HP Intelligent Management Center – EAD Security Policy Administrator Guide HP Part Number: 5998-3318 Software Version: 5.2 (0401) Published: February 2013 Edition: 1.0 © Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Acknowledgments Microsoft®, Windows®, and Windows® XP are U.S. registered trademarks of Microsoft Corporation. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Contents 1 EAD Security Policy overview.....................................................................18 EAD solution..........................................................................................................................18 EAD component.....................................................................................................................18 EAD service module...........................................................................................................18 DAM service module..........................................................................................................19 EAD component functions........................................................................................................19 Security policy...................................................................................................................19 Basic Information..........................................................................................................20 Terminal Access Control.................................................................................................20 Security check items for PCs............................................................................................21 Security check items for smart terminals............................................................................21 Hierarchical node management......................................................................................22 Desktop asset....................................................................................................................22 Asset registration...........................................................................................................22 Configuring DAM..........................................................................................................22 Desktop monitoring.......................................................................................................23 Asset audit...................................................................................................................23 Software deployment.....................................................................................................24 Internet access control........................................................................................................24 Service parameters............................................................................................................24 EAD service report.............................................................................................................24 EAD audit.........................................................................................................................25 EAD planning considerations...................................................................................................25 Physical location of the enterprise or organization..................................................................25 Identifying the number of access users..................................................................................26 Identifying the terminal types...............................................................................................26 Identifying available features when using the iNode client with EAD and DAM..........................26 Configuring security policies and desktop control policies........................................................26 2 Page navigation menus and aids................................................................28 3 Configuring security policies......................................................................33 Security policy management....................................................................................................33 Security policy list contents..................................................................................................33 Security policy details.........................................................................................................34 Basic Information area...................................................................................................34 Isolation Mode area......................................................................................................35 URL Control area...........................................................................................................36 Anti-Virus Software Control area......................................................................................36 Anti-Spyware Software Control area................................................................................36 Firewall Software Control area........................................................................................37 Anti-Phishing Software Control area.................................................................................37 Hard Disk Encryption Software Control area.....................................................................38 PC Software Control area...............................................................................................38 Smart Terminal Software Control area..............................................................................39 Patch Management Software Control area........................................................................40 Windows Patch Control area..........................................................................................40 Registry Control area.....................................................................................................41 Share Control area........................................................................................................42 Smart Terminal Policy area.............................................................................................42 Asset registration status check area..................................................................................42 Periodic check area.......................................................................................................42 Contents 3 Viewing the security policy list.............................................................................................42 Viewing security policy details.............................................................................................43 Adding a security policy.....................................................................................................43 Modifying a security policy.................................................................................................44 Deleting a security policy....................................................................................................44 Configuring real-time monitoring..........................................................................................45 Enabling real-time monitoring.........................................................................................45 Modifying the real-time monitoring parameters..................................................................46 Configuring the default security policy for roaming users.........................................................46 Assigning security policies...................................................................................................46 Assigning the default security policy to a service...............................................................46 Assigning a security policy to an access policy.................................................................47 Security level management.......................................................................................................47 Making a security level action take effect..............................................................................48 Special cases...............................................................................................................48 Abnormal traffic.......................................................................................................48 WSUS/SMS Server Collaboration Failure and Auto-Installation Failure............................48 Security level list contents....................................................................................................48 Security level details...........................................................................................................48 Basic Information area...................................................................................................49 Traffic Monitoring area..................................................................................................49 Anti-Virus Software area.................................................................................................49 Anti-Spyware Software area...........................................................................................50 Firewall Software area...................................................................................................50 Anti-Phishing Software area............................................................................................50 Hard Disk Encryption Software area................................................................................50 PC Software Control Group area.....................................................................................50 Smart Terminal Software Control Group area....................................................................50 Patch Management Software area...................................................................................51 Windows Patches area..................................................................................................51 Registry area................................................................................................................51 Share area...................................................................................................................51 Smart Terminal Configuration..........................................................................................51 Asset Registration Status area.........................................................................................52 Operating System Password area....................................................................................52 Viewing the security level list...............................................................................................52 Viewing security level details...............................................................................................52 Adding a security level.......................................................................................................52 Modifying a security level...................................................................................................53 Deleting a security level......................................................................................................53 Hierarchical node management................................................................................................54 Child node list contents.......................................................................................................54 Child node information details.............................................................................................55 Basic Information area...................................................................................................55 Real-time statistics on the number of users on the child node area........................................55 Real-time statistics on the number of user-services failing the security check on the child nodes area............................................................................................................................56 Parent node information......................................................................................................57 Viewing the child node list..................................................................................................57 Modifying the name of the current node................................................................................57 Viewing child node details..................................................................................................57 Adding a child node..........................................................................................................58 Modifying a child node......................................................................................................58 Deleting a child node.........................................................................................................59 Confirming the parent node................................................................................................59 4 Contents Deleting the parent node....................................................................................................59 Deploying services, security policies, and service parameters........................................................59 Deployment contents..........................................................................................................60 Configuring the services to be deployed................................................................................60 Scheduling automatic deployment........................................................................................60 Configuring manual deployment..........................................................................................60 Deployment and receipt history................................................................................................61 Deployment history list contents............................................................................................61 Receipt history list contents..................................................................................................61 Viewing the deployment history list.......................................................................................61 Viewing the receipt history list..............................................................................................61 Querying the deployment history.........................................................................................62 Querying the receipt history of a child node..........................................................................62 EAD global network monitoring diagram...................................................................................63 Accessing the EAD global network monitoring diagram..........................................................63 Toolbar contents............................................................................................................63 Right-click menu of the EAD global network monitoring diagram..........................................64 Right-click menu of a node..............................................................................................64 Left-click information of a node........................................................................................64 Adding a node to the EAD global network monitoring diagram...............................................64 Customizing the background picture with a local image..........................................................65 Setting a preloaded background picture...............................................................................65 Managing node icons........................................................................................................66 4 Configuring terminal access control............................................................67 Terminal access control...........................................................................................................67 Isolation mode...................................................................................................................67 URL access control.............................................................................................................68 Managing client ACLs.............................................................................................................68 Client ACL list contents........................................................................................................68 Client ACL details..............................................................................................................68 Viewing the client ACL list...................................................................................................69 Viewing client ACL details...................................................................................................69 Adding a client ACL...........................................................................................................70 Modifying a client ACL.......................................................................................................70 Deleting a client ACL..........................................................................................................71 Managing URL control policies.................................................................................................71 URL control policy list contents.............................................................................................71 URL control policy details....................................................................................................72 Viewing the URL control policy list........................................................................................72 Viewing the URL control policy details...................................................................................73 Adding a URL control policy................................................................................................73 Modifying a URL control policy............................................................................................73 Deleting a URL control policy...............................................................................................74 Managing domain URL classes.................................................................................................74 Domain URL class list contents.............................................................................................75 Domain URL class details....................................................................................................75 Domain URL item list contents..............................................................................................75 Viewing the domain URL class list.........................................................................................75 Viewing the domain URL class details...................................................................................75 Adding a domain URL class................................................................................................75 Configuring domain URL check items....................................................................................76 Modifying a domain URL class............................................................................................77 Deleting a domain URL class...............................................................................................77 Managing IP URL classes.........................................................................................................77 Contents 5 IP URL class list contents......................................................................................................78 IP URL class details.............................................................................................................78 Viewing the IP URL class list.................................................................................................78 Viewing the IP URL class details...........................................................................................78 Adding an IP URL class.......................................................................................................78 Modifying an IP URL class...................................................................................................79 Deleting an IP URL class......................................................................................................79 5 Configuring security check items for PCs......................................................81 Anti-virus software policy management......................................................................................81 Anti-virus software policy list contents....................................................................................81 Anti-virus software policy details..........................................................................................81 Basic information section................................................................................................82 Windows operating system, Linux operating system, and Mac OS operating system sections.......................................................................................................................82 Viewing the anti-virus software policy list...............................................................................82 Viewing anti-virus software policy details...............................................................................83 Adding an anti-virus software policy.....................................................................................83 Modifying an anti-virus software policy.................................................................................85 Deleting an anti-virus software policy....................................................................................86 Anti-spyware software policy management.................................................................................86 Anti-spyware software policy list contents..............................................................................87 Anti-spyware software policy details.....................................................................................87 Basic information section................................................................................................87 Windows Operating System and Mac OS Operating System sections..................................87 Viewing the anti-spyware software policy list.........................................................................88 Viewing the anti-spyware software policy details....................................................................88 Adding an anti-spyware software policy...............................................................................88 Modifying an anti-spyware policy........................................................................................89 Deleting an anti-spyware software policy..............................................................................90 Firewall software policy management........................................................................................90 Firewall software policy list contents.....................................................................................91 Firewall software policy details............................................................................................91 Basic information section................................................................................................91 Windows Operating System, Linux Operating System, and Mac OS Operating System sections.......................................................................................................................91 Viewing the firewall software policy list.................................................................................91 Viewing firewall software policy details.................................................................................91 Adding a firewall software policy.........................................................................................92 Modifying a firewall software policy.....................................................................................92 Deleting a firewall software policy........................................................................................92 Anti-phishing software policy management................................................................................93 Anti-phishing software policy list contents..............................................................................93 Anti-phishing software policy details.....................................................................................93 Basic information section................................................................................................93 Windows Operating System and Mac OS Operating System sections..................................93 Viewing the anti-phishing software policy list.........................................................................93 Viewing anti-phishing software policy details.........................................................................94 Adding an anti-phishing software policy...............................................................................94 Modifying an anti-phishing software policy...........................................................................94 Deleting an anti-phishing software policy..............................................................................95 Hard disk encryption software policy management.....................................................................95 Hard disk encryption software policy list contents...................................................................95 Hard disk encryption software policy details..........................................................................96 Basic information section................................................................................................96 6 Contents Windows Operating System section.................................................................................96 Viewing the hard disk encryption software policy list..............................................................96 Viewing hard disk encryption software policy details..............................................................96 Adding a hard disk encryption software policy......................................................................96 Modifying a hard disk encryption software policy..................................................................97 Deleting a hard disk encryption software policy.....................................................................97 PC software control groups management...................................................................................98 PC software control group list contents..................................................................................98 Viewing the PC software control group list.............................................................................99 Querying PC software control groups...................................................................................99 Managing common software...............................................................................................99 Common software list....................................................................................................99 Viewing the common software list..................................................................................100 Querying the common software....................................................................................100 Adding a common software product..............................................................................100 Importing common software in batches..........................................................................100 Deleting a common software product.............................................................................101 Downloading and using the MD5 tool................................................................................101 Managing software-type PC software control groups............................................................102 Software-type PC software control group details..............................................................102 Basic information contents.......................................................................................102 Software list information..........................................................................................102 Viewing a software-type PC software control group..........................................................102 Adding a software-type PC software control group..........................................................103 Modifying a software-type PC software control group......................................................103 Deleting a software-type PC software control group.........................................................105 Managing process-type PC software control groups..............................................................105 Process-type PC software control group details................................................................105 Basic information contents.......................................................................................105 Process list information............................................................................................106 Viewing a process-type PC software control group...........................................................106 Adding a process-type PC software control group............................................................107 Modifying a process-type PC software control group........................................................107 Deleting a process-type PC software control group...........................................................108 Managing service-type PC software control groups...............................................................109 Service-type PC software control group details................................................................109 Basic information contents.......................................................................................109 Service list information............................................................................................109 Viewing a service-type PC software control group............................................................110 Adding a service-type PC software control group.............................................................110 Modifying a service-type PC software control group.........................................................110 Deleting a service-type PC software control group...........................................................111 Managing file-type PC software control groups....................................................................111 File-type PC software control group details......................................................................111 Basic information contents.......................................................................................111 File list information..................................................................................................112 Viewing a file-type PC software control group.................................................................112 Adding a file-type PC software control group..................................................................113 Modifying a file-type PC software control group..............................................................113 Deleting a file-type PC software control group.................................................................115 Patch management software management................................................................................115 Patch management software list contents.............................................................................115 Configuring patch management software management.........................................................115 Windows patch control.........................................................................................................115 Windows patch list contents..............................................................................................116 Contents 7 Windows patch information details....................................................................................116 Applicable Windows version list........................................................................................116 Viewing the Windows patch list.........................................................................................116 Querying the Windows patches.........................................................................................116 Adding a Windows patch.................................................................................................117 Modifying a Windows patch.............................................................................................117 Deleting a Windows patch................................................................................................117 Managing Windows versions.................................................................................................118 Windows version list contents............................................................................................118 Viewing a Windows version..............................................................................................118 Adding a Windows version...............................................................................................118 Deleting a Windows version..............................................................................................119 Registry control policy management........................................................................................119 Registry control list contents...............................................................................................119 Registry control list details.................................................................................................120 Basic information section..............................................................................................120 Registry entry section...................................................................................................120 Viewing the registry control list..........................................................................................121 Viewing a registry control.................................................................................................121 Querying the registry control.............................................................................................121 Adding a registry control..................................................................................................121 Modifying a registry control..............................................................................................122 Deleting a registry control.................................................................................................122 Share control management....................................................................................................123 Share control list contents..................................................................................................123 Share control details.........................................................................................................123 Viewing the share control list.............................................................................................124 Viewing share control details.............................................................................................124 Adding a share control.....................................................................................................124 Modifying a share control.................................................................................................124 Deleting a share control....................................................................................................125 Traffic control management....................................................................................................125 Traffic control list contents..................................................................................................125 Traffic control list details....................................................................................................125 Basic information section..............................................................................................125 IP Traffic Monitoring section..........................................................................................126 Broadcast Packet Monitoring section..............................................................................126 Packet Monitoring section.............................................................................................126 TCP/UDP Connection Monitoring section.......................................................................126 Viewing the traffic control list.............................................................................................126 Viewing traffic control details.............................................................................................126 Adding a traffic control.....................................................................................................126 Modifying a traffic control.................................................................................................127 Deleting a traffic control....................................................................................................127 Password control...................................................................................................................127 Modifying a password control...........................................................................................127 Asset registration status check.................................................................................................128 6 Configuring security check items for smart terminals....................................129 Anti-virus software policy management....................................................................................129 Anti-virus software policy list contents .................................................................................129 Anti-virus software policy details........................................................................................129 Viewing the anti-virus software policy list.............................................................................130 Viewing anti-virus software policy details.............................................................................130 Adding an anti-virus software policy...................................................................................130 8 Contents Modifying an anti-virus software policy...............................................................................132 Deleting an anti-virus software policy..................................................................................133 Anti-spyware software policy management...............................................................................133 Anti-spyware software policy list contents............................................................................133 Anti-spyware software policy details...................................................................................133 Viewing the anti-spyware software policy list.......................................................................134 Viewing anti-spyware software policy details.......................................................................134 Adding an anti-spyware software policy.............................................................................134 Modifying an anti-spyware policy......................................................................................135 Deleting an anti-spyware software policy............................................................................136 Smart terminal software control management...........................................................................136 Smart terminal software control group list contents................................................................136 Smart terminal software control group details......................................................................137 Basic information contents............................................................................................137 Software list information...............................................................................................138 Viewing the smart terminal software control group list...........................................................138 Querying the smart terminal software control group..............................................................138 Viewing smart terminal software control group details...........................................................138 Adding a smart terminal software control group...................................................................139 Modifying a smart terminal software control group...............................................................139 Deleting a smart terminal software control group..................................................................140 Smart terminal policy management.........................................................................................140 Smart terminal policy list contents.......................................................................................140 Smart terminal policy details.............................................................................................140 Viewing the smart terminal policy list..................................................................................141 Viewing smart terminal policy details..................................................................................141 Adding smart terminal policy.............................................................................................141 Modifying a smart terminal policy......................................................................................141 Deleting a smart terminal policy.........................................................................................142 7 Controlling Internet access.......................................................................143 Managing Internet access configurations.................................................................................143 Viewing the Internet access configuration list........................................................................143 Viewing Internet access configuration details.......................................................................144 Adding an Internet access configuration..............................................................................144 Modifying an Internet access configuration..........................................................................145 Deleting an Internet access configuration............................................................................146 Managing Internet access audit policies..................................................................................146 Viewing the Internet access audit policy list.........................................................................146 Viewing Internet access audit policy details.........................................................................146 Adding an Internet access audit policy...............................................................................147 Modifying an Internet access audit policy...........................................................................147 Deleting an Internet access audit policy..............................................................................148 Managing Internet access audit logs.......................................................................................148 Viewing the Internet access audit log list.............................................................................148 Performing a basic query for Internet access audit logs.........................................................149 Performing an advanced query for Internet access audit logs.................................................149 Viewing Internet access audit log details.............................................................................150 Configuring Internet access logging parameters........................................................................151 Assigning Internet access configurations to services and access policies.......................................151 Assigning an Internet access configuration to a service.........................................................152 Assigning an Internet access configuration to an access policy...............................................152 8 Configuring DAM...................................................................................153 Managing asset groups.........................................................................................................153 Asset group list contents....................................................................................................154 Contents 9 Asset group details...........................................................................................................154 Basic information section..............................................................................................154 Asset group details section...........................................................................................154 Immediate parent group list section................................................................................155 Authorized operator section..........................................................................................155 Viewing the asset group list...............................................................................................155 Viewing asset group details...............................................................................................155 Adding asset groups........................................................................................................155 Manually adding an asset group...................................................................................156 Automatically adding asset groups based on user groups.................................................156 Adding a subgroup for an asset group...........................................................................156 Modifying an asset group.................................................................................................157 Deleting an asset group....................................................................................................157 Granting an operator privileges to manage asset groups.......................................................158 Managing assets..................................................................................................................158 Registering assets.............................................................................................................158 Asset list contents.............................................................................................................159 Asset details....................................................................................................................159 System information section............................................................................................159 Operating system information section.............................................................................160 Hardware information section.......................................................................................161 Screen saver information section...................................................................................162 IP address list section...................................................................................................162 Partition list section......................................................................................................162 Logical disk list section.................................................................................................162 Software list section.....................................................................................................162 Patch list section..........................................................................................................163 Process list section.......................................................................................................163 Service list section.......................................................................................................163 Share list section.........................................................................................................163 Port list section............................................................................................................164 Viewing the asset list........................................................................................................164 Viewing asset details........................................................................................................164 Accessing the Asset Details page..................................................................................164 Method 1..............................................................................................................164 Method 2..............................................................................................................165 Viewing hardware details.............................................................................................165 Performing actions.......................................................................................................165 Regroup................................................................................................................165 Modify..................................................................................................................165 Delete...................................................................................................................166 Scan.....................................................................................................................166 Viewing an asset's software deployment history..........................................................166 Software Deploy Task List........................................................................................166 USB Monitor..........................................................................................................166 USB Monitor List.....................................................................................................166 Printer Monitor.......................................................................................................167 Printer Monitor List..................................................................................................167 Check Asset Files....................................................................................................167 Change History......................................................................................................168 Asset Change History contents.................................................................................168 Refresh..................................................................................................................168 Querying assets...............................................................................................................168 Performing a basic query.............................................................................................168 Performing an advanced query.....................................................................................169 10 Contents Adding an asset..............................................................................................................171 Batch importing assets......................................................................................................173 Modifying an asset..........................................................................................................174 Deleting an asset.............................................................................................................175 Regrouping an asset.........................................................................................................175 Exporting asset information....................................................................................................176 Asset export function asset list............................................................................................176 Exporting asset information...............................................................................................176 Managing the asset export history..........................................................................................177 Asset export history list contents.........................................................................................177 Viewing the asset export history.........................................................................................177 Downloading the asset export history record.......................................................................177 Deleting the asset export history record...............................................................................177 Collecting asset statistics........................................................................................................178 Collecting statistics by asset type........................................................................................178 Asset type statistics reports...........................................................................................178 Asset type statistics report—Pie chart.........................................................................178 Asset type statistics report—List.................................................................................179 Collecting statistics by CPU...............................................................................................179 CPU frequency statistics reports.....................................................................................179 CPU frequency statistics report—Pie chart..................................................................179 CPU frequency statistics report—List..........................................................................180 Collecting statistics by hard disk........................................................................................180 Hard disk capacity and type statistics reports..................................................................180 Hard disk capacity statistics report—Pie chart............................................................181 Hard disk capacity statistics report—List....................................................................181 Hard disk type statistics report—Pie chart..................................................................181 Hard disk type statistics report—List..........................................................................181 Collecting statistics by operating system..............................................................................182 Operating system version and language statistics reports..................................................182 Operating system version statistics report—Pie chart....................................................182 Operating system version statistics report—List............................................................183 Operating system language statistics report—Pie chart ...............................................183 Operating system language statistics report—List........................................................183 Collecting statistics by software installed.............................................................................184 Software installation statistics report...............................................................................184 Software installation statistics report..........................................................................184 Managing the export task......................................................................................................184 Export task list contents.....................................................................................................184 Viewing the export task management list.............................................................................185 Configuring the export task...............................................................................................185 9 Configuring desktop control schemes and policies.......................................186 Configuring desktop control schemes.......................................................................................186 Desktop control scheme list contents...................................................................................186 Desktop control scheme details..........................................................................................186 Basic information section..............................................................................................186 Policy list section.........................................................................................................187 Viewing the desktop control scheme list...............................................................................187 Viewing desktop control scheme details..............................................................................187 Adding a desktop control scheme......................................................................................187 Modifying a desktop control scheme..................................................................................188 Deleting a desktop control scheme.....................................................................................188 Configuring peripheral management policies............................................................................188 Peripheral management policy list contents..........................................................................188 Contents 11 Peripheral management policy details.................................................................................189 Basic information section..............................................................................................189 Disable devices section................................................................................................189 Viewing the peripheral management policy list....................................................................189 Viewing peripheral management policy details....................................................................190 Adding a peripheral management policy............................................................................190 Modifying a peripheral management policy........................................................................191 Deleting a peripheral management policy...........................................................................191 Configuring energy saving policies.........................................................................................191 Energy saving policy list contents.......................................................................................192 Viewing the energy saving policy list..................................................................................192 Adding an energy saving policy........................................................................................192 Modifying an energy saving policy....................................................................................192 Deleting an energy saving policy.......................................................................................193 Configuring monitoring alarm policies.....................................................................................193 Monitoring alarm policy list contents..................................................................................193 Monitoring alarm policy details.........................................................................................193 Basic information section..............................................................................................194 USB monitoring section................................................................................................194 Printer monitoring section.............................................................................................194 Hardware changes monitoring section...........................................................................194 Software changes monitoring section.............................................................................194 Viewing the monitoring alarm policy list..............................................................................195 Viewing monitoring alarm policy details..............................................................................195 Adding a monitoring alarm policy.....................................................................................195 Modifying a monitoring alarm policy..................................................................................196 Deleting a monitoring alarm policy....................................................................................197 10 Asset audit...........................................................................................198 Asset hardware change record audit.......................................................................................198 Asset hardware change information list contents...................................................................199 Asset hardware change record details................................................................................199 Viewing the asset hardware change information list..............................................................199 Viewing asset hardware change record details....................................................................200 Querying asset hardware change records...........................................................................200 Basic query................................................................................................................200 Advanced query.........................................................................................................200 Asset software change record audit.........................................................................................201 Asset software change information list contents....................................................................202 Asset software change record details..................................................................................203 Viewing the asset software change record list......................................................................203 Viewing the asset software change record details.................................................................203 Querying the asset software change records........................................................................204 Basic query................................................................................................................204 Advanced query.........................................................................................................204 USB monitoring record audit..................................................................................................205 USB monitor list contents...................................................................................................205 USB monitoring record details...........................................................................................206 Information of USB copied files section...........................................................................206 List of USB copied files section......................................................................................206 Viewing the USB monitoring record list...............................................................................206 Viewing the USB monitoring record details..........................................................................206 Querying the USB monitoring records.................................................................................207 Basic query................................................................................................................207 Advanced query.........................................................................................................207 12 Contents Exporting the USB monitoring records.................................................................................208 USB monitor log export history list contents.....................................................................208 Exporting USB monitoring records.................................................................................208 Viewing the USB monitor log export history.........................................................................209 Printer monitoring record audit...............................................................................................209 Printer monitor list contents................................................................................................209 Printer monitoring record details........................................................................................210 Viewing the printer monitoring record list............................................................................210 Viewing the printer monitoring record details.......................................................................210 Querying the printer monitoring records..............................................................................211 Basic query................................................................................................................211 Advanced query.........................................................................................................211 Exporting the printer monitoring records.............................................................................212 Viewing the export history of the printer monitoring records...................................................212 Printer monitor log export history list contents.......................................................................213 Unauthorized peripheral use record audit................................................................................213 Illegal peripheral use report list contents..............................................................................213 Illegal peripheral use log export history list contents.............................................................214 Viewing the unauthorized peripheral use record list..............................................................214 Viewing the export history of the unauthorized peripheral use records.....................................214 Querying the unauthorized peripheral use records................................................................214 Basic query................................................................................................................214 Advanced query.........................................................................................................215 Exporting the unauthorized peripheral use records...............................................................216 Terminal file audit.................................................................................................................216 Asset file check list contents...............................................................................................216 Asset file check list details.................................................................................................217 Basic information section..............................................................................................217 File list section............................................................................................................217 Viewing the terminal file audit task list................................................................................217 Querying terminal file audit tasks.......................................................................................217 Auditing the terminal files..................................................................................................218 Viewing the terminal file audit results..................................................................................219 Exporting the terminal file audit results................................................................................219 11 Configuring software deployment............................................................221 Preparing to use the software deployment function....................................................................221 Configuring software deployment server settings.......................................................................221 Software server settings list contents...................................................................................221 Software deployment server settings details.........................................................................221 Viewing the software deployment server settings list..............................................................222 Viewing software deployment server settings details..............................................................222 Adding software deployment server settings........................................................................222 Modifying software deployment server settings....................................................................222 Deleting software deployment server settings.......................................................................223 Configuring software deploy tasks..........................................................................................223 Software deploy task list contents.......................................................................................223 Software deploy task details..............................................................................................223 Basic information section..............................................................................................224 Software deployment targets section .............................................................................225 Deploy group list contents........................................................................................225 Deploy asset list contents.........................................................................................225 Task execution result details...............................................................................................226 Viewing the software deploy task list..................................................................................226 Viewing software deploy task details..................................................................................226 Contents 13 Querying software deploy tasks.........................................................................................226 Basic query................................................................................................................226 Advanced query.........................................................................................................227 Adding a software deploy task..........................................................................................228 Modifying a software deploy task......................................................................................229 Deleting software deploy tasks...........................................................................................229 12 EAD audit............................................................................................230 Security logs........................................................................................................................230 Security log list contents....................................................................................................230 Security log details...........................................................................................................230 Basic information area.................................................................................................231 Details section............................................................................................................231 Viewing the security log list...............................................................................................231 Viewing security log details...............................................................................................231 Querying security logs......................................................................................................232 Basic query................................................................................................................232 Advanced query.........................................................................................................232 Client driver audit.................................................................................................................233 iNode driver list contents..................................................................................................233 Viewing client driver errors in the iNode Driver list................................................................233 Querying client drive errors...............................................................................................234 Security status audit for online and roaming users.....................................................................234 Online users list contents...................................................................................................234 Roaming online user list contents........................................................................................235 Viewing the online user list................................................................................................235 Viewing the roaming online user list...................................................................................235 Customizing the online user list..........................................................................................236 Performing a computer security check......................................................................................236 Computer security check result details.................................................................................236 Basic information section..............................................................................................237 Screen saver settings section.........................................................................................237 Hard disk partition table section....................................................................................237 Share list section.........................................................................................................237 Installed software section..............................................................................................238 Installed patches section...............................................................................................238 Running services section...............................................................................................238 Running processes section............................................................................................238 Performing a computer security check.................................................................................238 13 EAD service reports...............................................................................240 Real-time reports...................................................................................................................241 All-node online users 24-hour trend graph...........................................................................242 All-node online users 24-hour trend graph parameters......................................................243 All-node online users 24-hour trend graph fields..............................................................243 Asset information report....................................................................................................243 Asset information report parameters...............................................................................244 Asset information report fields.......................................................................................244 Asset type report..............................................................................................................244 Asset type report parameters........................................................................................245 Asset type statistics pie chart.........................................................................................245 Asset type statistics......................................................................................................245 Asset usage report...........................................................................................................246 Asset usage report parameters......................................................................................246 Asset usage report fields..............................................................................................246 CPU report......................................................................................................................247 14 Contents CPU report parameters................................................................................................247 CPU report fields.........................................................................................................247 Hard-disk capability report................................................................................................248 Hard disk capacity report parameters............................................................................248 Hard disk capacity statistics pie chart............................................................................249 Hard disk type statistics................................................................................................249 Illegal peripheral use report..............................................................................................249 Illegal peripheral use report parameters.........................................................................250 Illegal peripheral use statistics pie chart..........................................................................251 Illegal peripheral usage type statistics............................................................................251 Insecurity category statistic report.......................................................................................251 Insecurity category statistic report parameters.................................................................252 Insecurity category statistic pie chart..............................................................................252 Insecurity category statistics..........................................................................................252 Multi-node certain security policy statistics report..................................................................253 Multi-node certain security policy statistics report parameters............................................254 Multi-node certain security policy statistics report fields.....................................................254 Multi-node online users comparison chart............................................................................254 Multi-node online users comparison chart parameters......................................................256 Multi-node online users comparison chart.......................................................................256 Multi-node security check items report.................................................................................256 Multi-node security check items report parameters...........................................................257 Multi-node security check items report fields....................................................................257 Multi-node single-security check item failures comparison chart..............................................258 Multi-node single-security check item failures comparison chart parameters.........................259 Multi-node single-security check item failures comparison chart..........................................259 Multi-node user counts comparison chart.............................................................................259 Multi-node user counts comparison chart parameters.......................................................260 Multi-node user counts comparison chart........................................................................261 Multi-node user data statistics report...................................................................................261 Multi-node user data statistics report parameters..............................................................261 Multi-node user data statistics report fields......................................................................261 Online user security status report........................................................................................262 Online user security status report parameters..................................................................262 Online user security status category statistics pie chart.....................................................262 Online user security status statistics................................................................................262 OS language report.........................................................................................................263 OS language report parameters....................................................................................264 OS language statistics pie chart....................................................................................264 Asset statistics.............................................................................................................264 OS version report............................................................................................................264 OS version report parameters.......................................................................................265 OS version statistics pie chart........................................................................................265 Asset statistics.............................................................................................................265 Safe log gather statistic report...........................................................................................265 Safe log gather statistic report parameters......................................................................267 Safe log gather statistic pie chart..................................................................................267 Insecurity category statistics..........................................................................................268 Single-node online users 24-hour trend graph......................................................................268 Single-node online users 24-hour trend graph parameters.................................................269 Single-node online users 24-hour trend graph.................................................................269 Single-node security check failure report.............................................................................269 Single-node security check failure bar chart....................................................................271 Software installation report................................................................................................271 Software installation report parameters..........................................................................272 Contents 15 Software installation report fields...................................................................................272 Scheduled reports.................................................................................................................272 Asset information report....................................................................................................273 Adding an asset information report................................................................................273 Viewing asset information reports..................................................................................275 Asset information report parameters..........................................................................275 Asset information report fields..................................................................................276 Asset type report..............................................................................................................276 Adding an asset type report.........................................................................................276 Viewing asset type reports............................................................................................278 Asset type report parameters....................................................................................278 Asset type statistics pie chart....................................................................................278 Asset usage report...........................................................................................................279 Adding an asset usage report.......................................................................................279 Viewing asset usage reports.........................................................................................280 Asset usage report parameters.................................................................................281 Asset usage report fields..........................................................................................281 CPU report......................................................................................................................281 Adding a CPU report...................................................................................................281 Viewing CPU reports...................................................................................................283 CPU report parameters............................................................................................283 CPU report fields....................................................................................................284 Hard-disk capacity report..................................................................................................284 Adding a hard disk capacity report...............................................................................284 Viewing hard disk capacity reports................................................................................286 Hard disk capacity report parameters.......................................................................286 Hard disk capacity statistics pie chart........................................................................286 Illegal peripheral use report..............................................................................................287 Adding an illegal peripheral use report..........................................................................287 Viewing illegal peripheral use reports............................................................................289 Illegal peripheral use report parameters.....................................................................290 Illegal peripheral use statistic pie chart......................................................................290 Insecurity category statistic report.......................................................................................291 Adding an insecurity category statistic report..................................................................291 Viewing insecurity category statistic reports....................................................................293 Insecurity category statistic report parameters.............................................................294 Insecurity category statistic pie chart.........................................................................294 Online user security status report........................................................................................294 Adding an online user security status report....................................................................294 Viewing online user security status reports......................................................................296 Online user security status report parameters..............................................................297 Online user security status category statistics pie chart.................................................297 OS language report.........................................................................................................297 Adding an OS language report....................................................................................297 Viewing OS language reports.......................................................................................298 OS language report parameters...............................................................................299 OS language statistics pie chart...............................................................................299 OS version report............................................................................................................299 Adding an OS version report........................................................................................299 Viewing OS version reports..........................................................................................301 OS version report parameters..................................................................................301 OS version statistics pie chart...................................................................................301 Safe log gather statistic report...........................................................................................302 Adding a safe log gather statistic report.........................................................................302 Viewing safe log gather statistic reports..........................................................................305 16 Contents Safe log gather statistic report parameters.................................................................305 Safe log gather statistic pie chart..............................................................................306 Software installation report................................................................................................306 Adding a software installation report.............................................................................306 Viewing software installation reports..............................................................................308 Software installation report parameters......................................................................308 Software installation report fields..............................................................................309 14 Service parameters management............................................................310 EAD service parameters.........................................................................................................310 Configuring EAD service parameters..................................................................................311 Validating EAD service parameters.....................................................................................311 Method 1...................................................................................................................311 Method 2...................................................................................................................311 DAM service parameters.......................................................................................................312 Configuring DAM service parameters.................................................................................314 Validating DAM service parameters...................................................................................314 Method 1...................................................................................................................314 Method 2...................................................................................................................314 15 Support and other resources...................................................................315 Contacting HP......................................................................................................................315 New and changed information in this edition...........................................................................315 Typographic conventions.......................................................................................................315 16 Documentation feedback.......................................................................316 Index.......................................................................................................317 Contents 17 1 EAD Security Policy overview The EAD Security Policy component is the terminal security management software developed on the IMC platform. The EAD component is the core of the EAD solution. It comprises the Endpoint Admission Defense (EAD) service module and the Desktop Asset Manager (DAM) service module. EAD solution The EAD solution is a multiservice, client-server-based, secure access management solution that integrates: • Authentication • Monitoring • Auditing • Service management The EAD solution has the following components: • • Server side ◦ UAM—Provides reliable user identity authentication, simple and practical user management, and strict user privilege control. ◦ EAD—Provides strict endpoint security defense and powerful desktop management. Client side ◦ Node client—Cooperates with the UAM and EAD components to implement these functions. The UAM and EAD components depend on the IMC platform to provide services. The iNode client is deployed at a user terminal as an agent. IMC cooperates with various access devices, such as switches, routers, VPN gateways, and firewalls, to offer identity authentication, user privilege control, access admission, and desktop management in different network scenarios. EAD component This section describes the EAD service module and the DAM service module, referred to as the EAD and DAM, respectively, unless otherwise specified. EAD service module EAD determines an access user's security status by checking the anti-virus software, OS patches, registry, network traffic, and other items. To protect network security, EAD isolates the access users that fail the security check, or forces them offline. EAD provides the following functions: 18 • Security policy management • Terminal access control • Hierarchical node management • Internet access control • EAD service report EAD Security Policy overview • EAD audit • EAD service parameter management DAM service module Terminals running the Windows operating system are assets of DAM. DAM collects for audit the asset information of access users through the iNode client. DAM provides the following functions: • Asset management • Desktop control policy • Asset audit • Software deployment • DAM report • DAM service parameter management EAD component functions EAD components are classified by the following functions: • “Security policy” (page 19) • “Desktop asset” (page 22) • “Internet access control” (page 24) • “Service parameters” (page 24) • “EAD service report” (page 24) • “EAD audit” (page 25) Security policy EAD allows you to configure and manage security policies. As shown in Figure 1, a security policy typically consists of the following contents: • “Basic Information” (page 20) • “Terminal Access Control” (page 20) • “Security check items for PCs” (page 21) • “Security check items for smart terminals” (page 21) In addition, EAD can be used to implement unified authentication and security policies in large corporations or organizations (see “Hierarchical node management” (page 22)). EAD component functions 19 Figure 1 Security policy contents Basic Information • Security Level (required)—Security levels define the actions to be taken for security check violations. The actions, from least severe to most severe, are Monitor, Inform, Isolate, and Kick Out. When an access user violates multiple security check items that call for different actions, EAD performs the most severe of the actions. • Real-Time Monitoring—By default, EAD verifies the security status of access users when they complete identity authentication and are reauthenticated. With real-time monitoring enabled, EAD verifies access users at the specified interval (60 seconds, by default). • Default Policy for Roaming Users—By default, neither roaming EAD nor local EAD verifies the security status of roaming users. After you specify a default security policy for roaming users, roaming EAD uses that security policy to check all roaming users. For more information, see “Security policy management” (page 33). Terminal Access Control The basic security policy information comprises the following parameters: Terminal Access Control comprises the following parameters: 20 EAD Security Policy overview • • Isolation Mode—EAD provides the following isolation modes to isolate access users that fail the security check: ◦ Deploy ACLs to Access Device—After deployment, the access device controls user behaviors based on ACL rules. ◦ Deploy ACLs to iNode Client—After deployment, the iNode client controls user behaviors based on ACL rules. ◦ Deploy VLANs to Access Device—After deployment, the access device controls user behaviors based on VLANs. URL Control—The iNode client examines the URLs in the HTTP packets of the local user and reports to EAD in order to control access to sites. . URL control has the following parameters: ◦ Domain URL Class—Contains a group of domain names to be checked in the HTTP packets. Operators can permit or deny the HTTP packets that match the domain URL class. ◦ IP URL Class—Contains a group of IP addresses to be checked in the HTTP packets. Operators can permit or deny the HTTP packets that match the IP URL class. ◦ Check Hosts File—Contains a list of IP addresses that can appear on the Hosts file. For more information, see “Configuring terminal access control” (page 67). Security check items for PCs You can define the following security check items for a security policy that is to be assigned to a Windows, Linux, or Mac OS PC: • Anti-virus software—Verifies that the anti-virus software products installed on the PC meet requirements. • Anti-spyware software—Verifies that the anti-spyware software products installed on the PC meet requirements. • Firewall software—Verifies that the firewall products installed on the PC meet requirements. • Anti-phishing software—Verifies that the anti-phishing software products installed on the PC meet requirements. • Hard disk encryption software—Verifies that the hard disk encryption software products installed on the PC meet requirements. • PC software—Verifies that other software products, processes, services, and files on the PC meet requirements. • Patch management software—Verifies that the Linux and Mac OS patch management software installed on the PC meets requirements. • Windows patches—Verifies that all required Windows patches have been installed on the PC and whether the PC can collaborate with Microsoft SMS and WSUS. • Registries—Verifies that the access user registries meet requirements. • Share directories—Verifies that the share directories of access users meet requirements. • Asset registration status—Verifies that the access user terminals (assets) are registered in DAM. • Network traffic—Verifies that the access user network usage meets requirements. • OS password—Verifies that the access user login passwords are robust. For more information, see “Configuring security check items for PCs” (page 81). Security check items for smart terminals The following security check items can assigned to a security policy for an Android smart terminal: EAD component functions 21 • Anti-virus software—Verifies that the anti-virus software products on the smart terminal meet requirements. • Anti-spyware software—Verifies that the anti-spyware software products on the smart terminal meet requirements. • Smart terminal software—Verifies that other software products on the smart terminal meet requirements. • Smart terminal policy—Verifies that the states of GPS, auto lock, and Bluetooth services of the smart terminal meet the requirements. For more information, see “Configuring security check items for smart terminals” (page 129). Hierarchical node management Hierarchical node management allows you to classify the UAM and EAD system of an enterprise or organization into nodes of different levels. Upper-level nodes manage lower-level nodes, and lower-level nodes are required to send security check results to upper-level nodes. Hierarchical node management has two modes: • Centralized hierarchical management—A strict management mode that distributes configurations level by level from the headquarters. Lower-level nodes are not allowed to configure services, security policies, or security levels. • Noncentralized hierarchical management—A loose management mode that allows lower-level nodes to configure services, security policies, and security levels. Lower-level nodes are required to send security check results to upper-level nodes. For more information, see “Hierarchical node management” (page 54). Desktop asset DAM manages and monitors desktop assets. DAM classifies Windows-based user terminals, such as PCs or servers, as desktop assets, and assigns each asset a unique ID. Before using DAM, operators must configure DAM for the enterprise or organization (see “Configuring DAM” (page 22)). Operators can then use the following functions to manage and monitor assets: • “Desktop monitoring” (page 23) • “Asset audit” (page 23) • “Software deployment” (page 24) Asset registration DAM registers an asset the first time it connects to DAM using the asset ID. DAM can then manage and monitor the asset. Configuring DAM Perform the following DAM configurations (service parameters have the highest priority for configuration): 22 • Configure service parameters—Set parameters such as the automatic asset numbering mode and how long DAM keeps asset logs. • Manage asset groups—Comprises the following: ◦ Manage assets through asset groups—Create asset groups in DAM by asset type and location. ◦ Manage assets through user groups—Use user groups created on the IMC platform. EAD Security Policy overview • Manage assets—View detailed software and hardware information for registered assets. • Collect asset statistics—Collect statistics on the asset type, CPU, hard disks, operating system, and software installation information for registered assets. • Export monitoring records—Configure DAM to periodically export collected USB monitoring records. Desktop monitoring DAM can monitor the following assets through the iNode client: • Illegal peripheral usage—Using a peripheral management policy, DAM can block use of the following devices: ◦ 1394 interfaces ◦ Bluetooth peripheral devices ◦ COM ports ◦ DVD/CD-ROM drives ◦ Floppy disk drives ◦ Infrared devices ◦ LPTs ◦ Modems ◦ PCMCIA interfaces ◦ USB storage and nonstorage devices • Scheduled shutdown—DAM can shut down an asset at the scheduled time by deploying an energy-saving policy to the iNode client. The system displays an alert 10 minutes before it performs a scheduled shutdown action. • Monitoring alarm—Based on a monitoring alarm policy from DAM, the iNode client reports the following events to the DAM server: ◦ A software or hardware change is detected. ◦ A sensitive file is copied to a USB storage device or printed on a printer. The DAM server sends the information to the syslog server as syslogs. Asset audit The asset audit functions follow: • Post audits—Operators can perform post audits for assets based on the following records collected by DAM: ◦ Asset hardware change records ◦ Asset software change records ◦ USB monitoring records EAD component functions 23 • ◦ Printer usage monitoring records ◦ Peripheral usage violation records Real-time audits—DAM can check existing files on assets through the iNode client. Operators can use the terminal file audit function to audit assets in real time. Software deployment This function allows you to deploy software to terminals quickly. DAM collects asset software information through the iNode client, and deploys software to the assets according to the software deployment task. Before you configure a software deployment task, configure a software deployment server. The iNode client uses the software deployment server configuration to access the server, and downloads software according to the software deployment task. Internet access control For data security, EAD can restrict or block Internet access requests. In addition, EAD records users' Internet access behaviors for auditing. For more information, see “Controlling Internet access” (page 143). Service parameters You can configure the following service parameters: • EAD service parameters—Globally effective on the EAD service. • DAM service parameters—Globally effective on the DAM service. For more information, see “Service parameters management” (page 310). EAD service report EAD reports and DAM reports are called EAD service reports. The EAD service report function is implemented through the IMC platform report module. All reports on the Report tab are template-driven and are generated from preloaded templates. From the Report tab, you can access EAD service reports. Use the IMC platform report module to view and export real-time reports and scheduled reports. Table 1 lists the real-time reports and periodic reports that can be generated through EAD service report templates. Table 1 EAD service report templates Module Template name Realtime report Scheduled report All-Node Online Users 24-Hour Trend Graph Available Unavailable Insecurity Category Statistics Report Available Available Multi-Node Certain Security Policy Statistics Report Available Unavailable Multi-Node Online Users Comparison Chart Available Unavailable Multi-Node Security Check Items Report Available Unavailable Multi-Node Single-Security Check Item Failures Comparison Chart Available Unavailable Multi-Node User Counts Comparison Chart Available Unavailable Multi-Node User Data Statistics Report Available Unavailable EAD 24 EAD Security Policy overview Table 1 EAD service report templates (continued) Module DAM Template name Realtime report Scheduled report Online User Security Status Report Available Available Safe Log Gather Statistics Report Available Available Single-Node Online Users 24-Hour Trend Graph Available Unavailable Single-Node Security Check Failures Available Unavailable Asset Information Report Available Available Asset Type Report Available Available Asset Usage Report Available Available CPU Report Available Available Hard Disk Capacity Report Available Available Illegal Peripheral Use Report Available Available OS Language Report Available Available OS Version Report Available Available Software Installation Report Available Available EAD audit The EAD audit functions follow: • Viewing access user security logs—Security logs record security events that occurred during user authentication and network access. You can query security logs to see security events that occurred in the internal network, identify network security risks, and take appropriate action to enhance network security. • iNode driver audit—Many EAD functions require cooperation of the iNode client. When the iNode client encounters drive errors, security functions do not work. The iNode client can report these errors to the EAD server. You can query the drive errors to repair faulty terminals promptly. • Viewing security status of online users and roaming users—View the security status of online users and roaming users on the online and roaming user lists, respectively. The Online User List also shows client ACLs, device ACLs, traffic status, and online asset information. • Online user security check—Perform a security check for online users at any time and view the check result. Security check items include system information, screen-saver protection and password setting, partition table, shared directory information, installed software, installed patches, enabled services, and running processes. EAD planning considerations This section describes important considerations when deploying the EAD component. Physical location of the enterprise or organization Users at remote locations may experience slow authentication and security check processes when the UAM and EAD components are deployed only at an organization's headquarters. To improve efficiency, you can also deploy the UAM and EAD components at remote locations. EAD supports hierarchical management, which allows you to manage services and policies centrally when multiple UAM and EAD components are deployed. For more information, see “Hierarchical node management” (page 54). EAD planning considerations 25 Identifying the number of access users Before deploying the EAD component, identify the number of access users that need security checks. HP recommends that you purchase enough EAD licenses for access users, in order to reduce the risk of terminal security threats. Identifying the terminal types EAD provides security checks on PCs and smart terminals. Be sure to identify all types of user terminals on the network to be managed to ensure that the proper check items are configured for each in the security policy. Identifying available features when using the iNode client with EAD and DAM The EAD and DAM features available for implementation with the iNode client vary based on the OS of the user terminal. For more information, see Table 2. Table 2 iNode client feature and OS compatibility OS Identity authentication methods Security check Desktop asset management Windows 802.1X, portal, VPN, wireless Supported Supported Linux 802.1X, portal Supported Not supported Mac OS 802.1X, portal Supported Not supported Android Portal Supported Not supported iOS Portal Not supported Not supported Configuring security policies and desktop control policies HP recommends that you use the following procedure to configure enterprise or organization security policies and desktop control policies: 1. Avoid legal exposure by identifying and complying with all applicable legal and business requirements that affect security policies and asset configurations. 2. Identify the organizational structure of the enterprise and the security requirements of each department in the enterprise. Different departments can have different security requirements. For example, an enterprise's requirements might state that the R&D department can access the R&D file servers but cannot access the Internet; that the HR department can access the Internet but cannot access the R&D file servers; and that no employees can use instant messaging software during work hours. 3. 4. 5. 6. 7. 26 Identify the software and hardware information of the enterprise, including: • Number of access users • Number, model, configuration, and OS type of the terminal devices • Usage information of the terminal security software • Business software for each department Identify the network structure of the enterprise, including the vendor, model, VLAN, routing, ACL, and QoS configuration of the network devices. Create a security baseline, define security policies, and specify security policies for the services that access users have applied for. Verify that, after failing a security check, access users can access a third-party server to repair the failed security check items. Verify that access users passing a security check can access network resources, and that the EAD component can take the appropriate action (Monitor, Inform, Isolate, or Kick Out) when a user's security status changes from secure to insecure. EAD Security Policy overview 8. 9. 10. 11. Manage the desktop assets, including adding asset groups and registering assets. Configure the asset monitoring policies to prevent unauthorized copying and printing. Schedule regular audits of assets and security logs. View and export EAD service reports at regular, scheduled intervals. EAD planning considerations 27 2 Page navigation menus and aids The EAD and DAM components have their respective menus in the left navigation tree. Figure 2 EAD and DAM navigation menus The EAD and DAM menu options are described in Table 2 and Table 3, respectively. 28 Page navigation menus and aids Table 3 EAD navigation menu options Navigation menu option Description Endpoint Admission Defense Home Page Displays a general operation process for EAD security policy and links to the configuration tasks. Security Policy Provides the ability to view, add, modify, and delete security policies. Security Level Provides the ability to view, add, modify, and delete security levels. Terminal Access Control Displays a general operation process for terminal access control and links to the configuration tasks. Client ACL Management Provides the ability to view, add, modify, and delete ACLs to deploy to the iNode client. Internet Access Audit Policy Provides the ability to view, add, modify, and delete policies for auditing Internet access behaviors. Internet Access Configuration Provides the ability to view, add, modify, and delete Internet access configurations. URL Control Policy Provides the ability to view, add, modify, and delete URL control policies. Domain URL Class Provides the ability to view, add, modify, and delete domain URL classes. IP URL Class Provides the ability to view, add, modify, and delete IP URL classes. Traffic Control Provides the ability to view, add, modify, and delete traffic control policies. Terminal Security Software Policies Displays all supported types of software products for endpoint security check and links to their respective configuration pages. Anti-Virus Software Policy Provides the ability to view, add, modify, and delete anti-virus software policies. Anti-Spyware Software Policy Provides the ability to view, add, modify, and delete anti-spyware software policies. Firewall Software Policy Provides the ability to view, add, modify, and delete firewall software policies. Anti-Phishing Software Policy Provides the ability to view, add, modify, and delete anti-phishing software policies. Hard Disk Encryption Software Policy Provides the ability to view, add, modify, and delete hard disk encryption software policies. Patch Control Displays all supported patch check types for endpoint security check and links to their respective configuration pages. Windows Patches Provides the ability to query, add, modify, and delete Windows patches. Patch Management Software Provides the ability to enable check for patch management software products. Software Control Group Displays all supported types of software products for endpoint security check and links to their respective configuration pages. 29 Table 3 EAD navigation menu options (continued) Navigation menu option Description PC Software Control Group Provides the ability to query, view, add, modify, and delete groups to control software products, services, processes, and files for PCs. Smart Terminal Software Control Group Provides the ability to query, view, add, modify, and delete groups to control software products for smart terminals. Registry Control Provides the ability to view, add, modify, and delete registry control configurations. Share Control Provides the ability to view, add, modify, and delete share control configurations. Smart Terminal Policy Provides the ability to view, add, modify, and delete smart terminal policies. Password Control Provides the ability to view current password dictionary and load a new password dictionary. Hierarchical Node Management Provides the ability to view, add, modify, and delete child nodes and to confirm management from the parent node. EAD Global Network Monitoring Diagram Displays the global network monitoring diagram for hierarchical node management. Service Parameters Displays links to EAD service parameter settings. System Parameters Config Provides the ability to configure EAD service parameters. Validate Provides the ability to validate latest EAD service parameter settings. Table 4 DAM navigation menu options 30 Navigation menu option Description Desktop Asset Manager Home Page Displays a general operation process for the DAM service and links to the configuration tasks. Asset Group Provides the ability to query, view, add, modify, and delete asset groups. All Assets Provides the ability to query, view, add, modify, and delete assets. Asset Hardware Change Provides the ability to query and view assets' hardware changes. Asset Software Change Provides the ability to query and view assets' software changes. Control Scheme Provides the ability to view, add, modify, and delete schemes to control desktop assets. Desktop Control Policy Displays links to configure policies for controlling desktop assets. Peripheral Management Policy Provides the ability to view, add, modify, and delete peripheral management policies. Energy-Saving Policy Provides the ability to view, add, modify, and delete energy-saving policies. Monitoring Alarm Policy Provides the ability to view, add, modify, and delete monitoring alarm policies. Desktop Control Audit Displays desktop control audit functions and links to the functions. Page navigation menus and aids Table 4 DAM navigation menu options (continued) Navigation menu option Description USB Storage Device File Monitor Log Provides the ability to query, view, and export USB file transfer logs. Printer Monitor Provides the ability to query, view, and export printer monitor logs. Illegal Peripheral Use Report Provides the ability to query, view, and export logs for unauthorized use of peripheral devices. Check Asset Files Provides the ability to check suspicious files on assets in real time. Asset Statistics Displays the asset statistics by asset type, CPU, hard disk, OS, and software. Software Deploy Task Provides the ability to query, view, add, modify, and delete Software Deploy Tasks. Software Server Settings Provides the ability to view, add, modify, and delete servers for software distribution. Service Parameters Displays links to DAM service parameter settings. System Parameters Config Provides the ability to configure DAM service parameters. Validate Provides the ability to validate latest DAM service parameter settings. Export Task Management Provides the ability to configure tasks to export USB file transfer logs. Each configuration page can contain one or more areas with navigation buttons and page links. Figure 3 Page navigation aids If a list contains enough entries, use the following navigational aids and fit the list to the screen: • Click to page forward in the list. • Click to page forward to the end of the list. • Click to page backward in the list. 31 32 • Click • Click 8, 15, 50, 100, or 200 at the upper right of the list area to configure how many items per page you want to view. to page backward to the beginning of the list. Page navigation menus and aids 3 Configuring security policies Configuring security policies involves the following: • Security policy management Security policy management allows operators to configure and manage security policies, including security level, real-time monitoring, default security policy for roaming users, isolation mode, URL access control, and security check items. • Security level management Security levels define the actions to be taken for security check violations. The actions, from least severe to most severe, are Monitor, Inform, Isolate, and Kick Out. When an access user violates multiple security check items that call for different actions, EAD performs the most severe of the actions. The security level management function allows operators to view, add, modify, and delete security levels. • Hierarchical node management Enterprises and organizations use hierarchical node management to improve the efficiency and flexibility of the EAD security check. Operators can implement either centralized policy management or noncentralized policy management, as needed. By default, EAD does not apply any security policy to roaming access users. Their identity is authenticated by their home UAM servers without further security check. To improve security, operators can manually configure a security policy as the default policy for roaming users. Security policy management A security policy comprises the following contents: • A security level. • At least one security check item. • Optional terminal access control settings. Terminal access control comprises ACL and URL access control, both of which are optional. Operators can do the following: • View, add, modify, and delete security policies. • Enable real-time monitoring in security policies. The iNode client cooperates with the EAD server to perform periodic security checks on the terminals of online users to detect violations and security threats in real time. Security policy list contents The security policy list comprises the following parameters: • Policy Name—Name of the security policy. Click the name to view its details. • Security Level—Name of the security level used by the security policy. Click the name to view its details. For more information, see “Viewing security level details” (page 52). • Isolation Mode—Isolation mode of the security policy: ◦ Not Deploy—No isolation mode is specified. ◦ Deploy ACLs to Access Device—Isolates illegal users by using access device ACLs. Security policy management 33 • ◦ Deploy ACLs to iNode Client—Isolates illegal users by using iNode client ACLs. ◦ Deploy VLANs to Access Device—Isolates illegal users by using VLANs. Security ACL or VLAN—Security ACL or VLAN of the security policy. The security ACL or VLAN applies to all online users who are not isolated. The parameter is based on the configured isolation mode. ◦ Security ACL or VLAN—Security ACL or VLAN of the security policy. The security ACL or VLAN applies to all online users who are not isolated. The parameter is based on the configured isolation mode. ◦ To deploy ACLs to HP ProCurve devices, the parameter is the name of an access ACL defined in UAM. Click the ACL name to view the ACL rules deployed to the access device. ◦ To deploy ACLs to the iNode client, the parameter is the name of a client ACL defined in EAD. Click the ACL name to view the ACL rules deployed to the iNode client. ◦ To deploy VLANs to access devices, the parameter is a VLAN ID. • Isolation ACL or VLAN—Isolation ACL or VLAN of the security policy. The isolation ACL or VLAN applies to online users who must be isolated. The parameter can be an ACL number or name, access ACL name, client ACL name, or VLAN ID, based on the configured isolation mode. (See the parameter descriptions for Security ACL or VLAN.) • Service Group—Service group to which the security policy belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the security policy settings. to delete the security policy. Security policy details Security policy details comprise basic policy information and advanced security check settings. This section describes parameters on each area of the security policy details. EAD supports security checks on IPv6 hosts only when the Enable IPv6 parameter is set to Yes in the UAM service parameter configuration. The default setting of this parameter is No. For more information, see HP IMC User Access Manager Administrator Guide. Basic Information area • Policy Name—Unique name of the security policy. • Service Group—Service group to which the security policy belongs. • Security Level—Name of the security level used in the security policy. Click the name to view its details. For more information, see “Viewing security level details” (page 52). • Monitor in Real Time—When it is selected, this parameter enables real-time monitoring of user terminals in the security policy. For more information, see “Configuring real-time monitoring” (page 45). • Process After—The amount of time, in minutes, that the iNode client waits before it isolates or kicks out an access user for whom a violation is detected in real-time monitoring. The iNode client prompts the user to make the necessary remediation and initiate a new security check to avoid being isolated or kicked out. This parameter appears only when the Monitor in Real Time option is selected. • 34 Set as Default Policy for Roaming Users—When it is selected, this parameter makes the security policy the default security policy for roaming users. You can specify only one security policy as the default security policy for roaming users. For more information, see “Configuring the default security policy for roaming users” (page 46). Configuring security policies • Description—Description of the security policy. • Check Passed Message—Message that the iNode client displays when an access user passes the security check. Isolation Mode area • Configure Isolation Mode—Indicates whether an isolation mode is configured. When this parameter is not selected, the security policy does not have an isolation mode. When this parameter is selected, the security policy uses any of the following isolation modes: Deploy ACLs to Access Device, Deploy ACLs to iNode Client, or Deploy VLANs to Access Device. The following parameters appear only when the Configure Isolation Mode option is selected. The parameters vary by isolation mode. For more information, see “Configuring terminal access control” (page 67). • Deploy ACLs to Access Device This isolation mode deploys ACLs to access devices. For non-HP ProCurve devices, EAD deploys ACL numbers or names through RADIUS packets. For HP ProCurve devices, EAD deploys access ACL rules through extended RADIUS packets. The isolation mode contains the following parameters: • ◦ Security ACL (for non-HP ProCurve)—Number or name of the security ACL deployed to non-HP ProCurve devices. ◦ Isolation ACL (for non-HP ProCurve)—Number or name of the isolation ACL deployed to non-HP ProCurve devices. ◦ Security ACL (for HP ProCurve)—Name of the access ACL deployed to HP ProCurve devices as the security ACL. Click the ACL name to view the ACL rules in the access ACL. For information about access ACLs, see HP IMC User Access Manager Administrator Guide. ◦ Isolation ACL (for HP ProCurve)—Name of the access ACL deployed to HP ProCurve devices as the isolation ACL. Click the ACL name to view the ACL rules in the access ACL. For information about access ACLs, see HP IMC User Access Manager Administrator Guide. Deploy ACLs to iNode Client This isolation mode deploys ACL rules to the iNode client through EAD messages. For more information, see “Managing client ACLs” (page 68). The isolation mode contains the following parameters: • ◦ Security ACL—Name of the security ACL deployed to the iNode client. Click the ACL name to view the ACL rules in the client ACL. For more information, see “Managing client ACLs” (page 68). ◦ Isolation ACL—Name of the isolation ACL deployed to the iNode client. Click the ACL name to view the ACL rules in the client ACL. For more information, see “Managing client ACLs” (page 68). Deploy VLANs to Access Device This isolation mode deploys VLAN IDs to access devices through RADIUS packets. The VLANs corresponding to the VLAN IDs must exist on the devices. ◦ Security VLAN—ID of the security VLAN deployed to access devices. ◦ Isolation VLAN—ID of the isolation VLAN deployed to access devices. Security policy management 35 URL Control area • Check URL—Indicates whether to check URLs accessed by the access users. The following parameters appear only when the Check URL option is selected: • URL Control Policy—Name of the URL control policy used in the security policy. The URL control policy controls user access to specified websites by domain name or IP address. • Check Hosts File—Indicates whether to check the Hosts file on the user terminal. When this option is enabled, the iNode client checks the Hosts file against the IP address list located to the right of the Check Hosts File field. When the Hosts file of a user terminal contains an IP address that is not on the list, the iNode client forces the user to log out. This feature prevents users from accessing unauthorized websites by modifying the Hosts file. The Hosts file check can serve as a supplement to the URL control policy. A user might bypass the URL control policy by modifying the Hosts file to access a prohibited URL. The Hosts file check applies only to access users using Windows. For example, the path of the Hosts file on Windows 7 is C:\WINDOWS\system32\drivers\etc\hosts. Anti-Virus Software Control area The anti-virus software check takes effect on Windows, Linux, and Mac OS PCs and Android smart terminals. • Check Anti-Virus Software—Indicates whether to check the anti-virus software on the user terminal. The check items include the anti-virus definition version, engine version, software installation status, and software running status. The following parameters appear only when the Check Anti-Virus Software option is selected: • Anti-Virus Software Policy—Name of the anti-virus software policy used in the security policy. • Server Address—IPv4 address of the server from which users can download anti-virus software and update packages. • IPv6 Server Address—IPv6 address of the server from which users can download anti-virus software and update packages. • Failure Notification—Message that the iNode client displays when an access user fails the anti-virus software check. When an access user fails the anti-virus software check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. Anti-Spyware Software Control area The anti-spyware software check takes effect on Windows, Linux, and Mac OS PCs and Android smart terminals. • Check Anti-Spyware Software—Indicates whether to check the anti-spyware software on the user terminal. The check items include the anti-spyware definition version, engine version, software installation status, and software running status. The following parameters appear only when the Check Anti-Spyware Software option is selected: 36 • Anti-Spyware Software Policy—Name of the anti-spyware software policy used in the security policy. • Server Address—IPv4 address of the server from which users can download anti-spyware software and update packages. Configuring security policies • IPv6 Server Address—IPv6 address of the server from which users can download anti-spyware software and update packages. • Failure Notification—Message that the iNode client displays when an access user fails the anti-spyware software check. When an access user fails the anti-spyware software check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. Firewall Software Control area The firewall software check takes effect only on Windows, Linux, and Mac OS PCs. • Check Firewall Software—Indicates whether to check the firewall software on the user terminal. The check items include the firewall installation status and running status. The following parameters appear only when the Check Firewall Software option is selected: • Firewall Software Policy—Name of the firewall software policy used in the security policy. • Server Address—IPv4 address of the server from which users can download the firewall software. • IPv6 Server Address—IPv6 address of the server from which users can download the firewall software. • Failure Notification—Message that the iNode client displays when an access user fails the firewall software check. When an access user fails the firewall software check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. Anti-Phishing Software Control area The anti-phishing software check takes effect only on Windows and Mac OS PCs. • Check Anti-Phishing Software—Indicates whether to check the anti-phishing software on the user terminal. The check items include the anti-phishing software installation status and the software running status. The following parameters appear only when the Check Anti-Phishing Software option is selected: • Anti-Phishing Software Policy—Name of the anti-phishing software policy used in the security policy. • Server Address—IPv4 address of the server from which users can download the anti-phishing software and update packages. • IPv6 Server Address—IPv6 address of the server from which users can download the anti-phishing software and update packages. • Failure Notification—Message that the iNode client displays when an access user fails the anti-phishing software check. When an access user fails the anti-phishing software check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. Security policy management 37 Hard Disk Encryption Software Control area The hard disk encryption software check takes effect only on Windows PCs. • Check Hard Disk Encryption Software—Indicates whether to check the installation status of the hard disk encryption software on the user terminal. The following parameters appear only when the Check Hard Disk Encryption Software option is selected: • Hard Disk Encryption Software Policy—Name of the hard disk encryption software policy used in the security policy. • Server Address—IPv4 address of the server from which users can download the hard disk encryption software. • IPv6 Server Address—IPv6 address of the server from which users can download the hard disk encryption software. • Failure Notification—Message that the iNode client displays when an access user fails the hard disk encryption software check. When an access user fails the hard disk encryption software check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. PC Software Control area The PC software control check takes effect only on Windows, Linux, and Mac OS PCs. The check items include software, processes, services, and files. This area lists the configurations of PC software control groups, including the group name, PC software control type, and check type. • Check PC Software Control—Indicates whether to check the software, processes, services, and files on the PC. The following parameters appear only when the Check PC Software Control option is selected: • Group Name—Name of the PC software control group to be checked. • Type—Type of the PC software control group to be checked: Software, Process, Service, or File. • Check Type—Check type of the PC software control group. The check type options vary with the PC software control types, as described in Table 5. • Server Address—IPv4 address of the server from which access users can download the required software, update files, and repair tools. • IPv6 Server Address—IPv6 address of the server from which access users can download the required software, update files, and repair tools. • Failure Notification—Message that the iNode client displays when an access user fails the PC software control group check. When an access user fails the PC software control group check, EAD sends the IPv4 address of the server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. 38 Configuring security policies Table 5 PC software control groups and check types Group type Software Check types ◦ Installed Forbidden—Prohibits any software products in the control group from being installed on the user terminal. ◦ Installed Required—Requires all software products in the control group be installed on the user terminal. ◦ Installed Allowed—Allows only the software products in the control group to be installed on the user terminal. Only one control group can be set as Installed Allowed. ◦ Running Forbidden—Prohibits any processes in the control group from running on the user terminal. ◦ Running Required—Requires all processes in the control group be running on the user terminal. ◦ Started Forbidden—Prohibits any services in the control group from being started on the user terminal. ◦ Started Required—Requires all services in the control group be started on the user terminal. ◦ Non-Existent—Prohibits any files in the control group from being stored on the user terminal. ◦ Existent—Requires all files in the control group exist on the user terminal. Process Service File Smart Terminal Software Control area The smart terminal software control check takes effect only on Android smart terminals. Security policy management 39 This area lists the configurations of smart terminal software control groups, including the group name, smart terminal software control type, and check type. • Check Smart Terminal Software Control—Indicates whether to check the software, processes, services, and files on the smart terminal. The following parameters appear only when the Check Smart Terminal Software Control option is selected: • Group Name—Name of the software control group to be checked for smart terminals. • Type—Type of the software control group to be checked for smart terminal, which is always Software. • Check Type—Check type of the smart terminal software control group. Options are Installed Forbidden and Installed Required. • ◦ Installed Forbidden—Prohibits any software products in the control group from being installed on the smart terminal. ◦ Installed Required—Requires all software products in the control group be installed on the smart terminal. Failure Notification—Message that the iNode client displays when an access user fails the smart terminal software control group check. Patch Management Software Control area The patch management software control check takes effect only on Linux and Mac OS PCs. • Check Patch Management Software—Indicates whether to check the patch management software on the user terminal. • Failure Notification—Message that the iNode client displays when an access user fails the patch management software check. This parameter appears only when the Check Patch Management Software option is selected. Windows Patch Control area The Windows patch control check takes effect only on Windows PCs. This area displays the Windows patch check method adopted in the security policy. The check methods are as follows: • Check Through Microsoft Server—Enables the iNode client to check the missing patches and their severity levels by connecting to the Microsoft WSUS or SMS server. Patches are then downloaded and installed automatically. • Check Manually—Enables the iNode client to check the missing patches and their severity levels by connecting to the EAD server. The user can then download and install the required patches manually. This area has the following option: • Check Windows Patches—Indicates whether to check the Windows patches on the user terminal. The following parameters appear only when the Check Windows Patches option is selected: • 40 Patch Check Interval—Specifies how many days to omit patch checks for an access user after the user has passed a patch check. When the Patch Check Interval is set to 0, EAD checks patches in every security check. Otherwise, EAD excludes patch check items from security checks for the user terminal for the number of days indicated by the Patch Check Interval. To Configuring security policies modify the interval, navigate to the Endpoint Admission Defense>Service Parameters>System Parameters Config page. • Check Through Microsoft Server The following parameters apply to the Windows patch check through the Microsoft server: ◦ Flexible Patching—Arranges the patch check and installation work for PCs at different time of the week to improve efficiency and reduce workload on the patch server. For a user who has not gone through a patch check for 21 days, patch check and installation is performed for the user once the user gets online. When this option is selected, the Patch Check Interval parameter becomes invalid and disappears from the page. ◦ Server Address—IPv4 address of the Microsoft WSUS or SMS server. ◦ IPv6 Server Address—IPv6 address of the Microsoft WSUS or SMS server. When checking the Windows patches for an access user, EAD sends the IPv4 address of the WSUS or SMS server to the user using IPv4 address, or the IPv6 address of the server to the user using IPv6 address. The iNode client checks and repairs Windows according to the address it receives. • Check Manually The following parameters apply to the manual Windows patch check: ◦ Patch Level—Severity levels of the Windows patches: Critical, Important, Moderate, and Low. EAD checks all patches of the selected severity levels. ◦ Patch Server Address—IPv4 address of the server from which users can download the required patches. ◦ IPv6 Patch Server Address—IPv6 address of the server from which users can download the required patches. When an access user fails the Windows patch check, EAD sends the IPv4 address of the patch server to the user using IPv4 address, or the IPv6 address of the patch server to the user using IPv6 address. Operators can configure a file server, HTTP server, or FTP server to provide the download services. • Failure Notification—Message that the iNode client displays when an access user fails the Windows patch check. Registry Control area The registry control check takes effect only on Windows PCs. • Check Registry—Indicates whether to check the registries on the user terminal. The following parameters appear only when the Check Registry option is selected: • Registry Control Name—Name of the registry control policy used in the security policy. EAD checks registries on the user terminal according to the selected registry control policies. • Failure Notification—Message that the iNode client displays when an access user fails the registry control check. Security policy management 41 Share Control area The share control check takes effect only on Windows PCs. • Check Share—Indicates whether to check the share directories on the user terminal. The following parameters appear only when the Check Share option is selected: • Share Control—Name of the share control policy used in the security policy. • Failure Notification—Message that the iNode client displays when an access user fails the share check. Smart Terminal Policy area The smart terminal configuration check takes effect only on Android smart terminals. • Check Smart Terminal Configuration—Indicates whether to check the configuration of the smart terminal. The following parameters appear only when the Check Smart Terminal Configuration option is selected: • Smart Terminal Policy—Name of the smart terminal policy used in the security policy. • Failure Notification—Message that the iNode client displays when an access user fails the smart terminal configuration check. Asset registration status check area The asset registration status check takes effect only on Windows PCs. • Check Asset Registration Status—Indicates whether to check the asset registration status of the user terminal. • Failure Notification—Message that the iNode client displays when an access user fails the asset registration status check. This parameter appears only when the Check Asset Registration Status option is selected. Periodic check area The traffic check and operating system password check take effect only on Windows PCs. • Traffic Control—Name of the traffic control policy used in the security policy. • Check Operating System Password—Indicates whether to check the operating system password of the user terminal periodically. The EAD security policy determines the strength of a password by consulting the password dictionary. • Failure Notification—Message that the iNode client displays when an access user fails the operating system password check. This parameter appears only when the Check Operating System Password option is selected. Viewing the security policy list To view the security policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. 4. 42 To sort the Security Policy List, click the Policy Name, Security Level, Isolation Mode, or Service Group column label. Click Refresh to refresh the Security Policy List. Configuring security policies Viewing security policy details To view IPv6 configurations, operators must enable IPv6 address support on UAM and EAD components by modifying UAM service parameters. For instructions on how to modify UAM service parameters, see HP IMC User Access Manager Administrator Guide. To view the details of a security policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. Click the name of the security policy for which you want to view the detailed information. The View Security Policy page appears. 4. To go back to the Security Policy List, click Back. Adding a security policy To perform IPv6 configurations, operators must enable IPv6 address support on UAM and EAD components by modifying UAM service parameters. For information about modifying UAM service parameters, see HP IMC User Access Manager Administrator Guide. To add a security policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. Click Add. The Add Security Policy page appears. 4. 5. 6. Configure the basic information for the security policy. The policy name must be unique in EAD. Configure the parameters in the following areas: • Isolation Mode • URL Control • Anti-Virus Software Control • Anti-Spyware Software Control • Firewall Software Control • Anti-Phishing Software Control • Hard Disk Encryption Software Control • PC Software Control • Smart Terminal Software Control • Patch Management Software Control • Windows Patch Control • Registry Control • Share Control • Smart Terminal Policy • Asset Registration Status Check • Periodic Check Click OK. Security policy management 43 Modifying a security policy To perform IPv6 configurations, operators must enable IPv6 address support on UAM and EAD components by modifying UAM service parameters. For information about modifying UAM service parameters, see HP IMC User Access Manager Administrator Guide. To modify a security policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. Click the Modify icon for the security policy you want to modify. The Modify Security Policy page appears. 4. 5. Modify the basic information for the security policy. You cannot modify Policy Name or Service Group. Modify the parameters in the following areas as needed: • Isolation Mode • URL Control • Anti-Virus Software Control • Anti-Spyware Software Control • Firewall Software Control • Anti-Phishing Software Control • Hard Disk Encryption Software Control • PC Software Control • Smart Terminal Software Control • Patch Management Software Control • Windows Patch Control • Registry Control • Share Control • Smart Terminal Policy • Asset Registration Status Check • Periodic Check Deleting a security policy Before you delete a security policy that has been assigned to a service, you must cancel their associations. To delete a security policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. Click the Delete icon for the security policy you want to delete. A confirmation dialog box appears. 4. 44 Click OK. Configuring security policies Configuring real-time monitoring With the real-time monitoring function, the iNode client interacts with the EAD server to perform a periodic security check for online users. To ensure network security, the iNode client processes in real time any violation or abnormality detected on the user terminal. The following check items support real-time monitoring. Operators must select the check items in the security policy in order to have them monitored in real time. The check items include: • Anti-virus software • Anti-spyware software • Firewall software • Anti-phishing software • Hard disk encryption software • PC software control groups • Smart terminal software control groups • Registries • Share directories • Smart terminal configuration The following check items do not support real-time monitoring: • Windows patches • Asset registration status • Traffic monitoring • Operating system password With the exception of Windows patches, these items are checked at a system-defined interval that cannot be modified. To ensure EAD security check efficiency, operators can define in the service parameter configuration the interval at which Windows patches are checked. Enabling real-time monitoring To enable real-time monitoring in the security policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. Click the Modify icon monitoring. for the security policy for which you want to enable real-time The Modify Security Policy page appears. 4. 5. Configure the following parameters in the Basic Information area: • Monitor in Real Time—Select this option to enable real-time monitoring of user terminals in the security policy. • Process After—Specify the amount of time, in minutes, that the iNode client waits before it isolates or kicks out an access user for whom a violation is detected in real-time monitoring. The iNode client prompts the user to make the necessary remediation and initiate a new security check to avoid being isolated or kicked out. This option is available only when the Monitor in Real Time option is selected. Click OK. Security policy management 45 Modifying the real-time monitoring parameters Operators can modify the Real-time Monitor Interval parameter in the service parameter configuration to ensure both the efficiency of real-time monitoring and the performance of the user terminal and EAD server. EAD can forcibly check items that do not support real-time monitoring for users who stay online for a long time. To do this, modify the Reauthentication Interval parameter in the service parameter configuration. To modify the real-time monitoring parameters: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Service Parameters > System Parameters from the navigation tree. The System Parameters Config page appears. 3. 4. Modify the following real-time monitoring parameters: • Real-Time Monitor Interval—Enter, in seconds, the interval at which the real-time security check is performed. The default setting is 60 seconds. • Reauthentication Interval—Enter, in hours, the interval at which an online user is forced to be reauthenticated. The default setting is 24 hours. Click OK. Configuring the default security policy for roaming users For roaming users, the EAD server on the visited network, not the local EAD server, checks their security items. You can configure only one security policy as the default security policy for roaming users. The default security policy shows the [Default policy for roaming users] tag in the Policy Name field on the Security Policy List. To set the default security policy for roaming users: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Policy from the navigation tree. The Security Policy List displays all security policies. 3. 4. 5. Click the Modify icon for the security policy you want to set as the default policy for roaming users. In the Basic Information area, select Set as Default Policy for Roaming Users. Click OK. Assigning security policies When an endpoint user accesses the network, UAM determines the access scenario of the user, and sends the matching security policy to the iNode client on the user's terminal. If the user matches no access scenario, the default security policy is used. The iNode client performs security checks on the user terminal according to the received security policy. Assigning the default security policy to a service You can assign a security policy to a service as the default security policy. When a user matches no access scenarios defined for the access policies of the service, EAD deploys the default security policy to the user. To assign the default security policy to a service: 1. Click the Service tab. 2. Select User Access Manager > Service Configuration from the navigation tree. 46 Configuring security policies 3. Click the Modify icon for the service to which you want to assign a default security policy. The Modify Service Configuration page appears. 4. 5. In the Basic Information area, select the security policy you want to assign to the service from the Default Security Policy list. Or select Disable Security Policy to disable security checks on users matching no access scenarios in the service. Click OK. Assigning a security policy to an access policy You can assign a security policy to individual access policies in a service. When a user matches the access scenario defined for an access policy, EAD deploys the matching security policy to the user. To assign a security policy to an access policy in a service: 1. Click the Service tab. 2. Select User Access Manager > Service Configuration from the navigation tree. 3. Click the Modify icon for the target service. The Modify Service Configuration page appears. 4. In the Access Policy List, click the Modify icon assign a security policy. for the access policy to which you want to The Modify Access Policy window appears. 5. 6. Select a security policy from the Security Policy list. Or select Disable Security Policy to disable security checks on users matching the access scenario of the policy. Click OK. The Modify Access Policy window closes. 7. Click OK. Security level management A security level is a set of actions to be performed in response to security violations. A security violation occurs when a terminal fails a security check item. A security level takes effect after it is assigned to a security policy. Operators can view, add, modify, and delete security levels. EAD has the following system-defined security levels: • Monitor Mode—Monitors the access user who fails any security check item defined in the security policy. • VIP Mode—Informs the access user who fails any security check item defined in the security policy. • Isolate Mode—Isolates the access user who fails any security check item defined in the security policy. • Kick Out Mode—Kicks out the access user who fails any security check item defined in the security policy. • Guest Mode—Logs off the access user 5 minutes after the user fails any security check item defined in the security policy. EAD supports the following actions, in ascending order of severity: • Monitor—Allows the user to access the network without informing the user of any security vulnerability on the user terminal, and generates a security log. • Inform—Allows the user to access the network, informs the user of the security vulnerability on the user terminal and remediation methods, and generates a security log. Security level management 47 • Isolate—Isolates the user in a restricted area specified by the isolation ACL, informs the user of the security vulnerability and remediation methods, and generates a security log. • Kick Out—Denies the access request of the user, informs the user of the security vulnerability on the user terminal, and generates a security log. You can also configure the Action After parameter to specify how long the access user with a security check failure can access the network before being isolated or kicked out. Making a security level action take effect For the action specified for a check item in the security level to take effect, you must complete the following tasks: 1. Enable the security check item. 2. Specify an associated control policy in the security policy. For example, to perform the specified action on the access user who fails the anti-virus software check: 1. Enable the anti-virus software check in the security policy. 2. Specify an anti-virus software policy. Special cases Abnormal traffic For the action specified for abnormal traffic in the security level to take effect, you must enable the traffic monitoring function in the security policy and specify the items to be checked in the traffic monitoring policy. For example, to enable the iNode client to perform the specified action on the access user whose IP traffic running on the authenticated NIC exceeds the minor threshold or severe threshold: 1. Enable the traffic monitoring function in the security policy. 2. Set the IP traffic thresholds. WSUS/SMS Server Collaboration Failure and Auto-Installation Failure For the action specified in the security level for WSUS/SMS Server Collaboration Failure and Auto-Installation Failure to take effect, enable the Check Through Microsoft Server feature in the security policy. Security level list contents The security level list comprises the following parameters: • Security Level Name—Name of the security level. Click the name to view its details. • Description—Description of the security level. • Service Group—Service group to which the security level belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the security level settings. to delete the security level. Security level details Security level details comprise basic security level information and advanced check settings. This section describes parameters on each area of the security level details. 48 Configuring security policies Basic Information area • Security Level Name—Name of the security level. • Action After—Amount of time, in minutes, that the access user with a security check failure can access the network before being isolated or kicked out. During that time, the user can make the necessary remediation and initiate a new security check to prevent being isolated or kicked out. This parameter is available only when the Isolate or Kick Out action is configured for a check item, excluding the traffic monitoring check and the operating system password check. • Description—Description of the security level. • Service Group—Service group to which the security level belongs. Traffic Monitoring area • IP Traffic Minor Threshold Exceeded—Action to take when the total IP traffic of all NICs on the user terminal is above or equal to the IP Traffic Minor Threshold, and below the IP Traffic Severe Threshold configured in the traffic control policy. • IP Traffic Severe Threshold Exceeded—Action to take when the total IP traffic of all NICs on the user terminal is above or equal to the IP Traffic Severe Threshold configured in the traffic control policy. • Broadcast Packets Minor Threshold Exceeded—Action to take when the total number of broadcast packets sent by all NICs on the user terminal is above or equal to the Broadcast Packets Minor Threshold, and below the Broadcast Packets Severe Threshold configured in the traffic control policy. • Broadcast Packets Severe Threshold Exceeded—Action to take when the total number of broadcast packets sent by all NICs on the user terminal is above or equal to the Broadcast Packets Severe Threshold configured in the traffic control policy. • Packets Minor Threshold Exceeded—Action to take when the total number of packets passing the authenticated NIC of the user terminal is above or equal to the Packets Minor Threshold, and below the Packets Severe Threshold configured in the traffic control policy. • Packets Severe Threshold Exceeded—Action to take when the total number of packets passing the authenticated NIC of the user terminal is above or equal to the Packets Severe Threshold configured in the traffic control policy. The authenticated NIC is used by an access user to pass identity authentication and to access the network. • TCP/UDP Connections Minor Threshold Exceeded—Action to take when the total number of TCP/UDP connections of all NICs on the user terminal is above or equal to the TCP/UDP Connections Minor Threshold, and below the TCP/UDP Connections Severe Threshold configured in the traffic control policy. • TCP/UDP Connections Severe Threshold Exceeded—Action to take when the total number of TCP/UDP connections of all NICs on the user terminal is above or equal to the TCP/UDP Connections Severe Threshold configured in the traffic control policy. Anti-Virus Software area • Anti-Virus Software Not Installed—Action to take on the access user whose terminal does not have the anti-virus software installed. • Anti-Virus Client Runtime Error—Action to take on the access user whose anti-virus software is faulty. Security level management 49 • Old Anti-Virus Software/Engine Version—Action to take on the access user whose anti-virus software version on the smart terminal or anti-virus engine version on the PC is lower than the version configured in the anti-virus software policy. • Old Virus Definition Version—Action to take on the access user whose virus definition version is lower than the version configured in the anti-virus software policy. Anti-Spyware Software area • Anti-Spyware Software Not Installed—Action to take on the access user whose terminal does not have the anti-spyware software installed. • Anti-Spyware Client Runtime Error—Action to take on the access user whose anti-spyware software is faulty. • Old Anti-Spyware Software/Engine Version—Action to take on the access user whose anti-spyware software version on the smart terminal or anti-spyware engine version on the PC is lower than the version configured in the anti-spyware software policy. • Old Spyware Definition Version—Action to take on the access user whose spyware definition version is lower than the version configured in the anti-spyware software policy. Firewall Software area • Firewall Software Not Installed—Action to take on the access user whose terminal does not have the firewall software installed. • Firewall Client Runtime Error—Action to take on the access user whose firewall software is faulty. Anti-Phishing Software area • Anti-Phishing Software Not Installed—Action to take on the access user whose terminal does not have the anti-phishing software installed. • Anti-Phishing Software Runtime Error—Action to take on the access user whose anti-phishing software is faulty. Hard Disk Encryption Software area • Hard Disk Encryption Software Not Installed—Action to take on the access user whose terminal does not have the hard disk encryption software installed. PC Software Control Group area • Global Security Mode—Action to take on the access user who violates any PC software control group specified for check in the security policy. In global security mode, you cannot view the names of the PC software control groups. • Security Mode of a PC Software Control Group—Action to take on the access user who violates the PC software control group. When you configure actions specific to the PC software control groups, the Global Security Mode option does not appear. Smart Terminal Software Control Group area 50 • Global Security Mode—Action to take on the access user who violates any smart terminal software control group specified for check in the security policy. In global security mode, you cannot view the names of the smart terminal software control groups. • Security Mode of a Smart Terminal Software Control Group—Action to take on the access user who violates the smart terminal software control group. When you configure actions specific to the smart terminal control groups, the Global Security Mode option does not appear. Configuring security policies Patch Management Software area • Patch Manager Software Not Installed—Action to take on the access user whose terminal does not have the patch management software installed. • Patch Manager Software Runtime Error—Action to take on the access user whose patch management software is faulty. Windows Patches area • WSUS/SMS Server Collaboration Failure—Action to take on the access user when the iNode client cannot connect to the Microsoft WSUS or SMS server. • Auto-Installation Failure—Action to take on the access user when automatic patch installation fails on the user terminal. • Critical—Action to take on the access user whose terminal lacks a critical-level patch. • Important—Action to take on the access user whose terminal lacks an important-level patch. • Moderate—Action to take on the access user whose terminal lacks a moderate-level patch. • Low—Action to take on the access user whose terminal lacks a low-level patch. Registry area • Global Security Mode—Action to take on the access user who violates any registry control policies specified for check in the security policy. In global security mode, you cannot view the names of the registry control policies. • Security Mode of a Specific Registry Control Policy—Action to take on the access user who violates the registry control policies. When you configure actions specific to the registry control policies, the Global Security Mode option does not appear. Share area • Global Security Mode—Action to take on the access user who violates any share control policy specified for check in the security policy. In global security mode, you cannot view the names of the share control policies. • Security Mode of a Specific Share Control Policy—Action to take on the access user who violates the share control policy. When you configure actions specific to each share control policy, the Global Security Mode option does not appear. Smart Terminal Configuration • GPS Service Not Enabled—Action to take on the smart terminal on which the GPS service is disabled. • Bluetooth Service Not Disabled—Action to take on the smart terminal on which the Bluetooth service is enabled. • Auto Lock Not Enabled—Action to take on the smart terminal on which the Auto Lock feature is disabled. Security level management 51 Asset Registration Status area • Unregistered Assets—Action to take on the access user who uses an unregistered asset for network access. Operating System Password area • Operating System Password Check Failed—Action to take on the access user who fails the operating system password check. Viewing the security level list To view the security level list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Level from the navigation tree. The Security Level List displays all security levels. 3. 4. To sort the Security Level List, click the Security Level Name or Service Group column label. Click Refresh to refresh the Security Level List. Viewing security level details To view the details of a security level: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Level from the navigation tree. The Security Level List displays all security levels. 3. Click the name of the security level for which you want to view the detailed information. The View Security Level page appears. 4. To go back to the Security Level List, click Back. Adding a security level To add a security level: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Level from the navigation tree. The Security Level List displays all security levels. 3. Click Add. The Add Security Level page appears. 4. 5. 52 Configure the basic information for the security level. The name of the security level must be unique in EAD. Configure the parameters in the following areas: • Traffic Monitoring • Check Anti-Virus Software • Check Anti-Spyware Software • Check Firewall Software • Check Anti-Phishing Software • Check Hard Disk Encryption Software • Check PC Software Control Group • Check Smart Terminal Software Control • Check Patch Management Software Configuring security policies 6. • Check Windows Patches • Check Registry • Check Share • Check Smart Terminal Configuration • Check Asset Registration Status • Check Operating System Password Click OK. Modifying a security level The system-defined and user-defined security levels are displayed in the security level list and can be modified. During the real-time check, the EAD server determines whether a user who fails the check should be monitored, informed, isolated, or kicked out according to the modified security level. To modify a security level: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Level from the navigation tree. The Security Level List displays all security levels. 3. Click the Modify icon for the security level you want to modify. The Modify Security Level page appears. 4. 5. 6. Modify the basic information for the security level. You cannot modify Security Level Name or Service Group. Configure the parameters in the following areas: • Traffic Monitoring • Check Anti-Virus Software • Check Anti-Spyware Software • Check Firewall Software • Check Anti-Phishing Software • Check Hard Disk Encryption Software • Check PC Software Control Group • Check Smart Terminal Software Control • Check Patch Management Software • Check Windows Patches • Check Registry • Check Share • Check Smart Terminal Configuration • Check Asset Registration Status • Check Operating System Password Click OK. Deleting a security level You cannot delete a security level that is assigned to a security policy. To delete the security level, you must first remove it from the security policy. Security level management 53 To delete a security level: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Security Level from the navigation tree. The Security Level List displays all security levels. 3. Click the Delete icon for the security level you want to delete. A confirmation dialog box appears. 4. Click OK. Hierarchical node management Hierarchical node management applies to enterprises or organizations and their branches. By allowing deployment of EAD servers at both the headquarters and the individual branches, hierarchical node management helps to improve efficiency and flexibility of EAD security check for all branches. Operators can implement either centralized policy management or noncentralized policy management. • Centralized policy management—Uses a central EAD server located at the headquarters to deploy security policies and services to every branch EAD server. The branch EAD servers use the deployed security policies to control security check for access users and to report the security data to the central EAD server. Operators can view the security statistics report for the entire organization from the central EAD server. • Noncentralized policy management—Allows branches to define their security policies and to report data to the central EAD server. Operators can view the security statistics report for every branch from the central EAD server. With hierarchical node management, each set of EAD components requires a license based on the number of users to be authenticated. For more information, see “Service parameters management” (page 310). An EAD server can act as a parent node, child node, or both. Each EAD server can have multiple child nodes but only one parent node. Child node list contents The child node list (<Current Node Name> Grade Node List) comprises the following parameters: 54 • Policy Update Time—Time when the policy of the current node was last updated. This field is available only when Centralized Policy Management is set to Enable. • Node Name—Name of the child node. Click the name to view its details. • Status—Status of the child node: ◦ Normal—Indicates that the communication between the child node and the current node is normal. ◦ Abnormal—Indicates that the last report time is empty, the last report time was more than 40 minutes ago, or the last deployment failed. • IP Address—IP address of the child node. • Port—Listening port of the child node. • Protocol Type—Protocol type used to access the child node. Only HTTP is supported. • Last Report Time—Time when the child node last reported security data to the current node. • Last Deploy—Time when the current node last performed a deployment to its child nodes. Configuring security policies • Operation Result—Operation result of the last deployment. • Operation—Provides the following icons: ◦ Configure —Configure the services to be deployed to the child node. You can perform this operation only when Centralized Policy Management is set to Enable. ◦ Deploy —Deploy the selected services to the child node. You can perform this operation only when Centralized Policy Management is set to Enable. ◦ Deployment History —View the deployment history of the child node. You can perform this operation only when Centralized Policy Management is set to Enable. ◦ Modify ◦ Delete —Modify the settings of the child node. —Delete the child node. Child node information details Child node information details comprise the following areas: • Basic Information • Real-time statistics on the number of users on the child node • Real-time statistics on the number of user-services failing the security check on the child nodes Basic Information area • Node Name—Name of the child node. • Status—Status of the child node: Normal or Abnormal. • Reason for Abnormality—Reason why the child node is abnormal. When the child node is in the normal state, this field is empty. • IP Address—IP address of the child node. • Port—Listening port of the child node. • Protocol Type—Protocol type used to access the child node. Only HTTP is supported. • AUTH for Accessing Child Node—Indicates whether identity authentication is required for accessing the child node. Identity authentication is required in centralized policy management. • Login Name—User name used by the current node to access the child node. This field is available only when AUTH for Accessing Child Node is set to Enable. • Last Report Time—Time when the child node last reported data to the current node. • Last Success Deploy—Time when the current node last performed a successful deployment on the child node. • Last Deploy—Time when the current node last performed a deployment. • Operation Result—Result of the last deployment performed by the current node. • Reason—Reason why the last deployment performed by the current node failed. If the last deployment was successful, this field is empty. Real-time statistics on the number of users on the child node area • Number of access users allowed by license—Last reported maximum number of access users permitted by the license on the child node. • Number of created access users—Last reported number of existing access users on the child node. Hierarchical node management 55 • Number of EAD users allowed by license—Last reported maximum number of EAD users permitted by the license on the child node. • Number of created EAD users—Last reported number of existing EAD users on the child node. • Number of online users—Last reported number of online users on the child node. • Number of secure online users—Last reported number of online users who passed the security check on the child node. • Number of insecure online users—Last reported number of online users who failed the security check on the child node. Insecure users include those who are monitored, informed, isolated, and are to be kicked out. • Number of unknown online users—Last reported number of unknown online users on the child node. Unknown users include those who are not required to pass the security check and those who are currently going through the security check. • Number of blacklist users—Last reported number of blacklisted access users on the child node. • Number of guests—Last reported number of guests on the child node. Real-time statistics on the number of user-services failing the security check on the child nodes area 56 • Anti-virus software check failures—Number of access users who failed the anti-virus software check. • Anti-phishing software check failures—Number of access users who failed the anti-phishing software check. • Firewall software check failures—Number of access users who failed the firewall software check. • Anti-spyware software check failures—Number of access users who failed the anti-spyware software check. • Hard disk encryption software check failures—Number of access users who failed the hard disk encryption software check. • Windows patch check failures—Number of access users who failed the Windows patch check. • Patch management software check failures—Number of access users who failed the patch management software check. • Application check failures—Number of access users who failed the application check. • Number of users failing smart terminal software control group check—Number of access users who failed the smart terminal software control group check. • Number of users failing smart terminal configuration check—Number of access users who failed the smart terminal configuration check. • Registry check failures—Number of access users who failed the registry check. • Share directory check failures—Number of access users who failed the share directory check. • Traffic monitoring check failures—Number of access users who failed the traffic monitoring check. • Operating system password check failures—Number of access users who failed the operating system password check. • Asset registration check failures—Number of access users who failed the asset registration check. Configuring security policies Parent node information Parent node information comprises the following parameters: • IP Address—IP address of the parent node. • Port—Listening port of the parent node. • Protocol Type—Protocol type used by the parent node. • Confirmed or Not—Indicates whether the parent node has been confirmed. Viewing the child node list To view the child node list of the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. 4. To sort the <Current Node Name > Grade Node List, click the Node Name, Status, IP Address, Port, Protocol Type, Last Report Time, Last Deploy, or Operation Result column label. Click Refresh to refresh the <Current Node Name> Grade Node List. Modifying the name of the current node To modify the name of the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click Modify Self. The Modify Self window appears. 4. 5. Enter the name of the current node in the Node Name field. Click OK. The Grade Node List title bar displays the new name of the current node. Viewing child node details Operators can view detailed information about each child node immediately below the current node. To view child node details: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click the name of the child node for which you want to view the detailed information. The Child Node Information page appears. 4. To go back to the <Current Node Name> Grade Node List of the current node, click Back. Hierarchical node management 57 Adding a child node You cannot configure a node’s own parent node (or other node above it) as its child node. To add a child node to the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click Add. The Add Child Node window appears. 4. 5. Configure the following parameters for the child node: • Node Name—Enter the name of the child node. • IP Address—Enter the IP address of the child node that is deployed with the EAD component. • Port—Enter the listening port of the child node. • Protocol Type—Select the protocol type used to access the child node. Only HTTP is supported. • AUTH for Accessing Child Node—Select this option to enable identity authentication for accessing the child node. Identity authentication is required in centralized policy management. • Login Name—Enter the user name used to access the child node. The user name must be that of an administrator of the child node. This parameter is available only when AUTH for Accessing Child Node is set to Enable. • Login Password—Enter the login password of the administrator. This parameter is available only when AUTH for Accessing Child Node is set to Enable. Click OK. The new child node appears in the Grade Node List of the current node. The current node cannot deploy services to this child node until an operator logs in to the child node to confirm the current node as its parent node. For more information, see “Confirming the parent node” (page 59). Modifying a child node To modify a child node of the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click the Modify icon for the child node you want to modify. The Modify Child Node window appears. 4. Modify the parameters for the child node. For more information, see “Adding a child node” (page 58). 5. 58 Click OK. Configuring security policies Deleting a child node To remove the hierarchical relationship between two nodes, first delete the child node from its parent node, and then delete the parent node. The statistics for the child node are not collected when viewing the multi-node statistics report for the current node. To delete a child node: 1. Click the Service tab. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 2. Click the Delete icon for the child node you want to delete. A confirmation dialog box appears. 3. Click OK. Confirming the parent node A node cannot receive deployment contents from the parent node if the parent node is not confirmed. To confirm the parent node for the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click Confirm Parent Node. The Confirm Parent Node page appears. 4. 5. View the parent node information. Click OK. Deleting the parent node To remove the hierarchical relationship between two nodes, first delete the child node from its parent node, and then delete the parent node. The current node does not report data to the parent node. To delete the parent node for the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click Delete Parent. The Delete Parent page appears. 4. Click Delete. Deploying services, security policies, and service parameters Hierarchical node management offers automatic and manual deployment of services, security policies used by the services, and EAD service parameters from a node to its child nodes. The node deploys the EAD service parameters Data Reporting Time and Data Lifetime to its child nodes because they cannot be configured on the individual child nodes. A child node uses the deployed services and security policies for identity authentication and security check. Deploying services, security policies, and service parameters 59 With automatic deployment, a node checks the Policy Update Time for child nodes daily at the scheduled deployment time. The node performs the deployment when the Policy Update Time is later than the last successful deployment time. The policy update time is refreshed, as well as any changes to the service parameters, security policies, and security check items. Deployment contents The contents of both automatic and manual deployment depend on the centralized policy management status. • When centralized policy management is enabled, automatic and manual deployment both deliver services, security policies, and service parameters to the child nodes. • When centralized policy management is disabled, automatic and manual deployment both deliver only service parameters to the child nodes. Configuring the services to be deployed To configure the services to be deployed: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click the Configure icon for the child node to which you want services to be deployed. The Specify Services to Be Deployed page appears. 4. 5. 6. View the following service information: • Service—Name of the service to be deployed. • Service Suffix—Suffix of the service to be deployed. • Security Policy—Default security policy used by the service. Select one or more services you want to deploy. Click OK. Scheduling automatic deployment To schedule automatic deployment: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click Auto Deployment. The Configure Automatic Deployment page appears. 4. 5. Enter the daily deployment time in the Deploy Everyday At field. The value must be an integer in the range 0 to 23 in 24-hour notation. Click OK. Configuring manual deployment To manually deploy policies: 1. Click the Service tab. 60 Configuring security policies 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. 4. Click the Deploy icon Click OK. for the node for which you want to start the deployment. The node immediately starts the deployment, and then displays the deployment result page. Deployment and receipt history Deployment history list contents The deployment history list comprises the following parameters: • Deployment Time—Time when the deployment was performed. • Deployment Type—How the deployment was performed: Manual or Auto. • Result—Result of the deployment: Succeeded or Failed. • Reason—Reason why the deployment failed. • Services—Names of the deployed services, separated by commas. • File Name—Name and path of the file that contains the deployed data. Receipt history list contents • Receipt Time—Time when the current node received the deployment content from its parent node. • Result—Result of the receipt: Succeeded or Failed. • Reason—Reason why the receipt failed. • Services—Names of the received services, separated by commas. Viewing the deployment history list Operators can view the deployment history of individual child nodes from the current node. To view the deployment history list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click the Deployment History icon to view. for the child node whose deployment history you want The Deployment History List displays all deployments performed on the child node. 4. To go back to the Grade Node List of the current node, click Back. Viewing the receipt history list Operators can view the receipt history of a node only from its parent node. To view the receipt history list: 1. Click the Service tab. Deployment and receipt history 61 2. Select Endpoint Admission Defense > Policy Receipt History from the navigation tree. The Receipt History List displays the receipt history of the current node from its parent node. Querying the deployment history The parent node creates a deployment history record each time it executes a deployment. Operators can use the query function to filter the deployment history of a parent node. To query the deployment history of a node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Hierarchical Node Management from the navigation tree. The <Current Node Name> Grade Node List displays all child nodes immediately below the current node. 3. Click the Deployment History icon to query. for the child node whose deployment history you want The Deployment History page of the child node appears. 4. 5. Enter or select one or more of the following query criteria: • Deployment Time from/to—Specify a deployment time range. You can click the calendar icon to select the time, or enter a date in YYYY-MM-DD format. • Deployment Type—Select the deployment type: Manual or Auto. • Result—Select the result of the deployment: Succeeded or Failed. Click Query. The Deployment History List displays the history records that match the query criteria. 6. To reset the query criteria, click Reset. The Deployment History List displays all deployments performed on the selected node. Querying the receipt history of a child node The child node creates a receipt history record each time it receives services, security policies, or service parameters from its parent node. Operators can use the query function to filter the receipt history records of a child node. To filter the receipt history records of the current node: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Policy Receipt History from the navigation tree. The Receipt History List displays all receipt history records of the current node. 3. 4. Enter or select one or more of the following query criteria: • Receipt Time from/to—Specify a receipt time range. You can click the calendar icon to select the time, or enter a date in YYYY-MM-DD format. • Result—Select the receipt result: Succeeded or Failed. Click Query. The Receipt History List displays the receipt history records that match the query criteria. 5. To reset the query criteria, click Reset. The Receipt History List displays all receipt history records of the current nodes. 62 Configuring security policies EAD global network monitoring diagram The EAD global network monitoring diagram provides a more straightforward way for operators to monitor the running status of nodes and to view the security statistics. Operators can change the background picture to a geographical image of the nodes. Accessing the EAD global network monitoring diagram To access the diagram: 1. Click the Service tab. 2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the navigation tree. The diagram appears. Toolbar contents • 1:1 • Zoom In —Magnify the diagram. A grayed-out icon indicates that the diagram cannot be further magnified. • Zoom Out —Shrink a specified area of the diagram. A grayed-out icon indicates that the diagram cannot be made any smaller. • Fit Content —Automatically adjust the diagram to a size appropriate to the window size. • Magnifier —Magnify the selected area of the diagram. • Over View —Bring up or shut down a bird's-eye view of the diagram. • Full Screen /Exit Full Screen • Hand Tool /Pointer Tool Click the Pointer Tool icon • Add Background • Remove Background —Remove the background picture of the diagram. This icon is grayed out when the diagram has no background. • Save • Save as Image • Add Node • Icon Management • Legend • Refresh —Display the diagram in its original size. —Enter or exit the full-screen view of the diagram. —Click the Hand Tool icon to move the diagram in the window. to select a node in the diagram and view its details. —Add or change the background picture of the diagram. —Save the modifications you have made to the diagram. —Save the diagram as an image in PNG format. —Add a current or child node to the diagram. —Modify the type and description of the node icon. —View the legends. Table 6 provides a detailed description of the legends. —Refresh the diagram. Table 6 Legends Type Node Status Legends Description Abnormal nodes appear as red icons; normal nodes appear as green icons. Operators can assign different graphic icons to nodes for identification purposes. Node Icon EAD global network monitoring diagram 63 Table 6 Legends (continued) Type Legends Description Right-click menu of the EAD global network monitoring diagram • Hide Node Name/Show Node Name—Hide or show the node names in the diagram. • Adjust Background>Manual Adjust—Manually adjust the size of the background picture. • Adjust Background>Resume Original Size—Restore the background picture of the diagram to its original size. • Exit Background—Exit the manual size adjustment for the background picture. Right-click menu of a node • Remove from Diagram—Remove the node from the diagram. • View Node—View details of the node. This option is available for child nodes only. For more information, see “Viewing child node details” (page 57). Left-click information of a node • Node Name—Name of the node. • Node Type—Type of the node icon. • Status—Status of the node: Normal or Abnormal. • IP Address—IP address of the node. • Total Access Users—Number of access users on the node. • Online Users—Number of online users on the node. Adding a node to the EAD global network monitoring diagram By default, the current node and all of its child nodes are displayed in the diagram. Operators can add nodes that were previously deleted from the diagram. To add a node to the diagram: 1. Click the Service tab. 2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the navigation tree. The diagram appears. 3. Click the Add Node icon . The Add Node window appears. The Node List displays all nodes that can be added to the diagram. 64 Configuring security policies 4. Filter the nodes by query: a. Enter the name of the node in the Node Name field. EAD supports fuzzy matching for this field. b. Click Query. The Node List displays all nodes that match the query criteria. c. To clear the query criteria, click Reset. The Node List displays all nodes. 5. 6. 7. From the Node List, select one or more nodes that you want to add. From the Node Type list, select an icon type for the node. Click OK. Customizing the background picture with a local image To customize the background picture with a local image: 1. Click the Service tab. 2. Select Endpoint Admission Defense > EAD Global Network Monitoring Diagram from the navigation tree. The diagram appears. 3. Click the Add Background icon . The Topology Background-picture Setting window appears. 4. 5. Select the User Upload Picture option. Click Browse to select the image you want to set as the background picture. The following guidelines apply for image selection: 6. 7. • Use a GIF, JPG, JPEG, or PNG image. Images in other formats may not be displayed properly. • The image file cannot exceed 10 MB, and the dimension cannot exceed 1000×1000. • The image file name can contain alphanumeric characters, spaces, underscores (_), and hyphens (-) only. Click Preview to see how the image looks as the background picture. Click Set. The selected picture is uploaded to the EAD server and set as the background picture of the diagram. 8. Click Close. Setting a preloaded background picture To set a preloaded background picture: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > EAD Global Network Monitoring Diagram from the navigation tree. The diagram appears. 3. Click the Add Background icon . The Topology Background-picture Setting window appears. 4. 5. Select the Select Picture From Server option. Click Select Picture to select a picture. The system automatically magnifies the selected picture as the preview. EAD global network monitoring diagram 65 6. 7. Click Set to set the picture as the background picture for the diagram. Click Close. Managing node icons Operators can modify the type and description of the node icons. EAD provides five system-defined icons; it does not support custom icons. To manage a node icon: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > EAD Global Network Monitoring Diagram from the navigation tree. The diagram appears. 3. Click the Icon Management icon . The Icon Management page appears. The Icon List displays the following parameters: 4. 5. 66 • Node Icon—System-defined graphic icon, including rhombus ( ), square ( ), circle ( ), star ( ), and triangle ( ). The default is rhombus ( ). • Node Icon Type—Type of the node icon. • Description—Description of the node icon. Click the Modify icon for the node icon you want to modify. • Node Icon—Graphic icon. You cannot modify this field. • Node Icon Type—Enter the type of the node icon. • Description—Description of the node icon. Click OK. Configuring security policies 4 Configuring terminal access control This chapter describes terminal access control and discusses managing client ACLs, URL control policies, domain URL classes, and IP URL classes. Terminal access control Terminal access control uses isolation mode and URL access control to provide security for terminal access. Isolation mode Isolation mode isolates access users that fail the security check. EAD provides the following isolation modes: • Deploy ACLs to access device After deployment, the device controls user behaviors based on ACLs, which can be security ACLs or isolation ACLs. Security ACLs allow access users to access resources only in the restricted area to repair faults and then restart security check. Isolation ACLs apply to all online access users that are not yet isolated. ACLs can be deployed to non-HP ProCurve or HP ProCurve devices. The devices have different mechanisms for processing the ACLs deployed by EAD. • ◦ Non-HP ProCurve devices—EAD deploys the ACL number to the access device through RADIUS packets (the specified ACL must exist on the device). Operators can manually add, modify, or delete ACLs on the access device, or deploy ACLs to the access device through the ACL management feature of the IMC Platform. For information about the ACL management feature, see HP IMC Base Platform Administrator Guide. ◦ HP ProCurve devices—EAD deploys the ACL rules to the access device through extended RADIUS packets. Operators must navigate to User Access Manager > Access ACL to configure ACL rules. For information about configuring access ACLs, see HP IMC User Access Manager Administrator Guide. Deploy ACLs to iNode client After deployment, the iNode client controls user behaviors based on ACLs, which can be security ACLs or isolation ACLs. Their functions are similar to access device ACLs. For more information, see “Managing client ACLs” (page 68). • Deploy VLANs to access device After deployment, the device controls user behaviors based on VLANs, which can be security VLANs or isolation VLANs. Security VLANs allow access users to access resources only in the restricted area to repair faults and then restart security check. Isolation VLANs apply to all online access users that are not yet isolated. EAD deploys the VLAN ID to the access device through RADIUS packets (the specified VLAN must exist on the device). Operators can manually add or delete VLANs on the access device, or deploy VLANs to the access device through the VLAN management feature of the IMC Platform. For information about the VLAN management feature, see HP IMC Base Platform Administrator Guide. Terminal access control 67 URL access control URL access control can be implemented through a URL control policy and an optional Hosts file check. • URL control policy A URL control policy permits or denies a user's HTTP access to the specified website in the system-defined domain classes or IP classes. Before configuring a URL control policy, you must configure domain URL classes and IP URL classes. In a URL control policy, you can specify an action (permit or deny) for an existing domain URL class or IP URL class, and specify an IP URL default action and a domain URL default action. For information about configuring classes and policies, see “Managing URL control policies” (page 71), “Managing IP URL classes” (page 77), and “Managing domain URL classes” (page 74). • Hosts file check A user might bypass the URL control policy by modifying the website URLs in the Hosts file. You can enable the Hosts file check and configure the contents to be checked in the security policy. Managing client ACLs Operators can use client ACLs to enhance network security for users connecting to access devices that do not support receiving the ACLs or ACL numbers deployed by EAD. EAD deploys client ACLs to terminals that have the iNode client installed. Client ACLs might not be protected as well as device ACLs. EAD deploys the client ACLs to terminals of access users that pass identify authentication, and applies the client ACLs to the outgoing traffic of their respective authentication NICs. Client ACLs can be classified as follows: • Isolation ACL—Allows unsecure users to access only a restricted area to rectify security problems and reinitiate security authentication. • Security ACL—Applies to all online access users that are not isolated. Operators can add, modify, and delete client ACLs. Configure client ACLs only when the iNode client on the target user terminals supports the client ACL feature. Otherwise, the access users cannot log in after the client ACL deployment. The client ACL feature is available for Windows operating systems only. Client ACL list contents The client ACL list contains the following parameters: • ACL Name—Name of the client ACL. Click the name to view its details. • Service Group—Name of the service group to which the client ACL belongs. • Description—Description of the associated client ACL. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the client ACL settings. to delete the client ACL. Client ACL details Client ACL details comprise the basic information area and an ACL rule list. 68 Configuring terminal access control Basic Information area • ACL Name—Name of the client ACL. • Default Action of ACL Rule—Action to take on IP packets that do not match any ACL rule. ◦ Permit—Permits IP packets that do not match any ACL rule on the ACL rule list to pass through. ◦ Deny—Drops IP packets that do not match any ACL rule on the ACL rule list. • Description—Description of the client ACL. • Service Group—Name of the service group to which the client ACL belongs. ACL Rule List • Matching Action—Action to take on the IP packets that match the ACL rule. ◦ Permit—Permits the IP packets that match the ACL rule to pass through. ◦ Deny—Drops the IP packets that match the ACL rule. • Protocol—Transport-layer protocol that the ACL rule matches. A protocol name (ICMP, TCP, or UDP) or protocol number matches the corresponding transport-layer protocol. This field displays two hyphens (--) if the ACL rule matches all transport-layer protocols. • Dest IP—Destination IP address that the ACL rule matches. • Mask—Subnet mask of the destination IP address. • Dest Port—Destination port of IP packets. This field displays a value only when the transport-layer protocol of the ACL rule is TCP or UDP (you selected TCP or UDP in the Protocol list). Otherwise, this field displays two hyphens (--). The default setting is 0, which matches all destination ports. • Source Port—Source port of IP packets. This field displays a value only when the transport-layer protocol of the ACL rule is TCP or UDP (you selected TCP or UDP in the Protocol list). Otherwise, this field displays two hyphens (--). The default setting is 0, which matches all source ports. • Priority—Priority of the ACL rule. The ACL rules are arranged in descending priority order. An ACL rule with a higher priority is preferentially matched. Click the Move Up icon or the Move Down icon to adjust the list. Viewing the client ACL list To view the client ACL list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from the navigation tree. The Client ACL List displays all client ACLs. 3. 4. To sort the Client ACL List, click the ACL Name or Service Group column label. Click Refresh to refresh the Client ACL List. Viewing client ACL details To view detailed information about a client ACL: 1. Click the Service tab. Managing client ACLs 69 2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from the navigation tree. The Client ACL List displays all client ACLs. 3. Click the name of the client ACL for which you want to view its detailed information. The View Client ACL page appears. 4. Click Back to return to the Client ACL List. Adding a client ACL To add a client ACL: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from the navigation tree. The Client ACL List displays all client ACLs. 3. Click Add. The Add Client ACL page appears. 4. 5. Configure basic information for the client ACL. The ACL name must be unique in EAD. Click Add in the ACL Rule Information area. The Add Client ACL Rule window appears. 6. Configure the ACL rule parameters and click OK. The new ACL rule appears on the ACL Rule List. Repeat steps 5 and 6 to add more ACL rules, as needed. 7. Adjust priorities for the ACL rules. ACL rules are sorted in descending priority order. Click the Move Up icon icon to change rule positions on the ACL Rule List. 8. or Move Down Click OK. Modifying a client ACL To modify a client ACL: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from the navigation tree. The Client ACL List displays all client ACLs. 3. Click the Modify icon for the client ACL you want to modify. The Modify Client ACL page appears. 4. 5. 6. Modify the basic information for the client ACL. You cannot modify ACL Name or Service Group. Modify the ACL rules by using one or more of the following methods: • Click Add in the ACL Rule Information area to add an ACL rule. • Click Modify icon • Click the Delete icon for an existing ACL rule on the ACL Rule List to modify its settings. for an undesired ACL rule to delete the rule. Adjust priorities for the ACL rules. ACL rules are sorted in descending priority order. Click the Move Up icon icon to change rule positions on the ACL Rule List. 7. 70 Click OK. Configuring terminal access control or Move Down Deleting a client ACL Before deleting a client ACL that has been assigned to a security policy, you must remove their associations. To delete a client ACL: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Client ACL Management from the navigation tree. The Client ACL List displays all client ACLs. 3. Click the Delete icon for the client ACL you want to delete. A confirmation dialog box appears. 4. Click OK. Managing URL control policies An access user can access a website through one of the following methods: • IP address—Enter the IP address (for example, http://13.13.13.1) in the address bar of the browser. • Domain name—Enter the domain name of the website (for example, http://www.hp.com) in the address bar of the browser. The DNS translates the domain name into an IP address. • Hosts file—Add an entry (for example, 13.13.13.1 http://www.hp.com) to the Hosts file, and then enter the domain name of the website (for example, http://www.hp.com) in the address bar of the browser. The local Hosts file translates the domain name into an IP address without a DNS lookup. The iNode client parses the HTTP packets of access users according to the URL control policy, and prevents users from accessing the specified websites by IP address and domain name. Before configuring a URL control policy, you must configure domain URL classes and IP URL classes. In the URL control policy, you can specify the following contents: • An action (permit or deny) for an IP URL class or domain URL class • An IP URL default action • A domain URL default action For more information, see “Managing domain URL classes” (page 74) and “Managing IP URL classes” (page 77). An access user can bypass the URL control policy by modifying the website URLs in the Hosts file. To prevent this, do the following: 1. Enable Check Hosts File in the URL control policy area of the security policy. 2. Configure the URL check items. Periodically, the iNode client checks the contents of the Hosts file against the URL check items. When the Hosts file contains items that are not URL check items, the iNode client immediately logs out the user and displays a security violation message. URL control policy list contents The URL control policy list contains the following parameters: • URL Control Policy Name—Name of the URL control policy. • Description—Description of the URL control policy. • Service Group—Name of the service group to which the URL control policy belongs. Managing URL control policies 71 • Modify—Click the Modify icon • Delete—Click the Delete icon to modify settings of the URL control policy. for the URL control policy you want to delete. URL control policy details URL control policy details comprise the basic information area, a domain URL check item list, and an IP URL check item list. Basic Information area • URL Control Policy Name—Name of the URL control policy. • Domain URL Default Action—Action to take on the domain URL accesses that do not match a domain URL check item. The action can be Permit or Deny. The domain URL default action will be applied to any domain URL accesses that do not match a domain URL check item. • IP URL Default Action—Action to take on the IP URL accesses that do not match an IP URL check item. The action can be Permit or Deny. The IP URL default action applies to any IP URL accesses that do not match an IP URL check item. • Service Group—Name of the service group to which the URL control policy belongs. • Description—Description of the URL control policy. Domain URL Class List • Class Name—Name of the domain URL class. For more information, see “Adding a domain URL class” (page 75). • Action—Action to take on the domain URL accesses that match the domain URL class. The action can be Permit or Deny. • Description—Description of the domain URL class. • Priority (Descending)—Priority of the domain URL class. The domain URL classes are arranged in descending priority order. When the domain URL of the website to be accessed matches multiple classes, the domain URL class with the highest priority applies. Click the Move Up icon or Move Down icon to adjust the list. IP URL Class List • IP URL Class—Name of the IP URL class. For more information, see “Adding an IP URL class” (page 78). • Action—Action to take on the IP URL accesses that match the IP URL class. The action can be Permit or Deny. • Description—Description of the IP URL check item. • Priority (Descending)—Priority of the IP URL check item. The IP URL check items are arranged in descending priority order. When the IP URL of the website to be accessed matches multiple classes, the IP URL check item with the highest priority applies. Click the Move Up icon or Move Down icon to adjust the list. Viewing the URL control policy list To view the URL control policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the navigation tree. The URL Control Policy List displays all URL control policies. 3. 4. 72 To sort the URL Control Policy List, click the URL Control Policy Name or Service Group column label. Click Refresh to refresh the URL Control Policy List. Configuring terminal access control Viewing the URL control policy details To view detailed information about a URL control policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the navigation tree. The URL Control Policy List displays all URL control policies. 3. Click the name of the URL control policy for which you want to view the detailed information. The URL Control Policy Details page appears. 4. Click Back to return to the URL Control Policy List. Adding a URL control policy To add a URL control policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the navigation tree. The URL Control Policy List displays all URL control policies. 3. Click Add. The Add URL Control Policy page appears. 4. 5. Configure basic information for the URL control policy. The policy name must be unique in EAD. Click Add in the Domain URL Check Items area. The Add Domain URL Check Item window appears. 6. Configure the parameters and click OK. The new domain URL check item appears on the Domain URL Check Item List. Repeat steps 5 and 6 to add more domain URL check items, as needed. 7. Adjust priorities for the domain URL check items. Domain URL check items are sorted in descending priority order. Click the Move Up icon or Move Down icon to adjust the list. 8. Click Add in the IP URL Check Items area. The Add IP URL Check Item window appears. 9. Configure the parameters and click OK. The new IP URL check item appears on the IP URL Check Item List. Repeat steps 8 and 9 to add more IP URL check items, as needed. 10. Adjust priorities for the IP URL check items. IP URL check items are sorted in descending priority order. Click the Move Up icon Down icon to adjust the list. or Move 11. Click OK. Modifying a URL control policy To modify a URL control policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the navigation tree. The URL Control Policy List displays all URL control policies. Managing URL control policies 73 3. Click the Modify icon for the URL control policy you want to modify. The Modify URL Control Policy page appears. 4. 5. 6. Configure basic information for the URL control policy. You cannot modify URL Control Policy Name or Service Group. Modify the domain URL check items by using one or more of the following methods: • Click Add in the Domain URL Check Item Information area to add a domain URL check item. • Click Modify icon settings. • Click the Delete icon for an existing item on the Domain URL Check Item List to modify its for an undesired domain URL check item to delete the item. Adjust priorities for the domain URL check items. Domain URL check items are sorted in descending priority order. Click the Move Up icon or Move Down icon to adjust the list. 7. 8. Modify the IP URL check items by using one or more of the following methods: • Click Add in the IP URL Check Item Information area to add an IP URL check item. • Click Modify icon • Click the Delete icon for an existing item on the IP URL Check Item List to modify its settings. for an undesired IP URL check item to delete the item. Adjust priorities for the IP URL check items. IP URL check items are sorted in descending priority order. Click the Move Up icon to adjust the list. Down icon 9. or Move Click OK. Deleting a URL control policy Before deleting a URL control policy that is assigned to a security policy, you must remove their associations. To delete a URL control policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > URL Control Policy from the navigation tree. The URL Control Policy List displays all URL control policies. 3. Click the Delete icon for the URL control policy you want to delete. A confirmation dialog box appears. 4. Click OK. Managing domain URL classes A domain URL class is a set of website domain names. The iNode client parses the HTTP packets of access users, compares the domain names to be accessed with the domain URL check items in the URL control policy, and permits or denies user access based on the comparison results. The domain URL check supports fuzzy matching. For example, when you specify yahoo in the domain URL class, a user's access to the websites www.yahoo.com, mail.yahoo.com, and www.yahoo.org, which contain yahoo, is permitted or denied as configured. This section describes how to view, add, modify, and delete the domain URL classes and their URL items. 74 Configuring terminal access control Domain URL class list contents The domain URL class list contains the following parameters: • Domain URL Class Name—Name of the domain URL class. • Description—Description of the domain URL class. • Service Group—Name of the service group to which the domain URL class belongs. • Config—Click the Config icon • Modify—Click the Modify icon • Delete—Click the Delete icon to configure URL check items for the domain URL class. to modify the domain URL class settings. to delete the domain URL class. Domain URL class details Domain URL class details comprise the following basic information: • Domain URL Class Name—Name of the domain URL class. • Service Group—Name of the service group to which the domain URL class belongs. • Description—Description of the domain URL class. Domain URL item list contents Domain URL item list contents comprise the following basic information: • Domain—Domain name of the website. • Description—Description of the domain name. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the domain URL check item. to delete the domain URL check item. Viewing the domain URL class list To view the domain URL class list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. 4. To sort the Domain URL Class List, click the Domain URL Class Name or Service Group column label. Click Refresh to refresh the Domain URL Class List. Viewing the domain URL class details To view the domain URL class details: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. Click the name of a domain URL class for which you want to view the detailed information. The Domain URL Class Details page appears. 4. Click Back to return to the Domain URL Class List. Adding a domain URL class To add a domain URL class: Managing domain URL classes 75 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. Click Add. The Add Domain URL Class page appears. 4. 5. Configure the basic information for the domain URL class. Click OK. Configuring domain URL check items To configure domain URL check items for a domain URL class: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. Click the Config icon for the target domain URL class. The Domain URL Item List displays all domain URL check items in the domain URL class. 4. Click Add to add a domain URL check item. a. Domain—Enter the domain name of the website, and enter a description of the domain name in the Description field. b. Click OK. Repeat to add more domain URL check items, as needed. 5. Click Import to import domain URL check items: a. Browse to and select the file to be imported, and then select a column separator for the file. Options are space, tab character, comma (,), colon (:), pound sign (#), and dollar sign ($). The file must be in TXT format. b. Click Next. c. Select the column that contains the domain names from the Domain list, and then select the column that contains the domain URL check item descriptions from the Description list. When you select Not Import from File from the Description list, enter a description for all imported domain URL check items in the field to the right. d. Click Preview to preview the file import result. e. Click OK. f. Click Back to return to the Config Domain URL Class page. 6. Query domain URL check items: a. Enter the domain name of the website in the Domain field. EAD supports fuzzy matching for this field. b. Click Query. The Domain URL Item List displays all domain URL check items that match the query criterion. c. Click Reset to clear the query criterion. The Domain URL Item List displays all domain URL check items in the domain URL class. 76 Configuring terminal access control 7. Modify a domain URL check item: a. Click the Modify icon for the target domain URL check item. The Modify Domain URL Item window appears. b. Modify the following parameters for the domain URL check item: Domain—Modify the domain name of the website. Description—Modify the description of the domain name. c. Click OK. 8. To delete a domain URL check item: a. Click the Delete icon for the target domain URL check item. b. Click OK. 9. Click OK. Modifying a domain URL class To modify a domain URL class: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. 4. 5. for the target domain URL class. Click the Modify icon Modify the domain URL class. The Domain URL Class Name and Service Group cannot be modified. Click OK. Deleting a domain URL class Before deleting a domain URL class that is assigned to a URL control policy, you must cancel their associations. For more information, see “Modifying a URL control policy” (page 73). To delete a domain URL class: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Domain URL Class from the navigation tree. The Domain URL Class List displays all domain URL classes. 3. Click the Delete icon for the domain URL class you want to delete. A confirmation dialog box appears. 4. Click OK. Managing IP URL classes An IP URL class is a set of website IP addresses. Access users can access these websites through IP addresses without DNS. The iNode client parses the HTTP packets of access users, compares the IP addresses to be accessed with the IP URL check items in the URL control policy, and permits or denies user access based on the comparison result. This section describes how to view, add, modify, and delete the IP URL classes and their URL check items. Managing IP URL classes 77 IP URL class list contents The IP URL class list contains the following parameters: • IP URL Class Name—Name of the IP URL class. • Description—Description of the IP URL class. • Service Group—Name of the service group to which the IP URL class belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the IP URL class settings. to delete the IP URL class. IP URL class details IP URL class details comprise the basic information area and an IP URL item list. Basic information section • IP URL Class Name—Name of the IP URL class. • Service Group—Name of the service group to which the IP URL class belongs. • Description—Description of the IP URL class. IP URL item list section • Start IP—Start IP address of the IP URL check item. • End IP—End IP address of the IP URL check item. • Description—Description of the IP segment. Viewing the IP URL class list To view the IP URL class list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation tree. The IP URL Class List displays all IP URL classes. 3. 4. To sort the IP URL Class List, click the IP URL Class Name or Service Group column label. Click Refresh to refresh IP URL Class List. Viewing the IP URL class details To view the IP URL class details: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation tree. The IP URL Class List displays all IP URL classes. 3. Click the name of an IP URL class for which you want to view the detailed information. The IP URL Class Details page appears. 4. Click Back to return to the IP URL Class List. Adding an IP URL class To add an IP URL class: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation tree. The IP URL Class List displays all IP URL classes. 78 Configuring terminal access control 3. Click Add. The Add IP URL Class page appears. 4. 5. Configure the basic information for the IP URL class. Add an IP URL check item: a. Click Add. The Add IP URL Item page appears. b. c. 6. Configure the following parameters: • Start IP—Enter the start IP address of the website IP segment. • End IP—Enter the end IP address of the website IP segment. • Description—Enter the description of the website IP segment. Click OK to add the IP URL check item. Click OK. Modifying an IP URL class To modify an IP URL class: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation tree. The IP URL Class List displays all IP URL classes. 3. 4. 5. Click the Modify icon to modify the IP URL class. The IP URL Class Name and Service Group cannot be modified. Click Add to add an IP URL check item: a. Start IP—Enter the start IP address of the website IP segment. b. End IP—Enter the end IP address of the website IP segment. c. Description—Enter the description of the website IP segment. Click OK. Repeat to add IP URL check items, as needed. 6. Modify an IP URL check item: a. Click the Modify icon for the target IP URL check item. The Modify IP URL Item page appears. b. c. Modify the following parameters for the IP URL: • Start IP—Modify the start IP address of the website IP segment. • End IP—Modify the end IP address of the website IP segment. • Description—Modify the description of the website IP segment. Click OK. 7. Delete an IP URL check item: a. Click the Delete icon for the target IP URL check item. b. Click OK. 8. Click OK. Deleting an IP URL class Before deleting an IP URL class that is assigned to a URL control policy, you must cancel their associations. For more information, see “Modifying a URL control policy” (page 73). To delete an IP URL class: Managing IP URL classes 79 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > IP URL Class from the navigation tree. The IP URL Class List displays all IP URL classes. 3. Click the Delete icon for the IP URL class you want to delete. A confirmation dialog box appears. 4. 80 Click OK. Configuring terminal access control 5 Configuring security check items for PCs A security policy includes one or more security check items. Each item focuses on one security threat on the access terminal. To enhance network security on Windows, Linux, and Mac OS PCs, the following security check items must be configured for each security policy: • Anti-virus software control • Anti-spyware software control • Firewall software control • Anti-phishing software control • Hard disk encryption software control • PC software control • Patch management software control • Windows patch control • Registry control • Share control • Traffic control • Password control • Asset registration status check Anti-virus software policy management The system defines anti-virus software control for several types of anti-virus software in Windows, Linux, Mac OS, and Android. You can enable anti-virus software control in a security policy and specify an anti-virus software policy. The anti-virus software policy determines whether an anti-virus software type application control is installed and running, and whether the anti-virus engine version and virus definition version match the policy. When an access user is authenticated, the iNode client checks the anti-virus software on the user terminal according to the configuration in the security policy. Anti-virus software policy management allows you to view, add, modify, and delete an anti-virus software policy. You can specify the anti-virus software type application controls to be checked and the anti-virus engine version and virus definition version. Anti-virus software policy list contents The anti-virus software policy list contains the following parameters: • Anti-Virus Software Policy Name—Name of the anti-virus software policy. Click the name to view its details. • Service Group—Service group to which the anti-virus software policy belongs. • Description—Description of the anti-virus software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the anti-virus software policy. to delete the anti-virus software policy. Anti-virus software policy details Anti-virus software policy details comprise the basic information section and the Windows Operating System, Linux Operating System, Mac OS Operating System, and Android Operating System Anti-virus software policy management 81 sections. The Windows Operating System, Linux Operating System, and Mac OS Operating System sections only take effect on PCs. Basic information section • Policy Name—Name of the anti-virus software policy. • Service Group—Service group to which the anti-virus software policy belongs. • Description—Description of the anti-virus software policy. Windows operating system, Linux operating system, and Mac OS operating system sections The Windows operating system, Linux operating system, and Mac OS operating system sections list the anti-virus software that can be checked by the iNode client. • Anti-Virus Software—Name of the anti-virus software. • Vendor—Vendor name of the anti-virus software. • Check Items—Indicates whether the anti-virus engine version and virus definition version are checked for the corresponding anti-virus software. • ◦ Check anti-virus engine version—When this parameter is selected, the anti-virus engine version must be checked. Otherwise, the anti-virus engine version is not checked. ◦ Check virus definition version—When this parameter is selected, the virus definition version must be checked. Otherwise, the virus definition version is not checked. Restriction—Check rules for the anti-virus software policy. When this field is empty, no rules are set for the anti-virus software. ◦ Anti-Virus Engine Adaptation Period (in days)—Adaptation period for the anti-virus engine. This option is valid only when the anti-virus engine is in YYYY-MM-DD format. When the anti-virus engine is updated within the adaptation period, the anti-virus engine version check is passed. ◦ Lowest Version of Anti-Virus Engine—Lowest version of the anti-virus engine allowed by the anti-virus software policy. An anti-virus software policy supports two anti-virus engine version formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day; and XX.XX.XX, for example, 7.100.1003. ◦ Virus Definition Adaptation Period (in days)—Adaptation period for the virus definition of the anti-virus software. This option is valid only when the virus definition is in YYYY-MM-DD format. When the virus definition is updated within the adaptation period, the virus definition version check is passed. ◦ Lowest Version of Virus Definition—Lowest version of the virus definition allowed by the anti-virus software policy. An anti-virus software policy supports two virus definition version formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day; and XX.XX.XX, for example, 2.343.000. • Check—Indicates whether the corresponding anti-virus software is checked. • Priority—The iNode client checks the anti-virus software based on the priority. Items are listed in descending priority order (most important first). Click the Move Up icon or Move Down icon to adjust the list. Viewing the anti-virus software policy list To view the anti-virus software policy list: 1. Click the Service tab. 82 Configuring security check items for PCs 2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. 4. To sort the Anti-Virus Software Policy List, click the Anti-Virus Software Policy Name or Service Group column label. Click Refresh to refresh the Anti-Virus Software Policy List. Viewing anti-virus software policy details To view details of an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software Policies from the navigation tree. 3. Click the name of the anti-virus software policy for which you want to view the detailed information. The Anti-Virus Software Policy List displays all anti-virus software policies. The View Anti-Virus Software Policy page appears. 4. To go back to the Anti-Virus Software Policy List, click Back. Adding an anti-virus software policy To add an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click Add. The Add Anti-Virus Software Policy page appears. 4. 5. 6. Configure the basic information for the anti-virus software policy. To check an anti-virus software product in the anti-virus software policy, select the box in the Check field for the anti-virus software. Modify the anti-virus software check: a. Click the Modify icon for the anti-virus software you want to modify. The Anti-Virus Software Settings dialog box appears. b. c. Modify the anti-virus software name in the Anti-Virus software field as needed. To check the anti-virus engine version, select the box next to Check anti-virus engine version, and select an anti-virus engine version format: • Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 7. Anti-virus software policy management 83 Table 7 Version formats and parameters Version format Date format Dotted format d. Notification Version check mode Parameter Specified Version Lowest Version of Anti-Virus Engine Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Engine YYYY_MM_DD XX.XX.XX Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—The version check is passed if the user terminal version is higher than the specified version. If not, the version check fails. When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Engine field to select a date. When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Engine field. A valid version format is XX.XX.XX, for example, 7.100.1003. • Auto Adaptive—The version check is passed if the user terminal version has been updated within the adaptation period. If not, the version check fails. When the version check mode is Auto Adaptive and the version format is When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon, manually enter the adaptation period in the Adaptation Period (in days) field. e. To check the virus definition version, select the box next to Check virus definition version, and select a virus definition version format: • Dotted format—Valid version format is XX.XX.XX, for example, 2.343.00. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 8. Table 8 Version formats and parameters Version format Date format Dotted format f. g. 7. 84 Notification Version check mode Parameter Specified Version Lowest Version of Anti-Virus Definition Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Definition YYYY_MM_DD XX.XX.XX Select a version check mode; Specified Version or Auto Adaptive, from the Version Check Mode list. For more information about the check modes, see that for the Anti-Virus Engine version. Click OK. In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon Down icon to adjust the anti-virus software position in the list. Configuring security check items for PCs or Move 8. Click OK. The anti-virus software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying an anti-virus software policy To modifyan anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click the Modify icon for the anti-virus software policy you want to modify. The Modify Anti-Virus Software Policy page appears. 4. 5. 6. Modify the basic information for the anti-virus software policy. You cannot modify Policy Name or Service Group. To check an anti-virus software product in the anti-virus software policy, select the box in the Check field for the anti-virus software. Modify the anti-virus software check: a. Click the Modify icon for the anti-virus software you want to modify. The Anti-Virus Software Settings dialog box appears. b. c. Modify the anti-virus software name in the Anti-Virus software field as needed. To check the anti-virus engine version, select the box next to Check anti-virus engine version, and select an anti-virus engine version format: • Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 9. Table 9 Version formats and parameters Version format Date format Dotted format d. Notification Version check mode Parameter Specified Version Lowest Version of Anti-Virus Engine Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Engine YYYY_MM_DD XX.XX.XX Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—The version check is passed if the user terminal version is higher than the specified version. If not, the version check fails. When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Engine field to select a date. Anti-virus software policy management 85 When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Engine field. A valid version format is XX.XX.XX, for example, 7.100.1003. • Auto Adaptive—The version check is passed if the user terminal version has been updated within the adaptation period. If not, the version check fails When the version check mode is Auto Adaptive and the version format is Date format, manually enter the adaptation period in the Adaptation Period (in days) field. e. To check the virus definition version, select the box next to Check virus definition version, and select a virus definition version format: • Dotted format—Valid version format is XX.XX.XX, for example, 2.343.00. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 10. Table 10 Version formats and parameters Version format Notification Date format g. 7. 8. Parameter Specified Version Lowest Version of Anti-Virus Definition Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Definition YYYY_MM_DD Dotted format f. Version check mode XX.XX.XX Select a version check mode; Specified Version or Auto Adaptive, from the Version Check Mode list. For more information about the check modes, see that for the Anti-Virus Engine version. Click OK. In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon Down icon to adjust the anti-virus software position in the list. Click OK. or Move Deleting an anti-virus software policy Before deleting an anti-virus software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense>Terminal Security Software Policies>Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click the Delete icon for the anti-virus software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Anti-spyware software policy management The system defines anti-spyware software control for several types of anti-spyware software in the Windows, Mac OS, and Android operating systems. You can enable anti-spyware software control 86 Configuring security check items for PCs in a security policy, and specify an anti-spyware software policy. The anti-spyware software policy determines whether an anti-spyware software type application control is installed and running, and whether the anti-spyware engine version and spyware definition version match the policy. When an access user is authenticated, the iNode client checks the anti-spyware software on the user terminal according to the configuration in the security policy. Anti-spyware software policy management allows you to view, add, modify, and delete an anti-spyware software policy. You can specify the anti-spyware products to be checked and the spyware definition version and anti-spyware engine version. Anti-spyware software policy list contents The anti-spyware software policy list contains the following parameters: • Anti-Spyware Software Policy Name—Name of the anti-spyware software policy. Click the name to view its details. • Service Group—Service group to which the anti-spyware software policy belongs. • Description—Description of the anti-spyware software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the anti-spyware software policy. to delete the anti-spyware software policy. Anti-spyware software policy details Anti-spyware software policy details comprise the basic information section and the Windows Operating System, Mac OS Operating System, and Android Operating System sections. The Windows Operating System and Mac OS Operating System sections only take effect on PCs. Basic information section • Policy Name—Name of the anti-spyware software policy. • Service Group—Service group to which the anti-spyware software policy belongs. • Description—Description of the associated anti-spyware software policy. Windows Operating System and Mac OS Operating System sections These sections list the anti-spyware software that can be checked by the iNode client on the corresponding operating system. • Anti-Spyware Software—Name of the anti-spyware software. • Vendor—Vendor name of the anti-spyware software. • Check Items—Indicates whether the engine version and spyware definition version of the anti-spyware software are checked. • ◦ Check anti-spyware engine version—When this parameter is selected, the engine version must be checked. Otherwise, engine version is not checked. ◦ Check spyware definition version—When this parameter is selected, the spyware definition version must be checked. Otherwise, the spyware definition version is not checked. Restriction—Check rules for the anti-spyware software policy. When this field is empty, no rules are set for the anti-spyware software. ◦ Lowest Version of Anti-Spyware Engine—Lowest version of the anti-spyware engine allowed by the anti-spyware software policy. An anti-spyware software policy supports the format XX.XX.XX, for example, 2009.6.18.169. ◦ Lowest Version of Anti-Spyware Definition—Lowest version of the anti-spyware definition allowed by the anti-spyware software policy. An anti-spyware software policy supports Anti-spyware software policy management 87 the format YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Check—Indicates whether the corresponding anti-spyware software is checked. • Priority—Order (descending) in which the iNode client checks the anti-spyware software. Viewing the anti-spyware software policy list To view the anti-spyware software policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. 4. To sort the Anti-Spyware Software Policy List, click the Anti-Spyware Software Policy Name or Service Group column label. Click Refresh to refresh the Anti-Spyware Software Policy List. Viewing the anti-spyware software policy details To view details of an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the name of the anti-spyware software policy for which you want to view the detailed information. The View Anti-Spyware Software Policy page appears. 4. To go back to the Anti-Spyware Software Policy List, click Back. Adding an anti-spyware software policy To add an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. 4. 5. 6. Click Add. Configure the basic information for the anti-spyware software policy. To check an anti-spyware software product in the anti-spyware software policy, select the box in the Check field for the anti-spyware software. Modify the anti-spyware software check: a. b. c. d. Click the Modify icon for the anti-spyware software you want to modify. To check the anti-spyware engine version, select the box next to Check anti-spyware engine version. Select Specified Version from the Version Check Mode list. Enter the anti-spyware engine version in the Lowest Version of Anti-Spyware Engine field, in the format XX.XX.XX, for example, 2009.6.18.169. You must use dotted format for an anti-spyware engine version. e. 88 To check the anti-spyware definition version, select the box next to Check spyware definition version. Configuring security check items for PCs f. Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—When the anti-spyware definition version of an access user is higher than the specified version, the anti-spyware definition version check is passed; if not, the anti-spyware definition version check fails. When the anti-spyware definition version check mode is Specified Version, either enter the date manually or click the Calendar icon next to the Lowest Version of Spyware Definition field to select a date. The valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Auto Adaptive—When the anti-spyware definition version of an access user has been updated within the adaptation period, the anti-spyware definition version check is passed; if not, the anti-spyware definition version check fails. When the anti-spyware definition version check mode is Auto Adaptive, manually enter the adaptation period in the Adaptation Period (in days) field. g. 7. Click OK. Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move the anti-spyware software up one position in the list, or click the Move Down icon to move the anti-spyware software down one position in the list. The iNode client checks the anti-spyware software of access users based on descending priority order (most important first). 8. Click OK. The anti-spyware software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying an anti-spyware policy To modify an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the Modify icon for the anti-spyware software policy you want to modify. The Modify Anti-Spyware Software Policy page appears. 4. 5. 6. Modify the basic information for the anti-spyware software policy. You cannot modify Policy Name or Service Group. To check an anti-spyware software product in the anti-spyware software policy, select the box in the Check field for the anti-spyware software. Modify the anti-spyware software check: a. b. c. d. Click the Modify icon for the anti-spyware software you want to modify. To check the anti-spyware engine version, select the box next to Check anti-spyware engine version. Select Specified Version from the Version Check Mode list. Enter the anti-spyware engine version in the Lowest Version of Anti-Spyware Engine field, in the format XX.XX.XX, for example, 2009.6.18.169. You must use dotted format for an anti-spyware engine version. Anti-spyware software policy management 89 e. f. To check the anti-spyware definition version, select the box next to Check spyware definition version. Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—When the anti-spyware definition version of an access user is higher than the specified version, the anti-spyware definition version check is passed; if not, the anti-spyware definition version check fails. When the anti-spyware definition version check mode is Specified Version, either enter the date manually or click the Calendar icon next to the Lowest Version of Spyware Definition field to select a date. The valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Auto Adaptive—When the anti-spyware definition version of an access user has been updated within the adaptation period, the anti-spyware definition version check is passed; if not, the anti-spyware definition version check fails. When the anti-spyware definition version check mode is Auto Adaptive, manually enter the adaptation period in the Adaptation Period (in days) field. g. 7. Click OK. Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move the anti-spyware software up one position in the list, or click the Move Down icon to move the anti-spyware software down one position in the list. The iNode client checks the anti-spyware software of access users based on descending priority order (most important first). 8. Click OK. Deleting an anti-spyware software policy Before deleting an anti-spyware software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the Delete icon for the anti-spyware policy you want to delete. A confirmation dialog box appears. 4. Click OK. Firewall software policy management The system defines firewall software control for several types of firewall software in the Windows, Linux, and Mac OS operating systems. You can enable firewall software control in a security policy, and specify a firewall software policy. The firewall software policy determines whether a firewall software product is installed and running. When an access user is authenticated, the iNode client checks the firewall software on the user terminal according to the configuration in the security policy. Firewall software policy management allows you to view, add, modify, and delete a firewall software policy. You can specify the firewall software to be checked as needed. 90 Configuring security check items for PCs Firewall software policy list contents The firewall software policy list contains the following parameters: • Firewall Software Policy Name—Name of the firewall software policy. Click the name to view its details. • Service Group—Service group to which the firewall software policy belongs. • Description—Description of the firewall software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the firewall software policy. to delete the firewall software policy. Firewall software policy details Firewall software policy details comprise the basic information section and the Windows Operating System, Linux Operating System, and Mac OS Operating System sections. Basic information section • Policy Name—Name of the firewall software policy. • Service Group—Service group to which the firewall software policy belongs. • Description—Description of the firewall software policy. Windows Operating System, Linux Operating System, and Mac OS Operating System sections These sections list the firewall software that can be checked by the iNode client on the corresponding operating system. • Firewall Software—Name of the firewall software. • Vendor—Vendor name of the firewall software. • Check—Indicates whether the corresponding firewall software is checked. • Priority—Order (descending) in which the iNode client checks the firewall software. Viewing the firewall software policy list To view the firewall software policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software Policies from the navigation tree. The Firewall Software Policy List displays all firewall software policies. 3. 4. To sort the Firewall Software Policy List, click the Firewall Software Policy Name or Service Group column label. Click Refresh to refresh the Firewall Software Policy List. Viewing firewall software policy details To view details of a firewall software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software Policies from the navigation tree. The Firewall Software Policy List displays all Firewall software policies. 3. Click the name of the firewall software policy for which you want to view the detailed information. The View Firewall Software Policy page appears. Firewall software policy management 91 4. To go back to the Firewall Software Policy List, click Back. Adding a firewall software policy To add a firewall software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software Policies from the navigation tree. The Firewall Software Policy List displays all firewall software policies. 3. Click Add. The Add Firewall Software Policy page appears. 4. 5. 6. Configure the basic information for the firewall software policy. To configure checking a firewall software product in the firewall software policy, select the box in the Check field for the firewall software. Click the Move Up icon in the Priority field of the Firewall Software Policy List to move the firewall software up one position in the list, or click the Move Down icon to move the firewall software down one position in the list. The iNode client checks the firewall software of access users based on descending priority order (most important first). 7. Click OK. The firewall software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a firewall software policy To modify a firewall software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software Policies from the navigation tree. The Firewall Software Policy List displays all firewall software policies. 3. Click the Modify icon for the firewall software policy you want to modify. The Modify Firewall Software Policy page appears. 4. 5. 6. Modify the basic information for the firewall software policy. You cannot modify Policy Name or Service Group. To configure checking a firewall software product in the firewall software policy, select the box in the Check field for the firewall software. Click the Move Up icon in the Priority field of the Firewall Software Policy List to move the firewall software up one position in the list, or click the Move Down icon to move the firewall software down one position in the list. The iNode client checks the firewall software of access users based on descending priority order (most important first). 7. Click OK. Deleting a firewall software policy Before deleting a firewall software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a firewall software policy: 1. Click the Service tab. 92 Configuring security check items for PCs 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Firewall Software Policies from the navigation tree. The Firewall Software Policy List displays all firewall software policies. 3. Click the Delete icon for the firewall software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Anti-phishing software policy management The system defines anti-phishing software control for several types of anti-phishing software in the Windows and Mac OS operating systems. You can enable anti-phishing software control in a security policy, and specify an anti-phishing software policy. The anti-phishing software policy determines whether an anti-phishing software type application control is installed and running. When an access user is authenticated, the iNode client checks the anti-phishing software on the user terminal according to the configuration in the security policy. Anti-phishing software policy management allows you to view, add, modify, and delete an anti-phishing software policy. You can specify the anti-phishing software to be checked as needed. Anti-phishing software policy list contents • Anti-Phishing Software Policy Name—Name of the anti-phishing software policy. Click the name to view its details. • Service Group—Service group to which the anti-phishing software policy belongs. • Description—Description of the anti-phishing software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the anti-phishing software policy. to delete the anti-phishing software policy. Anti-phishing software policy details Anti-phishing software policy details comprise the basic information section, Windows Operating System section, and Mac OS Operating System section. Basic information section • Policy Name—Name of the anti-phishing software policy. • Service Group—Service group to which the anti-phishing software policy belongs. • Description—Description of the anti-phishing software policy. Windows Operating System and Mac OS Operating System sections These sections list the anti-phishing software that can be checked by the iNode client on the corresponding operating system. • Anti-Phishing Software—Name of the anti-phishing software. • Vendor—Vendor name of the anti-phishing software. • Check—Indicates whether the corresponding anti-phishing software is checked. • Priority—Order (descending) in which the iNode client checks the anti-phishing software. Viewing the anti-phishing software policy list To view the anti-phishing software policy list: 1. Click the Service tab. Anti-phishing software policy management 93 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing Software Policies from the navigation tree. The Anti-Phishing Software Policy List displays all anti-phishing software policies. 3. 4. To sort the Anti-Phishing Software Policy List, click the Anti-Phishing Software Policy Name or Service Group column label. Click Refresh to refresh the Anti-Phishing Software Policy List. Viewing anti-phishing software policy details To view details of an anti-phishing software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing Software Policies from the navigation tree. The Anti-Phishing Software Policy List displays all anti-phishing software policies. 3. Click the name of the anti-phishing software policy for which you want to view the detailed information. The View Anti-Phishing Software Policy page appears. 4. To go back to the Anti-Phishing Software Policy List, click Back. Adding an anti-phishing software policy To add an anti-phishing software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing Software Policies from the navigation tree. The Anti-Phishing Software Policy List displays all anti-phishing software policies. 3. Click Add. The Add Anti-Phishing Software Policy page appears. 4. 5. 6. Configure the basic information for the anti-phishing software policy. To check an anti-phishing software product in the anti-virus software policy, select the box in the Check field for the anti-virus software. Click the Move Up icon in the Priority field of the Anti-Phishing Software Policy List to move the anti-phishing software up one position in the list, or click the Move Down icon to move the anti-phishing software down one position in the list. The iNode client checks the anti-phishing software of access users based on descending priority order (most important first). 7. Click OK. The anti-phishing software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying an anti-phishing software policy To modify an anti-phishing software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing Software Policies from the navigation tree. The Anti-Phishing Software Policy List displays all anti-phishing software policies. 94 Configuring security check items for PCs 3. Click the Modify icon for the anti-phishing software policy you want to modify. The Modify Anti-Phishing Software Policy page appears. 4. 5. 6. Modify the basic information for the anti-phishing software policy. You cannot modify Policy Name or Service Group. To check an anti-phishing software product in the anti-phishing software policy, select the box in the Check field for the anti-phishing software. Click the Move Up icon in the Priority field of the Anti-Phishing Software Policy List to move the anti-phishing software up one position in the list, or click the Move Down icon to move the anti-phishing software down one position in the list. The iNode client checks the anti-phishing software of access users based on descending priority order (most important first). 7. Click OK. Deleting an anti-phishing software policy Before deleting an anti-phishing software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete an anti-phishing software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Phishing Software Policies from the navigation tree. The Anti-Phishing Software Policy List displays all anti-phishing software policies. 3. Click the Delete icon for the anti-phishing software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Hard disk encryption software policy management The system defines hard disk encryption software control for several types of hard disk encryption software in the Windows operating system. You can enable hard disk encryption software control for a security policy, and specify a hard disk encryption software policy. The hard disk encryption software policy determines whether the hard disk encryption software is installed on a user terminal. When an access user is authenticated, the iNode client checks the hard disk encryption software on the user terminal according to the configuration in the security policy. Hard disk encryption software policy management allows you to view, add, modify, and delete a hard disk encryption software policy. You can specify the hard disk encryption policies to be checked as needed. Hard disk encryption software policy list contents • Hard Disk Encryption Software Policy Name—Name of the hard disk encryption software policy. Click the name to view its details. • Service Group—Service group to which the hard disk encryption software policy belongs. • Description—Description of the associated hard disk encryption software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the hard disk encryption software policy. to delete the hard disk encryption software policy. Hard disk encryption software policy management 95 Hard disk encryption software policy details Hard disk encryption software policy details comprise the basic information section and the Windows Operating System section. Basic information section • Policy Name—Name of the hard disk encryption software policy. • Service Group—Service group to which the hard disk encryption software policy belongs. • Description—Description of the hard disk encryption software policy. Windows Operating System section This section lists the hard disk encryption software that can be checked by the iNode client on the Windows operating system. • Hard Disk Encryption Software—Name of the hard disk encryption software. • Vendor—Vendor name of the hard disk encryption software. • Check—Indicates whether the corresponding hard disk encryption software is checked. • Priority—Order (descending) in which the iNode client checks the hard disk encryption software. Viewing the hard disk encryption software policy list To view the hard disk encryption software policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption Software Policies from the navigation tree. The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies. 3. 4. To sort the Hard Disk Encryption Software Policy List, click the Hard Disk Encryption Software Policy Name or Service Group column label. Click Refresh to refresh the Hard Disk Encryption Software Policy List. Viewing hard disk encryption software policy details To view details of a hard disk encryption software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption Software Policies from the navigation tree. The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies. 3. Click the name of the hard disk encryption software policy for which you want to view the detailed information. The View Hard Disk Encryption Software Policy page appears. 4. To go back to the Hard Disk Encryption Software Policy List, click Back. Adding a hard disk encryption software policy To add a hard disk encryption software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption Software Policies from the navigation tree. The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies. 96 Configuring security check items for PCs 3. Click Add. The Add Hard Disk Encryption Software Policy page appears. 4. 5. 6. Configure the basic information for the hard disk encryption software policy. To configure checking a hard disk encryption software product in the firewall software policy, select the box in the Check field for the hard disk encryption software. To adjust the position of the hard disk encryption software in the list, click the Move Up icon or the Move Down icon in the Priority field. The iNode client checks the hard disk encryption software of access users based on descending priority order (most important first). 7. Click OK. The hard disk encryption software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a hard disk encryption software policy To modify a hard disk encryption software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption Software Policies from the navigation tree. The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies. 3. Click the Modify icon for the hard disk encryption software policy you want to modify. The Modify Hard Disk Encryption Software Policy page appears. 4. 5. 6. Modify the basic information for the hard disk encryption software policy. You cannot modify Policy Name or Service Group. To configure checking a hard disk encryption software product in the hard disk encryption software policy, click the box in the Check field for the hard disk encryption software. To adjust the position of the hard disk encryption software in the list, click the Move Up icon or the Move Down icon in the Priority field. The iNode client checks the hard disk encryption software of access users based on descending priority order (most important first). 7. Click OK. Deleting a hard disk encryption software policy Before deleting a hard disk encryption software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a hard disk encryption software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Hard Disk Encryption Software Policies from the navigation tree. The Hard Disk Encryption Software Policy List displays all hard disk encryption software policies. 3. Click the Delete icon for the hard disk encryption software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Hard disk encryption software policy management 97 PC software control groups management You can enable PC software control in a security policy and specify PC software control groups to be checked. When an access user is authenticated, the iNode client checks software, processes, services, and files on the PC according to the configuration in the security policy. PC software control management allows you to view, add, modify, and delete a PC software control group. Table 11 describes the check type for each type of PC software control group. Table 11 PC software control groups and check types PC software control group type Check types • Installed Forbidden—Blocks any software products in the control group from being installed on the user terminal. Software • Installed Required—Requires all software products in the control group be installed on the user terminal. • Installed Allowed—Allows only the software products in the control group to be installed on the user terminal. Only one control group can be set as Installed Allowed. Process Service • Running Forbidden—Blocks any processes in the control group from running on the user terminal. • Running Required—Requires all processes in the control group be running on the user terminal. • Started Forbidden—Blocks any services in the control group from being started on the user terminal. • Started Required—Requires all services in the control group be started on the user terminal. • Non-Existent—Blocks any files in the control group from being stored on the user terminal. File • Existent—Requires all files in the control group exist on the user terminal. A software type PC software control group can check only the software installed on the Windows operating system. PC software control group list contents 98 • Group Name—Name of the PC software control group. Click the name to view its details. • Type—Type of the PC software control group: Software, Process, Service, or File. • Description—Description of the PC software control group. • Default Action for Check Failure—Default action of the PC software control group check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick Out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. Configuring security check items for PCs A new PC software control group uses the default action you configured for PC software control group check failure. When you select Global Security Mode in Security Level configuration, the default action of the PC software control group check failure is invalid. • Local Data—Indicates whether the PC software control group is created by the EAD server. When the value is No, the PC software control group is deployed by an upper-level node. For more information, see “Hierarchical node management” (page 22). • Service Group—Service group to which the PC software control group belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon • Common Software Definition—Click the Common Software Definition link to go to the Common Software Definition page. to modify the PC software control group. to delete the PC software control group. Viewing the PC software control group list To view the PC software control group list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. Querying PC software control groups To query PC software control groups: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 3. Enter your query criteria in the Query PC Software Control Group section: 4. 5. • Group Name—Enter the name of the PC software control group. • Software/Process/Service/File Name—Enter the software name, process name, service name, or file name of the PC software control group. Click Query. To reset both the query values and the search results, and to restore the full PC Software Control Group List, click Reset and re-enter your query criteria. Managing common software The PC software control group function allows you to manage common software. You can query, add, or delete a common software product in the common software list. When you add or modify a common software product, you can add software information in batches to the common software list. DAM automatically collects information about the software installed on the registered assets. Common software list The common software list contains the following parameters: • Software Name—Name of the software. • Alias—Alias of the software. When an access user fails the access control check, the iNode client uses the alias of the software as the name of the software on the Security Check Result page. • Version Number—Version of the software. • Description—Description of the software. PC software control groups management 99 Viewing the common software list To view the common software list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 3. Click the Common Software Definition link at the upper right of the PC Software Control Group List section. The Common Software List is displayed in the main pane of the Common Software Definition page. 4. 5. To sort the Common Software List, click the Software Name, Alias, or Version Number column label. To go back to the Common Software List, click Back. Querying the common software To query the common software: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 3. Click the Common Software Definition link at the upper right of the PC Software Control Group List section. 4. Enter your search criteria in the Query Condition section. 5. Click Query. 6. To reset both the query values and the search results, and to restore the full Common Software List, click Reset and re-enter your query criteria. Adding a common software product To add a common software product: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 3. Click the Common Software Definition link at the upper right of the PC Software Control Group List section. The Common Software List is displayed in the main pane of the Common Software Definition page. 4. Click Add. The Add Common Software Definition page appears. 5. 6. Configure the common software information. Click OK. The software appears in the Common Software List. 7. To go back to the Common Software List, click Back. Importing common software in batches The PC software control group function allows you to import common software in batches. DAM allows you to import the software information of assets to the common software list. To import common software in batches: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 100 Configuring security check items for PCs 3. 4. Click the Common Software Definition link at the upper right of the PC Software Control Group List section. Click Import from Asset. The Import Common Software page appears. 5. 6. 7. 8. Enter your query criteria in the Query Condition section: • Software Name—Enter the software asset name. • Software Version—Enter the software asset version. • Asset Number—Enter the software asset number. Click Query. Select the box next to Software Name in the Common Software List for the software asset you want to import. Click OK. The software appears in the Common Software List. 9. To go back to the Common Software List, click Back. Deleting a common software product To delete a common software product: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group ManagementPC Software Control Group from the navigation tree. 3. Click the Common Software Definition link at the upper right of the PC Software Control Group List section. The Common Software List is displayed in the main pane of the Common Software Definition page. 4. Select the box next to Software Name in the Common Software List for the common software you want to delete. A confirmation dialog box appears. 5. Click OK. Downloading and using the MD5 tool The PC software control group function provides the MD5 tool, which you can use to calculate the MD5 digest of an .exe file, and check the PC software control group configuration. Only Windows operating systems support MD5 check. Each process in a Windows operating system associates with an .exe file. You can identify the .exe files on a user terminal by MD5 check. To download and use the MD5 tool: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. 3. Click the MD5 Tool link at the upper right of the PC Software Control Group List section. 4. Download the MD5 tool file: a. Decompress the file FileMD5Digest.zip. b. Double-click FileMD5Digest.exe to run the MD5 tool. c. Click Select Executable File and select an .exe file. d. Click Calculate MD5 Digest. e. Click Copy to copy the MD5 digest to the clipboard. f. Click Close. PC software control groups management 101 Managing software-type PC software control groups A software-type PC software control group can check software installation. You can configure the following check types in the security policy configuration: • Installation Required • Installation Prohibited • Installation Allowed Software-type PC software control group details Software-type PC software control group details comprise the basic information and software list information. Basic information contents • Group Name—Name of the PC software control group. • Type—Type of the PC software control group, Software. • Description—Description of the PC software control group. • Default Action for Check Failure—Default action of the PC software control group check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new PC software control group uses the default action you configured for PC software control group check failure. You can modify the action for PC software control group check failure in the security policy. When you select Global Security Mode in Security Level configuration, the default action of the PC software control group failure is invalid. • Service Group—Service group to which the PC software control group belongs. Software list information • Software Name—Name of the software. The software name must be the same as that in Windows>Control Panel>Add or Delete Programs. • Alias—Alias of the software. When an access user fails the access control check, the iNode client uses the alias of the software as the name of the software on the Security Check Result page. • Version Number—Version number of the software. The software version must be the same as that in Windows>Control Panel>Add or Delete Programs. • Description—Description of the software. Viewing a software-type PC software control group To view a software-type PC software control group: 1. Click the Service tab. 102 Configuring security check items for PCs 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the group name of the PC software control group you want to view. The View PC Software Control Group page appears. 4. To go back to the PC Software Control Group List, click Back. Adding a software-type PC software control group To add a software-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click Add. The Add PC Software Control Group page appears. 4. 5. Configure the basic information for the PC software control group. Add a software product to the Software List: a. Click Add. The Add Software dialog box appears. b. c. Enter the Software Name, Alias, Version Number, and Description. Click OK. The added software appears in the Software List. 6. Add software to the Software List in batches: a. Click Batch Add. The Batch Add Software dialog box appears. b. Enter your query criteria: • Software Name—Enter the software name. • Version Number—Enter the software version number. • Description—Enter the software description. To reset both the query values and the search results, and to restore the full Common Software List, click Reset and re-enter your query criteria. c. Click Query. The query results appear in the Common Software List. d. e. Select the box next to Software Name in the Common Software List for the software you want to add. Click OK. The added software is displayed in the Software List. 7. Click OK. The software-type PC software control group you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a software-type PC software control group To modify a software-type PC software control group: PC software control groups management 103 1. 2. Click the Service tab. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Modify icon for the software-type PC software control group you want to modify. The Modify PC Software Control Group page appears. 4. 5. Modify the basic information for the software-type PC software control group. You cannot modify Group Name, Type, or Service Group. Add a software product to the Software List: a. Click Add. The Add Software dialog box appears. b. c. d. e. f. Software Name—Enter the name of the software. The software name must be the same as that in Control Panel>Programs and Features in the Windows operating system. Alias—Enter the software alias. When an access user fails the access control check, the iNode client uses the alias of the software as the name of the software on the Security Check Result page. Version Number—Enter the version of the software. The software version must be the same as that in Control Panel>Programs and Features in the Windows operating system. Description—Enter a description of the software. Click OK. The added software is displayed in the Software List. 6. Add software to the Software List in batches: a. Click Batch Add. The Batch Add Software dialog box appears. b. Enter your query criteria. To reset both the query values and the search results, and to restore the full Common Software List, click Reset and re-enter your query criteria. c. Click Query. The query results appear in the Common Software List. d. e. Select the box next to Software Name in the Common Software List for the software you want to add. Click OK. The added software is displayed in the Software List. 7. Modify the software in the Software List: a. Click the Modify icon for the software you want to modify. The Modify Software dialog box appears. b. • Policy Name—Modify the software name. • Alias—Modify the software alias. When an access user fails the access control check, the iNode client uses the alias of the software as the name of the software on the Security Check Result page. • Version Number—Modify the version of the software. • Description—Enter a new description for the software. Click OK. The modified software appears in the Software List. 104 Configuring security check items for PCs 8. Delete the software in the Software List: a. Click the Delete icon for the software you want to delete. b. Click OK in the dialog box that appears. 9. Click OK. Deleting a software-type PC software control group Before deleting a software-type PC software control group that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a software-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Delete icon for the software-type PC software control group you want to delete. A confirmation dialog box appears. 4. Click OK. Managing process-type PC software control groups A process-type PC software control group can check the running status of a process. A process is generated after a program starts running. You can determine which software is running on a user terminal by checking the processes. You can configure the following check types in the security policy configuration: Running Required and Running Forbidden. Process-type PC software control group details The process-type PC software control group details comprise the basic information and process list information. Basic information contents • Group Name—Name of the PC software control group. • Type—Type of the PC software control group, Process. • Description—Description of the PC software control group. • Default Action for Check Failure—Default action for the PC software control group check failure: ◦ Monitor—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new PC software control group uses the default action you configured for PC software control group check failure. When you select Global Security Mode in Security Level PC software control groups management 105 configuration, the default action of the PC software control group failure is invalid. You can specify whether Global Security Mode is used and the default action of the PC software control group failure for each PC software control group. • Service Group—Service group to which the PC software control group belongs. Process list information • Process Name—Name of the process. ◦ For the Windows operating system, the process name must be the same as that in Windows Task Manager > Processes. ◦ For the Linux operating system, the process name must be the same as that after the ps -ef command is executed. ◦ For the Mac OS operating system, the process name must be the same as that after the ps -awwx -o command is executed. • Alias—Alias of the process. When an access user fails the access control check, the iNode client uses the alias of the process as the name of the process on the Security Check Result page. • Operating System—Operating system of a process: Windows, Linux, or Mac OS. • Check Type—Process check method: Simple, Complex, and MD5. You can configure all of them on a Windows operating system; you can configure only Simple on a Linux or Mac OS operating system. ◦ Simple—Used where the process name is the same as the source file name of a program. ◦ Complex—Used where the process name is different from the source file name of a program. A process is generated for each program; typically, the process name is the same as the source file name of the program. In some cases (for example, the program name is changed manually), the process name is different from the source file name. ◦ MD5—Used where a process name has no corresponding source file name, or one process name corresponds to multiple programs. The iNode client determines whether the software corresponding to the MD5 digest is running on the user terminal according to the process name and MD5 digest sent by the EAD server. NOTE: MD5 check rules are as follows: – Running Required process—Check the name of the process in the Windows task manager, and check the MD5 digest of the process in the PC software control group. If both are matched, the security check is passed; if they are not matched, the security check fails. – Running Forbidden process—Check the name of the process in the Windows task manager, and check the MD5 digest of the process in the PC software control group. If either is matched, the security check failed; if neither is matched, the security check is passed. • MD5 Digest—MD5 digest for the process. This column is not empty only when the check mode for a process is MD5. • Description—Description of the process. Viewing a process-type PC software control group To view a process-type PC software control group: 1. Click the Service tab. 106 Configuring security check items for PCs 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the group name of the PC software control group you want to view. The PC Software Control Group page appears. 4. To go back to the PC Software Control Group List, click Back. Adding a process-type PC software control group To add a process-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click Add. The Add PC Software Control Group page appears. 4. 5. Configure the basic information for the PC software control group. Add a process to the Process List: a. Click Add. The Add Process dialog box appears. b. c. d. e. Enter the process name in the Process Name field. Enter the software alias in the Alias field. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select a check type from the Check Type list: Simple, Complex, or MD5. When you select the Windows operating system and the MD5 check type, enter the MD5 digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the MD5 digest of a process. f. g. Enter a description of the process in the Description field. Click OK. The process appears in the Software List. 6. Click OK. The process-type PC software control group you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a process-type PC software control group To modify a process-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Modify icon for the process-type PC software control groups you want to modify. The Modify Software Control Group page appears. 4. 5. Modify the basic information for the process-type PC software control group. You cannot modify Group Name, Type, or Service Group. Add a process to the Process List: PC software control groups management 107 a. Click Add. The Add Process dialog box appears. b. c. d. e. Enter the process name in the Process Name field. Enter the software alias in the Alias field. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select a check type from the Check Type list: Simple, Complex, or MD5. When you select the Windows operating system and the MD5 check type, enter the MD5 digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the MD5 digest of a process. f. g. Enter a description of the process in the Description field. Click OK. The modified process appears in the Process List. 6. Modify the process in the Process List. a. Click the Modify icon for the process you want to modify. The Modify Process dialog box appears. b. c. d. e. Modify the process name in the Process Name field. Enter the process alias in the Alias field. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select a check type from the Check Type list: Simple, Complex, or MD5. When you select the Windows operating system and the MD5 check type, enter the MD5 digest of the process in the MD5 Digest field. You can use the MD5 tool to calculate the MD5 digest of a process. f. g. Modify the description of the process in the Description field. Click OK. The modified process appears in the Process List. 7. Delete the process in the Process List: a. Click the Delete icon for the process you want to delete. b. Click OK. 8. Click OK. Deleting a process-type PC software control group Before deleting a process-type PC software control group that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a process-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Delete icon for the process-type PC software control groups you want to delete. A confirmation dialog box appears. 4. Click OK. 108 Configuring security check items for PCs Managing service-type PC software control groups A service-type PC software control group can check the startup status of services. You can configure the following check types in the security policy configuration: Started Required and Started Forbidden. Service-type PC software control group details Service-type PC software control group details comprise the basic information and service list information. Basic information contents • Group Name—Name of the PC software control group. • Type—Type of the PC software control group, Service. • Description—Description of the PC software control group. • Default Action for Check Failure—Default action for the PC software control group check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new PC software control group uses the default action you configured for PC software control group check failure. When you select Global Security Mode in Security Level configuration, the default action of the PC software control group failure is invalid. • Service Group—Service group to which the PC software control group belongs. Service list information • Service Name—Name of the service. ◦ For the Windows operating system, the service name must be the same as that in Control Panel > All Control Panel Items > Administrative Tools > Services > Properties. ◦ For the Linux operating system, the service name must be the same as that after the service --status-all command is executed. ◦ For the Mac OS operating system, the service name must be the same as that after the service --list command is executed. • Alias—Alias of the service. When an access user fails the access control check, the iNode client uses the alias of the service as the name of the service on the Security Check Result page. • Operating System—Operating system type of a process: Windows, Linux, or Mac OS. PC software control groups management 109 • Process Name—Processes on the Linux and Mac OS operating systems. Each service has a corresponding process. The PC software control group checks the services running on the Linux and Mac OS operating systems by process. • Description—Description of the service. Viewing a service-type PC software control group To view a service-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the group name of the PC software control group you want to view. The View PC Software Control Group page appears. 4. To go back to the PC Software Control Group List, click Back. Adding a service-type PC software control group To add a service-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click Add. The Add PC Software Control Group page appears. 4. 5. Configure the basic information for the PC software control groups. Add a service to the Service List: a. Click Add. The Add Service dialog box appears. b. c. Enter the service information. Click OK. The service appears in the Service List. 6. Click OK. The service you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a service-type PC software control group To modify a service-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Modify icon for the service-type PC software control group you want to modify. The Modify PC Software Control Group page appears. 4. 110 Modify the basic information for the service-type PC software control group. You cannot modify Group Name, Type, or Service Group. Configuring security check items for PCs 5. Add a service to the Service List: a. Click Add. The Add Service dialog box appears. b. c. Enter the service information. Click OK. The service appears in the Service List. 6. Modify the service in the Service List: a. Click the Modify icon for the service you want to modify. The Modify Service dialog box appears. b. c. Modify the information. Click OK. The modified service appears in the Service List. 7. Delete the service in the Service List: a. Click the Delete icon for the service you want to delete. b. Click OK. 8. Click OK. Deleting a service-type PC software control group Before deleting a service-type PC software control group that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a service-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Delete icon for the service-type PC software control group you want to delete. A confirmation dialog box appears. 4. Click OK. Managing file-type PC software control groups A file-type PC software control group can determine whether a file exists. You can configure the following check types in the security policy configuration: Existent or Non-Existent. File-type PC software control group details File-type PC software control group details comprise the basic information and file list information. Basic information contents • Group Name—Name of the PC software control group. • Type—Type of the PC software control group, File. • Description—Description of the PC software control group. PC software control groups management 111 • Default Action for Check Failure—Default action for the PC software control group check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new PC software control group uses the default action you configured for PC software control group check failure. When you select Global Security Mode in Security Level configuration, the default action of the PC software control group failure is invalid. • Service Group—Service group to which the PC software control group belongs. File list information • File Path and Name—Path and name of the file. • Alias—Alias of the file. When an access user fails the access control check, the iNode client uses the alias of the file as the path and name of the file on the Security Check Result page. • Operating System—Operating system type of a file: Windows, Linux, or Mac OS. • Check Type—Match mode for the file content check: • • ◦ None—No keyword check is performed for the file content. ◦ Keyword Include—File is matched when the file content contains the specified keyword. ◦ Keyword Exclude—File is matched when the file content does not contain the specified keyword. Keyword Type—Keyword type for the file content check: String or Binary. This field does not appear when None is selected for Check Type. ◦ String—Used for a text file content check. ◦ Binary—Used for a file content check of other types of files. Description—Description of the file. Viewing a file-type PC software control group To view a file-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the group name of the PC software control group you want to view. The View PC Software Control Group page appears. 4. 112 To go back to the PC Software Control Group List, click Back. Configuring security check items for PCs Adding a file-type PC software control group To add a file-type PC software control group: 1. Click the Service tab 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click Add. The Add PC Software Control Group page appears. 4. 5. Configure the basic information for the PC software control group. Add a file to the File List: a. Click Add. The Add File dialog box appears. b. c. Enter the file path and name in the File Path and Name field. Enter the file alias in the Alias field. When an access user fails the access control check, the iNode client uses the alias of the file as the path and name of the file on the Security Check Result page. d. e. f. g. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select the radio button next to the keyword match mode for the file content check: None, Keyword Include, or Keyword Exclude. When the keyword match method is Keyword Include or Keyword Exclude, select the radio button next to the keyword type: • String—Used for a text file content check. • Binary—Used for a file content check of other types of files. Enter the keyword in the Keyword field. For a text file, the keyword is in the text file. For other types of files, you can use the file editor to view the file; the keyword is hexadecimal digits. h. i. Enter a description of the file in the Description field. Click OK. The file appears in the File List. 6. Click OK. The file-type PC software control group you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy management” (page 33). Modifying a file-type PC software control group To modify a file-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Modify icon for the file-type PC software control group you want to modify. The Modify PC Software Control Group page appears. 4. 5. Modify the basic information for the file-type PC software control group. You cannot modify Group Name, Type, or Service Group. Add a file to the File List: PC software control groups management 113 a. Click Add. The Add File dialog box appears. b. c. Enter the file path and name in the File Path and Name field. Enter the file alias in the Alias field. When an access user fails the access control check, the iNode client uses the alias of the file as the path and name of the file on the Security Check Result page. d. e. f. g. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select the radio button next to the keyword match mode for the file content check: None, Keyword Include, or Keyword Exclude. When the keyword match method is Keyword Include or Keyword Exclude, select the radio button next to the keyword type: • String—Used for a text file content check. • Binary—Used for a file content check of other types of files. Enter the keyword in the Keyword field. For a text file, the keyword is in the text file. For other types of files, you can use the file editor to view the file; the keyword is hexadecimal digits. h. i. Enter a description of the file in the Description field. Click OK. The file appears in the File List. 6. Modify the file in the File List: a. Click the Modify icon for the file you want to modify. The Modify File dialog box appears. b. c. Modify the file path and name in the File Path and Name field. Modify the file alias in the Alias field. When an access user fails the access control check, the iNode client uses the alias of the file as the path and name of the file on the Security Check Result page. d. e. f. g. Select an operating system from the Operating System list: Windows, Linux, or Mac OS. Select the radio button next to the keyword match mode for the file content check: None, Keyword Include, or Keyword Exclude. When the keyword match method is Keyword Include or Keyword Exclude, select the radio button next to the keyword type: • String—Used for a text file content check. • Binary—Used for a file content check of other types of files. Enter the keyword in the Keyword field. For a text file, the keyword is in the text file. For other types of files, you can use the file editor to view the file; the keyword is hexadecimal digits. h. i. Modify the description of the file in the Description field. Click OK. The file appears in the File List. 114 7. Delete the file in the File List: a. Click the Delete icon for the file you want to delete. b. Click OK. 8. Click OK. Configuring security check items for PCs Deleting a file-type PC software control group Before deleting a file-type PC software control group that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a file-type PC software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > PC Software Control Group from the navigation tree. The PC Software Control Group List displays all PC software control groups. 3. Click the Delete icon for the file-type PC software control group you want to delete. A confirmation dialog box appears. 4. Click OK. Patch management software management Access users that use the Linux or Mac OS operating system must use the patch management software to update patches on the operating system. You can enable patch management software control in a security policy. When an access user is authenticated, the iNode client checks the patch management software on the user terminal according to the configuration in the security policy. You can configure the patch management software as needed. You can specify the patch management software to be checked, and then enable patch management software check in the security policy. Patch management software list contents The Linux Operating System and Mac OS Operating System sections list the patch management software supported by the corresponding operating system. The patch management software list contains the following parameters: • Patch Management Software—Name of the patch management software. • Check—Indicates whether the corresponding patch management software is checked. • Priority—Provides the Move Up icon down in a list. and Move Down icon for moving items up and Configuring patch management software management To configure patch management software management: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Patch Management Software from the navigation tree. The Patch Management Software List page appears. 3. To check the patch management software, select Check for the associated patch management software. To cancel checking the patch management software, clear Check. Windows patch control Windows patch check through the Windows server is an automatic check, download, and installation process. You only need to enable Windows patch control check in the security policy. This section describes the Windows patch check configuration on the EAD server, such as querying, adding, modifying, and deleting Windows patches, and managing Windows versions. Patch management software management 115 Users must download and install the patches. For access users using Windows for authentication, you can enable Windows patch control in a security policy. Access users can ensure timely update of Windows patches by using the Microsoft server check function or by checking patches manually. • Microsoft server check function—The iNode client collaborates with WSUS or SMS to check the missing patches and the patch level, and installs the patches automatically. • Manual check—The iNode client cooperates with the EAD server to check the missing patches. You can configure the Windows patches to be checked and the patch level. For more information, see “Adding a security policy” (page 43). Windows patch list contents • Patch Name—Name of the Windows patch. • Message—Message for the associated Windows patch. When the iNode client detects that the user terminal lacks the patch, it displays this message. • Applicable Windows Version—Windows version for the associated Windows patch. • Patch Level—Patch level for the associated Windows patch: Critical, Important, Moderate, or Low. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the Windows patch. to delete the Windows patch. Windows patch information details Windows patch information comprises the following basic information: • Patch Name—Enter the patch name (for example, KB2508429, KB2509553). • Message—Enter the prompt. When the iNode client detects that the user terminal lacks the patch, it displays this message. • Patch Level—Select a patch level: Critical, Important, Moderate, or Low. Applicable Windows version list The applicable Windows version list shows the following information for the Windows versions to which the patch applies: • Operating System—Operating system type: Windows. • Version—Windows version. • Language—Language of the Windows operating system. • Patch List—Patch list for the associated Windows version. The patches are separated by commas. Viewing the Windows patch list To view the Windows patch list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. 3. To reset the query values and search results, and to restore the full Patch List, click Reset. Querying the Windows patches To query the Windows patches: 1. Click the Service tab. 116 Configuring security check items for PCs 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Windows Patch Control page appears. 3. 4. 5. Enter one or more of the following query criteria: • Patch Name—Enter the patch name. • Version—Enter the operating system version. • Language—Enter the language: ALL, Native Language, or English. Click Query. To reset the query values and the search results, and to restore the full Patch List, click Reset. Adding a Windows patch To add a Windows patch: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. 3. Click Add. The Add Windows Patch Control page appears. 4. 5. 6. Configure the basic information. • Patch Name—Enter the patch name (for example, KB2508429, KB2509553). • Message—Enter the prompt. When the iNode client detects that the user terminal lacks the patch, it displays this message. • Patch Level—Select a patch level: Critical, Important, Moderate, or Low. Select an operating system version in the Applicable Windows Version section. Click OK. Modifying a Windows patch To modify a Windows patch: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Windows Patch Control page appears. 3. 4. 5. for the patch you want to modify. Click the Modify icon Modify the basic information for the patch. You cannot modify Patch Control Name or Service Group. Select an operating system version in the Applicable Windows Version section. To remove the Windows version, clear Operating System. 6. Click OK. Deleting a Windows patch To delete a Windows patch: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Windows Patch Control page appears. Windows patch control 117 3. Click the Delete icon in the Patch List for the target patch. A confirmation dialog box appears. 4. Click OK. Managing Windows versions You can configure the applicable Windows versions when you add or modify Windows patches. Windows version list contents • Operating System—Operating system type. • Version—Operating system version. • Language—Language for the associated Windows version. • Patch List—Patch list for the associated Windows version. • Delete—Icon for deleting the Windows version. Viewing a Windows version To view a Windows version: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Windows Patch Control page appears. 3. Click the Windows Version link located at the upper right of the Patch List. The Windows Version List displays all Windows versions. 4. Click Refresh to refresh the Windows Version List. Adding a Windows version To add a Windows version: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Patch List displays all Windows patches. 3. Click the Windows Version link located at the upper right of the Patch List. The Windows Version List displays all Windows versions. 4. 5. Click Add. The Add Windows Version page appears. You cannot modify the operating system version except by removing the old configured version and entering the correct version. 6. 118 Configure the basic information for the Windows version: • Version—Enter the Windows version. The spelling must exactly match that provided by Microsoft, such as XP or Windows 7 Professional Service Pack 1. • Language—Select one of the following options: ◦ All—All languages, including English and non-English versions. ◦ Native Language—All non-English versions. ◦ English—English versions. Configuring security check items for PCs NOTE: To change the Windows version, you must first remove the old configured version, and then enter the correct version. You cannot modify the old configured version without removing it. 7. Click OK. Deleting a Windows version Only Windows version items without patch configurations can be deleted. To delete the items with patches, delete the patches first. 1. Click the Service tab. 2. Select Endpoint Admission Defense > Patch Control > Windows Patches from the navigation tree. The Patch List displays all Windows patches. 3. Click the Windows Version link located at the upper right of the Patch List. The Windows Version List displays all Windows versions. 4. 5. Click the Delete icon Click OK. for the target Windows version. Registry control policy management You can enable registry control in a security policy, and specify the registry controls to be checked. To check the security of an access user, the iNode client checks the user terminal according to the registry control policy configured in the security policy. You can specify the registries and their respective key names or values in the registry control policy. Registry control management allows you to query, view, add, modify, and delete a registry control policy. You can configure a registry control policy as needed. Registry control list contents • Registry Control Name—Name of the registry control. Click the name to view its details. • Description—Description for the associated registry control. • Registry Entry Location—Registry entry location for the associated registry control. • Default Action for Check Failure—A new registry control policy uses the default action you configured for registry control check failure. ◦ Monitor (default)—User is not informed about security problems after going online, and the user can access the network. Security check results are recorded in the security logs. ◦ Inform—User is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—User is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick Out—User is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. Registry control policy management 119 When you select Global Security Mode in Security Level configuration, the default action of the registry control check failure is invalid. You can set whether Global Security Mode is used and the default action of the registry control check failure for each registry control policy. • Service Group—Service group to which the registry control belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the registry control. to delete the registry control. Registry control list details Registry control list details comprise a basic information section and a registry entry section. Basic information section • Registry Control Name—Name of the registry control. • Registry Entry Location—Registry entry location for the registry control. • Description—Description for the associated registry control. • Failure Notification (Check Failure Message)—Message for the registry control check failure. • Default Action for Check Failure—Default action for the registry control check failure: ◦ Monitor (default)—User can access the network, and is not informed of security problems after going online. Security check results are recorded in the security logs. ◦ Inform—User is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—User is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—User is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new registry control uses the default action you configured for registry control check failure. When you select Global Security Mode in Security Level configuration, the default action of the registry control failure is invalid. You can set whether Global Security Mode is used and the default action of the registry control failure for each registry control. • Service Group—Service group to which the registry control belongs. Registry entry section • Key Name—The name of the registry key. When the registry key name is (Default), you must select Default Key. The key type of a default key must be REG_SZ. • Alias—When an access user fails the registry control check, the iNode client uses the alias of the registry key as the name of the registry key on the Security Check Result page. • Check Type—Select a match mode: Value Matched, Value Not Matched, Key Existent, or Key Not Existent. • Compatible Operating Systems—Select an operating system: Win2000, WinXP, Win2003, WinVista, or Win7. Only the selected operating system checks the registry key. • Key Value Type—Select a key value type: REG_SZ or REG_DWORD. 120 Configuring security check items for PCs • Key Value—Enter the key value of the registry key. • Failure Notification—Enter the failure notification for the registry control. When the registry entry check for an access user fails, this failure notification is displayed on the Security Check Result page. Viewing the registry control list To view the registry control list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. To sort the Registry Control List, click the Registry Control Name, Registry Entry Location, Service Group, or Default Action for Check Failure column label. Viewing a registry control To view a registry control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. Click the name of a registry control to view its information. Querying the registry control To query the registry control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. 4. Enter one or both of the following query criteria: • Registry Control Name—Enter the name of the registry control. • Registry Entry Location—Enter the location of the registry control. Click Query. The Registry Control List displays the registry controls that match the query criteria. 5. To reset the query values and search results, and to restore the full Registry Control List, click Reset. Adding a registry control To add a registry control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. Click Add. The Add Registry Control page appears. 4. Configure the basic information. Registry control policy management 121 5. Add a registry entry to the Registry Entry List: a. Click Add. The Add Registry Entry dialog box appears. b. c. Specify the Registry Entry information. Click OK. The new registry entry is displayed in the Registry Entry List. 6. Click OK. The registry control entry you have added now appears in the configuration options when configuring the security policy. For more information, see “Security policy management” (page 33). Modifying a registry control To modify a registry control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. 4. 5. Click the Modify icon for the target registry control. Modify the basic information. You cannot modify Registry Control Name or Service Group. Add a registry entry to the Registry Entry List: a. Click Add. The Add Registry Entry dialog box appears. b. c. Specify the Registry Entry information. Click OK. The added registry entry is displayed in the Registry Entry List. 6. Modify a registry control entry: a. Click the Modify icon for the target registry entry. The Modify Registry Entry dialog box appears. b. c. Modify the Registry Entry information as needed. Click OK. The modified registry entry is displayed in the Registry Entry List. 7. Delete a registry control entry: a. Click the Delete icon for the target registry entry. b. Click OK. 8. Click OK. Deleting a registry control Before deleting a registry control that has been assigned to a security policy, you must cancel its associations. For more information, see “Modifying a security policy” (page 44). To delete a registry control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Registry Control from the navigation tree. The Registry Control List displays all registry controls. 3. Click the Delete icon for the target registry entry. A confirmation dialog box appears. 4. 122 Click OK. Configuring security check items for PCs Share control management You can enable share control check for a security policy, and specify a share control policy. When an access user is authenticated, the iNode client checks the user terminal according to the share control policy configured in the security policy. Share control policy management allows you to view, add, modify, and delete a share control policy. You can configure a share control policy as needed. Share control list contents • Share Control Name—Name of the share control. Click the name to view its details. • Share—Indicates whether the share control allows folder share. • Default Share—Indicates whether the share control allows default share. • Windows XP Simple Share—Indicates whether the share control allows Windows XP simple share. • Service Group—Service group to which the share control belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the share control. to delete the share control. NOTE: To sort the Share Control List, click the Share Control Name, Share, Default Share, Windows XP Simple Share, or Service Group column label. Share control details The share control details comprise the following basic information: • Share Control Name—Name of the share control. Click the name to view its details. • Service Group—Service group to which the share control belongs. • Default Action for Check Failure—Default action of the share control check failure: ◦ Monitor (default)—User is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—User is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—User is informed of security problems after going online, the system informs the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—User is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new share control uses the default action you configured for share control check failure. When you select Global Security Mode in Security Level configuration, the default action of the share control failure is invalid. • Description—Description for the associated registry control. • Allow Share—Select this option when the share control allows an access user to use the share function. • Forbid Default Share—Select this option when the share control prohibits an access user from using default share. The option is available only when the access user is allowed to use the share function. Share control management 123 • Forbid Windows XP Simple Share—Select this option when the share control prohibits an access user from using Windows XP simple share. The option is available only when the access user is allowed to use the share function. • Exclude Groups or Users from Sharing—Folder share right is not assigned to the Windows users and groups. Enter the user name and group name to which the share right cannot be assigned. Domain user names are in the format domain name\user name. User names are separated by commas and are case sensitive. Viewing the share control list To view the share control list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Share Control from the navigation tree. The Share Control List displays all share controls. 3. Click Refresh to refresh the Share Control List. Viewing share control details To view a share control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Share Control from the navigation tree. The Share Control List displays all share controls. 3. 4. Click the name of the share control you want to view. To go back to the Share Control List, click Back. Adding a share control To add a share control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Share Control from the navigation tree. The Share Control List displays all share controls. 3. Click Add. The Add Share Control page appears. 4. 5. Configure the basic information. Click OK. The share control you have added now appears in the configuration options when configuring the security policy. For more information, see “Security policy management” (page 33). Modifying a share control To modify a share control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Share Control from the navigation tree. The Share Control List displays all share controls. 3. 4. 5. 124 Click the Modify icon for the target share control. Modify the share control. You cannot modify Registry Control Name or Service Group. Click OK. Configuring security check items for PCs Deleting a share control Before deleting a share control that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a share control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Share Control from the navigation tree. The Share Control List displays all share controls. 3. Click the Delete icon for the target share control. A confirmation dialog box appears. 4. Click OK. Traffic control management You can specify a traffic control policy for a security policy. When an access user passes the authentication, the iNode client periodically checks the traffic on the user terminal according to the traffic control policy configured in the security policy. You can configure the sampling interval, IP traffic monitoring, broadcast monitoring, packet number monitoring, and TCP/UDP connection monitoring in the traffic control policy. Traffic control policy management allows you to view, add, modify, and delete a traffic control policy. You can configure a traffic control policy as needed. Traffic control list contents • Name—Name of the traffic control. Click the name to view its details. • Description—Description for the associated traffic control. • Service Group—Service group to which the traffic control belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the traffic control. to delete the traffic control. Traffic control list details Traffic control details comprise the following sections: • Basic information • IP Traffic Monitoring • Broadcast Packet Monitoring • Packet Monitoring • TCP/UDP Connection Monitoring Basic information section • Name—Name of the traffic control. • Sampling Interval—Traffic sampling interval on the iNode client. • Description—Description for the associated traffic control. • Service Group—Service group to which the traffic control belongs. Traffic control management 125 IP Traffic Monitoring section • Monitor IP Traffic—Indicates whether IP traffic monitoring is enabled for the traffic control. • Minor Threshold—Minor threshold for IP traffic abnormality. • Severe Threshold—Severe threshold for IP traffic abnormality. Broadcast Packet Monitoring section • Monitor Broadcast Packets—Indicates whether broadcast packet monitoring is enabled for the traffic control. • Minor Threshold—Minor threshold for abnormal broadcast packets. • Severe Threshold—Severe threshold for abnormal broadcast packets. Packet Monitoring section • Monitor Packets—Indicates whether packet monitoring is enabled for the traffic control. • Minor Threshold—Minor threshold for abnormal packets. • Severe Threshold—Severe threshold for abnormal packets. TCP/UDP Connection Monitoring section • Monitor TCP/UDP Connections—Indicates whether TCP/UDP connection monitoring is enabled for the traffic control. • Minor Threshold—Minor threshold for abnormal TCP/UDP connections. • Severe Threshold—Severe threshold for abnormal TCP/UDP connections. Viewing the traffic control list To view the traffic control list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Traffic Control from the navigation tree. The Traffic Control List displays all traffic controls. 3. 4. Click Refresh to refresh the Traffic Control List. To sort the Traffic Control List, click the Name, Share, or Service Group column label. Viewing traffic control details To view a traffic control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Traffic Control from the navigation tree. The Traffic Control List displays all traffic controls. 3. 4. Click the name of the traffic control to view its information. To go back to the Traffic Control List, click Back. Adding a traffic control To add a traffic control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Traffic Control from the navigation tree. The Traffic Control List displays all traffic controls. 3. 4. 126 Click Add. Configure the basic information. Configuring security check items for PCs 5. 6. Select and enter a Minor Threshold and Severe Threshold for each type of monitoring that must be enabled: • Monitor IP Traffic • Monitor Broadcast Packets • Monitor Packets • Monitor TCP/UDP Connections Click OK. The traffic control you have added now appears in the configuration options when configuring the security policy. For more information, see “Security policy management” (page 33). Modifying a traffic control To modify a traffic control: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Traffic Control from the navigation tree. The Traffic Control List displays all traffic controls. 3. 4. 5. 6. for the target traffic control. Click the Modify icon Modify the basic information. You cannot modify the name or service group. Modify the parameters for each monitoring category of as needed (Monitor IP Traffic, Monitor Broadcast Packets, Monitor Packets, and Monitor TCP/UDP Connections): • Select a monitoring category to disable it. • Unselect a monitoring category to enable it. • Modify each minor threshold or major threshold as needed. Click OK. Deleting a traffic control Before deleting a traffic control that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a traffic control: 1. Select Endpoint Admission Defense > Traffic Control from the navigation tree. The Traffic Control List displays all traffic controls. 2. Click the Delete icon for the target share control. A confirmation dialog box appears. 3. Click OK. Password control You can enable password control for a security policy. When an access user is authenticated, the iNode client checks the password according to the built-in password check rules and password dictionary, and determines the security of the password. Password check rules are built in the iNode client. You only need to specify the password dictionary. The default password dictionary includes common weak passwords, such as names and company IDs. You can define new passwords as needed to enhance system security. Modifying a password control To modify a password control: Password control 127 1. Select Endpoint Admission Defense > Password Control from the navigation tree. The Modify Password Control page appears. 2. 3. 4. Click the download link located to the right of Download URL to download the current password dictionary. Use a text editor to edit the password dictionary to add self-defined weak passwords. Select Upload Password Dictionary. The Password Dictionary File field appears. Click Browse to locate the password dictionary file to be uploaded, select the file, and then click OK. The file name must be PasswordDic.txt. 5. 6. 7. From the Default Action for Check Failure list, select the default action for password check failure. A new password control uses the default action you configured for password control check failure. • Monitor (default)—User is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. • Inform—User is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. • Isolate—User is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to the configured ACL. Security check results are recorded in the security logs. • Kick out—User is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. Click OK. Click the Test link located to the right of Download URL to test whether the password dictionary can be used properly. Asset registration status check You can enable asset registration status check in a security policy. When an access user is authenticated, the iNode client cooperates with DAM to check the asset registration status. DAM manages each access user by using the Windows operating system as a desktop asset. DAM can monitor and audit registered assets and deploy software to the assets. For more information see “Managing assets” (page 158). 128 Configuring security check items for PCs 6 Configuring security check items for smart terminals Just as security checks items can be selected to enhance security on PCs, they can also be selected for a security policy that is assigned to smart terminals. The items are as follows: • Anti-virus software control • Anti-spyware software control • Smart Terminal Software Control • Smart Terminal Policy Anti-virus software policy management The system defines anti-virus software control for several types of anti-virus software in Android. You can enable anti-virus software control in a security policy and specify an anti-virus software policy. The anti-virus software policy determines whether an anti-virus software type application control is installed, and whether the software version matches the policy. When an access user is authenticated, the iNode client verifies the anti-virus software on the smart terminal according to the security policy configurations. Anti-virus software policy management allows you to view, add, modify, and delete an anti-virus software policy. You can specify the anti-virus software type application controls to be checked and the anti-virus software version. Anti-virus software policy list contents The anti-virus software policy list contains the following parameters: • Anti-Virus Software Policy Name—Name of the anti-virus software policy. Click the name to view its details. • Service Group—Service group to which the anti-virus software policy belongs. • Description—Description of the anti-virus software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the anti-virus software policy. to delete the anti-virus software policy. Anti-virus software policy details Anti-virus software policy details comprise the basic information section and the Windows Operating System, Linux Operating System, Mac OS Operating System, and Android Operating System sections. The Windows Operating System, Linux Operating System, and Mac OS Operating System sections do not take effect on smart terminals. Basic information section • Policy Name—Name of the anti-virus software policy. • Service Group—Service group to which the anti-virus software policy belongs. • Description—Description of the anti-virus software policy. Android operating system section The Android operating system section lists the anti-virus software that can be examined by the iNode client. • Anti-Virus Software—Name of the anti-virus software. • Vendor—Vendor name of the anti-virus software. Anti-virus software policy management 129 • Check Items—Indicates whether the software version is checked for the corresponding anti-virus software. ◦ • Check software version—When this parameter is selected, the anti-virus software version be checked. Otherwise, the anti-virus software version is not checked. Restriction—Check rules for the anti-virus software policy. When this field is empty, no rules are set for the anti-virus software. ◦ Delay Time (Days)—Adaptation period for the software version. This option is valid only when the anti-virus software version is in YYYY-MM-DD format. When the anti-virus software version is updated within the adaptation period, the anti-virus engine version check is passed. ◦ Lowest Software Version—Lowest anti-virus software version allowed by the anti-virus software policy. An anti-virus software policy supports two anti-virus software version formats: YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day; and XX.XX.XX, for example, 3.8.0. • Check—Indicates whether the corresponding anti-virus software is checked. • Priority—The iNode client checks the anti-virus software based on the priority. Items are listed in descending priority order (most important first). Click the Move Up icon or Move Down icon to adjust the list. Viewing the anti-virus software policy list To view the anti-virus software policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. 4. To sort the Anti-Virus Software Policy List, click the Anti-Virus Software Policy Name or Service Group column label. Click Refresh to refresh the Anti-Virus Software Policy List. Viewing anti-virus software policy details To view details of an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click the name of the anti-virus software policy for which you want to view the detailed information. The View Anti-Virus Software Policy page appears. 4. To go back to the Anti-Virus Software Policy List, click Back. Adding an anti-virus software policy To add an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 130 Configuring security check items for smart terminals 3. Click Add. The Add Anti-Virus Software Policy page appears. 4. 5. 6. Configure the basic information for the anti-virus software policy. To check an anti-virus software product in the anti-virus software policy, select the box in the Check field for the anti-virus software. Make sure you configure the anti-virus software products in the Android Operating System section. Anti-virus software products in other operating system sections do not take effect on smart terminals. Modify the anti-virus software check: a. Click the Modify icon for the anti-virus software you want to modify. The Anti-Virus Software Settings dialog box appears. b. c. Modify the anti-virus software name in the Anti-Virus software field, as needed. To check the anti-virus software version, select the box next to Check software version, and select an anti-virus software version format: • Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 12. Table 12 Version formats and parameters Version format Date format Dotted format d. Notification Version check mode Parameter Specified Version Lowest Version of Anti-Virus Software Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Software YYYY-MM-DD XX.XX.XX Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—The version check is passed if the user terminal version is higher than the specified version. If not, the version check fails. When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Software field to select a date. When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Software field. A valid version format is XX.XX.XX, for example, 7.100.1003. • e. f. 7. 8. Auto Adaptive—The version check is passed if the user terminal version has been updated within the adaptation period. If not, the version check fails. When the version check mode is Auto Adaptive and the version format is Date format, manually enter the adaptation period in the Adaptation Period (in days) field. Click OK. In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon to adjust the anti-virus software position in the list. Down icon Click OK. or Move Anti-virus software policy management 131 The anti-virus software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy” (page 19). Modifying an anti-virus software policy To modify an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click the Modify icon for the anti-virus software policy you want to modify. The Modify Anti-Virus Software Policy page appears. 4. 5. 6. Modify the basic information for the anti-virus software policy. You cannot modify Policy Name or Service Group. To check an anti-virus software product in the anti-virus software policy, select the box in the Check field for the anti-virus software. Make sure you configure the anti-virus software products in the Android Operating System section. Anti-virus software products in other operating system sections do not take effect on smart terminals. Modify the anti-virus software check: a. Click the Modify icon for the anti-virus software you want to modify. The Anti-Virus Software Settings dialog box appears. b. c. Modify the anti-virus software name in the Anti-Virus software field, as needed. To check the anti-virus software version, select the box next to Check software version, and select an anti-virus software version format: • Dotted format—Valid version format is XX.XX.XX, for example, 7.100.1003. • Date format—Valid date format is YYYY-MM-DD, where YYYY is the four-digit year, MM is the two-digit month, and DD is the two-digit day. • Date or dotted format—Dotted format and date format are valid. Different version formats require different parameters, as described in Table 13. Table 13 Version formats and parameters Version format Date format Dotted format d. Notification Version check mode Parameter Specified Version Lowest Version of Anti-Virus Software Auto Adaptive Adaptation Period (in days) Specified Version Lowest Version of Anti-Virus Software YYYY-MM-DD XX.XX.XX Select a version check mode, Specified Version or Auto Adaptive, from the Version Check Mode list. • Specified Version—The version check is passed if the user terminal version is higher than the specified version. If not, the version check fails. When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Software field to select a date. 132 Configuring security check items for smart terminals When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Software field. A valid version format is XX.XX.XX, for example, 7.100.1003. • e. 7. 8. Auto Adaptive—The version check is passed if the user terminal version has been updated within the adaptation period. If not, the version check fails. Click OK. In the Priority field of the Anti-Virus Software Policy List, click the Move Up icon to adjust the anti-virus software position in the list. Down icon Click OK. or Move Deleting an anti-virus software policy Before deleting an anti-virus software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete an anti-virus software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Virus Software Policies from the navigation tree. The Anti-Virus Software Policy List displays all anti-virus software policies. 3. Click the Delete icon for the anti-virus software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Anti-spyware software policy management The system defines anti-spyware software control for several types of anti-spyware software in Android operating systems. You can enable anti-spyware software control in a security policy, and specify an anti-spyware software policy. The anti-spyware software policy determines whether an anti-spyware software type application control is installed and whether the anti-spyware software version matches the policy. When an access user is authenticated, the iNode client checks the anti-spyware software on the smart terminal according to the configuration in the security policy. Anti-spyware software policy management allows you to view, add, modify, and delete an anti-spyware software policy. You can specify the anti-spyware products to be checked and the spyware definition version and anti-spyware engine version. Anti-spyware software policy list contents The anti-spyware software policy list contains the following parameters: • Anti-Spyware Software Policy Name—Name of the anti-spyware software policy. Click the name to view its details. • Service Group—Service group to which the anti-spyware software policy belongs. • Description—Description of the anti-spyware software policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the anti-spyware software policy. to delete the anti-spyware software policy. Anti-spyware software policy details Anti-spyware software policy details comprise the basic information section and the Windows Operating System, Mac OS Operating System, and Android Operating System sections. The Windows and Mac OS Operating System sections do not take effect on smart terminals. Anti-spyware software policy management 133 Basic information section • Policy Name—Name of the anti-spyware software policy. • Service Group—Service group to which the anti-spyware software policy belongs. • Description—Description of the associated anti-spyware software policy. Android Operating System sections The Android operating system sections list the anti-spyware software that can be checked by the iNode client. • Anti-Spyware Software—Name of the anti-spyware software. • Vendor—Vendor name of the anti-spyware software. • Check Items—Indicates whether the anti-spyware software version is checked. ◦ • Check software version—When this parameter is selected, the anti-spyware software version must be checked. Otherwise, software version is not checked. Restriction—Check rules for the anti-spyware software policy. When this field is empty, no rules are set for the anti-spyware software. ◦ Lowest software version—Lowest anti-spyware software version allowed by the anti-spyware software policy. An anti-spyware software policy supports the format XX.XX.XX, for example, 1.3.11. • Check—Indicates whether the corresponding anti-spyware software is checked. • Priority—Order (descending) in which the iNode client checks the anti-spyware software. Viewing the anti-spyware software policy list To view the anti-spyware software policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. 4. To sort the Anti-Spyware Software Policy List, click the Anti-Spyware Software Policy Name or Service Group column label. Click Refresh to refresh the Anti-Spyware Software Policy List. Viewing anti-spyware software policy details To view details of an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the name of the anti-spyware software policy for which you want to view the detailed information. The View Anti-Spyware Software Policy page appears. 4. To go back to the Anti-Spyware Software Policy List, click Back. Adding an anti-spyware software policy To add an anti-spyware software policy: 1. Click the Service tab. 134 Configuring security check items for smart terminals 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click Add. The Add Anti-Spyware Software Policy page appears. 4. 5. 6. Configure the basic information for the anti-spyware software policy. To check an anti-spyware software product in the anti-spyware software policy, select the box in the Check field for the anti-spyware software. Make sure you configure the anti-spyware software products in the Android Operating System section. Anti-spyware software products in other operating system sections do not take effect on smart terminals. Modify the anti-spyware software check: a. Click the Modify icon for the anti-spyware software you want to modify. The Anti-Spyware Software Settings dialog box appears. b. c. To check the anti-spyware software version, select the box next to Check software version. Select Specified Version from the Version Check Mode list. When the anti-spyware engine version of an access user is higher than the specified version, the anti-spyware engine version check is passed. d. Enter the anti-spyware engine version in the Lowest Software Version field, in the format XX.XX.XX, for example, 1.3.11. You must use dotted format for an anti-spyware engine version. e. 7. Click OK. Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move the anti-spyware software up one position in the list, or click the Move Down icon to move the anti-spyware software down one position in the list. The iNode client checks the anti-spyware software of access users based on descending priority order (most important first). 8. Click OK. The anti-spyware software policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy” (page 19). Modifying an anti-spyware policy To modify an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the Modify icon for the anti-spyware software policy you want to modify. The Modify Anti-Spyware Software Policy page appears. 4. Modify the basic information for the anti-spyware software policy. You cannot modify Policy Name or Service Group. 5. 6. To check an anti-spyware software product in the anti-spyware software policy, select the box in the Check field for the anti-spyware software. Make sure you configure the anti-spyware software products in the Android Operating System section. Anti-spyware software products in other operating system sections do not take effect on smart terminals. Modify the anti-spyware software check: Anti-spyware software policy management 135 a. Click the Modify icon for the anti-spyware software you want to modify. The Anti-Spyware Software Settings dialog box appears. b. c. To check the anti-spyware software version, select the box next to Check software version. Select Specified Version from the Version Check Mode list. When the anti-spyware engine version of an access user is higher than the specified version, the anti-spyware engine version check is passed. d. Enter the anti-spyware engine version in the Lowest Software Version field, in the format XX.XX.XX, for example, 1.3.11. You must use dotted format for an anti-spyware engine version. e. 7. Click OK. Click the Move Up icon in the Priority field of the Anti-Spyware Software Policy List to move the anti-spyware software up one position in the list, or click the Move Down icon to move the anti-spyware software down one position in the list. The iNode client checks the anti-spyware software of access users based on descending priority order (most important first). 8. Click OK. Deleting an anti-spyware software policy Before deleting an anti-spyware software policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete an anti-spyware software policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Security Software Policies > Anti-Spyware Software Policies from the navigation tree. The Anti-Spyware Software Policy List displays all anti-spyware software policies. 3. Click the Delete icon for the anti-spyware software policy you want to delete. A confirmation dialog box appears. 4. Click OK. Smart terminal software control management You can enable smart terminal software control in a security policy and specify software control groups to be checked. When an access user is authenticated, the iNode client checks software on the smart terminal according to the configuration in the security policy. Operators can view, add, modify, and delete software control groups for smart terminals. A smart terminal software control group can use either of the following check types: • Installed Forbidden—The smart terminal is prohibited from installing any software defined in the smart terminal software control group. • Installed Required—The smart terminal must install one or more software defined in the smart terminal software control group. Smart terminal software control group list contents 136 • Group Name—Name of the smart terminal software control group. Click the name to view its details. • Type—Type of the smart terminal software control group. The field always displays Software. • Description—Description of the smart terminal software control group. Configuring security check items for smart terminals • Default Action for Check Failure—Default action of the smart terminal software check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area. Security check results are recorded in the security logs. ◦ Kick Out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. A new smart terminal software control group uses the default action you configured for smart terminal software control check failure. When you select Global Security Mode in Security Level configuration, the default action of the smart terminal software control check failure is invalid. • Local Data—Indicates whether the smart terminal software control group is created by the EAD server. When the value is No, the smart terminal software control group is deployed by an upper-level node. For more information, see “Hierarchical node management” (page 54). • Service Group—Service group to which the smart terminal software control group belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the smart terminal software control group. to delete the smart terminal software control group. Smart terminal software control group details Smart terminal software control group details comprise the basic information and software list information. Basic information contents • Group Name—Name of the smart terminal software control group. • Type—Type of the smart terminal software control group, Software. • OS—Name of the OS on the smart terminal. Only Android is supported. • Description—Description of the smart terminal software control group. • Default Action for Check Failure—Default action of the smart terminal software control check failure: ◦ Monitor (default)—The user is not informed of security problems after going online, and can access the network. Security check results are recorded in the security logs. ◦ Inform—The user is informed of security problems after going online, the system prompts the user for modification, and the user can access the network. Security check results are recorded in the security logs. ◦ Isolate—The user is informed of security problems after going online, the system prompts the user to solve the problems, and the user can access the resources in the isolation area according to configured ACL. Security check results are recorded in the security logs. ◦ Kick out—The user is informed of security problems after going online, fails the authentication, and is forced to log off. Security check results are recorded in the security logs. Smart terminal software control management 137 A new smart terminal software control group uses the default action you configured for smart terminal software control check failure. When you select Global Security Mode in Security Level configuration, the default action of the smart terminal software control check failure is invalid. • Service Group—Service group to which the smart terminal software control group belongs. Software list information • Software Name—Name of the software. The software name must be the same as that in Android. • Alias—Alias of the software. When an access user fails the access control check, the iNode client uses the alias of the software as the name of the software on the Security Check Result page. • Version Number—Version number of the software. The software version must be the same as that in Android. • Description—Description of the software. Viewing the smart terminal software control group list To view the smart terminal software control group list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. The Smart Terminal Software Control Group List displays all smart terminal software control groups. Querying the smart terminal software control group To query the smart terminal software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. 3. Enter your query criteria in the Query Smart Terminal Software Control Group section: 4. 5. • Group Name—Enter the name of the smart terminal software control group. • Software Name—Enter the software name of the smart terminal software control group. Click Query. To reset both the query values and the search results, and to restore the full Smart Terminal Software Control Group List, click Reset and re-enter your query criteria. Viewing smart terminal software control group details To view a smart terminal software control group details: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. The Smart Terminal Software Control Group List displays all smart terminal software control groups. 3. Click the smart terminal software control group name for which you want to view the detailed information. The View Smart Terminal Software Control Group page appears. 4. 138 To go back to the Smart Terminal Software Control Group List, click Back. Configuring security check items for smart terminals Adding a smart terminal software control group To add a smart terminal software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. The Smart Terminal Software Control Group List displays all smart terminal software control groups. 3. Click Add. The Add Smart Terminal Software Control Group page appears. 4. 5. Configure the basic information for the smart terminal software control group. Add a software to the Software List: a. Click Add. The Add Software dialog box appears. b. c. Enter the Software Name, Alias, Version Number, and Description. Click OK. The added software appears in the Software List. 6. Click OK. The smart terminal software control group you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy” (page 19). Modifying a smart terminal software control group To modify a smart terminal software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. The Smart Terminal Software Control Group List displays all smart terminal software control groups. 3. Click the Modify icon for the smart terminal software control groups you want to modify. The Modify Smart Terminal Software Control Group page appears. 4. Modify the basic information for the smart terminal software control group. You cannot modify Group Name, Type, or Service Group. 5. Add a software to the Software List: a. Click Add. The Add Software dialog box appears. b. c. Enter the Software Name, Alias, Version Number, and Description. Click OK. The added software is displayed in the Software List. 6. Modify the software in the Software List: a. Click the Modify icon for the software you want to modify. The Modify Software dialog box appears. b. c. Modify the Software Name, Alias, Version Number, and Description. Click OK. The modified software appears in the Software List. Smart terminal software control management 139 7. Delete the software in the Software List: a. Click the Delete icon for the software you want to delete. b. Click OK in the dialog box that appears. 8. Click OK. Deleting a smart terminal software control group Before deleting a smart terminal software control group that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a smart terminal software control group: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Software Control Group Management > Smart Terminal Software Control Group from the navigation tree. The Smart Terminal Software Control Group List displays all smart terminal software control groups. 3. Click the Delete icon for the smart terminal software control group you want to delete. A confirmation dialog box appears. 4. Click OK. Smart terminal policy management You can enable Smart Terminal Configuration Check in a security policy and specify a smart terminal policy. The smart terminal policy checks the status of GPS, auto locking, and Bluetooth services on the smart terminal that attempts to access the network. Smart terminal policy management allows you to view, add, modify, and delete a smart terminal policy. Smart terminal policy list contents The smart terminal policy contains the following parameters: • Smart Terminal Policy Name—Name of the smart terminal policy. Click the name to view its details. • Enable GPS Service—Whether the GPS service must be enabled on the smart terminal. • Enable Auto Lock—Whether the auto lock function must be enabled on the smart terminal. • Disable Bluetooth—Whether the Bluetooth service must be disabled on the smart terminal. • Service Group—Service group to which the smart terminal policy belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the smart terminal policy. to delete the smart terminal policy. Smart terminal policy details The smart terminal policy details page contains the following parameters: • Smart Terminal Policy Name—Name of the smart terminal policy. • Service Group—Service group to which the smart terminal policy belongs. • Enable GPS Service—Whether the GPS service must be enabled on the smart terminal. • Enable Auto Lock—Whether the auto lock function must be enabled on the smart terminal. 140 Configuring security check items for smart terminals • Disable Bluetooth—Whether the Bluetooth service must be disabled on the smart terminal. • Description—Description of the smart terminal policy. Viewing the smart terminal policy list To view the smart terminal policy list: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation tree. The Smart Terminal Policy List displays all smart terminal policy. 3. 4. To sort the Smart Terminal Policy List, click any column label except the Modify and Delete fields. Click Refresh to refresh the Smart Terminal Policy List. Viewing smart terminal policy details To view details of a smart terminal policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation tree. The Smart Terminal Policy List displays all smart terminal policy. 3. Click the name of the smart terminal policy for which you want to view the detailed information. The View Smart Terminal Policy page appears. 4. To go back to the Smart Terminal Policy List, click Back. Adding smart terminal policy To add a smart terminal policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation tree. The Smart Terminal Policy List displays all smart terminal policies. 3. Click Add. The Add Smart Terminal Policy page appears. 4. 5. Configure the smart terminal policy. Click OK. The smart terminal policy you have added now appears in the configuration options when you configure the security policy. For more information, see “Security policy” (page 19). Modifying a smart terminal policy To modify a smart terminal policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation tree. The Smart Terminal Policy List displays all smart terminal policies. 3. Click the Modify icon for the smart terminal policy you want to modify. The Modify Smart Terminal Policy page appears. 4. Modify the smart terminal policy. Smart terminal policy management 141 5. Click OK. Deleting a smart terminal policy Before deleting a smart terminal policy that has been assigned to a security policy, you must cancel their associations. For more information, see “Modifying a security policy” (page 44). To delete a smart terminal policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Smart Terminal Policy Management from the navigation tree. The Smart Terminal Policy List displays all smart terminal policies. 3. Click the Delete icon for the smart terminal policy you want to delete. A confirmation dialog box appears. 4. 142 Click OK. Configuring security check items for smart terminals 7 Controlling Internet access Internet access refers to an organization's or enterprise's user access to the Internet. Depending on whether the user terminal is authenticated, Internet access is divided into authenticated Internet access and unauthenticated Internet access. • Authenticated Internet access—Uses two or more NICs to access multiple networks at the same time after passing the authentication, one of which is the Internet. • Unauthenticated Internet access—Accesses the Internet by using an unauthenticated host, usually a portable device. Internet access must be regulated to avoid sensitive information leakage and to improve security. EAD offers access control for both authenticated and unauthenticated Internet access. For authenticated Internet access, EAD deploys ACLs to all but the authenticated NIC. For unauthenticated Internet access, EAD deploys ACLs to all NICs on the unauthenticated host. EAD also provides the logging capabilities for Internet access control. It instructs the iNode client to log specified Internet access behaviors of users and collects and stores the logs in its database for future retrieval and audit. For EAD to implement Internet access control on user terminals, operators must enable the Lock Internet Access Ability feature on the iNode client. Otherwise, a user cannot pass authentication if the user tries to access the Internet by using a service that contains Internet access control configuration. Internet access control comprises the following: • Internet access configurations. With Internet access configuration, you can specify whether and how to control and audit users' Internet access behaviors. EAD enables you to implement flexible Internet access control by assigning different Internet access configurations specific to services and access policies. • Internet access audit policies. An Internet access audit policy specifies the rules for generating Internet access audit logs, which applies only to authenticated users. The policies must be assigned to Internet access configurations to take effect. • Internet access audit logs. An Internet access audit log records detailed information about a user's Internet access behaviors. EAD enables you to query the Internet access audit logs through basic query or advanced query. • Internet access logging parameters. You can specify the lifetime of an Internet access audit log and the maximum number of Internet access audit logs that can be kept in the system. This helps improve log query efficiency and prevent accumulated Internet access logs from degrading system performance. Managing Internet access configurations An Internet access configuration specifies whether and how to control and audit users' access to the Internet. From the Internet access configuration management page, you can view, add, modify, and delete an Internet access configuration. Viewing the Internet access configuration list 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration Management from the navigation tree. The Internet Access Configuration Management page appears. Managing Internet access configurations 143 Internet Access Configuration List contents 3. • Internet Access Configuration Name—Name of the Internet access configuration. Click the name to view its details. • Service Group—Service group to which the Internet access configuration belongs. • Description—Description of the Internet access configuration. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the Internet access configuration. to delete the Internet access configuration. Click Refresh to refresh the Internet Access Configuration List. Viewing Internet access configuration details 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration Management from the navigation tree. The Internet Access Configuration Management page appears. 3. Click the name of the Internet access configuration whose detailed information you want to view. The page showing detailed information about the Internet access configuration appears. Internet Access Configuration Details contents Basic Information • Internet Access Configuration Name—Name of the Internet access configuration. • Service Group—Service group to which the Internet access configuration belongs. • Description—Description of the Internet access configuration. Internet Access Configuration Information • • 4. Lock Internet Access Ability—Whether to enable Internet access control. If enabled, you must select the client ACLs for the All but Authenticated NIC and Unauthenticated Hosts options. The iNode client applies the specified ACLs to the hosts accessing the Internet to implement access control. ◦ All but Authenticated NIC—ACL applied to all but the authenticated NIC. An empty field indicates no Internet access control is applied. ◦ Unauthenticated Hosts—ACL applied to all NICs on unauthenticated hosts. If no ACL is specified, the default ACL is used. The default ACL is configured when the installation package of the iNode client was customized in iNode Management Center. Enable Internet Access Audit—Whether to enable Internet access audit. If this option is selected, specify the following parameters: ◦ Audit Policy—Audit policy assigned to the Internet access configuration. The iNode client generates Internet access audit logs based on the ACL rules in the specified audit policy, and reports the generated logs to EAD. ◦ Report Interval (Minutes)—Specifies the interval in minutes at which the iNode client reports Internet access audit logs to EAD. Click Back to return to the Internet Access Configuration Management page. Adding an Internet access configuration 1. Click the Service tab. 144 Controlling Internet access 2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration Management from the navigation tree. The Internet Access Configuration Management page appears. 3. Click Add. The Add Internet Access Configuration page appears. 4. Configure the basic information for the Internet access configuration: • Internet Access Configuration Name—Enter the Internet access configuration name. • Service Group—Select the service group to which the Internet access configuration belongs. • Description—Enter the description of the Internet access configuration. Detailed description can help facilitate maintenance. • Lock Internet Access Ability—Select this option if you want to enable Internet access control. When this option is selected, you must select the client ACLs for the All but Authenticated NIC and Unauthenticated Hosts options. The iNode client applies the specified client ACLs to the hosts accessing the Internet to implement access control. For information about client ACLs, see “Managing client ACLs” (page 68). • 5. ◦ All but Authenticated NIC—Select the ACL applied to all but the authenticated NIC. Leave this field empty to apply no Internet access control. ◦ Unauthenticated Hosts—Select the ACL applied to unauthenticated hosts. If no ACL is specified, the default ACL is used. The default ACL is configured when the installation package of the iNode client is customized in iNode Management center. Enable Internet Access Audit—Select this option if you want to enable Internet access audit. When this option is selected, you can specify the Audit Policy and Report Interval. ◦ Audit Policy—Select an audit policy. The iNode client generates Internet access audit logs based on the audit ACL rules specified in the audit policy, and reports the logs to EAD at specified report interval. For information about configuring audit policies, see “Managing Internet access audit policies” (page 146). ◦ Report Interval (Minutes)—Specifies a report interval in minutes. The value range is 10 to 60 and the default is 30. The iNode client reports the Internet access audit logs to EAD at the specified interval and when user logs off. Click OK. Modifying an Internet access configuration 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration Management from the navigation tree. The Internet Access Configuration Management page appears. 3. Click the Modify icon for the Internet access configuration you want to modify. The page for modifying the Internet access configuration appears. 4. Modify the Internet access configuration parameters. You can modify all parameters except Service Group. 5. Click OK. Managing Internet access configurations 145 Deleting an Internet access configuration Before deleting an Internet access configuration that has been assigned to a service, you must cancel their associations. For more information, see HP IMC User Access Manager Administrator Guide. To delete an Internet access configuration: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Configuration Management from the navigation tree. The Internet Access Configuration Management page appears. 3. 4. Click the Delete icon Click OK. for the Internet access configuration you want to delete. Managing Internet access audit policies An Internet access audit policy specifies the rules for generating Internet access audit logs, which applies only to authenticated users. With Internet access audit policy management, you can view, add, modify, and delete an Internet access audit policy. Viewing the Internet access audit policy list 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy from the navigation tree. The Internet Access Audit Policy List displays all Internet access audit policies. Internet Access Audit Policy List contents 3. • Policy Name—Internet access audit policy name. Click the name to view its details. • Service Group—Service group to which the Internet access audit policy belongs. • Description—Description of the Internet access audit policy. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the Internet access audit policy. to delete the Internet access audit policy. Click Refresh to refresh the Internet Access Audit Policy List. Viewing Internet access audit policy details 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy from the navigation tree. The Internet Access Audit Policy List displays all Internet access audit policies. 3. Click the name of the Internet access audit policy whose detailed information you want to view. The page showing detailed information about the Internet access audit policy appears. Internet Access Audit Policy details contents Basic Information 146 • Name—Name of the Internet access audit policy. • Default Action—Action to take on packets that do not match any ACL rule, Audit or Not Audit. • Description—Description of the Internet access audit policy. • Service Group—Service group to which the Internet access audit policy belongs. Controlling Internet access Audit ACL Rule List 4. • Enable Audit—Whether to enable the iNode client to send Internet access audit logs to EAD when the ACL rule is matched. • Protocol—Name or number of the transport layer protocol. • Destination IP/Mask—Destination network IP address and mask length. The value of 0.0.0.0 matches all IP addresses. • Destination Port—Destination port number. Click Back to return to the Internet Access Audit Policy List. Adding an Internet access audit policy 1. 2. Click the Service tab. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy from the navigation tree. The Internet Access Audit Policy List displays all Internet access audit policies. 3. Click Add. The Add Internet Access Audit Policy page appears. 4. 5. Configure basic information: • Name—Enter the name of the Internet access audit policy. • Default Action—Select the default action to apply to packets that do not match any ACL rule, Audit or Not Audit. ◦ Audit—Sends Internet access logs to EAD. ◦ Not Audit—Does not send Internet access audit logs to EAD. • Description—Enter the description of the Internet access audit policy. • Service Group—Select the service group to which the Internet access audit policy belongs. Add audit ACL rules to the Internet access policy: a. Click Add. b. Configure the following parameters for the ACL rule: c. • Enable Audit—Select Audit or Not Audit to specify whether or not to enable the iNode client to send Internet access audit logs to EAD when the ACL rule is matched. • Protocol—Select the name or number of the transport layer protocol. • Destination IP/Mask—Specifies the destination network IP address and mask length. The value of 0.0.0.0 matches all IP addresses. • Destination Port—Specifies the destination port number. Click the Move up icon rule. / Move down icon to raise or reduce the priority of an ACL The ACL rules displayed in the ACL Rule List are in descending order of priority. The rule with a higher priority is matched against first. Once a match is found for a packet, the remaining rules are ignored. d. 6. Click OK. Click OK. Modifying an Internet access audit policy 1. Click the Service tab. Managing Internet access audit policies 147 2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy from the navigation tree. The Internet Access Audit Policy List displays all Internet access audit policies. 3. Click the Modify icon of the Internet access audit policy you want to modify. The page for modifying the Internet access audit policy appears. 4. Modify the basic information for the Internet access audit policy. You can modify all the parameters except Policy Name and Service Group. 5. Modify the ACL rules of the Internet access audit policy. a. b. c. Click the Modify icon of an ACL rule to modify its settings. to delete the ACL rule. Click the Delete icon Click the Move up icon / Move down icon to raise or reduce the priority of an ACL rule. The ACL rules displayed in the ACL Rule List are in descending order of priority. The rule with a higher priority is matched against first. 6. Click OK. Deleting an Internet access audit policy Before deleting an Internet access configuration that has been assigned to an Internet access configuration, you must cancel their associations. For more information, see HP IMC User Access Manager Administrator Guide. To delete an Internet access audit policy: 1. Click the Service tab. 2. Select Endpoint Admission Defense > Terminal Access Control > Internet Access Audit Policy from the navigation tree. The Internet Access Audit Policy List displays all Internet access audit policies. 3. Click the Delete icon of the Internet access audit policy you want to delete. A confirmation dialog box appears. 4. Click OK. Managing Internet access audit logs Internet access audit logs record users' access to the Internet. Operators can filter Internet access audit logs through basic query or advanced query. Viewing the Internet access audit log list 1. 148 Click the User tab. Controlling Internet access 2. Select Access User View > Log Management > Internet Access Audit Log from the navigation tree. The Internet Access Audit Log List displays all Internet access audit logs. Internet Access Audit Log List contents • Account Name—Account name used by the user to access the Internet. • User Name—Name of the IMC Platform user to which the access account is attached. • Start Time (Server)—Logging start time recorded by the EAD server. • End Time (Server)—Logging end time recorded by the EAD server, which is the time when the EAD server received the Internet access audit log. • Destination IP—Destination IP address the user accessed. • Source IP—Source IP address used by the user to access the Internet. • Destination Port—Destination port accessed by the user. • Protocol Number—Number of the transport layer protocol used by the user. Common transport layer protocol numbers include 1 (ICMP), 6 (TCP), and 17 (UDP). • NIC Name—Name of the NIC used by the user to access the Internet. • MAC Address—MAC address used by the user to access the Internet. • Packet Number—Total number of packets sent by the user that match the ACL rule for auditing. • Details—Click the Details icon to view detailed information about an Internet access audit log. Performing a basic query for Internet access audit logs 1. 2. Click the User tab. Select Access User View > Log Management > Internet Access Audit Log from the navigation tree. The Internet Access Audit Log List displays all Internet access audit logs. 3. Enter or select one or multiple of the following query criteria: • Account Name—Enter the account name used by the user to access the Internet. EAD supports fuzzy matching for this field. • User Name—Enter the name of the IMC Platform user to which the access account is attached. EAD supports fuzzy matching for this field. • Start Time (Server) From/To—Specify the range of the logging start time recorded by the EAD server, in the format of YYYY-MM-DD hh:mm. You can manually enter the time range, or click the Calendar icon to select the time range. The default is 00:00 to 23:59. • Destination IP From/To—Specify the destination IP address range the user accessed. An empty field does not serve as a query criterion. 4. Click Query. The Internet Access Audit Log List displays all Internet access audit logs that match the query criteria. Click Reset to clear all the query criteria and display all logs. Performing an advanced query for Internet access audit logs 1. 2. Click the User tab. Select Access User View > Log Management > Internet Access Audit Log from the navigation tree. The Internet Access Audit Log List displays all Internet access audit logs. Managing Internet access audit logs 149 3. 4. Click Advanced Query on the upper right corner of the Query Internet Access Audit Logs area. Enter or select one or multiple of the following query criteria: • Account Name—Enter the account name used by the user to access the Internet. EAD supports fuzzy matching for this field. • User Name—Enter the name of the IMC Platform user to which the access account is attached. EAD supports fuzzy matching for this field. • User Group—Enter the user group to which the user belongs. EAD supports fuzzy matching for this field. • Service Name—Enter the name of the service used by the user. • Start Time (Server) From/To—Specify the range of the logging start time recorded by the EAD server, in the format of YYYY-MM-DD hh:mm. You can manually enter the time range, or click the Calendar icon to select the time range. The default is 00:00 to 23:59. • Start Time (Client) From/To—Specify the range of the logging start time recorded by the iNode client, in the format of YYYY-MM-DD hh:mm. You can manually enter the time range, or click the Calendar icon to select the time range. • Destination IP From/To—Specify the destination IP address range the user accessed. • Destination Port From/To—Specify the destination port range the user accessed. • Source IP From/To—Specify the source IP address range of the user. • Packet Number From/To—Specify the range of the total number of packets sent by the user that the match ACL rule for auditing. • Protocol Number—Select the number of the transport layer protocol used by the user to access the Internet. • NIC Name—Enter the name of the NIC used by the user to access the Internet. EAD supports fuzzy matching for this field. • MAC Address—Enter a partial or complete MAC address used by the user to access the Internet. Valid MAC address formats include XX-XX-XX-XX-XX-XX, XXXX-XXXX-XXXX, and XX:XX:XX:XX:XX:XX. EAD supports fuzzy matching for this field. An empty field does not serve as a query criterion. 5. Click Query. The Internet Access Audit Log List displays all Internet access audit logs that match the query criteria. Click Reset to clear all the query criteria and display all logs. Viewing Internet access audit log details 1. 2. Click the User tab. Select Access User View > Log Management > Internet Access Audit Log from the navigation tree. The Internet Access Audit Log List displays all Internet access audit logs. 3. Click the Details icon to view. of the Internet access audit log whose detailed information you want The page showing detailed information about the Internet access audit log appears. Internet Access Audit Log details contents 150 • Account Name—Account name used by the user to access the Internet. • User Name—Name of the IMC Platform user to which the access account is attached. • Service Name—Name of the service used by the user. • User Group—User group to which the user belongs. • Start Time (Server)—Logging start time recorded by the EAD server. Controlling Internet access 4. • End Time (Server)—Logging end time recorded by the EAD server, which is the time when the EAD server received the log. • Start Time (Client)—Logging start time recorded by the iNode client. • End Time (Client)—Logging end time recorded by the iNode client. • Destination IP—Destination IP address the user accessed. • Source IP—Source IP address used by the user. • Destination Port—Destination port accessed by the user. • Protocol Number—Number of the transport layer protocol used by the user. Common transport layer protocol numbers include 1 (ICMP), 6 (TCP), and 17 (UDP). • NIC Name—Name of the NIC used by the user to access the Internet. • MAC Address—MAC address used by the user to access the Internet. • Packet Number—Total number of packets sent by the user that match the ACL rule whose Enable Audit is set to Audit. Click Back to return to the Internet Access Audit Log List. Configuring Internet access logging parameters From the EAD System Parameter Config page, you can specify the lifetime of an Internet access audit log and the maximum number of Internet access audit logs that can be kept in the system. This helps improve log query efficiency and prevent accumulated Internet access logs from degrading system performance. To configure Internet access logging parameters: 1. Click the User tab. 2. Select Endpoint Admission Defense > Service Parameters> System Parameters Config from the navigation tree. The System Parameters Config page appears. 3. 4. Configure the Internet access log keeping parameters: • Internet Access Audit Log Keeping Time (Days)—Specify the maximum number of days an Internet access audit log can be kept in the system. The system automatically deletes the logs whose lifetime exceeds the specified keeping time every morning. The default is 30 days. • Max Internet Access Audit Logs (10000)—Specify the maximum number of Internet access audit logs (in ten thousand) that can be kept in the system. The system automatically deletes logs from the earliest record when the specified number is reached. The default is ten million. Click OK. Assigning Internet access configurations to services and access policies An Internet access configuration must be assigned to a service or an audit policy to take effect. EAD deploys the Internet access configuration along with other settings in the service to the iNode client of the user accessing the Internet. A service can comprise multiple access policies. If a user matches one access scenario of an access policy, EAD deploys to the user the Internet access configuration assigned to the policy. If no matching access scenario is found for the user, EAD deploys the default Internet access configuration of the service to the user. Configuring Internet access logging parameters 151 Assigning an Internet access configuration to a service You can assign an Internet access configuration to a service as the default Internet access configuration. When a user matches no access scenarios defined for the access policies of the service, EAD deploys the default Internet access configuration to the user. To assign the default Internet access configuration to a service: 1. Click the User tab. 2. Select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears. 3. Click the Modify icon of the target service. The page for modifying the service appears. 4. 5. In the Basic Information area, select the Internet access configuration you want to assign to the service from the Default Internet Access Configuration list. Or select Do not use to apply no default Internet access configuration. Click OK. Assigning an Internet access configuration to an access policy 1. 2. Click the User tab. Select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears. 3. Click the Modify icon of a service. The page for modifying the service appears. 4. In the Access Policy List, click the Modify icon an Internet access configuration. the access policy to which you want to assign The Modify Access Policy window appears. 5. 6. 152 Select the Internet access configuration from the Default Internet Access Configuration list. Or select Do not use to assign no Internet access configuration to the policy. Click OK. Controlling Internet access 8 Configuring DAM DAM manages and monitors desktop assets, including PCs and servers running Windows, and assigns each asset a unique asset number. DAM uses the iNode client to collect hardware and software information for each asset, and then implements asset management and statistics collection, desktop control, asset audit, and software deployment. To implement these functions, operators must complete the following tasks: • Configure service parameters. • Create asset groups. • Add assets to DAM. • Implement asset statistics. • Configure asset export tasks. In this document, a server deployed with the DAM service component is referred to as the DAM server. Operators must first set the asset numbering mode for DAM in the service parameter settings. The numbering mode can be automatic or manual (the default). The service parameters also include Asset Change Record Lifetime, Life of Log, and Send Syslogs. For more information, see “DAM service parameters” (page 312). To facilitate asset management, DAM allows operators to manage assets by group. Operators can manually create asset groups and subgroups in DAM, or allow DAM to automatically create asset groups and subgroups based on existing user groups on the IMC platform. For more information, see “Managing asset groups” (page 153). DAM provides several asset management functions, including: • Querying, viewing, adding, modifying, and deleting assets • Moving assets between groups • Exporting asset information • Viewing the asset export history Assets use assigned asset numbers for registration. DAM manages registered assets only, using the iNode client to collect information for each asset. After registered asset information is collected, operators can view system, OS, software, and hardware information to monitor asset usage and troubleshoot problems. For more information, see “Managing assets” (page 158). DAM asset statistics can list or display in a pie chart asset statistics by asset type, CPU, hard disk, operating system, or software installed. For more information, see “Collecting asset statistics” (page 178). DAM export task management allows operators to manage all scheduled tasks for periodic exporting of USB monitoring records. For more information, see “Managing the export task” (page 184). Managing asset groups DAM allows operators to add, modify, and delete asset groups; assign asset groups to specified operators for management; and organize the assets by asset groups or user groups. Operators can manually create asset groups and subgroups in DAM, or allow DAM to automatically create asset groups and subgroups based on existing user groups on the IMC platform. When assets are automatically created based on user groups, every asset is automatically added to the group to which its owner belongs. Assets that do not have an owner are added to Ungrouped, which is a special asset group automatically created by the system. DAM supports an asset group hierarchy of a maximum of five levels. Managing asset groups 153 Asset group list contents • Expand All/Collapse All—Click the Expand All icon to expand the asset group. Click the Collapse All icon to collapse the asset group. The Expand All icons are grayed out for asset groups that have no subgroups. • Group Name—Displays the name of the asset group. Click the name to view its details. This field also shows the group level. For a top-level asset group, this field displays only the group name. For a middle-level asset group that has subgroups and a parent group, this field displays the group name and a Group icon next to the name. For bottom-level asset groups that have only a parent group, this field displays the group name and a Group icon next to the name. • Control Scheme—Displays the name of the desktop control scheme assigned to the asset group. Click the name to view details of the scheme, which contains a set of control policies. For more information, see “Configuring desktop control schemes” (page 186). • Asset List—Click the Asset List icon • Add Sub-Group—Click the Add Sub-Group icon to add a subgroup to the asset group. This link is not available for Ungrouped, which is a system-defined asset group that cannot have a subgroup. • Modify—Click the Modify icon • Delete—Click the Delete icon to view assets in the asset group. to modify the asset group. to delete the asset group. Asset group details Asset group details comprise the following sections: • Basic information • Asset group details • Immediate parent group list • Authorized operator Basic information section • Group Name—Enter the asset group name. • Control Scheme—Select an existing desktop control scheme for the asset group, or select Disable Control Scheme when you do not want to apply any control scheme to the asset group. For more information, see “Configuring desktop control schemes” (page 186). • Group Description—Enter the description of the asset group. Asset group details section • Group Name—Name of the asset group. • Control Scheme—Name of the desktop control scheme assigned to the asset group. Click the name to view details of the scheme, which is a set of control policies. You can select an existing desktop control scheme for a group or subgroup, or select Disable Control Scheme when you do not want to apply any control scheme to the asset group. When you skip this step, the subgroup inherits control schemes from its parent group. For more information, see “Configuring desktop control schemes” (page 186). 154 Configuring DAM • Parent Group Name—Name of the parent group. When you add a subgroup, this field is automatically populated with the name of the parent group. This field is not available when the asset group has no parent group. • Group Description—Description of the asset group. You can modify this parameter only when the Use Asset Groups option is selected. Immediate parent group list section This section is available only for asset groups that have parent groups. • Group Name—Name of the parent group. • Control Scheme—Name of the desktop control scheme assigned to the parent group. With no control scheme configured, a subgroup inherits the control scheme from its parent group. • Group Description—Description of the parent group. Authorized operator section This section is not available when the asset is created based on existing user groups on the IMC platform. • Username—Name of the operator authorized to manage the asset group. • Full Name—Full name of the operator. • Privilege—Privilege level assigned to the operator: Admin, Maintainer, or Viewer. • Description—Description of the operator. Viewing the asset group list To view the asset group list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click Refresh to refresh the Asset Group List. When you configure DAM to automatically create and delete asset groups along with existing user groups on the IMC platform, the Asset Group List does not contain the Add Sub-Group and Delete fields. Viewing asset group details To view details of an asset group: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click the name of the asset group for which you want to view the detailed information. The Asset Group Details page appears. 4. To go back to the Asset Group List, click Back. Adding asset groups Operators can manually create asset groups and subgroups in DAM, or allow DAM to automatically create asset groups and subgroups based on existing user groups on the IMC platform. DAM supports an asset group hierarchy of a maximum of five levels. After an asset group/subgroup is added, DAM creates an asset group/subgroup branch under the All Assets node on the left navigation tree. Managing asset groups 155 Manually adding an asset group When the Use Asset Groups option is selected on the Asset Group List page, you can manually add asset groups using the following procedure: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click Add Group. The Add Asset Group page appears. 4. 5. 6. Configure the basic information. Select operators to manage the asset group in the Authorized Operators section. Select the box for the operator you want to manage the asset group. Operators with the Admin privilege are selected automatically. 7. Click OK. Automatically adding asset groups based on user groups DAM can automatically create asset groups and subgroups based on existing user groups on the IMC platform. This function is available only when DAM contains no manually added asset groups except the system-defined asset group, Ungrouped. To enable DAM to automatically create asset groups based on user groups: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click Use User Groups. The Asset Group page is refreshed to display the asset groups added based on user groups. When the Use User Groups option is selected, DAM automatically creates asset groups based on existing user groups on the IMC platform, adjusts the asset groups along with the user groups, and prohibits operators from manually adding asset groups. When all asset groups are automatically created, you can select the Use Asset Groups option to manually add more asset groups. However, you must reselect operators for each asset group, except operators with the Admin privilege who are automatically selected. Adding a subgroup for an asset group DAM allows operators to manually add subgroups for asset groups. However, when the Use User Groups option is selected, DAM automatically maintains the same group structure as that of the user groups, and prohibits operators from manually adding asset groups or subgroups. To manually add a subgroup for an asset group: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click the Add Sub-Group icon for the asset group to which you want to add a subgroup. The Add Asset Group page appears. When you configure DAM to automatically create and delete asset groups along with existing user groups on the IMC platform, the Asset Group List does not contain the Add Sub-Group field. 4. 156 Configure the basic information/asset group details for the subgroup. Configuring DAM 5. Confirm the control scheme for the current group in the Immediate Parent Group List section. When no control scheme is configured, the asset group inherits control schemes from its parent group. 6. 7. Select operators to manage the asset group in the Authorized Operators section. Select the box for the operator you want to manage the asset group. Operators with the Admin privilege are selected automatically. 8. Click OK. Modifying an asset group To modify an asset group: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. 4. 5. Click the Modify icon for the asset group you want to modify. Modify the basic information/asset group details for the asset group. • Group Name—Enter the group name. You cannot modify this parameter when the Use Asset Groups option is selected. • Control Scheme—Select an existing desktop control scheme for the asset group, or select Disable Control Scheme when you do not want to apply any control scheme to the asset group. When no control scheme is configured, the asset group inherits control schemes from its parent group. For more information, see “Configuring desktop control schemes” (page 186). • Group Description—Enter the description of the group. You can modify this parameter only when the Use Asset Groups option is selected. Select operators to manage the asset group in the Authorized Operators section. This section is not available when the Use User Groups option is selected. 6. Select the box for the operator you want to manage the asset group. Operators with the Admin privilege are selected automatically. 7. Click OK. Deleting an asset group DAM allows operators to delete an asset group. However, when the Use User Groups option is selected, DAM automatically maintains the same group structure as that of the user groups, and prohibits operators from manually deleting asset groups or subgroups. Before deleting an asset group, you must remove all of its assets. When the asset group has subgroups, delete its subgroups first. To delete an asset group: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click the Delete icon for the asset group you want to delete. A confirmation dialog box appears. 4. Click OK. Managing asset groups 157 Granting an operator privileges to manage asset groups You can grant operators privileges to manage specific asset groups. When assets are grouped based on user groups, the operators are automatically granted privileges to manage their respective asset groups, and their granted asset group privileges change along with the user group settings. When you switch from the Use User Groups option to the Use Asset Groups option, DAM keeps all asset groups created based on user groups. You must grant privileges to operators again to manage their asset groups, unless they have the Admin privilege, in which case they are granted privileges automatically. To grant an operator privileges to manage specific asset groups: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Group from the navigation tree. The Asset Group List displays all asset groups. 3. Click Operator Privileges. The Operator List displays all operators and their respective privileges. 4. Click the Modify icon for the operator to modify privileges. The Modify Privileges page appears. 5. 6. Select the asset groups that you want the operator to manage. Click OK. Managing assets DAM uses the iNode client to collect information about registered assets for desktop monitoring, asset audit, and software deployment. DAM manages only the registered assets. Operators can configure EAD security policies so that EAD checks the asset status of access users, and monitors, informs, isolates, or blocks access users that use unregistered assets. Operators can query, view, add, modify or delete assets; move assets between groups; batch export assets; and view the asset export history. Registering assets DAM manages only the registered assets. DAM assigns each asset a unique asset number for registration. The asset registration mode varies based on the asset numbering mode: manual or automatic. 158 • Manual numbering mode—Operators must manually add asset information to DAM, such as the asset number, owner, and asset group to which the asset belongs. When an access user logs in, the iNode client prompts the user to enter the asset number to complete asset registration. • Automatic numbering mode—Operators must enable automatic numbering and specify a prefix. When an access user logs in, DAM automatically numbers the asset and prompts the user to enter the model, position, vendor, type, and description of the asset to complete asset registration. Configuring DAM Asset list contents • Status—Status of the asset: ◦ Online—Asset is managed and online. ◦ Offline—Asset is managed and offline. ◦ Unmanaged—Asset is not managed by DAM. • Asset Number—Asset number of the asset. Click the asset number to view the asset details. • Asset Name—Name of the asset. • Group Name—Name of the asset group to which the asset belongs. Click the name to view the group details. • Model—Model of the asset. • ACK Status—Indicates whether an operator has acknowledged the asset information. This field appears only when Auto Number is set to Enable. • Owner—Owner of the asset. Click the owner to view the owner details. • Inserted at—Time when the asset was manually added to DAM or automatically numbered by DAM. • Modify—Click the Modify icon to modify the asset information. Asset details Asset details comprise the following sections: • System information • Operating system information • Hardware information • Screen saver information • IP address list • Partition list • Logical disk list • Software list • Patch list • Process list • Service list • Share list • Port list System information section • Asset Number—Asset number of the asset. • • Asset Name—Name of the asset. Status—Status of the asset: ◦ Online—Asset is managed and online. ◦ Offline—Asset is managed and offline. ◦ Unmanaged—Asset is not managed by DAM. Managing assets 159 • Asset Group—Asset group to which the asset belongs. • Group Control Scheme—Desktop control scheme assigned to the asset group. Click the control scheme name to view its details. An empty field indicates that no desktop control scheme is assigned to the asset group. • Asset Control Scheme—Desktop control scheme assigned to the asset. This scheme applies to the asset regardless of whether a desktop control scheme is assigned to the asset group where it resides. An empty field indicates that no desktop control scheme is assigned to the asset, and in this case, the asset must use the desktop control scheme assigned to the asset group where it resides. • Owner—Owner of the asset. Click the owner name to view the owner details. • User—User who last used the asset or is currently using the asset for network access. Click the user name to view the detailed user information. An empty field indicates that no user has passed identity authentication by using the asset. • Login Name—Windows account name used to log in to the asset, which can be a local account or a domain account. • Operating System—Operating system running on the asset. • Asset Type—Asset type: PC, Laptop, Server, Workstation, and Others. • Vendor—Vendor of the asset. • Model—Model of the asset. • Client Language—Language used by the iNode client on the asset. • Client Version—Version of the iNode client installed on the asset. • Inserted at—Time when the asset was manually added to DAM or automatically numbered by DAM. • Managed at—Time when the asset completed registration after being added to DAM. • Updated at—Time when the asset software or hardware was last updated after registration. • Login at—Time when the asset last logged in after registration. • Location—Location information of the asset. • Remarks—Comments on the asset. • ACK Status—Indicates whether an operator has acknowledged the asset information. In manual numbering mode, the ACK Status is Yes for all assets. In automatic numbering mode, the ACK Status is Yes for acknowledged assets, and is No for unacknowledged assets. Operating system information section • Operating System—Name of the operating system running on the asset. • Version—Version of the operating system running on the asset. • Patch—Patch version of the operating system running on the asset. • Installed at—Time when the operating system was installed on the asset. • Operating System Language—Language of the operating system running on the asset. 160 Configuring DAM Hardware information section To view detailed hardware information, click the Details link in the section title area. For more information, see “Viewing hardware details” (page 165). • • • • BIOS Information ◦ Caption—Caption of the BIOS. ◦ Vendor—Vendor of the BIOS. ◦ Release Date—Release date of the BIOS. ◦ Version—Version of the BIOS. Mainboard Information ◦ Vendor—Vendor of the main board. ◦ Model—Model of the main board. Memory Information ◦ Total Memory—Total memory size of the asset. ◦ Free Memory—Free memory size of the asset. CPU Information Information for different CPUs is separated by a comma. • ◦ CPU No—Local serial number of the CPU assigned by Windows. ◦ CPU Model SN—Serial number of the CPU model. ◦ CPU Name—Name of the CPU. ◦ CPU Classification—Classification of the CPU: Family, Model, or Stepping. ◦ Current Frequency—Current working frequency of the CPU, in MHz. ◦ Clock Frequency—Clock frequency of the CPU, in MHz. NIC Information Information for different NICs is separated by a comma. • ◦ Caption—Caption of the NIC. ◦ Device Instance Path—Device instance path of the NIC. ◦ MAC Address—MAC address of the NIC. Hard Disk Information Information for different hard disks is separated by a comma. ◦ Hard Disk Number—Hard disk number of the asset. ◦ Interface Type—Interface type of the hard disk. ◦ SN—Serial number of the hard disk. ◦ Model—Model of the hard disk. Managing assets 161 • ◦ Total Partitions—Total number of logical partitions on the hard disk. ◦ Hard Disk Size—Hard disk capacity, in GB. DVD/CD-ROM ◦ Caption—Caption of the DVD/CD-ROM. ◦ Type—Type of the DVD/CD-ROM. ◦ Device Instance Path—Device instance path of the DVD/CD-ROM. Screen saver information section • Screen Saver—Indicates whether the screen saver is enabled for the asset. • Display Logon Screen on Resume—Indicates whether password protection is enabled for the screen saver. • Idle Timeout—Maximum idle time, in seconds, before the asset enters the screen-saver state. IP address list section • Enable DHCP—Indicates whether the NIC can obtain an IP address from a DHCP server. • IP Address—IP address of the NIC. • MAC Address—MAC address of the NIC. • Gateway IP Address—Gateway IP address of the NIC. • Subnet Address—Subnet address of the NIC. Partition list section • Partition Number—Number of the partition. • Hard Disk Number—Number of the hard disk on the partition. The combination of a partition number and a hard disk number uniquely identifies a partition on an asset. • Partition Type—Type of the partition. • Boot Partition—Indicates whether the partition is the boot partition. • Size—Size of the partition, in GB. Logical disk list section • Name—Name of the logical disk. • Description—Volume label of the logical disk and DVD/CD-ROM. When the logical disk has no volume label, this field displays Local Disk. • File System—File system of the logical disk. • SN—Serial number assigned to the logical disk by the operating system. • Total Size—Total size of the logical disk, in GB. The total size of a logical disk is the sum of the free space and the used space. Software list section 162 • Software Name—Name of the software. • Software Version—Version of the software. • Installed on—Date on which the software was installed on the asset. Configuring DAM Patch list section • Software Name—Name of the software for which the patch is installed. A single software product might have multiple patches installed. • Software Version—Version of the software for which the patch is installed. • Patch Name—Name of the patch. • Installed on—Date on which the patch was installed. • Patch Type—Type of the patch. • Description—Description of the patch. Process list section • Process Name—Name of the process. • Created at—Time when the process was executed on the asset. Service list section • Service Name—Name of the service. • Service Display Name—Description of the service. • Startup Type—Startup type for the service: Auto, Manual, or Disabled. • Service Status—Status of the service: Running, Stopped, Paused, Starting, Stopping, Waiting, Pausing, or Unknown. Share list section • Share Number—Share number assigned by the DAM server. • Share Name—Name of the shared directory. • Local Path—Path of the shared directory. • Share Type—Type of the shared directory: ◦ Common Share—A share type securing the shared file by specifying the permitted users or user groups and setting the permission level. When using this share type, the user should delete Everyone from the Group or user names list to prevent unauthorized users from accessing the shared file. ◦ Default Share—The default share type provided by Windows. This share type is vulnerable to attacks. ◦ Others—IPC$ share used in Windows. • Object Domain—Domain name of the user or user group of the share. This parameter is available only when the share type is Common Share. An empty field indicates that the share user or user group does not belong to any domain. • Object Name—Name of the user or user group of the share. This parameter is available only when the share type is Common Share. Managing assets 163 • Object Type—Type of the user or user group of the share. An empty field indicates that the share user or user group does not belong to any object type. ◦ System Group—Object permitted or denied access to the share is a system-defined operating system user group. ◦ Custom Group—Object permitted or denied access to the share is a user-defined operating system user group. ◦ User—Object permitted or denied access to the share is a user. • Right of Object—Permission that the user or user group has to the share. This field is available only when the share type is Common Share. The permission can be Read Only, Read Write, or All. • Control Type—Control type of the object: Permit or Deny. This parameter is available only when the share type is Common Share. Port list section This section displays all processes associated with the active ports on the asset, including the processes that use a local port as a listening port, and the processes that use a local port to connect to a remote host. • Process Name—Name of the process that listens for a local port or has connected to a remote host using a local port. • Process ID—ID of the process, which is assigned by the operating system of the asset. • Local IP—IP address of the asset. • Local port—Listening port of the asset used by the process. • Remote IP—IP address of the host to which the asset has connected. • Remote Port—Port used by the remote host to connect to the asset. • Status—Connection status of the process. • Protocol—Protocol type used by the process: TCP or UDP. • Process Path—Local path of the process on the asset. Viewing the asset list To view the asset list: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. To view the asset list of a specific asset group, click the asset group name under Desktop Asset Manager > All Assets in the navigation tree. Viewing asset details DAM uses the iNode client to collect and report information about registered assets to the EAD server. Asset information is displayed on the Asset Details page. The Action menu on this page allows operators to perform various operations for assets. Accessing the Asset Details page Method 1 1. Click the Service tab. 164 Configuring DAM 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Click the asset number for the asset to view its detailed information. The Asset Details page appears. Method 2 1. 2. Click the Service tab. Click an asset group name located under the All Assets branch in the navigation tree. The Asset List displays only the assets that belong to the asset group. 3. Click the asset number for the asset to view its detailed information. The Asset Details page appears. Viewing hardware details To display the Hardware Details page, click the Details link in the Hardware Information section. Performing actions The Action menu on the upper right corner on the Asset Details page enables you to apply management and configuration options to the selected asset. Use the menu options to refresh the current Asset Details page, scan and modify the selected asset, and delete the asset from DAM. You can also view the software deployment history, USB monitor and printer monitor information, and change history of asset software and hardware. Regroup Use the Regroup option to move a selected asset from its current group to another group. 1. Click Regroup in the Action menu. The Regroup Assets page appears. 2. Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 3. Select a group and click OK. The Group Name field is populated with the selected asset group. 4. Click OK. For more information, see “Regrouping an asset” (page 175). Modify Use the Modify option to modify the owner, group control scheme, asset control scheme, location, asset type, vendor, model, and remarks for the selected asset. 1. Click Modify in the Action menu. The Modify Asset page appears. 2. Modify the following parameters for the asset: • Owner—Click Select next to the Owner field. The Select User dialog box appears. Select a new owner for the asset and click OK. • Group Control Scheme—You cannot modify the control scheme assigned to the asset group where the asset resides. • Asset Control Scheme—Select a control scheme for the asset. • Location—Enter the location of the asset. Managing assets 165 3. • Asset Type—Select an asset type. • Vendor—Enter the asset vendor. • Model—Enter the asset model. • Remarks—Enter remarks for the asset. Click OK. The top of the Asset Details page is updated to reflect the modifications. Delete Use the Delete option to delete an asset from DAM. This option is not available for online assets. 1. Click Delete in the Action menu. 2. Click OK in the dialog box that appears. Scan Use the Scan option to have the iNode client report the latest asset information to DAM. 1. Click Scan in the Action menu. The top of the Asset Details page is updated to show initiation of the scan process. 2. Use the Refresh option on the right navigation tree to view any updates to asset details. Viewing an asset's software deployment history Use the SW Deployment option to view the software deployment history for an asset. 1. Click SW Deployment in the Action menu. The Software Deploy Task List displays all software deploy tasks that include the asset in their deployment targets. 2. To go back to the Asset Details page, click Back. Software Deploy Task List • Task Name—Name of the software deploy task. • Execution time—Time when the software deploy task was executed. • Software Name—Name of the software deployed in the task. • Status—Status of the software deploy task: Not Executed, Deployment Succeeded, Deployment Failed, Download Succeeded, or Download Failed. USB Monitor Use the USB Monitor option to view the USB monitoring information for the asset. 1. Click USB Monitor in the Action menu. The USB Monitor List displays the USB monitoring information. 2. To go back to the Asset Details page, click Back. USB Monitor List • Asset Number—Number of the asset on which a USB storage device is used. • Asset Name—Name of the asset on which a USB storage device is used. • Owner—Owner of the asset on which a USB storage device is used. • Logic Drive—Drive letter of the USB storage device displayed on the asset. • USB Plugged (Server)—Time recorded by the DAM server when the USB storage device was plugged into the asset. 166 Configuring DAM • USB Unplugged (Server)—Time recorded by the DAM server when the USB storage device was unplugged from the asset. • Details—Click the Details icon to view detailed USB storage device usage information. Printer Monitor Use the Printer Monitor option to view the printer usage information for an asset. 1. Click Printer Monitor in the Action menu. The Printer Monitor List displays the printer usage information. 2. To go back to the Asset Details page, click Back. Printer Monitor List • Asset Number—Number of the asset that submitted a printer task. • Asset Name—Name of the asset that submitted a printer task. • Owner—Owner of the asset that submitted a printer task. • Printer Name—Name of the printer used by the asset. • File Name—Name of the printed file. • Printed Pages—Number of printed pages. • Report Time—Time recorded by the DAM server when the asset used the printer. • Share Printer—Indicates whether the printer is a shared printer. Check Asset Files Use the Check Asset Files option to search files on the asset for auditing. 1. Click Check Asset Files in the Action menu. The Audit page appears. 2. Configure the following parameters: • Check Files in—Enter the absolute path of the file you want to audit, ending with a backward slash (\). • File Name Includes—Enter a partial or complete file name. • 3. ◦ The file name can contain the wildcard characters asterisk (*) and question mark (?). An asterisk matches zero or more characters. ◦ A question mark matches any character except the dot (.), and matches zero characters or one character when it is placed in front of the dot, or one character when it is placed after the dot. ◦ The file name cannot contain four or more consecutive question marks or any of the following characters: angle brackets (< >), quotation mark ("), forward slash (/), backward slash (\), and vertical bar (|). ◦ Do not use file names that comprise only the wildcard characters and dot, such as ?*.*?. Description—Enter a description of the audit. Click Start. The Asset File Check List displays all asset file check tasks that have been executed. • To export the audit result, click the Export icon • To view detailed audit information, click the Details icon for the asset file check task. for the asset file check task. Managing assets 167 For more information, see “Terminal file audit” (page 216). Change History Use the Change History option to view the change history of software and hardware on the asset. 1. Click Change History in the Action menu. The Asset Change History displays the change history of the asset. 2. To go back to the Asset Details page, click Back. Asset Change History contents • Change Type—Type of the change. • Change Item—Name of the changed item. Click the content of this field to display the Asset Software Change Details page or Asset Hardware Change Details page. • Changed on—Time when the change occurred. Refresh Use the Refresh option to reload the current Asset Details page, and capture any updates to the asset details. Querying assets DAM allows operators to query assets through a basic query or an advanced query. A basic query has several key criteria for a quick search. An advanced query has query criteria for a precise match. Performing a basic query To perform a basic query for assets: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field. • Group Name—Click the Select Asset Group icon Select Asset Group window. , select a group and click OK in the The Group Name field is automatically populated with the selected asset group. When a field is empty, it does not serve as a query criterion. 5. Click Query. The Asset List displays all assets that match the query criteria. 6. To clear the query criteria, click Reset. The Asset List displays all assets. 168 Configuring DAM Performing an advanced query To perform an advanced query for assets: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets. 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Status—Select the asset status: • ◦ Online—Asset is managed and online. ◦ Offline—Asset is managed and offline. ◦ Unmanaged—Asset is not managed by DAM. Group Name—Click the Select Asset Group icon . The Select Asset Group window appears. Select a group and click OK. The Group Name field is automatically populated with the selected asset group. 5. • Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field. • User—Enter a user name. All assets that the user has recently used or is currently using are queried. DAM supports fuzzy matching for this field. • Inserted at from/to—Specify the range of time when the asset was manually added to DAM or automatically numbered by DAM. You can click the Select Date and Time icon to select the time, or enter a date in YYYY-MM-DD format. • Last Logoff from/to—Specify the range of time when the asset last went offline. You can click the Select Date and Time icon to select the time, or enter a date in YYYY-MM-DD format. • Asset Type—Select an asset type to be queried. Options are PC, Laptop, Server, Workstation, and Others. • Vendor—Enter the vendor of the asset. DAM supports fuzzy matching for this field. • Model—Enter the model of the asset. DAM supports fuzzy matching for this field. • ACK Status—Select the acknowledgment status of the asset. Use this criterion in automatic numbering mode. In manual numbering mode, the ACK Status is Yes for all assets. Specify operating system criteria for query. Select the By Operating System box, and then enter or select one or more of the following query criteria: • Operating System—Enter the operating system version, for example, Windows Vista or Windows 7. DAM supports fuzzy matching for this field. • Operating System Language—Select an operating system language: Chinese (PRC) or English. DAM supports fuzzy matching for this field. Managing assets 169 6. • Operating System Patch—Enter the operating system patch, for example, Service Pack 1, Service Pack 2, or R2. • Multiple Operating Systems—Select this option to allow multiple operating systems to be installed on the asset to be queried. Specify main-board criteria for query. Select the By Mainboard box, and then enter the following query criterion: • 7. 8. 9. Model—Enter the model of the main board. DAM supports fuzzy matching for this field. Specify software criteria for query. Select the By Software box, and then enter or select one or more of the following query criteria: • Software Name—Enter the software name. DAM supports fuzzy matching for this field. • Software Version—Enter the software version. DAM supports fuzzy matching for this field. • Installation Status—Specify whether the software is installed on the asset: Installed or Uninstalled. Specify patch criteria for query. Select the By Patch box, and then enter or select one or more of the following query criteria: • Patch Name—Enter the patch name, for example, KB911565. DAM supports fuzzy matching for this field. • Installation Status—Specify whether the patch is installed on the asset: Installed or Not installed. Specify screen-saver criteria for query. Select the By Screen Saver box, and then select one or more of the following query criteria: • Screen Saver—Specify whether the screen saver is enabled: Yes or No. • Display Logon Screen on Resume—Specify whether the password is specified for the screen saver: Yes or No. 10. Specify memory criteria for query. Select the By Memory box, and then enter the following query criterion: • Total Memory from/to—Specify a range of the total memory for the asset, in MB. 11. Specify CPU criteria for query. Select the By Processor box, and then enter one or both of the following query criteria: • Number of Processors from/to—Specify the range of the total number of CPUs for the asset. • Processing Frequency from/to—Specify a range of CPU frequency for the asset. 12. Specify NIC criteria for query. Select the By NIC box, and then enter one or both of the following query criteria: • Number of NICs from/to—Specify a range of the total number of NICs installed on the asset. • MAC Address—Enter the MAC address of a NIC installed on the asset. DAM support fuzzy matching for this field. 13. Specify hard disk drive criteria for query. Select the By Hard Disk Drive box, and then enter or select one or more of the following query criteria: 170 • Number of Hard Disk Drives from/to—Specify a range of the total number of hard disk drives installed on the asset. • Total Disk Capacity from/to—Specify a range of total disk capacity, in GB. Configuring DAM 14. Specify IP address criteria for query. Select the By IP Address box, and then enter the following query criterion: • IP Address from/to—Specify a range of IP addresses. All assets with IP addresses last reported by the iNode client in the range are queried. 15. Specify process criteria for query. DAM queries assets by the process information last reported by the iNode client. Select the By Process box, and then enter or select one or more of the following query criteria: • Process Name—Enter the name of the process. DAM supports fuzzy matching for this field. • Process Status—Select the status of the process: Running or Stopped. 16. Specify service criteria for query. DAM queries assets by the service information last reported by the iNode client. Select the By Service box, and then enter or select one or more of the following query criteria: • Service Name—Enter the service name. DAM supports fuzzy matching for this field. A service has both a service name and a service display name. Operators can view the service name in the Service Control Manager of the operating system. • Service Display Name—Enter the service display name. DAM supports fuzzy matching for this field. A service has both a service name and a service display name. Operators can view the service display name in the Service Control Manager of the operating system. • Installation Status—Select the installation status of the service: Installed or Uninstalled. • Service Status—Select the running status of the service: Running or Other. The following states are categorized as Other: Stopped, Paused, Starting, Stopping, Waiting, Pausing, and Unknown. 17. Click Query. The Asset List displays all assets that match the query criteria. 18. To clear the query criteria, click Reset. The Asset List displays all assets. To query assets in a specific asset group, click the asset group name located under Desktop Asset Manager > All Assets in the navigation tree, and then specify the query criteria. Adding an asset In manual numbering mode, operators must manually add asset information, such as asset numbers (required), owners, asset groups, and desktop control schemes in DAM. When an access user logs in, the iNode client prompts the user to enter the asset number to complete registration. In automatic numbering mode, assets are displayed automatically in DAM. When an access user logs in, DAM automatically numbers the asset of the user, and prompts the user to enter the asset information—asset model, position, vendor, type, and description—to complete registration. To manually add an asset: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Click Add. The Add Asset page appears. 4. 5. Asset Number—Enter the asset number. Owner—Select an owner for the asset. Managing assets 171 a. Click Select next to the Owner field. The Select User window appears. b. Filter users using basic query or advanced query. The Query Asset feature is displayed above the Asset List. The Advanced Query link is a toggle switch between Basic Query and Advanced Query. When the link is Advanced Query, you are in basic query mode, and vice versa. c. Enter or select one or more of the following query criteria: • User Name—Enter the user name. DAM supports fuzzy matching for this field. • Identity Number—Enter the user identity number. DAM supports fuzzy matching for this field. • Contact Address—Enter the contact address of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • Telephone—Enter the telephone number of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • Email—Enter the email address of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • User Group—Click the Select User Group icon appears. Select a group and click OK. • Open Account—Select this option to create a self-service account for the user. A self-service account on the IMC platform allows a user to access the SOM console. • Account Name—Enter the user account name. DAM supports fuzzy matching for this field. . The Select User Group window When a field is empty, it does not serve as a query criterion. d. Click Query. The User List displays all users matching the query criteria. e. f. 6. 7. 172 Select a user from the list. Click OK. Configure the following parameters: • . The Select Asset Group window Group Name—Click the Select Asset Group icon appears. Select a group and click OK. When the Use User Groups option is selected, the system automatically populates this field with the user group to which the asset owner belongs. • Group Control Scheme—Automatically populated with the same desktop control scheme that is assigned to the asset group. • Asset Control Scheme—Select a desktop control scheme for the asset, or select Disable Control Scheme when you do not want to apply any control scheme to the asset. The desktop control scheme configuration can be on a group basis or an asset basis. The group basis configuration applies to all assets in the same group, but can be overridden by the asset basis configuration. • Location—Enter the location of the asset. • Asset Name—Enter the asset name. • Asset Type—Select an asset type from the list: PC, Laptop, Server, Workstation, or Others. • Model—Enter the asset model. • Remarks—Enter remarks for the asset. Click OK. Configuring DAM Batch importing assets Operators can batch import assets from a file that contains asset information. Asset information can be separated by a space, tab, comma (,), colon (:), pound sign (#), or dollar sign ($). The file can use only one type of separator. To batch import assets: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Click Batch Import. The Batch Import Assets page appears. 4. 5. Configure the following parameters: • Import File—Click Browse next to the Import File field. The Choose File window appears. Browse to the target file that contains the asset information. The file must be a text file with columns separated by delimiters. The system automatically populates the field with the file path and name. • Column Separator—Select the column separator to use as the delimiter in the file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). Click Next. The Basic Information page appears. 6. 7. Configure the basic information for the import task: • Asset Number—Select the column in the file that contains the asset number. • . The Select Asset Group window Asset Group—Click the Select Asset Group icon appears. Select a group and click OK. The group name is automatically populated in the Asset Group field. • Owner—Select the column in the file that contains the asset owner, or select Not Import from File. • Owner ID Number—Select the column in the file that contains the owner ID, or select Not Import from File. This field is not available when the Owner field is set to Not Import from File. The Owner ID Number uniquely identifies a user as the asset owner in case of duplicated user names. • Asset Name—Select the column in the file that contains the asset name, or select Not Import from File. To configure the same asset name for all assets, select Not Import from File and enter the settings manually. • Location—Select the column in the file that contains the asset location, or select Not Import from File to set the same location for all imported assets manually. • Asset Type—Select the column in the file that contains the asset type, or select Not Import from File and then select an asset type for all imported assets. Options are PC, Laptop, Workstation, Server, and Others (any other asset type). • Vendor—Select the column in the file that contains the asset vendor, or select Not Import from File to set the same vendor for all imported assets manually. • Model—Select the column in the file that contains the asset model, or select Not Import from File to set the same asset model for all imported assets manually. • Remarks—Select the column in the file that contains remarks for the asset, or select Not Import from File to enter the remarks manually. To view the first 10 assets imported according to your settings, click Preview. Managing assets 173 8. To import all assets in the file to DAM, click OK. The Import Asset Result page appears. 9. Click Download to download the result. 10. To go back to the Asset List, click Back. Modifying an asset To modify an asset: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Click the Modify icon for the asset you want to modify. The Modify Asset page appears. 4. Owner—Select an owner for the asset. a. Click Select next to the Owner field. The Select User window appears. b. Filter users through basic query or advanced query. The Query Asset feature is displayed above the Asset List. The Advanced Query link is a toggle switch between Basic Query and Advanced Query. When the link is Advanced Query, you are in basic query mode, and vice versa. c. Enter or select one or more of the following query criteria: • User Name—Enter the user name. DAM supports fuzzy matching for this field. • Identity Number—Enter the user identity number. DAM supports fuzzy matching for this field. • Contact Address—Enter the contact address of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • Telephone—Enter the telephone number of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • Email—Enter the email address of the user. DAM supports fuzzy matching for this field. This field is available for advanced queries only. • User Group—Click the Select User Group icon appears. Select a group and click OK. • Open Account—Select this option to create a self-service account for the user. A self-service account on the IMC platform allows a user to access the SOM console. • Account Name—Enter the user account name. DAM supports fuzzy matching for this field. . The Select User Group window When a field is empty, it does not serve as a query criterion. d. Click Query. The User List displays all users matching the query criteria. e. f. 5. Configure the following parameters: • 174 Select a user from the list. Click OK. Group Name—Click the Select Asset Group icon . The Select Asset Group window appears. Select a group and click OK. When the Use User Groups option is selected, the Configuring DAM system automatically populates this field with the user group to which the asset owner belongs. 6. • Group Control Scheme—Automatically populated with the same desktop control scheme as that assigned to the asset group. • Asset Control Scheme—Select a desktop control scheme for the asset, or select Disable Control Scheme when you do not want to apply any control scheme to the asset. The desktop control scheme configuration can be on a group basis or an asset basis. The group basis configuration applies to all assets in the same group, but can be overridden by the asset basis configuration. • Location—Enter the location of the asset. • Asset Name—Enter the asset name. • Asset Type—Select an asset type from the list. Options are PC, Laptop, Server, Workstation, and Others. • Model—Enter the asset model. • Remarks—Enter remarks for the asset. Click OK. Deleting an asset After deleting an asset, the asset number and all other asset information is removed permanently from the DAM database. To resubmit this asset to DAM management, you must re-register the asset. To delete an asset: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. 4. Select the box next to the Status field for the asset you want to delete. Click Delete. Regrouping an asset Operators can manually move assets between asset groups. However, if the Use User Groups option is selected, DAM automatically assigns each asset to the user group to which its owner belongs, and prohibits operators from manually moving assets between asset groups To regroup an asset: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. 4. Select the box next to the Status field for the asset you want to regroup. Click Regroup. The Regroup Assets page appears. 5. In the Target Group area, click the Select Asset Group icon . The Select Asset Group window appears. 6. Select an asset group and click OK. The Select Asset Group window closes. 7. On the Regroup Assets page, click OK. Managing assets 175 Exporting asset information The asset export function allows operators to use the query function to produce a list of assets to be exported, and then export those assets to an export file. Operators can either export basic information or all information for the asset. The basic information includes the contents of the System Information section on the Asset Details page; it can be exported to a text file. All information is exported to a zip file that contains multiple HTML files, including the Asset List page and Asset Details page. The Asset List page provides export information, export criteria, and hyperlinks to the assets. The Asset Details page contains detailed information about the assets. For more information, see “Viewing asset details” (page 164). Asset export function asset list • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. • Asset Group—Group to which the asset belongs. • Inserted at—Time when the asset was manually added to DAM or automatically numbered by DAM. • Group Name—Click the Select Asset Group icon . The Select Asset Group window appears. Select a group and click OK. The selected asset group is automatically populated in the Group Name field. Exporting asset information To export asset information: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in DAM. 3. Filter the assets using basic query or advanced query in the Query Asset area. For more information, see “Querying assets” (page 168). 4. Click Export. The Export Contents page appears. All listed assets that match the query criteria are exported. 5. Configure the following parameters: • Export Contents—Select the content to be exported: Basic Information or All Information. When you select All Information, the File Type and File Column Separator fields do not appear. When you select Basic Information, you can export asset information only to a text file, and you must select a column separator. 6. • File Type—When Export Contents is set to Basic Information, this field appears and displays TXT, which cannot be modified. • File Column Separator—Select the column separator to use as the delimiter in the file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). This field does not appear when Export Contents is set to All Information. Click OK. The Asset Export Results page appears. 7. 8. 176 Click Download to download the result. To go back to the Asset List, click Back. Configuring DAM NOTE: To ensure fast and stable user authentication, do not perform any batch operations if there are several user authentication processes running. Managing the asset export history DAM records the export history of asset information in the Asset Export History List. Operators can view, download, and delete the asset export history. Asset export history list contents • Export File Name—Name of the export file. • Export File Path—Path of the export file. • Operator—Operator who exported the asset information. • Exported at—Time when the asset information was exported. • Download File—Click the Download link to download the export file. • Delete—Click the Delete icon to delete the asset export file. Viewing the asset export history To view the asset export history: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The Asset List displays all assets in the DAM database. 3. Click Export History on the upper right corner of the Assets List. The Asset Export History Listdisplays the export history of asset information. 4. To go back to the Asset List, click Back. Downloading the asset export history record To download the asset export history record: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The All Assets page appears. 3. Click Export History in the Asset List area. The Asset Export History List displays all asset export history records. 4. 5. Click the Download link for the export history record you want to download. Open or save the export history record. Deleting the asset export history record To delete the asset export history record: 1. Click the Service tab. 2. Select Desktop Asset Manager > All Assets from the navigation tree. The All Assets page appears. 3. Click Export History in the Asset List area. The Asset Export History List displays all asset export history records. 4. Click the Delete icon for the export history record you want to delete. A confirmation dialog box appears. Managing the asset export history 177 5. Click OK. Collecting asset statistics DAM allows operators to collect statistics for registered assets by asset type, CPU frequency, hard disk size and type, operating system version and language, and software installed. The data collection target can be all assets or a specific asset group and its subgroups. Operators can collect statistics only for groups and subgroups for which they have privileges. Collecting statistics by asset type Operators can collect statistics for all assets or a specific asset group by asset type, which can be PC, Laptop, Server, Workstation, or Others. To collect statistics by asset type: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Statistics from the navigation tree. The Asset Statistics page appears. 3. Click the Type icon in the Asset Statistics section. The Statistics of Types page appears. By default, the report displays statistics for all asset groups to which the operator has privileges. 4. Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 5. Select a group and click OK. The Group Name field is populated with the selected asset group. 6. 7. Select a report type from the list: Pie Chart or List. Click Query. The query results appear under the Asset Query section. 8. Click Reset to restore the default. The report displays statistics for all asset groups to which the operator has privileges. Asset type statistics reports The asset type statistics reports can be displayed in a pie chart or a list. Asset type statistics report—Pie chart This report displays, in a pie chart, the number of assets of each asset type and their proportion. Figure 4 Asset type statistics report—Pie chart 178 Configuring DAM Asset type statistics report—List This report lists the number of assets of each asset type and their proportion. Figure 5 Asset type statistics report—List Collecting statistics by CPU Operators can collect statistics for all assets or a specific asset group by CPU frequency. To collect statistics by CPU frequency: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Statistics from the navigation tree. The Asset Statistics page appears. 3. Click the CPU icon in the Asset Statistics section. The Statistics of CPU page appears. By default, the report displays statistics for all asset groups to which the operator has privileges. 4. Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 5. 6. 7. Select a group and click OK. Select a report type from the list: Pie Chart or List. Click Query. The query results appear under the Asset Query section. 8. Click Reset to restore the default. The report displays statistics for all asset groups to which the operator has privileges. CPU frequency statistics reports The CPU frequency statistics reports can be displayed in a pie chart or a list. CPU frequency statistics report—Pie chart This report displays, in a pie chart, the number of CPUs in each frequency range and their proportion. Collecting asset statistics 179 Figure 6 CPU frequency statistics report—Pie chart CPU frequency statistics report—List This report lists the number of CPUs in each frequency range and their proportion. Figure 7 CPU frequency statistics report—List Collecting statistics by hard disk Operators can collect statistics for all assets or a specific asset group by hard disk capacity and type. To collect statistics by hard disk capacity and type: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Statistics from the navigation tree. The Asset Statistics page appears. 3. Click the Hard Disk icon in the Asset Statistics section. The Hard Disk Statistics page appears. The report displays statistics for assets in all asset groups to which the operator has privileges. 4. Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 5. Select a group and click OK. The Group Name field is populated with the selected asset group. 6. 7. Select a report type from the list: Pie Chart or List. Click Query to submit your filter criteria. The results of your filter or search query are displayed under the Asset Query section. 8. Click Reset to restore the default. The report displays statistics for all asset groups to which the operator has privileges. Hard disk capacity and type statistics reports The hard disk capacity and type statistics report can be displayed in a pie chart or a list. 180 Configuring DAM Hard disk capacity statistics report—Pie chart This report displays, in a pie chart, the number of hard disks in each capacity range and their proportion. Figure 8 Statistics report by hard disk capacity—Pie chart Hard disk capacity statistics report—List This report lists the number of hard disks in each capacity range and their proportion. Figure 9 Statistics report by hard disk capacity—List Hard disk type statistics report—Pie chart This report displays, in a pie chart, the number of hard disks of each type and their proportion. Figure 10 Statistics report by hard disk type—Pie chart Hard disk type statistics report—List This report lists the number of hard disks of each type and their proportion. Collecting asset statistics 181 Figure 11 Statistics report by hard disk type—List Collecting statistics by operating system Operators can collect statistics for all assets or a specific asset group by operating system version and language. To collect statistics by operating system version and language: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Statistics from the navigation tree. The Asset Statistics page appears. 3. Click the OS icon in the Asset Statistics section. The Statistics of OS page appears. The report displays statistics for assets in all asset groups to which the operator has privileges. 4. Group Name—Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 5. Select a group and click OK. The Group Name field is populated with the selected asset group. 6. 7. Select a report type from the list: Pie Chart or List. Click Query to submit your filter criteria. The results of your filter or search query are displayed under the Asset Query section. 8. Click Reset to restore the default. The report displays statistics for all asset groups to which the operator has privileges. Operating system version and language statistics reports Operating system version and language statistics reports can be displayed as a pie chart or in a list. Operating system version statistics report—Pie chart This report displays, in a pie chart, the number of operating systems of each version and their proportion. 182 Configuring DAM Figure 12 Statistics report by operating system version—Pie chart Operating system version statistics report—List This report lists the number of operating systems of each version and their proportion. Figure 13 Statistics report by operating system version—List Operating system language statistics report—Pie chart This report displays, in a pie chart, the number of operating systems using each language and their proportion. Figure 14 Statistics report by operating system language—Pie chart Operating system language statistics report—List This report lists the number of operating systems using each language and their proportion. Figure 15 Statistics report by operating system language—List Collecting asset statistics 183 Collecting statistics by software installed Operators can use the Asset Statistics function to collect statistics for all assets or a specific asset group by software installed. To collect statistics by software installed: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset Statistics from the navigation tree. The Asset Statistics page appears. 3. Click the Software icon in the Asset Statistics section. The Statistics of Software page appears. By default, the report displays statistics for all asset groups to which the operator has privileges. 4. Click the Select Asset Group icon next to the Group Name field. The Select Asset Group window appears. 5. Select a group and click OK. The Group Name field is populated with the selected asset group. 6. 7. Select List from the Report Type field. Click Query to submit your filter criteria. The results of your filter or search query are displayed under the Asset Query section. 8. Click Reset to restore the default. The report displays statistics for all asset groups to which the operator has privileges. Software installation statistics report The software installation statistics report is displayed in a list. Software installation statistics report This report lists statistics for software installed on all assets or assets in selected asset groups. Figure 16 Software installation statistics report Managing the export task Operators can schedule a task to export and save all USB monitoring records to a directory or FTP server as a CSV file or TXT file. Export task list contents • Task Name—Name of the export task: USB Monitor. • Export file path (iMC installation directory)—Export file path of the USB monitoring records in the IMC installation directory. 184 Configuring DAM • Status—Indicates whether the export task is enabled. By default, this field displays Disabled. • Config—Click the Config icon to configure the export task. Viewing the export task management list To view the export task management list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Export Task Management from the navigation tree. The Export Task List displays the USB monitor task. Configuring the export task To configure the export task: 1. Click the Service tab. 2. Select Desktop Asset Manager > Export Task Management from the navigation tree. The Export Task List displays all export tasks. 3. Click the Config icon for the USB monitor task you want to configure. The USB Monitor page appears. 4. Select Enable Automatic Export to enable automatic export of USB monitoring records. When you skip this step, the scheduled export task is not executed. Configure the following parameters for the export task: 5. 6. • Export Interval—Select the interval at which the task is executed: Daily or Monthly. • File Type—Select the type of the export file: TXT or CSV. When you select TXT, you must select a separator for the file. • Task Description—Enter a brief description of the task. • Prefix of Export File—Enter a prefix for the name of the export file. The export file name is composed of the prefix and the system time when the file was exported. For example, when you set the prefix to Backup, the export file name may be Backup20120316033010, where 20120316033010 indicates the time when the file was exported, to the second. • Separator—Specify the delimiter to use for the data fields in the exported file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). This field appears only when the File Type is set to TXT. Select Export to FTP Server field when you want to export the USB monitoring records to an FTP server. Configure the following parameters for the FTP server: • FTP Username—Enter the user name used to log in to the FTP server. • FTP Password—Enter the password used to log in to the FTP server. • FTP Server IP—Enter the IP address of the FTP server. Click OK. Managing the export task 185 9 Configuring desktop control schemes and policies A desktop control scheme contains a set of policies distributed by the DAM server to each iNode client for controlling desktop assets. The policies are classified as follows: • Peripheral management policies—Disables peripheral devices and monitors the use of USB storage devices and printers. The iNode client immediately reports an event to the DAM server for auditing when a peripheral device is enabled, a USB storage device is used, or a print task is submitted. Operators can view, add, modify, and delete peripheral management policies. For more information, see “Configuring peripheral management policies” (page 188). • Energy-saving policies—Implements scheduled shutdown of assets. According to the energy-saving policy, the iNode client displays a message 10 minutes before the scheduled shutdown time, requesting that the user shut down the computer, and forcibly shuts down the computer when the user does not respond. Operators can view, add, modify, and delete energy-saving policies. For more information, see “Configuring energy saving policies” (page 191). • Monitoring alarm policies—Allows the DAM server to encapsulate monitoring information in syslogs and send them to the specified syslog server. The monitoring information is reported by the iNode client and includes software and hardware changes of assets, unauthorized copying, and printing of sensitive files. Operators can view, add, modify, and delete monitoring alarm policies. For more information, see “Configuring monitoring alarm policies” (page 193). Configuring desktop control schemes You can view, add, modify, and delete desktop control schemes. The desktop control scheme configuration can be on a group basis or asset basis. The group basis configuration applies to all assets in the same group, but can be overridden by the asset basis configuration. Desktop control scheme list contents • Name—Name of the desktop control scheme. Click the name to view its details. • Peripheral Management Policy—Name of the peripheral management policy assigned to the desktop control scheme. • Energy-Saving Policy—Name of the energy-saving policy assigned to the desktop control scheme. • Monitoring Alarm Policy—Name of the monitoring alarm policy assigned to the desktop control scheme. • Description—Description of the desktop control scheme. • Service Group—Service group to which the desktop control scheme belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the desktop control scheme settings. to delete the desktop control scheme. Desktop control scheme details Desktop control scheme details comprise the basic information section and the policy list section. Basic information section • Name—Name of the desktop control scheme. • Service Group—Service group to which the desktop control scheme belongs. • Description—Description of the desktop control scheme. 186 Configuring desktop control schemes and policies Policy list section • Policy Name—Name of the policy assigned to the desktop control scheme. Click the name to view its details. • Policy Type—Policy type: Peripheral Management Policy, Energy-Saving Policy, or Monitoring Alarm Policy. • Description—A description of the policy. • Service Group—Service group to which the policy belongs. Viewing the desktop control scheme list To view the desktop control scheme list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Control Scheme from the navigation tree. The Control Scheme List displays all desktop control schemes. 3. 4. Click Refresh to refresh the Control Scheme List. To sort the Control Scheme List, click the Name or Service Group column label. Viewing desktop control scheme details To view details of a desktop control scheme: 1. Click the Service tab. 2. Select Desktop Asset Manager > Control Scheme from the navigation tree. The Control Scheme List displays all desktop control schemes. 3. Click the name of the desktop control scheme for which you want to view the detailed information. The Control Scheme Details page appears. 4. To go back to the Control Scheme List, click Back. Adding a desktop control scheme Each desktop control scheme can contain one peripheral management policy, one energy-saving policy, and one monitoring alarm policy. You must create the policies before you add them to a desktop control scheme. For more information about the configuration procedure, see “Adding a peripheral management policy” (page 190), “Adding an energy saving policy” (page 192), and “Adding a monitoring alarm policy” (page 195). To add a desktop control scheme: 1. Click the Service tab. 2. Select Desktop Asset Manager > Control Scheme from the navigation tree. The Control Scheme List displays all desktop control schemes. 3. Click Add. The Add Control Scheme page appears. 4. 5. Configure the basic information for the desktop control scheme. Assign policies to the desktop control scheme in the Policy List section. Select the box for the policy you want to assign to the desktop control scheme. You can select one peripheral management policy, one energy-saving policy, and one monitoring alarm policy. 6. Click OK. After adding the desktop control scheme, you can assign it to a single asset or a group of assets. The group basis configuration applies to all assets in the same group, but can be overridden by Configuring desktop control schemes 187 the asset basis configuration. For more information, see “Modifying an asset group” (page 157) and “Modifying an asset” (page 174). Modifying a desktop control scheme To modify a desktop control scheme: 1. Click the Service tab. 2. Select Desktop Asset Manager > Control Scheme from the navigation tree. The Control Scheme List displays all desktop control schemes. 3. 4. 5. Click the Modify icon for the desktop control scheme you want to modify. Modify the description for the desktop control scheme. You cannot modify other basic information. Reassign policies to the desktop control scheme in the Policy List section. Select the box for the policy you want to assign to the desktop control scheme. To cancel a policy, clear its box. 6. Click OK. Deleting a desktop control scheme When you delete a desktop control scheme, the scheme is removed from all associated assets and asset groups. To assign new schemes, modify the assets and asset groups. To delete a desktop control scheme: 1. Click the Service tab. 2. Select Desktop Asset Manager > Control Scheme from the navigation tree. The Control Scheme List displays all desktop control schemes. 3. Click the Delete icon for the desktop control scheme you want to delete. A confirmation dialog box appears. 4. Click OK. Configuring peripheral management policies A peripheral management policy is used to disable peripheral devices and monitor the use of USB storage devices and printers. The iNode client immediately reports an event to the DAM server for auditing when a peripheral device is enabled, a USB storage device is used, or a print task is submitted. Operators can view, add, modify, and delete peripheral management policies. Peripheral management policy list contents • Policy Name—Name of the peripheral management policy. Click the name to view its details. • Description—Description of the peripheral management policy. • Illegal—Types of peripheral devices prohibited by the peripheral management policy. • Report—Indicates whether the iNode client reports to the DAM server that a prohibited peripheral device is enabled on the asset. If so, this field displays Report; if not, this field is empty. • Service Group—Service group to which the peripheral management policy belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon 188 Configuring desktop control schemes and policies to modify the policy settings. to delete the peripheral management policy. Peripheral management policy details Peripheral management policy details comprise a basic information section and a disable devices section. Basic information section • Policy Name—Name of the peripheral management policy. • Service Group—Service group to which the peripheral management policy belongs. • Report—Indicates whether the iNode client reports to the DAM server that a peripheral device selected in the Disable Devices section is enabled on the asset. Operators can audit the peripheral use violations on the DAM server. For more information, see “Unauthorized peripheral use record audit” (page 213). • Monitor USB Storage Devices—Indicates whether USB storage device monitoring is enabled. When enabled, the iNode client reports the plug/unplug and write events of USB storage devices to the DAM server for auditing. For more information, see “USB monitoring record audit” (page 205). • Printer Use Monitor—Indicates whether printer monitoring is enabled. When enabled, the iNode client monitors the printers in use, and reports the following information to the DAM server for auditing: printer name, printer type (shared or not shared), printed file names, printed file pages, and printed file size. For more information, see “Printer monitoring record audit” (page 209). • Description—Description of the peripheral management policy. Disable devices section Select the peripheral devices for the DAM server to disable: • USB Storage—USB storage devices • USB Nonstorage—USB nonstorage devices • USB Storage Device Whitelist—USB storage devices that are not disabled • DVD/CD-ROM—DVD/CD-ROM drives • Floppy—Floppy disk drives • PCMCIA—PCMCIA interfaces • COM—COM interfaces • LPT—LPTs • Infrared—Infrared devices • Bluetooth—Bluetooth peripheral devices • 1394—1394 interfaces • Modem—Modems Viewing the peripheral management policy list To view the peripheral management policy list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from the navigation tree. The Peripheral Management Policy List displays all peripheral management policies. 3. Click Refresh to refresh the Peripheral Management Policy List. Configuring peripheral management policies 189 4. To sort the Peripheral Management Policy List, click the Policy Name or Service Group column label. Viewing peripheral management policy details To view details of a peripheral management policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from the navigation tree. The Peripheral Management Policy List displays all peripheral management policies. 3. Click the name of the peripheral management policy you want to view. The Peripheral Management Policy Details page appears. 4. To go back to the Peripheral Management Policy List, click Back. Adding a peripheral management policy To add a peripheral management policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from the navigation tree. The Peripheral Management Policy List displays all peripheral management policies. 3. Click Add. The Add Peripheral Management Policy page appears. 4. Configure the basic information for the peripheral management policy. • Policy Name—Enter a unique name for the peripheral management policy. • Service Group—Select the service group to which the peripheral management policy belongs. • Report—Select the box next to the Report field to report peripheral use violations for auditing. • Monitor USB Storage Devices—Select the box next to the Monitor USB Storage Devices field to monitor use of USB storage devices for auditing. • Printer Use Monitor—Select the box next to the Printer Use Monitor field to monitor use of printers for auditing. • Description—Enter a description for the peripheral management policy to facilitate maintenance. NOTE: When you select the Monitor USB Storage Devices option, the USB Storage option in the Disable Devices section turns gray. You cannot disable the USB storage devices for the asset. 5. 6. 7. In the Disable Devices section, reselect the peripheral device types to disable for the asset: USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM, LPT, Infrared, Bluetooth, 1394, and Modem. If the USB storage device is disabled, you can enter the device ID in the USB Storage Device Whitelist field. Only one device ID is allowed per line. A device ID comprises a vendor ID (VID) and a product ID (PID), separated by a slash (/), which uniquely identifies a USB storage device. Click OK. The new peripheral management policy appears in the Peripheral Management Policy List and in the Policy List on the Add Control Scheme page. 190 Configuring desktop control schemes and policies Modifying a peripheral management policy To modify a peripheral management policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from the navigation tree. The Peripheral Management Policy List displays all peripheral management policies. 3. 4. 5. 6. 7. Click the Modify icon for the peripheral management policy you want to modify. Modify the basic information for the peripheral management policy. You cannot modify Policy Name or Service Group. • Report—Select the box next to the Report field to report peripheral use violations for auditing, or clear the box to disable the function. • Monitor USB Storage Devices—Select the box next to the Monitor USB Storage Devices field to monitor use of USB storage devices for auditing, or clear the box to disable the function. • Printer Use Monitor—Select the box next to the Printer Use Monitor field to monitor use of printers for auditing, or clear the box to disable the function. • Description—Enter a new description for the peripheral management policy. In the Disable Devices section, reselect the peripheral device types to disable for the asset: USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM, LPT, Infrared, Bluetooth, 1394, and Modem. If the USB storage device is disabled, you can enter the device ID in the USB Storage Device Whitelist field. Only one device ID is allowed per line. A device ID comprises a vendor ID (VID) and a product ID (PID), separated by a slash (/), which uniquely identifies a USB storage device. Click OK. Deleting a peripheral management policy You cannot delete a peripheral management policy that is assigned to a desktop control scheme. You must remove the association between the policy and the desktop control scheme by reassigning policies for the scheme. For more information about the configuration procedure, see “Modifying a desktop control scheme” (page 188). To delete a peripheral management policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Peripheral Management Policy from the navigation tree. The Peripheral Management Policy List displays all peripheral management policies. 3. Click the Delete icon for the peripheral management policy you want to delete. A confirmation dialog box appears. 4. Click OK. Configuring energy saving policies Use an energy-saving policy to implement a scheduled shutdown of assets. According to the energy-saving policy, the iNode client displays a message 10 minutes before the scheduled shutdown time, requesting that the user shut down the computer, and forcibly shuts down the computer when the user does not respond. Operators can view, add, modify, and delete energy-saving policies. Configuring energy saving policies 191 Energy saving policy list contents • Policy Name—Name of the energy-saving policy. • Auto Shutdown at—Automatic shutdown time configured for the asset. • Description—Description of the energy-saving policy. • Service Group—Service group to which the energy-saving policy belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the policy settings. to delete the energy-saving policy. Viewing the energy saving policy list To view the energy-saving policy list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the navigation tree. The Energy-Saving Policy List displays all energy-saving policies. 3. 4. Click Refresh to refresh the Energy-Saving Policy List. To sort the Energy-Saving Policy List, click the Policy Name or Service Group column label. Adding an energy saving policy To add an energy-saving policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the navigation tree. The Energy-Saving Policy List displays all energy-saving policies. 3. Click Add. The Add Energy-Saving Policy page appears. 4. 5. Configure the following parameters for the energy-saving policy: • Policy Name—Enter a unique name for the energy-saving policy. • Service Group—Select the service group to which the energy-saving policy belongs. • Auto Shutdown at—Enter the automatic shutdown time in the format hh:mm, where hh represents the two-digit hour in 24-hour format, and mm represents the two-digit minute. • Description—Enter a description for the energy-saving policy to facilitate maintenance. Click OK. The new energy-saving policy appears in the Energy-Saving Policy List and in the Policy List on the Add Control Scheme page. Modifying an energy saving policy To modify an energy-saving policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the navigation tree. The Energy-Saving Policy List displays all energy-saving policies. 3. Click the Modify icon for the energy-saving policy you want to modify. The Modify Energy-Saving Policy page appears. 192 Configuring desktop control schemes and policies 4. 5. Modify the following parameters for the energy-saving policy. You cannot modify the policy name or service group. • Auto Shutdown at—Enter a new automatic shutdown time in the format hh:mm, where hh represents the two-digit hour in 24-hour format, and mm represents the two-digit minute. • Description—Enter a new description for the energy-saving policy. Click OK. Deleting an energy saving policy You cannot delete an energy-saving policy while it is still assigned to a desktop control scheme. First you must remove the association between the policy and the desktop control scheme, by reassigning policies for the scheme. For more information about the configuration procedure, see “Modifying a desktop control scheme” (page 188). To delete an energy-saving policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Energy-Saving Policy from the navigation tree. The Energy-Saving Policy List displays all energy-saving policies. 3. Click the Delete icon for the energy-saving policy you want to delete. A confirmation dialog box appears. 4. Click OK. Configuring monitoring alarm policies Monitoring alarm policies enable the DAM server to encapsulate monitoring information in syslogs and send them to the specified syslog server. The monitoring information is reported by the iNode client, and includes software and hardware changes of assets, unauthorized copying, and printing of sensitive files. Operators can view, add, modify, and delete monitoring alarm policies. Before you configure monitoring alarm policies, select Enable for Send Syslogs on the Service Parameters page. Otherwise, the DAM server cannot send syslogs to the specified syslog server. For more information about the configuration procedure, see “DAM service parameters” (page 312). The IMC platform can serve as the syslog server to receive syslogs from the DAM server. For more information about syslog management, see HP IMC Base Platform Administrator Guide. Monitoring alarm policy list contents • Policy Name—Name of the monitoring alarm policy. Click the name to view its details. • Description—Description of the monitoring alarm policy. • Service Group—Service group to which the monitoring alarm policy belongs. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the policy settings. to delete the monitoring alarm policy. Monitoring alarm policy details Monitoring alarm policy details comprise the following sections: • Basic information • USB monitoring • Printer monitoring Configuring monitoring alarm policies 193 • Hardware changes monitoring • Software changes monitoring Basic information section • Policy Name—Name of the monitoring alarm policy. • Service Group—Service group to which the monitoring alarm policy belongs. • Description—Description of the monitoring alarm policy. USB monitoring section Keywords to Trigger Alarms—List of keywords for triggering alarms. When the DAM server receives information about files written from the asset to a USB storage device, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information in syslogs and sends them to the specified syslog server. Operators can view the following information on the syslog server: asset number, asset name, owner, time when the USB storage device was connected to the asset, and name, size, and write time of each file written to the USB storage device. Printer monitoring section Keywords to Trigger Alarms—List of keywords for triggering alarms. When the DAM server receives information about files printed by the asset, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information in syslogs and sends them to the specified syslog server. Operators can view the following information on the syslog server: asset number, asset name, owner, printer name, and name, number of pages, size, and print time of each printed file. Hardware changes monitoring section This section contains the hardware items to be monitored. When the content of a selected item changes, the DAM server encapsulates the changes in syslogs and sends them to the specified syslog server. • CPU—CPU number and name. • Memory—Total memory of the asset. • Mainboard—Vendor and product model of the main board. • DVD/CD-ROM—Device instance path of the DVD/CD-ROM drive. • NIC—Device instance path. • Hard Disk—Hard-disk interface type and device instance path. • BIOS—BIOS caption, vendor, release date, and version. Software changes monitoring section This section contains the software items to be monitored. When the content of a selected item changes, the DAM server encapsulates the changes in syslogs and sends them to the specified syslog server. • Logical Disk—Logical disk name, description, file system, serial number, and total size. The logical disks are scanned and checked only when the asset starts up. • IP Address—NIC serial number, IP address, DHCP status, gateway IP address, asset MAC address, and subnet mask. • Operating System—Operating system name, version, service pack, installation date, and language. Screen Saver—Screen-saver status (enabled or disabled), display of logon screen on resume (enabled or disabled), and idle time. • 194 Configuring desktop control schemes and policies • System Information—Login name of the asset. • Computer Name—Computer name of the asset. • Partition—Hard disk number, partition number, partition type, boot partition (yes or no), and partition capacity. • Software—Software name and version. • Reinstall OS or Other Update—Operating system reinstallation and recovery. Viewing the monitoring alarm policy list To view the monitoring alarm policy list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the navigation tree. The Monitoring Alarm Policy List displays all monitoring alarm policies. 3. 4. Click Refresh to refresh the Monitoring Alarm Policy List. To sort the Monitoring Alarm Policy List, click the Policy Name or Service Group column label. Viewing monitoring alarm policy details To view details of a monitoring alarm policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the navigation tree. The Monitoring Alarm Policy List displays all monitoring alarm policies. 3. Click the name of the monitoring alarm policy you want to view. The Monitoring Alarm Policy Details page appears. 4. To go back to the Monitoring Alarm Policy List, click Back. Adding a monitoring alarm policy To add a monitoring alarm policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the navigation tree. The Monitoring Alarm Policy List displays all monitoring alarm policies. 3. Click Add. The Add Monitoring Alarm Policy page appears. 4. 5. Configure the basic information for the monitoring alarm policy: • Policy Name—Enter a unique name for the monitoring alarm policy. • Service Group—Select the service group to which the monitoring alarm policy belongs. • Description—Enter a description for the monitoring alarm policy to facilitate maintenance. Enter the keywords in the Keywords to Trigger Alarms field of the USB Monitoring section. You can enter up to 100 keywords per line, with each keyword containing up to 32 characters. When the DAM server receives information about files written from the asset to a USB storage device, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information in syslogs and sends them to the specified syslog server. You can view the following information on the syslog server: asset number, asset name, owner, Configuring monitoring alarm policies 195 and time when the USB storage device was connected to the asset; and name, size, and write time of each file written to the USB storage device. 6. Enter the keywords in the Keywords to Trigger Alarms field of the Printer Monitoring section. You can enter up to 100 keywords per line, with each keyword containing up to 32 characters. When the DAM server receives information about files printed by the asset, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information within syslogs and sends them to the specified syslog server. You can view the following information on the syslog server: asset number, asset name, owner, and printer name; and name, number of pages, size, and print time of each printed file. 7. Select the hardware items to monitor in the Hardware Changes Monitoring section. Click the boxes next to the target items to monitor. When the content of a selected item changes, the DAM server encapsulates the changes within syslogs and sends them to the specified syslog server. 8. 9. • CPU—CPU number and CPU name. • Memory—Total memory of the asset. • Mainboard—Vendor and product model of the main board. • DVD/CD-ROM—Device instance path of the DVD/CD-ROM drive. • NIC—Device instance path. • Hard Disk—Hard-disk interface type and device instance path. • BIOS—BIOS caption, vendor, release date, and version. Select the software items to monitor in the Software Changes Monitoring section. Click the boxes next to the target items to monitor. When the content of a selected item changes, the DAM server encapsulates the changes within syslogs and sends them to the specified syslog server. • Logical Disk—Logical disk name, description, file system, serial number, and total size. The logical disks are only scanned and checked when the asset starts up. • IP Address—NIC serial number, IP address, DHCP status, gateway IP address, asset MAC address, and subnet mask. • Operating System—Operating system name, version, service pack, installation date, and language. • Screen Saver—Screen saver status (enabled or disabled), display of logon screen on resume (enabled or disabled), and idle time. • System Information—Login name of the asset. • Computer Name—Computer name of the asset. • Partition—Hard disk number, partition number, partition type, boot partition (yes or no), and partition capacity. • Software—Software name and version. • Reinstall OS or Other Update—Operating system reinstallation and recovery. Click OK. The new monitoring alarm policy appears in the Monitoring Alarm Policy List and the Policy List on the Add Control Scheme page. Modifying a monitoring alarm policy To modify a monitoring alarm policy: 1. Click the Service tab. 196 Configuring desktop control schemes and policies 2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the navigation tree. The Monitoring Alarm Policy List displays all monitoring alarm policies. 3. Click the Modify icon for the monitoring alarm policy you want to modify. The Modify Monitoring Alarm Policy page appears. 4. 5. Modify the description for the monitoring alarm policy. You cannot modify other basic information. Modify the keywords in the Keywords to Trigger Alarms field of the USB Monitoring section. You can enter up to 100 keywords per line with each keyword containing up to 32 characters. When the DAM server receives information about files written from the asset to a USB storage device, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information within syslogs and sends them to the specified syslog server. You can view the following information on the syslog server: asset number, asset name, owner, and time when the USB storage device was connected to the asset; and name, size, and write time of each file written to the USB storage device. 6. Modify the keywords in the Keywords to Trigger Alarms field in the Printer Monitoring section. You can enter up to 100 keywords per line, with each keyword containing up to 32 characters. When the DAM server receives information about files printed by the asset, it checks the file names for keywords. When a keyword is found, the DAM server encapsulates the information in syslogs and sends them to the specified syslog server. You can view the following information on the syslog server: asset number, asset name, owner, and printer name; and name, number of pages, size, and print time of each printed file. 7. Reselect the hardware items to monitor in the Hardware Changes Monitoring section. Select the boxes next to the items to monitor. To cancel an item, clear its box. When the content of a selected item changes, the DAM server encapsulates the changes in syslogs and sends them to the specified syslog server. 8. Reselect the software items to monitor in the Software Changes Monitoring section. Select the boxes next to the items to monitor. To cancel an item, clear its box. When the content of a selected item changes, the DAM server encapsulates the changes in syslogs and sends them to the specified syslog server. 9. Click OK. Deleting a monitoring alarm policy You cannot delete a monitoring alarm policy that is assigned to a desktop control scheme. You must remove the association between the policy and the desktop control scheme by reassigning policies for the scheme. For more information about the configuration procedure, see “Modifying a desktop control scheme” (page 188). To delete a monitoring alarm policy: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Policy > Monitoring Alarm Policy from the navigation tree. The Monitoring Alarm Policy List displays all monitoring alarm policies. 3. Click the Delete icon for the monitoring alarm policy you want to delete. A confirmation dialog box appears. 4. Click OK. Configuring monitoring alarm policies 197 10 Asset audit DAM supports the following asset audit functions: • • Post audits—Post-audit data shows the asset usage based on the asset history records stored in DAM, including: ◦ Asset hardware changes ◦ Asset software changes ◦ Use of USB storage devices ◦ Printers ◦ Use of unauthorized peripherals Real-time audits—Real-time audit data shows asset information in real time. DAM provides the terminal file audit function to show in real time whether a terminal asset contains specified files. Asset hardware change record audit DAM works with the iNode client to support the asset hardware change record audit function. The iNode client automatically collects the asset hardware changes shown in Table 14 and reports them to the DAM server. Operators can view the change time and change content by auditing these changes. Operators can configure the hardware items to be monitored in a monitoring alarm policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The DAM server collects the hardware changes from the monitored asset or each asset in the monitored asset group, and then sends them in syslogs to the specified syslog server. DAM and the syslog server both are aware of the asset hardware changes.Operators can configure the hardware items to be monitored in a monitoring alarm policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The DAM server collects the hardware changes from the monitored asset or each asset in the monitored asset group, and then sends them in syslogs to the specified syslog server. DAM and the syslog server both are aware of the asset hardware changes. By default, asset hardware change records can be kept for 1,825 days (about five years). Operators can modify the record lifetime through the Asset Change Record Lifetime parameter. For more information about modifying the record lifetime, see “DAM service parameters” (page 312). Table 14 Asset hardware changes Item Changes CPU • CPU number • CPU name Mainboard • Vendor • Product model BIOS • Caption • Vendor • Release date • Version Memory 198 Asset audit Total memory Table 14 Asset hardware changes (continued) Item Changes Hard Disk • Interface type • Device instance path NIC Device instance path DVD/CD-ROM Device instance path Asset hardware change information list contents • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Change Type—Change type of the asset hardware. Options are Common Update, Reinstall OS, and Other Update. • Change Contents—Content of the changed hardware. Options are CPU, Memory, Mainboard, DVD/CD-ROM, NIC, Hard Disk, and BIOS. • Owner—Owner of the asset. Click the owner to view its details. • Changed on—System time of the server when the asset hardware was changed. • Details—Click the Details icon to view detailed information about the asset hardware change. Asset hardware change record details Asset hardware change record details comprise the following parameters: • CPU Change Information—Appears only when the CPU number or the CPU name has changed. Operators can view the CPU changes by comparing the new list with the old list. • BIOS Change Information—Appears only when the BIOS caption, vendor, release date, or version has changed. Operators can view the BIOS changes by comparing the new list with the old list. • Mainboard Change Information—Appears only when the vendor or product model of the main board has changed. Operators can view the main-board changes by comparing the new list with the old list. • Memory Change Information—Appears only when the total memory of the asset has changed. Operators can view the memory changes by comparing the new list with the old list. • Hard Disk Change Information—Appears only when the hard-disk interface type or device instance path has changed. Operators can view the asset hard-disk changes by comparing the old list with the new list. • NIC Change Information—Appears only when the device instance path of the NIC has changed. Operators can view the NIC changes by comparing the new list with the old list. The device instance path changes when the NIC or the position of the NIC PCI is changed. • DVD/CD-ROM Change Information—Appears only when the device instance path of the DVD/CD-ROM drive has changed. Operators can view the asset DVD/CD-ROM drive changes by comparing the old list with new list. Viewing the asset hardware change information list To view the asset hardware change records list: 1. Click the Service tab. Asset hardware change record audit 199 2. Select Desktop Asset Manager > Asset HW Change from the navigation tree. The Asset Hardware Change Information list displays all asset hardware change records. 3. To sort the Asset Hardware Change Information list, click the Asset Number, Asset Name, Change Type, Owner, or Changed on column label. Viewing asset hardware change record details To view details of an asset hardware change record: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset HW Change from the navigation tree. The Asset Hardware Change Information list displays all asset hardware change records. 3. Click the Details icon for the asset hardware change information you want to view. The Asset Hardware Change Details page appears. 4. To go back to the Asset Hardware Change Information list, click Back. Querying asset hardware change records DAM allows operators to filter detailed asset hardware change records by using basic query mode or advanced query mode. Basic query To query asset hardware change records by using basic query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset HW Change from the navigation tree. The Asset Hardware Change Information list displays all asset hardware change records. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. 5. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Changed from/to—Set the range of time when the asset hardware was changed. You can enter the time range, or click the Select Date and Time icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. Click Query. The Asset Hardware Change Information list displays all asset hardware change records matching the query criteria. 6. To clear the query criteria, click Reset. The Asset Hardware Change Information list displays all hardware change records. Advanced query To query asset hardware change records by using advanced query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset HW Change from the navigation tree. The Asset Hardware Change Information list displays all asset hardware change records. 200 Asset audit 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. 5. Enter or select one or more of the following query criteria: • Asset Numberr—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Namer—Enter the name of the asset. DAM supports fuzzy matching for this field. • Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field. • Group Name—Click the Select Asset Group icon asset is located. • Change Type—Select the change type from the list: to select the asset group where the ◦ Common Update—Ordinary hardware changes on the asset, such as adding a memory bar to the computer, are categorized into this type. The iNode client collects and reports to DAM the asset hardware change information. ◦ Reinstall OS—All hardware information about the asset that the user re-registers through the iNode client. The user re-registers the asset only after its operating system is reinstalled. The iNode client re-collects and reports to DAM all asset information. ◦ Other Update—Hardware changes that are not categorized into Common Update or Reinstall OS are categorized into Other Update, such as registering the asset on multiple DAMs. • Change Contents—Select the content of changed hardware from the list. Options are CPU, Memory, Mainboard, DVD/CD-ROM, NIC, Hard Disk, and BIOS. • Changed from/to—Set the range of time when the asset hardware was changed. You can enter the time range, or click the Select Date and Time icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. Click Query. The Asset Hardware Change Information list displays all asset hardware change records matching the query criteria. 6. To clear the query criteria, click Reset. The Asset Hardware Change Information list displays all hardware change records. Asset software change record audit DAM supports the asset software change record audit function with the cooperation of the iNode client. The iNode client automatically collects the asset software changes shown in Table 15 and reports them to the DAM server. Operators can view the change time and change content by auditing these changes. Operators can configure the software items to be monitored in a monitoring alarm policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The DAM server collects the software changes from the monitored asset or each asset in the monitored asset group, and then sends them in syslogs to the specified syslog server. DAM and the syslog server are both notified of the asset software changes. By default, asset software change records can be kept for 1,825 days (approximately five years). Operators can modify the record lifetime using the Asset Change Record Lifetime parameter. For more information about modifying the record lifetime, see “DAM service parameters” (page 312). Asset software change record audit 201 Table 15 Asset software change records Item Changes Login Name Computer login name Computer Name Computer name Logical Disk • Name • Description • File system • Serial number • Total size Operating System • Name • Version • Service pack • Installation date • Language Screen Saver • Screen-saver status (enabled or disabled) • Display of logon screen on resume (enabled or disabled) • Idle time Partition • Hard disk number • Partition number • Partition type • Boot partition (yes or no) • Partition capacity Network Connections • NIC serial number • IP address • DHCP status • Gateway IP address • NIC MAC address • Subnet mask Software • Software name • Software version Asset software change information list contents • Asset Number—Number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Change Type—Change type of the asset software. Options are Common Update, Reinstall OS, and Other Update. • Change Contents—Content of the changed software. Options are Login Name, Computer Name, Logical Disk, Operating System, Screen Saver, Partition, Network Connections, and Software. • Owner—Owner of the asset. Click the owner to view its details. 202 Asset audit • Changed on—System time of the server when the asset software was changed. • Details—Click the Details icon to view detailed information about the asset software change. Asset software change record details Asset software change record details comprise the following parameters: • Login Name Change Information—Appears only when the computer login name has changed. Operators can view the computer login name change by comparing the new list with the old list. • Computer Name Change Information—Appears only when the computer name has changed. Operators can view the computer name change by comparing the new list with the old list. • Logical Disk Change Information—Appears only when the logical disk name, description, file system, serial number, or total size has changed. Operators can view the logical disk change by comparing the new list with the old list. • Network Connection Change Information—Appears only when the NIC serial number, IP address, DHCP status, gateway IP address, MAC address, or subnet mask has changed. Make sure that the DAM service parameter Report Network Connection Changes is configured as Yes. Operators can view the network configuration change by comparing the new list with the old list. • Operating System Change Information—Appears only when the operating system name, version, service pack, installation time, or language has changed. Operators can view the asset OS change by comparing the new list with the old list. • Screen Saver Change Information—Appears only when the status of the screen saver (enable or disable), display of logon screen on resume (enabled or disabled), or the idle time length has changed. Operators can view the screen saver changes of the asset by comparing the new list with the old list. • Partition Change Information—Appears only when the hard disk number, partition number, partition type, boot partition (yes or no), or partition capacity of the asset has changed. Operators can view the partition changes by comparing the new list with the old list. • Software Change Information—Appears only when the name or version of the software installed on the asset has changed. Operators can view the installed software changes of the asset by comparing the new list with the old list. Viewing the asset software change record list To view the asset software change record list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset SW Change from the navigation tree. The Asset Software Change Information list displays all asset software change records. 3. To sort the list, click the Asset Number, Asset Name, Change Type, Owner, or Changed on column label. Viewing the asset software change record details To view details of an asset software change record: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset SW Change from the navigation tree. The Asset Software Change Information list displays all asset software change records. 3. Click the Details icon for the asset software change information you want to view. The Asset Software Change Details page appears. Asset software change record audit 203 4. To go back to the Asset Software Change Information list, click Back. Querying the asset software change records DAM allows operators to filter detailed asset software change records by using basic query mode or advanced query mode. Basic query To query asset software change records by using basic query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset SW Change from the navigation tree. The Asset Software Change Information list displays all asset software change records. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. 5. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Changed from/to—Set the range of time when the asset software was changed. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. Click Query. The Asset Software Change Information list displays all asset software change records matching the query criteria. 6. Click Reset to clear the query criteria. The Asset Software Change Information list displays all software change records. Advanced query To query asset software change records by using advanced query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Asset SW Change from the navigation tree. The Asset Software Change Information list displays all asset software change records. 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Owner—Enter owner of the asset. DAM supports fuzzy matching for this field. • Software Name—Enter the name of software. DAM supports fuzzy matching for this field. 204 Asset audit • 5. Change type—Select the change type from the list: ◦ Common Update—Ordinary software changes on the asset, such as installing or uninstalling software, are categorized into this type. The iNode client collects and reports to DAM the asset software change information. ◦ Reinstall OS—All software information about the asset that the user re-registers through the iNode client. The user re-registers the asset only after its operating system is reinstalled. The iNode client re-collects and reports to DAM all the asset information. ◦ Other Update—Software changes that are not categorized into Common Update or Reinstall OS are categorized into Other Update, such as registering the asset on multiple DAMs. • Group Name—Click the Select Asset Group icon asset is located. • Changed from/to—Set the range of time when the asset software was changed. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. to select an asset group where the Click Query. The Asset Software Change Information list displays all asset software change records matching the query criteria. 6. Click Reset to clear the query criteria. The Asset Software Change Information list displays all software change records. USB monitoring record audit DAM supports the USB monitoring record audit function. To use this function, operators must configure the USB storage device monitoring function in a peripheral management policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The USB monitoring record audit function enables operators to view the time when the USB storage device was plugged in or out, and to view the logical drive letter of and the contents written to the USB storage device. By default, the monitoring records can be kept for 90 days, and operators can modify the record lifetime using the Life of Log parameter. For more information, see “DAM service parameters” (page 312). USB monitor list contents • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. Click the owner to view its details. • Logic Drive—Logical disk letter of the USB storage device. • USB Plugged (Server)—System time of the DAM server when the USB storage device was plugged into the asset. • USB Unplugged (Server)—System time of the DAM server when the USB storage device was unplugged from the asset. • Details—Click the Details icon to view detailed information about the USB monitoring record. USB monitoring record audit 205 USB monitoring record details USB monitoring record details comprise the Information of USB Copied Files section and the List of USB Copied Files section. Information of USB copied files section • Owner—Owner of the asset. Click the owner to view its details. • Asset Name—Name of the asset. • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Logic Drive—Logical disk letter of the USB storage device. • USB Plugged (Client)—System time of the client when the USB storage device was plugged into the asset. • USB Plugged (Server)—System time of the DAM server when the USB storage device was plugged into the asset. • USB Unplugged (Server)—System time of the DAM server when the USB storage device was plugged from the asset. • Number of Copied Files—Number of the files copied to the USB storage device. • Size of Copied Files (Byte)—Total size of the files copied to the USB storage device, in bytes. List of USB copied files section • File Name—Name of the file copied to the USB storage device. • Operation Type—Operation type of the file copied to the USB storage device, which can only be Write. • File Size (Byte)—Total size of the file copied to the USB storage device, in bytes. • Operation Time (Client)—System time of the client when the file was copied to the USB storage device. • Operation Time (Server)—System time of the server when the file was copied to the USB storage device. Viewing the USB monitoring record list To view the USB monitoring record list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 3. To sort the list, click the Asset Number, Asset Name, Owner, USB Plugged (Server), or USB Unplugged (Server) column label. Viewing the USB monitoring record details To view details of a USB monitoring record: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 206 Asset audit 3. Click the Details icon for the USB monitor you want to view. The USB Monitor Details page appears. 4. 5. 6. To go back to the USB Monitor List, click Back. Click Refresh to refresh the List of USB Copied Files. To sort the list, click the File Name, Operation type, File Size (Byte), Operation Time (Client), or Operation Time (Server) column label. Querying the USB monitoring records DAM allows operators to filter the USB monitoring records using either basic query mode or advanced mode. The USB monitoring records include when the USB storage device was plugged in or out, and files copied to the USB storage device. Basic query 1. 2. Click the Service tab. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. 5. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • USB Plugged from/to—Set the range of time when the USB storage device was plugged into the asset. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. Click Query. The USB Monitor List displays all USB monitoring records matching the query criteria. 6. Click Reset to clear the query criteria. The USB Monitor List displays the USB monitoring records of all assets. Advanced query To query USB monitoring records by using advanced query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. USB monitoring record audit 207 5. • Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field. • File Name—Enter the name of the file copied to the USB storage device. DAM supports fuzzy matching for this field. • USB Plugged from/to—Set the range of time when the USB storage device was plugged into the asset. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. • Minimum File Size—Enter the bytes of the file copied to the USB storage device. The USB monitoring records whose file size is greater than or equal to this value is filtered out. Click Query. The USB Monitor List displays all USB monitoring records matching the query criteria. 6. Click Reset to clear the query criteria. The USB Monitor List displays the USB monitoring records of all assets. Exporting the USB monitoring records DAM supports exporting the USB monitoring records. By default, the USB monitoring records can be kept for 90 days. When the record lifetime expires, DAM automatically deletes the records. To avoid the records from being deleted, operators can keep the records for a longer time by modifying the record lifetime through the Life of Log parameter. Operators can also save the USB monitoring records by exporting the USB monitoring records manually or automatically. This section only focuses on manually exporting the USB monitoring records. For more information, see “Managing the export task” (page 184). USB monitor log export history list contents • Export File Name—Name of the file that stores the export results. The file-name extension must be .zip. • Export File Path—Path of the export file. The export file is located in the installation path of IMC. In distributed deployment, the export file is located in the IMC installation path on the master server. • Operator—Name of the operator who exported the USB monitoring records. • Exported at—Time when the USB monitoring records were exported. • Download File—Click Download to save the export results. • Delete—Click the Delete icon to delete the export history of the USB monitoring records. Exporting USB monitoring records To export the USB monitoring records: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 3. Click Export. The Exporting File Format page appears. 208 Asset audit 4. 5. Set the export file attributes: • File Type—Select the format of the file you want to export USB monitoring records to. Options are TXT and CSV. • File Column Separator—Select the separator for the text file when TXT is selected as the format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). Click OK. The Result of exporting USB monitor page appears. 6. 7. Click Download to save the export results. To go back to the USB monitoring record list, click Back. Viewing the USB monitor log export history DAM supports viewing the export history of the USB monitoring records. DAM automatically generates an export history record each time the USB monitoring records are exported manually. Operators can download the export results or delete the export history. To view the export history of USB monitoring records: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > USB Monitor from the navigation tree. The USB Monitor List displays the USB monitoring records of all assets. 3. Click Export History next to the USB Monitor List. The Export History page appears. 4. To go back to the USB Monitor List, click Back. Printer monitoring record audit DAM supports the printer monitoring record audit function. To use this function, operators must configure the printer monitoring function in a peripheral management policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The printer monitoring record audit function enables operators to view the name and pages of each printed file. By default, the printer monitoring records can be kept for 90 days, and operators can modify the record lifetime through the Life of Log parameter. For more information about modifying the record lifetime, see “DAM service parameters” (page 312). Printer monitor list contents • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. Click the owner to view its details. • Printer Name—Name of the printer. • File Name—Name of the printed file. • Printed Pages—Number of the pages of the printed file. • Report Time—Time when the DAM server received the file printing message from the asset. • Share Printer—Indicates whether the file was printed on a shared printer. • Details—Click the Details icon record. to view detailed information about the printer monitoring Printer monitoring record audit 209 Printer monitoring record details Printer monitoring record details comprise the following parameters: • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. Click the owner to view its details. • Printer Name—Name of the printer. • Share Printer—Indicates whether the file was printed on a shared one. • File Name—Name of the printed file. • Name of the Computer Initiating Printing—Computer name of the asset where the shared printer locates. This option appears only when the shared printer is used for printing. • Asset Number of the Computer Initiating Printing—Asset number of the asset where the shared printer is located. This option appears only when the file is printed by the shared printer. • Owner of the Computer Initiating Printing—Owner of the asset where the shared printer is located. This option appears only when the file is printed by the shared printer. • Print Time—System time of the client when the printer was used. • Report Time—System time of the DAM server when the printer was used. • File Total Pages—Total pages of the printed file. • Printed Pages—Number of the printed pages. • File Total Size—Total size of the printed file, in bytes. • Printed Size—Size of the printed data, in bytes. • Driver Info.—Driver information of the printer. • Port—Computer port that the printer is connected to. Viewing the printer monitoring record list To view the printer monitoring record list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. To sort the list, click the Asset Number, Asset Name, Owner, Printer Name, File Name, Printed Pages, Report Time, or Share Printer column label. Viewing the printer monitoring record details To view the printer monitoring record details: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. Click the Details icon for the printer monitoring record you want to view. The Printer Monitor Details page appears. 4. 210 To go back to the Printer Monitor List, click Back. Asset audit Querying the printer monitoring records DAM allows operators to filter the printer monitoring records by using basic query mode or advanced mode. The printer monitoring records include the use of printers by assets. Basic query To query the printer monitoring records by using basic query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. 5. Enter one or both of the following query criteria: • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. Click Query. The Printer Monitor List displays all printer monitoring records matching the query criteria. 6. Click Reset to clear the query criteria. The Printer Monitor List displays the printer monitoring records of all assets. Advanced query To query the printer monitoring records by using advanced query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Name—Enter the name of the asset. DAM supports fuzzy matching for this field. • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field. • File Name—Enter the name of the printed file, which must be exactly the same as that in the Windows printer task list. • Name of the Computer Initiating Printing—Enter the name of the computer where the shared printer is located. DAM supports fuzzy matching for this field. This field is empty unless the file is printed on a shared printer. • Asset Number of the Computer Initiating Printing—Enter the asset number of the asset where the shared printer is located. DAM supports fuzzy matching for this field. This field is empty unless the file is printed on a shared printer. Printer monitoring record audit 211 5. • Report Time from/to—Set the range of time when the printer monitoring record was reported. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. • Printer Name—Enter the name of the printer. DAM supports fuzzy matching for this field. • Share Printer—Select whether the printer is a shared one. • Printed Pages from/to—Enter the range of pages of the printed file. • Printed Size from/to—Enter the data size of the printed file. • Port—Enter the port of the computer that the printer is connected to. • Driver Info.—Enter the driver information of the printer. Click Query. The Printer Monitor List displays all printer monitoring records matching the query criteria. 6. Click Reset to clear the query criteria. The Printer Monitor List displays the printer monitoring records of all assets. Exporting the printer monitoring records DAM supports exporting the printer monitoring records. By default, the printer monitoring records can be kept for 90 days. When the record lifetime expires, DAM automatically deletes the records. To avoid the records from being deleted, operators can keep the records for a longer time by modifying the record lifetime through the Life of Log parameter. Operators can also save the printer monitoring records by exporting them. To export the printer monitoring records: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. Click Export. The Exporting File Format page appears. 4. 5. Set the export file attributes: • File Type—Select the format of the file you want to export printer monitoring records to. Options are TXT and CSV. • File Column Separator—Select the separator for the text file when TXT is selected as the format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). Click OK. The Result of exporting USB monitor page appears. 6. 7. Click Download to save the export results. To go back to the Printer Monitor List, click Back. Viewing the export history of the printer monitoring records DAM supports viewing the export history of the printer monitoring records. DAM automatically generates an export history record each time the printer monitoring records are exported. Operators can download the export results or delete the export history. To view the export history of the printer monitoring records: 1. Click the Service tab. 212 Asset audit 2. Select Desktop Asset Manager > Desktop Control Audit > Printer Monitor from the navigation tree. The Printer Monitor List displays the printer monitoring records of all assets. 3. Click the Export History next to the Printer Monitor List. The Export History page appears. 4. To go back to the Printer Monitor List, click Back. Printer monitor log export history list contents • Export File Name—Name of the file that stores the export results. The file-name extension must be .zip. • Export File Path—Path of the export file. The export file is located in the installation path of IMC. In distributed deployment, the export file is located in the IMC installation path on the master server. • Operator—Name of the operator who exported the printer monitoring records. • Content Exported—Content description of the exported file. • Exported at—Time and date when the printer monitoring records were exported. • Download File—Click Download to save the export results. • Delete—Click the Delete icon to delete the export history of the printer monitoring records. Unauthorized peripheral use record audit DAM supports the unauthorized peripheral use record audit function. To use this function, operators must configure the unauthorized peripheral items in a peripheral management policy, assign the policy to a desktop control scheme, and assign the desktop control scheme to the target asset or asset group. The unauthorized peripheral use record audit function enables operators to view the type of unauthorized peripherals, time, asset owner, and the unauthorized desktop control scheme. By default, the unauthorized peripheral use record can be kept for 90 days, and operators can modify the record lifetime through the Life of Log parameter. For more information about modifying the record lifetime, see “DAM service parameters” (page 312). Illegal peripheral use report list contents • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. Click the owner to view its details. • Device Type—Types of unauthorized peripheral types. Options are DVD/CD-ROM, FloppyDisk, Modem, COM/LPT, 1394, USB, Infrared, Bluetooth, and PCMCIA. • Operation Time (Server)—Time when the DAM server detected the unauthorized peripheral use. • Description—Description of the unauthorized devices. • Disable Result—Indicates whether the authorized devices are disabled. • Details—Click the Details icon use record. to view detailed information about the unauthorized peripheral Unauthorized peripheral use record audit 213 Illegal peripheral use log export history list contents • Export File Name—Name of the export that stores the export results. The file-name extension must be .zip. • Export File Path—Path of the export file. The export file is located in the installation path of IMC. In distributed deployment, the export file is located in the IMC installation path on the master server. • Operator—Name of the operator who exported the unauthorized peripheral use records. • Content Exported—Content description of the exported file. • Exported at—Time and date when the unauthorized peripheral use records were exported. • Download File—Click Download to save the export results. • Delete—Click the Delete icon use records. to delete the export history of the unauthorized peripheral Viewing the unauthorized peripheral use record list To view the unauthorized peripheral use record list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from the navigation tree. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. 3. To sort the list, click the Asset Number, Asset Name, Owner, Device Type, Operation Time (Server), Description, or Disable Result column label. Viewing the export history of the unauthorized peripheral use records DAM supports viewing the export history of the unauthorized peripheral use records. DAM automatically generates an export history record each time the unauthorized peripheral use records are manually exported. Operators can download the export results and delete the export history. To view the export history of unauthorized peripheral use records: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from the navigation tree. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. 3. Click the Export History next to the Illegal Peripheral Use Report List. The Export History page appears. 4. 5. View the Illegal Peripheral Use Log Export History List. To go back to the Illegal Peripheral Use Report List, click Back. Querying the unauthorized peripheral use records DAM allows operators to filter the unauthorized peripheral use records by using basic query mode or the advanced mode. The unauthorized peripheral use records include the use of peripherals by assets. Basic query To query the unauthorized peripheral use records by using basic query mode: 1. Click the Service tab. 214 Asset audit 2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from the navigation tree. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. 3. Click Basic Query at the upper right of the page. When Advanced Query is displayed at the upper right of the page, you are already in basic query mode. Skip this step. 4. 5. Enter one or both of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this field. • Owner—Enter the name of the asset owner. DAM supports fuzzy matching for this field. Click Query. The Illegal Peripheral Use Report List displays all unauthorized peripheral use records matching the query criteria. 6. Click Reset to clear the query criteria. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. Advanced query To query the unauthorized peripheral use records by using advanced query mode: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from the navigation tree. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. 3. Click Advanced Query at the upper right of the page. When Basic Query is displayed at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy criteria for this field. • Asset Name—Enter the name of the asset. DAM supports fuzzy criteria for this field. • Owner—Enter the name of the asset owner. DAM supports fuzzy criteria for this field. • Group Name—Click the Select Asset Group icon asset is located. • Operation Time (Server) from/to—Set the range of time when the unauthorized peripheral use record was reported. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. • Peripheral Management Policy—Select the peripheral management policy that is violated. • Device Type—Select the type of the peripheral device. Options are DVD/CD-ROM, FloppyDisk, Modem, COM/LPT, 1394, USB, Infrared, Bluetooth, and PCMCIA. • Device Instance Path—Enter the device instance path of the peripheral device. DAM supports fuzzy matching for this filed. to select the asset group where the Unauthorized peripheral use record audit 215 5. Click Query. The Illegal Peripheral Use Report List displays all unauthorized peripheral use records matching the query criteria. 6. Click Reset to clear the query criteria. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. Exporting the unauthorized peripheral use records DAM supports exporting the unauthorized peripheral use records. By default, the unauthorized peripheral use records can be kept for 90 days. When the record lifetime expires, DAM automatically deletes the records. To avoid the records from being deleted, operators can keep the record for a longer time by modifying the record lifetime through the Life of Log parameter. Operators can also save the unauthorized peripheral use records by exporting them. To export the unauthorized peripheral use records: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Illegal Peripheral Use Report from the navigation tree. The Illegal Peripheral Use Report List displays the unauthorized peripheral use records of all assets. 3. Click Export. The Exporting File Format page appears. 4. 5. Select the export file attributes: • File Type—Select the format of the file you want to export unauthorized peripheral use records to. Options are TXT and CSV. • File Column Separator—Select the separator for the text file when TXT is selected as the format of the export file. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). Click OK. The Result of exporting illegal peripheral use report page appears. 6. 7. Click Download to save the export results. To go back to the Illegal Peripheral Use Report List, click Back. Terminal file audit DAM supports the terminal file audit function to show whether a terminal asset contains specified files in real time. DAM creates and immediately executes an audit task for each terminal file audit operation, and allows operators to view or export the audit results. Asset file check list contents 216 • Asset Number—Asset number of the asset. Click the asset number to view detailed information about the asset. • Group Name—Group that the asset belongs to. • Owner—Owner of the asset. Click the owner to view its details. • File Name Includes—Check path of the audit task. • Check Time—Time when the audit task was created. • Status—Current status of the audit task. Asset audit • Export—Click the Export icon to export the audit results of the terminal file audit task. • Details—Click the Details icon to view detailed information about terminal file audit task. Asset file check list details Asset file check list details comprise the basic information section and the file list section. Basic information section • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Asset User—User of the asset. • Report Time—Time when the audit results of the terminal file was submitted to the DAM server. • Owner—Owner of the asset. • Check Time—Time when the audit task was created. • Status—Status of the audit task: Reported or Not Reported. ◦ Reported—Indicates that the audit task is complete and the audit result has been submitted to the DAM server. ◦ Not Reported—Indicates that the audit result has not been submitted to the DAM server. • Check Files in—Absolute path of the check files in the audit task list. The file path includes the directory and all subdirectories, which must end with a backslash (\). • File Name Includes—Name of the audited file. The file name can contain the wildcard characters asterisk (*) or question mark (?). An asterisk can match none or many characters. A question mark can match only one character when it is placed after the dot (.), and can match all characters except the dot (.) when it is placed before the dot. • Description—Description of the audit task. File list section • File Name—Name of the file. • File Path—Absolute path of the file. • File Size—Size of the file, in bytes. Viewing the terminal file audit task list To view the terminal file audit task list: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation tree. The Asset File Check List displays the terminal file audit tasks of all assets. 3. To sort the list, click the Asset Number, Group Name, Owner, File Name Includes, Check Time, or Status column label. Querying terminal file audit tasks Operators can filter the terminal file audit tasks through a query. To query terminal file audit tasks: 1. Click the Service tab. Terminal file audit 217 2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation tree. The Asset File Check List displays the terminal file audit tasks of all assets. 3. 4. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number of the asset. DAM supports fuzzy matching for this filed. • Owner—Enter owner of the asset. DAM supports fuzzy matching for this filed. • Check Time from/to—Set the range of time when the terminal file audit task was performed. You can enter the time range, or click the Calendar icon to bring up the time control window and select the time range. The time range must be in the format YYYY-MM-DD hh:mm:ss. Click Query. The Asset File Check List displays all terminal file audit tasks matching the query criteria. 5. To clear the query criteria, click Reset. The Asset File Check List displays the terminal file audit tasks of all assets. Auditing the terminal files To audit the terminal files: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation tree. The Asset File Check List displays the terminal file audit tasks of all assets. 3. Click Audit. The Audit page appears. 4. Select the asset whose terminal files you want to audit: a. Click Select Asset. The Asset List dialog box appears. b. Filter assets through a basic query or advanced query. The Query Asset feature appears above the Asset List. The Advanced Query link is a toggle between Basic Query and Advanced Query. When the link is Advanced Query, then you are in basic query mode, and vice versa. Enter or select one or more of the following query criteria: 218 Asset audit • Asset Number—Enter the asset number of the asset. DAM supports for fuzzy matching for this field. • Asset Name—Enter the name of the asset. DAM supports for fuzzy matching for this field. • Owner—Enter the name of the asset owner. DAM supports for fuzzy matching for this field. • Group Name—Click the Select Asset Group icon to select an asset group. In the Select Asset Group window that appears, select a group and click OK. • Operating System—Enter the name of the operating system. DAM supports for fuzzy matching for this field. This field is available only for advance queries. c. d. e. • Operating System Language—Select the operating system language: Chinese (PRC) or English. This field is available only for advance queries. • Operating System Patch—Enter the version of the service pack of the operating system, such as Service Pack 3. This field is available only for advance queries. Click Query. Select the asset you want to add in the Asset List. Click OK. The selected asset appears in the Asset Number field. 5. 6. Enter the following parameters for the audit task: • Check Files in—Enter the absolute path of the files you want to check. • File Name Includes—Enter a partial of the file name. The file name can contain the wildcard characters asterisk (*) or question mark (?). An asterisk can match none or many characters. A question mark can match only one character when it is placed after the dot (.), and can match all characters except the dot (.) when it is placed before the dot. • Description—Enter the description of the audit. Click Start. Viewing the terminal file audit results To view the result of a terminal file audit task: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation tree. The Asset File Check List displays the terminal file audit tasks of all assets. 3. Click the Details icon for the terminal file audit to view its details. The Asset File Check List page appears. 4. 5. To go back to the Asset File Check List, click Back. To save the audit results, click Export. Exporting the terminal file audit results To export the terminal file audit results: 1. Click the Service tab. 2. Select Desktop Asset Manager > Desktop Control Audit > Check Asset Files from the navigation tree. The Asset File Check List displays the terminal file audit tasks of all assets. 3. Click Export icon export. in the Asset File Check List for the terminal file audit result you want to The Exporting File Format page appears. 4. Select a format for the export file from the File Format list. Options are TXT and CSV. TXT indicates that the terminal file audit results are exported to the text file of the *.txt type. Excel indicates that the terminal file audit result is exported to the text file of the *.csv type. 5. Select the separator for the terminal file audit results that are exported to the text file of *.txt type. Options are space, tab, comma (,), colon (:), pound sign (#), and dollar sign ($). Terminal file audit 219 6. Click OK. After the operation is complete, the Export Result page appears. 7. Click Download to save the export results. 220 Asset audit 11 Configuring software deployment The software deployment function allows operators to batch deploy the same software product to multiple assets. Preparing to use the software deployment function To use this function, complete the following tasks: 1. Set up a software deployment server, which can be an HTTP, FTP, or file share server. The server must be properly configured to allow assets to download software. 2. Add the server settings to DAM, such as the IP address, port, and username/password. 3. Configure a software deploy task in DAM. The task settings include the software deployment server, name and version of the software to be deployed, download path, installation mode, and deployment target (individual assets or asset groups). DAM sends the software deploy task to the iNode client for execution, and then the iNode client downloads and installs software from the software deployment server as specified in the task. Configuring software deployment server settings DAM supports the following types of software deployment servers: HTTP, FTP, and file share. Operators can add the server settings to DAM for management. Software server settings list contents • Server Name—Name of the software deployment server. Click the name to view its details. • Deployment Method—Software deployment method: HTTP, FTP, or Share File. • IP Address—IP address of the software deployment server. • Modify—Click the Modify icon • Delete—Click the Delete icon to modify the server settings. to delete the server settings. Software deployment server settings details Software deployment server settings details comprise the following parameters: • • Server Name—Name of the software deployment server. Deployment Method—Software deployment method: HTTP, FTP, or Share File. When the deployment method is HTTP, the page also contains the following parameter: ◦ Port Number—Listening port of the HTTP server, 80 by default. When the deployment method is FTP, the page also contains the following parameters: ◦ Port Number—Listening port of the FTP server, 21 by default. ◦ Transmission Mode—FTP transfer mode to use when a firewall or NAT device exists between the FTP server and the iNode client. The value can be PORT or PASV. – PORT—When the FTP server is protected by the firewall or NAT device, select the PORT mode. – PASV—When the iNode client is protected by the firewall or NAT device, select the PASV mode. ◦ Anonymous User—Indicates whether to allow anonymous login to the FTP server. ◦ User Name—User name used to access the FTP server. This field appears only when Anonymous User is set to No. Preparing to use the software deployment function 221 When the deployment method is Share File, the page also contains the following parameters: • ◦ Anonymous User—Indicates whether to allow anonymous login to the file share server. ◦ User Name—The user name used to access the file share server, in the format prefix\user ID. If the software deployment server has been assigned to a domain, use the domain name as the prefix; if not, use the computer name as the prefix. This parameter appears only when Anonymous User is set to No. IP Address—IP address of the software deployment server. Viewing the software deployment server settings list To view the software deployment server settings list: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Server Settings from the navigation tree. The Software Server Settings List displays all software deployment server settings. 3. 4. Click Refresh to refresh the Software Server Settings List. To sort the Software Server Settings List, click the Server Name, Deployment Method, or IP Address column label. Viewing software deployment server settings details To view details of software deployment server settings: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Server Settings from the navigation tree. The Software Server Settings List displays all software deployment server settings. 3. Click the name of the software deployment server for which you want to view the detailed settings. The Software Server Settings Details page appears. 4. To go back to the Software Server Settings List, click Back. Adding software deployment server settings To add software deployment server settings: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Server Settings from the navigation tree. The Software Server Settings List displays all software deployment server settings. 3. Click Add. The Add Software Server Settings page appears. 4. 5. 6. Configure the basic server information. Configure parameters related to the deployment method. Click OK. Modifying software deployment server settings To modify the software deployment server settings: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Server Settings from the navigation tree. The Software Server Settings List displays all software deployment server settings. 3. Click the Modify icon for the software deployment server settings you want to modify. The Modify Software Server Settings page appears. 222 Configuring software deployment 4. 5. 6. Modify the basic server settings. Modify parameters related to the deployment method. Click OK. Deleting software deployment server settings You cannot delete the settings of a software deployment server when the server name is selected for a software deploy task. To delete the server settings, you must first delete all software deploy tasks that use the server. For more information about deleting software deploy tasks, see “Deleting software deploy tasks” (page 229). To delete software deployment server settings: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Server Settings from the navigation tree. The Software Server Settings List displays all software deployment server settings. 3. Click the Delete icon for the software deployment server settings you want to delete. A confirmation dialog box appears. 4. Click OK. Configuring software deploy tasks Operators must first add software deployment server settings before they can create software deploy tasks. The software deploy task settings include the software deployment server, name and version of the software to be deployed, download path, installation mode, and deployment target (assets or asset groups). The task is sent to the iNode client for execution, which downloads and installs the software from the software deployment server as specified in the task. Operators can query, add, modify, and delete software deploy tasks. Software deploy task list contents • Task Name—Name of the software deploy task. Click the name to view its details. • Created at—Time when the task was created. • Software Name—Name of the software to be deployed in the task. • Server Name—Name of the software deployment server used in the task. • Installation Type—The type of installation: • ◦ Quiet Installation—Installs software automatically after it is downloaded, without any user intervention. Make sure that the software supports quiet installation. The iNode client can display a task message when the quiet installation is complete. ◦ Interactive Installation—Interacts with the user to obtain the necessary information, such as the download path and serial number for installation. The iNode client can display a task message when the software requiring an interactive installation is downloaded. ◦ Portable Software—Requires no installation and allows the user to use the software immediately after it is downloaded and decompressed. The iNode client can display a task message when the portable software is downloaded. Modify—Click the Modify icon to modify the task settings. Software deploy task details Software deploy task details comprise the basic information section and the software deployment targets section. Configuring software deploy tasks 223 Basic information section • Task Name—Name of the software deploy task. The name must be unique in DAM. • Software Server—Name of the software deployment server. Click the name to view the detailed server settings. • Task Message—Prompt message that the iNode client displays when a quiet software installation or a software download process is complete. • Created at—Time when the software deploy task was created. • Execution Time—Time when the software deploy task is to be executed. • Download Delay—Time delay for the software deploy task, in minutes. To avoid massive downloading from the server at the same time, this parameter allows the iNode client to download software at a random delay between 0 and the specified value. • Software Name—Name of the software to be deployed in the software deploy task. The name the name of the software to be deployed, which must be the same as that in the Add or Remove Programs tool of the Windows Control Panel. This field is available only when the Installation Type is set to Quiet Installation or Interactive Installation. • Software Version—Version of the software to be deployed in the software deploy task. The version must be the same as that in the Add or Remove Programs tool of the Windows Control Panel. This field is available only when the Installation Type is set to Quiet Installation or Interactive Installation. • Execute Task—When the software deploy task is executed: Execute Immediately or Later. ◦ Execute Immediately—Task starts immediately after the configuration is complete. ◦ Later—Task starts at a specified time after the configuration is complete. • Test Method—Select Test Method to test whether the software download path is valid. • Installation Type—The type of installation: • ◦ Quiet Installation—Installs software automatically after it is downloaded, without any user intervention. Make sure that the software supports quiet installation. The iNode client can display a task message when the quiet installation is complete. ◦ Interactive Installation—Interacts with the user to obtain the necessary information, such as the download path and serial number for installation. The iNode client can display a task message when the software requiring an interactive installation is downloaded. ◦ Portable Software—Requires no installation and allows the user to use the software immediately after it is downloaded and decompressed. The iNode client can display a task message when the portable software is downloaded. Software Name and Path—Download path and source file name of the software: ◦ For an HTTP server, the value is in the following format: http://<IP address>:<Port>/<Path>/<Software name> For example: http://192.168.10.1:80/tools/MD5.exe ◦ For an FTP server, the value is in the following format: ftp://<IP address>:<Port>/<Path>/<Software name> For example: 224 Configuring software deployment ftp://192.168.10.1:21/tools/MD5.exe ◦ For a file-share server, the value is in the following format: \\<IP address>\<Path>\<Software name> For example: \\192.168.10.1\tools\MD5.exe • CLI Parameters—Enter the CLI script to perform a quiet software installation. This field is available only when the Installation Type is set to Quiet Installation. • Setup File—How the setup file is handled after the software installation process is complete, which can be Deleted after Installation or Kept after Installation. This parameter is available only when the Installation Type is set to Quiet Installation or Interactive Installation. ◦ Deleted after Installation—The setup file is automatically deleted after the software installation process is complete. ◦ Kept after Installation—The setup file is kept after the software installation process is complete. Software deployment targets section The deployment targets include asset groups and individual assets. For a target asset group, the software is downloaded to and installed on all assets in the asset group. Deploy group list contents • All Asset Groups—Name of the asset group. Click the Expand All icon to expand all asset groups. Click the Collapse All icon to collapse all asset groups. When the group name carries an icon on the left, the group has subgroups. Click the icon to view software deployment information of the subgroups. Click the group name to enter the asset group details page. • Success Downloads—Number of assets in the asset group that have successfully downloaded the software. • Total Deployed—Number of assets in the asset group that are required to download the software. • Details—Click the Details icon to view the deploy task status of all assets in the asset group. Deploy asset list contents • Asset Number—Asset number of the asset. Click the asset number to view its details. • Asset Name—Name of the asset. • Group Name—Name of the group the asset belongs to. Click the group name to enter the asset group details page. • Asset Owner—Owner of the asset. • Task Status—Execution status of the task, which can be Not Executed, Deployment Succeeded, Deployment Failed, Download Succeeded, or Download Failed. Click the content of this field to view the task execution result for the asset. When you click the content in the Task Status field for an asset in the Deploy Group List section or on the Asset List of an asset group, you can view the list of all assets in the group. • Redeploy—Click the Redeploy icon to deploy the task again. This field is available only when the task status of the asset is Download Failed. Configuring software deploy tasks 225 Task execution result details • Task Name—Name of the software deploy task. • Task Status—Execution status of the task, which can be Not Executed, Deployment Succeeded, Deployment Failed, Download Succeeded, or Download Failed. • Asset Name—Name of the asset. • Asset Number—Asset number of the asset. • Asset Owner—Owner of the asset. • Asset Group—Asset group to which the asset belongs. • Execution Time—Time when the software deploy task started. • Finish Time—Time when the software deploy task finished. This field is available only when the task status of the asset is Download Succeeded or Download Failed. Viewing the software deploy task list To view the software deploy task list: 1. Click the Service tab. 2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. 4. Click Refresh to refresh the Software Deploy Task List. To sort the Software Deploy Task List, click the Task Name, Created at, Software Name, or Server Name column label. Viewing software deploy task details To view the software deploy task list: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. Click the name for the software deploy task you want to view. The Software Deploy Task Details page appears. 4. 5. To view a list of all assets in a group, click the Details icon Group List section. To go back to the Software Deploy Task List, click Back. for the asset group in the Deploy Querying software deploy tasks You can filter software deploy tasks through basic query or advanced query. Basic query criteria include several key parameters for quick search. Advanced query offers various query criteria for precise match. Basic query To perform a basic query for software deploy tasks: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. Click Basic Query at the upper right of the page. When Advanced Query is at the upper right of the page, you are already in basic query mode. Skip this step. 226 Configuring software deployment 4. Enter or select one or more of the following query criteria: • Task Name—Enter the software deploy task name. DAM supports fuzzy matching for this field. • Asset Number—Enter the asset number, which uniquely identifies an asset in DAM. All tasks that include the asset as the deployment target are queried. DAM supports fuzzy matching for this field. • . The Select Asset Group window Group Name—Click the Select Asset Group icon appears. Select a group and click OK. The Group Name field is automatically populated with the selected asset group. • Software Name—Enter the name of the software deployed in the task. DAM supports fuzzy matching for this field. When a field is empty, this field does not serve as a query criterion. 5. Click Query. The Software Deploy Task List displays all the software deploy tasks that match the query criteria. 6. Click Reset to clear the query criteria. The Software Deploy Task List displays all software deploy tasks. Advanced query To perform an advanced query for software deploy tasks: 1. Click the Service tab. 2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. Click Advanced Query at the upper right of the page. When Basic Query is at the upper right of the page, you are already in advanced query mode. Skip this step. 4. Enter or select one or more of the following query criteria: • Task Name—Enter the software deploy task name. DAM supports fuzzy matching for this field. • Asset Number—Enter the asset number. All tasks that include the asset as the deployment target are queried. DAM supports fuzzy matching for this field. • Created From/To—Set the time range when the software deploy task was created. You can click the Select Date and Time icon enter the value in YYYY-MM-DD format. to select the date and time, or manually • Group Name—Click the Select Asset Group icon. The Select Asset Group window appears. Select a group and click OK. The Group Name field is automatically populated with the selected asset group. • Server Name—Enter the name of the software deployment server. • Software Name—Enter the name of the software deployed in the task. DAM supports fuzzy matching for this field. When a field is empty, this field does not serve as a query criterion. 5. Click Query. The Software Deploy Task List displays all the software deploy tasks that match the query criteria. Configuring software deploy tasks 227 6. Click Reset to clear the query criteria. The Software Deploy Task List displays all software deploy tasks. Adding a software deploy task To add a software deploy task: 1. Click the Service tab. 2. Select Desktop Asset Manager>SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. Click Add. The Add Software Deploy Task page appears. 4. 5. Configure basic task information. The task name must be unique in EAD. Select target asset groups in the Deploy Group List area. Click the Expand All icon to display all asset groups. A group name with an icon on the left indicates that the group contains subgroups. Click the icon to display all subgroups of the group. 6. Select target assets in the Deploy Asset List area: a. Click Add Asset. The Asset List dialog box appears. b. Filter assets through basic query or advanced query. The Query Asset feature is displayed above the Asset List. The Advanced Query link is a toggle switch between Basic Query and Advanced Query. When the link is Advanced Query, you are in the basic query mode, and vice versa. Enter or select one or more of the following query criteria: • Asset Number—Enter the asset number. Each asset is assigned a unique asset number. DAM supports fuzzy matching for this field. • Asset Name—Enter the asset name. DAM supports fuzzy matching for this field. • Owner—Enter the owner of the asset. DAM supports fuzzy matching for this field. • Group Name—Click the Select Asset Group icon . The Select Asset Group window appears. Select a group and click OK. The Group Name field is automatically populated with the selected asset group. • Operating System—Enter the name of the operating system. DAM supports fuzzy matching for this field. This field is available only for advance queries. • Operating System Language—Select the operating system language, Chinese (PRC) or English. This field is available only for advance queries. • Operating System Patch—Enter the version of the operating system patch. DAM supports fuzzy matching for this field. This field is available only for advance queries. • Status—Select the status of the asset. Options are Online, Offline, and Unmanaged. This field is available only for advance queries. When a field is empty, this field does not serve as a query criterion c. d. e. Click Query. Select the assets you want to add in the Asset List. Click OK. All selected assets appear in the Deploy Asset List. 7. Click OK. 228 Configuring software deployment Modifying a software deploy task 1. 2. Click the Service tab. Select Desktop Asset Manager > SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. Click the Modify icon for the software deploy task you want to modify. The Modify Software Deploy Task page appears. 4. 5. 6. 7. Modify basic task information. Modify the target asset groups in the Deploy Group List area. Modify the target assets in the Deploy Asset List area by using one or both of the following methods: • Click Add Asset to select assets for the task. • Click the Delete icon for the undesired assets to remove them from the task. Click OK. Deleting software deploy tasks Deleting a software deploy task does not affect execution of the task on the client host when the task is already received by the iNode client. The iNode client can continue to download and install the software specified in the task. To delete one or more software deploy tasks: 1. Click the Service tab. 2. Select Desktop Asset Manager > SW Deploy Task from the navigation tree. The Software Deploy Task List displays all software deploy tasks. 3. 4. Select one or more software deploy tasks you want to delete. Click Delete. A confirmation dialog box appears. 5. Click OK. Configuring software deploy tasks 229 12 EAD audit EAD audit includes the following functions: • Viewing access user security logs—Record the access information of access users and the detailed information of security events. Operators can query security logs to identify security risks in the network, and take actions to enhance network security. • Client driver audit—Allows operators to query the driver errors to repair faulty terminals in time. • Viewing security status of online and roaming users—Use the online and roaming user lists. The Online User List also displays the client ACLs, device ACLs, traffic status, and online asset information. • Online user security check—Perform a security check for online user terminals at any time. Security check items include system information, screen saver protection and password setting, drive list information, shared directory information, installed software, installed patches, enabled services, and running processes. Performing a security check for an online user does not affect the security status of the user. Many EAD functions require cooperation of the iNode client. When the iNode client encounters driver errors, the security functions cannot work. The iNode client can send these errors to the EAD server. Security logs EAD records security logs for the following security events: • Assigning ACLs to users • Security check • Security recheck • Real-time monitoring By default, EAD records security logs only for access users failing security check. For EAD to record security logs for access users passing security check, enable the Generate logs after the security check is passed feature. For more information, see “Service parameters management” (page 310). Security log list contents • Account Name—Name of the account. Click the name to view detailed information about the user account. • Service Name—Service assigned to the access user. Click the name to view contents of the service configuration. • Login Date/Time—Date and time when the access user logged in. • User MAC Address—MAC address that the access user used for a security check. • User IP Address—IP address that the access user used for a security check. • Details—Click the Details icon to view detailed information about the security log. Security log details Security log details comprise the basic information area and the details area to present access information and security log contents for an access user. 230 EAD audit Basic information area • Account Name—Name of the account. This field serves as a link for navigating to the Access Account Info page. For more information, see HP IMC User Access Manager Administrator Guide. • Service Name—Service assigned to the access user. This field serves as a link for navigating to the Service Configuration Details page. For more information, see HP IMC User Access Manager Administrator Guide. • Login Time—Time when the user logged in. • User IP Address—IP address that the access user used for security check. • User MAC Address—MAC address that the access user used for security check. Details section • Log Type—Possible security log types include Security Check, Real-Time Monitoring, Security Re-Check, and Action. ◦ Security Check—EAD performs security check for an access user when the user logs in. When such a security event occurs, EAD records the event as a Security Check log. ◦ Real-Time Monitoring—EAD performs real-time monitoring for online access users. When an access user fails a check during real-time monitoring, EAD records the security event as a Real-Time Monitoring log. ◦ Security Re-Check—EAD performs another security check for an access user that has stayed online for a long time. EAD records such a security event as a Security Re-Check log. ◦ Action—EAD records a security ACL or an isolation ACL assignment action as an Action log. • Alarm Time—Time when EAD logs a security event/action. • Security Policy Name—Security policy used for the access user security check. • Security Status—Security status of the access user can be Passed Security Check, Monitored, Informed, Isolated, or Kicked out. • Details—Detailed reason for a security check failure of the access user. This field is empty for access users whose security status is Passed security check. Viewing the security log list To view the security log list: 1. Click the User tab. 2. Select Access User View > Log Management > Security Log from the navigation tree. The Security Log List displays the security logs generated for all access users on the current day. 3. To sort the list, click the Account Name, Login Date/Time, User MAC Address, or User IP Address column label. Viewing security log details Security log details include the access information of a user and the specific security log information recorded for the user during the online period, including the security ACL or isolation ACL assigned to the access user, security check information, security recheck information, real-time monitoring check result, and the security check failure reason. To view security log details: Security logs 231 1. 2. Click the User tab. Select Access User View > Log Management > Security Log from the navigation tree. The Security Log List displays the security logs generated for all access users on the current day. 3. Click the Details icon for a security log for which you want to view the details. The Security Log Details page appears. 4. To go back to the Security Log List, click Back. Querying security logs EAD provides the basic query and advanced query functions for you to search for security logs. Basic query To query security logs by using basic query mode: 1. Click the User tab. 2. Select Access User View > Log Management > Security Log from the navigation tree. The Security Log List displays the security logs generated for all access users on the current day. 3. Click Basic Query at the upper right corner of the page. When Advanced Query is at the upper right corner of the page, you are already in basic query mode. Skip this step. 4. 5. Enter or select one or more of the following query criteria: • Account Name—Enter an account name string. EAD supports for fuzzy matching for this field. • Service Name—Select a service from the service list. • Time Range From/To—Set a security log generation time range or click the Calendar icon to select one. The date and time settings must be in the format YYYY-MM-DD hh:mm. Click Query. The Security Log List displays the security logs that match the query criteria. 6. Click Reset to reset the query criteria. The Security Log List displays the security logs generated for all access users on the current day. Advanced query To query security logs by using advanced query mode: 1. Click the User tab. 2. Select Access User View > Log Management > Security Log from the navigation tree. The Security Log List displays the security logs generated for all access users on the current day. 3. Click Advanced Query at the upper right corner of the page. When Basic Query is at the upper right corner of the page, you are already in advanced query mode. Skip this step. 4. 232 EAD audit Enter or select one or more of the following query criteria: • Account Name—Enter an account name string. EAD supports fuzzy matching for this field. • User Name—Enter a user name string. One user can have multiple accounts. 5. • User Group—Click the Select User Group icon to select a user group. In the Select User Group window that appears, select a group and click OK. • Service Name—Select a service from the service list. • User IP Address From/To—Enter an IPv4 address range to match access users. • Security Policy Name—Select a security policy from the security policy list. • User MAC Address—Enter a MAC address string to match access users. This field supports these commonly used MAC address formats: XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX, and XXXX-XXXX-XXXX. For example, 02-50-F2-00-00-02, 02:50:F2:00:00:02, and 0250-F200-0002. • Time Range From/To—Set a security log generation time range or click the Calendar icon to select one. The date and time settings must be in the format YYYY-MM-DD hh:mm. • Security Status—Select the security status of access users. Options are Passed security check, Monitored, Informed, Isolated, and Kicked out. When an access user's log details include multiple security statuses, the security log of the access user displays only when one security status matches the selected one. • Security Check Item—Select a security check item from the security check item list. Options are Anti-virus software, Anti-spyware software, Firewall software, Anti-phishing software, Hard disk encrypt software, Patches, Patch Manager, Applications – software, Applications – processes, Applications – services, Applications – files, Registry, Traffic, OS password, Sharing, and Asset registration. Click Query. The Security Log List displays the security logs that match the query criteria. 6. Click Reset to reset the query criteria. The Security Log List displays the security logs generated for all access users on the current day. Client driver audit Many EAD functions require cooperation of the iNode client, such as client ACL, locking Internet access, illegal ARP packet filtering, and illegal DHCP packet filtering. When a client driver error occurs, for example, because the access user uninstalled the client driver by accident, the iNode client sends the error to the EAD server. Operators can use the iNode Driver Audit function to view iNode client errors and repair the erroneous user terminal in time. iNode driver list contents • Account Name—Account name of the access user who encountered a client driver error. Click the name to view detailed information about the user account. • Login Time—Date and time when the access user logged in. • Description—Description of the client driver error. Viewing client driver errors in the iNode Driver list To view client driver errors: 1. Click the User tab. 2. Select Access User View > Log Management > iNode Driver Audit from the navigation tree. The iNode Driver List displays the client driver errors generated by all access users on the current month. Client driver audit 233 Querying client drive errors To query client driver errors: 1. Click the User tab. 2. Select Access User View > Log Management > iNode Driver Audit from the navigation tree. The iNode Driver List displays the client driver errors generated by all access users on the current day. 3. 4. Enter or select one or more of the following query criteria: • Account Name—Enter an account name string. • to select a user group. In the Select User User Group—Click the Select User Group icon Group window that appears, select a group and click OK. The User Group field is automatically populated with the selected user group. • Start Time/End Time—Set a query time range or click the Calendar icon The date and time settings must be in the format YYYY-MM-DD hh:mm. to select one. Click Query. The iNode Driver List displays the iNode driver error logs that match the query criteria. 5. Click Reset to reset the query criteria. The iNode Driver List displays the client driver errors generated by all access users on the current month. Security status audit for online and roaming users Operators can view the security status of online and roaming users on the online and roaming user lists. The Online User List also displays the client ACLs, device ACLs, traffic status, and online asset information. Online users list contents After the EAD service component is deployed, the Security Status column is automatically added to the Online User List. Operators can customize the Online User List to display the Traffic Status, Client ACL, and Device ACL columns. The Security Check of Computer icon is added to the Operation column. After the DAM service component is deployed, the Asset details icon added to the Operation column. • 234 EAD audit is Security Status—Security status of an online user: ◦ No Security Authentication—The online user needs no security check. ◦ For Security Authentication—Security check is ongoing for the online user. ◦ Secure—The online user has passed all security check items and can access network resources properly. ◦ Monitored—The online user fails some security check items but can access network resources properly. EAD only records security logs for users in this security status. ◦ Informed—The online user fails some security check items, but can access network resources properly. EAD informs users of the failures for repair. ◦ Isolated—The online user fails some security check items and is required to repair the failures. Users in this security status are isolated and can access only the network resources permitted by the isolation ACL. ◦ Offline—The online user fails some security check items and is logged off immediately. ◦ For Isolation—The online user fails some security check items and is to be isolated. Users in this security status are isolated when the configured waiting time is reached. ◦ For Offline—The online user fails some security check items and is to be logged off. Users in this security status are logged off when the configured waiting time is reached. • Client ACL—Client ACL assigned to an online user. • Device ACL—Device ACL assigned to an online user. • Operation—This field contains five links: Details , Security Check of Computer Connect , Add to Blacklist or Release from Blacklist , and Asset details , Remote . ◦ Click the Security Check of Computer icon to perform a security check for the computer of an online user. This icon is available only after the EAD service component is deployed. For more information, see “Performing a computer security check” (page 238). ◦ Click the Asset details icon to view detailed asset information about an online user. This icon is available only after the DAM service component is deployed. For more information, see “Viewing asset details” (page 164). Roaming online user list contents The Roaming Online User List contents are the same as the Online User List contents. After the EAD service component is deployed, the Roaming Online User List displays the Security Status column. Viewing the online user list After the EAD service component is deployed, operators can view the security status, traffic status, client ACL, and device ACL of an online user. Operators can also perform a security check for the user on the Online User List. After the DAM service component is deployed, operators can also view the asset information of a user on the Online User List. To view the Online User List: 1. Click the User tab. 2. Select Access User View > All Online Users from the navigation tree. The Online User List displays all online users. 3. Click Refresh to refresh the Online User List. NOTE: UAM provides the functions of viewing online user details, remote desktop connection, and adding online users to or removing online users from the blacklist. For more information, see HP IMC User Access Manager Administrator Guide. Viewing the roaming online user list After the EAD service component is deployed, operators can view the security status of the roaming users on the Roaming Online User List. To view the Roaming Online User List: 1. Click the User tab. 2. Select Access User View > Roaming Online Users from the navigation tree. The Roaming Online User List displays all online roaming users. 3. Click Refresh to refresh the Roaming Online User List. Security status audit for online and roaming users 235 Customizing the online user list After the EAD service component is deployed, the Security Status column is automatically added to the online user list. Operators can use the Customize GUI function to add Traffic Status, Client ACL, and Device ACL columns to the Online User List. To customize the Online User List: 1. Click the User tab. 2. Select Access User View > All Online Users from the navigation tree. The Online User List displays all online users. 3. Click Customize GUI. The Customize GUI page appears. The Option List includes the columns that can be displayed on the Online User List. The Output List includes the columns that have been already displayed on the Online User List. You can select one or more items at a time. To select multiple items, press and hold down the Ctrl key and then select the items. • Click to add all items on the Option List to the Output List. • Click to add one or more items on the Option List to the Output List. • Click to remove one or more items from the Output List. • Click to remove all items from the Output List. • Click to move one or more items on the Output List to the top of the list. • Click to move up one or more items by one line on the Output List. • Click to move down one or more items by one line on the Output List. • Click to move one or more items on the Output List to the bottom of the list. The position of an item on the Output List determines the position of the item on the Online User List. The topmost item on the Output List displays in the first column of the Online User List, and so forth. 4. 5. Select Traffic Status, Client ACL, and Device ACL on the Option List, and click add them to the Output List. Click OK. to The Online User List displays the Traffic Status, Client ACL, and Device ACL columns. Performing a computer security check By using the computer security check function, operators can perform a security check for online user terminals at any time without affecting the security status of the user. Computer security check result details Computer security check result details comprise the following sections: • Basic information • Screen saver settings • Hard disk partition table • Share list • Installed software • Installed patches 236 EAD audit • Running services • Running processes Basic information section • Account Name—Account name of the access user. • Checked at—Time when the security check is finished. • Computer Name—Computer name of the online user terminal. • User Name—Online user name. • OS—Name of the operating system used by the online user terminal. Screen saver settings section • Screen Saver—Indicates whether the online user terminal enables the screen saver. • Display Logon Screen on Resume—Indicates whether password protection is enabled for the screen saver. • Screen Saver Startup Timeout—Screen idle timeout (in seconds) to start the screen saver. • Password Length—Length of the screen saver password, effective only for Windows 98. Hard disk partition table section • Hard Disk Number—Physical disk number of a partition. • Partition Number—Number of the partition. • Type—Number of the partition type. • Type Name—Name of the partition type. • Startup Partition—Indicates whether the partition is the startup partition. • Size—Size of the partition in MB. Share list section • No.—Number of a shared directory. This number is assigned by EAD. • Share Name—Name of the shared directory. • Local Path—Path of the shared directory. • Share Type—Type of the shared directory: ◦ Common Share—A relatively secure share type. The user can share files with the specified users or user groups and set the permission level. The user must delete the Everyone group from the Group or user names list to prevent unauthorized users from accessing the shared files. ◦ Default Share—An insecure share type. The default shares of Windows are likely to be used by attackers to attack the user terminal. ◦ Others—This type includes only one share named IPC$, which is used by Windows. • Type—Permission type for the specified user or user group to the shared directory. Options are Allow and Deny. This parameter is available only when the share type is Common Share. • Object—Name of the user or user group of the share. This parameter is available only when the share type is Common Share. Performing a computer security check 237 • Domain of Object—Domain name of the user or user group of the share. This parameter is available only when the share type is Common Share. This field is empty when the user or user group has not joined a domain. • Object Type—Type of the user or user group of the share. This parameter is available only when the share type is Common Share. Object type can be System Group, Custom Group, or User. This field is empty when the user or user group does not have this parameter. • ◦ System Group—The object permitted or denied access to the shared directory is a system-defined operating system group. ◦ Custom Group—The object permitted or denied access to the shared directory is a user-defined operating system group. ◦ User—The object permitted or denied access to the shared directory is a user. Right of Object—Permission that the user or user group has to the shared directory. This field is not empty only when the share type is Common Share. The permission can be Read-Only, Read-Write, or All. Installed software section • No.—Number of the software. This number is assigned by EAD. • Name—Name of the software. • Version—Version of the software. • Installed on—Time when the software was installed. Installed patches section • No.—Number of a patch. This number is assigned by EAD. • Software Name—Name of the software for which the patch is installed. • Software Version—Version of the software for which the patch is installed. • Name—Name of the patch. • Description—Description of the patch. • Installed at—Time when the patch was installed. • Type—Type of the patch. Running services section • No.—Number of a service. This number is assigned by EAD. • Name—Name of a service. Running processes section • No.—Number of a process. This number is assigned by EAD. • Name—Name of the process. Performing a computer security check To perform a computer security check for an online user: 1. Click the User tab. 2. Select Access User View > All Online Users from the navigation tree. The Online User List displays all online users. 238 EAD audit 3. Click the Security Check of Computer icon a security check. for an online user for which you want to perform The Computer Security Check page appears. 4. 5. Click Select All to select all check items or select the boxes next to the check items that you want to execute. Check items are Check System Information, Check Screen Saver and Password, Check Partition Table, Check Shares, Check Installed Software, Check Installed Patches, Check Running Services, and Check Running Processes. Click OK. The Computer Security Check Result page appears. 6. To go back to the Computer Security Check page, click Back. Performing a computer security check 239 13 EAD service reports The EAD service report function is implemented through the report feature of the IMC platform. All reports on the Report tab are template driven; they are generated from system or user-defined templates. IMC platform offers various reporting options. From the Report tab, you can quickly and easily access EAD service reports. Through the report feature of the IMC platform, you can view and export real-time reports and scheduled reports. The EAD component provides the system-defined service report templates shown in Table 16. Table 16 EAD service report templates Dependent service component Real-time report Scheduled report All-Node Online Users 24-Hour Trend Graph EAD Available Unavailable Asset Information Report DAM Available Available Asset Type Report DAM Available Available Asset Usage Report DAM Available Available CPU Report DAM Available Available Hard Disk Capacity Report DAM Available Available Illegal Peripheral Use Report DAM Available Available Insecurity Category Statistic EAD Report Available Available Multi-Node Certain Security EAD Policy Statistics Report Available Unavailable Multi-Node Online Users Comparison Chart EAD Available Unavailable Multi-Node Security Check Items Report EAD Available Unavailable Multi-Node Single-Security Check Item Failures Comparison Chart EAD Available Unavailable Multi-Node User Counts Comparison Chart EAD Available Unavailable Multi-Node User Data Statistics Report EAD Available Unavailable Online User Security Status Report EAD Available Available OS Language Report DAM Available Available OS Version Report DAM Available Available Safe Log Gather Statistic Report EAD Available Available Single-Node Online Users 24-Hour Trend Graph EAD Available Unavailable Template name 240 EAD service reports Table 16 EAD service report templates (continued) Template name Dependent service component Real-time report Scheduled report Single-Node Security Check EAD Failure Report Available Unavailable Software Installation Report Available Available DAM With the real-time report feature, you can configure your Report main page to include any of the real-time reports IMC offers for quick and easy access to the report. With the scheduled report feature, you can schedule real-time report to run daily, weekly, monthly, quarterly, semi-annually, or annually. You can define the start dates of data collection for generating scheduled reports and the end dates and times for the corresponding scheduled report tasks. Scheduled reports are stored on the IMC server for later viewing and downloading. Finally, you can include email recipients for all scheduled reports. In addition, you can configure the report format with options for: • Adobe Acrobat Portal Document Format (PDF) • Comma-Separated Value (CSV) • Microsoft Excel (XLS) The Report main page, accessed using the Report tab, is a blank page that every IMC operator can customize to meet individual reporting needs. For more information about the IMC platform reports, see HP IMC Base Platform Administrator Guide. Real-time reports Real-time reports offer historical reporting capabilities on the EAD and DAM service components. Table 17 lists the real-time reports generated based on the system-defined report templates provided by the EAD component. IMC allows you to define new templates as needed. Table 17 Real-time reports provided by EAD Real-time reports Service component All-Node Online Users 24-Hour Trend Graph EAD Asset Information report DAM Asset Type Report DAM Asset Usage Report DAM CPU Report DAM Hard Disk Capacity Report DAM Illegal Peripheral Use Report DAM Insecurity Category Statistic Report EAD Multi-Node Certain Security Policy Statistics Report EAD Multi-Node Online Users Comparison Chart EAD Multi-Node Security Check Items Report EAD Multi-Node Single-Security Check Item Failures Comparison EAD Chart Multi-Node User Counts Comparison Chart EAD Real-time reports 241 Table 17 Real-time reports provided by EAD (continued) Real-time reports Service component Multi-Node User Data Statistics Report EAD Online User Security Status Report EAD OS Language Report DAM OS Version Report DAM Safe Log Gather Statistic Report EAD Single-Node Online Users 24-Hour Trend Graph EAD Single-Node Security Check Failure Report EAD Software Installation Report DAM All-node online users 24-hour trend graph This report collects statistics about the number of online users at each of the 24 hours of a day for the current node and all its child nodes. The online users fall into secure online users, insecure online users, and unknown online users. To view the all-node online users 24-hour trend graph: 1. Click the Report tab. 2. Click All-Node Online Users 24-Hour Trend Graph link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Click the Calendar icon in the Query Time section. A popup calendar appears. Select the day for querying the report statistics from the calendar. 4. Click OK. The all-node online users 24-hour trend graph appears in an Intelligent Analysis Report Viewer window. Figure 17 All-node online users 24-hour trend graph 242 EAD service reports All-node online users 24-hour trend graph parameters • Statistics Time—Day when statistics are collected by the report. • Report Time—Time when the report is generated. • Description—A brief description of the report. All-node online users 24-hour trend graph fields • Number of online users—Displays the number of online users at each of the 24 hours of a day for all nodes, including the secure online users, insecure online users, and unknown online users. • Number of secure online users—Displays the number of secure online users at each of the 24 hours of a day for all nodes. • Number of insecure online users—Displays the number of insecure online users at each of the 24 hours of a day for all nodes. • Number of secure online users—Displays the number of unknown online users at each of the 24 hours of a day for all nodes. Asset information report This report collects statistics about the newly added and existing assets, memory size, and hard-disk capacity of an asset group (excluding its subgroups) in each month in a specified time range. The report displays only the statistics of the asset groups to which the current operator has privileges, and does not display the asset statistics in the current month. To view the asset information report: 1. Click the Report tab. 2. Click Asset Information Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. In the Start Month area, select the start month for report statistics collection; in the End Month area, select the end month for report statistics collection. The asset statistics of the current month are not displayed in the report. 4. Click OK. The asset information report appears in an Intelligent Analysis Report Viewer window. Figure 18 Asset information report Real-time reports 243 Asset information report parameters • Start Month—Start month for report statistics collection. • End Month—End month for report statistics collection. • Report Time—Time when the report is generated. • Description—A brief description of the report. Asset information report fields This report displays the per-month asset statistics. Table 18 describes the fields in the report. Table 18 Statistical items Statistical item Description Asset Group Name of the asset group. New Number of newly added assets in the asset group in a specified time range. Total Total number of assets in the asset group in a specified time range. New (GB) Size of newly added memory in the asset group in a specified time range. Total (GB) Total size of memory in the asset group in a specified time range. New (GB) Capacity of newly added hard disks in the asset group in a specified time range. Total (GB) Total capacity of hard disks in the asset group in a specified time range. Asset Memory Hard disk Asset type report This report collects statistics about the asset types and the number of assets of each type for all registered assets in the specified asset group (including its subgroups). The asset types are Laptop, PC, Server, Workstation, and Others. The report displays only the statistics of the asset group to which the current operator has privileges. To view the asset type report: 1. Click the Report tab. 2. Click Asset Type Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. In the Asset Group area, select the asset group whose statistics are to be collected. The system then collects statistics about the types of assets in the asset group and its subgroups. 244 EAD service reports 4. Click OK. The asset type report appears in an Intelligent Analysis Report Viewer window. Figure 19 Asset type report Asset type report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. The report collects statistics about the asset types and the number of assets of each type for all registered assets in an asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Asset type statistics pie chart The asset type statistics pie chart displays the distribution of asset types. The asset type can be PC, Workstation, Laptop, Server, or Others. Click a slice in the pie chart to see statistics about the type of assets. Asset type statistics Figure 20 shows the statistics for asset types. Figure 20 Asset type statistics • Asset Type—Type of assets whose statistics are collected. • Amount—Number of assets belonging to this type. • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Status—Status of the asset. Options are Online and Offline. • Owner—Owner of the asset. • Managed at—Time when the asset began to be managed. Real-time reports 245 • Location—Room where the asset resides. • Remarks—Remarks on the asset. Asset usage report This report collects statistics about the assets which have been offline for more than the specified days. This report displays the statistics about only the asset groups to which the current operator has privileges. To view the asset usage report: 1. Click the Report tab. 2. Click Asset Usage Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. In the Min. Idle Time field, enter the minimum number of idle days. The system collects statistics about the assets that have been offline for more than the specified days. 4. Click OK. The asset usage report appears in an Intelligent Analysis Report Viewer window. Figure 21 Asset usage report Asset usage report parameters • Report Time—Time when the report is generated. • Min. Idle Time—Minimum number of idle days. Statistics about assets that have been offline for more than the specified days are displayed in the report. • Description—A brief description of the report. Asset usage report fields • Asset Number—Asset number of the idle asset. • Asset Group—Asset group of the idle asset. • Owner—Owner of the asset. • Management Time—Time when the asset began to be managed. • Last Off-line—Time when the asset went offline last time. • Idle Period—Days for which the asset has been idle. 246 EAD service reports CPU report This report collects statistics about the assets whose CPU frequencies meet the specified conditions in the specified asset group (including its subgroups). This report displays the statistics about only the asset groups to which the current operator has privileges. To view the CPU report: 1. Click the Report tab. 2. Click CPU Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. In the Minimum Frequency (MHz) field, enter the minimum frequency value for the CPU frequency range; in the Maximum Frequency (MHz) field, enter the maximum frequency value for the CPU frequency range. The CPU frequencies shown in the report must meet the following criteria: Minimum Frequency ≤ CPU Frequency < Maximum Frequency. 4. From the Asset Group list, select the asset group whose statistics are to be collected. The system then collects CPU statistics about the assets in the asset group and its subgroups. 5. Click OK. The CPU report appears in an Intelligent Analysis Report Viewer window. Figure 22 CPU report CPU report parameters • Minimum Frequency—Minimum frequency (in MHz) of the CPU frequency range. • Maximum Frequency—Maximum frequency (in MHz) of the CPU frequency range. • Report Time—Time when the report is generated. • Group Name—Name of the asset group. The report collects CPU statistics about the registered assets in an asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. CPU report fields • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. Real-time reports 247 • Owner—Owner of the asset. • CPU SN—Number of the CPU in the operating system. • CPU Name—Product name of the CPU. • Frequency—Frequency (in MHz) of the asset's CPU. Hard-disk capability report This report collects statistics about the number of hard disks in the specified asset group (including its subgroups), and classifies the hard disks according to their capacity: <80 GB, [80 GB to 160 GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB. The report displays the hard disk capacity statistics of only the asset groups to which the current operator has privileges. To view the hard disk capacity report: 1. Click the Report tab. 2. Click Hard Disk Capacity Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. From the Asset Group list, select the asset group whose statistics are to be collected. The system collects hard disk capacity statistics about the assets in the asset group and its subgroups. 4. Click OK. The hard disk capacity report appears in an Intelligent Analysis Report Viewer window. Figure 23 Hard disk capacity report Hard disk capacity report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. The report collects hard-disk capacity statistics about the registered assets in an asset group (including its subgroups). All indicates all asset groups. 248 EAD service reports The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Hard disk capacity statistics pie chart The hard disk capacity statistics pie chart displays the distribution of hard-disk capacity. The hard-disk capacity is classified into the following levels: <80 GB, [80 GB to 160 GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB. Click a slice in the pie chart to see statistics about the type of hard disks. Hard disk type statistics Figure 24 shows statistics for a type of hard disk. Figure 24 Hard disk type statistics • Hard Disk Capacity—Capacity level of hard disks whose statistics are collected. • Amount—Number of hard disks belonging to this capacity level. • Asset Number—Asset number of the asset where the hard disk resides. • Asset Name—Name of the asset where the hard disk resides. • Owner—Owner of the asset where the hard disk resides. • Hard Disk Number—Number of the hard disk in the operating system. • Interface Type—Interface type of the hard disk. • Model—Model of the hard disk. • Total Partitions—Number of partitions on the hard disk. • Hard Disk Size—Size of the hard disk (in GB). Illegal peripheral use report This report collects statistics about the illegal peripheral usage types and the times of each type for the specified asset group (including its subgroups) in a specified time range. The peripheral types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM/LPT, Infrared, Bluetooth, 1394, and Modem. The report displays the illegal peripheral usage types and the times of each type for only the asset groups to which the current operator has privileges. To view the illegal peripheral use report: 1. Click the Report tab. 2. Click Illegal Peripheral Use Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. In the Start Time and End Time area, select a time range for the report. Options are Last Five Minutes, Last Ten Minutes, Last Thirty Minutes, and Custom Range. When you select Custom Range, the Start Time and End Time fields appear. Real-time reports 249 4. Click the Calendar icon in the Start Time field to select the start time. This parameter sets the start date for the specific time range in a data collection period. 5. Click the Calendar icon in the End Time field to select the end time. This parameter sets the end date for the specific time range in a data collection period. 6. From the Asset Group list, select the asset group whose statistics are to be collected. The system then collects statistics about the illegal peripheral usage types and the times of each type for the asset group and its subgroups. 7. Click OK. The illegal peripheral use report appears in an Intelligent Analysis Report Viewer window. Figure 25 Illegal peripheral use report Illegal peripheral use report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects statistics about the illegal peripheral usage types and the times of each type for the specified asset group (including its subgroups) in a specified time range. All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. 250 EAD service reports Illegal peripheral use statistics pie chart The pie chart displays the distribution of illegal peripheral usage types in a specified time range. The illegal peripheral usage types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM/LPT, Infrared, Bluetooth, 1394, and Modem. Click a slice in the pie chart to see statistics about the type of illegal peripheral usage. Illegal peripheral usage type statistics Figure 26 shows statistics about the illegal peripheral usage type. Figure 26 Illegal peripheral usage type statistics • Peripheral—Type of peripheral usage whose statistics are collected. • Amount—Times of the type of illegal peripheral uses. • Asset Number—Asset number of the asset. • Owner—Owner of the asset. • Operation Time—Time when the server records the illegal peripheral usage. • Disable Result—Indicates whether the iNode client successfully disables the illegal peripheral. • Device Description—Description of the peripheral illegally used. Insecurity category statistic report This report collects statistics about the security check failures of each insecurity category for the current EAD node in a specified time range. The insecurity category refers to the reason for the security check failures: • Anti-Virus Software • Anti-Spyware Software • Firewall Software • Anti-Phishing Software • Hard Disk Encryption Software • Windows Patches • Patch Manager • Applications - Software • Applications - Processes • Applications - Services • Applications - Files • Registry • Traffic • OS Password Sharing • Asset Registration Real-time reports 251 To view the insecurity category statistic report: 1. Click the Report tab. 2. Click Insecurity Category Statistic Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Click the Calendar icon in the Begin Time field to select the begin time. This parameter sets the start date for the specific time range in a data collection period. 4. Click the Calendar icon in the End Time field to select the end time. This parameter sets the end date for the specific time range in a data collection period. 5. Click OK. The insecurity category statistic report appears in an Intelligent Analysis Report Viewer window. Figure 27 Insecurity category statistic report Insecurity category statistic report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Description—A brief description of the report. Insecurity category statistic pie chart The insecurity category statistic pie chart displays the percentage of the security check failures of each insecurity category to the total security check failures. Click a slice in the pie chart to see statistics about the specified insecurity category. Insecurity category statistics Figure 28 shows the statistics for an insecurity category. 252 EAD service reports Figure 28 Insecurity category statistics • Insecurity Category—Insecurity category whose statistics are collected. • Count—Number of insecurity check failures belonging to the insecurity category. • Account—Account name of the access user. • Full Name—Full name of the access user. • User Group—User group to which the access user belongs. • Service Name—Name of the service which the access user applies for. • Strategy Name—Name of the security policy that the access user uses. • User IP Address—IP address of the access user. • User MAC Address—MAC address of the access user. • Date—Date when the security check failure occurs. • Insecurity Description—Description of the security check failure. Multi-node certain security policy statistics report This report collects statistics about the security policies of multiple EAD nodes (the current node and its child nodes). You can filter the security policy statistics according to the status (enabled or disabled) of the specified security check items in the security policies. To view the multi-node certain security policy statistics report: 1. Click the Report tab. 2. Click Multi-Node Certain Security Policy Statistics Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Configure the security check items whose statistics are to be collected. The security check items follow: • Check Anti-Virus Software • Check Anti-Spyware Software • Check Firewall Software • Check Anti-Phishing Software • Check Hard Disk Encryption Software • Check Applications • Check Patch Management Software Real-time reports 253 • Check Windows Patches • Check Registry • Check Share • Enable Traffic Control • Check Operating System Password Options are Unlimited, Enabled, and Disabled. 4. ◦ Unlimited—Does not limit the related security check items. The security policies with the specified security check items enabled and the security policies with the specified security check items disabled are all displayed. ◦ Enabled—Displays only the security policies with the specified security check items enabled. ◦ Disabled—Displays only the security policies with the specified security check items disabled. Click OK. The multi-node certain security policy statistics report appears in an Intelligent Analysis Report Viewer window. Figure 29 Multi-node certain security policy statistics report Multi-node certain security policy statistics report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. Multi-node certain security policy statistics report fields • Node Name—Name of the current node or child node. • IP Address—IP address of the current node or child node. • Status—Status of the current node or child node. • Security Policy Name—Security policy matching the filtering conditions. • Report Time—Time when the node reported the statistics. Multi-node online users comparison chart This report compares the number of online users of multiple EAD nodes (the current node and its child nodes) at a specific time. The online users fall into secure online users, insecure online users, and unknown online users. The total number of online users is the sum of the number of users of each type. When no data is received from a node, the report does not show the node. To view the multi-node online users comparison chart: 1. Click the Report tab. 254 EAD service reports 2. Click Multi-Node Online Users Comparison Chart link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. 4. Click the Calendar icon in the Query Time field to select the time for querying the report statistics. Click the radio button to the left of delay time, and set the delay to 5 minutes or 10 minutes. The system collects the number of online users for the current node and its child nodes and generates a chart to compare the online users of multiple nodes of the statistics time. The statistics time is calculated as follows: the system deducts the delay from the query time, and then rounds the result down to a multiple of half an hour. For example, when the query time is 2011-07-01 08:07:00 and the delay is 5 minutes, the report collects the statistics of 2011-07-01 08:00:00. When you modify the delay to 10 minutes, the system collects the statistics of 2011-07-01 07:30:00. 5. Select the nodes that you want to compare. The available node list contains the nodes that can be compared. The selected node list contains the nodes that are to be compared. You can hold down Ctrl and use the mouse to select multiple nodes. 6. • Click the Copy all icon node list. • Click the Copy icon the selected node list. to add one or more nodes on the available node list to • Click the Remove icon list. to remove one or more nodes from the selected node • Click the Remove all icon to add all nodes on the available node list to the selected to remove all nodes from the selected node list. Click OK. The multi-node online users comparison chart appears in an Intelligent Analysis Report Viewer window. Figure 30 Multi-node online users comparison chart Real-time reports 255 Multi-node online users comparison chart parameters • Statistics Time—Time when statistics are collected by the report. • Report Time—Time when the report is generated. • Description—A brief description of the report. Multi-node online users comparison chart • Number of online users—Displays the number of online users of the specified node at the specified time in a histogram. The online users include the secure online users, insecure online users, and unknown online users. • Number of secure online users—Displays the number of secure online users of the specified node at the specified time in a histogram. • Number of insecure online users—Displays the number of insecure online users of the specified node at the specified time in a histogram. • Number of unknown online users—Displays the number of unknown online users of the specified node at the specified time in a histogram. Multi-node security check items report This report collects statistics about the security policy configuration of multiple EAD nodes (the current node and its child nodes). You can filter the security check items in security policies according to the status (enabled or disabled) of security check items. To view the multi-node security check items report: 1. Click the Report tab. 2. Click Multi-Node Security Check Items Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Configure the security check items to be filtered. The security check items follow: • Check Anti-Virus Software • Check Anti-Spyware Software • Check Firewall Software • Check Anti-Phishing Software • Check Hard Disk Encryption Software • Check Applications • Check Patch Management Software • Check Windows Patches • Check Registry • Check Share • • Check Operating System Password Traffic Control Options are Display and Hide. ◦ Display—Displays the status (enabled or disabled) of the specified security check items. ◦ Hide—Not displays the status (enabled or disabled) of the specified security check items. 256 EAD service reports 4. Select the nodes whose security policy configurations are to be compared. The available node list contains the nodes that can be compared. The selected node list contains the nodes that are to be compared. You can hold down Ctrl and use the mouse to select multiple nodes. 5. • Click the Copy all icon node list. • Click the Copy icon the selected node list. • Click the Remove icon list. • Click the Remove all icon to add all nodes on the available node list to the selected to add one or more nodes on the available node list to to remove one or more nodes from the selected node to remove all nodes from the selected node list. Click OK. The multi-node security check items report appears in an Intelligent Analysis Report Viewer window. Figure 31 Multi-node security check items report Multi-node security check items report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. Multi-node security check items report fields • Node Name—Name of the current node or child node. • Security Policy Name—Name of the security policy of the node. • Report Time—Time when the node reported the statistics. • Security Check Item—Displays the enabled security check items and disabled security check items. ◦ Enabled—Security check items enabled in the security policy. ◦ Disabled—Security check items disabled in the security policy. Real-time reports 257 Multi-node single-security check item failures comparison chart This report compares the check results of the specified security check item on multiple EAD nodes (the current node and its child nodes), and collects the statistics on a per-day, per-week, or per-month basis in the query time. When no data is received from a node, the report does not show the node. To view the multi-node single-security check item failures comparison chart: 1. Click the Report tab. 2. Click Multi-Node Single-Security Check Item Failures Comparison Chart link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Select a report type from the Report Type list. Options are Daily report, Weekly report, and Monthly report. 4. Click the Calendar icon in the Query Time field to select the query time for the report statistics. The generated report collects statistics about Security check results on the specified nodes on a per-day, per-week, or per-month basis in the query time. 5. Select a security check item from the Query Item list. The security check items follow: 6. • Anti-virus software • Anti-spyware software • Firewall software • Anti-phishing software • Hard disk encrypt software • Application control group check • Patch Management Software • Patches • Registry • Sharing • Traffic • OS password • Asset registration Select the nodes whose statistics are to be collected and compared. The available node list contains the nodes whose statistics can be collected and compared. The selected node list contains the nodes whose statistics are to be collected and compared. You can hold down Ctrl and use the mouse to select multiple nodes. • Click the Copy all icon selected node list. to add all nodes on the available node list to the • Click the Copy icon the selected node list. to add one or more nodes on the available node list to • Click the Remove icon list. to remove one or more nodes from the selected node • Click the Remove all icon 258 EAD service reports to remove all nodes from the selected node list. 7. Click OK. The multi-node single-security check item failures comparison chart appears in an Intelligent Analysis Report Viewer window. Figure 32 Multi-node single-security check item failures comparison chart Multi-node single-security check item failures comparison chart parameters • Start Date—Start date for the report statistics. • End Date—End date for the report statistics. • Report Time—Time when the report is generated. • Security Check Item—Security check item whose statistics are collected in the report. • Description—A brief description of the report. Multi-node single-security check item failures comparison chart The chart displays the failure times of a security check item on each node in a specified time range in a histogram. Multi-node user counts comparison chart This report compares the number of users of multiple EAD nodes (the current node and its child nodes) at a specific time. The users include access users created, blacklist users, and guests. When no data is received from a node, the report does not show the node. To view the multi-node user counts comparison chart: 1. Click the Report tab. 2. Click Multi-Node User Counts Comparison Chart link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Click the Calendar icon statistics. in the Query Time field to select the time for querying the report Real-time reports 259 4. Click the radio button to the left of delay time, and set the delay to 5 minutes or 10 minutes. The system collects the number of users for the current node and its child nodes and generates a chart to compare the users of multiple nodes of the statistics time. The statistics time is calculated as follows: the system deducts the delay from the query time, and then rounds the result down to a multiple of half an hour. For example, when the query time is 2011-07-01 08:07:00 and the delay is 5 minutes, the report collects the statistics of 2011-07-01 08:00:00. When you modify the delay to 10 minutes, the system collects the statistics of 2011-07-01 07:30:00. 5. Select the nodes whose user counts you want to compare. The available node list contains the nodes whose statistics can be collected and compared. The selected node list contains the nodes whose statistics are to be collected and compared. You can hold down Ctrl and use the mouse to select multiple nodes. 6. • Click the Copy all icon node list. • Click the Copy icon the selected node list. • Click the Remove icon list. • Click the Remove all icon to add all nodes on the available node list to the selected to add one or more nodes on the available node list to to removes one or more nodes from the selected node to remove all nodes from the selected node list. Click OK. The multi-node user counts comparison chart appears in an Intelligent Analysis Report Viewer window. Figure 33 Multi-node user counts comparison chart Multi-node user counts comparison chart parameters • Statistics Time—Time when statistics are collected by the report. • Report Time—Time when the report is generated. • Description—A brief description of the report. 260 EAD service reports Multi-node user counts comparison chart The chart displays the number of users for multiple nodes at a specific time in a histogram. • Number of created access users—Number of access users created on the node in a specified time range. • Number of blacklist users—Number of users added to the blacklist on the node in a specified time range. • Number of guests—Number of guests on the node in a specified time range. Multi-node user data statistics report This report collects and compares the user data statistics of the current EAD node and all its child EAD nodes. The user data statistics include the number of access users, blacklisted users, guests, online users, secure online users, insecure online users, and unknown online users. To view the multi-node user data statistics report: 1. Click the Report tab. 2. Click Multi-Node User Data Statistics Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The multi-node user data statistics report appears in an Intelligent Analysis Report Viewer window. Figure 34 Multi-node user data statistics report Multi-node user data statistics report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. Multi-node user data statistics report fields • Node Name—Name of the node. This column displays the name of the current node and its child node. • Access Users—Number of access users on the node. • Blacklisted Users—Number of blacklisted users on the node. • Guests—Number of guests on the node. • Online Users—Number of online users on the node. • Secure Online Users—Number of secure online users on the node. • Insecure Online Users—Number of insecure online users on the node. • Unknown Online Users—Number of unknown online users on the node. • Statistics Time—Time when statistics are collected. Real-time reports 261 Online user security status report This report collects statistics about the security status of all users in a specified user group (including its subgroups). The report collects statistics about only the user groups to which the current operator has privileges. The security status of an online user can be no security authentication needed, waiting for security authentication, secure, insecure, or others. To view the online user security status report: 1. Click the Report tab. 2. Click Online User Security Status Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. From the User Group list, select the user group whose statistics are to be collected. The system then collects user security status statistics about the users in the user group and its subgroups. 4. Click OK. The online user security status report appears in an Intelligent Analysis Report Viewer window. Figure 35 Online user security status report Online user security status report parameters • User Group—Name of the user group. This report collects statistics about the security status of all users in a user group (including its subgroups). All indicates all user groups. The report collects statistics about only the user groups to which the current operator has privileges. • Report Time—Time when the report is generated. • Description—A brief description of the report. Online user security status category statistics pie chart This report displays the distribution of the security status of all users in a user group (including its subgroups). The security status of an online user can be No Security Authentication Needed, Waiting for Security Authentication, Secure, Insecure, or Others. Click a slice in the pie chart to see statistics about online users in the specified security status. Online user security status statistics Figure 36 shows the statistics about online users in the specified security status. 262 EAD service reports Figure 36 Online user security status statistics • Security Status—Security status whose statistics are collected. • Count—Number of online users in the specified security status. • Service—Name of the service that the user uses for login. • Device IP—Access device IP address of the user. • User IP—IP address of the online user. • Access Time—Time when the user logs in. OS language report This report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). The report collects statistics about only the asset groups to which the current operator has privileges. The language types are Chinese (PRC), English, and Others. To view the OS language report: 1. Click the Report tab. 2. Click OS Language Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. From the Asset Group list, select the asset group whose statistics are to be collected. The system collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the asset group (including its subgroups). 4. Click OK. The OS language report appears in an Intelligent Analysis Report Viewer window. Figure 37 OS language report Real-time reports 263 OS language report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. • Group Name—Name of the asset group. This report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. OS language statistics pie chart This report displays the distribution of the OS language types of all registered assets in the specified asset group (including its subgroups). The recognizable language types are Chinese (PRC), English, and Others. Click a slice in the pie chart to see asset statistics about the specified OS language type. Asset statistics Figure 38 shows the asset statistics for an OS language type. Figure 38 Asset statistics for an OS language type • OS language—OS language type whose asset statistics are collected. • Amount—Number of assets using the OS language type. • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. • Operating System—Operating system running on the asset. • Version—Version of the operating system running on the asset. • Patch—Service pack version of the operating system running on the asset. • Installed on—Time when the operating system is installed on the asset. OS version report This report collects statistics about the OS versions and the number of assets running each OS version for all registered assets, and displays the distribution of top five OS versions. The report collects statistics about only the asset groups to which the current operator has privileges. To view the OS version report: 1. Click the Report tab. 2. Click OS Version Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) 3. Click OK. The OS version report appears in an Intelligent Analysis Report Viewer window. 264 EAD service reports Figure 39 OS version report OS version report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. OS version statistics pie chart The pie chart displays the distribution of top five OS versions for all the registered assets. Click a slice in the pie chart to see asset statistics for the specified OS version. Asset statistics Figure 40 shows the asset statistics for an OS version Figure 40 Asset statistics for an OS version • Version—OS version whose asset statistics are collected. • Amount—Number of assets running the OS version. • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. • OS Language—OS language type of the asset. • Patch—Service pack version of the operating system running on the asset. • Installed on—Time when the operating system is installed on the asset. Safe log gather statistic report This report collects statistics about the security logs of the current EAD node and all of its child nodes, and displays the distribution of the following types of insecurity events: • Anti-virus software • Anti-spyware software Real-time reports 265 • Firewall software • Anti-phishing software • Hard disk encryption software • Windows patches • Patch manager • Applications - software • Applications - processes • Applications - services • Applications - files • Registry • Traffic • OS password • Sharing • Asset registration To view the safe log gather statistic report: 1. Click the Report tab. 2. Click Safe Log Gather Statistic Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. Click the Calendar icon in the Begin Time field to select the begin time. This parameter sets the start date for the specific time range in a data collection period. 4. Click the Calendar icon in the End Time field to select the end time. This parameter sets the end date for the specific time range in a data collection period. 5. From the Grade Node list, select the node whose statistics are to be collected. The system collects statistics about the security logs of the current EAD node and all its child nodes, and displays the distribution of each type of insecurity events. 266 EAD service reports 6. Click OK. The safe log gather statistic report appears in an Intelligent Analysis Report Viewer window. Figure 41 Safe log gather statistic report Safe log gather statistic report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Grade Node—Name of the node whose statistics are collected by the report. All indicates all nodes. The report collects statistics about only the nodes to which the current operator has privileges. • Description—A brief description of the report. Safe log gather statistic pie chart The pie chart displays the distribution of insecurity events on a node and all of its child nodes. The insecurity events follow: • Anti-virus software • Anti-spyware software • Firewall software • Anti-phishing software • Hard disk encryption software • Windows patches • Patch manager • Applications - software • Applications - processes • Applications - services • Applications - files Real-time reports 267 • Registry • Traffic • OS password • Sharing • Asset registration Click a slice in the pie chart to see statistics for the specified insecurity category. Insecurity category statistics Figure 42 shows the statistics for an insecurity category. Figure 42 Insecurity category statistics • Insecurity Category—Insecurity category whose statistics are collected. • Count—Number of insecurity events belonging to the insecurity category. • Node Name—Name of the current node or child node. • Statistics Date—Date when the statistics are collected. • Amount—Number of insecurity events. Single-node online users 24-hour trend graph This report displays the number of online users on a single EAD node at each of the 24 hours in the specified day. The online users fall into secure online users, insecure online users, and unknown online users. The total number of online users is the sum of the number of online users of each type. To view the single-node online users 24-hour trend graph: 1. Click the Report tab. 2. Click Single-Node Online Users 24-Hour Trend Graph link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. 4. Click the Calendar icon in the Query Time field to select the date for the report statistics. From the Grade Node list, select the node whose statistics are to be collected. The system collects the number of online users on the node at each of the 24 hours in the day. 268 EAD service reports 5. Click OK. The single-node online users 24-hour trend graph appears in an Intelligent Analysis Report Viewer window. Figure 43 Single-node online users 24-hour trend graph Single-node online users 24-hour trend graph parameters • Statistics Time—Day when statistics are collected by the report. • Report Time—Time when the report is generated. • Node Name—Name of the node whose statistics are collected. Description—A brief description of the report. Single-node online users 24-hour trend graph • Number of online users—Number of online users of the specified node at each of the 24 hours in the specified day. The online users include the secure online users, insecure online users, and unknown online users. • Number of secure online users—Number of secure online users at each of the 24 hours in the specified day. • Number of insecure online users—Number of insecure online users at each of the 24 hours in the specified day. • Number of unknown online users—Number of unknown online users at each of the 24 hours in the specified day. Single-node security check failure report This report collects statistics about the security check failures of a single EAD node (the current node or its child node). The report statistics can be collected on a per-day, per-week, or per-month basis of the specified query time. The security check failure reasons follow: • Anti-virus software check failures • Anti-phishing software check failures • Firewall software check failures Real-time reports 269 • Anti-spyware software check failures • Hard disk encryption software check failures • Windows patch check failures • Patch management software check failures • Application check failures • Registry check failures • Shared-directory check failures • Traffic monitoring check failures • Operating system password check failures • Asset registration check failures To view the single-node security check failure report: 1. Click the Report tab. 2. Click Single-Node Security Check Failure Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. From the Grade Node list, select the node whose statistics are to be collected. The system collects statistics about the security check failure reasons and the number of security check failures for the access users on the node. 4. 5. Click the Calendar icon in Query Time field to select the time for the report statistics. From the Report Type list, select a report type. The report types include Daily Report, Weekly Report, and Monthly Report. The report statistics can be collected on a per-day, per-week, or per-month basis in the specified time range. 6. Click OK. The single-node security check failure report appears in an Intelligent Analysis Report Viewer window. Figure 44 Single-node security check failure report 270 EAD service reports Single-node security check failure report parameters. • Start Date—Start date for the report statistics. • End Date—End date for the report statistics. • Report Time—Time when the report is generated. • Node Name—Name of the node whose statistics are collected. • Description—A brief description of the report. Single-node security check failure bar chart This chart displays the statistics about the security check failures of a single EAD node (the current node or its child node). The security check failure reasons follow: • Anti-virus software check failures • Anti-phishing software check failures • Firewall software check failures • Anti-spyware software check failures • Hard disk encryption software check failures • Windows patch check failures • Patch management software check failures • Application check failures • Registry check failures • Shared-directory check failures • Traffic monitoring check failures • Operating system password check failures • Asset registration check failures The security check failure statistics are collected by account, service, and security check item. For example, when an account uses the same service and security check item to encounter two security check failures, the report considers them as one failure; when an account uses different services and the same security check item to encounter two security check failures, the report considers them as two failures. Software installation report This report collects statistics about the software names and the number of assets with each type of software installed for all registered assets in the specified asset group (including its subgroups). The report collects statistics only about the asset groups to which the current operator has privileges. To view the software installation report: 1. Click the Report tab. 2. Click Software Installation Report link in the My Real-Time Reports [Edit Mode] section. (Verify that this link displays [Edit Mode] as this confirms that you are in view mode.) The Set Parameter dialog box appears. 3. From the Asset Group list, select the asset group whose statistics are to be collected. The system collects statistics about the software names and the number of assets with each type of software installed for all registered assets in the asset group (including its subgroups). Real-time reports 271 4. Click OK. The software installation report appears in an Intelligent Analysis Report Viewer window. Figure 45 Software installation report Software installation report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects statistics about the software names and the number of assets with each type of software installed for all registered assets in the specified asset group (including its subgroups).All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Software installation report fields • Software Name—Name of the software installed on the assets. • Software Version—Version of the software. The software installation report separately collects statistics about the software products with the same name but different versions. • Assets—Number of assets with the software installed. Scheduled reports You can schedule any real-time report to run daily, weekly, monthly, quarterly, semi-annually, or annually. You can define the start dates of data collection for generating scheduled reports and 272 EAD service reports the end dates and times for the corresponding scheduled report tasks. You can also configure the report format with options for the following: • Adobe Acrobat Portal Document Format (PDF) • Comma Separated Value (CSV) • Microsoft Excel (XLS) You can include email recipients for all scheduled reports. When reports are scheduled, IMC generates the reports in the specified report format, emails them to specified recipients, and stores the reports for future access. You can also access reports generated by IMC scheduling. IMC retains all scheduled reports indefinitely. Retention of all historical reports must be managed manually. Table 19 Scheduled reports for the EAD service component Scheduled report Service component Asset Information Report DAM Asset Type Report DAM Asset Usage Report DAM CPU Report DAM Hard Disk Capacity Report DAM Illegal Peripheral Use Report DAM Insecurity Category Statistic Report EAD Online User Security Status Report EAD OS Language Report DAM OS Version Report DAM Safe Log Gather Statistic Report EAD Software Installation Report DAM Asset information report This report collects statistics about the number of newly added assets, the size of newly added memory, the newly added hard-disk capacity, the number of existing assets, the size of existing memory, and the existing hard-disk capacity in all asset groups (excluding the subgroups) in the specified time range. The report collects statistics about only the asset groups to which the current operator has privileges, and does not collect the asset statistics of the current month. Adding an asset information report 1. 2. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Asset Information Report and click OK. Scheduled reports 273 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. Select an operator group, and all operators in the group can view the report. To know operators in an operator group, click the Operator Group Information icon to the right of Access Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Asset information report supports the options Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the start month and end month. The asset information report collects statistics about the number of newly added assets, the size of newly added memory, the newly added hard-disk capacity, the number of existing assets, the size of existing memory, and the existing hard-disk capacity in all asset groups (excluding the subgroups) in the specified time range. 274 EAD service reports a. Click the Set Parameter icon Parameter Value list. for the start month, and select a start month from the The options range from 2000-01 to 2050-12. b. Click OK to return to the page for adding a report. The Set Parameter icon changes from start month. c. Click the Set Parameter icon Parameter Value list. to . The end month must be later than the for the end month, and select an end month from the The options range from 2000-01 to 2050-12. d. Click OK to return to the page for adding a report. The Set Parameter icon changes from start month. to . The end month must be later than the 10. Click OK. Viewing asset information reports To view asset information reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the asset information reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 46 Asset information report Asset information report parameters • Start Month—Start month for the report statistics. • End Month—End month for the report statistics. • Report Time—Time when the report is generated. • Description—A brief description of the report. Scheduled reports 275 Asset information report fields The asset information report collects statistics on a per-month basis.Table 20 describes the fields in the report. Table 20 Statistical items Statistical item Description Asset Group Name of the asset group. Asset Memory New Number of newly added assets in the asset group in a specified time range. Total Total number of assets in the asset group in a specified time range. New (GB) Size of newly added memory in the asset group in a specified time range. Total (GB) Total size of memory in the asset group in a specified time range. Hard disk New (GB) Newly added hard-disk capacity in the asset group in a specified time range. Total (GB) Existing hard-disk capacity in the asset group in a specified time range. Asset type report This report collects statistics about the asset types and the number of assets of each type for all registered assets in the specified asset group (including its subgroups). The asset types are Laptop, PC, Server, Workstation, and Others. The report collects statistics about only the asset groups to which the current operator has privileges. Adding an asset type report To add an asset type report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Asset Type Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report: Select an operator group, and all operators in the group can view the report. To know operators to the right of Access in an operator group, click the Operator Group Information icon Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. Click Close to the return to the page for adding a report. 276 EAD service reports 5. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day, and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. Scheduled reports 277 9. Set the asset group. The asset type report collects statistics about the asset types and the number of assets of each type for all registered assets in the specified asset group (including its subgroups). a. b. Click the Set Parameter icon for the asset group. Select an asset group from the Parameter Value list. The options are asset group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing asset type reports To view asset type reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the asset type reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 47 Asset type report Asset type report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects statistics about asset types and the number of assets of each type for all registered assets in the specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Asset type statistics pie chart The asset type statistics pie chart displays the distribution of asset types. Asset types are PC, Workstation, Laptop, Server, and Others. 278 EAD service reports Asset usage report This report collects statistics about assets which have been offline for more than the specified days. The report displays the asset statistics of only the asset groups to which the current operator has privileges. Adding an asset usage report To add an asset usage report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Asset Usage Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report: Select an operator group, and all operators in the group can view the report. To know operators to the right of Access in an operator group, click the Operator Group Information icon Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. Scheduled reports 279 When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the asset idle period. The asset usage report collects statistics about assets which have been offline for more than the specified days. a. b. c. to set the idle period. Click the Set Parameter icon In the Parameter Value field, enter the minimum number of idle days. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing asset usage reports To view asset usage reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the asset usage reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 48 Asset usage report 280 EAD service reports Asset usage report parameters • Report Time—Time when the report is generated. • Min. Idle Time—Minimum number of idle days. Assets which have been offline for more than the specified days are displayed in the report. • Description—A brief description of the report. Asset usage report fields • Asset Number—Asset number of the idle asset. • Asset Group—Name of the asset group to which the asset belongs. • Owner—Owner of the asset. • Management Time—Time when the asset began to be managed. • Last Off-line—Last time when the asset went offline. • Idle Period—Period for which the asset has been idle. CPU report This report collects statistics about the assets whose CPU frequencies match certain criteria in the specified asset group (including its subgroups). The report displays the CPU statistics of only the asset groups to which the current operator has privileges. Adding a CPU report To add a CPU report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select CPU Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report: Select an operator group, and all operators in the group can view the report. To know operators in an operator group, click the Operator Group Information icon to the right of Access Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. Click Close to the return to the page for adding a report. Scheduled reports 281 5. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the minimum CPU frequency (in MHz) and maximum CPU frequency (in MHz). The CPU report collects statistics about assets whose CPU frequencies are between the minimum frequency and the maximum frequency. a. b. Click the Set Parameter icon for the Minimum Frequency. In the Parameter Value field, enter the minimum CPU frequency. 282 EAD service reports c. Click OK to return to the page for adding a report. The Set Parameter icon changes from d. e. f. to . Click the Set Parameter icon for the Maximum Frequency. In the Parameter Value field, enter the maximum CPU frequency. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Set the asset group. The CPU report collects statistics about the CPU frequencies of all registered assets in the specified asset group (including its subgroups). a. b. Click the Set Parameter icon for the asset group. Select an asset group from the Parameter Value list. The options are asset group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 11. Click OK. Viewing CPU reports To view CPU reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the CPU reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 49 CPU report CPU report parameters • Minimum Frequency—Minimum frequency (in MHz) of the CPU frequency range. • Maximum Frequency—Maximum frequency (in MHz) of the CPU frequency range. Scheduled reports 283 • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects the CPU frequency statistics for the specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. CPU report fields • Asset Number—Asset number of the asset. • Asset Name—Name of the asset. • Owner—Owner of the asset. • CPU SN—Number of the CPU in the operating system. • CPU Name—Product name of the CPU. • Frequency—CPU frequency (in MHz) of the asset. Hard-disk capacity report This report collects statistics about the number of hard disks of assets in the specified asset group (including its subgroups), and classifies the hard disks according to their capacity: <80 GB, [80 GB to 160 GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), or >=1024 GB. The report displays the hard disk capacity statistics of only the asset groups to which the current operator has privileges. Adding a hard disk capacity report 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. Click the Report tab, select Scheduled Reports > All Scheduled Reports from the 2. Select a template: a. Click Select to the right of Template Name b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Hard Disk Capacity Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. Select an operator group, and all operators in the group can view the report. To know operators in an operator group, click the Operator Group Information icon to the right of Access Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. Click Close to the return to the page for adding a report. 284 EAD service reports 5. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. Scheduled reports 285 9. Set the asset group. The hard disk capacity report collects the hard disk capacity statistics of all registered assets in the specified asset group (including its subgroups). a. b. c. Click the Set Parameter icon for the asset group. Select an asset group from the Parameter Value list. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing hard disk capacity reports To view hard disk capacity reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. Click the History Report icon for the hard disk capacity reports to enter the History Report page. 4. Click the View link to open a statistics report, or save the statistics report. Figure 50 Hard disk capacity report Hard disk capacity report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects the hard disk capacity statistics for the specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Hard disk capacity statistics pie chart The hard disk capacity statistics pie chart displays the distribution of hard-disk capacity. The hard-disk capacity is classified into the following levels: <80 GB, [80 GB to 160 GB), [160 GB to 250 GB), [250 GB to 500 GB), [500 GB to 1024 GB), and >=1024 GB. 286 EAD service reports Illegal peripheral use report This report collects statistics about the illegal peripheral usage types and the times of each type for the specified asset group (including its subgroups) in a specified time range. The peripheral types are USB Storage, USB Nonstorage, DVD/CD-ROM, Floppy, PCMCIA, COM/LPT, Infrared, Bluetooth, 1394, and Modem. The report displays the illegal peripheral usage types and the times of each type for only the asset groups to which the current operator has privileges. Adding an illegal peripheral use report To add an illegal peripheral use report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Illegal Peripheral Use Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report: Select an operator group, and all operators in the group can view the report. To know operators in an operator group, click the Operator Group Information icon to the right of Access Right, and the Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators contained in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and Scheduled reports 287 the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the begin time and end time. The illegal peripheral use report collects statistics about the illegal peripheral usage types and the times of each type in a specified time range. a. Click the Set Parameter icon for the start time. The options on the list depend on the schedule type configured in step 5. b. Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. c. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from d. Click the Set Parameter icon 288 EAD service reports to . for the end time. e. Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. f. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from begin time. to . The end time must be later than the 10. Set the asset group. The illegal peripheral use report collects statistics about the illegal peripheral usage types and the times of each type for assets in the specified asset group (including its subgroups). a. b. for the asset group. Click the Set Parameter icon Select an asset group from the Parameter Value list. The options are asset group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 11. Click OK. Viewing illegal peripheral use reports To view illegal peripheral use reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the illegal peripheral use reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Scheduled reports 289 Figure 51 Illegal peripheral use report Illegal peripheral use report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects statistics about the illegal peripheral usage types and the times of each type for the specified asset group (including its subgroups) in a specified time range. All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Illegal peripheral use statistic pie chart The pie chart displays the distribution of illegal peripheral usage types and the times of each type in a specified time range. The illegal peripheral usage types follow: • USB Storage • USB Nonstorage • DVD/CD-ROM • Floppy • PCMCIA • COM/LPT • Infrared • Bluetooth 290 EAD service reports • 1394 • Modem Insecurity category statistic report This report collects statistics about the security check failures of each insecurity category for the current EAD node in a specified time range. An insecurity category refers to the type of the reason for security check failures. The insecure categories follow: • Anti-Virus Software • Anti-Spyware Software • Firewall Software • Anti-Phishing Software • Hard Disk Encryption Software • Windows Patches • Patch Manager • Applications - Software • Applications - Processes • Applications - Services • Applications - Files • Registry • Traffic • OS Password • Sharing • Asset Registration Adding an insecurity category statistic report To add an insecurity category statistic report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Insecurity Category Statistic Report and click OK. 3. Enter the report name in the Scheduled Report Name field. Scheduled reports 291 4. Select an operator group. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 292 EAD service reports 9. Set the begin time and end time. The insecurity category statistic report collects statistics about the security check failures of each insecurity category in a specified time range. An insecurity category refers to the type of the reason for security check failures. a. b. Click the Set Parameter icon for the start time. Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. c. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from d. e. to . Click the Set Parameter icon for the end time. Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. f. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from begin time. to . The end time must be later than the 10. Click OK. Viewing insecurity category statistic reports To view insecurity category statistic reports: Scheduled reports 293 1. 2. Click the Report tab. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. Click the History Report icon for the insecurity category statistic reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. 4. Figure 52 Insecurity category statistic report Insecurity category statistic report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Description—A brief description of the report. Insecurity category statistic pie chart The insecurity category statistic pie chart displays the percentage of the security check failures of each insecurity category to the total security check failures. Online user security status report This report collects statistics about the security status of all users in a user group (including its subgroups). The report collects statistics about only the user groups to which the current operator has privileges. The security status of an online user can be No Security Authentication Needed, Waiting for Security Authentication, Secure, Insecure, or Others. Adding an online user security status report To add an insecurity category statistic report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 294 EAD service reports 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Online User Security Status Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. Scheduled reports 295 6. Set the time when a report becomes invalid. The EAD component does not generate any scheduled report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the begin time and end time. The insecurity category statistic report collects statistics about the security check failures of each insecurity category in a specified time range. An insecurity category refers to the type of the reason for security check failures. a. b. Click the Set Parameter icon for the start time. Select a user group from the Parameter Value list. The options are user group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing online user security status reports To view online user security status reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the online user security status reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 53 Online user security status report 296 EAD service reports Online user security status report parameters • User Group—Name of the user group. This report collects statistics about the security status of all users in a user group (including its subgroups). All indicates all user groups. The report collects statistics about only the user groups to which the current operator has privileges. • Report Time—Time when the report is generated. • Description—A brief description of the report. Online user security status category statistics pie chart This report displays the distribution of the security status of all users in a user group (including its subgroups). The security status of an online user can be No Security Authentication Needed, Waiting for Security Authentication, Secure, Insecure, or Others. OS language report This report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). The report collects statistics about only the asset groups to which the current operator has privileges. The language types include Chinese (PRC), English, and Others. Adding an OS language report To add an OS language report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select OS Language Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. Scheduled reports 297 When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the asset group. The OS language report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). a. b. for the asset group. Click the Set Parameter icon Select an asset group from the Parameter Value list. The options are asset group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing OS language reports To view OS language reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 298 EAD service reports 3. 4. Click the History Report icon for the OS language reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 54 OS language report OS language report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. • Group Name—Name of the asset group. This report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. OS language statistics pie chart This report displays the distribution of the OS language types of all registered assets in the specified asset group (including its subgroups). The recognizable language types include Chinese (PRC), English, and Others. OS version report This report collects statistics about the OS versions and the number of assets running each OS version for all registered assets. It displays the distribution of top five OS versions. The report collects statistics about only the asset groups to which the current operator has privileges. Adding an OS version report To add an OS version report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. Scheduled reports 299 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Online User Security Status Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 300 EAD service reports 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Click OK. Viewing OS version reports To view OS version reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. for the OS version reports to enter the History Report page. Click the History Report icon Click the View link to open a statistics report, or save the statistics report. Figure 55 OS version report OS version report parameters • Report Time—Time when the report is generated. • Description—A brief description of the report. OS version statistics pie chart The pie chart displays the distribution of the top five OS versions for all registered assets. Scheduled reports 301 Safe log gather statistic report This report collects statistics about the security logs of the current EAD node and all its child nodes, and displays the distribution of each type of insecurity event in a specified time range. The insecurity event types follow: • Anti-virus software • Anti-spyware software • Firewall software • Anti-phishing software • Hard disk encryption software • Windows patches • Patch manager • Applications - software • Applications - processes • Applications - services • Applications - files • Registry • Traffic • OS password • Sharing • Asset registration Adding a safe log gather statistic report To add a safe log gather statistic report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Safe Log Gather Statistic Report and click OK. 3. 4. Enter the report name in the Scheduled Report Name field. Select an operator group that can view the report. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. Click Close to the return to the page for adding a report. 302 EAD service reports 5. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. 9. Set the begin time and end time. The insecurity category statistic report collects statistics about the security check failures of each insecurity category in a specified time range. An insecurity category refers to the type of the reason for security check failures. a. Click the Set Parameter icon for the start time. Scheduled reports 303 b. Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. c. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from d. e. to . for the end time. Click the Set Parameter icon Select a begin time from the Schedule Parameter list. The options on the list depend on the schedule type configured in step 5. f. • Daily— Options are Begin time, One hour after begin time through Twenty-three hours after begin time, and End time. • Weekly— Options are Begin time, One day after begin time through Six days after begin time, and End time. • Monthly— Options are Begin time, One day after begin time through Thirty days after begin time, and End time. • Quarterly— Options are Begin time, One month after begin time, Two months after begin time, and End time. • Half Yearly— Options are Begin time, One month after begin time, Five months after begin time, and End time. • Yearly— Options are Begin time, One month after begin time, Eleven months after begin time, and End time. Click OK to return to the page for adding a report. The Set Parameter icon changes from begin time. 304 EAD service reports to . The end time must be later than the 10. Set the grade node. Safe log gather statistic report collects statistics about the security logs of the node and all its child nodes. a. b. Click the Set Parameter icon for the grade node. Select a grade node from the Parameter Value list. The options are EAD grade node names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 11. Click OK. Viewing safe log gather statistic reports To view safe log gather statistic reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the safe log gather statistic reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 56 Safe log gather statistic report Safe log gather statistic report parameters • Start Time—Start time for the report statistics. • End Time—End time for the report statistics. • Report Time—Time when the report is generated. • Grade Node—Name of the asset group whose statistics are collected by the report. The report collects statistics about only the nodes to which the current operator has privileges. • Description—A brief description of the report. Scheduled reports 305 Safe log gather statistic pie chart The pie chart displays the distribution of the insecurity events on the specified node and all its child nodes. The insecurity event types follow: • Anti-virus software • Anti-spyware software • Firewall software • Anti-phishing software • Hard disk encryption software • Windows patches • Patch manager • Applications - software • Applications - processes • Applications - services • Applications - files • Registry • Traffic • OS password • Sharing • Asset registration Software installation report This report collects statistics about the software names and the number of assets with each type of software installed for all registered assets in the specified asset group (including its subgroups). The report collects statistics about only the asset groups to which the current operator has privileges. Adding a software installation report To add a software installation report: 1. Enter the page for adding a scheduled report in one of the following ways: • Click the Report tab, and select Reports > Add Scheduled Report from the navigation tree. • Click the Report tab, select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page, and click Add. 2. Select a template: a. Click Select to the right of Template Name. b. Select EAD Service Report from the Type list in the Query Template section, and click Query. c. Select Software Installation Report and click OK. 3. Enter the report name in the Scheduled Report Name field. 306 EAD service reports 4. Select an operator group that can view the report. All operators in the group can view the report. To view the operators in an operator group, click the Operator Group Information icon to the right of Access Right. The Operator Group Information window appears. a. Select one or more operator groups in the Group Name section. The operators in the operator groups are displayed. b. 5. Click Close to the return to the page for adding a report. Specify the period a report is generated. A scheduled report period is determined by both the schedule type and schedule time settings. • Schedule Type—Contains fields such as Daily, Weekly, Monthly, Quarterly, Half Yearly, and Yearly. • Report Start Date—You can enter a report start date in the format of YYYY-MM-DD, or click the Calendar icon to select a start date. When you select the Daily schedule type, reports of the previous day are generated every day. For example, when you set the report start date to 2011-08-10, the first daily report is generated at 04:00 AM on 08, 11, 2011, and the data in the report is the data collected till 00:00 on the day that the report was generated. When you select the Weekly schedule type, reports of the previous seven days are generated every seven days. For example, when you set the report start date to 2011-08-10, the first weekly report is generated at 04:00 AM on 08, 17, 2011, and the data from 08, 10, 2011 to 08, 16, 2011 is displayed in the report. When you select the Monthly schedule type, reports of the previous month are generated every month. For example, when you set the report start date to 2011-08-10, the first monthly report is generated at 04:00 AM on 09, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Quarterly schedule type, reports of the previous three months are generated every three months. For example, when you set the report start date to 2011-08-10, the first quarterly report is generated at 04:00 AM on 11, 10, 2011, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Half Yearly schedule type, reports of the last half year are generated every half year. For example, when you set the report start date to 2011-08-10, the first half yearly report is generated at 04:00 AM on 02, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. When you select the Yearly schedule type, reports of the last year are generated every year. For example, when you set the report start date to 2011-08-10, the first yearly report is generated at 04:00 AM on 08, 10, 2012, and the data collected till 00:00 on the day that the report was generated is displayed in the report. 6. Set the time when a report becomes invalid and the EAD component does not generate the report. Click the End by box. Enter an end time in the format YYYY-MM-DD hh:mm, or click the Calendar icon to select an end day and then enter an end time at the lower part. 7. From the Report File Format list, select a report file format. Options are PDF, CSV, MSExcel, and MSExcel (Data-only). 8. Send a report by email. Click the Send by Email box, and enter the email address of the receiver. Reports can be sent to one email address. Scheduled reports 307 9. Set the asset group. The OS language report collects statistics about the OS language types and the number of assets using each OS language type for all registered assets in the specified asset group (including its subgroups). a. b. Click the Set Parameter icon for the asset group. Select an asset group from the Parameter Value list. The options are asset group names. c. Click OK to return to the page for adding a report. The Set Parameter icon changes from to . 10. Click OK. Viewing software installation reports To view software installation reports: 1. Click the Report tab. 2. Select Scheduled Reports > All Scheduled Reports from the navigation tree to enter the All Scheduled Reports page. 3. 4. Click the History Report icon for the software installation reports to enter the History Report page. Click the View link to open a statistics report, or save the statistics report. Figure 57 Software installation report Software installation report parameters • Report Time—Time when the report is generated. • Group Name—Name of the asset group. This report collects statistics about the software names and the number of assets with each type of software installed for all registered assets in the 308 EAD service reports specified asset group (including its subgroups). All indicates all asset groups. The report collects statistics about only the asset groups to which the current operator has privileges. • Description—A brief description of the report. Software installation report fields • Software Name—Name of the software installed on the assets. • Software Version—Version of the software. The software installation report collects separately collects statistics about the software products with the same name but different versions. • Assets—Number of assets with the software installed. Scheduled reports 309 14 Service parameters management You can configure the following service parameters: • EAD service parameters—Globally effective on the EAD service. • DAM service parameters—Globally effective on the DAM service. This chapter describes how to configure and tune these service parameters, as well as how to manually validate new service parameters. EAD service parameters EAD service parameters comprise the following: 310 • Patch Check Interval—Enter a number of days. When the Patch Check Interval is set to 0, EAD checks patches for the user in every security check. Otherwise, after an access user passes a patch check, EAD excludes patch check items from security checks for that user for the number of days indicated by the Patch Check Interval. The default setting is 7 days. • Reauthentication Interval—Enter the maximum online time for users, in hours. EAD forcibly reauthenticates the users whose online time exceeds the interval. The default setting is 24 hours. Set this parameter so that EAD can promptly check security items that do not support real-time monitoring. • Real-Time Monitor Interval—Enter the interval, in seconds, at which EAD performs security check in real time for online users, except for users who are isolated. The default setting is 60 seconds. Consider the performance of the EAD server and terminal users when you set this parameter. A shorter interval requires higher performance. For more information, see “Configuring real-time monitoring” (page 45). • EAD Service Group—Select this option to enable the EAD service group function. This parameter is available only when the UAM service group function is enabled. ◦ Enable—Enables the EAD service group function. ◦ Disable—Disables the EAD service group function. ◦ Center Control—Enables administrators to centrally manage the EAD service, and allows the maintainers and viewers to view the EAD service only. • Alarm Server IP—Enter the IP address of the server to which EAD sends SNMP alarms. SNMP alarms are generated when the traffic on the user terminal exceeds the traffic thresholds defined in the traffic control policy. • Listening Port of Alarm Server—Enter the number of the port that the alarm server uses to listen to SNMP alarms from EAD. The default value is 162. • Send Security Syslog—Specify whether to enable EAD to send syslogs. When you select Enable, EAD checks for new security logs every hour, encapsulates them in syslogs, and sends them to the specified syslog server. The IP address of the syslog server is configured in UAM service parameters. For more information, see HP IMC User Access Manager Administrator Guide. • Centralized Policy Management—Select this option to centrally manage security policies in hierarchical node management. • Data Reporting Time—Enter the time when a node reports data to its parent node each day. The default setting is 10:00. In centralized policy management, a child node must obtain the value of this parameter from its parent node; it cannot modify the value. Service parameters management • Data Lifetime—Enter how long a node keeps the data reported from a child node. The default setting is 90 days. In centralized policy management, a child node must obtain the value of this parameter from its parent node; it cannot modify the value. • Query Security Logs Before V3.60—Specify whether operators can query security logs generated by IMC V3.60 and earlier versions. When your IMC system is upgraded from V3.60 to V5.0, the security logs of the two versions use different structures and are stored separately. ◦ When you select Yes, EAD offers a separate query module for security logs generated by IMC V3.60 and earlier versions. ◦ When you select No, EAD does not offer the query module, and only allows query for security logs generated by IMC V5.0 and later versions. • Security Logs Lifetime—Specify how many days EAD keeps security logs. The default setting is 30 days. Expired logs are deleted automatically. • Internet Access Audit Log Keeping Time (Days)—Specify the maximum number of days an Internet access audit log can be kept in the system. The system automatically deletes the logs whose lifetime exceeds the specified keeping time every morning. The default is 30 days. • Max Internet Access Audit Logs (10000)—Specify the maximum number of Internet access audit logs (in ten thousand) that can be kept in the system. The system automatically deletes logs from the earliest record when the specified number is reached. The default is ten million. • Generate logs after the security check is passed—Select this option to enable EAD to generate security logs for access users after they pass the security check. By default, EAD does not generate security logs for those users. Configuring EAD service parameters To configure EAD service parameters: 1. Click the Service tab. 2. Select Endpoint Admission Defense>System Parameters>System Parameters Config from the navigation tree. The System Parameters Config page appears. 3. 4. Configure the EAD service parameters. Click OK. Typically, the new EAD service parameters take effect immediately. Validating EAD service parameters If EAD service parameters in distributed IMC deployment do not take effect immediately after they are modified, for example, because of a network failure, use one of the methods in this section to validate the parameters manually. Method 1 1. 2. Click the Service tab. Select Endpoint Admission Defense > System Parameters > Validate from the navigation tree. The Validate page appears, displaying the validation result. Method 2 1. 2. 3. Click the Service tab. Select Endpoint Admission Defense > Service Parameters from the navigation tree. Click the Validate link located in the Service Parameters area. The Validate page appears, displaying the validation result. EAD service parameters 311 DAM service parameters DAM service parameters comprise the following: • Auto Number—Select the asset numbering mode. The asset numbering mode can be modified only when there is no asset entity in the system database. Therefore, operators must delete all assets from the system database before they can change the asset numbering mode. For more information, see “Managing assets” (page 158). ◦ Enable—Use the automatic numbering mode. In this mode, when an access user logs in, DAM automatically numbers the asset of the user and prompts the user to enter the asset information, including the asset model, position, vendor, type, and description, to complete registration. ◦ Disable—Use the manual numbering mode. In this mode, operators manually specify the number, owner, and asset group for assets in DAM. When an access user logs in, the iNode client prompts the user to enter the asset number to complete registration. • Number Prefix—Enter the prefix for automatic numbering. This parameter appears only when Auto Number is set to Enable. Changes to this field do not affect existing asset numbers that are automatically assigned by DAM. • Auto Register—Select the asset registration mode. This field appears only when Auto Number is set to Enable. ◦ Enable—Use the automatic registration mode. In this mode, when an access user logs in, DAM automatically numbers the asset to complete asset registration without manual intervention. ◦ Disable—Use the manual registration mode. In this mode, when an access user logs in, DAM automatically numbers the asset and prompts the user to enter the asset model, position, vendor, type, and description to complete registration. • Scan Interval—Enter the interval, in minutes, at which the iNode client scans assets for software and hardware changes. • Heartbeat Interval—Enter the interval, in minutes, at which the iNode client sends a heartbeat packet to the DAM server. • Heartbeat Retries—Enter the maximum number of times the iNode client can try to send a heartbeat packet. • Heartbeat Retry Interval—Enter the number of seconds the iNode client can wait before it retransmits a heartbeat packet to the DAM server. The iNode client for an online asset sends heartbeat packets to the DAM server at heartbeat retry intervals. The DAM server responds to the heartbeat packet within the heartbeat retry interval to determine that the asset is online. When the iNode client receives no response from the DAM server within that interval, it retransmits the heartbeat packet until the Heartbeat Retry Interval value is reached. The iNode client then disconnects from the DAM server, and the DAM server waits one more interval to determine that the asset is offline. 312 • Life of Log—Enter the number of days DAM keeps logs in the database, including peripheral monitoring logs, printer monitoring logs, and USB monitoring logs. The DAM server deletes expired logs on a daily basis. • Asset Change Record Lifetime—Enter the number of days DAM keeps records of asset hardware and software changes in the database. The DAM server deletes expired records on a daily basis. Service parameters management • Asset Policy Request Period—Enter the interval, in minutes, at which the iNode client requests are sent for the latest asset policy information from the DAM server. For assets that stay online for a long period of time, the iNode client sends requests for up-to-date asset policy information at a specified interval. Examples include new DAM service parameters and software deploy tasks. • Server Port—Enter the listening port of the DAM server. DAM uses this port to listen for packets about changes made by the operator on the IMC GUI to the DAM settings, and adjusts itself accordingly. The value must be the same as that in the configuration file. • Proxy Server Port—Enter the port used by the DAM proxy server to listen to requests from the iNode client. The value must be the same as that in the configuration file. To modify the DAM server port and proxy server port in the configuration file: a. Locate the file \dam\conf\server.xml in the installation path of IMC. b. Open the file with a text editor such as Notepad. c. Search Service name="Dam Server" and change the value of the notifyPort parameter. d. Search Service name="DAM Proxy" and change the value of the listenPort parameter. e. Restart the damserver process. • Packets Encrypted—Select this option to enable encryption and compression of packets exchanged between the DAM server and the iNode client. Enable this function to protect data transmission. • DAM Asset Server Log Level—Select the lowest level of logs to be recorded by DAM. Options are Fatal, Error, Warning, Info, and Debugging, in descending order of severity. The DAM server records logs of the selected level and above. Do not use the debugging level except for troubleshooting because it consumes system resources. • Send Syslogs—Select this option to allow DAM to send syslogs to a syslog server. • Syslog Server IP—Enter the IP address of the syslog server. This field appears only when Send Syslogs is set to Enable. Monitoring alarm policies requires a syslog server. The policies allow the DAM server to encapsulate monitoring information within syslogs and send them to the syslog server. The monitoring information is reported by the iNode client; it includes changes to software and hardware assets, and unauthorized copying and printing of sensitive files. For more information, see “Configuring monitoring alarm policies” (page 193). • Report Network Connection Changes—Select this option to enable the iNode client to report asset network connection changes to DAM. These include changes to NIC serial numbers, IP addresses, DHCP statuses, gateways, MAC addresses, and subnet masks. DAM records them as asset software changes for auditing. For more information, see “Asset software change record audit” (page 201). • Asset-Access Account Binding—Specify whether DAM checks the access account bound to each asset for authentication. This parameter is available only in manual numbering mode. • ◦ Enable—Allows DAM to check the access account bound to each asset for registration. When an owner is bound to the asset, DAM allows only the access account of the owner to register the asset. When no owner is bound to the asset, DAM sets the first access account that passes authentication and completes registration for the asset as the owner. ◦ Disable—Prevents DAM from checking the access account bound to each asset for authentication. When this option is selected, DAM does not restrict the access account that registers an asset. Asset File Check Records Lifetime—Enter the number of days the asset file check records are kept in the database. The DAM server deletes expired records on a daily basis. DAM service parameters 313 • Display Asset Monitoring Information—Select this option to display the query feature for asset monitoring records on the asset owner's Access Account Info page. Operators can query the asset monitoring records by hour. Enable this feature with caution because it may cause serious delays to the Access Account Info page if there are large numbers of asset monitoring records in the DAM database. For more information about the Access Account Info page, see HP IMC User Access Manager Administrator Guide. • DAM Service Group—Select this option to allow operators to group DAM services together for flexible management. Configuring DAM service parameters To configure DAM service parameters: 1. Click the Service tab. 2. Select Desktop Asset Manager > Service Parameters > System Parameters Config from the navigation tree. The System Parameters Config page appears. 3. 4. Configure the DAM service parameters. Click OK. In general, the new DMA service parameters take effect immediately. Validating DAM service parameters If DAM service parameters in distributed IMC deployment do not take effect immediately after they are modified, for example, because of a network failure, use one of the methods in this section to validate the parameters manually. Method 1 1. 2. Click the Service tab. Select Desktop Asset Manager > System Parameters > Validate from the navigation tree. The Validate page appears, displaying the validation result. Method 2 1. 2. 3. Click the Service tab. Select Desktop Asset Manager > Service Parameters from the navigation tree. Click the Validate link located in the Service Parameters area. The Validate page appears, displaying the validation result. 314 Service parameters management 15 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: • Product model names and numbers • Technical support registration number (if applicable) • Product serial numbers • Error messages • Operating system type and revision level • Detailed questions New and changed information in this edition • A new "Support and other resources" chapter has been added. Typographic conventions This section describes the conventions used in this documentation set. Table 21 Document conventions Convention Element Blue text: Table 21 (page 315) Cross-reference links and e-mail addresses Blue, underlined text: http://www.hp.com Website addresses Bold text • Keys that are pressed • Text typed into a GUI element, such as a box • GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes Italic text Text emphasis Monospace text • File and directory names • System output • Code • Commands, their arguments, and argument values Monospace, italic text • Code variables • Command variables Monospace, bold text NOTE: Emphasized monospace text Provides additional information. Contacting HP 315 16 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). Include the document title and part number, version number, or the URL when submitting your feedback. 316 Documentation feedback Index A anti-phishing software policy adding, 94 deleting, 95 details, 93 basic information section, 93 Mac OS section, 93 windows operating system section, 93 list contents, 93 management, 93 modifying, 94 viewing details, 94 list, 93 anti-spyware software policy adding, 88, 134 deleting, 90, 136 details, 87, 133 basic information section, 87 Mac OS section, 87 windows operating system section, 87 list contents, 87, 133 management, 86, 133 modifying, 89, 135 viewing details, 88 list, 88 policy details, 134 policy list, 134 anti-virus software policy adding, 83, 130 deleting, 86, 133 details, 81, 129 basic information section, 82 linux operating system section, 82 Mac OS section, 82 windows operating system section, 82 list contents, 81, 129 management, 81, 129 modifying, 85, 132 viewing details, 83, 130 list, 82, 130 asset audit, 198 asset file check list details basic information section, 217 file list section, 217 asset groups adding, 155 automatically based on user groups, 156 manually, 156 subgroup, 156 deleting, 157 details, 154 asset group details section, 154 authorized operator section, 155 basic information section, 154 immediate parent group list section, 155 granting operator privileges to manage, 158 list contents, 154 managing, 153 modifying, 157 viewing details, 155 list, 155 asset hardware change information list contents, 199 querying, 200 advanced, 200 basic, 200 record audit, 198 record details, 199 viewing list, 199 record details, 200 asset registration status check, 128 asset software change information list contents, 202 querying, 204 advanced, 204 basic, 204 record audit, 201 record details, 203 viewing record details, 203 record list, 203 asset statistics asset type statistics reports list, 179 pie chart, 178 collecting, 178 asset type statistics reports, 178 by asset type, 178 by CPU, 179 by hard disk, 180 by operating system, 182 by software installed, 184 CPU frequency statistics reports, 179 hard disk capacity statistics reports, 180 operating system language, 182 operating system version, 182 software installation statistics report, 184 type statistics reports, 180 CPU frequency statistics reports list, 180 pie chart, 179 hard disk capacity statistics reports list, 181 pie chart, 181 operating system language 317 list, 183 pie chart, 183 operating system version list, 183 pie chart, 182 software installation statistics report list, 184 type statistics reports list, 181 pie chart, 181 assets accessing details page method 1, 164 method 2, 165 adding, 171 batch importing, 173 deleting, 175 details, 159 hardware information section, 161 IP address list section, 162 logical disk list section, 162 operating system information section, 160 partition list section, 162 patch list section, 163 port list section, 164 process list section, 163 screen saver information section, 162 service list section, 163 share list section, 163 software list section, 162 system information section, 159 export history deleting record, 177 downloading record, 177 list contents, 177 viewing, 177 exporting, 176 function asset list, 176 information, 176 list contents, 159 managing, 158 export history, 177 modifying, 174 performing actions asset change history contents, 168 change history, 168 check asset files, 167 delete, 166 modify, 165 printer monitor, 167 printer monitor list, 167 refresh, 168 regroup, 165 scan, 166 software deploy task list, 166 USB monitor, 166 USB monitor list, 166 viewing software deployment history, 166 querying, 168 318 Index performing advanced query, 169 performing basic query, 168 registering, 158 regrouping, 175 viewing details, 164 list, 164 viewing details accessing details page, 164 hardware, 165 performing actions, 165 C child node information details, 55 basic information area, 55 real-time statistics on number of user-services failing security check, 56 on number of users, 55 client ACLs adding, 70 deleting, 71 details, 68 viewing, 69 list contents, 68 viewing, 69 managing, 68 modifying, 70 client driver EAD audit, 233 iNode driver list contents, 233 querying errors, 234 viewing errors in iNode driver list, 233 computer security check performing, 236, 238 result details, 236 basic information section, 237 hard disk partition table section, 237 installed patches section, 238 installed software section, 238 running processes section, 238 running services section, 238 screen saver settings section, 237 share list section, 237 contacting HP, 315 conventions document, 315 D DAM collecting asset statistics, 178 configuring, 153 exporting asset information, 176 managing asset, 158 asset export history, 177 asset groups, 153 export task, 184 service parameters, 312 DAM service parameters configuring, 314 validating, 314 method 1, 314 method 2, 314 deploy asset list contents, 225 deploy group list contents, 225 deployment, 59 configuring manual, 60 services, 60 contents, 60 scheduling automatic, 60 deployment history, 61 list contents, 61 viewing, 61 querying, 62 desktop asset management desktop monitoring, 23 software deployment, 24 desktop control policies configuring, 186 desktop control schemes adding, 187 configuring, 186 deleting, 188 details, 186 basic information section, 186 policy list section, 187 list contents, 186 modifying, 188 viewing details, 187 list, 187 document conventions, 315 documentation, providing feedback on, 316 domain URL classes adding, 75 configuring check items, 76 deleting, 77 details, 75 item list contents, 75 list contents, 75 managing, 74 modifying, 77 viewing class list, 75 details, 75 E EAD audit, 230 service parameters, 310 configuring, 311 validating, 311 EAD audit client driver, 233 performing computer security check, 236 security logs, 230 security status audit, 234 EAD component, 18 DAM service module, 19 EAD service module, 18 EAD component functions, 19 desktop asset, 22 ead audit, 25 EAD service report, 24 internet access control, 24 security policy, 19 service parameters, 24 EAD global network monitoring diagram accessing, 63 adding, 64 customizing background picture, 65 left-click menu of a node, 64 managing node icons, 66 right-click menu, 64 right-click menu of a node, 64 setting preloaded background picture, 65 toolbar contents, 63 EAD planning considerations, 25 configuring desktop control policies, 26 security policies, 26 identifying available features using iNode client with EAD and DAM, 26 number of access users, 26 terminal types, 26 physical location of the enterprise or organization, 25 EAD security policy EAD component, 18 EAD component functions, 19 EAD planning considerations, 25 EAD solution, 18 overview, 18 EAD service parameters configuring, 311 validating, 311 method 1, 311 method 2, 311 EAD service reports, 240 real-time reports, 241 all-node online users 24-hour trend graph, 242 asset information report, 243 asset type report, 244 asset usage report, 246 CPU report, 247 hard-disk capability report, 248 illegal peripheral use report, 249 insecurity category statistic report, 251 319 multi-node certain security policy statistics report, 253 multi-node online users comparison chart, 254 multi-node security check items report, 256 multi-node single-security check item failures comparison chart, 258 multi-node user counts comparison chart, 259 multi-node user data statistics report, 261 online user security status report, 262 OS language report, 263 OS version report, 264 safe log gather statistic report, 265 single-node online users 24-hour trend graph, 268 single-node security check failure report, 269 software installation report, 271 scheduled reports, 272 asset information report, 273 asset type report, 276 asset usage report, 279 CPU report, 281 hard-disk capacity report, 284 illegal peripheral use report, 287 insecurity category statistic report, 291 online user security status report, 294 OS language report, 297 OS version report, 299 safe log gather statistic report, 302 software installation report, 306 EAD solution, 18 energy saving policies adding, 192 configuring, 191 deleting, 193 list contents, 192 modifying, 192 viewing list, 192 export task configuring, 185 list contents, 184 managing, 184 viewing management list, 185 F file-type PC software control groups adding, 113 deleting, 115 details, 111 basic information contents, 111 file list information, 112 modifying, 113 viewing, 112 firewall software policy adding, 92 deleting, 92 details, 91 basic information section, 91 linux operating system section, 91 Mac OS section, 91 windows operating system section, 91 list contents, 91 320 Index management, 90 modifying, 92 viewing details, 91 list, 91 H hard disk encryption software policy adding, 96 deleting, 97 details, 96 basic information section, 96 windows operating system section, 96 list contents, 95 management, 95 modifying, 97 viewing details, 96 list, 96 help obtaining, 315 hierarchical node management, 54 child node adding, 58 deleting, 59 information details, 55 modifying, 58 child node details, viewing, 57 child node list contents, 54 viewing, 57 modifying name of the current node, 57 parent node confirming, 59 deleting, 59 information, 57 HP technical support, 315 I internet access controlling, 143 internet access audit logs managing, 148 performing advanced query, 149 basic query, 149 viewing details, 150 list, 148 internet access audit policies adding, 147 deleting, 148 managing, 146 modifying, 147 viewing details, 146 list, 146 internet access configuration adding, 144 assigning, 151 access policy, 152 services, 152 deleting, 146 managing, 143 modifying, 145 viewing details, 144 list, 143 internet access logging parameters configuring, 151 IP URL classes adding, 78 deleting, 79 details, 78 list contents, 78 managing, 77 modifying, 79 viewing details, 78 list, 78 M monitoring alarm policies adding, 195 configuring, 193 deleting, 197 details, 193 basic information section, 194 hardware changes monitoring section, 194 printer monitoring section, 194 software changes monitoring section, 194 USB monitoring section, 194 list contents, 193 modifying, 196 viewing details, 195 list, 195 O online users customizing, 236 list contents, 234 viewing list, 235 P page navigation aids, 28 menus, 28 password control, 127 modifying, 127 patch management software configuring, 115 list contents, 115 management, 115 PC software control groups downloading and using the MD5 tool, 101 list contents, 98 management, 98 managing adding common software list, 100 common software, 99 common software list, 99 deleting common software product, 101 file-type, 111 importing common software in batches, 100 process-type, 105 querying common software list, 100 service-type, 109 software-type, 102 viewing common software list, 100 querying, 99 viewing list, 99 peripheral management policies adding, 190 configuring, 188 deleting, 191 details, 189 basic information section, 189 disable devices section, 189 list contents, 188 modifying, 191 viewing details, 190 list, 189 printer monitoring record audit, 209 details, 210 exporting, 212 list contents, 209 printer monitor log export history list contents, 213 querying, 211 advanced, 211 basic, 211 viewing details, 210 export history of printer monitoring records, 212 list, 210 process-type PC software control group adding, 107 deleting, 108 details, 105 basic information contents, 105 process list information , 106 modifying, 107 viewing, 106 R real-time monitoring configuring, 45 enabling, 45 modifying parameters, 46 real-time reports all-node online users 24-hour trend graph fields, 243 parameters, 243 asset information report 321 fields, 244 parameters, 244 asset type report parameters, 245 asset type statistics list, 245 pie chart, 245 asset usage report fields, 246 parameters, 246 CPU report fields, 247 parameters, 247 hard-disk capability report parameters, 248 hard-disk capability statistics pie chart, 249 hard-disk type statistics, 249 illegal peripheral use report parameters, 250 statistics pie chart, 251 usage type statistics list, 251 insecurity category statistic report list, 252 parameters, 252 pie chart, 252 multi-node certain security policy statistics report fields, 254 parameters, 254 multi-node online users comparison chart fields, 256 parameters, 256 multi-node security check items report fields, 257 parameters, 257 multi-node single-security check item failures comparison chart fields, 259 parameters, 259 multi-node user counts comparison chart fields, 261 parameters, 260 multi-node user data statistics report fields, 261 parameters, 261 online user security status report parameters, 262 statistics list, 262 statistics pie chart, 262 OS language report asset statistics, 264 parameters, 264 statistics pie chart, 264 OS version report asset statistics, 265 parameters, 265 statistics pie chart, 265 safe log gather statistic report insecurity category statistics, 268 322 Index parameters, 267 statistic pie chart, 267 single-node online users 24-hour trend graph fields, 269 parameters, 269 single-node security check failure report bar chart, 271 software installation report fields, 272 parameters, 272 receipt history, 61 list contents, 61 viewing, 61 querying, 62 registry control adding, 121 deleting, 122 list contents, 119 details, 120 list details basic information section, 120 registry entry section, 120 modifying, 122 policy management, 119 querying, 121 viewing, 121 list, 121 roaming online users list contents, 235 viewing list, 235 S scheduled reports asset information report adding, 273 fields, 276 parameters, 275 viewing, 275 asset type report adding, 276 parameter, 278 statistics pie chart, 278 viewing, 278 asset usage report adding, 279 fields, 281 parameters, 281 viewing, 280 CPU report adding, 281 fields, 284 parameters, 283 viewing, 283 hard-disk capacity report adding, 284 parameter, 286 statistics pie chart, 286 viewing, 286 illegal peripheral use report adding, 287 parameters, 290 statistics pie chart, 290 viewing, 289 insecurity category statistic report adding, 291 parameters, 294 pie chart, 294 viewing, 293 online user security status report adding, 294 parameters, 297 statistics pie chart, 297 viewing, 296 OS language report adding, 297 parameters, 299 statistics pie chart, 299 viewing, 298 OS version report adding, 299 parameters, 301 statistics pie chart, 301 viewing, 301 safe log gather statistic report adding, 302 parameters, 305 statistic pie chart, 306 viewing, 305 software installation report adding, 306 fields, 309 parameters, 308 viewing, 308 security check items configuring for PCs, 81 security level details, 48 anti-phishing software area, 50 anti-spyware software area, 50 anti-virus area, 49 asset registration status area, 52 basic information area, 49 firewall software area, 50 hard disk encryption software area, 50 operating system password area, 52 patch management software area, 51 PC software control group area, 50 registry area, 51 share area, 51 smart terminal configuration, 51 software control group area, 50 traffic monitoring area, 49 windows patches area, 51 security level management, 47 security level adding, 52 deleting, 53 details, 48 list contents, 48 making action take effect, 48 modifying, 53 viewing details, 52 viewing list, 52 security logs details, 230 basic information area, 231 details section, 231 EAD audit, 230 list contents, 230 querying, 232 advanced, 232 basic, 232 viewing details, 231 list, 231 security policies assigning, 46 assigning security policy to an access policy, 47 configuring, 33 security level management, 47 security policy management, 33 default security policy to a service, assigning, 46 deploying security policies, 59 deploying services, 59 parameters, 59 deployment history, 61 EAD global network monitoring diagram, 63 hierarchical node management, 54 receipt history, 61 security policy details, 34 ant-virus software control area, 36 anti-phishing software control area, 37 anti-spyware software control area, 36 asset registration status check area, 42 basic information area, 34 firewall software control area, 37 hard disk encryption software control area, 38 isolation mode area, 35 patch management software control area, 40 periodic check area, 42 registry control area, 41 share control area, 42 smart terminal policy area, 42 smart terminal software control area, 39 software control area, 38 URL control area, 36 windows patch control area, 40 security policy management, 33 configuring default security policy for roaming users, 46 real-time monitoring, 45 security policy adding, 43 assigning, 46 deleting, 44 323 modifying, 44 security policy details, 34 viewing, 43 security policy list contents, 33 viewing, 42 security status audit online users, 234 roaming online users, 234 service parameters DAM, 312 EAD, 310 management, 310 service-type PC software control group adding, 110 basic information contents, 109 deleting, 111 details, 109 service list information, 109 modifying, 110 viewing, 110 share control adding, 124 deleting, 125 details, 123 list contents, 123 management, 123 modifying, 124 viewing details, 124 list, 124 smart terminal policy adding, 141 deleting, 142 details, 140 list contents, 140 management, 140 modifying, 141 viewing details, 141 list, 141 smart terminal software control group details, 137 list contents, 136 group details basic information contents, 137 software list information, 138 management, 136 smart terminal software control group adding, 139 deleting, 140 modifying, 139 querying, 138 viewing details, 138 list, 138 smart terminals configuring security check items, 129 324 Index software deploy task adding, 228 configuring, 223 deleting, 229 details, 223 basic information section, 224 software deployment targets section, 225 list contents, 223 modifying, 229 querying, 226 advanced, 227 basic, 226 viewing details, 226 list, 226 software deployment configuring, 221 server settings, 221 preparing to use, 221 software deployment server settings adding, 222 configuring, 221 deleting, 223 details, 221 list contents, 221 modifying, 222 viewing details, 222 list, 222 software-type PC software control group adding, 103 deleting, 105 details, 102 basic information contents, 102 software list information, 102 modifying, 103 viewing, 102 T task execution result details, 226 technical support HP, 315 terminal access control, 67 client ACLs managing, 68 configuring, 67 isolation mode, 67 managing domain URL classes, 74 IP URL classes, 77 URL control policies, 71 URL access control , 68 terminal file asset file check list contents, 216 details, 217 audit, 216 auditing, 218 exporting audit results, 219 querying, 217 viewing audit results, 219 audit task list, 217 traffic control adding, 126 deleting, 127 list contents, 125 details, 125 list details basic information section, 125 broadcast packet monitoring section, 126 IP traffic monitoring section, 126 packet monitoring section, 126 TCP/UDP connection monitoring section, 126 management, 125 modifying, 127 viewing details, 126 list, 126 typographic conventions, 315 basic, 207 viewing details, 206 list, 206 viewing USB monitor log export history, 209 W windows patch control , 115 adding windows patch, 117 applicable windows version list, 116 deleting windows patch, 117 information details, 116 list contents, 116 modifying windows patch, 117 querying windows patches, 116 viewing windows patch list, 116 windows versions adding, 118 deleting, 119 list contents, 118 managing, 118 viewing, 118 U unauthorized peripheral use record audit, 213 exporting, 216 illegal peripheral use log export history list contents, 214 report list contents, 213 querying, 214 advanced, 215 basic, 214 viewing export history of the unauthorized peripheral use records, 214 list, 214 URL control policies adding, 73 deleting, 74 details, 72 list contents, 71 managing, 71 modifying, 73 viewing details, 73 list, 72 USB monitoring record audit, 205 details, 206 information of USB copied files section, 206 list of USB copied files section, 206 exporting, 208 USB monitor log export history list contents, 208 USB monitoring records, 208 list, 205 querying, 207 advanced, 207 325
© Copyright 2024 Paperzz