Impulse Safe●Connect | Version 3 | Custom Policies
Table of Contents
- Introduction
- Accessing the Custom Policy Module
- Policy Creation
- Windows Updates
- Edit an Existing Policy
- Applying Your Policies
- Finally
Administrators of the Safe●Connect Policy Gateway can create policies based on a wide variety of self-specified factors, including the presence of running processes or services, specific Windows Security Updates and the presence and values of registry keys. This allows real-time response to emerging threats and network security issues. Custom policies can be used to provide highly specific, targeted messaging to anyone from individual users (by IP address or LDAP User Group) to a whole network. They also provide the ability to block and reinstate internet access at will for chosen users or machines.
Accessing the Custom Policy Module
From the Safe●Connect Policy Manager main window, click the button at the bottom right labeled“Custom Policies”.
This will bring up the Custom Policies Workspace.
From this panel, you can create new policies or edit existing custom policies.
Policy Creation
Example 1: Process Check
To create a custom policy, simply click the “New Custom Policy” button at the top left corner.
This brings up the Name and Description dialogue. Enter a name for your group that is unique and descriptive. This will help you to identify at a glance which pages the policy should use and which groups it should be applied to. If you need to be more specific, you may use the optional description box below.
Click “OK” to return to the main workspace, where you can choose the object to check for. In this case, we will check for the process “notepad.exe” running on Windows XP computers. Click the “Add a new process” button to the far left.
This will bring up the Process Information box. Enter “notepad.exe”, click “Running” and “Windows XP”, then click “OK” to return to the main workspace.
This box would also allow you to specify any other named process, for any or all supported versions of the Windows OS. The current configuration makes a policy assessment whenever it finds “notepad.exe” running. You could also set it up to pass up an assessment if Notepad happened to be turned off.
You will now choose which page set to apply to this policy. The following assumes that you have first created the appropriate pages in the Custom Messaging Module. Click here for more information about how to create and edit notification pages.
As you can see, from the box at the right “Relationship between Conditions”, we have determined that the user will fail this policy if Notepad is found to be running on a Windows XP machine.
If you have mistyped the process name, or if you wish to replace it with another process, you may do so by hilighting the process and clicking “Edit”.
If you no longer want to base this policy on the current process, you can remove it entirely by highlighting it and clicking “Delete”.
The button labeled “Help and more information” will lead you back to this Manual.
Now lets say that you would like to assure that users in a certain group
all have a specific Windows Critical Update installed. You would also like
to point all of them to your WSUS server, even though they are not on a
domain. In this case, you can create a policy that searches for the specific
update, and for the presence of the registry key that points to your WSUS
server.
First, create a new policy, as in example 1.
Then click “Add a KB Number”, which bring up the following panel.
Here you can decide which patches to search for.
Check the boxes at the bottom of the panel to display patches for specific Window OS's Then click the patch number in the box to the left for a description of the specific patch.
Note: Many patches only apply to one or two OS's Also many patches are rolled into major Service Packs for each OS.
When the Policy Key searches, it will take into account which OS and which Service Pack are installed before it determines policy compliance.
Once you determine which patches you want to search for, simply hilight the desired patch in the box to the left and click “Add-->”. Do this for each patch you want to add.
When you have chosen all your patches, click “OK” to go back to the main workspace.
To check for your WSUS settings, you will want to look for a registry key.
From the main workspace, click on the button “Add a new Registry Key”.
This will bring up the following dialogue, which will allow you to begin
specifying the registry settings you would like to search for.
Define your reg key check by choosing the general location first. Do this
by clicking the dropdown under “Registry Area”. In this case
we have chose HKeyLocalMachine.
Input the specific path and the value name in their respective boxes.
Then use the “Value Type” dropdown to choose whether the value you are looking for is a string or a number, and enter the appropriate value in the “Data to match against” box.
We have chosen to base this policy on the existence of this reg key on
all Windows machines.
Click “OK” to return to the main workspace, and repeat the above
steps until you have included all the desired registry keys. Your resulting
policy will look something like this.
Please note we have specified that users will pass this policy only if all
the elements are present. Also note that this policy is using the generic
default page set, as we have not yet created a custom page set to go with
it.
Click “OK” to save and close. Then use the Custom Messaging module to create a page set for this policy. When you are done, open the Custom Policy module again and select this policy from the dropdown at the top.
Your new page set will now be available in the “Message Name”dropdown.
To edit an existing policy, simply choose it from the dropdown at top center.
The “Peer to Peer Sharing” policy is shown here.
As you can see, this policy searches for a number of different processes.
If any of the processes is found to be running on the client machine, the
Policy Key will report a failed policy.
Perhaps you would like to add another process to scan for. In this case, you would simply click the “Add a new process” button. Thereafter the steps would be identical to those for creating a new policy.
You can also change which pages a given custom policy uses at any time, simply by selecting the policy name from the top dropdown and then choosing the new page set from the “Message Name” dropdown.
Also, if a customer policy has run its course, you can always delete it. Select the policy name from the dropdown at top and then click “Delete this policy”. The next time you upload, the deleted policy will be removed from service.
If you are done editing custom policies, you can now click the “OK”
button. This will prompt you to save the current policy.
If you decide to save, you will return to the Policy Manager main window.
Now hilight a Policy Group in the left hand panel and click the “Settings”
button next to Custom Policy. Your new policy will appear in the box below,allowing
you to add it to the current Policy Group.
To add this policy to your current group, hilight the policy name and click
the “Add-->” button. This will take you immediately to the
Policy Enforcement options for this policy. For more information about how
to set Policy Enforcement options, please see the Management
Console manual.
If you would like to add another custom policy to this policy group, just
click the “<Previous” button from the Policy Enforcement
panel. This will bring you back to the Custom Policy Selector panel.
When you are done adding custom policies to your Policy Group, hit the “Upload Data” button, and the new policies will go into effect immediately.