponding to the MD5 digest is running on the user terminal according to the process
name and MD5 digest sent by the EAD server.
NOTE:
MD5 check rules are as follows:
–
Running Required process—Check the name of the process in the Windows task
manager, and check the MD5 digest of the process in the PC software control group.
If both are matched, the security check is passed; if they are not matched, the security
check fails.
–
Running Forbidden process—Check the name of the process in the Windows task
manager, and check the MD5 digest of the process in the PC software control group.
If either is matched, the security check failed; if neither is matched, the security check
is passed.
•
MD5 Digest—MD5 digest for the process. This column is not empty only when the check mode
for a process is MD5.
•
Description—Description of the process.
Viewing a process-type PC software control group
To view a process-type PC software control group:
1. Click the Service tab.
106 Configuring security check items for PCs
2.
Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the group name of the PC software control group you want to view.
The PC Software Control Group page appears.
4.
To go back to the PC Software Control Group List, click Back.
Adding a process-type PC software control group
To add a process-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click Add.
The Add PC Software Control Group page appears.
4.
5.
Configure the basic information for the PC software control group.
Add a process to the Process List:
a. Click Add.
The Add Process dialog box appears.
b.
c.
d.
e.
Enter the process name in the Process Name field.
Enter the software alias in the Alias field.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select a check type from the Check Type list: Simple, Complex, or MD5.
When you select the Windows operating system and the MD5 check type, enter the MD5
digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the
MD5 digest of a process.
f.
g.
Enter a description of the process in the Description field.
Click OK.
The process appears in the Software List.
6.
Click OK.
The process-type PC software control group you have added now appears in the configuration
options when you configure the security policy. For more information, see “Security policy
management” (page 33).
Modifying a process-type PC software control group
To modify a process-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Modify icon
for the process-type PC software control groups you want to modify.
The Modify Software Control Group page appears.
4.
5.
Modify the basic information for the process-type PC software control group. You cannot
modify Group Name, Type, or Service Group.
Add a process to the Process List:
PC software control groups management 107
a.
Click Add.
The Add Process dialog box appears.
b.
c.
d.
e.
Enter the process name in the Process Name field.
Enter the software alias in the Alias field.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select a check type from the Check Type list: Simple, Complex, or MD5.
When you select the Windows operating system and the MD5 check type, enter the MD5
digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the
MD5 digest of a process.
f.
g.
Enter a description of the process in the Description field.
Click OK.
The modified process appears in the Process List.
6.
Modify the process in the Process List.
a.
Click the Modify icon
for the process you want to modify.
The Modify Process dialog box appears.
b.
c.
d.
e.
Modify the process name in the Process Name field.
Enter the process alias in the Alias field.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select a check type from the Check Type list: Simple, Complex, or MD5.
When you select the Windows operating system and the MD5 check type, enter the MD5
digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the
MD5 digest of a process.
f.
g.
Modify the description of the process in the Description field.
Click OK.
The modified process appears in the Process List.
7.
Delete the process in the Process List:
a. Click the Delete icon
for the process you want to delete.
b. Click OK.
8.
Click OK.
Deleting a process-type PC software control group
Before deleting a process-type PC software control group that has been assigned to a security
policy, you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a process-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Delete icon
for the process-type PC software control groups you want to delete.
A confirmation dialog box appears.
4.
Click OK.
108 Configuring security check items for PCs
Managing service-type PC software control groups
A service-type PC software control group can check the startup status of services. You can configure
the following check types in the security policy configuration: Started Required and Started
Forbidden.
Service-type PC software control group details
Service-type PC software control group details comprise the basic information and service list
information.
Basic information contents
•
Group Name—Name of the PC software control group.
•
Type—Type of the PC software control group, Service.
•
Description—Description of the PC software control group.
•
Default Action for Check Failure—Default action for the PC software control group check
failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
A new PC software control group uses the default action you configured for PC software
control group check failure. When you select Global Security Mode in Security Level
configuration, the default action of the PC software control group failure is invalid.
•
Service Group—Service group to which the PC software control group belongs.
Service list information
•
Service Name—Name of the service.
◦
For the Windows operating system, the service name must be the same as that in Control
Panel > All Control Panel Items > Administrative Tools > Services > Properties.
◦
For the Linux operating system, the service name must be the same as that after the service
--status-all command is executed.
◦
For the Mac OS operating system, the service name must be the same as that after the
service --list command is executed.
•
Alias—Alias of the service. When an access user fails the access control check, the iNode
client uses the alias of the service as the name of the service on the Security Check Result
page.
•
Operating System—Operating system type of a process: Windows, Linux, or Mac OS.
PC software control groups management 109
•
Process Name—Processes on the Linux and Mac OS operating systems. Each service has a
corresponding process. The PC software control group checks the services running on the
Linux and Mac OS operating systems by process.
•
Description—Description of the service.
Viewing a service-type PC software control group
To view a service-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the group name of the PC software control group you want to view.
The View PC Software Control Group page appears.
4.
To go back to the PC Software Control Group List, click Back.
Adding a service-type PC software control group
To add a service-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click Add.
The Add PC Software Control Group page appears.
4.
5.
Configure the basic information for the PC software control groups.
Add a service to the Service List:
a. Click Add.
The Add Service dialog box appears.
b.
c.
Enter the service information.
Click OK.
The service appears in the Service List.
6.
Click OK.
The service you have added now appears in the configuration options when you configure the
security policy. For more information, see “Security policy management” (page 33).
Modifying a service-type PC software control group
To modify a service-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Modify icon
for the service-type PC software control group you want to modify.
The Modify PC Software Control Group page appears.
4.
110
Modify the basic information for the service-type PC software control group. You cannot modify
Group Name, Type, or Service Group.
Configuring security check items for PCs
5.
Add a service to the Service List:
a. Click Add.
The Add Service dialog box appears.
b.
c.
Enter the service information.
Click OK.
The service appears in the Service List.
6.
Modify the service in the Service List:
a.
Click the Modify icon
for the service you want to modify.
The Modify Service dialog box appears.
b.
c.
Modify the information.
Click OK.
The modified service appears in the Service List.
7.
Delete the service in the Service List:
a. Click the Delete icon
for the service you want to delete.
b. Click OK.
8.
Click OK.
Deleting a service-type PC software control group
Before deleting a service-type PC software control group that has been assigned to a security
policy, you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a service-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Delete icon for the service-type PC software control group you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing file-type PC software control groups
A file-type PC software control group can determine whether a file exists. You can configure the
following check types in the security policy configuration: Existent or Non-Existent.
File-type PC software control group details
File-type PC software control group details comprise the basic information and file list information.
Basic information contents
•
Group Name—Name of the PC software control group.
•
Type—Type of the PC software control group, File.
•
Description—Description of the PC software control group.
PC software control groups management
111
•
Default Action for Check Failure—Default action for the PC software control group check
failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
A new PC software control group uses the default action you configured for PC software
control group check failure. When you select Global Security Mode in Security Level
configuration, the default action of the PC software control group failure is invalid.
•
Service Group—Service group to which the PC software control group belongs.
File list information
•
File Path and Name—Path and name of the file.
•
Alias—Alias of the file. When an access user fails the access control check, the iNode client
uses the alias of the file as the path and name of the file on the Security Check Result page.
•
Operating System—Operating system type of a file: Windows, Linux, or Mac OS.
•
Check Type—Match mode for the file content check:
•
•
◦
None—No keyword check is performed for the file content.
◦
Keyword Include—File is matched when the file content contains the specified keyword.
◦
Keyword Exclude—File is matched when the file content does not contain the specified
keyword.
Keyword Type—Keyword type for the file content check: String or Binary. This field does not
appear when None is selected for Check Type.
◦
String—Used for a text file content check.
◦
Binary—Used for a file content check of other types of files.
Description—Description of the file.
Viewing a file-type PC software control group
To view a file-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the group name of the PC software control group you want to view.
The View PC Software Control Group page appears.
4.
112
To go back to the PC Software Control Group List, click Back.
Configuring security check items for PCs
Adding a file-type PC software control group
To add a file-type PC software control group:
1. Click the Service tab
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click Add.
The Add PC Software Control Group page appears.
4.
5.
Configure the basic information for the PC software control group.
Add a file to the File List:
a. Click Add.
The Add File dialog box appears.
b.
c.
Enter the file path and name in the File Path and Name field.
Enter the file alias in the Alias field.
When an access user fails the access control check, the iNode client uses the alias of the
file as the path and name of the file on the Security Check Result page.
d.
e.
f.
g.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select the radio button next to the keyword match mode for the file content check: None,
Keyword Include, or Keyword Exclude.
When the keyword match method is Keyword Include or Keyword Exclude, select the
radio button next to the keyword type:
•
String—Used for a text file content check.
•
Binary—Used for a file content check of other types of files.
Enter the keyword in the Keyword field.
For a text file, the keyword is in the text file. For other types of files, you can use the file
editor to view the file; the keyword is hexadecimal digits.
h.
i.
Enter a description of the file in the Description field.
Click OK.
The file appears in the File List.
6.
Click OK.
The file-type PC software control group you have added now appears in the configuration options
when you configure the security policy. For more information, see “Security policy management”
(page 33).
Modifying a file-type PC software control group
To modify a file-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Modify icon
for the file-type PC software control group you want to modify.
The Modify PC Software Control Group page appears.
4.
5.
Modify the basic information for the file-type PC software control group. You cannot modify
Group Name, Type, or Service Group.
Add a file to the File List:
PC software control groups management
113
a.
Click Add.
The Add File dialog box appears.
b.
c.
Enter the file path and name in the File Path and Name field.
Enter the file alias in the Alias field.
When an access user fails the access control check, the iNode client uses the alias of the
file as the path and name of the file on the Security Check Result page.
d.
e.
f.
g.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select the radio button next to the keyword match mode for the file content check: None,
Keyword Include, or Keyword Exclude.
When the keyword match method is Keyword Include or Keyword Exclude, select the
radio button next to the keyword type:
•
String—Used for a text file content check.
•
Binary—Used for a file content check of other types of files.
Enter the keyword in the Keyword field.
For a text file, the keyword is in the text file. For other types of files, you can use the file
editor to view the file; the keyword is hexadecimal digits.
h.
i.
Enter a description of the file in the Description field.
Click OK.
The file appears in the File List.
6.
Modify the file in the File List:
a.
Click the Modify icon
for the file you want to modify.
The Modify File dialog box appears.
b.
c.
Modify the file path and name in the File Path and Name field.
Modify the file alias in the Alias field.
When an access user fails the access control check, the iNode client uses the alias of the
file as the path and name of the file on the Security Check Result page.
d.
e.
f.
g.
Select an operating system from the Operating System list: Windows, Linux, or Mac OS.
Select the radio button next to the keyword match mode for the file content check: None,
Keyword Include, or Keyword Exclude.
When the keyword match method is Keyword Include or Keyword Exclude, select the
radio button next to the keyword type:
•
String—Used for a text file content check.
•
Binary—Used for a file content check of other types of files.
Enter the keyword in the Keyword field.
For a text file, the keyword is in the text file. For other types of files, you can use the file
editor to view the file; the keyword is hexadecimal digits.
h.
i.
Modify the description of the file in the Description field.
Click OK.
The file appears in the File List.
114
7.
Delete the file in the File List:
a. Click the Delete icon
for the file you want to delete.
b. Click OK.
8.
Click OK.
Configuring security check items for PCs
Deleting a file-type PC software control group
Before deleting a file-type PC software control group that has been assigned to a security policy,
you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a file-type PC software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > PC Software
Control Group from the navigation tree.
The PC Software Control Group List displays all PC software control groups.
3.
Click the Delete icon
for the file-type PC software control group you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Patch management software management
Access users that use the Linux or Mac OS operating system must use the patch management
software to update patches on the operating system. You can enable patch management software
control in a security policy. When an access user is authenticated, the iNode client checks the
patch management software on the user terminal according to the configuration in the security
policy. You can configure the patch management software as needed. You can specify the patch
management software to be checked, and then enable patch management software check in the
security policy.
Patch management software list contents
The Linux Operating System and Mac OS Operating System sections list the patch management
software supported by the corresponding operating system.
The patch management software list contains the following parameters:
•
Patch Management Software—Name of the patch management software.
•
Check—Indicates whether the corresponding patch management software is checked.
•
Priority—Provides the Move Up icon
down in a list.
and Move Down icon
for moving items up and
Configuring patch management software management
To configure patch management software management:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Patch Management Software from the
navigation tree.
The Patch Management Software List page appears.
3.
To check the patch management software, select Check for the associated patch management
software. To cancel checking the patch management software, clear Check.
Windows patch control
Windows patch check through the Windows server is an automatic check, download, and
installation process. You only need to enable Windows patch control check in the security policy.
This section describes the Windows patch check configuration on the EAD server, such as querying,
adding, modifying, and deleting Windows patches, and managing Windows versions.
Patch management software management
115
Users must download and install the patches. For access users using Windows for authentication,
you can enable Windows patch control in a security policy. Access users can ensure timely update
of Windows patches by using the Microsoft server check function or by checking patches manually.
•
Microsoft server check function—The iNode client collaborates with WSUS or SMS to check
the missing patches and the patch level, and installs the patches automatically.
•
Manual check—The iNode client cooperates with the EAD server to check the missing patches.
You can configure the Windows patches to be checked and the patch level. For more information,
see “Adding a security policy” (page 43).
Windows patch list contents
•
Patch Name—Name of the Windows patch.
•
Message—Message for the associated Windows patch. When the iNode client detects that
the user terminal lacks the patch, it displays this message.
•
Applicable Windows Version—Windows version for the associated Windows patch.
•
Patch Level—Patch level for the associated Windows patch: Critical, Important, Moderate, or
Low.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the Windows patch.
to delete the Windows patch.
Windows patch information details
Windows patch information comprises the following basic information:
•
Patch Name—Enter the patch name (for example, KB2508429, KB2509553).
•
Message—Enter the prompt. When the iNode client detects that the user terminal lacks the
patch, it displays this message.
•
Patch Level—Select a patch level: Critical, Important, Moderate, or Low.
Applicable Windows version list
The applicable Windows version list shows the following information for the Windows versions to
which the patch applies:
•
Operating System—Operating system type: Windows.
•
Version—Windows version.
•
Language—Language of the Windows operating system.
•
Patch List—Patch list for the associated Windows version. The patches are separated by
commas.
Viewing the Windows patch list
To view the Windows patch list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
3. To reset the query values and search results, and to restore the full Patch List, click Reset.
Querying the Windows patches
To query the Windows patches:
1. Click the Service tab.
116
Configuring security check items for PCs
2.
Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Windows Patch Control page appears.
3.
4.
5.
Enter one or more of the following query criteria:
•
Patch Name—Enter the patch name.
•
Version—Enter the operating system version.
•
Language—Enter the language: ALL, Native Language, or English.
Click Query.
To reset the query values and the search results, and to restore the full Patch List, click Reset.
Adding a Windows patch
To add a Windows patch:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
3. Click Add.
The Add Windows Patch Control page appears.
4.
5.
6.
Configure the basic information.
•
Patch Name—Enter the patch name (for example, KB2508429, KB2509553).
•
Message—Enter the prompt. When the iNode client detects that the user terminal lacks
the patch, it displays this message.
•
Patch Level—Select a patch level: Critical, Important, Moderate, or Low.
Select an operating system version in the Applicable Windows Version section.
Click OK.
Modifying a Windows patch
To modify a Windows patch:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Windows Patch Control page appears.
3.
4.
5.
for the patch you want to modify.
Click the Modify icon
Modify the basic information for the patch. You cannot modify Patch Control Name or Service
Group.
Select an operating system version in the Applicable Windows Version section.
To remove the Windows version, clear Operating System.
6.
Click OK.
Deleting a Windows patch
To delete a Windows patch:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Windows Patch Control page appears.
Windows patch control
117
3.
Click the Delete icon
in the Patch List for the target patch.
A confirmation dialog box appears.
4.
Click OK.
Managing Windows versions
You can configure the applicable Windows versions when you add or modify Windows patches.
Windows version list contents
•
Operating System—Operating system type.
•
Version—Operating system version.
•
Language—Language for the associated Windows version.
•
Patch List—Patch list for the associated Windows version.
•
Delete—Icon
for deleting the Windows version.
Viewing a Windows version
To view a Windows version:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Windows Patch Control page appears.
3.
Click the Windows Version link located at the upper right of the Patch List.
The Windows Version List displays all Windows versions.
4.
Click Refresh to refresh the Windows Version List.
Adding a Windows version
To add a Windows version:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Patch List displays all Windows patches.
3.
Click the Windows Version link located at the upper right of the Patch List.
The Windows Version List displays all Windows versions.
4.
5.
Click Add.
The Add Windows Version page appears.
You cannot modify the operating system version except by removing the old configured version
and entering the correct version.
6.
118
Configure the basic information for the Windows version:
•
Version—Enter the Windows version. The spelling must exactly match that provided by
Microsoft, such as XP or Windows 7 Professional Service Pack 1.
•
Language—Select one of the following options:
◦
All—All languages, including English and non-English versions.
◦
Native Language—All non-English versions.
◦
English—English versions.
Configuring security check items for PCs
NOTE: To change the Windows version, you must first remove the old configured version,
and then enter the correct version. You cannot modify the old configured version without
removing it.
7.
Click OK.
Deleting a Windows version
Only Windows version items without patch configurations can be deleted. To delete the items with
patches, delete the patches first.
1. Click the Service tab.
2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation
tree.
The Patch List displays all Windows patches.
3.
Click the Windows Version link located at the upper right of the Patch List.
The Windows Version List displays all Windows versions.
4.
5.
Click the Delete icon
Click OK.
for the target Windows version.
Registry control policy management
You can enable registry control in a security policy, and specify the registry controls to be checked.
To check the security of an access user, the iNode client checks the user terminal according to the
registry control policy configured in the security policy. You can specify the registries and their
respective key names or values in the registry control policy.
Registry control management allows you to query, view, add, modify, and delete a registry control
policy. You can configure a registry control policy as needed.
Registry control list contents
•
Registry Control Name—Name of the registry control. Click the name to view its details.
•
Description—Description for the associated registry control.
•
Registry Entry Location—Registry entry location for the associated registry control.
•
Default Action for Check Failure—A new registry control policy uses the default action you
configured for registry control check failure.
◦
Monitor (default)—User is not informed about security problems after going online, and
the user can access the network. Security check results are recorded in the security logs.
◦
Inform—User is informed of security problems after going online, the system prompts the
user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—User is informed of security problems after going online, the system prompts the
user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick Out—User is informed of security problems after going online, fails the authentication,
and is forced to log off. Security check results are recorded in the security logs.
Registry control policy management
119
When you select Global Security Mode in Security Level configuration, the default action of the
registry control check failure is invalid. You can set whether Global Security Mode is used and the
default action of the registry control check failure for each registry control policy.
•
Service Group—Service group to which the registry control belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the registry control.
to delete the registry control.
Registry control list details
Registry control list details comprise a basic information section and a registry entry section.
Basic information section
•
Registry Control Name—Name of the registry control.
•
Registry Entry Location—Registry entry location for the registry control.
•
Description—Description for the associated registry control.
•
Failure Notification (Check Failure Message)—Message for the registry control check failure.
•
Default Action for Check Failure—Default action for the registry control check failure:
◦
Monitor (default)—User can access the network, and is not informed of security problems
after going online. Security check results are recorded in the security logs.
◦
Inform—User is informed of security problems after going online, the system prompts the
user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—User is informed of security problems after going online, the system prompts the
user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—User is informed of security problems after going online, fails the authentication,
and is forced to log off. Security check results are recorded in the security logs.
A new registry control uses the default action you configured for registry control check failure.
When you select Global Security Mode in Security Level configuration, the default action of
the registry control failure is invalid. You can set whether Global Security Mode is used and
the default action of the registry control failure for each registry control.
•
Service Group—Service group to which the registry control belongs.
Registry entry section
•
Key Name—The name of the registry key. When the registry key name is (Default), you must
select Default Key. The key type of a default key must be REG_SZ.
•
Alias—When an access user fails the registry control check, the iNode client uses the alias
of the registry key as the name of the registry key on the Security Check Result page.
•
Check Type—Select a match mode: Value Matched, Value Not Matched, Key Existent, or Key
Not Existent.
•
Compatible Operating Systems—Select an operating system: Win2000, WinXP, Win2003,
WinVista, or Win7. Only the selected operating system checks the registry key.
•
Key Value Type—Select a key value type: REG_SZ or REG_DWORD.
120 Configuring security check items for PCs
•
Key Value—Enter the key value of the registry key.
•
Failure Notification—Enter the failure notification for the registry control. When the registry
entry check for an access user fails, this failure notification is displayed on the Security Check
Result page.
Viewing the registry control list
To view the registry control list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
To sort the Registry Control List, click the Registry Control Name, Registry Entry Location,
Service Group, or Default Action for Check Failure column label.
Viewing a registry control
To view a registry control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
Click the name of a registry control to view its information.
Querying the registry control
To query the registry control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
4.
Enter one or both of the following query criteria:
•
Registry Control Name—Enter the name of the registry control.
•
Registry Entry Location—Enter the location of the registry control.
Click Query.
The Registry Control List displays the registry controls that match the query criteria.
5.
To reset the query values and search results, and to restore the full Registry Control List, click
Reset.
Adding a registry control
To add a registry control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
Click Add.
The Add Registry Control page appears.
4.
Configure the basic information.
Registry control policy management
121
5.
Add a registry entry to the Registry Entry List:
a. Click Add.
The Add Registry Entry dialog box appears.
b.
c.
Specify the Registry Entry information.
Click OK.
The new registry entry is displayed in the Registry Entry List.
6.
Click OK.
The registry control entry you have added now appears in the configuration options when
configuring the security policy. For more information, see “Security policy management” (page 33).
Modifying a registry control
To modify a registry control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
4.
5.
Click the Modify icon
for the target registry control.
Modify the basic information. You cannot modify Registry Control Name or Service Group.
Add a registry entry to the Registry Entry List:
a. Click Add.
The Add Registry Entry dialog box appears.
b.
c.
Specify the Registry Entry information.
Click OK.
The added registry entry is displayed in the Registry Entry List.
6.
Modify a registry control entry:
a.
Click the Modify icon
for the target registry entry.
The Modify Registry Entry dialog box appears.
b.
c.
Modify the Registry Entry information as needed.
Click OK.
The modified registry entry is displayed in the Registry Entry List.
7.
Delete a registry control entry:
a. Click the Delete icon
for the target registry entry.
b. Click OK.
8.
Click OK.
Deleting a registry control
Before deleting a registry control that has been assigned to a security policy, you must cancel its
associations. For more information, see “Modifying a security policy” (page 44).
To delete a registry control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Registry Control from the navigation tree.
The Registry Control List displays all registry controls.
3.
Click the Delete icon
for the target registry entry.
A confirmation dialog box appears.
4.
122
Click OK.
Configuring security check items for PCs
Share control management
You can enable share control check for a security policy, and specify a share control policy. When
an access user is authenticated, the iNode client checks the user terminal according to the share
control policy configured in the security policy.
Share control policy management allows you to view, add, modify, and delete a share control
policy. You can configure a share control policy as needed.
Share control list contents
•
Share Control Name—Name of the share control. Click the name to view its details.
•
Share—Indicates whether the share control allows folder share.
•
Default Share—Indicates whether the share control allows default share.
•
Windows XP Simple Share—Indicates whether the share control allows Windows XP simple
share.
•
Service Group—Service group to which the share control belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the share control.
to delete the share control.
NOTE: To sort the Share Control List, click the Share Control Name, Share, Default Share, Windows
XP Simple Share, or Service Group column label.
Share control details
The share control details comprise the following basic information:
•
Share Control Name—Name of the share control. Click the name to view its details.
•
Service Group—Service group to which the share control belongs.
•
Default Action for Check Failure—Default action of the share control check failure:
◦
Monitor (default)—User is not informed of security problems after going online, and can
access the network. Security check results are recorded in the security logs.
◦
Inform—User is informed of security problems after going online, the system prompts the
user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—User is informed of security problems after going online, the system informs the
user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—User is informed of security problems after going online, fails the authentication,
and is forced to log off. Security check results are recorded in the security logs.
A new share control uses the default action you configured for share control check failure. When
you select Global Security Mode in Security Level configuration, the default action of the share
control failure is invalid.
•
Description—Description for the associated registry control.
•
Allow Share—Select this option when the share control allows an access user to use the share
function.
•
Forbid Default Share—Select this option when the share control prohibits an access user from
using default share. The option is available only when the access user is allowed to use the
share function.
Share control management
123
•
Forbid Windows XP Simple Share—Select this option when the share control prohibits an
access user from using Windows XP simple share. The option is available only when the access
user is allowed to use the share function.
•
Exclude Groups or Users from Sharing—Folder share right is not assigned to the Windows
users and groups. Enter the user name and group name to which the share right cannot be
assigned. Domain user names are in the format domain name\user name. User names are
separated by commas and are case sensitive.
Viewing the share control list
To view the share control list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Share Control from the navigation tree.
The Share Control List displays all share controls.
3.
Click Refresh to refresh the Share Control List.
Viewing share control details
To view a share control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Share Control from the navigation tree.
The Share Control List displays all share controls.
3.
4.
Click the name of the share control you want to view.
To go back to the Share Control List, click Back.
Adding a share control
To add a share control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Share Control from the navigation tree.
The Share Control List displays all share controls.
3.
Click Add.
The Add Share Control page appears.
4.
5.
Configure the basic information.
Click OK.
The share control you have added now appears in the configuration options when configuring the
security policy. For more information, see “Security policy management” (page 33).
Modifying a share control
To modify a share control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Share Control from the navigation tree.
The Share Control List displays all share controls.
3.
4.
5.
124
Click the Modify icon
for the target share control.
Modify the share control. You cannot modify Registry Control Name or Service Group.
Click OK.
Configuring security check items for PCs
Deleting a share control
Before deleting a share control that has been assigned to a security policy, you must cancel their
associations. For more information, see “Modifying a security policy” (page 44).
To delete a share control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Share Control from the navigation tree.
The Share Control List displays all share controls.
3.
Click the Delete icon
for the target share control.
A confirmation dialog box appears.
4.
Click OK.
Traffic control management
You can specify a traffic control policy for a security policy. When an access user passes the
authentication, the iNode client periodically checks the traffic on the user terminal according to
the traffic control policy configured in the security policy.
You can configure the sampling interval, IP traffic monitoring, broadcast monitoring, packet number
monitoring, and TCP/UDP connection monitoring in the traffic control policy.
Traffic control policy management allows you to view, add, modify, and delete a traffic control
policy. You can configure a traffic control policy as needed.
Traffic control list contents
•
Name—Name of the traffic control. Click the name to view its details.
•
Description—Description for the associated traffic control.
•
Service Group—Service group to which the traffic control belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the traffic control.
to delete the traffic control.
Traffic control list details
Traffic control details comprise the following sections:
•
Basic information
•
IP Traffic Monitoring
•
Broadcast Packet Monitoring
•
Packet Monitoring
•
TCP/UDP Connection Monitoring
Basic information section
•
Name—Name of the traffic control.
•
Sampling Interval—Traffic sampling interval on the iNode client.
•
Description—Description for the associated traffic control.
•
Service Group—Service group to which the traffic control belongs.
Traffic control management
125
IP Traffic Monitoring section
•
Monitor IP Traffic—Indicates whether IP traffic monitoring is enabled for the traffic control.
•
Minor Threshold—Minor threshold for IP traffic abnormality.
•
Severe Threshold—Severe threshold for IP traffic abnormality.
Broadcast Packet Monitoring section
•
Monitor Broadcast Packets—Indicates whether broadcast packet monitoring is enabled for
the traffic control.
•
Minor Threshold—Minor threshold for abnormal broadcast packets.
•
Severe Threshold—Severe threshold for abnormal broadcast packets.
Packet Monitoring section
•
Monitor Packets—Indicates whether packet monitoring is enabled for the traffic control.
•
Minor Threshold—Minor threshold for abnormal packets.
•
Severe Threshold—Severe threshold for abnormal packets.
TCP/UDP Connection Monitoring section
•
Monitor TCP/UDP Connections—Indicates whether TCP/UDP connection monitoring is enabled
for the traffic control.
•
Minor Threshold—Minor threshold for abnormal TCP/UDP connections.
•
Severe Threshold—Severe threshold for abnormal TCP/UDP connections.
Viewing the traffic control list
To view the traffic control list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Traffic Control from the navigation tree.
The Traffic Control List displays all traffic controls.
3.
4.
Click Refresh to refresh the Traffic Control List.
To sort the Traffic Control List, click the Name, Share, or Service Group column label.
Viewing traffic control details
To view a traffic control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Traffic Control from the navigation tree.
The Traffic Control List displays all traffic controls.
3.
4.
Click the name of the traffic control to view its information.
To go back to the Traffic Control List, click Back.
Adding a traffic control
To add a traffic control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Traffic Control from the navigation tree.
The Traffic Control List displays all traffic controls.
3.
4.
126
Click Add.
Configure the basic information.
Configuring security check items for PCs
5.
6.
Select and enter a Minor Threshold and Severe Threshold for each type of monitoring that
must be enabled:
•
Monitor IP Traffic
•
Monitor Broadcast Packets
•
Monitor Packets
•
Monitor TCP/UDP Connections
Click OK.
The traffic control you have added now appears in the configuration options when configuring the
security policy. For more information, see “Security policy management” (page 33).
Modifying a traffic control
To modify a traffic control:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Traffic Control from the navigation tree.
The Traffic Control List displays all traffic controls.
3.
4.
5.
6.
for the target traffic control.
Click the Modify icon
Modify the basic information. You cannot modify the name or service group.
Modify the parameters for each monitoring category of as needed (Monitor IP Traffic, Monitor
Broadcast Packets, Monitor Packets, and Monitor TCP/UDP Connections):
•
Select a monitoring category to disable it.
•
Unselect a monitoring category to enable it.
•
Modify each minor threshold or major threshold as needed.
Click OK.
Deleting a traffic control
Before deleting a traffic control that has been assigned to a security policy, you must cancel their
associations. For more information, see “Modifying a security policy” (page 44).
To delete a traffic control:
1. Select Endpoint Admission Defense > Traffic Control from the navigation tree.
The Traffic Control List displays all traffic controls.
2.
Click the Delete icon
for the target share control.
A confirmation dialog box appears.
3.
Click OK.
Password control
You can enable password control for a security policy. When an access user is authenticated, the
iNode client checks the password according to the built-in password check rules and password
dictionary, and determines the security of the password.
Password check rules are built in the iNode client. You only need to specify the password dictionary.
The default password dictionary includes common weak passwords, such as names and company
IDs. You can define new passwords as needed to enhance system security.
Modifying a password control
To modify a password control:
Password control
127
1.
Select Endpoint Admission Defense > Password Control from the navigation tree.
The Modify Password Control page appears.
2.
3.
4.
Click the download link located to the right of Download URL to download the current password
dictionary.
Use a text editor to edit the password dictionary to add self-defined weak passwords.
Select Upload Password Dictionary.
The Password Dictionary File field appears.
Click Browse to locate the password dictionary file to be uploaded, select the file, and then
click OK.
The file name must be PasswordDic.txt.
5.
6.
7.
From the Default Action for Check Failure list, select the default action for password check
failure. A new password control uses the default action you configured for password control
check failure.
•
Monitor (default)—User is not informed of security problems after going online, and can
access the network. Security check results are recorded in the security logs.
•
Inform—User is informed of security problems after going online, the system prompts the
user for modification, and the user can access the network. Security check results are
recorded in the security logs.
•
Isolate—User is informed of security problems after going online, the system prompts the
user to solve the problems, and the user can access the resources in the isolation area
according to the configured ACL. Security check results are recorded in the security logs.
•
Kick out—User is informed of security problems after going online, fails the authentication,
and is forced to log off. Security check results are recorded in the security logs.
Click OK.
Click the Test link located to the right of Download URL to test whether the password dictionary
can be used properly.
Asset registration status check
You can enable asset registration status check in a security policy. When an access user is
authenticated, the iNode client cooperates with DAM to check the asset registration status. DAM
manages each access user by using the Windows operating system as a desktop asset. DAM can
monitor and audit registered assets and deploy software to the assets. For more information see
“Managing assets” (page 158).
128
Configuring security check items for PCs
6 Configuring security check items for smart terminals
Just as security checks items can be selected to enhance security on PCs, they can also be selected
for a security policy that is assigned to smart terminals. The items are as follows:
•
Anti-virus software control
•
Anti-spyware software control
•
Smart Terminal Software Control
•
Smart Terminal Policy
Anti-virus software policy management
The system defines anti-virus software control for several types of anti-virus software in Android.
You can enable anti-virus software control in a security policy and specify an anti-virus software
policy. The anti-virus software policy determines whether an anti-virus software type application
control is installed, and whether the software version matches the policy. When an access user is
authenticated, the iNode client verifies the anti-virus software on the smart terminal according to
the security policy configurations.
Anti-virus software policy management allows you to view, add, modify, and delete an anti-virus
software policy. You can specify the anti-virus software type application controls to be checked
and the anti-virus software version.
Anti-virus software policy list contents
The anti-virus software policy list contains the following parameters:
•
Anti-Virus Software Policy Name—Name of the anti-virus software policy. Click the name to
view its details.
•
Service Group—Service group to which the anti-virus software policy belongs.
•
Description—Description of the anti-virus software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the anti-virus software policy.
to delete the anti-virus software policy.
Anti-virus software policy details
Anti-virus software policy details comprise the basic information section and the Windows Operating
System, Linux Operating System, Mac OS Operating System, and Android Operating System
sections. The Windows Operating System, Linux Operating System, and Mac OS Operating System
sections do not take effect on smart terminals.
Basic information section
•
Policy Name—Name of the anti-virus software policy.
•
Service Group—Service group to which the anti-virus software policy belongs.
•
Description—Description of the anti-virus software policy.
Android operating system section
The Android operating system section lists the anti-virus software that can be examined by the
iNode client.
•
Anti-Virus Software—Name of the anti-virus software.
•
Vendor—Vendor name of the anti-virus software.
Anti-virus software policy management
129
•
Check Items—Indicates whether the software version is checked for the corresponding anti-virus
software.
◦
•
Check software version—When this parameter is selected, the anti-virus software version
be checked. Otherwise, the anti-virus software version is not checked.
Restriction—Check rules for the anti-virus software policy. When this field is empty, no rules
are set for the anti-virus software.
◦
Delay Time (Days)—Adaptation period for the software version. This option is valid only
when the anti-virus software version is in YYYY-MM-DD format. When the anti-virus software
version is updated within the adaptation period, the anti-virus engine version check is
passed.
◦
Lowest Software Version—Lowest anti-virus software version allowed by the anti-virus
software policy. An anti-virus software policy supports two anti-virus software version
formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month,
and DD is the two-digit day; and XX.XX.XX, for example, 3.8.0.
•
Check—Indicates whether the corresponding anti-virus software is checked.
•
Priority—The iNode client checks the anti-virus software based on the priority. Items are listed
in descending priority order (most important first). Click the Move Up icon or Move Down
icon
to adjust the list.
Viewing the anti-virus software policy list
To view the anti-virus software policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
4.
To sort the Anti-Virus Software Policy List, click the Anti-Virus Software Policy Name or Service
Group column label.
Click Refresh to refresh the Anti-Virus Software Policy List.
Viewing anti-virus software policy details
To view details of an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click the name of the anti-virus software policy for which you want to view the detailed
information.
The View Anti-Virus Software Policy page appears.
4.
To go back to the Anti-Virus Software Policy List, click Back.
Adding an anti-virus software policy
To add an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
130 Configuring security check items for smart terminals
3.
Click Add.
The Add Anti-Virus Software Policy page appears.
4.
5.
6.
Configure the basic information for the anti-virus software policy.
To check an anti-virus software product in the anti-virus software policy, select the box in the
Check field for the anti-virus software. Make sure you configure the anti-virus software products
in the Android Operating System section. Anti-virus software products in other operating system
sections do not take effect on smart terminals.
Modify the anti-virus software check:
a.
Click the Modify icon
for the anti-virus software you want to modify.
The Anti-Virus Software Settings dialog box appears.
b.
c.
Modify the anti-virus software name in the Anti-Virus software field, as needed.
To check the anti-virus software version, select the box next to Check software version,
and select an anti-virus software version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 12.
Table 12 Version formats and parameters
Version format
Date format
Dotted format
d.
Notification
Version check mode
Parameter
Specified Version
Lowest Version of
Anti-Virus Software
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Software
YYYY-MM-DD
XX.XX.XX
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—The version check is passed if the user terminal version is higher
than the specified version. If not, the version check fails.
When the version check mode is Specified Version and the version format is Date
format, either enter the date manually or click the Calendar icon next to the Lowest
Version of Anti-Virus Software field to select a date.
When the version check mode is Specified Version and the version format is Dotted
format, enter the version in the Lowest Version of Anti-Virus Software field. A valid
version format is XX.XX.XX, for example, 7.100.1003.
•
e.
f.
7.
8.
Auto Adaptive—The version check is passed if the user terminal version has been
updated within the adaptation period. If not, the version check fails.
When the version check mode is Auto Adaptive and the version format is Date format,
manually enter the adaptation period in the Adaptation Period (in days) field.
Click OK.
In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon
to adjust the anti-virus software position in the list.
Down icon
Click OK.
or Move
Anti-virus software policy management
131
The anti-virus software policy you have added now appears in the configuration options when you
configure the security policy. For more information, see “Security policy” (page 19).
Modifying an anti-virus software policy
To modify an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click the Modify icon
for the anti-virus software policy you want to modify.
The Modify Anti-Virus Software Policy page appears.
4.
5.
6.
Modify the basic information for the anti-virus software policy. You cannot modify Policy Name
or Service Group.
To check an anti-virus software product in the anti-virus software policy, select the box in the
Check field for the anti-virus software. Make sure you configure the anti-virus software products
in the Android Operating System section. Anti-virus software products in other operating system
sections do not take effect on smart terminals.
Modify the anti-virus software check:
a.
Click the Modify icon
for the anti-virus software you want to modify.
The Anti-Virus Software Settings dialog box appears.
b.
c.
Modify the anti-virus software name in the Anti-Virus software field, as needed.
To check the anti-virus software version, select the box next to Check software version,
and select an anti-virus software version format:
•
Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003.
•
Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year,
MM is the two-digit month, and DD is the two-digit day.
•
Date or dotted format—Dotted format and date format are valid.
Different version formats require different parameters, as described in Table 13.
Table 13 Version formats and parameters
Version format
Date format
Dotted format
d.
Notification
Version check mode
Parameter
Specified Version
Lowest Version of
Anti-Virus Software
Auto Adaptive
Adaptation Period (in
days)
Specified Version
Lowest Version of
Anti-Virus Software
YYYY-MM-DD
XX.XX.XX
Select a version check mode, Specified Version or Auto Adaptive, from the Version Check
Mode list.
•
Specified Version—The version check is passed if the user terminal version is higher
than the specified version. If not, the version check fails.
When the version check mode is Specified Version and the version format is Date
format, either enter the date manually or click the Calendar icon next to the Lowest
Version of Anti-Virus Software field to select a date.
132
Configuring security check items for smart terminals
When the version check mode is Specified Version and the version format is Dotted
format, enter the version in the Lowest Version of Anti-Virus Software field. A valid
version format is XX.XX.XX, for example, 7.100.1003.
•
e.
7.
8.
Auto Adaptive—The version check is passed if the user terminal version has been
updated within the adaptation period. If not, the version check fails.
Click OK.
In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon
to adjust the anti-virus software position in the list.
Down icon
Click OK.
or Move
Deleting an anti-virus software policy
Before deleting an anti-virus software policy that has been assigned to a security policy, you must
cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete an anti-virus software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software
Policies from the navigation tree.
The Anti-Virus Software Policy List displays all anti-virus software policies.
3.
Click the Delete icon
for the anti-virus software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Anti-spyware software policy management
The system defines anti-spyware software control for several types of anti-spyware software in
Android operating systems. You can enable anti-spyware software control in a security policy, and
specify an anti-spyware software policy. The anti-spyware software policy determines whether an
anti-spyware software type application control is installed and whether the anti-spyware software
version matches the policy. When an access user is authenticated, the iNode client checks the
anti-spyware software on the smart terminal according to the configuration in the security policy.
Anti-spyware software policy management allows you to view, add, modify, and delete an
anti-spyware software policy. You can specify the anti-spyware products to be checked and the
spyware definition version and anti-spyware engine version.
Anti-spyware software policy list contents
The anti-spyware software policy list contains the following parameters:
•
Anti-Spyware Software Policy Name—Name of the anti-spyware software policy. Click the
name to view its details.
•
Service Group—Service group to which the anti-spyware software policy belongs.
•
Description—Description of the anti-spyware software policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the anti-spyware software policy.
to delete the anti-spyware software policy.
Anti-spyware software policy details
Anti-spyware software policy details comprise the basic information section and the Windows
Operating System, Mac OS Operating System, and Android Operating System sections. The
Windows and Mac OS Operating System sections do not take effect on smart terminals.
Anti-spyware software policy management
133
Basic information section
•
Policy Name—Name of the anti-spyware software policy.
•
Service Group—Service group to which the anti-spyware software policy belongs.
•
Description—Description of the associated anti-spyware software policy.
Android Operating System sections
The Android operating system sections list the anti-spyware software that can be checked by the
iNode client.
•
Anti-Spyware Software—Name of the anti-spyware software.
•
Vendor—Vendor name of the anti-spyware software.
•
Check Items—Indicates whether the anti-spyware software version is checked.
◦
•
Check software version—When this parameter is selected, the anti-spyware software
version must be checked. Otherwise, software version is not checked.
Restriction—Check rules for the anti-spyware software policy. When this field is empty, no
rules are set for the anti-spyware software.
◦
Lowest software version—Lowest anti-spyware software version allowed by the
anti-spyware software policy. An anti-spyware software policy supports the format
XX.XX.XX, for example, 1.3.11.
•
Check—Indicates whether the corresponding anti-spyware software is checked.
•
Priority—Order (descending) in which the iNode client checks the anti-spyware software.
Viewing the anti-spyware software policy list
To view the anti-spyware software policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
4.
To sort the Anti-Spyware Software Policy List, click the Anti-Spyware Software Policy Name
or Service Group column label.
Click Refresh to refresh the Anti-Spyware Software Policy List.
Viewing anti-spyware software policy details
To view details of an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the name of the anti-spyware software policy for which you want to view the detailed
information.
The View Anti-Spyware Software Policy page appears.
4.
To go back to the Anti-Spyware Software Policy List, click Back.
Adding an anti-spyware software policy
To add an anti-spyware software policy:
1. Click the Service tab.
134
Configuring security check items for smart terminals
2.
Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click Add.
The Add Anti-Spyware Software Policy page appears.
4.
5.
6.
Configure the basic information for the anti-spyware software policy.
To check an anti-spyware software product in the anti-spyware software policy, select the box
in the Check field for the anti-spyware software. Make sure you configure the anti-spyware
software products in the Android Operating System section. Anti-spyware software products
in other operating system sections do not take effect on smart terminals.
Modify the anti-spyware software check:
a.
Click the Modify icon
for the anti-spyware software you want to modify.
The Anti-Spyware Software Settings dialog box appears.
b.
c.
To check the anti-spyware software version, select the box next to Check software version.
Select Specified Version from the Version Check Mode list.
When the anti-spyware engine version of an access user is higher than the specified
version, the anti-spyware engine version check is passed.
d.
Enter the anti-spyware engine version in the Lowest Software Version field, in the format
XX.XX.XX, for example, 1.3.11.
You must use dotted format for an anti-spyware engine version.
e.
7.
Click OK.
Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move
the anti-spyware software up one position in the list, or click the Move Down icon
to move
the anti-spyware software down one position in the list.
The iNode client checks the anti-spyware software of access users based on descending
priority order (most important first).
8.
Click OK.
The anti-spyware software policy you have added now appears in the configuration options when
you configure the security policy. For more information, see “Security policy” (page 19).
Modifying an anti-spyware policy
To modify an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the Modify icon
for the anti-spyware software policy you want to modify.
The Modify Anti-Spyware Software Policy page appears.
4.
Modify the basic information for the anti-spyware software policy.
You cannot modify Policy Name or Service Group.
5.
6.
To check an anti-spyware software product in the anti-spyware software policy, select the box
in the Check field for the anti-spyware software. Make sure you configure the anti-spyware
software products in the Android Operating System section. Anti-spyware software products
in other operating system sections do not take effect on smart terminals.
Modify the anti-spyware software check:
Anti-spyware software policy management
135
a.
Click the Modify icon
for the anti-spyware software you want to modify.
The Anti-Spyware Software Settings dialog box appears.
b.
c.
To check the anti-spyware software version, select the box next to Check software version.
Select Specified Version from the Version Check Mode list.
When the anti-spyware engine version of an access user is higher than the specified
version, the anti-spyware engine version check is passed.
d.
Enter the anti-spyware engine version in the Lowest Software Version field, in the format
XX.XX.XX, for example, 1.3.11.
You must use dotted format for an anti-spyware engine version.
e.
7.
Click OK.
Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move
the anti-spyware software up one position in the list, or click the Move Down icon
to move
the anti-spyware software down one position in the list.
The iNode client checks the anti-spyware software of access users based on descending
priority order (most important first).
8.
Click OK.
Deleting an anti-spyware software policy
Before deleting an anti-spyware software policy that has been assigned to a security policy, you
must cancel their associations. For more information, see “Modifying a security policy” (page 44).
To delete an anti-spyware software policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware
Software Policies from the navigation tree.
The Anti-Spyware Software Policy List displays all anti-spyware software policies.
3.
Click the Delete icon
for the anti-spyware software policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Smart terminal software control management
You can enable smart terminal software control in a security policy and specify software control
groups to be checked. When an access user is authenticated, the iNode client checks software on
the smart terminal according to the configuration in the security policy.
Operators can view, add, modify, and delete software control groups for smart terminals. A smart
terminal software control group can use either of the following check types:
•
Installed Forbidden—The smart terminal is prohibited from installing any software defined in
the smart terminal software control group.
•
Installed Required—The smart terminal must install one or more software defined in the smart
terminal software control group.
Smart terminal software control group list contents
136
•
Group Name—Name of the smart terminal software control group. Click the name to view its
details.
•
Type—Type of the smart terminal software control group. The field always displays Software.
•
Description—Description of the smart terminal software control group.
Configuring security check items for smart terminals
•
Default Action for Check Failure—Default action of the smart terminal software check failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area.
Security check results are recorded in the security logs.
◦
Kick Out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
A new smart terminal software control group uses the default action you configured for smart
terminal software control check failure. When you select Global Security Mode in Security
Level configuration, the default action of the smart terminal software control check failure is
invalid.
•
Local Data—Indicates whether the smart terminal software control group is created by the EAD
server. When the value is No, the smart terminal software control group is deployed by an
upper-level node. For more information, see “Hierarchical node management” (page 54).
•
Service Group—Service group to which the smart terminal software control group belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the smart terminal software control group.
to delete the smart terminal software control group.
Smart terminal software control group details
Smart terminal software control group details comprise the basic information and software list
information.
Basic information contents
•
Group Name—Name of the smart terminal software control group.
•
Type—Type of the smart terminal software control group, Software.
•
OS—Name of the OS on the smart terminal. Only Android is supported.
•
Description—Description of the smart terminal software control group.
•
Default Action for Check Failure—Default action of the smart terminal software control check
failure:
◦
Monitor (default)—The user is not informed of security problems after going online, and
can access the network. Security check results are recorded in the security logs.
◦
Inform—The user is informed of security problems after going online, the system prompts
the user for modification, and the user can access the network. Security check results are
recorded in the security logs.
◦
Isolate—The user is informed of security problems after going online, the system prompts
the user to solve the problems, and the user can access the resources in the isolation area
according to configured ACL. Security check results are recorded in the security logs.
◦
Kick out—The user is informed of security problems after going online, fails the
authentication, and is forced to log off. Security check results are recorded in the security
logs.
Smart terminal software control management
137
A new smart terminal software control group uses the default action you configured for smart
terminal software control check failure. When you select Global Security Mode in Security
Level configuration, the default action of the smart terminal software control check failure is
invalid.
•
Service Group—Service group to which the smart terminal software control group belongs.
Software list information
•
Software Name—Name of the software. The software name must be the same as that in
Android.
•
Alias—Alias of the software. When an access user fails the access control check, the iNode
client uses the alias of the software as the name of the software on the Security Check Result
page.
•
Version Number—Version number of the software. The software version must be the same as
that in Android.
•
Description—Description of the software.
Viewing the smart terminal software control group list
To view the smart terminal software control group list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
The Smart Terminal Software Control Group List displays all smart terminal software control
groups.
Querying the smart terminal software control group
To query the smart terminal software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
3. Enter your query criteria in the Query Smart Terminal Software Control Group section:
4.
5.
•
Group Name—Enter the name of the smart terminal software control group.
•
Software Name—Enter the software name of the smart terminal software control group.
Click Query.
To reset both the query values and the search results, and to restore the full Smart Terminal
Software Control Group List, click Reset and re-enter your query criteria.
Viewing smart terminal software control group details
To view a smart terminal software control group details:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
The Smart Terminal Software Control Group List displays all smart terminal software control
groups.
3.
Click the smart terminal software control group name for which you want to view the detailed
information.
The View Smart Terminal Software Control Group page appears.
4.
138
To go back to the Smart Terminal Software Control Group List, click Back.
Configuring security check items for smart terminals
Adding a smart terminal software control group
To add a smart terminal software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
The Smart Terminal Software Control Group List displays all smart terminal software control
groups.
3.
Click Add.
The Add Smart Terminal Software Control Group page appears.
4.
5.
Configure the basic information for the smart terminal software control group.
Add a software to the Software List:
a. Click Add.
The Add Software dialog box appears.
b.
c.
Enter the Software Name, Alias, Version Number, and Description.
Click OK.
The added software appears in the Software List.
6.
Click OK.
The smart terminal software control group you have added now appears in the configuration
options when you configure the security policy. For more information, see “Security policy”
(page 19).
Modifying a smart terminal software control group
To modify a smart terminal software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
The Smart Terminal Software Control Group List displays all smart terminal software control
groups.
3.
Click the Modify icon
for the smart terminal software control groups you want to modify.
The Modify Smart Terminal Software Control Group page appears.
4.
Modify the basic information for the smart terminal software control group.
You cannot modify Group Name, Type, or Service Group.
5.
Add a software to the Software List:
a. Click Add.
The Add Software dialog box appears.
b.
c.
Enter the Software Name, Alias, Version Number, and Description.
Click OK.
The added software is displayed in the Software List.
6.
Modify the software in the Software List:
a.
Click the Modify icon
for the software you want to modify.
The Modify Software dialog box appears.
b.
c.
Modify the Software Name, Alias, Version Number, and Description.
Click OK.
The modified software appears in the Software List.
Smart terminal software control management
139
7.
Delete the software in the Software List:
a. Click the Delete icon
for the software you want to delete.
b. Click OK in the dialog box that appears.
8.
Click OK.
Deleting a smart terminal software control group
Before deleting a smart terminal software control group that has been assigned to a security policy,
you must cancel their associations. For more information, see “Modifying a security policy”
(page 44).
To delete a smart terminal software control group:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal
Software Control Group from the navigation tree.
The Smart Terminal Software Control Group List displays all smart terminal software control
groups.
3.
Click the Delete icon
for the smart terminal software control group you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Smart terminal policy management
You can enable Smart Terminal Configuration Check in a security policy and specify a smart
terminal policy. The smart terminal policy checks the status of GPS, auto locking, and Bluetooth
services on the smart terminal that attempts to access the network.
Smart terminal policy management allows you to view, add, modify, and delete a smart terminal
policy.
Smart terminal policy list contents
The smart terminal policy contains the following parameters:
•
Smart Terminal Policy Name—Name of the smart terminal policy. Click the name to view its
details.
•
Enable GPS Service—Whether the GPS service must be enabled on the smart terminal.
•
Enable Auto Lock—Whether the auto lock function must be enabled on the smart terminal.
•
Disable Bluetooth—Whether the Bluetooth service must be disabled on the smart terminal.
•
Service Group—Service group to which the smart terminal policy belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the smart terminal policy.
to delete the smart terminal policy.
Smart terminal policy details
The smart terminal policy details page contains the following parameters:
•
Smart Terminal Policy Name—Name of the smart terminal policy.
•
Service Group—Service group to which the smart terminal policy belongs.
•
Enable GPS Service—Whether the GPS service must be enabled on the smart terminal.
•
Enable Auto Lock—Whether the auto lock function must be enabled on the smart terminal.
140 Configuring security check items for smart terminals
•
Disable Bluetooth—Whether the Bluetooth service must be disabled on the smart terminal.
•
Description—Description of the smart terminal policy.
Viewing the smart terminal policy list
To view the smart terminal policy list:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation
tree.
The Smart Terminal Policy List displays all smart terminal policy.
3.
4.
To sort the Smart Terminal Policy List, click any column label except the Modify and Delete
fields.
Click Refresh to refresh the Smart Terminal Policy List.
Viewing smart terminal policy details
To view details of a smart terminal policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation
tree.
The Smart Terminal Policy List displays all smart terminal policy.
3.
Click the name of the smart terminal policy for which you want to view the detailed information.
The View Smart Terminal Policy page appears.
4.
To go back to the Smart Terminal Policy List, click Back.
Adding smart terminal policy
To add a smart terminal policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation
tree.
The Smart Terminal Policy List displays all smart terminal policies.
3.
Click Add.
The Add Smart Terminal Policy page appears.
4.
5.
Configure the smart terminal policy.
Click OK.
The smart terminal policy you have added now appears in the configuration options when you
configure the security policy. For more information, see “Security policy” (page 19).
Modifying a smart terminal policy
To modify a smart terminal policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation
tree.
The Smart Terminal Policy List displays all smart terminal policies.
3.
Click the Modify icon
for the smart terminal policy you want to modify.
The Modify Smart Terminal Policy page appears.
4.
Modify the smart terminal policy.
Smart terminal policy management
141
5.
Click OK.
Deleting a smart terminal policy
Before deleting a smart terminal policy that has been assigned to a security policy, you must cancel
their associations. For more information, see “Modifying a security policy” (page 44).
To delete a smart terminal policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation
tree.
The Smart Terminal Policy List displays all smart terminal policies.
3.
Click the Delete icon
for the smart terminal policy you want to delete.
A confirmation dialog box appears.
4.
142
Click OK.
Configuring security check items for smart terminals
7 Controlling Internet access
Internet access refers to an organization's or enterprise's user access to the Internet. Depending
on whether the user terminal is authenticated, Internet access is divided into authenticated Internet
access and unauthenticated Internet access.
•
Authenticated Internet access—Uses two or more NICs to access multiple networks at the same
time after passing the authentication, one of which is the Internet.
•
Unauthenticated Internet access—Accesses the Internet by using an unauthenticated host,
usually a portable device.
Internet access must be regulated to avoid sensitive information leakage and to improve security.
EAD offers access control for both authenticated and unauthenticated Internet access. For
authenticated Internet access, EAD deploys ACLs to all but the authenticated NIC. For
unauthenticated Internet access, EAD deploys ACLs to all NICs on the unauthenticated host.
EAD also provides the logging capabilities for Internet access control. It instructs the iNode client
to log specified Internet access behaviors of users and collects and stores the logs in its database
for future retrieval and audit.
For EAD to implement Internet access control on user terminals, operators must enable the Lock
Internet Access Ability feature on the iNode client. Otherwise, a user cannot pass authentication
if the user tries to access the Internet by using a service that contains Internet access control
configuration.
Internet access control comprises the following:
•
Internet access configurations.
With Internet access configuration, you can specify whether and how to control and audit users'
Internet access behaviors. EAD enables you to implement flexible Internet access control by assigning
different Internet access configurations specific to services and access policies.
•
Internet access audit policies.
An Internet access audit policy specifies the rules for generating Internet access audit logs, which
applies only to authenticated users. The policies must be assigned to Internet access configurations
to take effect.
•
Internet access audit logs.
An Internet access audit log records detailed information about a user's Internet access behaviors.
EAD enables you to query the Internet access audit logs through basic query or advanced query.
•
Internet access logging parameters.
You can specify the lifetime of an Internet access audit log and the maximum number of Internet
access audit logs that can be kept in the system. This helps improve log query efficiency and prevent
accumulated Internet access logs from degrading system performance.
Managing Internet access configurations
An Internet access configuration specifies whether and how to control and audit users' access to
the Internet. From the Internet access configuration management page, you can view, add, modify,
and delete an Internet access configuration.
Viewing the Internet access configuration list
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration
Management from the navigation tree.
The Internet Access Configuration Management page appears.
Managing Internet access configurations
143
Internet Access Configuration List contents
3.
•
Internet Access Configuration Name—Name of the Internet access configuration. Click
the name to view its details.
•
Service Group—Service group to which the Internet access configuration belongs.
•
Description—Description of the Internet access configuration.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the Internet access configuration.
to delete the Internet access configuration.
Click Refresh to refresh the Internet Access Configuration List.
Viewing Internet access configuration details
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration
Management from the navigation tree.
The Internet Access Configuration Management page appears.
3.
Click the name of the Internet access configuration whose detailed information you want to
view.
The page showing detailed information about the Internet access configuration appears.
Internet Access Configuration Details contents
Basic Information
•
Internet Access Configuration Name—Name of the Internet access configuration.
•
Service Group—Service group to which the Internet access configuration belongs.
•
Description—Description of the Internet access configuration.
Internet Access Configuration Information
•
•
4.
Lock Internet Access Ability—Whether to enable Internet access control. If enabled, you
must select the client ACLs for the All but Authenticated NIC and Unauthenticated Hosts
options. The iNode client applies the specified ACLs to the hosts accessing the Internet
to implement access control.
◦
All but Authenticated NIC—ACL applied to all but the authenticated NIC. An empty
field indicates no Internet access control is applied.
◦
Unauthenticated Hosts—ACL applied to all NICs on unauthenticated hosts. If no ACL
is specified, the default ACL is used. The default ACL is configured when the
installation package of the iNode client was customized in iNode Management
Center.
Enable Internet Access Audit—Whether to enable Internet access audit. If this option is
selected, specify the following parameters:
◦
Audit Policy—Audit policy assigned to the Internet access configuration. The iNode
client generates Internet access audit logs based on the ACL rules in the specified
audit policy, and reports the generated logs to EAD.
◦
Report Interval (Minutes)—Specifies the interval in minutes at which the iNode client
reports Internet access audit logs to EAD.
Click Back to return to the Internet Access Configuration Management page.
Adding an Internet access configuration
1.
Click the Service tab.
144 Controlling Internet access
2.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration
Management from the navigation tree.
The Internet Access Configuration Management page appears.
3.
Click Add.
The Add Internet Access Configuration page appears.
4.
Configure the basic information for the Internet access configuration:
•
Internet Access Configuration Name—Enter the Internet access configuration name.
•
Service Group—Select the service group to which the Internet access configuration belongs.
•
Description—Enter the description of the Internet access configuration. Detailed description
can help facilitate maintenance.
•
Lock Internet Access Ability—Select this option if you want to enable Internet access
control. When this option is selected, you must select the client ACLs for the All but
Authenticated NIC and Unauthenticated Hosts options. The iNode client applies the
specified client ACLs to the hosts accessing the Internet to implement access control. For
information about client ACLs, see “Managing client ACLs” (page 68).
•
5.
◦
All but Authenticated NIC—Select the ACL applied to all but the authenticated NIC.
Leave this field empty to apply no Internet access control.
◦
Unauthenticated Hosts—Select the ACL applied to unauthenticated hosts. If no ACL
is specified, the default ACL is used. The default ACL is configured when the
installation package of the iNode client is customized in iNode Management center.
Enable Internet Access Audit—Select this option if you want to enable Internet access
audit. When this option is selected, you can specify the Audit Policy and Report Interval.
◦
Audit Policy—Select an audit policy. The iNode client generates Internet access audit
logs based on the audit ACL rules specified in the audit policy, and reports the logs
to EAD at specified report interval. For information about configuring audit policies,
see “Managing Internet access audit policies” (page 146).
◦
Report Interval (Minutes)—Specifies a report interval in minutes. The value range is
10 to 60 and the default is 30. The iNode client reports the Internet access audit
logs to EAD at the specified interval and when user logs off.
Click OK.
Modifying an Internet access configuration
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration
Management from the navigation tree.
The Internet Access Configuration Management page appears.
3.
Click the Modify icon
for the Internet access configuration you want to modify.
The page for modifying the Internet access configuration appears.
4.
Modify the Internet access configuration parameters.
You can modify all parameters except Service Group.
5.
Click OK.
Managing Internet access configurations
145
Deleting an Internet access configuration
Before deleting an Internet access configuration that has been assigned to a service, you must
cancel their associations. For more information, see HP IMC User Access Manager Administrator
Guide.
To delete an Internet access configuration:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration
Management from the navigation tree.
The Internet Access Configuration Management page appears.
3.
4.
Click the Delete icon
Click OK.
for the Internet access configuration you want to delete.
Managing Internet access audit policies
An Internet access audit policy specifies the rules for generating Internet access audit logs, which
applies only to authenticated users. With Internet access audit policy management, you can view,
add, modify, and delete an Internet access audit policy.
Viewing the Internet access audit policy list
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy
from the navigation tree.
The Internet Access Audit Policy List displays all Internet access audit policies.
Internet Access Audit Policy List contents
3.
•
Policy Name—Internet access audit policy name. Click the name to view its details.
•
Service Group—Service group to which the Internet access audit policy belongs.
•
Description—Description of the Internet access audit policy.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the Internet access audit policy.
to delete the Internet access audit policy.
Click Refresh to refresh the Internet Access Audit Policy List.
Viewing Internet access audit policy details
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy
from the navigation tree.
The Internet Access Audit Policy List displays all Internet access audit policies.
3.
Click the name of the Internet access audit policy whose detailed information you want to
view.
The page showing detailed information about the Internet access audit policy appears.
Internet Access Audit Policy details contents
Basic Information
146
•
Name—Name of the Internet access audit policy.
•
Default Action—Action to take on packets that do not match any ACL rule, Audit or Not
Audit.
•
Description—Description of the Internet access audit policy.
•
Service Group—Service group to which the Internet access audit policy belongs.
Controlling Internet access
Audit ACL Rule List
4.
•
Enable Audit—Whether to enable the iNode client to send Internet access audit logs to
EAD when the ACL rule is matched.
•
Protocol—Name or number of the transport layer protocol.
•
Destination IP/Mask—Destination network IP address and mask length. The value of
0.0.0.0 matches all IP addresses.
•
Destination Port—Destination port number.
Click Back to return to the Internet Access Audit Policy List.
Adding an Internet access audit policy
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy
from the navigation tree.
The Internet Access Audit Policy List displays all Internet access audit policies.
3.
Click Add.
The Add Internet Access Audit Policy page appears.
4.
5.
Configure basic information:
•
Name—Enter the name of the Internet access audit policy.
•
Default Action—Select the default action to apply to packets that do not match any ACL
rule, Audit or Not Audit.
◦
Audit—Sends Internet access logs to EAD.
◦
Not Audit—Does not send Internet access audit logs to EAD.
•
Description—Enter the description of the Internet access audit policy.
•
Service Group—Select the service group to which the Internet access audit policy belongs.
Add audit ACL rules to the Internet access policy:
a. Click Add.
b. Configure the following parameters for the ACL rule:
c.
•
Enable Audit—Select Audit or Not Audit to specify whether or not to enable the
iNode client to send Internet access audit logs to EAD when the ACL rule is matched.
•
Protocol—Select the name or number of the transport layer protocol.
•
Destination IP/Mask—Specifies the destination network IP address and mask length.
The value of 0.0.0.0 matches all IP addresses.
•
Destination Port—Specifies the destination port number.
Click the Move up icon
rule.
/ Move down icon
to raise or reduce the priority of an ACL
The ACL rules displayed in the ACL Rule List are in descending order of priority. The rule
with a higher priority is matched against first. Once a match is found for a packet, the
remaining rules are ignored.
d.
6.
Click OK.
Click OK.
Modifying an Internet access audit policy
1.
Click the Service tab.
Managing Internet access audit policies
147
2.
Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy
from the navigation tree.
The Internet Access Audit Policy List displays all Internet access audit policies.
3.
Click the Modify icon
of the Internet access audit policy you want to modify.
The page for modifying the Internet access audit policy appears.
4.
Modify the basic information for the Internet access audit policy.
You can modify all the parameters except Policy Name and Service Group.
5.
Modify the ACL rules of the Internet access audit policy.
a.
b.
c.
Click the Modify icon of an ACL rule to modify its settings.
to delete the ACL rule.
Click the Delete icon
Click the Move up icon / Move down icon to raise or reduce the priority of an ACL
rule.
The ACL rules displayed in the ACL Rule List are in descending order of priority. The rule with
a higher priority is matched against first.
6.
Click OK.
Deleting an Internet access audit policy
Before deleting an Internet access configuration that has been assigned to an Internet access
configuration, you must cancel their associations. For more information, see HP IMC User Access
Manager Administrator Guide.
To delete an Internet access audit policy:
1. Click the Service tab.
2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy
from the navigation tree.
The Internet Access Audit Policy List displays all Internet access audit policies.
3.
Click the Delete icon
of the Internet access audit policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing Internet access audit logs
Internet access audit logs record users' access to the Internet. Operators can filter Internet access
audit logs through basic query or advanced query.
Viewing the Internet access audit log list
1.
148
Click the User tab.
Controlling Internet access
2.
Select Access User View > Log Management > Internet Access Audit Log from the navigation
tree.
The Internet Access Audit Log List displays all Internet access audit logs.
Internet Access Audit Log List contents
•
Account Name—Account name used by the user to access the Internet.
•
User Name—Name of the IMC Platform user to which the access account is attached.
•
Start Time (Server)—Logging start time recorded by the EAD server.
•
End Time (Server)—Logging end time recorded by the EAD server, which is the time when
the EAD server received the Internet access audit log.
•
Destination IP—Destination IP address the user accessed.
•
Source IP—Source IP address used by the user to access the Internet.
•
Destination Port—Destination port accessed by the user.
•
Protocol Number—Number of the transport layer protocol used by the user. Common
transport layer protocol numbers include 1 (ICMP), 6 (TCP), and 17 (UDP).
•
NIC Name—Name of the NIC used by the user to access the Internet.
•
MAC Address—MAC address used by the user to access the Internet.
•
Packet Number—Total number of packets sent by the user that match the ACL rule for
auditing.
•
Details—Click the Details icon to view detailed information about an Internet access
audit log.
Performing a basic query for Internet access audit logs
1.
2.
Click the User tab.
Select Access User View > Log Management > Internet Access Audit Log from the navigation
tree.
The Internet Access Audit Log List displays all Internet access audit logs.
3.
Enter or select one or multiple of the following query criteria:
•
Account Name—Enter the account name used by the user to access the Internet. EAD
supports fuzzy matching for this field.
•
User Name—Enter the name of the IMC Platform user to which the access account is
attached. EAD supports fuzzy matching for this field.
•
Start Time (Server) From/To—Specify the range of the logging start time recorded by the
EAD server, in the format of YYYY-MM-DD hh:mm. You can manually enter the time range,
or click the Calendar icon to select the time range. The default is 00:00 to 23:59.
•
Destination IP From/To—Specify the destination IP address range the user accessed.
An empty field does not serve as a query criterion.
4.
Click Query. The Internet Access Audit Log List displays all Internet access audit logs that match
the query criteria. Click Reset to clear all the query criteria and display all logs.
Performing an advanced query for Internet access audit logs
1.
2.
Click the User tab.
Select Access User View > Log Management > Internet Access Audit Log from the navigation
tree.
The Internet Access Audit Log List displays all Internet access audit logs.
Managing Internet access audit logs
149
3.
4.
Click Advanced Query on the upper right corner of the Query Internet Access Audit Logs area.
Enter or select one or multiple of the following query criteria:
•
Account Name—Enter the account name used by the user to access the Internet. EAD
supports fuzzy matching for this field.
•
User Name—Enter the name of the IMC Platform user to which the access account is
attached. EAD supports fuzzy matching for this field.
•
User Group—Enter the user group to which the user belongs. EAD supports fuzzy matching
for this field.
•
Service Name—Enter the name of the service used by the user.
•
Start Time (Server) From/To—Specify the range of the logging start time recorded by the
EAD server, in the format of YYYY-MM-DD hh:mm. You can manually enter the time range,
or click the Calendar icon to select the time range. The default is 00:00 to 23:59.
•
Start Time (Client) From/To—Specify the range of the logging start time recorded by the
iNode client, in the format of YYYY-MM-DD hh:mm. You can manually enter the time
range, or click the Calendar icon to select the time range.
•
Destination IP From/To—Specify the destination IP address range the user accessed.
•
Destination Port From/To—Specify the destination port range the user accessed.
•
Source IP From/To—Specify the source IP address range of the user.
•
Packet Number From/To—Specify the range of the total number of packets sent by the
user that the match ACL rule for auditing.
•
Protocol Number—Select the number of the transport layer protocol used by the user to
access the Internet.
•
NIC Name—Enter the name of the NIC used by the user to access the Internet. EAD
supports fuzzy matching for this field.
•
MAC Address—Enter a partial or complete MAC address used by the user to access the
Internet. Valid MAC address formats include XX-XX-XX-XX-XX-XX, XXXX-XXXX-XXXX, and
XX:XX:XX:XX:XX:XX. EAD supports fuzzy matching for this field.
An empty field does not serve as a query criterion.
5.
Click Query. The Internet Access Audit Log List displays all Internet access audit logs that match
the query criteria. Click Reset to clear all the query criteria and display all logs.
Viewing Internet access audit log details
1.
2.
Click the User tab.
Select Access User View > Log Management > Internet Access Audit Log from the navigation
tree.
The Internet Access Audit Log List displays all Internet access audit logs.
3.
Click the Details icon
to view.
of the Internet access audit log whose detailed information you want
The page showing detailed information about the Internet access audit log appears.
Internet Access Audit Log details contents
150
•
Account Name—Account name used by the user to access the Internet.
•
User Name—Name of the IMC Platform user to which the access account is attached.
•
Service Name—Name of the service used by the user.
•
User Group—User group to which the user belongs.
•
Start Time (Server)—Logging start time recorded by the EAD server.
Controlling Internet access
4.
•
End Time (Server)—Logging end time recorded by the EAD server, which is the time when
the EAD server received the log.
•
Start Time (Client)—Logging start time recorded by the iNode client.
•
End Time (Client)—Logging end time recorded by the iNode client.
•
Destination IP—Destination IP address the user accessed.
•
Source IP—Source IP address used by the user.
•
Destination Port—Destination port accessed by the user.
•
Protocol Number—Number of the transport layer protocol used by the user. Common
transport layer protocol numbers include 1 (ICMP), 6 (TCP), and 17 (UDP).
•
NIC Name—Name of the NIC used by the user to access the Internet.
•
MAC Address—MAC address used by the user to access the Internet.
•
Packet Number—Total number of packets sent by the user that match the ACL rule whose
Enable Audit is set to Audit.
Click Back to return to the Internet Access Audit Log List.
Configuring Internet access logging parameters
From the EAD System Parameter Config page, you can specify the lifetime of an Internet access
audit log and the maximum number of Internet access audit logs that can be kept in the system.
This helps improve log query efficiency and prevent accumulated Internet access logs from degrading
system performance.
To configure Internet access logging parameters:
1. Click the User tab.
2. Select Endpoint Admission Defense > Service Parameters> System Parameters Config from
the navigation tree.
The System Parameters Config page appears.
3.
4.
Configure the Internet access log keeping parameters:
•
Internet Access Audit Log Keeping Time (Days)—Specify the maximum number of days
an Internet access audit log can be kept in the system. The system automatically deletes
the logs whose lifetime exceeds the specified keeping time every morning. The default is
30 days.
•
Max Internet Access Audit Logs (10000)—Specify the maximum number of Internet access
audit logs (in ten thousand) that can be kept in the system. The system automatically
deletes logs from the earliest record when the specified number is reached. The default
is ten million.
Click OK.
Assigning Internet access configurations to services and access policies
An Internet access configuration must be assigned to a service or an audit policy to take effect.
EAD deploys the Internet access configuration along with other settings in the service to the iNode
client of the user accessing the Internet.
A service can comprise multiple access policies. If a user matches one access scenario of an access
policy, EAD deploys to the user the Internet access configuration assigned to the policy. If no
matching access scenario is found for the user, EAD deploys the default Internet access configuration
of the service to the user.
Configuring Internet access logging parameters
151
Assigning an Internet access configuration to a service
You can assign an Internet access configuration to a service as the default Internet access
configuration. When a user matches no access scenarios defined for the access policies of the
service, EAD deploys the default Internet access configuration to the user.
To assign the default Internet access configuration to a service:
1. Click the User tab.
2. Select User Access Manager > Service Configuration from the navigation tree.
The Service Configuration page appears.
3.
Click the Modify icon
of the target service.
The page for modifying the service appears.
4.
5.
In the Basic Information area, select the Internet access configuration you want to assign to
the service from the Default Internet Access Configuration list. Or select Do not use to apply
no default Internet access configuration.
Click OK.
Assigning an Internet access configuration to an access policy
1.
2.
Click the User tab.
Select User Access Manager > Service Configuration from the navigation tree.
The Service Configuration page appears.
3.
Click the Modify icon
of a service.
The page for modifying the service appears.
4.
In the Access Policy List, click the Modify icon
an Internet access configuration.
the access policy to which you want to assign
The Modify Access Policy window appears.
5.
6.
152
Select the Internet access configuration from the Default Internet Access Configuration list. Or
select Do not use to assign no Internet access configuration to the policy.
Click OK.
Controlling Internet access
8 Configuring DAM
DAM manages and monitors desktop assets, including PCs and servers running Windows, and
assigns each asset a unique asset number. DAM uses the iNode client to collect hardware and
software information for each asset, and then implements asset management and statistics collection,
desktop control, asset audit, and software deployment.
To implement these functions, operators must complete the following tasks:
•
Configure service parameters.
•
Create asset groups.
•
Add assets to DAM.
•
Implement asset statistics.
•
Configure asset export tasks.
In this document, a server deployed with the DAM service component is referred to as the DAM
server.
Operators must first set the asset numbering mode for DAM in the service parameter settings. The
numbering mode can be automatic or manual (the default). The service parameters also include
Asset Change Record Lifetime, Life of Log, and Send Syslogs. For more information, see “DAM
service parameters” (page 312).
To facilitate asset management, DAM allows operators to manage assets by group. Operators can
manually create asset groups and subgroups in DAM, or allow DAM to automatically create asset
groups and subgroups based on existing user groups on the IMC platform. For more information,
see “Managing asset groups” (page 153).
DAM provides several asset management functions, including:
•
Querying, viewing, adding, modifying, and deleting assets
•
Moving assets between groups
•
Exporting asset information
•
Viewing the asset export history
Assets use assigned asset numbers for registration. DAM manages registered assets only, using
the iNode client to collect information for each asset. After registered asset information is collected,
operators can view system, OS, software, and hardware information to monitor asset usage and
troubleshoot problems. For more information, see “Managing assets” (page 158).
DAM asset statistics can list or display in a pie chart asset statistics by asset type, CPU, hard disk,
operating system, or software installed. For more information, see “Collecting asset statistics”
(page 178).
DAM export task management allows operators to manage all scheduled tasks for periodic exporting
of USB monitoring records. For more information, see “Managing the export task” (page 184).
Managing asset groups
DAM allows operators to add, modify, and delete asset groups; assign asset groups to specified
operators for management; and organize the assets by asset groups or user groups.
Operators can manually create asset groups and subgroups in DAM, or allow DAM to automatically
create asset groups and subgroups based on existing user groups on the IMC platform. When
assets are automatically created based on user groups, every asset is automatically added to the
group to which its owner belongs. Assets that do not have an owner are added to Ungrouped,
which is a special asset group automatically created by the system.
DAM supports an asset group hierarchy of a maximum of five levels.
Managing asset groups
153
Asset group list contents
•
Expand All/Collapse All—Click the Expand All icon
to expand the asset group. Click the
Collapse All icon to collapse the asset group. The Expand All icons are grayed out for asset
groups that have no subgroups.
•
Group Name—Displays the name of the asset group. Click the name to view its details. This
field also shows the group level. For a top-level asset group, this field displays only the group
name. For a middle-level asset group that has subgroups and a parent group, this field displays
the group name and a Group icon
next to the name. For bottom-level asset groups that
have only a parent group, this field displays the group name and a Group icon
next to the
name.
•
Control Scheme—Displays the name of the desktop control scheme assigned to the asset group.
Click the name to view details of the scheme, which contains a set of control policies. For
more information, see “Configuring desktop control schemes” (page 186).
•
Asset List—Click the Asset List icon
•
Add Sub-Group—Click the Add Sub-Group icon
to add a subgroup to the asset group.
This link is not available for Ungrouped, which is a system-defined asset group that cannot
have a subgroup.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to view assets in the asset group.
to modify the asset group.
to delete the asset group.
Asset group details
Asset group details comprise the following sections:
•
Basic information
•
Asset group details
•
Immediate parent group list
•
Authorized operator
Basic information section
•
Group Name—Enter the asset group name.
•
Control Scheme—Select an existing desktop control scheme for the asset group, or select
Disable Control Scheme when you do not want to apply any control scheme to the asset group.
For more information, see “Configuring desktop control schemes” (page 186).
•
Group Description—Enter the description of the asset group.
Asset group details section
•
Group Name—Name of the asset group.
•
Control Scheme—Name of the desktop control scheme assigned to the asset group. Click the
name to view details of the scheme, which is a set of control policies. You can select an existing
desktop control scheme for a group or subgroup, or select Disable Control Scheme when you
do not want to apply any control scheme to the asset group. When you skip this step, the
subgroup inherits control schemes from its parent group. For more information, see “Configuring
desktop control schemes” (page 186).
154 Configuring DAM
•
Parent Group Name—Name of the parent group. When you add a subgroup, this field is
automatically populated with the name of the parent group. This field is not available when
the asset group has no parent group.
•
Group Description—Description of the asset group. You can modify this parameter only when
the Use Asset Groups option is selected.
Immediate parent group list section
This section is available only for asset groups that have parent groups.
•
Group Name—Name of the parent group.
•
Control Scheme—Name of the desktop control scheme assigned to the parent group. With
no control scheme configured, a subgroup inherits the control scheme from its parent group.
•
Group Description—Description of the parent group.
Authorized operator section
This section is not available when the asset is created based on existing user groups on the IMC
platform.
•
Username—Name of the operator authorized to manage the asset group.
•
Full Name—Full name of the operator.
•
Privilege—Privilege level assigned to the operator: Admin, Maintainer, or Viewer.
•
Description—Description of the operator.
Viewing the asset group list
To view the asset group list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click Refresh to refresh the Asset Group List.
When you configure DAM to automatically create and delete asset groups along with existing user
groups on the IMC platform, the Asset Group List does not contain the Add Sub-Group and Delete
fields.
Viewing asset group details
To view details of an asset group:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click the name of the asset group for which you want to view the detailed information.
The Asset Group Details page appears.
4.
To go back to the Asset Group List, click Back.
Adding asset groups
Operators can manually create asset groups and subgroups in DAM, or allow DAM to automatically
create asset groups and subgroups based on existing user groups on the IMC platform. DAM
supports an asset group hierarchy of a maximum of five levels. After an asset group/subgroup is
added, DAM creates an asset group/subgroup branch under the All Assets node on the left
navigation tree.
Managing asset groups
155
Manually adding an asset group
When the Use Asset Groups option is selected on the Asset Group List page, you can manually
add asset groups using the following procedure:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click Add Group.
The Add Asset Group page appears.
4.
5.
6.
Configure the basic information.
Select operators to manage the asset group in the Authorized Operators section.
Select the box for the operator you want to manage the asset group.
Operators with the Admin privilege are selected automatically.
7.
Click OK.
Automatically adding asset groups based on user groups
DAM can automatically create asset groups and subgroups based on existing user groups on the
IMC platform. This function is available only when DAM contains no manually added asset groups
except the system-defined asset group, Ungrouped.
To enable DAM to automatically create asset groups based on user groups:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click Use User Groups.
The Asset Group page is refreshed to display the asset groups added based on user groups.
When the Use User Groups option is selected, DAM automatically creates asset groups based on
existing user groups on the IMC platform, adjusts the asset groups along with the user groups, and
prohibits operators from manually adding asset groups.
When all asset groups are automatically created, you can select the Use Asset Groups option to
manually add more asset groups. However, you must reselect operators for each asset group,
except operators with the Admin privilege who are automatically selected.
Adding a subgroup for an asset group
DAM allows operators to manually add subgroups for asset groups. However, when the Use User
Groups option is selected, DAM automatically maintains the same group structure as that of the
user groups, and prohibits operators from manually adding asset groups or subgroups.
To manually add a subgroup for an asset group:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click the Add Sub-Group icon
for the asset group to which you want to add a subgroup.
The Add Asset Group page appears. When you configure DAM to automatically create and
delete asset groups along with existing user groups on the IMC platform, the Asset Group List
does not contain the Add Sub-Group field.
4.
156
Configure the basic information/asset group details for the subgroup.
Configuring DAM
5.
Confirm the control scheme for the current group in the Immediate Parent Group List section.
When no control scheme is configured, the asset group inherits control schemes from its parent
group.
6.
7.
Select operators to manage the asset group in the Authorized Operators section.
Select the box for the operator you want to manage the asset group.
Operators with the Admin privilege are selected automatically.
8.
Click OK.
Modifying an asset group
To modify an asset group:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
4.
5.
Click the Modify icon
for the asset group you want to modify.
Modify the basic information/asset group details for the asset group.
•
Group Name—Enter the group name. You cannot modify this parameter when the Use
Asset Groups option is selected.
•
Control Scheme—Select an existing desktop control scheme for the asset group, or select
Disable Control Scheme when you do not want to apply any control scheme to the asset
group. When no control scheme is configured, the asset group inherits control schemes
from its parent group. For more information, see “Configuring desktop control schemes”
(page 186).
•
Group Description—Enter the description of the group. You can modify this parameter
only when the Use Asset Groups option is selected.
Select operators to manage the asset group in the Authorized Operators section.
This section is not available when the Use User Groups option is selected.
6.
Select the box for the operator you want to manage the asset group.
Operators with the Admin privilege are selected automatically.
7.
Click OK.
Deleting an asset group
DAM allows operators to delete an asset group. However, when the Use User Groups option is
selected, DAM automatically maintains the same group structure as that of the user groups, and
prohibits operators from manually deleting asset groups or subgroups. Before deleting an asset
group, you must remove all of its assets. When the asset group has subgroups, delete its subgroups
first.
To delete an asset group:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click the Delete icon
for the asset group you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Managing asset groups
157
Granting an operator privileges to manage asset groups
You can grant operators privileges to manage specific asset groups. When assets are grouped
based on user groups, the operators are automatically granted privileges to manage their respective
asset groups, and their granted asset group privileges change along with the user group settings.
When you switch from the Use User Groups option to the Use Asset Groups option, DAM keeps
all asset groups created based on user groups. You must grant privileges to operators again to
manage their asset groups, unless they have the Admin privilege, in which case they are granted
privileges automatically.
To grant an operator privileges to manage specific asset groups:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Group from the navigation tree.
The Asset Group List displays all asset groups.
3.
Click Operator Privileges.
The Operator List displays all operators and their respective privileges.
4.
Click the Modify icon
for the operator to modify privileges.
The Modify Privileges page appears.
5.
6.
Select the asset groups that you want the operator to manage.
Click OK.
Managing assets
DAM uses the iNode client to collect information about registered assets for desktop monitoring,
asset audit, and software deployment. DAM manages only the registered assets. Operators can
configure EAD security policies so that EAD checks the asset status of access users, and monitors,
informs, isolates, or blocks access users that use unregistered assets.
Operators can query, view, add, modify or delete assets; move assets between groups; batch
export assets; and view the asset export history.
Registering assets
DAM manages only the registered assets.
DAM assigns each asset a unique asset number for registration. The asset registration mode varies
based on the asset numbering mode: manual or automatic.
158
•
Manual numbering mode—Operators must manually add asset information to DAM, such as
the asset number, owner, and asset group to which the asset belongs. When an access user
logs in, the iNode client prompts the user to enter the asset number to complete asset
registration.
•
Automatic numbering mode—Operators must enable automatic numbering and specify a
prefix. When an access user logs in, DAM automatically numbers the asset and prompts the
user to enter the model, position, vendor, type, and description of the asset to complete asset
registration.
Configuring DAM
Asset list contents
•
Status—Status of the asset:
◦
Online—Asset is managed and online.
◦
Offline—Asset is managed and offline.
◦
Unmanaged—Asset is not managed by DAM.
•
Asset Number—Asset number of the asset. Click the asset number to view the asset details.
•
Asset Name—Name of the asset.
•
Group Name—Name of the asset group to which the asset belongs. Click the name to view
the group details.
•
Model—Model of the asset.
•
ACK Status—Indicates whether an operator has acknowledged the asset information. This
field appears only when Auto Number is set to Enable.
•
Owner—Owner of the asset. Click the owner to view the owner details.
•
Inserted at—Time when the asset was manually added to DAM or automatically numbered
by DAM.
•
Modify—Click the Modify icon
to modify the asset information.
Asset details
Asset details comprise the following sections:
•
System information
•
Operating system information
•
Hardware information
•
Screen saver information
•
IP address list
•
Partition list
•
Logical disk list
•
Software list
•
Patch list
•
Process list
•
Service list
•
Share list
•
Port list
System information section
•
Asset Number—Asset number of the asset.
•
•
Asset Name—Name of the asset.
Status—Status of the asset:
◦
Online—Asset is managed and online.
◦
Offline—Asset is managed and offline.
◦
Unmanaged—Asset is not managed by DAM.
Managing assets
159
•
Asset Group—Asset group to which the asset belongs.
•
Group Control Scheme—Desktop control scheme assigned to the asset group. Click the control
scheme name to view its details. An empty field indicates that no desktop control scheme is
assigned to the asset group.
•
Asset Control Scheme—Desktop control scheme assigned to the asset. This scheme applies to
the asset regardless of whether a desktop control scheme is assigned to the asset group where
it resides. An empty field indicates that no desktop control scheme is assigned to the asset,
and in this case, the asset must use the desktop control scheme assigned to the asset group
where it resides.
•
Owner—Owner of the asset. Click the owner name to view the owner details.
•
User—User who last used the asset or is currently using the asset for network access. Click
the user name to view the detailed user information. An empty field indicates that no user has
passed identity authentication by using the asset.
•
Login Name—Windows account name used to log in to the asset, which can be a local account
or a domain account.
•
Operating System—Operating system running on the asset.
•
Asset Type—Asset type: PC, Laptop, Server, Workstation, and Others.
•
Vendor—Vendor of the asset.
•
Model—Model of the asset.
•
Client Language—Language used by the iNode client on the asset.
•
Client Version—Version of the iNode client installed on the asset.
•
Inserted at—Time when the asset was manually added to DAM or automatically numbered
by DAM.
•
Managed at—Time when the asset completed registration after being added to DAM.
•
Updated at—Time when the asset software or hardware was last updated after registration.
•
Login at—Time when the asset last logged in after registration.
•
Location—Location information of the asset.
•
Remarks—Comments on the asset.
•
ACK Status—Indicates whether an operator has acknowledged the asset information. In manual
numbering mode, the ACK Status is Yes for all assets. In automatic numbering mode, the ACK
Status is Yes for acknowledged assets, and is No for unacknowledged assets.
Operating system information section
•
Operating System—Name of the operating system running on the asset.
•
Version—Version of the operating system running on the asset.
•
Patch—Patch version of the operating system running on the asset.
•
Installed at—Time when the operating system was installed on the asset.
•
Operating System Language—Language of the operating system running on the asset.
160 Configuring DAM
Hardware information section
To view detailed hardware information, click the Details link in the section title area. For more
information, see “Viewing hardware details” (page 165).
•
•
•
•
BIOS Information
◦
Caption—Caption of the BIOS.
◦
Vendor—Vendor of the BIOS.
◦
Release Date—Release date of the BIOS.
◦
Version—Version of the BIOS.
Mainboard Information
◦
Vendor—Vendor of the main board.
◦
Model—Model of the main board.
Memory Information
◦
Total Memory—Total memory size of the asset.
◦
Free Memory—Free memory size of the asset.
CPU Information
Information for different CPUs is separated by a comma.
•
◦
CPU No—Local serial number of the CPU assigned by Windows.
◦
CPU Model SN—Serial number of the CPU model.
◦
CPU Name—Name of the CPU.
◦
CPU Classification—Classification of the CPU: Family, Model, or Stepping.
◦
Current Frequency—Current working frequency of the CPU, in MHz.
◦
Clock Frequency—Clock frequency of the CPU, in MHz.
NIC Information
Information for different NICs is separated by a comma.
•
◦
Caption—Caption of the NIC.
◦
Device Instance Path—Device instance path of the NIC.
◦
MAC Address—MAC address of the NIC.
Hard Disk Information
Information for different hard disks is separated by a comma.
◦
Hard Disk Number—Hard disk number of the asset.
◦
Interface Type—Interface type of the hard disk.
◦
SN—Serial number of the hard disk.
◦
Model—Model of the hard disk.
Managing assets
161
•
◦
Total Partitions—Total number of logical partitions on the hard disk.
◦
Hard Disk Size—Hard disk capacity, in GB.
DVD/CD-ROM
◦
Caption—Caption of the DVD/CD-ROM.
◦
Type—Type of the DVD/CD-ROM.
◦
Device Instance Path—Device instance path of the DVD/CD-ROM.
Screen saver information section
•
Screen Saver—Indicates whether the screen saver is enabled for the asset.
•
Display Logon Screen on Resume—Indicates whether password protection is enabled for the
screen saver.
•
Idle Timeout—Maximum idle time, in seconds, before the asset enters the screen-saver state.
IP address list section
•
Enable DHCP—Indicates whether the NIC can obtain an IP address from a DHCP server.
•
IP Address—IP address of the NIC.
•
MAC Address—MAC address of the NIC.
•
Gateway IP Address—Gateway IP address of the NIC.
•
Subnet Address—Subnet address of the NIC.
Partition list section
•
Partition Number—Number of the partition.
•
Hard Disk Number—Number of the hard disk on the partition. The combination of a partition
number and a hard disk number uniquely identifies a partition on an asset.
•
Partition Type—Type of the partition.
•
Boot Partition—Indicates whether the partition is the boot partition.
•
Size—Size of the partition, in GB.
Logical disk list section
•
Name—Name of the logical disk.
•
Description—Volume label of the logical disk and DVD/CD-ROM. When the logical disk has
no volume label, this field displays Local Disk.
•
File System—File system of the logical disk.
•
SN—Serial number assigned to the logical disk by the operating system.
•
Total Size—Total size of the logical disk, in GB. The total size of a logical disk is the sum of
the free space and the used space.
Software list section
162
•
Software Name—Name of the software.
•
Software Version—Version of the software.
•
Installed on—Date on which the software was installed on the asset.
Configuring DAM
Patch list section
•
Software Name—Name of the software for which the patch is installed. A single software
product might have multiple patches installed.
•
Software Version—Version of the software for which the patch is installed.
•
Patch Name—Name of the patch.
•
Installed on—Date on which the patch was installed.
•
Patch Type—Type of the patch.
•
Description—Description of the patch.
Process list section
•
Process Name—Name of the process.
•
Created at—Time when the process was executed on the asset.
Service list section
•
Service Name—Name of the service.
•
Service Display Name—Description of the service.
•
Startup Type—Startup type for the service: Auto, Manual, or Disabled.
•
Service Status—Status of the service: Running, Stopped, Paused, Starting, Stopping, Waiting,
Pausing, or Unknown.
Share list section
•
Share Number—Share number assigned by the DAM server.
•
Share Name—Name of the shared directory.
•
Local Path—Path of the shared directory.
•
Share Type—Type of the shared directory:
◦
Common Share—A share type securing the shared file by specifying the permitted users
or user groups and setting the permission level. When using this share type, the user
should delete Everyone from the Group or user names list to prevent unauthorized users
from accessing the shared file.
◦
Default Share—The default share type provided by Windows. This share type is vulnerable
to attacks.
◦
Others—IPC$ share used in Windows.
•
Object Domain—Domain name of the user or user group of the share. This parameter is
available only when the share type is Common Share. An empty field indicates that the share
user or user group does not belong to any domain.
•
Object Name—Name of the user or user group of the share. This parameter is available only
when the share type is Common Share.
Managing assets
163
•
Object Type—Type of the user or user group of the share. An empty field indicates that the
share user or user group does not belong to any object type.
◦
System Group—Object permitted or denied access to the share is a system-defined
operating system user group.
◦
Custom Group—Object permitted or denied access to the share is a user-defined operating
system user group.
◦
User—Object permitted or denied access to the share is a user.
•
Right of Object—Permission that the user or user group has to the share. This field is available
only when the share type is Common Share. The permission can be Read Only, Read Write,
or All.
•
Control Type—Control type of the object: Permit or Deny. This parameter is available only
when the share type is Common Share.
Port list section
This section displays all processes associated with the active ports on the asset, including the
processes that use a local port as a listening port, and the processes that use a local port to connect
to a remote host.
•
Process Name—Name of the process that listens for a local port or has connected to a remote
host using a local port.
•
Process ID—ID of the process, which is assigned by the operating system of the asset.
•
Local IP—IP address of the asset.
•
Local port—Listening port of the asset used by the process.
•
Remote IP—IP address of the host to which the asset has connected.
•
Remote Port—Port used by the remote host to connect to the asset.
•
Status—Connection status of the process.
•
Protocol—Protocol type used by the process: TCP or UDP.
•
Process Path—Local path of the process on the asset.
Viewing the asset list
To view the asset list:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
To view the asset list of a specific asset group, click the asset group name under Desktop Asset
Manager > All Assets in the navigation tree.
Viewing asset details
DAM uses the iNode client to collect and report information about registered assets to the EAD
server. Asset information is displayed on the Asset Details page. The Action menu on this page
allows operators to perform various operations for assets.
Accessing the Asset Details page
Method 1
1.
Click the Service tab.
164 Configuring DAM
2.
Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Click the asset number for the asset to view its detailed information.
The Asset Details page appears.
Method 2
1.
2.
Click the Service tab.
Click an asset group name located under the All Assets branch in the navigation tree.
The Asset List displays only the assets that belong to the asset group.
3.
Click the asset number for the asset to view its detailed information.
The Asset Details page appears.
Viewing hardware details
To display the Hardware Details page, click the Details link in the Hardware Information section.
Performing actions
The Action menu on the upper right corner on the Asset Details page enables you to apply
management and configuration options to the selected asset. Use the menu options to refresh the
current Asset Details page, scan and modify the selected asset, and delete the asset from DAM.
You can also view the software deployment history, USB monitor and printer monitor information,
and change history of asset software and hardware.
Regroup
Use the Regroup option to move a selected asset from its current group to another group.
1. Click Regroup in the Action menu.
The Regroup Assets page appears.
2.
Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
3.
Select a group and click OK.
The Group Name field is populated with the selected asset group.
4.
Click OK.
For more information, see “Regrouping an asset” (page 175).
Modify
Use the Modify option to modify the owner, group control scheme, asset control scheme, location,
asset type, vendor, model, and remarks for the selected asset.
1. Click Modify in the Action menu.
The Modify Asset page appears.
2.
Modify the following parameters for the asset:
•
Owner—Click Select next to the Owner field. The Select User dialog box appears. Select
a new owner for the asset and click OK.
•
Group Control Scheme—You cannot modify the control scheme assigned to the asset
group where the asset resides.
•
Asset Control Scheme—Select a control scheme for the asset.
•
Location—Enter the location of the asset.
Managing assets
165
3.
•
Asset Type—Select an asset type.
•
Vendor—Enter the asset vendor.
•
Model—Enter the asset model.
•
Remarks—Enter remarks for the asset.
Click OK.
The top of the Asset Details page is updated to reflect the modifications.
Delete
Use the Delete option to delete an asset from DAM. This option is not available for online assets.
1. Click Delete in the Action menu.
2. Click OK in the dialog box that appears.
Scan
Use the Scan option to have the iNode client report the latest asset information to DAM.
1. Click Scan in the Action menu.
The top of the Asset Details page is updated to show initiation of the scan process.
2.
Use the Refresh option on the right navigation tree to view any updates to asset details.
Viewing an asset's software deployment history
Use the SW Deployment option to view the software deployment history for an asset.
1. Click SW Deployment in the Action menu.
The Software Deploy Task List displays all software deploy tasks that include the asset in their
deployment targets.
2.
To go back to the Asset Details page, click Back.
Software Deploy Task List
•
Task Name—Name of the software deploy task.
•
Execution time—Time when the software deploy task was executed.
•
Software Name—Name of the software deployed in the task.
•
Status—Status of the software deploy task: Not Executed, Deployment Succeeded, Deployment
Failed, Download Succeeded, or Download Failed.
USB Monitor
Use the USB Monitor option to view the USB monitoring information for the asset.
1. Click USB Monitor in the Action menu.
The USB Monitor List displays the USB monitoring information.
2.
To go back to the Asset Details page, click Back.
USB Monitor List
•
Asset Number—Number of the asset on which a USB storage device is used.
•
Asset Name—Name of the asset on which a USB storage device is used.
•
Owner—Owner of the asset on which a USB storage device is used.
•
Logic Drive—Drive letter of the USB storage device displayed on the asset.
•
USB Plugged (Server)—Time recorded by the DAM server when the USB storage device was
plugged into the asset.
166 Configuring DAM
•
USB Unplugged (Server)—Time recorded by the DAM server when the USB storage device
was unplugged from the asset.
•
Details—Click the Details
icon to view detailed USB storage device usage information.
Printer Monitor
Use the Printer Monitor option to view the printer usage information for an asset.
1. Click Printer Monitor in the Action menu.
The Printer Monitor List displays the printer usage information.
2.
To go back to the Asset Details page, click Back.
Printer Monitor List
•
Asset Number—Number of the asset that submitted a printer task.
•
Asset Name—Name of the asset that submitted a printer task.
•
Owner—Owner of the asset that submitted a printer task.
•
Printer Name—Name of the printer used by the asset.
•
File Name—Name of the printed file.
•
Printed Pages—Number of printed pages.
•
Report Time—Time recorded by the DAM server when the asset used the printer.
•
Share Printer—Indicates whether the printer is a shared printer.
Check Asset Files
Use the Check Asset Files option to search files on the asset for auditing.
1. Click Check Asset Files in the Action menu.
The Audit page appears.
2.
Configure the following parameters:
•
Check Files in—Enter the absolute path of the file you want to audit, ending with a
backward slash (\).
•
File Name Includes—Enter a partial or complete file name.
•
3.
◦
The file name can contain the wildcard characters asterisk (*) and question mark
(?). An asterisk matches zero or more characters.
◦
A question mark matches any character except the dot (.), and matches zero
characters or one character when it is placed in front of the dot, or one character
when it is placed after the dot.
◦
The file name cannot contain four or more consecutive question marks or any of the
following characters: angle brackets (< >), quotation mark ("), forward slash (/),
backward slash (\), and vertical bar (|).
◦
Do not use file names that comprise only the wildcard characters and dot, such as
?*.*?.
Description—Enter a description of the audit.
Click Start.
The Asset File Check List displays all asset file check tasks that have been executed.
•
To export the audit result, click the Export icon
•
To view detailed audit information, click the Details icon
for the asset file check task.
for the asset file check task.
Managing assets
167
For more information, see “Terminal file audit” (page 216).
Change History
Use the Change History option to view the change history of software and hardware on the asset.
1. Click Change History in the Action menu.
The Asset Change History displays the change history of the asset.
2.
To go back to the Asset Details page, click Back.
Asset Change History contents
•
Change Type—Type of the change.
•
Change Item—Name of the changed item. Click the content of this field to display the Asset
Software Change Details page or Asset Hardware Change Details page.
•
Changed on—Time when the change occurred.
Refresh
Use the Refresh option to reload the current Asset Details page, and capture any updates to the
asset details.
Querying assets
DAM allows operators to query assets through a basic query or an advanced query. A basic query
has several key criteria for a quick search. An advanced query has query criteria for a precise
match.
Performing a basic query
To perform a basic query for assets:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number. DAM supports fuzzy matching for this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field.
•
Group Name—Click the Select Asset Group icon
Select Asset Group window.
, select a group and click OK in the
The Group Name field is automatically populated with the selected asset group.
When a field is empty, it does not serve as a query criterion.
5.
Click Query.
The Asset List displays all assets that match the query criteria.
6.
To clear the query criteria, click Reset.
The Asset List displays all assets.
168 Configuring DAM
Performing an advanced query
To perform an advanced query for assets:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number. DAM supports fuzzy matching for this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Status—Select the asset status:
•
◦
Online—Asset is managed and online.
◦
Offline—Asset is managed and offline.
◦
Unmanaged—Asset is not managed by DAM.
Group Name—Click the Select Asset Group icon
.
The Select Asset Group window appears.
Select a group and click OK.
The Group Name field is automatically populated with the selected asset group.
5.
•
Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field.
•
User—Enter a user name. All assets that the user has recently used or is currently using
are queried. DAM supports fuzzy matching for this field.
•
Inserted at from/to—Specify the range of time when the asset was manually added to
DAM or automatically numbered by DAM. You can click the Select Date and Time icon
to select the time, or enter a date in YYYY-MM-DD format.
•
Last Logoff from/to—Specify the range of time when the asset last went offline. You can
click the Select Date and Time icon to select the time, or enter a date in YYYY-MM-DD
format.
•
Asset Type—Select an asset type to be queried. Options are PC, Laptop, Server,
Workstation, and Others.
•
Vendor—Enter the vendor of the asset. DAM supports fuzzy matching for this field.
•
Model—Enter the model of the asset. DAM supports fuzzy matching for this field.
•
ACK Status—Select the acknowledgment status of the asset. Use this criterion in automatic
numbering mode. In manual numbering mode, the ACK Status is Yes for all assets.
Specify operating system criteria for query. Select the By Operating System box, and then
enter or select one or more of the following query criteria:
•
Operating System—Enter the operating system version, for example, Windows Vista or
Windows 7. DAM supports fuzzy matching for this field.
•
Operating System Language—Select an operating system language: Chinese (PRC) or
English. DAM supports fuzzy matching for this field.
Managing assets
169
6.
•
Operating System Patch—Enter the operating system patch, for example, Service Pack
1, Service Pack 2, or R2.
•
Multiple Operating Systems—Select this option to allow multiple operating systems to be
installed on the asset to be queried.
Specify main-board criteria for query. Select the By Mainboard box, and then enter the
following query criterion:
•
7.
8.
9.
Model—Enter the model of the main board. DAM supports fuzzy matching for this field.
Specify software criteria for query. Select the By Software box, and then enter or select one
or more of the following query criteria:
•
Software Name—Enter the software name. DAM supports fuzzy matching for this field.
•
Software Version—Enter the software version. DAM supports fuzzy matching for this field.
•
Installation Status—Specify whether the software is installed on the asset: Installed or
Uninstalled.
Specify patch criteria for query. Select the By Patch box, and then enter or select one or more
of the following query criteria:
•
Patch Name—Enter the patch name, for example, KB911565. DAM supports fuzzy
matching for this field.
•
Installation Status—Specify whether the patch is installed on the asset: Installed or Not
installed.
Specify screen-saver criteria for query. Select the By Screen Saver box, and then select one
or more of the following query criteria:
•
Screen Saver—Specify whether the screen saver is enabled: Yes or No.
•
Display Logon Screen on Resume—Specify whether the password is specified for the
screen saver: Yes or No.
10. Specify memory criteria for query. Select the By Memory box, and then enter the following
query criterion:
•
Total Memory from/to—Specify a range of the total memory for the asset, in MB.
11. Specify CPU criteria for query. Select the By Processor box, and then enter one or both of the
following query criteria:
•
Number of Processors from/to—Specify the range of the total number of CPUs for the
asset.
•
Processing Frequency from/to—Specify a range of CPU frequency for the asset.
12. Specify NIC criteria for query. Select the By NIC box, and then enter one or both of the
following query criteria:
•
Number of NICs from/to—Specify a range of the total number of NICs installed on the
asset.
•
MAC Address—Enter the MAC address of a NIC installed on the asset. DAM support
fuzzy matching for this field.
13. Specify hard disk drive criteria for query. Select the By Hard Disk Drive box, and then enter
or select one or more of the following query criteria:
170
•
Number of Hard Disk Drives from/to—Specify a range of the total number of hard disk
drives installed on the asset.
•
Total Disk Capacity from/to—Specify a range of total disk capacity, in GB.
Configuring DAM
14. Specify IP address criteria for query. Select the By IP Address box, and then enter the following
query criterion:
•
IP Address from/to—Specify a range of IP addresses. All assets with IP addresses last
reported by the iNode client in the range are queried.
15. Specify process criteria for query. DAM queries assets by the process information last reported
by the iNode client. Select the By Process box, and then enter or select one or more of the
following query criteria:
•
Process Name—Enter the name of the process. DAM supports fuzzy matching for this
field.
•
Process Status—Select the status of the process: Running or Stopped.
16. Specify service criteria for query. DAM queries assets by the service information last reported
by the iNode client. Select the By Service box, and then enter or select one or more of the
following query criteria:
•
Service Name—Enter the service name. DAM supports fuzzy matching for this field. A
service has both a service name and a service display name. Operators can view the
service name in the Service Control Manager of the operating system.
•
Service Display Name—Enter the service display name. DAM supports fuzzy matching
for this field. A service has both a service name and a service display name. Operators
can view the service display name in the Service Control Manager of the operating
system.
•
Installation Status—Select the installation status of the service: Installed or Uninstalled.
•
Service Status—Select the running status of the service: Running or Other. The following
states are categorized as Other: Stopped, Paused, Starting, Stopping, Waiting, Pausing,
and Unknown.
17. Click Query.
The Asset List displays all assets that match the query criteria.
18. To clear the query criteria, click Reset.
The Asset List displays all assets.
To query assets in a specific asset group, click the asset group name located under Desktop Asset
Manager > All Assets in the navigation tree, and then specify the query criteria.
Adding an asset
In manual numbering mode, operators must manually add asset information, such as asset numbers
(required), owners, asset groups, and desktop control schemes in DAM. When an access user logs
in, the iNode client prompts the user to enter the asset number to complete registration.
In automatic numbering mode, assets are displayed automatically in DAM. When an access user
logs in, DAM automatically numbers the asset of the user, and prompts the user to enter the asset
information—asset model, position, vendor, type, and description—to complete registration.
To manually add an asset:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Click Add.
The Add Asset page appears.
4.
5.
Asset Number—Enter the asset number.
Owner—Select an owner for the asset.
Managing assets
171
a.
Click Select next to the Owner field.
The Select User window appears.
b.
Filter users using basic query or advanced query.
The Query Asset feature is displayed above the Asset List. The Advanced Query link is a
toggle switch between Basic Query and Advanced Query. When the link is Advanced
Query, you are in basic query mode, and vice versa.
c.
Enter or select one or more of the following query criteria:
•
User Name—Enter the user name. DAM supports fuzzy matching for this field.
•
Identity Number—Enter the user identity number. DAM supports fuzzy matching for
this field.
•
Contact Address—Enter the contact address of the user. DAM supports fuzzy matching
for this field. This field is available for advanced queries only.
•
Telephone—Enter the telephone number of the user. DAM supports fuzzy matching
for this field. This field is available for advanced queries only.
•
Email—Enter the email address of the user. DAM supports fuzzy matching for this
field. This field is available for advanced queries only.
•
User Group—Click the Select User Group icon
appears. Select a group and click OK.
•
Open Account—Select this option to create a self-service account for the user. A
self-service account on the IMC platform allows a user to access the SOM console.
•
Account Name—Enter the user account name. DAM supports fuzzy matching for this
field.
. The Select User Group window
When a field is empty, it does not serve as a query criterion.
d.
Click Query.
The User List displays all users matching the query criteria.
e.
f.
6.
7.
172
Select a user from the list.
Click OK.
Configure the following parameters:
•
. The Select Asset Group window
Group Name—Click the Select Asset Group icon
appears. Select a group and click OK. When the Use User Groups option is selected, the
system automatically populates this field with the user group to which the asset owner
belongs.
•
Group Control Scheme—Automatically populated with the same desktop control scheme
that is assigned to the asset group.
•
Asset Control Scheme—Select a desktop control scheme for the asset, or select Disable
Control Scheme when you do not want to apply any control scheme to the asset. The
desktop control scheme configuration can be on a group basis or an asset basis. The
group basis configuration applies to all assets in the same group, but can be overridden
by the asset basis configuration.
•
Location—Enter the location of the asset.
•
Asset Name—Enter the asset name.
•
Asset Type—Select an asset type from the list: PC, Laptop, Server, Workstation, or Others.
•
Model—Enter the asset model.
•
Remarks—Enter remarks for the asset.
Click OK.
Configuring DAM
Batch importing assets
Operators can batch import assets from a file that contains asset information. Asset information
can be separated by a space, tab, comma (,), colon (:), pound sign (#), or dollar sign ($). The file
can use only one type of separator.
To batch import assets:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Click Batch Import.
The Batch Import Assets page appears.
4.
5.
Configure the following parameters:
•
Import File—Click Browse next to the Import File field. The Choose File window appears.
Browse to the target file that contains the asset information. The file must be a text file
with columns separated by delimiters. The system automatically populates the field with
the file path and name.
•
Column Separator—Select the column separator to use as the delimiter in the file. Options
are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($).
Click Next.
The Basic Information page appears.
6.
7.
Configure the basic information for the import task:
•
Asset Number—Select the column in the file that contains the asset number.
•
. The Select Asset Group window
Asset Group—Click the Select Asset Group icon
appears. Select a group and click OK. The group name is automatically populated in the
Asset Group field.
•
Owner—Select the column in the file that contains the asset owner, or select Not Import
from File.
•
Owner ID Number—Select the column in the file that contains the owner ID, or select Not
Import from File. This field is not available when the Owner field is set to Not Import from
File. The Owner ID Number uniquely identifies a user as the asset owner in case of
duplicated user names.
•
Asset Name—Select the column in the file that contains the asset name, or select Not
Import from File. To configure the same asset name for all assets, select Not Import from
File and enter the settings manually.
•
Location—Select the column in the file that contains the asset location, or select Not Import
from File to set the same location for all imported assets manually.
•
Asset Type—Select the column in the file that contains the asset type, or select Not Import
from File and then select an asset type for all imported assets. Options are PC, Laptop,
Workstation, Server, and Others (any other asset type).
•
Vendor—Select the column in the file that contains the asset vendor, or select Not Import
from File to set the same vendor for all imported assets manually.
•
Model—Select the column in the file that contains the asset model, or select Not Import
from File to set the same asset model for all imported assets manually.
•
Remarks—Select the column in the file that contains remarks for the asset, or select Not
Import from File to enter the remarks manually.
To view the first 10 assets imported according to your settings, click Preview.
Managing assets
173
8.
To import all assets in the file to DAM, click OK.
The Import Asset Result page appears.
9. Click Download to download the result.
10. To go back to the Asset List, click Back.
Modifying an asset
To modify an asset:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Click the Modify icon
for the asset you want to modify.
The Modify Asset page appears.
4.
Owner—Select an owner for the asset.
a. Click Select next to the Owner field.
The Select User window appears.
b.
Filter users through basic query or advanced query.
The Query Asset feature is displayed above the Asset List. The Advanced Query link is a
toggle switch between Basic Query and Advanced Query. When the link is Advanced
Query, you are in basic query mode, and vice versa.
c.
Enter or select one or more of the following query criteria:
•
User Name—Enter the user name. DAM supports fuzzy matching for this field.
•
Identity Number—Enter the user identity number. DAM supports fuzzy matching for
this field.
•
Contact Address—Enter the contact address of the user. DAM supports fuzzy matching
for this field. This field is available for advanced queries only.
•
Telephone—Enter the telephone number of the user. DAM supports fuzzy matching
for this field. This field is available for advanced queries only.
•
Email—Enter the email address of the user. DAM supports fuzzy matching for this
field. This field is available for advanced queries only.
•
User Group—Click the Select User Group icon
appears. Select a group and click OK.
•
Open Account—Select this option to create a self-service account for the user. A
self-service account on the IMC platform allows a user to access the SOM console.
•
Account Name—Enter the user account name. DAM supports fuzzy matching for this
field.
. The Select User Group window
When a field is empty, it does not serve as a query criterion.
d.
Click Query.
The User List displays all users matching the query criteria.
e.
f.
5.
Configure the following parameters:
•
174
Select a user from the list.
Click OK.
Group Name—Click the Select Asset Group icon
. The Select Asset Group window
appears. Select a group and click OK. When the Use User Groups option is selected, the
Configuring DAM
system automatically populates this field with the user group to which the asset owner
belongs.
6.
•
Group Control Scheme—Automatically populated with the same desktop control scheme
as that assigned to the asset group.
•
Asset Control Scheme—Select a desktop control scheme for the asset, or select Disable
Control Scheme when you do not want to apply any control scheme to the asset. The
desktop control scheme configuration can be on a group basis or an asset basis. The
group basis configuration applies to all assets in the same group, but can be overridden
by the asset basis configuration.
•
Location—Enter the location of the asset.
•
Asset Name—Enter the asset name.
•
Asset Type—Select an asset type from the list. Options are PC, Laptop, Server, Workstation,
and Others.
•
Model—Enter the asset model.
•
Remarks—Enter remarks for the asset.
Click OK.
Deleting an asset
After deleting an asset, the asset number and all other asset information is removed permanently
from the DAM database. To resubmit this asset to DAM management, you must re-register the
asset.
To delete an asset:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
4.
Select the box next to the Status field for the asset you want to delete.
Click Delete.
Regrouping an asset
Operators can manually move assets between asset groups. However, if the Use User Groups
option is selected, DAM automatically assigns each asset to the user group to which its owner
belongs, and prohibits operators from manually moving assets between asset groups
To regroup an asset:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
4.
Select the box next to the Status field for the asset you want to regroup.
Click Regroup.
The Regroup Assets page appears.
5.
In the Target Group area, click the Select Asset Group icon
.
The Select Asset Group window appears.
6.
Select an asset group and click OK.
The Select Asset Group window closes.
7.
On the Regroup Assets page, click OK.
Managing assets
175
Exporting asset information
The asset export function allows operators to use the query function to produce a list of assets to
be exported, and then export those assets to an export file. Operators can either export basic
information or all information for the asset.
The basic information includes the contents of the System Information section on the Asset Details
page; it can be exported to a text file. All information is exported to a zip file that contains multiple
HTML files, including the Asset List page and Asset Details page. The Asset List page provides
export information, export criteria, and hyperlinks to the assets. The Asset Details page contains
detailed information about the assets. For more information, see “Viewing asset details” (page 164).
Asset export function asset list
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset.
•
Asset Group—Group to which the asset belongs.
•
Inserted at—Time when the asset was manually added to DAM or automatically numbered
by DAM.
•
Group Name—Click the Select Asset Group icon
. The Select Asset Group window appears.
Select a group and click OK. The selected asset group is automatically populated in the Group
Name field.
Exporting asset information
To export asset information:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in DAM.
3.
Filter the assets using basic query or advanced query in the Query Asset area.
For more information, see “Querying assets” (page 168).
4.
Click Export.
The Export Contents page appears. All listed assets that match the query criteria are exported.
5.
Configure the following parameters:
•
Export Contents—Select the content to be exported: Basic Information or All Information.
When you select All Information, the File Type and File Column Separator fields do not
appear.
When you select Basic Information, you can export asset information only to a text file,
and you must select a column separator.
6.
•
File Type—When Export Contents is set to Basic Information, this field appears and
displays TXT, which cannot be modified.
•
File Column Separator—Select the column separator to use as the delimiter in the file.
Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). This
field does not appear when Export Contents is set to All Information.
Click OK.
The Asset Export Results page appears.
7.
8.
176
Click Download to download the result.
To go back to the Asset List, click Back.
Configuring DAM
NOTE: To ensure fast and stable user authentication, do not perform any batch operations if
there are several user authentication processes running.
Managing the asset export history
DAM records the export history of asset information in the Asset Export History List. Operators can
view, download, and delete the asset export history.
Asset export history list contents
•
Export File Name—Name of the export file.
•
Export File Path—Path of the export file.
•
Operator—Operator who exported the asset information.
•
Exported at—Time when the asset information was exported.
•
Download File—Click the Download link to download the export file.
•
Delete—Click the Delete
icon to delete the asset export file.
Viewing the asset export history
To view the asset export history:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The Asset List displays all assets in the DAM database.
3.
Click Export History on the upper right corner of the Assets List.
The Asset Export History Listdisplays the export history of asset information.
4.
To go back to the Asset List, click Back.
Downloading the asset export history record
To download the asset export history record:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The All Assets page appears.
3.
Click Export History in the Asset List area.
The Asset Export History List displays all asset export history records.
4.
5.
Click the Download link for the export history record you want to download.
Open or save the export history record.
Deleting the asset export history record
To delete the asset export history record:
1. Click the Service tab.
2. Select Desktop Asset Manager > All Assets from the navigation tree.
The All Assets page appears.
3.
Click Export History in the Asset List area.
The Asset Export History List displays all asset export history records.
4.
Click the Delete icon
for the export history record you want to delete.
A confirmation dialog box appears.
Managing the asset export history 177
5.
Click OK.
Collecting asset statistics
DAM allows operators to collect statistics for registered assets by asset type, CPU frequency, hard
disk size and type, operating system version and language, and software installed.
The data collection target can be all assets or a specific asset group and its subgroups. Operators
can collect statistics only for groups and subgroups for which they have privileges.
Collecting statistics by asset type
Operators can collect statistics for all assets or a specific asset group by asset type, which can be
PC, Laptop, Server, Workstation, or Others.
To collect statistics by asset type:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Statistics from the navigation tree.
The Asset Statistics page appears.
3.
Click the Type icon
in the Asset Statistics section.
The Statistics of Types page appears. By default, the report displays statistics for all asset
groups to which the operator has privileges.
4.
Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
5.
Select a group and click OK.
The Group Name field is populated with the selected asset group.
6.
7.
Select a report type from the list: Pie Chart or List.
Click Query.
The query results appear under the Asset Query section.
8.
Click Reset to restore the default.
The report displays statistics for all asset groups to which the operator has privileges.
Asset type statistics reports
The asset type statistics reports can be displayed in a pie chart or a list.
Asset type statistics report—Pie chart
This report displays, in a pie chart, the number of assets of each asset type and their proportion.
Figure 4 Asset type statistics report—Pie chart
178
Configuring DAM
Asset type statistics report—List
This report lists the number of assets of each asset type and their proportion.
Figure 5 Asset type statistics report—List
Collecting statistics by CPU
Operators can collect statistics for all assets or a specific asset group by CPU frequency.
To collect statistics by CPU frequency:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Statistics from the navigation tree.
The Asset Statistics page appears.
3.
Click the CPU icon
in the Asset Statistics section.
The Statistics of CPU page appears. By default, the report displays statistics for all asset groups
to which the operator has privileges.
4.
Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
5.
6.
7.
Select a group and click OK.
Select a report type from the list: Pie Chart or List.
Click Query.
The query results appear under the Asset Query section.
8.
Click Reset to restore the default.
The report displays statistics for all asset groups to which the operator has privileges.
CPU frequency statistics reports
The CPU frequency statistics reports can be displayed in a pie chart or a list.
CPU frequency statistics report—Pie chart
This report displays, in a pie chart, the number of CPUs in each frequency range and their
proportion.
Collecting asset statistics
179
Figure 6 CPU frequency statistics report—Pie chart
CPU frequency statistics report—List
This report lists the number of CPUs in each frequency range and their proportion.
Figure 7 CPU frequency statistics report—List
Collecting statistics by hard disk
Operators can collect statistics for all assets or a specific asset group by hard disk capacity and
type.
To collect statistics by hard disk capacity and type:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Statistics from the navigation tree.
The Asset Statistics page appears.
3.
Click the Hard Disk
icon in the Asset Statistics section.
The Hard Disk Statistics page appears. The report displays statistics for assets in all asset
groups to which the operator has privileges.
4.
Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
5.
Select a group and click OK.
The Group Name field is populated with the selected asset group.
6.
7.
Select a report type from the list: Pie Chart or List.
Click Query to submit your filter criteria.
The results of your filter or search query are displayed under the Asset Query section.
8.
Click Reset to restore the default.
The report displays statistics for all asset groups to which the operator has privileges.
Hard disk capacity and type statistics reports
The hard disk capacity and type statistics report can be displayed in a pie chart or a list.
180 Configuring DAM
Hard disk capacity statistics report—Pie chart
This report displays, in a pie chart, the number of hard disks in each capacity range and their
proportion.
Figure 8 Statistics report by hard disk capacity—Pie chart
Hard disk capacity statistics report—List
This report lists the number of hard disks in each capacity range and their proportion.
Figure 9 Statistics report by hard disk capacity—List
Hard disk type statistics report—Pie chart
This report displays, in a pie chart, the number of hard disks of each type and their proportion.
Figure 10 Statistics report by hard disk type—Pie chart
Hard disk type statistics report—List
This report lists the number of hard disks of each type and their proportion.
Collecting asset statistics
181
Figure 11 Statistics report by hard disk type—List
Collecting statistics by operating system
Operators can collect statistics for all assets or a specific asset group by operating system version
and language.
To collect statistics by operating system version and language:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Statistics from the navigation tree.
The Asset Statistics page appears.
3.
Click the OS
icon in the Asset Statistics section.
The Statistics of OS page appears. The report displays statistics for assets in all asset groups
to which the operator has privileges.
4.
Group Name—Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
5.
Select a group and click OK.
The Group Name field is populated with the selected asset group.
6.
7.
Select a report type from the list: Pie Chart or List.
Click Query to submit your filter criteria.
The results of your filter or search query are displayed under the Asset Query section.
8.
Click Reset to restore the default.
The report displays statistics for all asset groups to which the operator has privileges.
Operating system version and language statistics reports
Operating system version and language statistics reports can be displayed as a pie chart or in a
list.
Operating system version statistics report—Pie chart
This report displays, in a pie chart, the number of operating systems of each version and their
proportion.
182
Configuring DAM
Figure 12 Statistics report by operating system version—Pie chart
Operating system version statistics report—List
This report lists the number of operating systems of each version and their proportion.
Figure 13 Statistics report by operating system version—List
Operating system language statistics report—Pie chart
This report displays, in a pie chart, the number of operating systems using each language and
their proportion.
Figure 14 Statistics report by operating system language—Pie chart
Operating system language statistics report—List
This report lists the number of operating systems using each language and their proportion.
Figure 15 Statistics report by operating system language—List
Collecting asset statistics 183
Collecting statistics by software installed
Operators can use the Asset Statistics function to collect statistics for all assets or a specific asset
group by software installed.
To collect statistics by software installed:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset Statistics from the navigation tree.
The Asset Statistics page appears.
3.
Click the Software
icon in the Asset Statistics section.
The Statistics of Software page appears. By default, the report displays statistics for all asset
groups to which the operator has privileges.
4.
Click the Select Asset Group icon
next to the Group Name field.
The Select Asset Group window appears.
5.
Select a group and click OK.
The Group Name field is populated with the selected asset group.
6.
7.
Select List from the Report Type field.
Click Query to submit your filter criteria.
The results of your filter or search query are displayed under the Asset Query section.
8.
Click Reset to restore the default.
The report displays statistics for all asset groups to which the operator has privileges.
Software installation statistics report
The software installation statistics report is displayed in a list.
Software installation statistics report
This report lists statistics for software installed on all assets or assets in selected asset groups.
Figure 16 Software installation statistics report
Managing the export task
Operators can schedule a task to export and save all USB monitoring records to a directory or FTP
server as a CSV file or TXT file.
Export task list contents
•
Task Name—Name of the export task: USB Monitor.
•
Export file path (iMC installation directory)—Export file path of the USB monitoring records in
the IMC installation directory.
184 Configuring DAM
•
Status—Indicates whether the export task is enabled. By default, this field displays Disabled.
•
Config—Click the Config icon
to configure the export task.
Viewing the export task management list
To view the export task management list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Export Task Management from the navigation tree.
The Export Task List displays the USB monitor task.
Configuring the export task
To configure the export task:
1. Click the Service tab.
2. Select Desktop Asset Manager > Export Task Management from the navigation tree.
The Export Task List displays all export tasks.
3.
Click the Config
icon for the USB monitor task you want to configure.
The USB Monitor page appears.
4.
Select Enable Automatic Export to enable automatic export of USB monitoring records.
When you skip this step, the scheduled export task is not executed.
Configure the following parameters for the export task:
5.
6.
•
Export Interval—Select the interval at which the task is executed: Daily or Monthly.
•
File Type—Select the type of the export file: TXT or CSV. When you select TXT, you must
select a separator for the file.
•
Task Description—Enter a brief description of the task.
•
Prefix of Export File—Enter a prefix for the name of the export file. The export file name
is composed of the prefix and the system time when the file was exported. For example,
when you set the prefix to Backup, the export file name may be
Backup20120316033010, where 20120316033010 indicates the time when the file
was exported, to the second.
•
Separator—Specify the delimiter to use for the data fields in the exported file. Options
are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). This field appears
only when the File Type is set to TXT.
Select Export to FTP Server field when you want to export the USB monitoring records to an
FTP server. Configure the following parameters for the FTP server:
•
FTP Username—Enter the user name used to log in to the FTP server.
•
FTP Password—Enter the password used to log in to the FTP server.
•
FTP Server IP—Enter the IP address of the FTP server.
Click OK.
Managing the export task 185
9 Configuring desktop control schemes and policies
A desktop control scheme contains a set of policies distributed by the DAM server to each iNode
client for controlling desktop assets. The policies are classified as follows:
•
Peripheral management policies—Disables peripheral devices and monitors the use of USB
storage devices and printers. The iNode client immediately reports an event to the DAM server
for auditing when a peripheral device is enabled, a USB storage device is used, or a print
task is submitted. Operators can view, add, modify, and delete peripheral management
policies. For more information, see “Configuring peripheral management policies” (page 188).
•
Energy-saving policies—Implements scheduled shutdown of assets. According to the
energy-saving policy, the iNode client displays a message 10 minutes before the scheduled
shutdown time, requesting that the user shut down the computer, and forcibly shuts down the
computer when the user does not respond. Operators can view, add, modify, and delete
energy-saving policies. For more information, see “Configuring energy saving policies” (page
191).
•
Monitoring alarm policies—Allows the DAM server to encapsulate monitoring information in
syslogs and send them to the specified syslog server. The monitoring information is reported
by the iNode client and includes software and hardware changes of assets, unauthorized
copying, and printing of sensitive files. Operators can view, add, modify, and delete monitoring
alarm policies. For more information, see “Configuring monitoring alarm policies” (page 193).
Configuring desktop control schemes
You can view, add, modify, and delete desktop control schemes. The desktop control scheme
configuration can be on a group basis or asset basis. The group basis configuration applies to all
assets in the same group, but can be overridden by the asset basis configuration.
Desktop control scheme list contents
•
Name—Name of the desktop control scheme. Click the name to view its details.
•
Peripheral Management Policy—Name of the peripheral management policy assigned to the
desktop control scheme.
•
Energy-Saving Policy—Name of the energy-saving policy assigned to the desktop control
scheme.
•
Monitoring Alarm Policy—Name of the monitoring alarm policy assigned to the desktop control
scheme.
•
Description—Description of the desktop control scheme.
•
Service Group—Service group to which the desktop control scheme belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the desktop control scheme settings.
to delete the desktop control scheme.
Desktop control scheme details
Desktop control scheme details comprise the basic information section and the policy list section.
Basic information section
•
Name—Name of the desktop control scheme.
•
Service Group—Service group to which the desktop control scheme belongs.
•
Description—Description of the desktop control scheme.
186 Configuring desktop control schemes and policies
Policy list section
•
Policy Name—Name of the policy assigned to the desktop control scheme. Click the name to
view its details.
•
Policy Type—Policy type: Peripheral Management Policy, Energy-Saving Policy, or Monitoring
Alarm Policy.
•
Description—A description of the policy.
•
Service Group—Service group to which the policy belongs.
Viewing the desktop control scheme list
To view the desktop control scheme list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Control Scheme from the navigation tree.
The Control Scheme List displays all desktop control schemes.
3.
4.
Click Refresh to refresh the Control Scheme List.
To sort the Control Scheme List, click the Name or Service Group column label.
Viewing desktop control scheme details
To view details of a desktop control scheme:
1. Click the Service tab.
2. Select Desktop Asset Manager > Control Scheme from the navigation tree.
The Control Scheme List displays all desktop control schemes.
3.
Click the name of the desktop control scheme for which you want to view the detailed
information.
The Control Scheme Details page appears.
4.
To go back to the Control Scheme List, click Back.
Adding a desktop control scheme
Each desktop control scheme can contain one peripheral management policy, one energy-saving
policy, and one monitoring alarm policy. You must create the policies before you add them to a
desktop control scheme. For more information about the configuration procedure, see “Adding a
peripheral management policy” (page 190), “Adding an energy saving policy” (page 192), and
“Adding a monitoring alarm policy” (page 195).
To add a desktop control scheme:
1. Click the Service tab.
2. Select Desktop Asset Manager > Control Scheme from the navigation tree.
The Control Scheme List displays all desktop control schemes.
3.
Click Add.
The Add Control Scheme page appears.
4.
5.
Configure the basic information for the desktop control scheme.
Assign policies to the desktop control scheme in the Policy List section.
Select the box for the policy you want to assign to the desktop control scheme. You can select
one peripheral management policy, one energy-saving policy, and one monitoring alarm
policy.
6.
Click OK.
After adding the desktop control scheme, you can assign it to a single asset or a group of assets.
The group basis configuration applies to all assets in the same group, but can be overridden by
Configuring desktop control schemes
187
the asset basis configuration. For more information, see “Modifying an asset group” (page 157)
and “Modifying an asset” (page 174).
Modifying a desktop control scheme
To modify a desktop control scheme:
1. Click the Service tab.
2. Select Desktop Asset Manager > Control Scheme from the navigation tree.
The Control Scheme List displays all desktop control schemes.
3.
4.
5.
Click the Modify icon
for the desktop control scheme you want to modify.
Modify the description for the desktop control scheme. You cannot modify other basic
information.
Reassign policies to the desktop control scheme in the Policy List section.
Select the box for the policy you want to assign to the desktop control scheme. To cancel a
policy, clear its box.
6.
Click OK.
Deleting a desktop control scheme
When you delete a desktop control scheme, the scheme is removed from all associated assets and
asset groups. To assign new schemes, modify the assets and asset groups.
To delete a desktop control scheme:
1. Click the Service tab.
2. Select Desktop Asset Manager > Control Scheme from the navigation tree.
The Control Scheme List displays all desktop control schemes.
3.
Click the Delete icon
for the desktop control scheme you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Configuring peripheral management policies
A peripheral management policy is used to disable peripheral devices and monitor the use of USB
storage devices and printers. The iNode client immediately reports an event to the DAM server for
auditing when a peripheral device is enabled, a USB storage device is used, or a print task is
submitted. Operators can view, add, modify, and delete peripheral management policies.
Peripheral management policy list contents
•
Policy Name—Name of the peripheral management policy. Click the name to view its details.
•
Description—Description of the peripheral management policy.
•
Illegal—Types of peripheral devices prohibited by the peripheral management policy.
•
Report—Indicates whether the iNode client reports to the DAM server that a prohibited
peripheral device is enabled on the asset. If so, this field displays Report; if not, this field is
empty.
•
Service Group—Service group to which the peripheral management policy belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
188 Configuring desktop control schemes and policies
to modify the policy settings.
to delete the peripheral management policy.
Peripheral management policy details
Peripheral management policy details comprise a basic information section and a disable devices
section.
Basic information section
•
Policy Name—Name of the peripheral management policy.
•
Service Group—Service group to which the peripheral management policy belongs.
•
Report—Indicates whether the iNode client reports to the DAM server that a peripheral device
selected in the Disable Devices section is enabled on the asset. Operators can audit the
peripheral use violations on the DAM server. For more information, see “Unauthorized
peripheral use record audit” (page 213).
•
Monitor USB Storage Devices—Indicates whether USB storage device monitoring is enabled.
When enabled, the iNode client reports the plug/unplug and write events of USB storage
devices to the DAM server for auditing. For more information, see “USB monitoring record
audit” (page 205).
•
Printer Use Monitor—Indicates whether printer monitoring is enabled. When enabled, the
iNode client monitors the printers in use, and reports the following information to the DAM
server for auditing: printer name, printer type (shared or not shared), printed file names,
printed file pages, and printed file size. For more information, see “Printer monitoring record
audit” (page 209).
•
Description—Description of the peripheral management policy.
Disable devices section
Select the peripheral devices for the DAM server to disable:
•
USB Storage—USB storage devices
•
USB Nonstorage—USB nonstorage devices
•
USB Storage Device Whitelist—USB storage devices that are not disabled
•
DVD/CD-ROM—DVD/CD-ROM drives
•
Floppy—Floppy disk drives
•
PCMCIA—PCMCIA interfaces
•
COM—COM interfaces
•
LPT—LPTs
•
Infrared—Infrared devices
•
Bluetooth—Bluetooth peripheral devices
•
1394—1394 interfaces
•
Modem—Modems
Viewing the peripheral management policy list
To view the peripheral management policy list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from
the navigation tree.
The Peripheral Management Policy List displays all peripheral management policies.
3.
Click Refresh to refresh the Peripheral Management Policy List.
Configuring peripheral management policies 189
4.
To sort the Peripheral Management Policy List, click the Policy Name or Service Group column
label.
Viewing peripheral management policy details
To view details of a peripheral management policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from
the navigation tree.
The Peripheral Management Policy List displays all peripheral management policies.
3.
Click the name of the peripheral management policy you want to view.
The Peripheral Management Policy Details page appears.
4.
To go back to the Peripheral Management Policy List, click Back.
Adding a peripheral management policy
To add a peripheral management policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from
the navigation tree.
The Peripheral Management Policy List displays all peripheral management policies.
3.
Click Add.
The Add Peripheral Management Policy page appears.
4.
Configure the basic information for the peripheral management policy.
•
Policy Name—Enter a unique name for the peripheral management policy.
•
Service Group—Select the service group to which the peripheral management policy
belongs.
•
Report—Select the box next to the Report field to report peripheral use violations for
auditing.
•
Monitor USB Storage Devices—Select the box next to the Monitor USB Storage Devices
field to monitor use of USB storage devices for auditing.
•
Printer Use Monitor—Select the box next to the Printer Use Monitor field to monitor use
of printers for auditing.
•
Description—Enter a description for the peripheral management policy to facilitate
maintenance.
NOTE: When you select the Monitor USB Storage Devices option, the USB Storage option
in the Disable Devices section turns gray. You cannot disable the USB storage devices for the
asset.
5.
6.
7.
In the Disable Devices section, reselect the peripheral device types to disable for the asset:
USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM, LPT, Infrared, Bluetooth,
1394, and Modem.
If the USB storage device is disabled, you can enter the device ID in the USB Storage Device
Whitelist field. Only one device ID is allowed per line. A device ID comprises a vendor ID
(VID) and a product ID (PID), separated by a slash (/), which uniquely identifies a USB storage
device.
Click OK.
The new peripheral management policy appears in the Peripheral Management Policy List and in
the Policy List on the Add Control Scheme page.
190 Configuring desktop control schemes and policies
Modifying a peripheral management policy
To modify a peripheral management policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from
the navigation tree.
The Peripheral Management Policy List displays all peripheral management policies.
3.
4.
5.
6.
7.
Click the Modify icon
for the peripheral management policy you want to modify.
Modify the basic information for the peripheral management policy. You cannot modify Policy
Name or Service Group.
•
Report—Select the box next to the Report field to report peripheral use violations for
auditing, or clear the box to disable the function.
•
Monitor USB Storage Devices—Select the box next to the Monitor USB Storage Devices
field to monitor use of USB storage devices for auditing, or clear the box to disable the
function.
•
Printer Use Monitor—Select the box next to the Printer Use Monitor field to monitor use
of printers for auditing, or clear the box to disable the function.
•
Description—Enter a new description for the peripheral management policy.
In the Disable Devices section, reselect the peripheral device types to disable for the asset:
USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM, LPT, Infrared, Bluetooth,
1394, and Modem.
If the USB storage device is disabled, you can enter the device ID in the USB Storage Device
Whitelist field. Only one device ID is allowed per line. A device ID comprises a vendor ID
(VID) and a product ID (PID), separated by a slash (/), which uniquely identifies a USB storage
device.
Click OK.
Deleting a peripheral management policy
You cannot delete a peripheral management policy that is assigned to a desktop control scheme.
You must remove the association between the policy and the desktop control scheme by reassigning
policies for the scheme. For more information about the configuration procedure, see “Modifying
a desktop control scheme” (page 188).
To delete a peripheral management policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from
the navigation tree.
The Peripheral Management Policy List displays all peripheral management policies.
3.
Click the Delete icon
for the peripheral management policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Configuring energy saving policies
Use an energy-saving policy to implement a scheduled shutdown of assets. According to the
energy-saving policy, the iNode client displays a message 10 minutes before the scheduled
shutdown time, requesting that the user shut down the computer, and forcibly shuts down the
computer when the user does not respond. Operators can view, add, modify, and delete
energy-saving policies.
Configuring energy saving policies
191
Energy saving policy list contents
•
Policy Name—Name of the energy-saving policy.
•
Auto Shutdown at—Automatic shutdown time configured for the asset.
•
Description—Description of the energy-saving policy.
•
Service Group—Service group to which the energy-saving policy belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the policy settings.
to delete the energy-saving policy.
Viewing the energy saving policy list
To view the energy-saving policy list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the
navigation tree.
The Energy-Saving Policy List displays all energy-saving policies.
3.
4.
Click Refresh to refresh the Energy-Saving Policy List.
To sort the Energy-Saving Policy List, click the Policy Name or Service Group column label.
Adding an energy saving policy
To add an energy-saving policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the
navigation tree.
The Energy-Saving Policy List displays all energy-saving policies.
3.
Click Add.
The Add Energy-Saving Policy page appears.
4.
5.
Configure the following parameters for the energy-saving policy:
•
Policy Name—Enter a unique name for the energy-saving policy.
•
Service Group—Select the service group to which the energy-saving policy belongs.
•
Auto Shutdown at—Enter the automatic shutdown time in the format hh:mm, where hh
represents the two-digit hour in 24-hour format, and mm represents the two-digit minute.
•
Description—Enter a description for the energy-saving policy to facilitate maintenance.
Click OK.
The new energy-saving policy appears in the Energy-Saving Policy List and in the Policy List
on the Add Control Scheme page.
Modifying an energy saving policy
To modify an energy-saving policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the
navigation tree.
The Energy-Saving Policy List displays all energy-saving policies.
3.
Click the Modify icon
for the energy-saving policy you want to modify.
The Modify Energy-Saving Policy page appears.
192 Configuring desktop control schemes and policies
4.
5.
Modify the following parameters for the energy-saving policy. You cannot modify the policy
name or service group.
•
Auto Shutdown at—Enter a new automatic shutdown time in the format hh:mm, where
hh represents the two-digit hour in 24-hour format, and mm represents the two-digit minute.
•
Description—Enter a new description for the energy-saving policy.
Click OK.
Deleting an energy saving policy
You cannot delete an energy-saving policy while it is still assigned to a desktop control scheme.
First you must remove the association between the policy and the desktop control scheme, by
reassigning policies for the scheme. For more information about the configuration procedure, see
“Modifying a desktop control scheme” (page 188).
To delete an energy-saving policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the
navigation tree.
The Energy-Saving Policy List displays all energy-saving policies.
3.
Click the Delete icon
for the energy-saving policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Configuring monitoring alarm policies
Monitoring alarm policies enable the DAM server to encapsulate monitoring information in syslogs
and send them to the specified syslog server. The monitoring information is reported by the iNode
client, and includes software and hardware changes of assets, unauthorized copying, and printing
of sensitive files. Operators can view, add, modify, and delete monitoring alarm policies.
Before you configure monitoring alarm policies, select Enable for Send Syslogs on the Service
Parameters page. Otherwise, the DAM server cannot send syslogs to the specified syslog server.
For more information about the configuration procedure, see “DAM service parameters” (page 312).
The IMC platform can serve as the syslog server to receive syslogs from the DAM server. For more
information about syslog management, see HP IMC Base Platform Administrator Guide.
Monitoring alarm policy list contents
•
Policy Name—Name of the monitoring alarm policy. Click the name to view its details.
•
Description—Description of the monitoring alarm policy.
•
Service Group—Service group to which the monitoring alarm policy belongs.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the policy settings.
to delete the monitoring alarm policy.
Monitoring alarm policy details
Monitoring alarm policy details comprise the following sections:
•
Basic information
•
USB monitoring
•
Printer monitoring
Configuring monitoring alarm policies
193
•
Hardware changes monitoring
•
Software changes monitoring
Basic information section
•
Policy Name—Name of the monitoring alarm policy.
•
Service Group—Service group to which the monitoring alarm policy belongs.
•
Description—Description of the monitoring alarm policy.
USB monitoring section
Keywords to Trigger Alarms—List of keywords for triggering alarms. When the DAM server receives
information about files written from the asset to a USB storage device, it checks the file names for
keywords. When a keyword is found, the DAM server encapsulates the information in syslogs and
sends them to the specified syslog server. Operators can view the following information on the
syslog server: asset number, asset name, owner, time when the USB storage device was connected
to the asset, and name, size, and write time of each file written to the USB storage device.
Printer monitoring section
Keywords to Trigger Alarms—List of keywords for triggering alarms. When the DAM server receives
information about files printed by the asset, it checks the file names for keywords. When a keyword
is found, the DAM server encapsulates the information in syslogs and sends them to the specified
syslog server. Operators can view the following information on the syslog server: asset number,
asset name, owner, printer name, and name, number of pages, size, and print time of each printed
file.
Hardware changes monitoring section
This section contains the hardware items to be monitored. When the content of a selected item
changes, the DAM server encapsulates the changes in syslogs and sends them to the specified
syslog server.
•
CPU—CPU number and name.
•
Memory—Total memory of the asset.
•
Mainboard—Vendor and product model of the main board.
•
DVD/CD-ROM—Device instance path of the DVD/CD-ROM drive.
•
NIC—Device instance path.
•
Hard Disk—Hard-disk interface type and device instance path.
•
BIOS—BIOS caption, vendor, release date, and version.
Software changes monitoring section
This section contains the software items to be monitored. When the content of a selected item
changes, the DAM server encapsulates the changes in syslogs and sends them to the specified
syslog server.
•
Logical Disk—Logical disk name, description, file system, serial number, and total size. The
logical disks are scanned and checked only when the asset starts up.
•
IP Address—NIC serial number, IP address, DHCP status, gateway IP address, asset MAC
address, and subnet mask.
•
Operating System—Operating system name, version, service pack, installation date, and
language.
Screen Saver—Screen-saver status (enabled or disabled), display of logon screen on resume
(enabled or disabled), and idle time.
•
194
Configuring desktop control schemes and policies
•
System Information—Login name of the asset.
•
Computer Name—Computer name of the asset.
•
Partition—Hard disk number, partition number, partition type, boot partition (yes or no), and
partition capacity.
•
Software—Software name and version.
•
Reinstall OS or Other Update—Operating system reinstallation and recovery.
Viewing the monitoring alarm policy list
To view the monitoring alarm policy list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the
navigation tree.
The Monitoring Alarm Policy List displays all monitoring alarm policies.
3.
4.
Click Refresh to refresh the Monitoring Alarm Policy List.
To sort the Monitoring Alarm Policy List, click the Policy Name or Service Group column label.
Viewing monitoring alarm policy details
To view details of a monitoring alarm policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the
navigation tree.
The Monitoring Alarm Policy List displays all monitoring alarm policies.
3.
Click the name of the monitoring alarm policy you want to view.
The Monitoring Alarm Policy Details page appears.
4.
To go back to the Monitoring Alarm Policy List, click Back.
Adding a monitoring alarm policy
To add a monitoring alarm policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the
navigation tree.
The Monitoring Alarm Policy List displays all monitoring alarm policies.
3.
Click Add.
The Add Monitoring Alarm Policy page appears.
4.
5.
Configure the basic information for the monitoring alarm policy:
•
Policy Name—Enter a unique name for the monitoring alarm policy.
•
Service Group—Select the service group to which the monitoring alarm policy belongs.
•
Description—Enter a description for the monitoring alarm policy to facilitate maintenance.
Enter the keywords in the Keywords to Trigger Alarms field of the USB Monitoring section.
You can enter up to 100 keywords per line, with each keyword containing up to 32 characters.
When the DAM server receives information about files written from the asset to a USB storage
device, it checks the file names for keywords. When a keyword is found, the DAM server
encapsulates the information in syslogs and sends them to the specified syslog server. You
can view the following information on the syslog server: asset number, asset name, owner,
Configuring monitoring alarm policies 195
and time when the USB storage device was connected to the asset; and name, size, and write
time of each file written to the USB storage device.
6.
Enter the keywords in the Keywords to Trigger Alarms field of the Printer Monitoring section.
You can enter up to 100 keywords per line, with each keyword containing up to 32 characters.
When the DAM server receives information about files printed by the asset, it checks the file
names for keywords. When a keyword is found, the DAM server encapsulates the information
within syslogs and sends them to the specified syslog server. You can view the following
information on the syslog server: asset number, asset name, owner, and printer name; and
name, number of pages, size, and print time of each printed file.
7.
Select the hardware items to monitor in the Hardware Changes Monitoring section.
Click the boxes next to the target items to monitor. When the content of a selected item changes,
the DAM server encapsulates the changes within syslogs and sends them to the specified
syslog server.
8.
9.
•
CPU—CPU number and CPU name.
•
Memory—Total memory of the asset.
•
Mainboard—Vendor and product model of the main board.
•
DVD/CD-ROM—Device instance path of the DVD/CD-ROM drive.
•
NIC—Device instance path.
•
Hard Disk—Hard-disk interface type and device instance path.
•
BIOS—BIOS caption, vendor, release date, and version.
Select the software items to monitor in the Software Changes Monitoring section. Click the
boxes next to the target items to monitor. When the content of a selected item changes, the
DAM server encapsulates the changes within syslogs and sends them to the specified syslog
server.
•
Logical Disk—Logical disk name, description, file system, serial number, and total size.
The logical disks are only scanned and checked when the asset starts up.
•
IP Address—NIC serial number, IP address, DHCP status, gateway IP address, asset MAC
address, and subnet mask.
•
Operating System—Operating system name, version, service pack, installation date, and
language.
•
Screen Saver—Screen saver status (enabled or disabled), display of logon screen on
resume (enabled or disabled), and idle time.
•
System Information—Login name of the asset.
•
Computer Name—Computer name of the asset.
•
Partition—Hard disk number, partition number, partition type, boot partition (yes or no),
and partition capacity.
•
Software—Software name and version.
•
Reinstall OS or Other Update—Operating system reinstallation and recovery.
Click OK.
The new monitoring alarm policy appears in the Monitoring Alarm Policy List and the Policy
List on the Add Control Scheme page.
Modifying a monitoring alarm policy
To modify a monitoring alarm policy:
1. Click the Service tab.
196
Configuring desktop control schemes and policies
2.
Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the
navigation tree.
The Monitoring Alarm Policy List displays all monitoring alarm policies.
3.
Click the Modify icon
for the monitoring alarm policy you want to modify.
The Modify Monitoring Alarm Policy page appears.
4.
5.
Modify the description for the monitoring alarm policy. You cannot modify other basic
information.
Modify the keywords in the Keywords to Trigger Alarms field of the USB Monitoring section.
You can enter up to 100 keywords per line with each keyword containing up to 32 characters.
When the DAM server receives information about files written from the asset to a USB storage
device, it checks the file names for keywords. When a keyword is found, the DAM server
encapsulates the information within syslogs and sends them to the specified syslog server.
You can view the following information on the syslog server: asset number, asset name, owner,
and time when the USB storage device was connected to the asset; and name, size, and write
time of each file written to the USB storage device.
6.
Modify the keywords in the Keywords to Trigger Alarms field in the Printer Monitoring section.
You can enter up to 100 keywords per line, with each keyword containing up to 32 characters.
When the DAM server receives information about files printed by the asset, it checks the file
names for keywords. When a keyword is found, the DAM server encapsulates the information
in syslogs and sends them to the specified syslog server. You can view the following information
on the syslog server: asset number, asset name, owner, and printer name; and name, number
of pages, size, and print time of each printed file.
7.
Reselect the hardware items to monitor in the Hardware Changes Monitoring section.
Select the boxes next to the items to monitor. To cancel an item, clear its box. When the content
of a selected item changes, the DAM server encapsulates the changes in syslogs and sends
them to the specified syslog server.
8.
Reselect the software items to monitor in the Software Changes Monitoring section.
Select the boxes next to the items to monitor. To cancel an item, clear its box. When the content
of a selected item changes, the DAM server encapsulates the changes in syslogs and sends
them to the specified syslog server.
9.
Click OK.
Deleting a monitoring alarm policy
You cannot delete a monitoring alarm policy that is assigned to a desktop control scheme. You
must remove the association between the policy and the desktop control scheme by reassigning
policies for the scheme. For more information about the configuration procedure, see “Modifying
a desktop control scheme” (page 188).
To delete a monitoring alarm policy:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the
navigation tree.
The Monitoring Alarm Policy List displays all monitoring alarm policies.
3.
Click the Delete icon
for the monitoring alarm policy you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Configuring monitoring alarm policies
197
10 Asset audit
DAM supports the following asset audit functions:
•
•
Post audits—Post-audit data shows the asset usage based on the asset history records stored
in DAM, including:
◦
Asset hardware changes
◦
Asset software changes
◦
Use of USB storage devices
◦
Printers
◦
Use of unauthorized peripherals
Real-time audits—Real-time audit data shows asset information in real time. DAM provides
the terminal file audit function to show in real time whether a terminal asset contains specified
files.
Asset hardware change record audit
DAM works with the iNode client to support the asset hardware change record audit function. The
iNode client automatically collects the asset hardware changes shown in Table 14 and reports
them to the DAM server. Operators can view the change time and change content by auditing
these changes.
Operators can configure the hardware items to be monitored in a monitoring alarm policy, assign
the policy to a desktop control scheme, and assign the desktop control scheme to the target asset
or asset group. The DAM server collects the hardware changes from the monitored asset or each
asset in the monitored asset group, and then sends them in syslogs to the specified syslog server.
DAM and the syslog server both are aware of the asset hardware changes.Operators can configure
the hardware items to be monitored in a monitoring alarm policy, assign the policy to a desktop
control scheme, and assign the desktop control scheme to the target asset or asset group. The DAM
server collects the hardware changes from the monitored asset or each asset in the monitored asset
group, and then sends them in syslogs to the specified syslog server. DAM and the syslog server
both are aware of the asset hardware changes.
By default, asset hardware change records can be kept for 1,825 days (about five years). Operators
can modify the record lifetime through the Asset Change Record Lifetime parameter. For more
information about modifying the record lifetime, see “DAM service parameters” (page 312).
Table 14 Asset hardware changes
Item
Changes
CPU
• CPU number
• CPU name
Mainboard
• Vendor
• Product model
BIOS
• Caption
• Vendor
• Release date
• Version
Memory
198 Asset audit
Total memory
Table 14 Asset hardware changes (continued)
Item
Changes
Hard Disk
• Interface type
• Device instance path
NIC
Device instance path
DVD/CD-ROM
Device instance path
Asset hardware change information list contents
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Change Type—Change type of the asset hardware. Options are Common Update, Reinstall
OS, and Other Update.
•
Change Contents—Content of the changed hardware. Options are CPU, Memory, Mainboard,
DVD/CD-ROM, NIC, Hard Disk, and BIOS.
•
Owner—Owner of the asset. Click the owner to view its details.
•
Changed on—System time of the server when the asset hardware was changed.
•
Details—Click the Details icon
to view detailed information about the asset hardware change.
Asset hardware change record details
Asset hardware change record details comprise the following parameters:
•
CPU Change Information—Appears only when the CPU number or the CPU name has changed.
Operators can view the CPU changes by comparing the new list with the old list.
•
BIOS Change Information—Appears only when the BIOS caption, vendor, release date, or
version has changed. Operators can view the BIOS changes by comparing the new list with
the old list.
•
Mainboard Change Information—Appears only when the vendor or product model of the main
board has changed. Operators can view the main-board changes by comparing the new list
with the old list.
•
Memory Change Information—Appears only when the total memory of the asset has changed.
Operators can view the memory changes by comparing the new list with the old list.
•
Hard Disk Change Information—Appears only when the hard-disk interface type or device
instance path has changed. Operators can view the asset hard-disk changes by comparing
the old list with the new list.
•
NIC Change Information—Appears only when the device instance path of the NIC has changed.
Operators can view the NIC changes by comparing the new list with the old list. The device
instance path changes when the NIC or the position of the NIC PCI is changed.
•
DVD/CD-ROM Change Information—Appears only when the device instance path of the
DVD/CD-ROM drive has changed. Operators can view the asset DVD/CD-ROM drive changes
by comparing the old list with new list.
Viewing the asset hardware change information list
To view the asset hardware change records list:
1. Click the Service tab.
Asset hardware change record audit 199
2.
Select Desktop Asset Manager > Asset HW Change from the navigation tree.
The Asset Hardware Change Information list displays all asset hardware change records.
3.
To sort the Asset Hardware Change Information list, click the Asset Number, Asset Name,
Change Type, Owner, or Changed on column label.
Viewing asset hardware change record details
To view details of an asset hardware change record:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset HW Change from the navigation tree.
The Asset Hardware Change Information list displays all asset hardware change records.
3.
Click the Details icon
for the asset hardware change information you want to view.
The Asset Hardware Change Details page appears.
4.
To go back to the Asset Hardware Change Information list, click Back.
Querying asset hardware change records
DAM allows operators to filter detailed asset hardware change records by using basic query mode
or advanced query mode.
Basic query
To query asset hardware change records by using basic query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset HW Change from the navigation tree.
The Asset Hardware Change Information list displays all asset hardware change records.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Changed from/to—Set the range of time when the asset hardware was changed. You
can enter the time range, or click the Select Date and Time icon to bring up the time
control window and select the time range. The time range must be in the format
YYYY-MM-DD hh:mm:ss.
Click Query.
The Asset Hardware Change Information list displays all asset hardware change records
matching the query criteria.
6.
To clear the query criteria, click Reset.
The Asset Hardware Change Information list displays all hardware change records.
Advanced query
To query asset hardware change records by using advanced query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset HW Change from the navigation tree.
The Asset Hardware Change Information list displays all asset hardware change records.
200 Asset audit
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
5.
Enter or select one or more of the following query criteria:
•
Asset Numberr—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Namer—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field.
•
Group Name—Click the Select Asset Group icon
asset is located.
•
Change Type—Select the change type from the list:
to select the asset group where the
◦
Common Update—Ordinary hardware changes on the asset, such as adding a
memory bar to the computer, are categorized into this type. The iNode client collects
and reports to DAM the asset hardware change information.
◦
Reinstall OS—All hardware information about the asset that the user re-registers
through the iNode client. The user re-registers the asset only after its operating system
is reinstalled. The iNode client re-collects and reports to DAM all asset information.
◦
Other Update—Hardware changes that are not categorized into Common Update
or Reinstall OS are categorized into Other Update, such as registering the asset on
multiple DAMs.
•
Change Contents—Select the content of changed hardware from the list. Options are
CPU, Memory, Mainboard, DVD/CD-ROM, NIC, Hard Disk, and BIOS.
•
Changed from/to—Set the range of time when the asset hardware was changed. You
can enter the time range, or click the Select Date and Time icon to bring up the time
control window and select the time range. The time range must be in the format
YYYY-MM-DD hh:mm:ss.
Click Query.
The Asset Hardware Change Information list displays all asset hardware change records
matching the query criteria.
6.
To clear the query criteria, click Reset.
The Asset Hardware Change Information list displays all hardware change records.
Asset software change record audit
DAM supports the asset software change record audit function with the cooperation of the iNode
client. The iNode client automatically collects the asset software changes shown in Table 15 and
reports them to the DAM server. Operators can view the change time and change content by
auditing these changes.
Operators can configure the software items to be monitored in a monitoring alarm policy, assign
the policy to a desktop control scheme, and assign the desktop control scheme to the target asset
or asset group. The DAM server collects the software changes from the monitored asset or each
asset in the monitored asset group, and then sends them in syslogs to the specified syslog server.
DAM and the syslog server are both notified of the asset software changes.
By default, asset software change records can be kept for 1,825 days (approximately five years).
Operators can modify the record lifetime using the Asset Change Record Lifetime parameter. For
more information about modifying the record lifetime, see “DAM service parameters” (page 312).
Asset software change record audit 201
Table 15 Asset software change records
Item
Changes
Login Name
Computer login name
Computer Name
Computer name
Logical Disk
• Name
• Description
• File system
• Serial number
• Total size
Operating System
• Name
• Version
• Service pack
• Installation date
• Language
Screen Saver
• Screen-saver status (enabled or disabled)
• Display of logon screen on resume (enabled or disabled)
• Idle time
Partition
• Hard disk number
• Partition number
• Partition type
• Boot partition (yes or no)
• Partition capacity
Network Connections
• NIC serial number
• IP address
• DHCP status
• Gateway IP address
• NIC MAC address
• Subnet mask
Software
• Software name
• Software version
Asset software change information list contents
•
Asset Number—Number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Change Type—Change type of the asset software. Options are Common Update, Reinstall
OS, and Other Update.
•
Change Contents—Content of the changed software. Options are Login Name, Computer
Name, Logical Disk, Operating System, Screen Saver, Partition, Network Connections, and
Software.
•
Owner—Owner of the asset. Click the owner to view its details.
202 Asset audit
•
Changed on—System time of the server when the asset software was changed.
•
Details—Click the Details icon
to view detailed information about the asset software change.
Asset software change record details
Asset software change record details comprise the following parameters:
•
Login Name Change Information—Appears only when the computer login name has changed.
Operators can view the computer login name change by comparing the new list with the old
list.
•
Computer Name Change Information—Appears only when the computer name has changed.
Operators can view the computer name change by comparing the new list with the old list.
•
Logical Disk Change Information—Appears only when the logical disk name, description, file
system, serial number, or total size has changed. Operators can view the logical disk change
by comparing the new list with the old list.
•
Network Connection Change Information—Appears only when the NIC serial number, IP
address, DHCP status, gateway IP address, MAC address, or subnet mask has changed.
Make sure that the DAM service parameter Report Network Connection Changes is configured
as Yes. Operators can view the network configuration change by comparing the new list with
the old list.
•
Operating System Change Information—Appears only when the operating system name,
version, service pack, installation time, or language has changed. Operators can view the
asset OS change by comparing the new list with the old list.
•
Screen Saver Change Information—Appears only when the status of the screen saver (enable
or disable), display of logon screen on resume (enabled or disabled), or the idle time length
has changed. Operators can view the screen saver changes of the asset by comparing the
new list with the old list.
•
Partition Change Information—Appears only when the hard disk number, partition number,
partition type, boot partition (yes or no), or partition capacity of the asset has changed.
Operators can view the partition changes by comparing the new list with the old list.
•
Software Change Information—Appears only when the name or version of the software installed
on the asset has changed. Operators can view the installed software changes of the asset by
comparing the new list with the old list.
Viewing the asset software change record list
To view the asset software change record list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset SW Change from the navigation tree.
The Asset Software Change Information list displays all asset software change records.
3.
To sort the list, click the Asset Number, Asset Name, Change Type, Owner, or Changed on
column label.
Viewing the asset software change record details
To view details of an asset software change record:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset SW Change from the navigation tree.
The Asset Software Change Information list displays all asset software change records.
3.
Click the Details icon
for the asset software change information you want to view.
The Asset Software Change Details page appears.
Asset software change record audit 203
4.
To go back to the Asset Software Change Information list, click Back.
Querying the asset software change records
DAM allows operators to filter detailed asset software change records by using basic query mode
or advanced query mode.
Basic query
To query asset software change records by using basic query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset SW Change from the navigation tree.
The Asset Software Change Information list displays all asset software change records.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Changed from/to—Set the range of time when the asset software was changed. You can
enter the time range, or click the Calendar icon to bring up the time control window
and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss.
Click Query.
The Asset Software Change Information list displays all asset software change records matching
the query criteria.
6.
Click Reset to clear the query criteria.
The Asset Software Change Information list displays all software change records.
Advanced query
To query asset software change records by using advanced query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Asset SW Change from the navigation tree.
The Asset Software Change Information list displays all asset software change records.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Owner—Enter owner of the asset. DAM supports fuzzy matching for this field.
•
Software Name—Enter the name of software. DAM supports fuzzy matching for this field.
204 Asset audit
•
5.
Change type—Select the change type from the list:
◦
Common Update—Ordinary software changes on the asset, such as installing or
uninstalling software, are categorized into this type. The iNode client collects and
reports to DAM the asset software change information.
◦
Reinstall OS—All software information about the asset that the user re-registers through
the iNode client. The user re-registers the asset only after its operating system is
reinstalled. The iNode client re-collects and reports to DAM all the asset information.
◦
Other Update—Software changes that are not categorized into Common Update or
Reinstall OS are categorized into Other Update, such as registering the asset on
multiple DAMs.
•
Group Name—Click the Select Asset Group icon
asset is located.
•
Changed from/to—Set the range of time when the asset software was changed. You can
enter the time range, or click the Calendar icon to bring up the time control window
and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss.
to select an asset group where the
Click Query.
The Asset Software Change Information list displays all asset software change records matching
the query criteria.
6.
Click Reset to clear the query criteria.
The Asset Software Change Information list displays all software change records.
USB monitoring record audit
DAM supports the USB monitoring record audit function. To use this function, operators must
configure the USB storage device monitoring function in a peripheral management policy, assign
the policy to a desktop control scheme, and assign the desktop control scheme to the target asset
or asset group.
The USB monitoring record audit function enables operators to view the time when the USB storage
device was plugged in or out, and to view the logical drive letter of and the contents written to the
USB storage device. By default, the monitoring records can be kept for 90 days, and operators
can modify the record lifetime using the Life of Log parameter. For more information, see “DAM
service parameters” (page 312).
USB monitor list contents
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset. Click the owner to view its details.
•
Logic Drive—Logical disk letter of the USB storage device.
•
USB Plugged (Server)—System time of the DAM server when the USB storage device was
plugged into the asset.
•
USB Unplugged (Server)—System time of the DAM server when the USB storage device was
unplugged from the asset.
•
Details—Click the Details icon
to view detailed information about the USB monitoring record.
USB monitoring record audit 205
USB monitoring record details
USB monitoring record details comprise the Information of USB Copied Files section and the List
of USB Copied Files section.
Information of USB copied files section
•
Owner—Owner of the asset. Click the owner to view its details.
•
Asset Name—Name of the asset.
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Logic Drive—Logical disk letter of the USB storage device.
•
USB Plugged (Client)—System time of the client when the USB storage device was plugged
into the asset.
•
USB Plugged (Server)—System time of the DAM server when the USB storage device was
plugged into the asset.
•
USB Unplugged (Server)—System time of the DAM server when the USB storage device was
plugged from the asset.
•
Number of Copied Files—Number of the files copied to the USB storage device.
•
Size of Copied Files (Byte)—Total size of the files copied to the USB storage device, in bytes.
List of USB copied files section
•
File Name—Name of the file copied to the USB storage device.
•
Operation Type—Operation type of the file copied to the USB storage device, which can only
be Write.
•
File Size (Byte)—Total size of the file copied to the USB storage device, in bytes.
•
Operation Time (Client)—System time of the client when the file was copied to the USB storage
device.
•
Operation Time (Server)—System time of the server when the file was copied to the USB storage
device.
Viewing the USB monitoring record list
To view the USB monitoring record list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
3.
To sort the list, click the Asset Number, Asset Name, Owner, USB Plugged (Server), or USB
Unplugged (Server) column label.
Viewing the USB monitoring record details
To view details of a USB monitoring record:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
206 Asset audit
3.
Click the Details icon
for the USB monitor you want to view.
The USB Monitor Details page appears.
4.
5.
6.
To go back to the USB Monitor List, click Back.
Click Refresh to refresh the List of USB Copied Files.
To sort the list, click the File Name, Operation type, File Size (Byte), Operation Time (Client),
or Operation Time (Server) column label.
Querying the USB monitoring records
DAM allows operators to filter the USB monitoring records using either basic query mode or
advanced mode. The USB monitoring records include when the USB storage device was plugged
in or out, and files copied to the USB storage device.
Basic query
1.
2.
Click the Service tab.
Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
USB Plugged from/to—Set the range of time when the USB storage device was plugged
into the asset. You can enter the time range, or click the Calendar icon to bring up the
time control window and select the time range. The time range must be in the format
YYYY-MM-DD hh:mm:ss.
Click Query.
The USB Monitor List displays all USB monitoring records matching the query criteria.
6.
Click Reset to clear the query criteria.
The USB Monitor List displays the USB monitoring records of all assets.
Advanced query
To query USB monitoring records by using advanced query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
USB monitoring record audit 207
5.
•
Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field.
•
File Name—Enter the name of the file copied to the USB storage device. DAM supports
fuzzy matching for this field.
•
USB Plugged from/to—Set the range of time when the USB storage device was plugged
into the asset. You can enter the time range, or click the Calendar icon to bring up the
time control window and select the time range. The time range must be in the format
YYYY-MM-DD hh:mm:ss.
•
Minimum File Size—Enter the bytes of the file copied to the USB storage device. The USB
monitoring records whose file size is greater than or equal to this value is filtered out.
Click Query.
The USB Monitor List displays all USB monitoring records matching the query criteria.
6.
Click Reset to clear the query criteria.
The USB Monitor List displays the USB monitoring records of all assets.
Exporting the USB monitoring records
DAM supports exporting the USB monitoring records. By default, the USB monitoring records can
be kept for 90 days. When the record lifetime expires, DAM automatically deletes the records. To
avoid the records from being deleted, operators can keep the records for a longer time by modifying
the record lifetime through the Life of Log parameter.
Operators can also save the USB monitoring records by exporting the USB monitoring records
manually or automatically. This section only focuses on manually exporting the USB monitoring
records. For more information, see “Managing the export task” (page 184).
USB monitor log export history list contents
•
Export File Name—Name of the file that stores the export results. The file-name extension must
be .zip.
•
Export File Path—Path of the export file. The export file is located in the installation path of
IMC. In distributed deployment, the export file is located in the IMC installation path on the
master server.
•
Operator—Name of the operator who exported the USB monitoring records.
•
Exported at—Time when the USB monitoring records were exported.
•
Download File—Click Download to save the export results.
•
Delete—Click the Delete icon
to delete the export history of the USB monitoring records.
Exporting USB monitoring records
To export the USB monitoring records:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
3.
Click Export.
The Exporting File Format page appears.
208 Asset audit
4.
5.
Set the export file attributes:
•
File Type—Select the format of the file you want to export USB monitoring records to.
Options are TXT and CSV.
•
File Column Separator—Select the separator for the text file when TXT is selected as the
format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#),
and dollar sign ($).
Click OK.
The Result of exporting USB monitor page appears.
6.
7.
Click Download to save the export results.
To go back to the USB monitoring record list, click Back.
Viewing the USB monitor log export history
DAM supports viewing the export history of the USB monitoring records. DAM automatically
generates an export history record each time the USB monitoring records are exported manually.
Operators can download the export results or delete the export history.
To view the export history of USB monitoring records:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation
tree.
The USB Monitor List displays the USB monitoring records of all assets.
3.
Click Export History next to the USB Monitor List.
The Export History page appears.
4.
To go back to the USB Monitor List, click Back.
Printer monitoring record audit
DAM supports the printer monitoring record audit function. To use this function, operators must
configure the printer monitoring function in a peripheral management policy, assign the policy to
a desktop control scheme, and assign the desktop control scheme to the target asset or asset group.
The printer monitoring record audit function enables operators to view the name and pages of
each printed file. By default, the printer monitoring records can be kept for 90 days, and operators
can modify the record lifetime through the Life of Log parameter. For more information about
modifying the record lifetime, see “DAM service parameters” (page 312).
Printer monitor list contents
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset. Click the owner to view its details.
•
Printer Name—Name of the printer.
•
File Name—Name of the printed file.
•
Printed Pages—Number of the pages of the printed file.
•
Report Time—Time when the DAM server received the file printing message from the asset.
•
Share Printer—Indicates whether the file was printed on a shared printer.
•
Details—Click the Details icon
record.
to view detailed information about the printer monitoring
Printer monitoring record audit 209
Printer monitoring record details
Printer monitoring record details comprise the following parameters:
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset. Click the owner to view its details.
•
Printer Name—Name of the printer.
•
Share Printer—Indicates whether the file was printed on a shared one.
•
File Name—Name of the printed file.
•
Name of the Computer Initiating Printing—Computer name of the asset where the shared
printer locates. This option appears only when the shared printer is used for printing.
•
Asset Number of the Computer Initiating Printing—Asset number of the asset where the shared
printer is located. This option appears only when the file is printed by the shared printer.
•
Owner of the Computer Initiating Printing—Owner of the asset where the shared printer is
located. This option appears only when the file is printed by the shared printer.
•
Print Time—System time of the client when the printer was used.
•
Report Time—System time of the DAM server when the printer was used.
•
File Total Pages—Total pages of the printed file.
•
Printed Pages—Number of the printed pages.
•
File Total Size—Total size of the printed file, in bytes.
•
Printed Size—Size of the printed data, in bytes.
•
Driver Info.—Driver information of the printer.
•
Port—Computer port that the printer is connected to.
Viewing the printer monitoring record list
To view the printer monitoring record list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
To sort the list, click the Asset Number, Asset Name, Owner, Printer Name, File Name, Printed
Pages, Report Time, or Share Printer column label.
Viewing the printer monitoring record details
To view the printer monitoring record details:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
Click the Details icon
for the printer monitoring record you want to view.
The Printer Monitor Details page appears.
4.
210
To go back to the Printer Monitor List, click Back.
Asset audit
Querying the printer monitoring records
DAM allows operators to filter the printer monitoring records by using basic query mode or
advanced mode. The printer monitoring records include the use of printers by assets.
Basic query
To query the printer monitoring records by using basic query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter one or both of the following query criteria:
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
Click Query.
The Printer Monitor List displays all printer monitoring records matching the query criteria.
6.
Click Reset to clear the query criteria.
The Printer Monitor List displays the printer monitoring records of all assets.
Advanced query
To query the printer monitoring records by using advanced query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field.
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field.
•
File Name—Enter the name of the printed file, which must be exactly the same as that in
the Windows printer task list.
•
Name of the Computer Initiating Printing—Enter the name of the computer where the
shared printer is located. DAM supports fuzzy matching for this field. This field is empty
unless the file is printed on a shared printer.
•
Asset Number of the Computer Initiating Printing—Enter the asset number of the asset
where the shared printer is located. DAM supports fuzzy matching for this field. This field
is empty unless the file is printed on a shared printer.
Printer monitoring record audit
211
5.
•
Report Time from/to—Set the range of time when the printer monitoring record was
reported. You can enter the time range, or click the Calendar icon to bring up the time
control window and select the time range. The time range must be in the format
YYYY-MM-DD hh:mm:ss.
•
Printer Name—Enter the name of the printer. DAM supports fuzzy matching for this field.
•
Share Printer—Select whether the printer is a shared one.
•
Printed Pages from/to—Enter the range of pages of the printed file.
•
Printed Size from/to—Enter the data size of the printed file.
•
Port—Enter the port of the computer that the printer is connected to.
•
Driver Info.—Enter the driver information of the printer.
Click Query.
The Printer Monitor List displays all printer monitoring records matching the query criteria.
6.
Click Reset to clear the query criteria.
The Printer Monitor List displays the printer monitoring records of all assets.
Exporting the printer monitoring records
DAM supports exporting the printer monitoring records. By default, the printer monitoring records
can be kept for 90 days. When the record lifetime expires, DAM automatically deletes the records.
To avoid the records from being deleted, operators can keep the records for a longer time by
modifying the record lifetime through the Life of Log parameter. Operators can also save the printer
monitoring records by exporting them.
To export the printer monitoring records:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
Click Export.
The Exporting File Format page appears.
4.
5.
Set the export file attributes:
•
File Type—Select the format of the file you want to export printer monitoring records to.
Options are TXT and CSV.
•
File Column Separator—Select the separator for the text file when TXT is selected as the
format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#),
and dollar sign ($).
Click OK.
The Result of exporting USB monitor page appears.
6.
7.
Click Download to save the export results.
To go back to the Printer Monitor List, click Back.
Viewing the export history of the printer monitoring records
DAM supports viewing the export history of the printer monitoring records. DAM automatically
generates an export history record each time the printer monitoring records are exported. Operators
can download the export results or delete the export history.
To view the export history of the printer monitoring records:
1. Click the Service tab.
212
Asset audit
2.
Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation
tree.
The Printer Monitor List displays the printer monitoring records of all assets.
3.
Click the Export History next to the Printer Monitor List.
The Export History page appears.
4.
To go back to the Printer Monitor List, click Back.
Printer monitor log export history list contents
•
Export File Name—Name of the file that stores the export results. The file-name extension must
be .zip.
•
Export File Path—Path of the export file. The export file is located in the installation path of
IMC. In distributed deployment, the export file is located in the IMC installation path on the
master server.
•
Operator—Name of the operator who exported the printer monitoring records.
•
Content Exported—Content description of the exported file.
•
Exported at—Time and date when the printer monitoring records were exported.
•
Download File—Click Download to save the export results.
•
Delete—Click the Delete icon
to delete the export history of the printer monitoring records.
Unauthorized peripheral use record audit
DAM supports the unauthorized peripheral use record audit function. To use this function, operators
must configure the unauthorized peripheral items in a peripheral management policy, assign the
policy to a desktop control scheme, and assign the desktop control scheme to the target asset or
asset group.
The unauthorized peripheral use record audit function enables operators to view the type of
unauthorized peripherals, time, asset owner, and the unauthorized desktop control scheme. By
default, the unauthorized peripheral use record can be kept for 90 days, and operators can modify
the record lifetime through the Life of Log parameter. For more information about modifying the
record lifetime, see “DAM service parameters” (page 312).
Illegal peripheral use report list contents
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset. Click the owner to view its details.
•
Device Type—Types of unauthorized peripheral types. Options are DVD/CD-ROM, FloppyDisk,
Modem, COM/LPT, 1394, USB, Infrared, Bluetooth, and PCMCIA.
•
Operation Time (Server)—Time when the DAM server detected the unauthorized peripheral
use.
•
Description—Description of the unauthorized devices.
•
Disable Result—Indicates whether the authorized devices are disabled.
•
Details—Click the Details icon
use record.
to view detailed information about the unauthorized peripheral
Unauthorized peripheral use record audit
213
Illegal peripheral use log export history list contents
•
Export File Name—Name of the export that stores the export results. The file-name extension
must be .zip.
•
Export File Path—Path of the export file. The export file is located in the installation path of
IMC. In distributed deployment, the export file is located in the IMC installation path on the
master server.
•
Operator—Name of the operator who exported the unauthorized peripheral use records.
•
Content Exported—Content description of the exported file.
•
Exported at—Time and date when the unauthorized peripheral use records were exported.
•
Download File—Click Download to save the export results.
•
Delete—Click the Delete icon
use records.
to delete the export history of the unauthorized peripheral
Viewing the unauthorized peripheral use record list
To view the unauthorized peripheral use record list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from
the navigation tree.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
3.
To sort the list, click the Asset Number, Asset Name, Owner, Device Type, Operation Time
(Server), Description, or Disable Result column label.
Viewing the export history of the unauthorized peripheral use records
DAM supports viewing the export history of the unauthorized peripheral use records. DAM
automatically generates an export history record each time the unauthorized peripheral use records
are manually exported. Operators can download the export results and delete the export history.
To view the export history of unauthorized peripheral use records:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from
the navigation tree.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
3.
Click the Export History next to the Illegal Peripheral Use Report List.
The Export History page appears.
4.
5.
View the Illegal Peripheral Use Log Export History List.
To go back to the Illegal Peripheral Use Report List, click Back.
Querying the unauthorized peripheral use records
DAM allows operators to filter the unauthorized peripheral use records by using basic query mode
or the advanced mode. The unauthorized peripheral use records include the use of peripherals by
assets.
Basic query
To query the unauthorized peripheral use records by using basic query mode:
1. Click the Service tab.
214
Asset audit
2.
Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from
the navigation tree.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is displayed at the upper right of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter one or both of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this field.
•
Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field.
Click Query.
The Illegal Peripheral Use Report List displays all unauthorized peripheral use records matching
the query criteria.
6.
Click Reset to clear the query criteria.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
Advanced query
To query the unauthorized peripheral use records by using advanced query mode:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from
the navigation tree.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is displayed at the upper right of the page, you are already in advanced
query mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy criteria for this
field.
•
Asset Name—Enter the name of the asset. DAM supports fuzzy criteria for this field.
•
Owner—Enter the name of the asset owner. DAM supports fuzzy criteria for this field.
•
Group Name—Click the Select Asset Group icon
asset is located.
•
Operation Time (Server) from/to—Set the range of time when the unauthorized peripheral
use record was reported. You can enter the time range, or click the Calendar icon to
bring up the time control window and select the time range. The time range must be in
the format YYYY-MM-DD hh:mm:ss.
•
Peripheral Management Policy—Select the peripheral management policy that is violated.
•
Device Type—Select the type of the peripheral device. Options are DVD/CD-ROM,
FloppyDisk, Modem, COM/LPT, 1394, USB, Infrared, Bluetooth, and PCMCIA.
•
Device Instance Path—Enter the device instance path of the peripheral device. DAM
supports fuzzy matching for this filed.
to select the asset group where the
Unauthorized peripheral use record audit
215
5.
Click Query.
The Illegal Peripheral Use Report List displays all unauthorized peripheral use records matching
the query criteria.
6.
Click Reset to clear the query criteria.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
Exporting the unauthorized peripheral use records
DAM supports exporting the unauthorized peripheral use records. By default, the unauthorized
peripheral use records can be kept for 90 days. When the record lifetime expires, DAM
automatically deletes the records. To avoid the records from being deleted, operators can keep
the record for a longer time by modifying the record lifetime through the Life of Log parameter.
Operators can also save the unauthorized peripheral use records by exporting them.
To export the unauthorized peripheral use records:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from
the navigation tree.
The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all
assets.
3.
Click Export.
The Exporting File Format page appears.
4.
5.
Select the export file attributes:
•
File Type—Select the format of the file you want to export unauthorized peripheral use
records to. Options are TXT and CSV.
•
File Column Separator—Select the separator for the text file when TXT is selected as the
format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#),
and dollar sign ($).
Click OK.
The Result of exporting illegal peripheral use report page appears.
6.
7.
Click Download to save the export results.
To go back to the Illegal Peripheral Use Report List, click Back.
Terminal file audit
DAM supports the terminal file audit function to show whether a terminal asset contains specified
files in real time. DAM creates and immediately executes an audit task for each terminal file audit
operation, and allows operators to view or export the audit results.
Asset file check list contents
216
•
Asset Number—Asset number of the asset. Click the asset number to view detailed information
about the asset.
•
Group Name—Group that the asset belongs to.
•
Owner—Owner of the asset. Click the owner to view its details.
•
File Name Includes—Check path of the audit task.
•
Check Time—Time when the audit task was created.
•
Status—Current status of the audit task.
Asset audit
•
Export—Click the Export icon
to export the audit results of the terminal file audit task.
•
Details—Click the Details icon
to view detailed information about terminal file audit task.
Asset file check list details
Asset file check list details comprise the basic information section and the file list section.
Basic information section
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Asset User—User of the asset.
•
Report Time—Time when the audit results of the terminal file was submitted to the DAM server.
•
Owner—Owner of the asset.
•
Check Time—Time when the audit task was created.
•
Status—Status of the audit task: Reported or Not Reported.
◦
Reported—Indicates that the audit task is complete and the audit result has been submitted
to the DAM server.
◦
Not Reported—Indicates that the audit result has not been submitted to the DAM server.
•
Check Files in—Absolute path of the check files in the audit task list. The file path includes the
directory and all subdirectories, which must end with a backslash (\).
•
File Name Includes—Name of the audited file. The file name can contain the wildcard
characters asterisk (*) or question mark (?). An asterisk can match none or many characters.
A question mark can match only one character when it is placed after the dot (.), and can
match all characters except the dot (.) when it is placed before the dot.
•
Description—Description of the audit task.
File list section
•
File Name—Name of the file.
•
File Path—Absolute path of the file.
•
File Size—Size of the file, in bytes.
Viewing the terminal file audit task list
To view the terminal file audit task list:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation
tree.
The Asset File Check List displays the terminal file audit tasks of all assets.
3.
To sort the list, click the Asset Number, Group Name, Owner, File Name Includes, Check Time,
or Status column label.
Querying terminal file audit tasks
Operators can filter the terminal file audit tasks through a query.
To query terminal file audit tasks:
1. Click the Service tab.
Terminal file audit
217
2.
Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation
tree.
The Asset File Check List displays the terminal file audit tasks of all assets.
3.
4.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for
this filed.
•
Owner—Enter owner of the asset. DAM supports fuzzy matching for this filed.
•
Check Time from/to—Set the range of time when the terminal file audit task was performed.
You can enter the time range, or click the Calendar icon to bring up the time control
window and select the time range. The time range must be in the format YYYY-MM-DD
hh:mm:ss.
Click Query.
The Asset File Check List displays all terminal file audit tasks matching the query criteria.
5.
To clear the query criteria, click Reset.
The Asset File Check List displays the terminal file audit tasks of all assets.
Auditing the terminal files
To audit the terminal files:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation
tree.
The Asset File Check List displays the terminal file audit tasks of all assets.
3.
Click Audit.
The Audit page appears.
4.
Select the asset whose terminal files you want to audit:
a. Click Select Asset.
The Asset List dialog box appears.
b.
Filter assets through a basic query or advanced query.
The Query Asset feature appears above the Asset List. The Advanced Query link is a
toggle between Basic Query and Advanced Query. When the link is Advanced Query,
then you are in basic query mode, and vice versa.
Enter or select one or more of the following query criteria:
218
Asset audit
•
Asset Number—Enter the asset number of the asset. DAM supports for fuzzy matching
for this field.
•
Asset Name—Enter the name of the asset. DAM supports for fuzzy matching for this
field.
•
Owner—Enter the name of the asset owner. DAM supports for fuzzy matching for
this field.
•
Group Name—Click the Select Asset Group icon
to select an asset group. In the
Select Asset Group window that appears, select a group and click OK.
•
Operating System—Enter the name of the operating system. DAM supports for fuzzy
matching for this field. This field is available only for advance queries.
c.
d.
e.
•
Operating System Language—Select the operating system language: Chinese (PRC)
or English. This field is available only for advance queries.
•
Operating System Patch—Enter the version of the service pack of the operating
system, such as Service Pack 3. This field is available only for advance queries.
Click Query.
Select the asset you want to add in the Asset List.
Click OK.
The selected asset appears in the Asset Number field.
5.
6.
Enter the following parameters for the audit task:
•
Check Files in—Enter the absolute path of the files you want to check.
•
File Name Includes—Enter a partial of the file name. The file name can contain the wildcard
characters asterisk (*) or question mark (?). An asterisk can match none or many
characters. A question mark can match only one character when it is placed after the dot
(.), and can match all characters except the dot (.) when it is placed before the dot.
•
Description—Enter the description of the audit.
Click Start.
Viewing the terminal file audit results
To view the result of a terminal file audit task:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation
tree.
The Asset File Check List displays the terminal file audit tasks of all assets.
3.
Click the Details icon
for the terminal file audit to view its details.
The Asset File Check List page appears.
4.
5.
To go back to the Asset File Check List, click Back.
To save the audit results, click Export.
Exporting the terminal file audit results
To export the terminal file audit results:
1. Click the Service tab.
2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation
tree.
The Asset File Check List displays the terminal file audit tasks of all assets.
3.
Click Export icon
export.
in the Asset File Check List for the terminal file audit result you want to
The Exporting File Format page appears.
4.
Select a format for the export file from the File Format list.
Options are TXT and CSV. TXT indicates that the terminal file audit results are exported to the
text file of the *.txt type. Excel indicates that the terminal file audit result is exported to the text
file of the *.csv type.
5.
Select the separator for the terminal file audit results that are exported to the text file of *.txt
type.
Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($).
Terminal file audit
219
6.
Click OK.
After the operation is complete, the Export Result page appears.
7.
Click Download to save the export results.
220 Asset audit
11 Configuring software deployment
The software deployment function allows operators to batch deploy the same software product to
multiple assets.
Preparing to use the software deployment function
To use this function, complete the following tasks:
1. Set up a software deployment server, which can be an HTTP, FTP, or file share server. The
server must be properly configured to allow assets to download software.
2. Add the server settings to DAM, such as the IP address, port, and username/password.
3. Configure a software deploy task in DAM. The task settings include the software deployment
server, name and version of the software to be deployed, download path, installation mode,
and deployment target (individual assets or asset groups).
DAM sends the software deploy task to the iNode client for execution, and then the iNode client
downloads and installs software from the software deployment server as specified in the task.
Configuring software deployment server settings
DAM supports the following types of software deployment servers: HTTP, FTP, and file share.
Operators can add the server settings to DAM for management.
Software server settings list contents
•
Server Name—Name of the software deployment server. Click the name to view its details.
•
Deployment Method—Software deployment method: HTTP, FTP, or Share File.
•
IP Address—IP address of the software deployment server.
•
Modify—Click the Modify icon
•
Delete—Click the Delete icon
to modify the server settings.
to delete the server settings.
Software deployment server settings details
Software deployment server settings details comprise the following parameters:
•
•
Server Name—Name of the software deployment server.
Deployment Method—Software deployment method: HTTP, FTP, or Share File.
When the deployment method is HTTP, the page also contains the following parameter:
◦
Port Number—Listening port of the HTTP server, 80 by default.
When the deployment method is FTP, the page also contains the following parameters:
◦
Port Number—Listening port of the FTP server, 21 by default.
◦
Transmission Mode—FTP transfer mode to use when a firewall or NAT device exists
between the FTP server and the iNode client. The value can be PORT or PASV.
–
PORT—When the FTP server is protected by the firewall or NAT device, select the
PORT mode.
–
PASV—When the iNode client is protected by the firewall or NAT device, select the
PASV mode.
◦
Anonymous User—Indicates whether to allow anonymous login to the FTP server.
◦
User Name—User name used to access the FTP server. This field appears only when
Anonymous User is set to No.
Preparing to use the software deployment function 221
When the deployment method is Share File, the page also contains the following parameters:
•
◦
Anonymous User—Indicates whether to allow anonymous login to the file share server.
◦
User Name—The user name used to access the file share server, in the format prefix\user
ID. If the software deployment server has been assigned to a domain, use the domain
name as the prefix; if not, use the computer name as the prefix. This parameter appears
only when Anonymous User is set to No.
IP Address—IP address of the software deployment server.
Viewing the software deployment server settings list
To view the software deployment server settings list:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Server Settings from the navigation tree.
The Software Server Settings List displays all software deployment server settings.
3.
4.
Click Refresh to refresh the Software Server Settings List.
To sort the Software Server Settings List, click the Server Name, Deployment Method, or IP
Address column label.
Viewing software deployment server settings details
To view details of software deployment server settings:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Server Settings from the navigation tree.
The Software Server Settings List displays all software deployment server settings.
3.
Click the name of the software deployment server for which you want to view the detailed
settings.
The Software Server Settings Details page appears.
4.
To go back to the Software Server Settings List, click Back.
Adding software deployment server settings
To add software deployment server settings:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Server Settings from the navigation tree.
The Software Server Settings List displays all software deployment server settings.
3.
Click Add.
The Add Software Server Settings page appears.
4.
5.
6.
Configure the basic server information.
Configure parameters related to the deployment method.
Click OK.
Modifying software deployment server settings
To modify the software deployment server settings:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Server Settings from the navigation tree.
The Software Server Settings List displays all software deployment server settings.
3.
Click the Modify icon
for the software deployment server settings you want to modify.
The Modify Software Server Settings page appears.
222 Configuring software deployment
4.
5.
6.
Modify the basic server settings.
Modify parameters related to the deployment method.
Click OK.
Deleting software deployment server settings
You cannot delete the settings of a software deployment server when the server name is selected
for a software deploy task. To delete the server settings, you must first delete all software deploy
tasks that use the server. For more information about deleting software deploy tasks, see “Deleting
software deploy tasks” (page 229).
To delete software deployment server settings:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Server Settings from the navigation tree.
The Software Server Settings List displays all software deployment server settings.
3.
Click the Delete icon
for the software deployment server settings you want to delete.
A confirmation dialog box appears.
4.
Click OK.
Configuring software deploy tasks
Operators must first add software deployment server settings before they can create software
deploy tasks. The software deploy task settings include the software deployment server, name and
version of the software to be deployed, download path, installation mode, and deployment target
(assets or asset groups). The task is sent to the iNode client for execution, which downloads and
installs the software from the software deployment server as specified in the task.
Operators can query, add, modify, and delete software deploy tasks.
Software deploy task list contents
•
Task Name—Name of the software deploy task. Click the name to view its details.
•
Created at—Time when the task was created.
•
Software Name—Name of the software to be deployed in the task.
•
Server Name—Name of the software deployment server used in the task.
•
Installation Type—The type of installation:
•
◦
Quiet Installation—Installs software automatically after it is downloaded, without any user
intervention. Make sure that the software supports quiet installation. The iNode client can
display a task message when the quiet installation is complete.
◦
Interactive Installation—Interacts with the user to obtain the necessary information, such
as the download path and serial number for installation. The iNode client can display a
task message when the software requiring an interactive installation is downloaded.
◦
Portable Software—Requires no installation and allows the user to use the software
immediately after it is downloaded and decompressed. The iNode client can display a
task message when the portable software is downloaded.
Modify—Click the Modify icon
to modify the task settings.
Software deploy task details
Software deploy task details comprise the basic information section and the software deployment
targets section.
Configuring software deploy tasks 223
Basic information section
•
Task Name—Name of the software deploy task. The name must be unique in DAM.
•
Software Server—Name of the software deployment server. Click the name to view the detailed
server settings.
•
Task Message—Prompt message that the iNode client displays when a quiet software installation
or a software download process is complete.
•
Created at—Time when the software deploy task was created.
•
Execution Time—Time when the software deploy task is to be executed.
•
Download Delay—Time delay for the software deploy task, in minutes. To avoid massive
downloading from the server at the same time, this parameter allows the iNode client to
download software at a random delay between 0 and the specified value.
•
Software Name—Name of the software to be deployed in the software deploy task. The name
the name of the software to be deployed, which must be the same as that in the Add or Remove
Programs tool of the Windows Control Panel. This field is available only when the Installation
Type is set to Quiet Installation or Interactive Installation.
•
Software Version—Version of the software to be deployed in the software deploy task. The
version must be the same as that in the Add or Remove Programs tool of the Windows Control
Panel. This field is available only when the Installation Type is set to Quiet Installation or
Interactive Installation.
•
Execute Task—When the software deploy task is executed: Execute Immediately or Later.
◦
Execute Immediately—Task starts immediately after the configuration is complete.
◦
Later—Task starts at a specified time after the configuration is complete.
•
Test Method—Select Test Method to test whether the software download path is valid.
•
Installation Type—The type of installation:
•
◦
Quiet Installation—Installs software automatically after it is downloaded, without any user
intervention. Make sure that the software supports quiet installation. The iNode client can
display a task message when the quiet installation is complete.
◦
Interactive Installation—Interacts with the user to obtain the necessary information, such
as the download path and serial number for installation. The iNode client can display a
task message when the software requiring an interactive installation is downloaded.
◦
Portable Software—Requires no installation and allows the user to use the software
immediately after it is downloaded and decompressed. The iNode client can display a
task message when the portable software is downloaded.
Software Name and Path—Download path and source file name of the software:
◦
For an HTTP server, the value is in the following format:
http://<IP address>:<Port>/<Path>/<Software name>
For example:
http://192.168.10.1:80/tools/MD5.exe
◦
For an FTP server, the value is in the following format:
ftp://<IP address>:<Port>/<Path>/<Software name>
For example:
224 Configuring software deployment
ftp://192.168.10.1:21/tools/MD5.exe
◦
For a file-share server, the value is in the following format:
\\<IP address>\<Path>\<Software name>
For example:
\\192.168.10.1\tools\MD5.exe
•
CLI Parameters—Enter the CLI script to perform a quiet software installation. This field is
available only when the Installation Type is set to Quiet Installation.
•
Setup File—How the setup file is handled after the software installation process is complete,
which can be Deleted after Installation or Kept after Installation. This parameter is available
only when the Installation Type is set to Quiet Installation or Interactive Installation.
◦
Deleted after Installation—The setup file is automatically deleted after the software
installation process is complete.
◦
Kept after Installation—The setup file is kept after the software installation process is
complete.
Software deployment targets section
The deployment targets include asset groups and individual assets. For a target asset group, the
software is downloaded to and installed on all assets in the asset group.
Deploy group list contents
•
All Asset Groups—Name of the asset group. Click the Expand All icon
to expand all asset
groups. Click the Collapse All icon
to collapse all asset groups. When the group name
carries an icon on the left, the group has subgroups. Click the icon to view software
deployment information of the subgroups. Click the group name to enter the asset group details
page.
•
Success Downloads—Number of assets in the asset group that have successfully downloaded
the software.
•
Total Deployed—Number of assets in the asset group that are required to download the
software.
•
Details—Click the Details icon
to view the deploy task status of all assets in the asset group.
Deploy asset list contents
•
Asset Number—Asset number of the asset. Click the asset number to view its details.
•
Asset Name—Name of the asset.
•
Group Name—Name of the group the asset belongs to. Click the group name to enter the
asset group details page.
•
Asset Owner—Owner of the asset.
•
Task Status—Execution status of the task, which can be Not Executed, Deployment Succeeded,
Deployment Failed, Download Succeeded, or Download Failed. Click the content of this field
to view the task execution result for the asset.
When you click the content in the Task Status field for an asset in the Deploy Group List section
or on the Asset List of an asset group, you can view the list of all assets in the group.
•
Redeploy—Click the Redeploy
icon to deploy the task again. This field is available only
when the task status of the asset is Download Failed.
Configuring software deploy tasks 225
Task execution result details
•
Task Name—Name of the software deploy task.
•
Task Status—Execution status of the task, which can be Not Executed, Deployment Succeeded,
Deployment Failed, Download Succeeded, or Download Failed.
•
Asset Name—Name of the asset.
•
Asset Number—Asset number of the asset.
•
Asset Owner—Owner of the asset.
•
Asset Group—Asset group to which the asset belongs.
•
Execution Time—Time when the software deploy task started.
•
Finish Time—Time when the software deploy task finished. This field is available only when
the task status of the asset is Download Succeeded or Download Failed.
Viewing the software deploy task list
To view the software deploy task list:
1. Click the Service tab.
2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
4.
Click Refresh to refresh the Software Deploy Task List.
To sort the Software Deploy Task List, click the Task Name, Created at, Software Name, or
Server Name column label.
Viewing software deploy task details
To view the software deploy task list:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
Click the name for the software deploy task you want to view.
The Software Deploy Task Details page appears.
4.
5.
To view a list of all assets in a group, click the Details icon
Group List section.
To go back to the Software Deploy Task List, click Back.
for the asset group in the Deploy
Querying software deploy tasks
You can filter software deploy tasks through basic query or advanced query. Basic query criteria
include several key parameters for quick search. Advanced query offers various query criteria for
precise match.
Basic query
To perform a basic query for software deploy tasks:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
Click Basic Query at the upper right of the page.
When Advanced Query is at the upper right of the page, you are already in basic query
mode. Skip this step.
226 Configuring software deployment
4.
Enter or select one or more of the following query criteria:
•
Task Name—Enter the software deploy task name. DAM supports fuzzy matching for this
field.
•
Asset Number—Enter the asset number, which uniquely identifies an asset in DAM. All
tasks that include the asset as the deployment target are queried. DAM supports fuzzy
matching for this field.
•
. The Select Asset Group window
Group Name—Click the Select Asset Group icon
appears. Select a group and click OK. The Group Name field is automatically populated
with the selected asset group.
•
Software Name—Enter the name of the software deployed in the task. DAM supports
fuzzy matching for this field.
When a field is empty, this field does not serve as a query criterion.
5.
Click Query.
The Software Deploy Task List displays all the software deploy tasks that match the query
criteria.
6.
Click Reset to clear the query criteria.
The Software Deploy Task List displays all software deploy tasks.
Advanced query
To perform an advanced query for software deploy tasks:
1. Click the Service tab.
2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
Click Advanced Query at the upper right of the page.
When Basic Query is at the upper right of the page, you are already in advanced query
mode. Skip this step.
4.
Enter or select one or more of the following query criteria:
•
Task Name—Enter the software deploy task name. DAM supports fuzzy matching for this
field.
•
Asset Number—Enter the asset number. All tasks that include the asset as the deployment
target are queried. DAM supports fuzzy matching for this field.
•
Created From/To—Set the time range when the software deploy task was created. You
can click the Select Date and Time icon
enter the value in YYYY-MM-DD format.
to select the date and time, or manually
•
Group Name—Click the Select Asset Group
icon. The Select Asset Group window
appears. Select a group and click OK. The Group Name field is automatically populated
with the selected asset group.
•
Server Name—Enter the name of the software deployment server.
•
Software Name—Enter the name of the software deployed in the task. DAM supports
fuzzy matching for this field.
When a field is empty, this field does not serve as a query criterion.
5.
Click Query.
The Software Deploy Task List displays all the software deploy tasks that match the query
criteria.
Configuring software deploy tasks 227
6.
Click Reset to clear the query criteria.
The Software Deploy Task List displays all software deploy tasks.
Adding a software deploy task
To add a software deploy task:
1. Click the Service tab.
2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
Click Add.
The Add Software Deploy Task page appears.
4.
5.
Configure basic task information. The task name must be unique in EAD.
Select target asset groups in the Deploy Group List area.
Click the Expand All icon to display all asset groups. A group name with an icon on the
left indicates that the group contains subgroups. Click the icon to display all subgroups of
the group.
6.
Select target assets in the Deploy Asset List area:
a. Click Add Asset.
The Asset List dialog box appears.
b.
Filter assets through basic query or advanced query.
The Query Asset feature is displayed above the Asset List. The Advanced Query link is a
toggle switch between Basic Query and Advanced Query. When the link is Advanced
Query, you are in the basic query mode, and vice versa.
Enter or select one or more of the following query criteria:
•
Asset Number—Enter the asset number. Each asset is assigned a unique asset number.
DAM supports fuzzy matching for this field.
•
Asset Name—Enter the asset name. DAM supports fuzzy matching for this field.
•
Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field.
•
Group Name—Click the Select Asset Group icon
. The Select Asset Group window
appears. Select a group and click OK. The Group Name field is automatically
populated with the selected asset group.
•
Operating System—Enter the name of the operating system. DAM supports fuzzy
matching for this field. This field is available only for advance queries.
•
Operating System Language—Select the operating system language, Chinese (PRC)
or English. This field is available only for advance queries.
•
Operating System Patch—Enter the version of the operating system patch. DAM
supports fuzzy matching for this field. This field is available only for advance queries.
•
Status—Select the status of the asset. Options are Online, Offline, and Unmanaged.
This field is available only for advance queries.
When a field is empty, this field does not serve as a query criterion
c.
d.
e.
Click Query.
Select the assets you want to add in the Asset List.
Click OK.
All selected assets appear in the Deploy Asset List.
7.
Click OK.
228 Configuring software deployment
Modifying a software deploy task
1.
2.
Click the Service tab.
Select Desktop Asset Manager > SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
Click the Modify icon
for the software deploy task you want to modify.
The Modify Software Deploy Task page appears.
4.
5.
6.
7.
Modify basic task information.
Modify the target asset groups in the Deploy Group List area.
Modify the target assets in the Deploy Asset List area by using one or both of the following
methods:
•
Click Add Asset to select assets for the task.
•
Click the Delete icon
for the undesired assets to remove them from the task.
Click OK.
Deleting software deploy tasks
Deleting a software deploy task does not affect execution of the task on the client host when the
task is already received by the iNode client. The iNode client can continue to download and install
the software specified in the task.
To delete one or more software deploy tasks:
1. Click the Service tab.
2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree.
The Software Deploy Task List displays all software deploy tasks.
3.
4.
Select one or more software deploy tasks you want to delete.
Click Delete.
A confirmation dialog box appears.
5.
Click OK.
Configuring software deploy tasks 229
12 EAD audit
EAD audit includes the following functions:
•
Viewing access user security logs—Record the access information of access users and the
detailed information of security events. Operators can query security logs to identify security
risks in the network, and take actions to enhance network security.
•
Client driver audit—Allows operators to query the driver errors to repair faulty terminals in
time.
•
Viewing security status of online and roaming users—Use the online and roaming user lists.
The Online User List also displays the client ACLs, device ACLs, traffic status, and online asset
information.
•
Online user security check—Perform a security check for online user terminals at any time.
Security check items include system information, screen saver protection and password setting,
drive list information, shared directory information, installed software, installed patches,
enabled services, and running processes. Performing a security check for an online user does
not affect the security status of the user.
Many EAD functions require cooperation of the iNode client. When the iNode client encounters
driver errors, the security functions cannot work. The iNode client can send these errors to the EAD
server.
Security logs
EAD records security logs for the following security events:
•
Assigning ACLs to users
•
Security check
•
Security recheck
•
Real-time monitoring
By default, EAD records security logs only for access users failing security check. For EAD to record
security logs for access users passing security check, enable the Generate logs after the security
check is passed feature. For more information, see “Service parameters management” (page 310).
Security log list contents
•
Account Name—Name of the account. Click the name to view detailed information about the
user account.
•
Service Name—Service assigned to the access user. Click the name to view contents of the
service configuration.
•
Login Date/Time—Date and time when the access user logged in.
•
User MAC Address—MAC address that the access user used for a security check.
•
User IP Address—IP address that the access user used for a security check.
•
Details—Click the Details icon
to view detailed information about the security log.
Security log details
Security log details comprise the basic information area and the details area to present access
information and security log contents for an access user.
230 EAD audit
Basic information area
•
Account Name—Name of the account. This field serves as a link for navigating to the Access
Account Info page. For more information, see HP IMC User Access Manager Administrator
Guide.
•
Service Name—Service assigned to the access user. This field serves as a link for navigating
to the Service Configuration Details page. For more information, see HP IMC User Access
Manager Administrator Guide.
•
Login Time—Time when the user logged in.
•
User IP Address—IP address that the access user used for security check.
•
User MAC Address—MAC address that the access user used for security check.
Details section
•
Log Type—Possible security log types include Security Check, Real-Time Monitoring, Security
Re-Check, and Action.
◦
Security Check—EAD performs security check for an access user when the user logs in.
When such a security event occurs, EAD records the event as a Security Check log.
◦
Real-Time Monitoring—EAD performs real-time monitoring for online access users. When
an access user fails a check during real-time monitoring, EAD records the security event
as a Real-Time Monitoring log.
◦
Security Re-Check—EAD performs another security check for an access user that has
stayed online for a long time. EAD records such a security event as a Security Re-Check
log.
◦
Action—EAD records a security ACL or an isolation ACL assignment action as an Action
log.
•
Alarm Time—Time when EAD logs a security event/action.
•
Security Policy Name—Security policy used for the access user security check.
•
Security Status—Security status of the access user can be Passed Security Check, Monitored,
Informed, Isolated, or Kicked out.
•
Details—Detailed reason for a security check failure of the access user. This field is empty for
access users whose security status is Passed security check.
Viewing the security log list
To view the security log list:
1. Click the User tab.
2. Select Access User View > Log Management > Security Log from the navigation tree.
The Security Log List displays the security logs generated for all access users on the current
day.
3.
To sort the list, click the Account Name, Login Date/Time, User MAC Address, or User IP
Address column label.
Viewing security log details
Security log details include the access information of a user and the specific security log information
recorded for the user during the online period, including the security ACL or isolation ACL assigned
to the access user, security check information, security recheck information, real-time monitoring
check result, and the security check failure reason.
To view security log details:
Security logs
231
1.
2.
Click the User tab.
Select Access User View > Log Management > Security Log from the navigation tree.
The Security Log List displays the security logs generated for all access users on the current
day.
3.
Click the Details icon
for a security log for which you want to view the details.
The Security Log Details page appears.
4.
To go back to the Security Log List, click Back.
Querying security logs
EAD provides the basic query and advanced query functions for you to search for security logs.
Basic query
To query security logs by using basic query mode:
1. Click the User tab.
2. Select Access User View > Log Management > Security Log from the navigation tree.
The Security Log List displays the security logs generated for all access users on the current
day.
3.
Click Basic Query at the upper right corner of the page.
When Advanced Query is at the upper right corner of the page, you are already in basic
query mode. Skip this step.
4.
5.
Enter or select one or more of the following query criteria:
•
Account Name—Enter an account name string. EAD supports for fuzzy matching for this
field.
•
Service Name—Select a service from the service list.
•
Time Range From/To—Set a security log generation time range or click the Calendar icon
to select one. The date and time settings must be in the format YYYY-MM-DD hh:mm.
Click Query.
The Security Log List displays the security logs that match the query criteria.
6.
Click Reset to reset the query criteria.
The Security Log List displays the security logs generated for all access users on the current
day.
Advanced query
To query security logs by using advanced query mode:
1. Click the User tab.
2. Select Access User View > Log Management > Security Log from the navigation tree.
The Security Log List displays the security logs generated for all access users on the current
day.
3.
Click Advanced Query at the upper right corner of the page.
When Basic Query is at the upper right corner of the page, you are already in advanced
query mode. Skip this step.
4.
232 EAD audit
Enter or select one or more of the following query criteria:
•
Account Name—Enter an account name string. EAD supports fuzzy matching for this field.
•
User Name—Enter a user name string. One user can have multiple accounts.
5.
•
User Group—Click the Select User Group icon
to select a user group. In the Select User
Group window that appears, select a group and click OK.
•
Service Name—Select a service from the service list.
•
User IP Address From/To—Enter an IPv4 address range to match access users.
•
Security Policy Name—Select a security policy from the security policy list.
•
User MAC Address—Enter a MAC address string to match access users. This field supports
these commonly used MAC address formats: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, and
XXXX-XXXX-XXXX. For example, 02-50-F2-00-00-02, 02:50:F2:00:00:02, and
0250-F200-0002.
•
Time Range From/To—Set a security log generation time range or click the Calendar icon
to select one. The date and time settings must be in the format YYYY-MM-DD hh:mm.
•
Security Status—Select the security status of access users. Options are Passed security
check, Monitored, Informed, Isolated, and Kicked out. When an access user's log details
include multiple security statuses, the security log of the access user displays only when
one security status matches the selected one.
•
Security Check Item—Select a security check item from the security check item list. Options
are Anti-virus software, Anti-spyware software, Firewall software, Anti-phishing software,
Hard disk encrypt software, Patches, Patch Manager, Applications – software, Applications
– processes, Applications – services, Applications – files, Registry, Traffic, OS password,
Sharing, and Asset registration.
Click Query.
The Security Log List displays the security logs that match the query criteria.
6.
Click Reset to reset the query criteria.
The Security Log List displays the security logs generated for all access users on the current
day.
Client driver audit
Many EAD functions require cooperation of the iNode client, such as client ACL, locking Internet
access, illegal ARP packet filtering, and illegal DHCP packet filtering. When a client driver error
occurs, for example, because the access user uninstalled the client driver by accident, the iNode
client sends the error to the EAD server. Operators can use the iNode Driver Audit function to view
iNode client errors and repair the erroneous user terminal in time.
iNode driver list contents
•
Account Name—Account name of the access user who encountered a client driver error. Click
the name to view detailed information about the user account.
•
Login Time—Date and time when the access user logged in.
•
Description—Description of the client driver error.
Viewing client driver errors in the iNode Driver list
To view client driver errors:
1. Click the User tab.
2. Select Access User View > Log Management > iNode Driver Audit from the navigation tree.
The iNode Driver List displays the client driver errors generated by all access users on the
current month.
Client driver audit 233
Querying client drive errors
To query client driver errors:
1. Click the User tab.
2. Select Access User View > Log Management > iNode Driver Audit from the navigation tree.
The iNode Driver List displays the client driver errors generated by all access users on the
current day.
3.
4.
Enter or select one or more of the following query criteria:
•
Account Name—Enter an account name string.
•
to select a user group. In the Select User
User Group—Click the Select User Group icon
Group window that appears, select a group and click OK. The User Group field is
automatically populated with the selected user group.
•
Start Time/End Time—Set a query time range or click the Calendar icon
The date and time settings must be in the format YYYY-MM-DD hh:mm.
to select one.
Click Query.
The iNode Driver List displays the iNode driver error logs that match the query criteria.
5.
Click Reset to reset the query criteria.
The iNode Driver List displays the client driver errors generated by all access users on the
current month.
Security status audit for online and roaming users
Operators can view the security status of online and roaming users on the online and roaming
user lists. The Online User List also displays the client ACLs, device ACLs, traffic status, and online
asset information.
Online users list contents
After the EAD service component is deployed, the Security Status column is automatically added
to the Online User List. Operators can customize the Online User List to display the Traffic Status,
Client ACL, and Device ACL columns. The Security Check of Computer icon is added to the
Operation column. After the DAM service component is deployed, the Asset details icon
added to the Operation column.
•
234 EAD audit
is
Security Status—Security status of an online user:
◦
No Security Authentication—The online user needs no security check.
◦
For Security Authentication—Security check is ongoing for the online user.
◦
Secure—The online user has passed all security check items and can access network
resources properly.
◦
Monitored—The online user fails some security check items but can access network
resources properly. EAD only records security logs for users in this security status.
◦
Informed—The online user fails some security check items, but can access network
resources properly. EAD informs users of the failures for repair.
◦
Isolated—The online user fails some security check items and is required to repair the
failures. Users in this security status are isolated and can access only the network resources
permitted by the isolation ACL.
◦
Offline—The online user fails some security check items and is logged off immediately.
◦
For Isolation—The online user fails some security check items and is to be isolated. Users
in this security status are isolated when the configured waiting time is reached.
◦
For Offline—The online user fails some security check items and is to be logged off. Users
in this security status are logged off when the configured waiting time is reached.
•
Client ACL—Client ACL assigned to an online user.
•
Device ACL—Device ACL assigned to an online user.
•
Operation—This field contains five links: Details , Security Check of Computer
Connect
, Add to Blacklist
or Release from Blacklist
, and Asset details
, Remote
.
◦
Click the Security Check of Computer icon to perform a security check for the computer
of an online user. This icon is available only after the EAD service component is deployed.
For more information, see “Performing a computer security check” (page 238).
◦
Click the Asset details icon
to view detailed asset information about an online user.
This icon is available only after the DAM service component is deployed. For more
information, see “Viewing asset details” (page 164).
Roaming online user list contents
The Roaming Online User List contents are the same as the Online User List contents.
After the EAD service component is deployed, the Roaming Online User List displays the Security
Status column.
Viewing the online user list
After the EAD service component is deployed, operators can view the security status, traffic status,
client ACL, and device ACL of an online user. Operators can also perform a security check for the
user on the Online User List. After the DAM service component is deployed, operators can also
view the asset information of a user on the Online User List.
To view the Online User List:
1. Click the User tab.
2. Select Access User View > All Online Users from the navigation tree.
The Online User List displays all online users.
3.
Click Refresh to refresh the Online User List.
NOTE: UAM provides the functions of viewing online user details, remote desktop connection,
and adding online users to or removing online users from the blacklist. For more information, see
HP IMC User Access Manager Administrator Guide.
Viewing the roaming online user list
After the EAD service component is deployed, operators can view the security status of the roaming
users on the Roaming Online User List.
To view the Roaming Online User List:
1. Click the User tab.
2. Select Access User View > Roaming Online Users from the navigation tree.
The Roaming Online User List displays all online roaming users.
3.
Click Refresh to refresh the Roaming Online User List.
Security status audit for online and roaming users 235
Customizing the online user list
After the EAD service component is deployed, the Security Status column is automatically added
to the online user list. Operators can use the Customize GUI function to add Traffic Status, Client
ACL, and Device ACL columns to the Online User List.
To customize the Online User List:
1. Click the User tab.
2. Select Access User View > All Online Users from the navigation tree.
The Online User List displays all online users.
3.
Click Customize GUI.
The Customize GUI page appears. The Option List includes the columns that can be displayed
on the Online User List. The Output List includes the columns that have been already displayed
on the Online User List. You can select one or more items at a time. To select multiple items,
press and hold down the Ctrl key and then select the items.
•
Click
to add all items on the Option List to the Output List.
•
Click
to add one or more items on the Option List to the Output List.
•
Click
to remove one or more items from the Output List.
•
Click
to remove all items from the Output List.
•
Click
to move one or more items on the Output List to the top of the list.
•
Click
to move up one or more items by one line on the Output List.
•
Click
to move down one or more items by one line on the Output List.
•
Click
to move one or more items on the Output List to the bottom of the list.
The position of an item on the Output List determines the position of the item on the Online
User List. The topmost item on the Output List displays in the first column of the Online User
List, and so forth.
4.
5.
Select Traffic Status, Client ACL, and Device ACL on the Option List, and click
add them to the Output List.
Click OK.
to
The Online User List displays the Traffic Status, Client ACL, and Device ACL columns.
Performing a computer security check
By using the computer security check function, operators can perform a security check for online
user terminals at any time without affecting the security status of the user.
Computer security check result details
Computer security check result details comprise the following sections:
•
Basic information
•
Screen saver settings
•
Hard disk partition table
•
Share list
•
Installed software
•
Installed patches
236 EAD audit
•
Running services
•
Running processes
Basic information section
•
Account Name—Account name of the access user.
•
Checked at—Time when the security check is finished.
•
Computer Name—Computer name of the online user terminal.
•
User Name—Online user name.
•
OS—Name of the operating system used by the online user terminal.
Screen saver settings section
•
Screen Saver—Indicates whether the online user terminal enables the screen saver.
•
Display Logon Screen on Resume—Indicates whether password protection is enabled for the
screen saver.
•
Screen Saver Startup Timeout—Screen idle timeout (in seconds) to start the screen saver.
•
Password Length—Length of the screen saver password, effective only for Windows 98.
Hard disk partition table section
•
Hard Disk Number—Physical disk number of a partition.
•
Partition Number—Number of the partition.
•
Type—Number of the partition type.
•
Type Name—Name of the partition type.
•
Startup Partition—Indicates whether the partition is the startup partition.
•
Size—Size of the partition in MB.
Share list section
•
No.—Number of a shared directory. This number is assigned by EAD.
•
Share Name—Name of the shared directory.
•
Local Path—Path of the shared directory.
•
Share Type—Type of the shared directory:
◦
Common Share—A relatively secure share type. The user can share files with the specified
users or user groups and set the permission level. The user must delete the Everyone group
from the Group or user names list to prevent unauthorized users from accessing the shared
files.
◦
Default Share—An insecure share type. The default shares of Windows are likely to be
used by attackers to attack the user terminal.
◦
Others—This type includes only one share named IPC$, which is used by Windows.
•
Type—Permission type for the specified user or user group to the shared directory. Options
are Allow and Deny. This parameter is available only when the share type is Common Share.
•
Object—Name of the user or user group of the share. This parameter is available only when
the share type is Common Share.
Performing a computer security check 237
•
Domain of Object—Domain name of the user or user group of the share. This parameter is
available only when the share type is Common Share. This field is empty when the user or
user group has not joined a domain.
•
Object Type—Type of the user or user group of the share. This parameter is available only
when the share type is Common Share. Object type can be System Group, Custom Group, or
User. This field is empty when the user or user group does not have this parameter.
•
◦
System Group—The object permitted or denied access to the shared directory is a
system-defined operating system group.
◦
Custom Group—The object permitted or denied access to the shared directory is a
user-defined operating system group.
◦
User—The object permitted or denied access to the shared directory is a user.
Right of Object—Permission that the user or user group has to the shared directory. This field
is not empty only when the share type is Common Share. The permission can be Read-Only,
Read-Write, or All.
Installed software section
•
No.—Number of the software. This number is assigned by EAD.
•
Name—Name of the software.
•
Version—Version of the software.
•
Installed on—Time when the software was installed.
Installed patches section
•
No.—Number of a patch. This number is assigned by EAD.
•
Software Name—Name of the software for which the patch is installed.
•
Software Version—Version of the software for which the patch is installed.
•
Name—Name of the patch.
•
Description—Description of the patch.
•
Installed at—Time when the patch was installed.
•
Type—Type of the patch.
Running services section
•
No.—Number of a service. This number is assigned by EAD.
•
Name—Name of a service.
Running processes section
•
No.—Number of a process. This number is assigned by EAD.
•
Name—Name of the process.
Performing a computer security check
To perform a computer security check for an online user:
1. Click the User tab.
2. Select Access User View > All Online Users from the navigation tree.
The Online User List displays all online users.
238 EAD audit
3.
Click the Security Check of Computer icon
a security check.
for an online user for which you want to perform
The Computer Security Check page appears.
4.
5.
Click Select All to select all check items or select the boxes
next to the check items that you
want to execute. Check items are Check System Information, Check Screen Saver and Password,
Check Partition Table, Check Shares, Check Installed Software, Check Installed Patches, Check
Running Services, and Check Running Processes.
Click OK.
The Computer Security Check Result page appears.
6.
To go back to the Computer Security Check page, click Back.
Performing a computer security check 239
13 EAD service reports
The EAD service report function is implemented through the report feature of the IMC platform. All
reports on the Report tab are template driven; they are generated from system or user-defined
templates.
IMC platform offers various reporting options. From the Report tab, you can quickly and easily
access EAD service reports. Through the report feature of the IMC platform, you can view and
export real-time reports and scheduled reports. The EAD component provides the system-defined
service report templates shown in Table 16.
Table 16 EAD service report templates
Dependent service
component
Real-time report
Scheduled report
All-Node Online Users
24-Hour Trend Graph
EAD
Available
Unavailable
Asset Information Report
DAM
Available
Available
Asset Type Report
DAM
Available
Available
Asset Usage Report
DAM
Available
Available
CPU Report
DAM
Available
Available
Hard Disk Capacity Report
DAM
Available
Available
Illegal Peripheral Use Report DAM
Available
Available
Insecurity Category Statistic EAD
Report
Available
Available
Multi-Node Certain Security EAD
Policy Statistics Report
Available
Unavailable
Multi-Node Online Users
Comparison Chart
EAD
Available
Unavailable
Multi-Node Security Check
Items Report
EAD
Available
Unavailable
Multi-Node Single-Security
Check Item Failures
Comparison Chart
EAD
Available
Unavailable
Multi-Node User Counts
Comparison Chart
EAD
Available
Unavailable
Multi-Node User Data
Statistics Report
EAD
Available
Unavailable
Online User Security Status
Report
EAD
Available
Available
OS Language Report
DAM
Available
Available
OS Version Report
DAM
Available
Available
Safe Log Gather Statistic
Report
EAD
Available
Available
Single-Node Online Users
24-Hour Trend Graph
EAD
Available
Unavailable
Template name
240 EAD service reports
Table 16 EAD service report templates (continued)
Template name
Dependent service
component
Real-time report
Scheduled report
Single-Node Security Check EAD
Failure Report
Available
Unavailable
Software Installation Report
Available
Available
DAM
With the real-time report feature, you can configure your Report main page to include any of the
real-time reports IMC offers for quick and easy access to the report.
With the scheduled report feature, you can schedule real-time report to run daily, weekly, monthly,
quarterly, semi-annually, or annually.
You can define the start dates of data collection for generating scheduled reports and the end
dates and times for the corresponding scheduled report tasks. Scheduled reports are stored on the
IMC server for later viewing and downloading. Finally, you can include email recipients for all
scheduled reports.
In addition, you can configure the report format with options for:
•
Adobe Acrobat Portal Document Format (PDF)
•
Comma-Separated Value (CSV)
•
Microsoft Excel (XLS)
The Report main page, accessed using the Report tab, is a blank page that every IMC operator
can customize to meet individual reporting needs. For more information about the IMC platform
reports, see HP IMC Base Platform Administrator Guide.
Real-time reports
Real-time reports offer historical reporting capabilities on the EAD and DAM service components.
Table 17 lists the real-time reports generated based on the system-defined report templates provided
by the EAD component. IMC allows you to define new templates as needed.
Table 17 Real-time reports provided by EAD
Real-time reports
Service component
All-Node Online Users 24-Hour Trend Graph
EAD
Asset Information report
DAM
Asset Type Report
DAM
Asset Usage Report
DAM
CPU Report
DAM
Hard Disk Capacity Report
DAM
Illegal Peripheral Use Report
DAM
Insecurity Category Statistic Report
EAD
Multi-Node Certain Security Policy Statistics Report
EAD
Multi-Node Online Users Comparison Chart
EAD
Multi-Node Security Check Items Report
EAD
Multi-Node Single-Security Check Item Failures Comparison EAD
Chart
Multi-Node User Counts Comparison Chart
EAD
Real-time reports
241
Table 17 Real-time reports provided by EAD (continued)
Real-time reports
Service component
Multi-Node User Data Statistics Report
EAD
Online User Security Status Report
EAD
OS Language Report
DAM
OS Version Report
DAM
Safe Log Gather Statistic Report
EAD
Single-Node Online Users 24-Hour Trend Graph
EAD
Single-Node Security Check Failure Report
EAD
Software Installation Report
DAM
All-node online users 24-hour trend graph
This report collects statistics about the number of online users at each of the 24 hours of a day for
the current node and all its child nodes. The online users fall into secure online users, insecure
online users, and unknown online users.
To view the all-node online users 24-hour trend graph:
1. Click the Report tab.
2. Click All-Node Online Users 24-Hour Trend Graph link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
Click the Calendar icon
in the Query Time section.
A popup calendar appears. Select the day for querying the report statistics from the calendar.
4.
Click OK.
The all-node online users 24-hour trend graph appears in an Intelligent Analysis Report Viewer
window.
Figure 17 All-node online users 24-hour trend graph
242 EAD service reports
All-node online users 24-hour trend graph parameters
•
Statistics Time—Day when statistics are collected by the report.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
All-node online users 24-hour trend graph fields
•
Number of online users—Displays the number of online users at each of the 24 hours of a
day for all nodes, including the secure online users, insecure online users, and unknown online
users.
•
Number of secure online users—Displays the number of secure online users at each of the 24
hours of a day for all nodes.
•
Number of insecure online users—Displays the number of insecure online users at each of the
24 hours of a day for all nodes.
•
Number of secure online users—Displays the number of unknown online users at each of the
24 hours of a day for all nodes.
Asset information report
This report collects statistics about the newly added and existing assets, memory size, and hard-disk
capacity of an asset group (excluding its subgroups) in each month in a specified time range. The
report displays only the statistics of the asset groups to which the current operator has privileges,
and does not display the asset statistics in the current month.
To view the asset information report:
1. Click the Report tab.
2. Click Asset Information Report link in the My Real-Time Reports [Edit Mode] section. (Verify
that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
In the Start Month area, select the start month for report statistics collection; in the End Month
area, select the end month for report statistics collection.
The asset statistics of the current month are not displayed in the report.
4.
Click OK.
The asset information report appears in an Intelligent Analysis Report Viewer window.
Figure 18 Asset information report
Real-time reports 243
Asset information report parameters
•
Start Month—Start month for report statistics collection.
•
End Month—End month for report statistics collection.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Asset information report fields
This report displays the per-month asset statistics. Table 18 describes the fields in the report.
Table 18 Statistical items
Statistical item
Description
Asset Group
Name of the asset group.
New
Number of newly added assets in the asset group in a specified time range.
Total
Total number of assets in the asset group in a specified time range.
New
(GB)
Size of newly added memory in the asset group in a specified time range.
Total
(GB)
Total size of memory in the asset group in a specified time range.
New
(GB)
Capacity of newly added hard disks in the asset group in a specified time range.
Total
(GB)
Total capacity of hard disks in the asset group in a specified time range.
Asset
Memory
Hard
disk
Asset type report
This report collects statistics about the asset types and the number of assets of each type for all
registered assets in the specified asset group (including its subgroups). The asset types are Laptop,
PC, Server, Workstation, and Others. The report displays only the statistics of the asset group to
which the current operator has privileges.
To view the asset type report:
1. Click the Report tab.
2. Click Asset Type Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this
link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
In the Asset Group area, select the asset group whose statistics are to be collected.
The system then collects statistics about the types of assets in the asset group and its subgroups.
244 EAD service reports
4.
Click OK.
The asset type report appears in an Intelligent Analysis Report Viewer window.
Figure 19 Asset type report
Asset type report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. The report collects statistics about the asset types
and the number of assets of each type for all registered assets in an asset group (including its
subgroups). All indicates all asset groups. The report collects statistics about only the asset
groups to which the current operator has privileges.
•
Description—A brief description of the report.
Asset type statistics pie chart
The asset type statistics pie chart displays the distribution of asset types. The asset type can be PC,
Workstation, Laptop, Server, or Others. Click a slice in the pie chart to see statistics about the type
of assets.
Asset type statistics
Figure 20 shows the statistics for asset types.
Figure 20 Asset type statistics
•
Asset Type—Type of assets whose statistics are collected.
•
Amount—Number of assets belonging to this type.
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Status—Status of the asset. Options are Online and Offline.
•
Owner—Owner of the asset.
•
Managed at—Time when the asset began to be managed.
Real-time reports 245
•
Location—Room where the asset resides.
•
Remarks—Remarks on the asset.
Asset usage report
This report collects statistics about the assets which have been offline for more than the specified
days. This report displays the statistics about only the asset groups to which the current operator
has privileges.
To view the asset usage report:
1. Click the Report tab.
2. Click Asset Usage Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this
link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
In the Min. Idle Time field, enter the minimum number of idle days.
The system collects statistics about the assets that have been offline for more than the specified
days.
4.
Click OK.
The asset usage report appears in an Intelligent Analysis Report Viewer window.
Figure 21 Asset usage report
Asset usage report parameters
•
Report Time—Time when the report is generated.
•
Min. Idle Time—Minimum number of idle days. Statistics about assets that have been offline
for more than the specified days are displayed in the report.
•
Description—A brief description of the report.
Asset usage report fields
•
Asset Number—Asset number of the idle asset.
•
Asset Group—Asset group of the idle asset.
•
Owner—Owner of the asset.
•
Management Time—Time when the asset began to be managed.
•
Last Off-line—Time when the asset went offline last time.
•
Idle Period—Days for which the asset has been idle.
246 EAD service reports
CPU report
This report collects statistics about the assets whose CPU frequencies meet the specified conditions
in the specified asset group (including its subgroups). This report displays the statistics about only
the asset groups to which the current operator has privileges.
To view the CPU report:
1. Click the Report tab.
2. Click CPU Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link
displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
In the Minimum Frequency (MHz) field, enter the minimum frequency value for the CPU frequency
range; in the Maximum Frequency (MHz) field, enter the maximum frequency value for the
CPU frequency range.
The CPU frequencies shown in the report must meet the following criteria:
Minimum Frequency ≤ CPU Frequency < Maximum Frequency.
4.
From the Asset Group list, select the asset group whose statistics are to be collected.
The system then collects CPU statistics about the assets in the asset group and its subgroups.
5.
Click OK.
The CPU report appears in an Intelligent Analysis Report Viewer window.
Figure 22 CPU report
CPU report parameters
•
Minimum Frequency—Minimum frequency (in MHz) of the CPU frequency range.
•
Maximum Frequency—Maximum frequency (in MHz) of the CPU frequency range.
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. The report collects CPU statistics about the registered
assets in an asset group (including its subgroups). All indicates all asset groups. The report
collects statistics about only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
CPU report fields
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
Real-time reports 247
•
Owner—Owner of the asset.
•
CPU SN—Number of the CPU in the operating system.
•
CPU Name—Product name of the CPU.
•
Frequency—Frequency (in MHz) of the asset's CPU.
Hard-disk capability report
This report collects statistics about the number of hard disks in the specified asset group (including
its subgroups), and classifies the hard disks according to their capacity: <80 GB, [80 GB to 160
GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB.
The report displays the hard disk capacity statistics of only the asset groups to which the current
operator has privileges.
To view the hard disk capacity report:
1. Click the Report tab.
2. Click Hard Disk Capacity Report link in the My Real-Time Reports [Edit Mode] section. (Verify
that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
From the Asset Group list, select the asset group whose statistics are to be collected.
The system collects hard disk capacity statistics about the assets in the asset group and its
subgroups.
4.
Click OK.
The hard disk capacity report appears in an Intelligent Analysis Report Viewer window.
Figure 23 Hard disk capacity report
Hard disk capacity report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. The report collects hard-disk capacity statistics about
the registered assets in an asset group (including its subgroups). All indicates all asset groups.
248 EAD service reports
The report collects statistics about only the asset groups to which the current operator has
privileges.
•
Description—A brief description of the report.
Hard disk capacity statistics pie chart
The hard disk capacity statistics pie chart displays the distribution of hard-disk capacity. The
hard-disk capacity is classified into the following levels: <80 GB, [80 GB to 160 GB), [160 GB to
250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB. Click a slice in the pie chart
to see statistics about the type of hard disks.
Hard disk type statistics
Figure 24 shows statistics for a type of hard disk.
Figure 24 Hard disk type statistics
•
Hard Disk Capacity—Capacity level of hard disks whose statistics are collected.
•
Amount—Number of hard disks belonging to this capacity level.
•
Asset Number—Asset number of the asset where the hard disk resides.
•
Asset Name—Name of the asset where the hard disk resides.
•
Owner—Owner of the asset where the hard disk resides.
•
Hard Disk Number—Number of the hard disk in the operating system.
•
Interface Type—Interface type of the hard disk.
•
Model—Model of the hard disk.
•
Total Partitions—Number of partitions on the hard disk.
•
Hard Disk Size—Size of the hard disk (in GB).
Illegal peripheral use report
This report collects statistics about the illegal peripheral usage types and the times of each type
for the specified asset group (including its subgroups) in a specified time range. The peripheral
types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM/LPT, Infrared,
Bluetooth, 1394, and Modem. The report displays the illegal peripheral usage types and the times
of each type for only the asset groups to which the current operator has privileges.
To view the illegal peripheral use report:
1. Click the Report tab.
2. Click Illegal Peripheral Use Report link in the My Real-Time Reports [Edit Mode] section. (Verify
that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
In the Start Time and End Time area, select a time range for the report.
Options are Last Five Minutes, Last Ten Minutes, Last Thirty Minutes, and Custom Range. When
you select Custom Range, the Start Time and End Time fields appear.
Real-time reports 249
4.
Click the Calendar icon
in the Start Time field to select the start time.
This parameter sets the start date for the specific time range in a data collection period.
5.
Click the Calendar icon
in the End Time field to select the end time.
This parameter sets the end date for the specific time range in a data collection period.
6.
From the Asset Group list, select the asset group whose statistics are to be collected.
The system then collects statistics about the illegal peripheral usage types and the times of
each type for the asset group and its subgroups.
7.
Click OK.
The illegal peripheral use report appears in an Intelligent Analysis Report Viewer window.
Figure 25 Illegal peripheral use report
Illegal peripheral use report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects statistics about the illegal peripheral
usage types and the times of each type for the specified asset group (including its subgroups)
in a specified time range. All indicates all asset groups. The report collects statistics about
only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
250 EAD service reports
Illegal peripheral use statistics pie chart
The pie chart displays the distribution of illegal peripheral usage types in a specified time range.
The illegal peripheral usage types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy,
PCMCIA, COM/LPT, Infrared, Bluetooth, 1394, and Modem. Click a slice in the pie chart to see
statistics about the type of illegal peripheral usage.
Illegal peripheral usage type statistics
Figure 26 shows statistics about the illegal peripheral usage type.
Figure 26 Illegal peripheral usage type statistics
•
Peripheral—Type of peripheral usage whose statistics are collected.
•
Amount—Times of the type of illegal peripheral uses.
•
Asset Number—Asset number of the asset.
•
Owner—Owner of the asset.
•
Operation Time—Time when the server records the illegal peripheral usage.
•
Disable Result—Indicates whether the iNode client successfully disables the illegal peripheral.
•
Device Description—Description of the peripheral illegally used.
Insecurity category statistic report
This report collects statistics about the security check failures of each insecurity category for the
current EAD node in a specified time range. The insecurity category refers to the reason for the
security check failures:
•
Anti-Virus Software
•
Anti-Spyware Software
•
Firewall Software
•
Anti-Phishing Software
•
Hard Disk Encryption Software
•
Windows Patches
•
Patch Manager
•
Applications - Software
•
Applications - Processes
•
Applications - Services
•
Applications - Files
•
Registry
•
Traffic
•
OS Password Sharing
•
Asset Registration
Real-time reports
251
To view the insecurity category statistic report:
1. Click the Report tab.
2. Click Insecurity Category Statistic Report link in the My Real-Time Reports [Edit Mode] section.
(Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
Click the Calendar icon
in the Begin Time field to select the begin time.
This parameter sets the start date for the specific time range in a data collection period.
4.
Click the Calendar icon
in the End Time field to select the end time.
This parameter sets the end date for the specific time range in a data collection period.
5.
Click OK.
The insecurity category statistic report appears in an Intelligent Analysis Report Viewer window.
Figure 27 Insecurity category statistic report
Insecurity category statistic report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Insecurity category statistic pie chart
The insecurity category statistic pie chart displays the percentage of the security check failures of
each insecurity category to the total security check failures. Click a slice in the pie chart to see
statistics about the specified insecurity category.
Insecurity category statistics
Figure 28 shows the statistics for an insecurity category.
252 EAD service reports
Figure 28 Insecurity category statistics
•
Insecurity Category—Insecurity category whose statistics are collected.
•
Count—Number of insecurity check failures belonging to the insecurity category.
•
Account—Account name of the access user.
•
Full Name—Full name of the access user.
•
User Group—User group to which the access user belongs.
•
Service Name—Name of the service which the access user applies for.
•
Strategy Name—Name of the security policy that the access user uses.
•
User IP Address—IP address of the access user.
•
User MAC Address—MAC address of the access user.
•
Date—Date when the security check failure occurs.
•
Insecurity Description—Description of the security check failure.
Multi-node certain security policy statistics report
This report collects statistics about the security policies of multiple EAD nodes (the current node
and its child nodes). You can filter the security policy statistics according to the status (enabled or
disabled) of the specified security check items in the security policies.
To view the multi-node certain security policy statistics report:
1. Click the Report tab.
2. Click Multi-Node Certain Security Policy Statistics Report link in the My Real-Time Reports [Edit
Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view
mode.)
The Set Parameter dialog box appears.
3.
Configure the security check items whose statistics are to be collected.
The security check items follow:
•
Check Anti-Virus Software
•
Check Anti-Spyware Software
•
Check Firewall Software
•
Check Anti-Phishing Software
•
Check Hard Disk Encryption Software
•
Check Applications
•
Check Patch Management Software
Real-time reports 253
•
Check Windows Patches
•
Check Registry
•
Check Share
•
Enable Traffic Control
•
Check Operating System Password
Options are Unlimited, Enabled, and Disabled.
4.
◦
Unlimited—Does not limit the related security check items. The security policies with
the specified security check items enabled and the security policies with the specified
security check items disabled are all displayed.
◦
Enabled—Displays only the security policies with the specified security check items
enabled.
◦
Disabled—Displays only the security policies with the specified security check items
disabled.
Click OK.
The multi-node certain security policy statistics report appears in an Intelligent Analysis Report
Viewer window.
Figure 29 Multi-node certain security policy statistics report
Multi-node certain security policy statistics report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Multi-node certain security policy statistics report fields
•
Node Name—Name of the current node or child node.
•
IP Address—IP address of the current node or child node.
•
Status—Status of the current node or child node.
•
Security Policy Name—Security policy matching the filtering conditions.
•
Report Time—Time when the node reported the statistics.
Multi-node online users comparison chart
This report compares the number of online users of multiple EAD nodes (the current node and its
child nodes) at a specific time. The online users fall into secure online users, insecure online users,
and unknown online users. The total number of online users is the sum of the number of users of
each type. When no data is received from a node, the report does not show the node.
To view the multi-node online users comparison chart:
1. Click the Report tab.
254 EAD service reports
2.
Click Multi-Node Online Users Comparison Chart link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
4.
Click the Calendar icon in the Query Time field to select the time for querying the report
statistics.
Click the radio button to the left of delay time, and set the delay to 5 minutes or 10 minutes.
The system collects the number of online users for the current node and its child nodes and
generates a chart to compare the online users of multiple nodes of the statistics time. The
statistics time is calculated as follows: the system deducts the delay from the query time, and
then rounds the result down to a multiple of half an hour. For example, when the query time
is 2011-07-01 08:07:00 and the delay is 5 minutes, the report collects the statistics of
2011-07-01 08:00:00. When you modify the delay to 10 minutes, the system collects the
statistics of 2011-07-01 07:30:00.
5.
Select the nodes that you want to compare.
The available node list contains the nodes that can be compared. The selected node list
contains the nodes that are to be compared. You can hold down Ctrl and use the mouse to
select multiple nodes.
6.
•
Click the Copy all icon
node list.
•
Click the Copy icon
the selected node list.
to add one or more nodes on the available node list to
•
Click the Remove icon
list.
to remove one or more nodes from the selected node
•
Click the Remove all icon
to add all nodes on the available node list to the selected
to remove all nodes from the selected node list.
Click OK.
The multi-node online users comparison chart appears in an Intelligent Analysis Report Viewer
window.
Figure 30 Multi-node online users comparison chart
Real-time reports 255
Multi-node online users comparison chart parameters
•
Statistics Time—Time when statistics are collected by the report.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Multi-node online users comparison chart
•
Number of online users—Displays the number of online users of the specified node at the
specified time in a histogram. The online users include the secure online users, insecure online
users, and unknown online users.
•
Number of secure online users—Displays the number of secure online users of the specified
node at the specified time in a histogram.
•
Number of insecure online users—Displays the number of insecure online users of the specified
node at the specified time in a histogram.
•
Number of unknown online users—Displays the number of unknown online users of the specified
node at the specified time in a histogram.
Multi-node security check items report
This report collects statistics about the security policy configuration of multiple EAD nodes (the
current node and its child nodes). You can filter the security check items in security policies according
to the status (enabled or disabled) of security check items.
To view the multi-node security check items report:
1. Click the Report tab.
2. Click Multi-Node Security Check Items Report link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
Configure the security check items to be filtered.
The security check items follow:
•
Check Anti-Virus Software
•
Check Anti-Spyware Software
•
Check Firewall Software
•
Check Anti-Phishing Software
•
Check Hard Disk Encryption Software
•
Check Applications
•
Check Patch Management Software
•
Check Windows Patches
•
Check Registry
•
Check Share
•
•
Check Operating System Password
Traffic Control
Options are Display and Hide.
◦
Display—Displays the status (enabled or disabled) of the specified security check
items.
◦
Hide—Not displays the status (enabled or disabled) of the specified security check
items.
256 EAD service reports
4.
Select the nodes whose security policy configurations are to be compared.
The available node list contains the nodes that can be compared. The selected node list
contains the nodes that are to be compared. You can hold down Ctrl and use the mouse to
select multiple nodes.
5.
•
Click the Copy all icon
node list.
•
Click the Copy icon
the selected node list.
•
Click the Remove icon
list.
•
Click the Remove all icon
to add all nodes on the available node list to the selected
to add one or more nodes on the available node list to
to remove one or more nodes from the selected node
to remove all nodes from the selected node list.
Click OK.
The multi-node security check items report appears in an Intelligent Analysis Report Viewer
window.
Figure 31 Multi-node security check items report
Multi-node security check items report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Multi-node security check items report fields
•
Node Name—Name of the current node or child node.
•
Security Policy Name—Name of the security policy of the node.
•
Report Time—Time when the node reported the statistics.
•
Security Check Item—Displays the enabled security check items and disabled security check
items.
◦
Enabled—Security check items enabled in the security policy.
◦
Disabled—Security check items disabled in the security policy.
Real-time reports 257
Multi-node single-security check item failures comparison chart
This report compares the check results of the specified security check item on multiple EAD nodes
(the current node and its child nodes), and collects the statistics on a per-day, per-week, or per-month
basis in the query time. When no data is received from a node, the report does not show the node.
To view the multi-node single-security check item failures comparison chart:
1. Click the Report tab.
2. Click Multi-Node Single-Security Check Item Failures Comparison Chart link in the My Real-Time
Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you
are in view mode.)
The Set Parameter dialog box appears.
3.
Select a report type from the Report Type list.
Options are Daily report, Weekly report, and Monthly report.
4.
Click the Calendar icon
in the Query Time field to select the query time for the report statistics.
The generated report collects statistics about Security check results on the specified nodes on
a per-day, per-week, or per-month basis in the query time.
5.
Select a security check item from the Query Item list.
The security check items follow:
6.
•
Anti-virus software
•
Anti-spyware software
•
Firewall software
•
Anti-phishing software
•
Hard disk encrypt software
•
Application control group check
•
Patch Management Software
•
Patches
•
Registry
•
Sharing
•
Traffic
•
OS password
•
Asset registration
Select the nodes whose statistics are to be collected and compared.
The available node list contains the nodes whose statistics can be collected and compared.
The selected node list contains the nodes whose statistics are to be collected and compared.
You can hold down Ctrl and use the mouse to select multiple nodes.
•
Click the Copy all icon
selected node list.
to add all nodes on the available node list to the
•
Click the Copy icon
the selected node list.
to add one or more nodes on the available node list to
•
Click the Remove icon
list.
to remove one or more nodes from the selected node
•
Click the Remove all icon
258 EAD service reports
to remove all nodes from the selected node list.
7.
Click OK.
The multi-node single-security check item failures comparison chart appears in an Intelligent
Analysis Report Viewer window.
Figure 32 Multi-node single-security check item failures comparison chart
Multi-node single-security check item failures comparison chart parameters
•
Start Date—Start date for the report statistics.
•
End Date—End date for the report statistics.
•
Report Time—Time when the report is generated.
•
Security Check Item—Security check item whose statistics are collected in the report.
•
Description—A brief description of the report.
Multi-node single-security check item failures comparison chart
The chart displays the failure times of a security check item on each node in a specified time range
in a histogram.
Multi-node user counts comparison chart
This report compares the number of users of multiple EAD nodes (the current node and its child
nodes) at a specific time. The users include access users created, blacklist users, and guests. When
no data is received from a node, the report does not show the node.
To view the multi-node user counts comparison chart:
1. Click the Report tab.
2. Click Multi-Node User Counts Comparison Chart link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
Click the Calendar icon
statistics.
in the Query Time field to select the time for querying the report
Real-time reports 259
4.
Click the radio button to the left of delay time, and set the delay to 5 minutes or 10 minutes.
The system collects the number of users for the current node and its child nodes and generates
a chart to compare the users of multiple nodes of the statistics time.
The statistics time is calculated as follows: the system deducts the delay from the query time,
and then rounds the result down to a multiple of half an hour. For example, when the query
time is 2011-07-01 08:07:00 and the delay is 5 minutes, the report collects the statistics of
2011-07-01 08:00:00. When you modify the delay to 10 minutes, the system collects the
statistics of 2011-07-01 07:30:00.
5.
Select the nodes whose user counts you want to compare.
The available node list contains the nodes whose statistics can be collected and compared.
The selected node list contains the nodes whose statistics are to be collected and compared.
You can hold down Ctrl and use the mouse to select multiple nodes.
6.
•
Click the Copy all icon
node list.
•
Click the Copy icon
the selected node list.
•
Click the Remove icon
list.
•
Click the Remove all icon
to add all nodes on the available node list to the selected
to add one or more nodes on the available node list to
to removes one or more nodes from the selected node
to remove all nodes from the selected node list.
Click OK.
The multi-node user counts comparison chart appears in an Intelligent Analysis Report Viewer
window.
Figure 33 Multi-node user counts comparison chart
Multi-node user counts comparison chart parameters
•
Statistics Time—Time when statistics are collected by the report.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
260 EAD service reports
Multi-node user counts comparison chart
The chart displays the number of users for multiple nodes at a specific time in a histogram.
•
Number of created access users—Number of access users created on the node in a specified
time range.
•
Number of blacklist users—Number of users added to the blacklist on the node in a specified
time range.
•
Number of guests—Number of guests on the node in a specified time range.
Multi-node user data statistics report
This report collects and compares the user data statistics of the current EAD node and all its child
EAD nodes. The user data statistics include the number of access users, blacklisted users, guests,
online users, secure online users, insecure online users, and unknown online users.
To view the multi-node user data statistics report:
1. Click the Report tab.
2. Click Multi-Node User Data Statistics Report link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The multi-node user data statistics report appears in an Intelligent Analysis Report Viewer
window.
Figure 34 Multi-node user data statistics report
Multi-node user data statistics report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Multi-node user data statistics report fields
•
Node Name—Name of the node. This column displays the name of the current node and its
child node.
•
Access Users—Number of access users on the node.
•
Blacklisted Users—Number of blacklisted users on the node.
•
Guests—Number of guests on the node.
•
Online Users—Number of online users on the node.
•
Secure Online Users—Number of secure online users on the node.
•
Insecure Online Users—Number of insecure online users on the node.
•
Unknown Online Users—Number of unknown online users on the node.
•
Statistics Time—Time when statistics are collected.
Real-time reports
261
Online user security status report
This report collects statistics about the security status of all users in a specified user group (including
its subgroups). The report collects statistics about only the user groups to which the current operator
has privileges. The security status of an online user can be no security authentication needed,
waiting for security authentication, secure, insecure, or others.
To view the online user security status report:
1. Click the Report tab.
2. Click Online User Security Status Report link in the My Real-Time Reports [Edit Mode] section.
(Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
From the User Group list, select the user group whose statistics are to be collected.
The system then collects user security status statistics about the users in the user group and its
subgroups.
4.
Click OK.
The online user security status report appears in an Intelligent Analysis Report Viewer window.
Figure 35 Online user security status report
Online user security status report parameters
•
User Group—Name of the user group. This report collects statistics about the security status
of all users in a user group (including its subgroups). All indicates all user groups. The report
collects statistics about only the user groups to which the current operator has privileges.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Online user security status category statistics pie chart
This report displays the distribution of the security status of all users in a user group (including its
subgroups). The security status of an online user can be No Security Authentication Needed, Waiting
for Security Authentication, Secure, Insecure, or Others. Click a slice in the pie chart to see statistics
about online users in the specified security status.
Online user security status statistics
Figure 36 shows the statistics about online users in the specified security status.
262 EAD service reports
Figure 36 Online user security status statistics
•
Security Status—Security status whose statistics are collected.
•
Count—Number of online users in the specified security status.
•
Service—Name of the service that the user uses for login.
•
Device IP—Access device IP address of the user.
•
User IP—IP address of the online user.
•
Access Time—Time when the user logs in.
OS language report
This report collects statistics about the OS language types and the number of assets using each
OS language type for all registered assets in the specified asset group (including its subgroups).
The report collects statistics about only the asset groups to which the current operator has privileges.
The language types are Chinese (PRC), English, and Others.
To view the OS language report:
1. Click the Report tab.
2. Click OS Language Report link in the My Real-Time Reports [Edit Mode] section. (Verify that
this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
From the Asset Group list, select the asset group whose statistics are to be collected.
The system collects statistics about the OS language types and the number of assets using
each OS language type for all registered assets in the asset group (including its subgroups).
4.
Click OK.
The OS language report appears in an Intelligent Analysis Report Viewer window.
Figure 37 OS language report
Real-time reports 263
OS language report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
•
Group Name—Name of the asset group. This report collects statistics about the OS language
types and the number of assets using each OS language type for all registered assets in the
specified asset group (including its subgroups). All indicates all asset groups. The report collects
statistics about only the asset groups to which the current operator has privileges.
OS language statistics pie chart
This report displays the distribution of the OS language types of all registered assets in the specified
asset group (including its subgroups). The recognizable language types are Chinese (PRC), English,
and Others. Click a slice in the pie chart to see asset statistics about the specified OS language
type.
Asset statistics
Figure 38 shows the asset statistics for an OS language type.
Figure 38 Asset statistics for an OS language type
•
OS language—OS language type whose asset statistics are collected.
•
Amount—Number of assets using the OS language type.
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset.
•
Operating System—Operating system running on the asset.
•
Version—Version of the operating system running on the asset.
•
Patch—Service pack version of the operating system running on the asset.
•
Installed on—Time when the operating system is installed on the asset.
OS version report
This report collects statistics about the OS versions and the number of assets running each OS
version for all registered assets, and displays the distribution of top five OS versions. The report
collects statistics about only the asset groups to which the current operator has privileges.
To view the OS version report:
1. Click the Report tab.
2. Click OS Version Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this
link displays [Edit Mode] as this confirms that you are in view mode.)
3. Click OK.
The OS version report appears in an Intelligent Analysis Report Viewer window.
264 EAD service reports
Figure 39 OS version report
OS version report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
OS version statistics pie chart
The pie chart displays the distribution of top five OS versions for all the registered assets. Click a
slice in the pie chart to see asset statistics for the specified OS version.
Asset statistics
Figure 40 shows the asset statistics for an OS version
Figure 40 Asset statistics for an OS version
•
Version—OS version whose asset statistics are collected.
•
Amount—Number of assets running the OS version.
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset.
•
OS Language—OS language type of the asset.
•
Patch—Service pack version of the operating system running on the asset.
•
Installed on—Time when the operating system is installed on the asset.
Safe log gather statistic report
This report collects statistics about the security logs of the current EAD node and all of its child
nodes, and displays the distribution of the following types of insecurity events:
•
Anti-virus software
•
Anti-spyware software
Real-time reports 265
•
Firewall software
•
Anti-phishing software
•
Hard disk encryption software
•
Windows patches
•
Patch manager
•
Applications - software
•
Applications - processes
•
Applications - services
•
Applications - files
•
Registry
•
Traffic
•
OS password
•
Sharing
•
Asset registration
To view the safe log gather statistic report:
1. Click the Report tab.
2. Click Safe Log Gather Statistic Report link in the My Real-Time Reports [Edit Mode] section.
(Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
Click the Calendar icon
in the Begin Time field to select the begin time.
This parameter sets the start date for the specific time range in a data collection period.
4.
Click the Calendar icon
in the End Time field to select the end time.
This parameter sets the end date for the specific time range in a data collection period.
5.
From the Grade Node list, select the node whose statistics are to be collected.
The system collects statistics about the security logs of the current EAD node and all its child
nodes, and displays the distribution of each type of insecurity events.
266 EAD service reports
6.
Click OK.
The safe log gather statistic report appears in an Intelligent Analysis Report Viewer window.
Figure 41 Safe log gather statistic report
Safe log gather statistic report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Grade Node—Name of the node whose statistics are collected by the report. All indicates all
nodes. The report collects statistics about only the nodes to which the current operator has
privileges.
•
Description—A brief description of the report.
Safe log gather statistic pie chart
The pie chart displays the distribution of insecurity events on a node and all of its child nodes. The
insecurity events follow:
•
Anti-virus software
•
Anti-spyware software
•
Firewall software
•
Anti-phishing software
•
Hard disk encryption software
•
Windows patches
•
Patch manager
•
Applications - software
•
Applications - processes
•
Applications - services
•
Applications - files
Real-time reports 267
•
Registry
•
Traffic
•
OS password
•
Sharing
•
Asset registration
Click a slice in the pie chart to see statistics for the specified insecurity category.
Insecurity category statistics
Figure 42 shows the statistics for an insecurity category.
Figure 42 Insecurity category statistics
•
Insecurity Category—Insecurity category whose statistics are collected.
•
Count—Number of insecurity events belonging to the insecurity category.
•
Node Name—Name of the current node or child node.
•
Statistics Date—Date when the statistics are collected.
•
Amount—Number of insecurity events.
Single-node online users 24-hour trend graph
This report displays the number of online users on a single EAD node at each of the 24 hours in
the specified day. The online users fall into secure online users, insecure online users, and unknown
online users. The total number of online users is the sum of the number of online users of each type.
To view the single-node online users 24-hour trend graph:
1. Click the Report tab.
2. Click Single-Node Online Users 24-Hour Trend Graph link in the My Real-Time Reports [Edit
Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view
mode.)
The Set Parameter dialog box appears.
3.
4.
Click the Calendar icon in the Query Time field to select the date for the report statistics.
From the Grade Node list, select the node whose statistics are to be collected.
The system collects the number of online users on the node at each of the 24 hours in the day.
268 EAD service reports
5.
Click OK.
The single-node online users 24-hour trend graph appears in an Intelligent Analysis Report
Viewer window.
Figure 43 Single-node online users 24-hour trend graph
Single-node online users 24-hour trend graph parameters
•
Statistics Time—Day when statistics are collected by the report.
•
Report Time—Time when the report is generated.
•
Node Name—Name of the node whose statistics are collected.
Description—A brief description of the report.
Single-node online users 24-hour trend graph
•
Number of online users—Number of online users of the specified node at each of the 24 hours
in the specified day. The online users include the secure online users, insecure online users,
and unknown online users.
•
Number of secure online users—Number of secure online users at each of the 24 hours in the
specified day.
•
Number of insecure online users—Number of insecure online users at each of the 24 hours
in the specified day.
•
Number of unknown online users—Number of unknown online users at each of the 24 hours
in the specified day.
Single-node security check failure report
This report collects statistics about the security check failures of a single EAD node (the current
node or its child node). The report statistics can be collected on a per-day, per-week, or per-month
basis of the specified query time. The security check failure reasons follow:
•
Anti-virus software check failures
•
Anti-phishing software check failures
•
Firewall software check failures
Real-time reports 269
•
Anti-spyware software check failures
•
Hard disk encryption software check failures
•
Windows patch check failures
•
Patch management software check failures
•
Application check failures
•
Registry check failures
•
Shared-directory check failures
•
Traffic monitoring check failures
•
Operating system password check failures
•
Asset registration check failures
To view the single-node security check failure report:
1. Click the Report tab.
2. Click Single-Node Security Check Failure Report link in the My Real-Time Reports [Edit Mode]
section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
From the Grade Node list, select the node whose statistics are to be collected.
The system collects statistics about the security check failure reasons and the number of security
check failures for the access users on the node.
4.
5.
Click the Calendar icon in Query Time field to select the time for the report statistics.
From the Report Type list, select a report type.
The report types include Daily Report, Weekly Report, and Monthly Report. The report statistics
can be collected on a per-day, per-week, or per-month basis in the specified time range.
6.
Click OK.
The single-node security check failure report appears in an Intelligent Analysis Report Viewer
window.
Figure 44 Single-node security check failure report
270 EAD service reports
Single-node security check failure report parameters.
•
Start Date—Start date for the report statistics.
•
End Date—End date for the report statistics.
•
Report Time—Time when the report is generated.
•
Node Name—Name of the node whose statistics are collected.
•
Description—A brief description of the report.
Single-node security check failure bar chart
This chart displays the statistics about the security check failures of a single EAD node (the current
node or its child node). The security check failure reasons follow:
•
Anti-virus software check failures
•
Anti-phishing software check failures
•
Firewall software check failures
•
Anti-spyware software check failures
•
Hard disk encryption software check failures
•
Windows patch check failures
•
Patch management software check failures
•
Application check failures
•
Registry check failures
•
Shared-directory check failures
•
Traffic monitoring check failures
•
Operating system password check failures
•
Asset registration check failures
The security check failure statistics are collected by account, service, and security check item. For
example, when an account uses the same service and security check item to encounter two security
check failures, the report considers them as one failure; when an account uses different services
and the same security check item to encounter two security check failures, the report considers
them as two failures.
Software installation report
This report collects statistics about the software names and the number of assets with each type of
software installed for all registered assets in the specified asset group (including its subgroups).
The report collects statistics only about the asset groups to which the current operator has privileges.
To view the software installation report:
1. Click the Report tab.
2. Click Software Installation Report link in the My Real-Time Reports [Edit Mode] section. (Verify
that this link displays [Edit Mode] as this confirms that you are in view mode.)
The Set Parameter dialog box appears.
3.
From the Asset Group list, select the asset group whose statistics are to be collected.
The system collects statistics about the software names and the number of assets with each
type of software installed for all registered assets in the asset group (including its subgroups).
Real-time reports
271
4.
Click OK.
The software installation report appears in an Intelligent Analysis Report Viewer window.
Figure 45 Software installation report
Software installation report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group.
This report collects statistics about the software names and the number of assets with each
type of software installed for all registered assets in the specified asset group (including its
subgroups).All indicates all asset groups. The report collects statistics about only the asset
groups to which the current operator has privileges.
•
Description—A brief description of the report.
Software installation report fields
•
Software Name—Name of the software installed on the assets.
•
Software Version—Version of the software. The software installation report separately collects
statistics about the software products with the same name but different versions.
•
Assets—Number of assets with the software installed.
Scheduled reports
You can schedule any real-time report to run daily, weekly, monthly, quarterly, semi-annually, or
annually. You can define the start dates of data collection for generating scheduled reports and
272 EAD service reports
the end dates and times for the corresponding scheduled report tasks. You can also configure the
report format with options for the following:
•
Adobe Acrobat Portal Document Format (PDF)
•
Comma Separated Value (CSV)
•
Microsoft Excel (XLS)
You can include email recipients for all scheduled reports.
When reports are scheduled, IMC generates the reports in the specified report format, emails them
to specified recipients, and stores the reports for future access.
You can also access reports generated by IMC scheduling. IMC retains all scheduled reports
indefinitely. Retention of all historical reports must be managed manually.
Table 19 Scheduled reports for the EAD service component
Scheduled report
Service component
Asset Information Report
DAM
Asset Type Report
DAM
Asset Usage Report
DAM
CPU Report
DAM
Hard Disk Capacity Report
DAM
Illegal Peripheral Use Report
DAM
Insecurity Category Statistic Report
EAD
Online User Security Status Report
EAD
OS Language Report
DAM
OS Version Report
DAM
Safe Log Gather Statistic Report
EAD
Software Installation Report
DAM
Asset information report
This report collects statistics about the number of newly added assets, the size of newly added
memory, the newly added hard-disk capacity, the number of existing assets, the size of existing
memory, and the existing hard-disk capacity in all asset groups (excluding the subgroups) in the
specified time range.
The report collects statistics about only the asset groups to which the current operator has privileges,
and does not collect the asset statistics of the current month.
Adding an asset information report
1.
2.
Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Asset Information Report and click OK.
Scheduled reports 273
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
Select an operator group, and all operators in the group can view the report. To know operators
in an operator group, click the Operator Group Information icon
to the right of Access
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Asset information report supports the options Weekly, Monthly, Quarterly,
Half Yearly, and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the start month and end month.
The asset information report collects statistics about the number of newly added assets, the
size of newly added memory, the newly added hard-disk capacity, the number of existing
assets, the size of existing memory, and the existing hard-disk capacity in all asset groups
(excluding the subgroups) in the specified time range.
274
EAD service reports
a.
Click the Set Parameter icon
Parameter Value list.
for the start month, and select a start month from the
The options range from 2000-01 to 2050-12.
b.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
start month.
c.
Click the Set Parameter icon
Parameter Value list.
to
. The end month must be later than the
for the end month, and select an end month from the
The options range from 2000-01 to 2050-12.
d.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
start month.
to
. The end month must be later than the
10. Click OK.
Viewing asset information reports
To view asset information reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the asset information reports to enter the History Report
page.
Click the View link to open a statistics report, or save the statistics report.
Figure 46 Asset information report
Asset information report parameters
•
Start Month—Start month for the report statistics.
•
End Month—End month for the report statistics.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Scheduled reports 275
Asset information report fields
The asset information report collects statistics on a per-month basis.Table 20 describes the fields
in the report.
Table 20 Statistical items
Statistical item
Description
Asset Group
Name of the asset group.
Asset
Memory
New
Number of newly added assets in the asset group in a specified time range.
Total
Total number of assets in the asset group in a specified time range.
New (GB) Size of newly added memory in the asset group in a specified time range.
Total (GB) Total size of memory in the asset group in a specified time range.
Hard disk
New (GB) Newly added hard-disk capacity in the asset group in a specified time range.
Total (GB) Existing hard-disk capacity in the asset group in a specified time range.
Asset type report
This report collects statistics about the asset types and the number of assets of each type for all
registered assets in the specified asset group (including its subgroups). The asset types are Laptop,
PC, Server, Workstation, and Others. The report collects statistics about only the asset groups to
which the current operator has privileges.
Adding an asset type report
To add an asset type report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Asset Type Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report:
Select an operator group, and all operators in the group can view the report. To know operators
to the right of Access
in an operator group, click the Operator Group Information icon
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
Click Close to the return to the page for adding a report.
276 EAD service reports
5.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year.
For example, when you set the report start date to 2011-08-10, the first half yearly report
is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the
day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day, and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
Scheduled reports 277
9.
Set the asset group.
The asset type report collects statistics about the asset types and the number of assets of each
type for all registered assets in the specified asset group (including its subgroups).
a.
b.
Click the Set Parameter icon
for the asset group.
Select an asset group from the Parameter Value list.
The options are asset group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing asset type reports
To view asset type reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the asset type reports to enter the History Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 47 Asset type report
Asset type report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects statistics about asset types and
the number of assets of each type for all registered assets in the specified asset group (including
its subgroups). All indicates all asset groups. The report collects statistics about only the asset
groups to which the current operator has privileges.
•
Description—A brief description of the report.
Asset type statistics pie chart
The asset type statistics pie chart displays the distribution of asset types. Asset types are PC,
Workstation, Laptop, Server, and Others.
278 EAD service reports
Asset usage report
This report collects statistics about assets which have been offline for more than the specified days.
The report displays the asset statistics of only the asset groups to which the current operator has
privileges.
Adding an asset usage report
To add an asset usage report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Asset Usage Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report:
Select an operator group, and all operators in the group can view the report. To know operators
to the right of Access
in an operator group, click the Operator Group Information icon
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
Scheduled reports 279
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the asset idle period.
The asset usage report collects statistics about assets which have been offline for more than
the specified days.
a.
b.
c.
to set the idle period.
Click the Set Parameter icon
In the Parameter Value field, enter the minimum number of idle days.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing asset usage reports
To view asset usage reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the asset usage reports to enter the History Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 48 Asset usage report
280 EAD service reports
Asset usage report parameters
•
Report Time—Time when the report is generated.
•
Min. Idle Time—Minimum number of idle days. Assets which have been offline for more than
the specified days are displayed in the report.
•
Description—A brief description of the report.
Asset usage report fields
•
Asset Number—Asset number of the idle asset.
•
Asset Group—Name of the asset group to which the asset belongs.
•
Owner—Owner of the asset.
•
Management Time—Time when the asset began to be managed.
•
Last Off-line—Last time when the asset went offline.
•
Idle Period—Period for which the asset has been idle.
CPU report
This report collects statistics about the assets whose CPU frequencies match certain criteria in the
specified asset group (including its subgroups). The report displays the CPU statistics of only the
asset groups to which the current operator has privileges.
Adding a CPU report
To add a CPU report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select CPU Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report:
Select an operator group, and all operators in the group can view the report. To know operators
in an operator group, click the Operator Group Information icon
to the right of Access
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
Click Close to the return to the page for adding a report.
Scheduled reports
281
5.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the minimum CPU frequency (in MHz) and maximum CPU frequency (in MHz).
The CPU report collects statistics about assets whose CPU frequencies are between the minimum
frequency and the maximum frequency.
a.
b.
Click the Set Parameter icon
for the Minimum Frequency.
In the Parameter Value field, enter the minimum CPU frequency.
282 EAD service reports
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
d.
e.
f.
to
.
Click the Set Parameter icon
for the Maximum Frequency.
In the Parameter Value field, enter the maximum CPU frequency.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Set the asset group.
The CPU report collects statistics about the CPU frequencies of all registered assets in the
specified asset group (including its subgroups).
a.
b.
Click the Set Parameter icon
for the asset group.
Select an asset group from the Parameter Value list.
The options are asset group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
11. Click OK.
Viewing CPU reports
To view CPU reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the CPU reports to enter the History Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 49 CPU report
CPU report parameters
•
Minimum Frequency—Minimum frequency (in MHz) of the CPU frequency range.
•
Maximum Frequency—Maximum frequency (in MHz) of the CPU frequency range.
Scheduled reports 283
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects the CPU frequency statistics for
the specified asset group (including its subgroups). All indicates all asset groups. The report
collects statistics about only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
CPU report fields
•
Asset Number—Asset number of the asset.
•
Asset Name—Name of the asset.
•
Owner—Owner of the asset.
•
CPU SN—Number of the CPU in the operating system.
•
CPU Name—Product name of the CPU.
•
Frequency—CPU frequency (in MHz) of the asset.
Hard-disk capacity report
This report collects statistics about the number of hard disks of assets in the specified asset group
(including its subgroups), and classifies the hard disks according to their capacity: <80 GB, [80
GB to 160 GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), or >=1024 GB.
The report displays the hard disk capacity statistics of only the asset groups to which the current
operator has privileges.
Adding a hard disk capacity report
1.
Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the
2.
Select a template:
a. Click Select to the right of Template Name
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Hard Disk Capacity Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
Select an operator group, and all operators in the group can view the report. To know operators
in an operator group, click the Operator Group Information icon
to the right of Access
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
Click Close to the return to the page for adding a report.
284 EAD service reports
5.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
Scheduled reports 285
9.
Set the asset group.
The hard disk capacity report collects the hard disk capacity statistics of all registered assets
in the specified asset group (including its subgroups).
a.
b.
c.
Click the Set Parameter icon
for the asset group.
Select an asset group from the Parameter Value list.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing hard disk capacity reports
To view hard disk capacity reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3. Click the History Report icon for the hard disk capacity reports to enter the History Report
page.
4. Click the View link to open a statistics report, or save the statistics report.
Figure 50 Hard disk capacity report
Hard disk capacity report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects the hard disk capacity statistics
for the specified asset group (including its subgroups). All indicates all asset groups. The report
collects statistics about only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
Hard disk capacity statistics pie chart
The hard disk capacity statistics pie chart displays the distribution of hard-disk capacity. The
hard-disk capacity is classified into the following levels: <80 GB, [80 GB to 160 GB), [160 GB to
250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB.
286 EAD service reports
Illegal peripheral use report
This report collects statistics about the illegal peripheral usage types and the times of each type
for the specified asset group (including its subgroups) in a specified time range. The peripheral
types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM/LPT, Infrared,
Bluetooth, 1394, and Modem. The report displays the illegal peripheral usage types and the times
of each type for only the asset groups to which the current operator has privileges.
Adding an illegal peripheral use report
To add an illegal peripheral use report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Illegal Peripheral Use Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report:
Select an operator group, and all operators in the group can view the report. To know operators
in an operator group, click the Operator Group Information icon
to the right of Access
Right, and the Operator Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators contained in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
Scheduled reports 287
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the begin time and end time.
The illegal peripheral use report collects statistics about the illegal peripheral usage types and
the times of each type in a specified time range.
a.
Click the Set Parameter icon
for the start time.
The options on the list depend on the schedule type configured in step 5.
b.
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
c.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
d.
Click the Set Parameter icon
288 EAD service reports
to
.
for the end time.
e.
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
f.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
begin time.
to
. The end time must be later than the
10. Set the asset group.
The illegal peripheral use report collects statistics about the illegal peripheral usage types and
the times of each type for assets in the specified asset group (including its subgroups).
a.
b.
for the asset group.
Click the Set Parameter icon
Select an asset group from the Parameter Value list.
The options are asset group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
11. Click OK.
Viewing illegal peripheral use reports
To view illegal peripheral use reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the illegal peripheral use reports to enter the History
Report page.
Click the View link to open a statistics report, or save the statistics report.
Scheduled reports 289
Figure 51 Illegal peripheral use report
Illegal peripheral use report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects statistics about the illegal peripheral
usage types and the times of each type for the specified asset group (including its subgroups)
in a specified time range. All indicates all asset groups. The report collects statistics about
only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
Illegal peripheral use statistic pie chart
The pie chart displays the distribution of illegal peripheral usage types and the times of each type
in a specified time range. The illegal peripheral usage types follow:
•
USB Storage
•
USB Nonstorage
•
DVD/CD-ROM
•
Floppy
•
PCMCIA
•
COM/LPT
•
Infrared
•
Bluetooth
290 EAD service reports
•
1394
•
Modem
Insecurity category statistic report
This report collects statistics about the security check failures of each insecurity category for the
current EAD node in a specified time range. An insecurity category refers to the type of the reason
for security check failures. The insecure categories follow:
•
Anti-Virus Software
•
Anti-Spyware Software
•
Firewall Software
•
Anti-Phishing Software
•
Hard Disk Encryption Software
•
Windows Patches
•
Patch Manager
•
Applications - Software
•
Applications - Processes
•
Applications - Services
•
Applications - Files
•
Registry
•
Traffic
•
OS Password
•
Sharing
•
Asset Registration
Adding an insecurity category statistic report
To add an insecurity category statistic report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Insecurity Category Statistic Report and click OK.
3.
Enter the report name in the Scheduled Report Name field.
Scheduled reports
291
4.
Select an operator group.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
292 EAD service reports
9.
Set the begin time and end time.
The insecurity category statistic report collects statistics about the security check failures of
each insecurity category in a specified time range. An insecurity category refers to the type
of the reason for security check failures.
a.
b.
Click the Set Parameter icon
for the start time.
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
c.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
d.
e.
to
.
Click the Set Parameter icon
for the end time.
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
f.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
begin time.
to
. The end time must be later than the
10. Click OK.
Viewing insecurity category statistic reports
To view insecurity category statistic reports:
Scheduled reports 293
1.
2.
Click the Report tab.
Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
Click the History Report icon
for the insecurity category statistic reports to enter the
History Report page.
Click the View link to open a statistics report, or save the statistics report.
4.
Figure 52 Insecurity category statistic report
Insecurity category statistic report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Insecurity category statistic pie chart
The insecurity category statistic pie chart displays the percentage of the security check failures of
each insecurity category to the total security check failures.
Online user security status report
This report collects statistics about the security status of all users in a user group (including its
subgroups). The report collects statistics about only the user groups to which the current operator
has privileges. The security status of an online user can be No Security Authentication Needed,
Waiting for Security Authentication, Secure, Insecure, or Others.
Adding an online user security status report
To add an insecurity category statistic report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
294 EAD service reports
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Online User Security Status Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
Scheduled reports 295
6.
Set the time when a report becomes invalid. The EAD component does not generate any
scheduled report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the begin time and end time.
The insecurity category statistic report collects statistics about the security check failures of
each insecurity category in a specified time range. An insecurity category refers to the type
of the reason for security check failures.
a.
b.
Click the Set Parameter icon
for the start time.
Select a user group from the Parameter Value list.
The options are user group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing online user security status reports
To view online user security status reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the online user security status reports to enter the History
Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 53 Online user security status report
296 EAD service reports
Online user security status report parameters
•
User Group—Name of the user group. This report collects statistics about the security status
of all users in a user group (including its subgroups). All indicates all user groups. The report
collects statistics about only the user groups to which the current operator has privileges.
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
Online user security status category statistics pie chart
This report displays the distribution of the security status of all users in a user group (including its
subgroups). The security status of an online user can be No Security Authentication Needed, Waiting
for Security Authentication, Secure, Insecure, or Others.
OS language report
This report collects statistics about the OS language types and the number of assets using each
OS language type for all registered assets in the specified asset group (including its subgroups).
The report collects statistics about only the asset groups to which the current operator has privileges.
The language types include Chinese (PRC), English, and Others.
Adding an OS language report
To add an OS language report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select OS Language Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
Scheduled reports 297
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the asset group.
The OS language report collects statistics about the OS language types and the number of
assets using each OS language type for all registered assets in the specified asset group
(including its subgroups).
a.
b.
for the asset group.
Click the Set Parameter icon
Select an asset group from the Parameter Value list.
The options are asset group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing OS language reports
To view OS language reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
298 EAD service reports
3.
4.
Click the History Report icon
for the OS language reports to enter the History Report
page.
Click the View link to open a statistics report, or save the statistics report.
Figure 54 OS language report
OS language report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
•
Group Name—Name of the asset group.
This report collects statistics about the OS language types and the number of assets using each
OS language type for all registered assets in the specified asset group (including its subgroups).
All indicates all asset groups. The report collects statistics about only the asset groups to which
the current operator has privileges.
OS language statistics pie chart
This report displays the distribution of the OS language types of all registered assets in the specified
asset group (including its subgroups). The recognizable language types include Chinese (PRC),
English, and Others.
OS version report
This report collects statistics about the OS versions and the number of assets running each OS
version for all registered assets. It displays the distribution of top five OS versions. The report
collects statistics about only the asset groups to which the current operator has privileges.
Adding an OS version report
To add an OS version report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
Scheduled reports 299
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Online User Security Status Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
300 EAD service reports
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Click OK.
Viewing OS version reports
To view OS version reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
for the OS version reports to enter the History Report page.
Click the History Report icon
Click the View link to open a statistics report, or save the statistics report.
Figure 55 OS version report
OS version report parameters
•
Report Time—Time when the report is generated.
•
Description—A brief description of the report.
OS version statistics pie chart
The pie chart displays the distribution of the top five OS versions for all registered assets.
Scheduled reports 301
Safe log gather statistic report
This report collects statistics about the security logs of the current EAD node and all its child nodes,
and displays the distribution of each type of insecurity event in a specified time range. The insecurity
event types follow:
•
Anti-virus software
•
Anti-spyware software
•
Firewall software
•
Anti-phishing software
•
Hard disk encryption software
•
Windows patches
•
Patch manager
•
Applications - software
•
Applications - processes
•
Applications - services
•
Applications - files
•
Registry
•
Traffic
•
OS password
•
Sharing
•
Asset registration
Adding a safe log gather statistic report
To add a safe log gather statistic report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Safe Log Gather Statistic Report and click OK.
3.
4.
Enter the report name in the Scheduled Report Name field.
Select an operator group that can view the report.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
Click Close to the return to the page for adding a report.
302 EAD service reports
5.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
9.
Set the begin time and end time.
The insecurity category statistic report collects statistics about the security check failures of
each insecurity category in a specified time range. An insecurity category refers to the type
of the reason for security check failures.
a.
Click the Set Parameter icon
for the start time.
Scheduled reports 303
b.
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
c.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
d.
e.
to
.
for the end time.
Click the Set Parameter icon
Select a begin time from the Schedule Parameter list.
The options on the list depend on the schedule type configured in step 5.
f.
•
Daily— Options are Begin time, One hour after begin time through Twenty-three
hours after begin time, and End time.
•
Weekly— Options are Begin time, One day after begin time through Six days after
begin time, and End time.
•
Monthly— Options are Begin time, One day after begin time through Thirty days
after begin time, and End time.
•
Quarterly— Options are Begin time, One month after begin time, Two months after
begin time, and End time.
•
Half Yearly— Options are Begin time, One month after begin time, Five months after
begin time, and End time.
•
Yearly— Options are Begin time, One month after begin time, Eleven months after
begin time, and End time.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
begin time.
304 EAD service reports
to
. The end time must be later than the
10. Set the grade node.
Safe log gather statistic report collects statistics about the security logs of the node and all its
child nodes.
a.
b.
Click the Set Parameter icon
for the grade node.
Select a grade node from the Parameter Value list.
The options are EAD grade node names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
11. Click OK.
Viewing safe log gather statistic reports
To view safe log gather statistic reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the safe log gather statistic reports to enter the History
Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 56 Safe log gather statistic report
Safe log gather statistic report parameters
•
Start Time—Start time for the report statistics.
•
End Time—End time for the report statistics.
•
Report Time—Time when the report is generated.
•
Grade Node—Name of the asset group whose statistics are collected by the report. The report
collects statistics about only the nodes to which the current operator has privileges.
•
Description—A brief description of the report.
Scheduled reports 305
Safe log gather statistic pie chart
The pie chart displays the distribution of the insecurity events on the specified node and all its child
nodes. The insecurity event types follow:
•
Anti-virus software
•
Anti-spyware software
•
Firewall software
•
Anti-phishing software
•
Hard disk encryption software
•
Windows patches
•
Patch manager
•
Applications - software
•
Applications - processes
•
Applications - services
•
Applications - files
•
Registry
•
Traffic
•
OS password
•
Sharing
•
Asset registration
Software installation report
This report collects statistics about the software names and the number of assets with each type of
software installed for all registered assets in the specified asset group (including its subgroups).
The report collects statistics about only the asset groups to which the current operator has privileges.
Adding a software installation report
To add a software installation report:
1. Enter the page for adding a scheduled report in one of the following ways:
•
Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree.
•
Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation
tree to enter the All Scheduled Reports page, and click Add.
2.
Select a template:
a. Click Select to the right of Template Name.
b. Select EAD Service Report from the Type list in the Query Template section, and click
Query.
c. Select Software Installation Report and click OK.
3.
Enter the report name in the Scheduled Report Name field.
306 EAD service reports
4.
Select an operator group that can view the report.
All operators in the group can view the report. To view the operators in an operator group,
click the Operator Group Information icon
to the right of Access Right. The Operator
Group Information window appears.
a. Select one or more operator groups in the Group Name section.
The operators in the operator groups are displayed.
b.
5.
Click Close to the return to the page for adding a report.
Specify the period a report is generated.
A scheduled report period is determined by both the schedule type and schedule time settings.
•
Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly,
and Yearly.
•
Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or
click the Calendar icon to select a start date.
When you select the Daily schedule type, reports of the previous day are generated every
day. For example, when you set the report start date to 2011-08-10, the first daily report
is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data
collected till 00:00 on the day that the report was generated.
When you select the Weekly schedule type, reports of the previous seven days are
generated every seven days. For example, when you set the report start date to
2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and
the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report.
When you select the Monthly schedule type, reports of the previous month are generated
every month. For example, when you set the report start date to 2011-08-10, the first
monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till
00:00 on the day that the report was generated is displayed in the report.
When you select the Quarterly schedule type, reports of the previous three months are
generated every three months. For example, when you set the report start date to
2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and
the data collected till 00:00 on the day that the report was generated is displayed in the
report.
When you select the Half Yearly schedule type, reports of the last half year are generated
every half year. For example, when you set the report start date to 2011-08-10, the first
half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected
till 00:00 on the day that the report was generated is displayed in the report.
When you select the Yearly schedule type, reports of the last year are generated every
year. For example, when you set the report start date to 2011-08-10, the first yearly
report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on
the day that the report was generated is displayed in the report.
6.
Set the time when a report becomes invalid and the EAD component does not generate the
report.
Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the
Calendar icon to select an end day and then enter an end time at the lower part.
7.
From the Report File Format list, select a report file format.
Options are PDF, CSV, MSExcel, and MSExcel (Data-only).
8.
Send a report by email.
Click the Send by Email box, and enter the email address of the receiver. Reports can be sent
to one email address.
Scheduled reports 307
9.
Set the asset group.
The OS language report collects statistics about the OS language types and the number of
assets using each OS language type for all registered assets in the specified asset group
(including its subgroups).
a.
b.
Click the Set Parameter icon
for the asset group.
Select an asset group from the Parameter Value list.
The options are asset group names.
c.
Click OK to return to the page for adding a report.
The Set Parameter icon changes from
to
.
10. Click OK.
Viewing software installation reports
To view software installation reports:
1. Click the Report tab.
2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All
Scheduled Reports page.
3.
4.
Click the History Report icon
for the software installation reports to enter the History
Report page.
Click the View link to open a statistics report, or save the statistics report.
Figure 57 Software installation report
Software installation report parameters
•
Report Time—Time when the report is generated.
•
Group Name—Name of the asset group. This report collects statistics about the software names
and the number of assets with each type of software installed for all registered assets in the
308 EAD service reports
specified asset group (including its subgroups). All indicates all asset groups. The report collects
statistics about only the asset groups to which the current operator has privileges.
•
Description—A brief description of the report.
Software installation report fields
•
Software Name—Name of the software installed on the assets.
•
Software Version—Version of the software. The software installation report collects separately
collects statistics about the software products with the same name but different versions.
•
Assets—Number of assets with the software installed.
Scheduled reports 309
14 Service parameters management
You can configure the following service parameters:
•
EAD service parameters—Globally effective on the EAD service.
•
DAM service parameters—Globally effective on the DAM service.
This chapter describes how to configure and tune these service parameters, as well as how to
manually validate new service parameters.
EAD service parameters
EAD service parameters comprise the following:
310
•
Patch Check Interval—Enter a number of days. When the Patch Check Interval is set to 0, EAD
checks patches for the user in every security check. Otherwise, after an access user passes a
patch check, EAD excludes patch check items from security checks for that user for the number
of days indicated by the Patch Check Interval. The default setting is 7 days.
•
Reauthentication Interval—Enter the maximum online time for users, in hours. EAD forcibly
reauthenticates the users whose online time exceeds the interval. The default setting is 24
hours. Set this parameter so that EAD can promptly check security items that do not support
real-time monitoring.
•
Real-Time Monitor Interval—Enter the interval, in seconds, at which EAD performs security
check in real time for online users, except for users who are isolated. The default setting is 60
seconds. Consider the performance of the EAD server and terminal users when you set this
parameter. A shorter interval requires higher performance. For more information, see
“Configuring real-time monitoring” (page 45).
•
EAD Service Group—Select this option to enable the EAD service group function. This parameter
is available only when the UAM service group function is enabled.
◦
Enable—Enables the EAD service group function.
◦
Disable—Disables the EAD service group function.
◦
Center Control—Enables administrators to centrally manage the EAD service, and allows
the maintainers and viewers to view the EAD service only.
•
Alarm Server IP—Enter the IP address of the server to which EAD sends SNMP alarms. SNMP
alarms are generated when the traffic on the user terminal exceeds the traffic thresholds defined
in the traffic control policy.
•
Listening Port of Alarm Server—Enter the number of the port that the alarm server uses to listen
to SNMP alarms from EAD. The default value is 162.
•
Send Security Syslog—Specify whether to enable EAD to send syslogs. When you select
Enable, EAD checks for new security logs every hour, encapsulates them in syslogs, and sends
them to the specified syslog server. The IP address of the syslog server is configured in UAM
service parameters. For more information, see HP IMC User Access Manager Administrator
Guide.
•
Centralized Policy Management—Select this option to centrally manage security policies in
hierarchical node management.
•
Data Reporting Time—Enter the time when a node reports data to its parent node each day.
The default setting is 10:00. In centralized policy management, a child node must obtain the
value of this parameter from its parent node; it cannot modify the value.
Service parameters management
•
Data Lifetime—Enter how long a node keeps the data reported from a child node. The default
setting is 90 days. In centralized policy management, a child node must obtain the value of
this parameter from its parent node; it cannot modify the value.
•
Query Security Logs Before V3.60—Specify whether operators can query security logs generated
by IMC V3.60 and earlier versions. When your IMC system is upgraded from V3.60 to V5.0,
the security logs of the two versions use different structures and are stored separately.
◦
When you select Yes, EAD offers a separate query module for security logs generated
by IMC V3.60 and earlier versions.
◦
When you select No, EAD does not offer the query module, and only allows query for
security logs generated by IMC V5.0 and later versions.
•
Security Logs Lifetime—Specify how many days EAD keeps security logs. The default setting
is 30 days. Expired logs are deleted automatically.
•
Internet Access Audit Log Keeping Time (Days)—Specify the maximum number of days an
Internet access audit log can be kept in the system. The system automatically deletes the logs
whose lifetime exceeds the specified keeping time every morning. The default is 30 days.
•
Max Internet Access Audit Logs (10000)—Specify the maximum number of Internet access
audit logs (in ten thousand) that can be kept in the system. The system automatically deletes
logs from the earliest record when the specified number is reached. The default is ten million.
•
Generate logs after the security check is passed—Select this option to enable EAD to generate
security logs for access users after they pass the security check. By default, EAD does not
generate security logs for those users.
Configuring EAD service parameters
To configure EAD service parameters:
1. Click the Service tab.
2. Select Endpoint Admission Defense>System Parameters>System Parameters Config from the
navigation tree.
The System Parameters Config page appears.
3.
4.
Configure the EAD service parameters.
Click OK.
Typically, the new EAD service parameters take effect immediately.
Validating EAD service parameters
If EAD service parameters in distributed IMC deployment do not take effect immediately after they
are modified, for example, because of a network failure, use one of the methods in this section to
validate the parameters manually.
Method 1
1.
2.
Click the Service tab.
Select Endpoint Admission Defense > System Parameters > Validate from the navigation tree.
The Validate page appears, displaying the validation result.
Method 2
1.
2.
3.
Click the Service tab.
Select Endpoint Admission Defense > Service Parameters from the navigation tree.
Click the Validate link located in the Service Parameters area.
The Validate page appears, displaying the validation result.
EAD service parameters
311
DAM service parameters
DAM service parameters comprise the following:
•
Auto Number—Select the asset numbering mode.
The asset numbering mode can be modified only when there is no asset entity in the system
database. Therefore, operators must delete all assets from the system database before they
can change the asset numbering mode. For more information, see “Managing assets”
(page 158).
◦
Enable—Use the automatic numbering mode. In this mode, when an access user logs in,
DAM automatically numbers the asset of the user and prompts the user to enter the asset
information, including the asset model, position, vendor, type, and description, to complete
registration.
◦
Disable—Use the manual numbering mode. In this mode, operators manually specify the
number, owner, and asset group for assets in DAM. When an access user logs in, the
iNode client prompts the user to enter the asset number to complete registration.
•
Number Prefix—Enter the prefix for automatic numbering. This parameter appears only when
Auto Number is set to Enable. Changes to this field do not affect existing asset numbers that
are automatically assigned by DAM.
•
Auto Register—Select the asset registration mode. This field appears only when Auto Number
is set to Enable.
◦
Enable—Use the automatic registration mode. In this mode, when an access user logs in,
DAM automatically numbers the asset to complete asset registration without manual
intervention.
◦
Disable—Use the manual registration mode. In this mode, when an access user logs in,
DAM automatically numbers the asset and prompts the user to enter the asset model,
position, vendor, type, and description to complete registration.
•
Scan Interval—Enter the interval, in minutes, at which the iNode client scans assets for software
and hardware changes.
•
Heartbeat Interval—Enter the interval, in minutes, at which the iNode client sends a heartbeat
packet to the DAM server.
•
Heartbeat Retries—Enter the maximum number of times the iNode client can try to send a
heartbeat packet.
•
Heartbeat Retry Interval—Enter the number of seconds the iNode client can wait before it
retransmits a heartbeat packet to the DAM server.
The iNode client for an online asset sends heartbeat packets to the DAM server at heartbeat
retry intervals. The DAM server responds to the heartbeat packet within the heartbeat retry
interval to determine that the asset is online. When the iNode client receives no response from
the DAM server within that interval, it retransmits the heartbeat packet until the Heartbeat Retry
Interval value is reached. The iNode client then disconnects from the DAM server, and the
DAM server waits one more interval to determine that the asset is offline.
312
•
Life of Log—Enter the number of days DAM keeps logs in the database, including peripheral
monitoring logs, printer monitoring logs, and USB monitoring logs. The DAM server deletes
expired logs on a daily basis.
•
Asset Change Record Lifetime—Enter the number of days DAM keeps records of asset hardware
and software changes in the database. The DAM server deletes expired records on a daily
basis.
Service parameters management
•
Asset Policy Request Period—Enter the interval, in minutes, at which the iNode client requests
are sent for the latest asset policy information from the DAM server.
For assets that stay online for a long period of time, the iNode client sends requests for
up-to-date asset policy information at a specified interval. Examples include new DAM service
parameters and software deploy tasks.
•
Server Port—Enter the listening port of the DAM server. DAM uses this port to listen for packets
about changes made by the operator on the IMC GUI to the DAM settings, and adjusts itself
accordingly. The value must be the same as that in the configuration file.
•
Proxy Server Port—Enter the port used by the DAM proxy server to listen to requests from the
iNode client. The value must be the same as that in the configuration file.
To modify the DAM server port and proxy server port in the configuration file:
a. Locate the file \dam\conf\server.xml in the installation path of IMC.
b. Open the file with a text editor such as Notepad.
c. Search Service name="Dam Server" and change the value of the notifyPort parameter.
d. Search Service name="DAM Proxy" and change the value of the listenPort parameter.
e. Restart the damserver process.
•
Packets Encrypted—Select this option to enable encryption and compression of packets
exchanged between the DAM server and the iNode client. Enable this function to protect data
transmission.
•
DAM Asset Server Log Level—Select the lowest level of logs to be recorded by DAM. Options
are Fatal, Error, Warning, Info, and Debugging, in descending order of severity. The DAM
server records logs of the selected level and above. Do not use the debugging level except
for troubleshooting because it consumes system resources.
•
Send Syslogs—Select this option to allow DAM to send syslogs to a syslog server.
•
Syslog Server IP—Enter the IP address of the syslog server. This field appears only when Send
Syslogs is set to Enable.
Monitoring alarm policies requires a syslog server. The policies allow the DAM server to
encapsulate monitoring information within syslogs and send them to the syslog server. The
monitoring information is reported by the iNode client; it includes changes to software and
hardware assets, and unauthorized copying and printing of sensitive files. For more information,
see “Configuring monitoring alarm policies” (page 193).
•
Report Network Connection Changes—Select this option to enable the iNode client to report
asset network connection changes to DAM. These include changes to NIC serial numbers, IP
addresses, DHCP statuses, gateways, MAC addresses, and subnet masks. DAM records them
as asset software changes for auditing. For more information, see “Asset software change
record audit” (page 201).
•
Asset-Access Account Binding—Specify whether DAM checks the access account bound to
each asset for authentication. This parameter is available only in manual numbering mode.
•
◦
Enable—Allows DAM to check the access account bound to each asset for registration.
When an owner is bound to the asset, DAM allows only the access account of the owner
to register the asset. When no owner is bound to the asset, DAM sets the first access
account that passes authentication and completes registration for the asset as the owner.
◦
Disable—Prevents DAM from checking the access account bound to each asset for
authentication. When this option is selected, DAM does not restrict the access account
that registers an asset.
Asset File Check Records Lifetime—Enter the number of days the asset file check records are
kept in the database. The DAM server deletes expired records on a daily basis.
DAM service parameters
313
•
Display Asset Monitoring Information—Select this option to display the query feature for asset
monitoring records on the asset owner's Access Account Info page. Operators can query the
asset monitoring records by hour. Enable this feature with caution because it may cause serious
delays to the Access Account Info page if there are large numbers of asset monitoring records
in the DAM database. For more information about the Access Account Info page, see HP IMC
User Access Manager Administrator Guide.
•
DAM Service Group—Select this option to allow operators to group DAM services together
for flexible management.
Configuring DAM service parameters
To configure DAM service parameters:
1. Click the Service tab.
2. Select Desktop Asset Manager > Service Parameters > System Parameters Config from the
navigation tree.
The System Parameters Config page appears.
3.
4.
Configure the DAM service parameters.
Click OK.
In general, the new DMA service parameters take effect immediately.
Validating DAM service parameters
If DAM service parameters in distributed IMC deployment do not take effect immediately after they
are modified, for example, because of a network failure, use one of the methods in this section to
validate the parameters manually.
Method 1
1.
2.
Click the Service tab.
Select Desktop Asset Manager > System Parameters > Validate from the navigation tree.
The Validate page appears, displaying the validation result.
Method 2
1.
2.
3.
Click the Service tab.
Select Desktop Asset Manager > Service Parameters from the navigation tree.
Click the Validate link located in the Service Parameters area.
The Validate page appears, displaying the validation result.
314
Service parameters management
15 Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
•
Product model names and numbers
•
Technical support registration number (if applicable)
•
Product serial numbers
•
Error messages
•
Operating system type and revision level
•
Detailed questions
New and changed information in this edition
•
A new "Support and other resources" chapter has been added.
Typographic conventions
This section describes the conventions used in this documentation set.
Table 21 Document conventions
Convention
Element
Blue text: Table 21 (page 315)
Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com
Website addresses
Bold text
• Keys that are pressed
• Text typed into a GUI element, such as a box
• GUI elements that are clicked or selected, such as menu
and list items, buttons, tabs, and check boxes
Italic text
Text emphasis
Monospace text
• File and directory names
• System output
• Code
• Commands, their arguments, and argument values
Monospace, italic text
• Code variables
• Command variables
Monospace, bold text
NOTE:
Emphasized monospace text
Provides additional information.
Contacting HP
315
16 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the
documentation, send any errors, suggestions, or comments to Documentation Feedback
([email protected]). Include the document title and part number, version number, or the URL
when submitting your feedback.
316
Documentation feedback
Index
A
anti-phishing software policy
adding, 94
deleting, 95
details, 93
basic information section, 93
Mac OS section, 93
windows operating system section, 93
list contents, 93
management, 93
modifying, 94
viewing
details, 94
list, 93
anti-spyware software policy
adding, 88, 134
deleting, 90, 136
details, 87, 133
basic information section, 87
Mac OS section, 87
windows operating system section, 87
list contents, 87, 133
management, 86, 133
modifying, 89, 135
viewing
details, 88
list, 88
policy details, 134
policy list, 134
anti-virus software policy
adding, 83, 130
deleting, 86, 133
details, 81, 129
basic information section, 82
linux operating system section, 82
Mac OS section, 82
windows operating system section, 82
list contents, 81, 129
management, 81, 129
modifying, 85, 132
viewing
details, 83, 130
list, 82, 130
asset audit, 198
asset file check list
details
basic information section, 217
file list section, 217
asset groups
adding, 155
automatically based on user groups, 156
manually, 156
subgroup, 156
deleting, 157
details, 154
asset group details section, 154
authorized operator section, 155
basic information section, 154
immediate parent group list section, 155
granting operator privileges to manage, 158
list contents, 154
managing, 153
modifying, 157
viewing
details, 155
list, 155
asset hardware change
information list contents, 199
querying, 200
advanced, 200
basic, 200
record audit, 198
record details, 199
viewing
list, 199
record details, 200
asset registration status check, 128
asset software change
information list contents, 202
querying, 204
advanced, 204
basic, 204
record audit, 201
record details, 203
viewing
record details, 203
record list, 203
asset statistics
asset type statistics reports
list, 179
pie chart, 178
collecting, 178
asset type statistics reports, 178
by asset type, 178
by CPU, 179
by hard disk, 180
by operating system, 182
by software installed, 184
CPU frequency statistics reports, 179
hard disk capacity statistics reports, 180
operating system language, 182
operating system version, 182
software installation statistics report, 184
type statistics reports, 180
CPU frequency statistics reports
list, 180
pie chart, 179
hard disk capacity statistics reports
list, 181
pie chart, 181
operating system language
317
list, 183
pie chart, 183
operating system version
list, 183
pie chart, 182
software installation statistics report
list, 184
type statistics reports
list, 181
pie chart, 181
assets
accessing details page
method 1, 164
method 2, 165
adding, 171
batch importing, 173
deleting, 175
details, 159
hardware information section, 161
IP address list section, 162
logical disk list section, 162
operating system information section, 160
partition list section, 162
patch list section, 163
port list section, 164
process list section, 163
screen saver information section, 162
service list section, 163
share list section, 163
software list section, 162
system information section, 159
export history
deleting record, 177
downloading record, 177
list contents, 177
viewing, 177
exporting, 176
function asset list, 176
information, 176
list contents, 159
managing, 158
export history, 177
modifying, 174
performing actions
asset change history contents, 168
change history, 168
check asset files, 167
delete, 166
modify, 165
printer monitor, 167
printer monitor list, 167
refresh, 168
regroup, 165
scan, 166
software deploy task list, 166
USB monitor, 166
USB monitor list, 166
viewing software deployment history, 166
querying, 168
318
Index
performing advanced query, 169
performing basic query, 168
registering, 158
regrouping, 175
viewing
details, 164
list, 164
viewing details
accessing details page, 164
hardware, 165
performing actions, 165
C
child node information details, 55
basic information area, 55
real-time statistics
on number of user-services failing security check, 56
on number of users, 55
client ACLs
adding, 70
deleting, 71
details, 68
viewing, 69
list
contents, 68
viewing, 69
managing, 68
modifying, 70
client driver
EAD audit, 233
iNode driver list contents, 233
querying errors, 234
viewing errors in iNode driver list, 233
computer security check
performing, 236, 238
result details, 236
basic information section, 237
hard disk partition table section, 237
installed patches section, 238
installed software section, 238
running processes section, 238
running services section, 238
screen saver settings section, 237
share list section, 237
contacting HP, 315
conventions
document, 315
D
DAM
collecting
asset statistics, 178
configuring, 153
exporting
asset information, 176
managing
asset, 158
asset export history, 177
asset groups, 153
export task, 184
service parameters, 312
DAM service parameters
configuring, 314
validating, 314
method 1, 314
method 2, 314
deploy asset
list contents, 225
deploy group
list contents, 225
deployment, 59
configuring
manual, 60
services, 60
contents, 60
scheduling automatic, 60
deployment history, 61
list
contents, 61
viewing, 61
querying, 62
desktop asset management
desktop monitoring, 23
software deployment, 24
desktop control policies
configuring, 186
desktop control schemes
adding, 187
configuring, 186
deleting, 188
details, 186
basic information section, 186
policy list section, 187
list contents, 186
modifying, 188
viewing
details, 187
list, 187
document
conventions, 315
documentation, providing feedback on, 316
domain URL classes
adding, 75
configuring check items, 76
deleting, 77
details, 75
item list contents, 75
list contents, 75
managing, 74
modifying, 77
viewing
class list, 75
details, 75
E
EAD
audit, 230
service parameters, 310
configuring, 311
validating, 311
EAD audit
client driver, 233
performing computer security check, 236
security logs, 230
security status audit, 234
EAD component, 18
DAM service module, 19
EAD service module, 18
EAD component functions, 19
desktop asset, 22
ead audit, 25
EAD service report, 24
internet access control, 24
security policy, 19
service parameters, 24
EAD global network monitoring diagram
accessing, 63
adding, 64
customizing background picture, 65
left-click menu
of a node, 64
managing node icons, 66
right-click menu, 64
right-click menu of a node, 64
setting preloaded background picture, 65
toolbar contents, 63
EAD planning considerations, 25
configuring
desktop control policies, 26
security policies, 26
identifying
available features using iNode client with EAD and
DAM, 26
number of access users, 26
terminal types, 26
physical location of the enterprise or organization, 25
EAD security policy
EAD component, 18
EAD component functions, 19
EAD planning considerations, 25
EAD solution, 18
overview, 18
EAD service parameters
configuring, 311
validating, 311
method 1, 311
method 2, 311
EAD service reports, 240
real-time reports, 241
all-node online users 24-hour trend graph, 242
asset information report, 243
asset type report, 244
asset usage report, 246
CPU report, 247
hard-disk capability report, 248
illegal peripheral use report, 249
insecurity category statistic report, 251
319
multi-node certain security policy statistics report, 253
multi-node online users comparison chart, 254
multi-node security check items report, 256
multi-node single-security check item failures
comparison chart, 258
multi-node user counts comparison chart, 259
multi-node user data statistics report, 261
online user security status report, 262
OS language report, 263
OS version report, 264
safe log gather statistic report, 265
single-node online users 24-hour trend graph, 268
single-node security check failure report, 269
software installation report, 271
scheduled reports, 272
asset information report, 273
asset type report, 276
asset usage report, 279
CPU report, 281
hard-disk capacity report, 284
illegal peripheral use report, 287
insecurity category statistic report, 291
online user security status report, 294
OS language report, 297
OS version report, 299
safe log gather statistic report, 302
software installation report, 306
EAD solution, 18
energy saving policies
adding, 192
configuring, 191
deleting, 193
list contents, 192
modifying, 192
viewing list, 192
export task
configuring, 185
list contents, 184
managing, 184
viewing management list, 185
F
file-type PC software control groups
adding, 113
deleting, 115
details, 111
basic information contents, 111
file list information, 112
modifying, 113
viewing, 112
firewall software policy
adding, 92
deleting, 92
details, 91
basic information section, 91
linux operating system section, 91
Mac OS section, 91
windows operating system section, 91
list contents, 91
320 Index
management, 90
modifying, 92
viewing
details, 91
list, 91
H
hard disk encryption software policy
adding, 96
deleting, 97
details, 96
basic information section, 96
windows operating system section, 96
list contents, 95
management, 95
modifying, 97
viewing
details, 96
list, 96
help
obtaining, 315
hierarchical node management, 54
child node
adding, 58
deleting, 59
information details, 55
modifying, 58
child node details, viewing, 57
child node list
contents, 54
viewing, 57
modifying name of the current node, 57
parent node
confirming, 59
deleting, 59
information, 57
HP
technical support, 315
I
internet access
controlling, 143
internet access audit logs
managing, 148
performing
advanced query, 149
basic query, 149
viewing
details, 150
list, 148
internet access audit policies
adding, 147
deleting, 148
managing, 146
modifying, 147
viewing
details, 146
list, 146
internet access configuration
adding, 144
assigning, 151
access policy, 152
services, 152
deleting, 146
managing, 143
modifying, 145
viewing
details, 144
list, 143
internet access logging parameters
configuring, 151
IP URL classes
adding, 78
deleting, 79
details, 78
list contents, 78
managing, 77
modifying, 79
viewing
details, 78
list, 78
M
monitoring alarm policies
adding, 195
configuring, 193
deleting, 197
details, 193
basic information section, 194
hardware changes monitoring section, 194
printer monitoring section, 194
software changes monitoring section, 194
USB monitoring section, 194
list contents, 193
modifying, 196
viewing
details, 195
list, 195
O
online users
customizing, 236
list contents, 234
viewing list, 235
P
page navigation
aids, 28
menus, 28
password control, 127
modifying, 127
patch management software
configuring, 115
list contents, 115
management, 115
PC software control groups
downloading and using the MD5 tool, 101
list contents, 98
management, 98
managing
adding common software list, 100
common software, 99
common software list, 99
deleting common software product, 101
file-type, 111
importing common software in batches, 100
process-type, 105
querying common software list, 100
service-type, 109
software-type, 102
viewing common software list, 100
querying, 99
viewing list, 99
peripheral management policies
adding, 190
configuring, 188
deleting, 191
details, 189
basic information section, 189
disable devices section, 189
list contents, 188
modifying, 191
viewing
details, 190
list, 189
printer monitoring record
audit, 209
details, 210
exporting, 212
list contents, 209
printer monitor log export history list contents, 213
querying, 211
advanced, 211
basic, 211
viewing
details, 210
export history of printer monitoring records, 212
list, 210
process-type PC software control group
adding, 107
deleting, 108
details, 105
basic information contents, 105
process list information , 106
modifying, 107
viewing, 106
R
real-time monitoring
configuring, 45
enabling, 45
modifying parameters, 46
real-time reports
all-node online users 24-hour trend graph
fields, 243
parameters, 243
asset information report
321
fields, 244
parameters, 244
asset type report
parameters, 245
asset type statistics
list, 245
pie chart, 245
asset usage report
fields, 246
parameters, 246
CPU report
fields, 247
parameters, 247
hard-disk capability report
parameters, 248
hard-disk capability statistics
pie chart, 249
hard-disk type statistics, 249
illegal peripheral use report
parameters, 250
statistics pie chart, 251
usage type statistics list, 251
insecurity category statistic report
list, 252
parameters, 252
pie chart, 252
multi-node certain security policy statistics report
fields, 254
parameters, 254
multi-node online users comparison chart
fields, 256
parameters, 256
multi-node security check items report
fields, 257
parameters, 257
multi-node single-security check item failures comparison
chart
fields, 259
parameters, 259
multi-node user counts comparison chart
fields, 261
parameters, 260
multi-node user data statistics report
fields, 261
parameters, 261
online user security status report
parameters, 262
statistics list, 262
statistics pie chart, 262
OS language report
asset statistics, 264
parameters, 264
statistics pie chart, 264
OS version report
asset statistics, 265
parameters, 265
statistics pie chart, 265
safe log gather statistic report
insecurity category statistics, 268
322 Index
parameters, 267
statistic pie chart, 267
single-node online users 24-hour trend graph
fields, 269
parameters, 269
single-node security check failure report
bar chart, 271
software installation report
fields, 272
parameters, 272
receipt history, 61
list
contents, 61
viewing, 61
querying, 62
registry control
adding, 121
deleting, 122
list
contents, 119
details, 120
list details
basic information section, 120
registry entry section, 120
modifying, 122
policy management, 119
querying, 121
viewing, 121
list, 121
roaming online users
list contents, 235
viewing list, 235
S
scheduled reports
asset information report
adding, 273
fields, 276
parameters, 275
viewing, 275
asset type report
adding, 276
parameter, 278
statistics pie chart, 278
viewing, 278
asset usage report
adding, 279
fields, 281
parameters, 281
viewing, 280
CPU report
adding, 281
fields, 284
parameters, 283
viewing, 283
hard-disk capacity report
adding, 284
parameter, 286
statistics pie chart, 286
viewing, 286
illegal peripheral use report
adding, 287
parameters, 290
statistics pie chart, 290
viewing, 289
insecurity category statistic report
adding, 291
parameters, 294
pie chart, 294
viewing, 293
online user security status report
adding, 294
parameters, 297
statistics pie chart, 297
viewing, 296
OS language report
adding, 297
parameters, 299
statistics pie chart, 299
viewing, 298
OS version report
adding, 299
parameters, 301
statistics pie chart, 301
viewing, 301
safe log gather statistic report
adding, 302
parameters, 305
statistic pie chart, 306
viewing, 305
software installation report
adding, 306
fields, 309
parameters, 308
viewing, 308
security check items
configuring for PCs, 81
security level details, 48
anti-phishing software area, 50
anti-spyware software area, 50
anti-virus area, 49
asset registration status area, 52
basic information area, 49
firewall software area, 50
hard disk encryption software area, 50
operating system password area, 52
patch management software area, 51
PC software control group area, 50
registry area, 51
share area, 51
smart terminal
configuration, 51
software control group area, 50
traffic monitoring area, 49
windows patches area, 51
security level management, 47
security level
adding, 52
deleting, 53
details, 48
list contents, 48
making action take effect, 48
modifying, 53
viewing details, 52
viewing list, 52
security logs
details, 230
basic information area, 231
details section, 231
EAD audit, 230
list contents, 230
querying, 232
advanced, 232
basic, 232
viewing
details, 231
list, 231
security policies
assigning, 46
assigning security policy to an access policy, 47
configuring, 33
security level management, 47
security policy management, 33
default security policy to a service, assigning, 46
deploying security policies, 59
deploying services, 59
parameters, 59
deployment history, 61
EAD global network monitoring diagram, 63
hierarchical node management, 54
receipt history, 61
security policy details, 34
ant-virus software control area, 36
anti-phishing software control area, 37
anti-spyware software control area, 36
asset registration status check area, 42
basic information area, 34
firewall software control area, 37
hard disk encryption software control area, 38
isolation mode area, 35
patch management software control area, 40
periodic check area, 42
registry control area, 41
share control area, 42
smart terminal policy area, 42
smart terminal software control area, 39
software control area, 38
URL control area, 36
windows patch control area, 40
security policy management, 33
configuring
default security policy for roaming users, 46
real-time monitoring, 45
security policy
adding, 43
assigning, 46
deleting, 44
323
modifying, 44
security policy details, 34
viewing, 43
security policy list
contents, 33
viewing, 42
security status audit
online users, 234
roaming online users, 234
service parameters
DAM, 312
EAD, 310
management, 310
service-type PC software control group
adding, 110
basic information contents, 109
deleting, 111
details, 109
service list information, 109
modifying, 110
viewing, 110
share control
adding, 124
deleting, 125
details, 123
list contents, 123
management, 123
modifying, 124
viewing
details, 124
list, 124
smart terminal policy
adding, 141
deleting, 142
details, 140
list contents, 140
management, 140
modifying, 141
viewing
details, 141
list, 141
smart terminal software control
group
details, 137
list contents, 136
group details
basic information contents, 137
software list information, 138
management, 136
smart terminal software control group
adding, 139
deleting, 140
modifying, 139
querying, 138
viewing
details, 138
list, 138
smart terminals
configuring security check items, 129
324 Index
software deploy task
adding, 228
configuring, 223
deleting, 229
details, 223
basic information section, 224
software deployment targets section, 225
list contents, 223
modifying, 229
querying, 226
advanced, 227
basic, 226
viewing
details, 226
list, 226
software deployment
configuring, 221
server settings, 221
preparing to use, 221
software deployment server settings
adding, 222
configuring, 221
deleting, 223
details, 221
list contents, 221
modifying, 222
viewing
details, 222
list, 222
software-type PC software control group
adding, 103
deleting, 105
details, 102
basic information contents, 102
software list information, 102
modifying, 103
viewing, 102
T
task execution result
details, 226
technical support
HP, 315
terminal access control, 67
client ACLs
managing, 68
configuring, 67
isolation mode, 67
managing
domain URL classes, 74
IP URL classes, 77
URL control policies, 71
URL access control , 68
terminal file
asset file check list
contents, 216
details, 217
audit, 216
auditing, 218
exporting audit results, 219
querying, 217
viewing
audit results, 219
audit task list, 217
traffic control
adding, 126
deleting, 127
list
contents, 125
details, 125
list details
basic information section, 125
broadcast packet monitoring section, 126
IP traffic monitoring section, 126
packet monitoring section, 126
TCP/UDP connection monitoring section, 126
management, 125
modifying, 127
viewing
details, 126
list, 126
typographic conventions, 315
basic, 207
viewing
details, 206
list, 206
viewing USB monitor log export history, 209
W
windows patch control , 115
adding windows patch, 117
applicable windows version list, 116
deleting windows patch, 117
information details, 116
list contents, 116
modifying windows patch, 117
querying windows patches, 116
viewing windows patch list, 116
windows versions
adding, 118
deleting, 119
list contents, 118
managing, 118
viewing, 118
U
unauthorized peripheral use record
audit, 213
exporting, 216
illegal peripheral use
log export history list contents, 214
report list contents, 213
querying, 214
advanced, 215
basic, 214
viewing
export history of the unauthorized peripheral use
records, 214
list, 214
URL control policies
adding, 73
deleting, 74
details, 72
list contents, 71
managing, 71
modifying, 73
viewing
details, 73
list, 72
USB monitoring record
audit, 205
details, 206
information of USB copied files section, 206
list of USB copied files section, 206
exporting, 208
USB monitor log export history list contents, 208
USB monitoring records, 208
list, 205
querying, 207
advanced, 207
325

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2024 Paperzz