The Endpoint Security tool is a set of complementary features
and settings that let you secure and protect the managed devices
on your network. You can restrict network connections for managed
devices, restrict access to those managed devices by other types
of devices, and use the Host Intrusion Prevention (HIPS) and
Firewall tools to prevent unauthorized application operations.
Endpoint Security provides a layered defense for the protected
devices within your LANDesk network, at the perimeter of that
network, and for mobile users, giving you control over access to
and from those devices and over what is allowed to occur on
them.
Although Endpoint Security is a consolidated single agent that
is deployed to target devices, it is fully configurable and
provides services for several security components.
The Endpoint Security components are:
Location Awareness: Provides network
connection control with location awareness and trusted location
features. For information, see Endpoint Security settings
help.
LANDesk Firewall: Prevents unauthorized
application operations and connections. For information, see
LANDesk Firewall.
Device Control: Restricts access for storage
volumes, devices, interfaces, and so on. For information, see
Device Control.
With Endpoint Security you can define trusted locations (network
connections) for managed devices, create settings for each of the
Endpoint Security components listed above, and deploy those
settings based on whether the device is inside the trusted network
location or outside the trusted location.
As stated above, Endpoint Security is a single agent that
enforces protection rules on managed devices and controls the
functionality of each of the distinct security components. Endpoint
Security has the flexibility to allow you to enable and configure
the security components independently or in a coordinated
deployment. For example, you can deploy HIPS protection only, or
HIPS and Device Control (via their respective settings), or any
other combination of security components.
This section describes how to enable Endpoint Security on your
managed devices, and directs you to information about each of the
encompassed Endpoint Security components.
Enabling and deploying
Endpoint Security
Endpoint Security is enabled on managed devices by deploying
Endpoint Security settings to them.
You can include Endpoint Security in the initial agent
configuration. You can also use a change settings task to install
or update Endpoint Security settings on target devices.
Creating Endpoint Security settings
To create Endpoint Security settings
In the Security Configurations tool window,
right-click Endpoint Security, and then click
New.
At the General settings page, enter a name for
the settings, and then specify the general requirements and
actions. For information about an option, click Help.
If you want to manage network connections, select the
Use location awareness option. When this option is selected,
the Trusted location page is displayed, and the Security
policies page offers two separate policy groups: one applied
when the device is inside the trusted location and one applied
when the device is outside the trusted location. If location
awareness is not enabled, there is no inside/outside distinction
and only one policy group is used.
At the Security policies page, select which
Endpoint Security components you want to deploy to target devices
with the Endpoint Security settings.
At the Trusted location page, define the
allowed network connections (by IP address, IP range, or
subnet).
Click Save.
Once configured, you can deploy settings to target devices with
an installation or update task, or a change settings task.
Endpoint Security settings
help
Use this dialog box to create and edit Endpoint Security
settings.
This dialog box contains the following pages.
About the Endpoint
Security: General settings page
Use this page to configure location awareness (trusted network)
and other access settings.
Name: Identifies the settings with a unique
name.
Use location awareness: Lets you manage
network connections by location. You specify which network
addresses (by IP address, IP range, or subnet) are allowed; a
device is treated as being inside the trusted location only when
the IP address it has been assigned falls within one of those
explicitly allowed ranges, and its connections are restricted
accordingly. A device whose address is outside every allowed
range receives the outside-trusted-location policies.
Administrator password: Specifies the password
required on devices configured with these Endpoint Security
settings in order to perform certain actions on the protected
device.
Actions requiring a password include: accessing the HIPS client
interface, installing unsigned software, authorizing HIPS
violations, unloading HIPS, erasing the local report, and switching
the HIPS operating mode.
Allow Windows Service Control Manager to stop the
Endpoint Security service: Lets the end user stop the Endpoint
Security service on the client. While the service is stopped, the
agent is not enforcing its protection rules, so leave this option
clear unless end users genuinely need to stop the service.
Show violation pop-up messages: Displays a
message on the end user device if a blocked operation occurs.
Set as default: Assigns the settings as the
default for tasks that use Endpoint Security.
Save: Saves your changes and closes the
dialog.
About the Endpoint
Security: Policies page
Use this page to configure security policies for devices inside
the trusted network and policies for devices outside the trusted
network.
When inside the trusted location: Specifies
the component settings to be applied to devices when they are
connected to a trusted location.
When outside the trusted location: Specifies
the component settings to be applied to devices when they are not
connected to a trusted location.
About the
Endpoint Security: Trusted Locations page
Use this page to define trusted locations. A trusted location is
made up of a collection of network addresses, by IP address, IP
range, or subnet.
Trusted location: Lists the trusted locations
for the settings.
Import: Click to import the subnet range for
the core server.
Add: Lets you add a trusted location to the
list.
Edit: Lets you modify the selected existing
trusted location.
Delete: Removes the selected trusted
location.
Verify core server existence on the network:
Select this option to require that a core server be reachable on
a network before a device is treated as connected to a trusted
location. The same range of IP addresses can be used by more than
one network (private address ranges, for example, are reused on
many unrelated networks), so matching an address alone does not
prove the device is on the trusted network; this option adds that
assurance. If no core server is found on the network being
accessed, the connection is disabled. (Note: Leave this option
clear if you're confident that the network addresses in the
access list are trusted, or if you prefer to reduce traffic on the
network by not having devices ping the core server.)
Add: Lets you add a core server to the
list.
Remove: Removes the selected core server.
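The following is an added example, not code from the LANDesk documentation or product, that models the location-aware policy selection described in the settings procedure and on the Trusted Locations page: a device's current address is matched against trusted locations given as a single IP, an IP range, or a subnet; a match selects the "inside" policy group, no match selects the "outside" group; and when the "Verify core server existence on the network" option is enabled, a matched address still results in the connection being disabled unless a listed core server answers. The function names, the sample addresses, and the reachability probe (which stands in for the actual ping) are constructed for this illustration and are not LANDesk identifiers.

```python
# Added example (not LANDesk code): a model of location-aware policy
# selection. Trusted-location forms, the inside/outside policy groups
# and the core-server check follow the settings described above; names,
# sample addresses and the reachability probe are constructed here.
import ipaddress


def parse_location(spec):
    """Return a predicate matching one trusted-location entry.

    Accepted forms: "10.1.2.5" (single address), "10.1.2.1-10.1.2.50"
    (inclusive range) or "10.1.2.0/24" (subnet in CIDR notation).
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {spec!r}")
        # Check the address family first: comparing v4 with v6 raises.
        return lambda a: a.version == lo.version and lo <= a <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda a: a in net
    single = ipaddress.ip_address(spec)
    return lambda a: a == single


def in_trusted_location(device_ip, trusted_locations):
    """True when the device's current address falls inside any entry."""
    addr = ipaddress.ip_address(device_ip)
    return any(parse_location(spec)(addr) for spec in trusted_locations)


def select_policy_group(device_ip, trusted_locations, verify_core=False,
                        core_servers=(), core_reachable=None):
    """Decide which policy group applies to a device.

    Returns "inside" or "outside" (the two groups on the Security
    policies page), or "blocked" when verify_core is set, the address
    matched a trusted location, but none of the listed core servers
    answers: the connection is disabled rather than falling back to
    the outside group.
    """
    if not in_trusted_location(device_ip, trusted_locations):
        return "outside"
    if verify_core:
        if core_reachable is None:
            raise ValueError("verify_core needs a reachability probe")
        if not any(core_reachable(core) for core in core_servers):
            return "blocked"
    return "inside"


# Constructed settings for the demonstration (hypothetical values).
TRUSTED_LOCATIONS = ["10.1.2.0/24", "10.1.3.10-10.1.3.40", "192.0.2.7"]
CORE_SERVERS = ["10.1.2.5"]


def demo(core_is_reachable):
    """Evaluate a few constructed devices; returns {device_ip: group}."""
    def probe(core):          # stand-in for pinging the core server
        return core_is_reachable

    cases = ["10.1.2.40", "10.1.3.41", "192.0.2.7", "172.16.9.3"]
    return {
        ip: select_policy_group(ip, TRUSTED_LOCATIONS, verify_core=True,
                                core_servers=CORE_SERVERS,
                                core_reachable=probe)
        for ip in cases
    }


if __name__ == "__main__":
    # 10.1.2.40 matches the trusted subnet either way; only the core
    # check distinguishes the corporate LAN from a network that happens
    # to reuse the same private range.
    print("core reachable:  ", demo(True))
    print("core unreachable:", demo(False))
```

Running the block shows 10.1.2.40 and 192.0.2.7 resolving to "inside" when the core answers and to "blocked" when it does not, while 10.1.3.41 (one past the end of the range) and 172.16.9.3 are "outside" in both runs; that difference between the two runs is the case the verification option exists for.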
What happens on a device configured with
Endpoint Security components
This section describes how the Endpoint Security client displays
on managed devices, what happens on end user devices when they are
being protected by Endpoint Security, and the actions end users can
take when a security violation is discovered.
Client interface and user actions
Once Endpoint Security has been deployed to managed devices, the
client can be accessed through either the Start menu or the system
tray icon.
NOTE: Administrator password protection
If the administrator has enabled the password protection option in
the Endpoint Security settings, the correct password must be
entered in order to access and use certain client features.
System tray icon
The system tray icon shows whether the HIPS component of
Endpoint Security is running in learn mode or automatic blocking
mode.
End users can right-click the icon to access its shortcut menu
and select the following options:
Open: Opens the client.
Options: Displays the options that have been
configured by the administrator at the console (read-only).
Automatic mode: Enables the HIPS component to
run in automatic mode where all predefined security violations are
blocked.
Learn mode: Enables the HIPS component to run
in learn mode where all security violations are allowed, but are
monitored and recorded in an action history file.
Install software: Opens a file explorer window
where the end user can select an installation or setup program to
run.
Unload: Lets the end user unload (uninstall) the client
from their machine. If an administrator password has been set,
it is required for this action.
End user actions
The client is displayed in a window that includes the following
elements, where the end user can:
View the activity log.
View the options that have been configured by the
administrator at the console (read-only).
On the Status page: View component information
(for HIPS, Whitelist, Firewall, and Device Control), current
operating mode, and activity occurring on the client. Change the
operating mode (authorization password might be required).
On the Programs page: View running
applications and their authorizations. Select programs and view all
of their authorizations or kill the process. Modify display
options.
On the Startup page: View and edit the
contents of the system startup. Also, view and edit services
running on the client and Internet Explorer extensions.
On the Protection page: View program access
rights and folder protections. Create, edit, and delete file
protection rules, and change rule priority in the ordered
list.
On the Certifications page: View programs with
special file certifications. Add and delete file
certifications.