Novell ZENworks Endpoint Security Management 3.5 User Manual

Novell ZENworks® Endpoint Security Management 3.5
July 26, 2007
ADMINISTRATOR'S MANUAL
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Document Version 2.0, supporting Novell ESM 3.5 and subsequent version 3 releases
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500
Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell Trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Licenses
FIPS Certified AES Crypto
Compilation Copyright (c) 1995-2003 by Wei Dai. All rights reserved. This copyright applies only to this software distribution package as a compilation, and does not imply a copyright on any particular file in the package. The following files are copyrighted by their respective original authors: mars.cpp - Copyright 1998 Brian Gladman. All other files in this compilation are placed in the public domain by Wei Dai and other contributors. Permission to use, copy, modify, and distribute this compilation for any purpose, including commercial applications, is hereby granted without fee, subject to the following restrictions:
1. Any copy or modification of this compilation in any form, except in object code form as part of an application software, must include the above copyright notice and this license.
2. Users of this software agree that any modification or extension they provide to Wei Dai will be considered public domain and not copyrighted unless it includes an explicit copyright notice.
3. Wei Dai makes no warranty or representation that the operation of the software in this compilation will be error-free, and Wei Dai is under no obligation to provide any services, by way of maintenance, update, or otherwise. THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
4. Users will not use Wei Dai or any other contributor's name in any publicity or advertising, without prior written consent in each case.
5. Export of this software from the United States may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
6. Certain parts of this software may be protected by patents. It is the users' responsibility to obtain the appropriate licenses before using those parts. If this compilation is used in object code form in an application software, acknowledgement of the author is not required but would be appreciated. The contribution of any useful modifications or extensions to Wei Dai is not required but would also be appreciated.

Contents

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
ZENworks Endpoint Security Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
ESM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
About the ESM Manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
USB/Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Policy Distribution Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Securing Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Running the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Management Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Securing Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Running the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Task Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Menu Bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Permissions Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuration Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Alerts Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Generating Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
ZENworks Storage Encryption Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
ZENworks File Decryption Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Override-Password Key Generator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
USB Drive Scanner. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Client Location Assurance Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Securing Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Optional Server Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Transferring the Public Key to the Management Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Updating the Encryption Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
ZENworks Security Client Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Client Self Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Upgrading the ZSC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Running the ZSC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
ZENworks Security Client Diagnostics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Creating and Distributing ESM Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Creating Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Custom User Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
ZENworks® ESM 3.5 Administrator’s Manual 4
Hyperlinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Global Policy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Wireless Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Global Communication Hardware Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Storage Device Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Data Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
ZSC Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
VPN Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Location Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Location Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Communication Hardware Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Storage Device Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Network Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Wi-Fi Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Wi-Fi Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
TCP/UDP Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Application Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Integrity and Remediation Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Antivirus/Spyware Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Advanced Scripting Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Rule Scripting Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Sample Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Compliance Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Publishing Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Exporting a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Importing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Exporting Policies to Unmanaged Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Allowing ASP.NET 1.1 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Troubleshooting SQL Server Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Acronym Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

List of Figures

Figure 1: Effectiveness of NDIS-layer firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 2: ESM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 3: The Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 4: Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 5: Management Console Permissions Settings Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 6: Permission Settings Organization Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 7: Publish To Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 8: Publish To List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Figure 9: Infrastructure and Scheduling Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 10: Authenticating Directories Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 11: Service Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 12: Alerts Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 13: Alerts Configuration Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 14: Alert Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 15: Alerts Configuration Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 16: Reports Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 17: Use calendar tool to set the date-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Figure 18: Report Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Figure 19: Report list icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Figure 20: No data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Figure 21: Sample Blocked Applications Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Figure 22: Sample Location Usage Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 23: Sample Detected Removable Storage Devices report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Figure 24: Sample Wireless Environment History report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Figure 25: Browse the Reporting Data Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Figure 26: Report Document Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 27: Available Database Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Figure 28: Add New Crystal Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 29: Crystal Reports Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Figure 30: Access Reporting Service Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Figure 31: Select OLE DB Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 32: Enter Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 33: Select Source Table or View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 34: Select the columns to include. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 35: Select Columns to Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 36: Select Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 37: Visual Basic Report Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 38: Setting Up a Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 39: Create Parameter Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 40: Link the Parameter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 41: Specify the Correct Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 42: Access Encryption Keys through the tools menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 43: Override Password Key Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 44: USB Drive Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 45: Scan for Device Name and Serial Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Figure 46: ZENworks Security Client About Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Figure 47: ZENworks Security Client Diagnostics Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Figure 48: Administrator Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Figure 49: View Policy Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Figure 50: Rule Scripting Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 51: Scripting Variable Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 52: Client Driver Status Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 53: ZENworks Security Client Settings Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Figure 54: Logging Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 55: Comment Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Figure 56: Reporting Overrides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Figure 57: Duration Settings, and Make Permanent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 58: Hold Reports for Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 59: Policy Toolbar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Figure 60: Select Component Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Figure 61: Show Usage Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Figure 62: Error Notification Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Figure 63: ESM Security Policy creation process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Figure 64: Custom User Message with a Hyperlink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Figure 65: Custom Message and Hyperlink Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Figure 66: Custom User Message with a Hyperlink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Figure 67: Custom Message and Hyperlink Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Figure 68: Global Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Figure 69: Updated Policy Custom Message with Hyperlink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Figure 70: Uninstall Password Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Figure 71: Policy Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Figure 72: Global Communication Hardware Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Figure 73: Global Storage Device Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Figure 74: Verify Local Storage Device Options are set as Disabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Figure 75: Data Encryption controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Figure 76: ZSC Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Figure 77: Basic VPN Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Figure 78: Advanced VPN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Figure 79: Location Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Figure 80: CLAS location checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Figure 81: Location Communication Hardware Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 82: Location Storage Device Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Figure 83: Network Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Figure 84: Wi-Fi Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Figure 85: Managed Access Points Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Figure 86: Filtered Access Points Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 87: Prohibited Access Points Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 88: Signal Strength Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Figure 89: Wi-Fi Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Figure 90: Firewall Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 91: TCP/UDP Ports Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Figure 92: Access Control Lists Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 93: Application Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Figure 94: Antivirus/Spyware Integrity rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Figure 95: Integrity Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Figure 96: Integrity Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Figure 97: Advanced Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Figure 98: Script Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Figure 99: Script Text Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Figure 100: Compliance Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Figure 101: Publish a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Figure 102: Open IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Figure 103: Allowing ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Figure 104: Communications Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Figure 105: Distribution Service - Client Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Figure 106: Distribution Service - Server Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Figure 107: Management Service - Client Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Figure 108: Management Service - Server Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Figure 109: Trace Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Figure 110: Add Counters Dialogue Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Figure 111: System Monitor Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Figure 112: Database Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Figure 113: Trace Sample. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Figure 114: Example Configuration Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Figure 115: Example Repository Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Figure 116: Example Organization Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Figure 117: Example ORG_REP Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Figure 118: Example Event Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Figure 119: Example Configuration Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 120: Configuration Form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 121: Example Organization Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Figure 122: Organization Audit Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Figure 123: Example Publish_Organization_Audit Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
ZENworks® ESM 3.5 Administrator’s Manual 8

List of Tables

Table 1: System Requirements (page 12)
Table 2: Signal Strength thresholds (page 119)
Table 3: TCP/UDP Ports (page 127)
Table 4: Network Address Macros (page 130)
Table 5: Application Controls (page 133)
Table 6: Shell Folder Names (page 152)

ZENworks Endpoint Security Management

Novell's ZENworks Endpoint Security Management (ESM) provides complete, centralized security management for all endpoints in the enterprise. Because ESM applies security at the most vulnerable point, the endpoint, all security settings are applied and enforced regardless of whether the user is connecting to the network directly, dialing in remotely, or even not connecting to corporate infrastructure at all. This is critical to not only protect the data within the corporate perimeter, but also to protect the critical data that resides on the endpoint device itself.
ESM automatically adjusts security settings and user permissions based on the current network environment characteristics. A sophisticated engine is used to determine the user's location and automatically adjusts firewall settings and permissions for applications, adapters, hardware, etc.
Security is enforced through the creation and distribution of ESM security policies. Each location (Work, Home, Alternate, Airport, etc.) listed in a security policy is assigned to a network environment (or multiple network environments). A location determines which hardware is available and the degree of firewall settings that are activated within the network environment. The firewall settings determine which networking ports, access control lists (ACLs), and applications are accessible/required. Various integrity checks and scripts can be run at location change to ensure that all required security software is up to date and running.
In securing mobile devices, ESM is superior to typical personal firewall technologies which operate only in the application layer or as a firewall-hook driver. ESM client security is integrated into the Network Driver Interface Specification (NDIS) driver for each network interface card (NIC), providing security protection from the moment traffic enters the PC. Differences between ESM and application-layer firewalls and filter drivers are illustrated in Figure 1.
Security decisions and system performance are optimized when security implementations operate at the lowest appropriate layer of the protocol stack.
Figure 1: Effectiveness of NDIS-layer firewall
With ESM's ZENworks Security Client, unsolicited traffic is dropped at the lowest levels of the NDIS driver stack by means of Adaptive Port Blocking (stateful packet inspection) technology. This approach protects against protocol-based attacks, including unauthorized port scans, SYN flood, NetBIOS, and DDoS attacks.

ESM Overview

ESM consists of five high-level functional components: Policy Distribution Service, Management Service, Management Console, Client Location Assurance Service, and the ZENworks Security Client. The figure below shows these components in the architecture.
Figure 2: ESM Architecture
The ZENworks Security Client (ZSC) is responsible for enforcing the distributed security policies on the endpoint system. Once the ZSC is installed on all enterprise PCs, those endpoints can travel outside the corporate perimeter and maintain their security, while endpoints inside the perimeter receive additional security checks within the perimeter firewall.
Each Central Management component is installed separately. The following components are installed on servers secured inside the corporate perimeter:
Policy Distribution Service - responsible for the distribution of security policies to the ZSC and the retrieval of reporting data from the ZSCs. The Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to ensure regular policy updates for mobile endpoints.
Management Service - responsible for user policy assignment and component authentication; reporting data retrieval, creation and dissemination of ESM reports; and security policy creation and storage.
Management Console - the visible user interface, which can run directly on the server hosting the Management Service or on a workstation inside the corporate firewall with a connection to the Management Service server. The Management Console is used both to configure the Management Service and to create and manage user and group security policies. Policies can be created, copied, edited, disseminated, or deleted using the editor.
Client Location Assurance Service - provides a cryptographic guarantee that ZENworks Security Clients are actually in the defined location that the other network environment parameters indicate.

System Requirements

Table 1: System Requirements

Server System Requirements
Operating Systems: Microsoft Windows 2000 Server SP4; Microsoft Windows 2000 Advanced Server SP4; Windows 2003 Server
Processor: 3.0 GHz Pentium 4 HT (or greater); 756 MB RAM minimum (1 GB+ recommended)
Disk Space: 500 MB without a local Microsoft SQL database; 5 GB with a local MS SQL database (SCSI recommended)
Required Software: Supported RDBMS (SQL Server Standard, SQL Server Enterprise, Microsoft SQL Server 2000 SP4, or SQL 2005); Microsoft Internet Information Services (configured for SSL); Supported Directory Services (eDirectory, Active Directory, or NT Domains*)
* NT Domains is only supported when the Management Service is installed on Windows 2000 Server or Windows 2000 Advanced Server (SP4).

Endpoint System Requirements
Operating Systems: Windows XP SP1; Windows XP SP2; Windows 2000 SP4
Processor: 600 MHz Pentium 3 (or greater); Minimum 128 MB RAM (256 MB or greater recommended)
Disk Space: 5 MB required; 5 additional MB recommended for reporting data
Required Software: Windows 3.1 Installer; All Windows updates should be current

ASP.NET

The Policy Distribution, Management, and Client Location Assurance services require the local ASP.NET account to be enabled. If it is disabled, the services will NOT work correctly.

Reliable Time Stamp

The Novell ESM solution gathers data from multiple sources and collates this data to create a wide variety of security and audit reports. The utility and probative value of these reports are greatly diminished if disparate sources disagree as to times, so it is strongly recommended that anyone installing ESM provide for enterprise-wide time synchronization (such as that provided by Active Directory, or through the use of Network Time Protocol).
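As an added example (not from the manual), here is a small Python check in the spirit of this paragraph: it takes reporting records collated from several sources and flags any source whose clock disagrees with the collecting server by more than a tolerance, then re-aligns that source's event times. The record layout, the source names and the 5-minute tolerance are assumptions of the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of collated reporting records (not real ESM data).
# Each tuple: (reporting source, event time as stamped by that source,
#              time the collecting server recorded on receipt), both UTC.
SAMPLE_RECORDS = [
    ("DistributionService-1", "2007-07-26T10:00:00", "2007-07-26T10:00:03"),
    ("DistributionService-1", "2007-07-26T10:05:00", "2007-07-26T10:05:02"),
    ("ZSC-laptop-17",         "2007-07-26T10:01:00", "2007-07-26T10:01:01"),
    ("ZSC-laptop-17",         "2007-07-26T10:06:00", "2007-07-26T10:06:04"),
    ("ZSC-laptop-42",         "2007-07-26T09:18:00", "2007-07-26T10:02:00"),
    ("ZSC-laptop-42",         "2007-07-26T09:23:00", "2007-07-26T10:07:00"),
]

# Tolerance is an assumption of this example; 5 minutes is the default clock
# skew Active Directory's Kerberos accepts, so it is a reasonable bar for
# "these sources agree on time".
DEFAULT_TOLERANCE = timedelta(minutes=5)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def source_offsets(records):
    """Median (received - claimed) offset per source.

    The median rather than a single sample keeps one delayed upload from
    making a well-synchronised source look skewed.
    """
    by_source = {}
    for source, claimed, received in records:
        delta = _parse(received) - _parse(claimed)
        by_source.setdefault(source, []).append(delta.total_seconds())
    return {s: timedelta(seconds=median(v)) for s, v in by_source.items()}


def skewed_sources(records, tolerance=DEFAULT_TOLERANCE):
    """Names of sources whose clock offset exceeds the tolerance, sorted."""
    return sorted(s for s, off in source_offsets(records).items()
                  if abs(off) > tolerance)


def realign(records, tolerance=DEFAULT_TOLERANCE):
    """Return records with event times corrected onto the collector's clock.

    Only sources outside tolerance are adjusted; ordinary network delay is
    left alone so well-behaved sources are not rewritten. Each output row is
    (source, corrected event time, received time, was_adjusted).
    """
    offsets = source_offsets(records)
    out = []
    for source, claimed, received in records:
        off = offsets[source]
        adjust = abs(off) > tolerance
        fixed = _parse(claimed) + off if adjust else _parse(claimed)
        out.append((source, fixed.strftime("%Y-%m-%dT%H:%M:%S"), received, adjust))
    return out


if __name__ == "__main__":
    for s, off in sorted(source_offsets(SAMPLE_RECORDS).items()):
        print(f"{s:24s} offset {off}")
    print("out of tolerance:", skewed_sources(SAMPLE_RECORDS))
```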
The ESM Administrator(s) should follow all installation, operation, and maintenance recommendations provided in this document and the ESM Installation and Quick-Start guide, in order to ensure a strong security environment.

About the ESM Manuals

The ZENworks Endpoint Security Management manuals provide three levels of guidance for the users of the product.
ESM Administrator's Manual - This guide is written for the ESM Administrators who are required to manage the ESM services, create security policies for the enterprise, generate and analyze reporting data, and provide troubleshooting for end-users. Instructions for completing these tasks are provided in this manual.
ESM Installation and Quick-Start Guide - This guide provides complete installation instructions for the ESM components and assists the user in getting those components up and running.
ZENworks Security Client User's Manual - This manual is written to instruct the end-user on the operation of the ZENworks Security Client (ZSC). This guide may be sent to all employees in the enterprise to help them understand how to use the ZSC.

USB/Wireless Security

ZENworks USB/Wireless Security (UWS) is a simplified version of the product that provides comprehensive USB control, connectivity security, and file encryption features, but does not include some of the additional security features that are available in ESM. If you have purchased UWS rather than ESM, all functionality described in this manual will be essentially the same, with only certain policy features unavailable in the Management Console.
The unavailable features have been marked with the following notation on their respective pages:
Note:
This feature is only available in the ESM installation, and cannot be used for UWS security policies.
Features without this notation are available for both ESM and UWS security policies. To verify which version you are running, open the “About” screen from the Help menu in the Management Console (see “Menu Bar” on page 22).

Policy Distribution Service

The Policy Distribution Service is a web service application that, when requested, distributes security policies and other necessary data to ZENworks Security Clients. ESM security policies are created and edited with the Management Service's Management Console, then published to the Policy Distribution Service where they are downloaded by the client at check-in.
The Policy Distribution Service authenticates ZENworks Security Clients based on the user ID credentials obtained from the Management Service, and supplies each client with the designated security policy.
Reporting data is collected by ZENworks Security Clients and passed up to the Policy Distribution Service. This data is periodically collected by the Management Service and then deleted from the Policy Distribution Service.
The Policy Distribution Service does not initiate any communications with the other ESM components, and only responds to others. It does not hold sensitive data in the clear, nor does it hold the keys needed to decrypt the sensitive data. It does not hold user credentials, or any other user-specific data.

Server Selection and Installation

Please refer to the Installation and Quick Start guide for selection and installation instructions.

Server Maintenance

It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows\temp folder. Under extreme load conditions Windows can generate an inordinate number of temporary files that needlessly take up disk space.

Upgrading the Software

The ESM Policy Distribution Service software can be upgraded by running the new installation software.

Uninstall

To uninstall the Policy Distribution Service, use the Add/Remove Programs function in the Windows Control Panel, or run the installation again from the ESM installation CD.

Securing Server Access

Physical Access Control

Physical access to the Distribution Service Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.
Likewise, Disaster Recovery and Business Continuity mechanisms for the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used will depend on the specifics of the organization and its desired risk profile, and cannot be described in advance. The same standards and guidelines listed above can be helpful in this decision as well.

Network Access Control

The Distribution Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following:
restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected;
restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected; and/or
restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected.
Such measures can be imposed through the use of standard firewall technology.

High Availability

High Availability mechanisms for the Distribution Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor specific (the Microsoft web site has multiple resources on high availability web services and clustering issues). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Distribution Server has been architected to function in non-high-availability situations, and does not require High Availability to provide its services.

Running the Service

The Policy Distribution Service launches immediately following installation, with no reboot of the server required. The Management Console can adjust upload times for the Distribution Service using the Configuration feature (See “Infrastructure and Scheduling” on page 28). For other monitoring capabilities see:
“Server Communication Checks” on page 214
“System Monitor” on page 221

Management Service

The Management Service is the central service for ESM. It is used to create authentication credentials, design and store security policies and their components, and provide remediation through a robust reporting service. It provides security policies and user information to the Policy Distribution Service, as well as providing opaque credentials to ZENworks Security Clients.
Security policies, credentials, and reports are stored in one or more SQL databases, which may reside on the same server as the Management Service or on remote servers.

Server Selection and Installation

Please refer to the Installation and Quick Start guide for selection and installation instructions.

Server Maintenance

It is recommended that regular Disk Cleanup tasks be configured to run on this server to remove temporary files from the Windows\temp folder. Under extreme load conditions Windows can generate an inordinate number of temporary files that needlessly take up disk space.

Upgrading the Software

The ESM Management Service software can be upgraded by running the new installation software.

Uninstall

To uninstall the Management Service, use the Add/Remove Programs function in the Windows Control Panel.
To uninstall the Management Console (when run on a separate PC), use the Add/Remove Programs function in the Windows Control Panel.

Securing Server Access

Physical Access Control

Physical access to the Management Server should be controlled to prevent access by unauthorized parties. Measures taken should be appropriate to the risks involved. Multiple standards and guidelines are available, including NIST recommendations, HIPAA requirements, ISO/IEC 17799, and less formal collections of recommendations such as CISSP or SANS guidelines. Even when a given regulatory framework is not applicable, it may still act as a valuable resource and planning guide.
Disaster Recovery and Business Continuity: Disaster Recovery and Business Continuity mechanisms for the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. The mechanisms best used will depend on the specifics of the organization and its desired risk profile, and cannot be described in advance. The same standards and guidelines listed above (NIST recommendations, HIPAA requirements, ISO/IEC 17799, and CISSP or SANS guidelines) can be helpful in this decision as well.

Network Access Control

The Management Server can be further protected from unauthorized access by restricting network access to it. This may take the form of some or all of the following:
restricting incoming connection attempts to those IP addresses from which a valid access attempt might be expected;
restricting incoming connection attempts to those ports and protocols from which a valid access attempt might be expected;
restricting outgoing connection attempts to those IP addresses to which a valid access attempt might be expected; and/or
restricting outgoing connection attempts to those ports and protocols to which a valid access attempt might be expected.
Such measures can be imposed through the use of standard firewall technology.

High Availability

High Availability mechanisms for the Management Server should be put in place if an organizational risk assessment identifies a need for such steps. There are multiple alternative mechanisms for building high availability solutions, ranging from the general (DNS round-robining, layer 3 switches, etc.) to the vendor specific (the Microsoft web site has multiple resources on high availability web services). Those implementing and maintaining an ESM solution should determine which class of high availability solution is most appropriate for their context. It should be kept in mind that the Management Server has been architected to function in non-high-availability situations, and does not require High Availability to provide its services.

Running the Service

The Management Service launches immediately following installation, with no reboot of the server required. The Management Console is used to manage the data on the Management Service. See “Infrastructure and Scheduling” on page 28 for more details.
For other monitoring capabilities see:
“Server Communication Checks” on page 214
“System Monitor” on page 221

Distributing ESM Credentials (Key Management Key)

The Management Service automatically distributes credentials to each ZSC when it is installed and checks in to the Management Service for the first time. Once this credential is distributed, the ZSC is permitted to receive policies from the Policy Distribution Service and to provide reporting data to the Reporting Service.
Periodic Renewal of the Key Management Key (KMK)
Cryptographic best practices dictate that the KMK be renewed at regular intervals to prevent certain cryptographic attacks from being practical. This need only take place on a relatively long cycle: typically on the order of once every year, and should not be done too frequently because the change-over does involve some effort and bandwidth costs.
To renew the KMK, perform the following steps:
Step 1: Open the Communications Console on the Management Service (Start/Programs/Novell/Management Service/ESM Communications Console).
Note:
Running the Communications Console will cause the Management Service to lose user and log data; policy data, however, will not be deleted.
Step 2: Allow the Communications Console to run a complete check.
Step 3: Have all end-users authenticate to the Management Service (either via VPN or while inside the appropriate firewall) by right-clicking the ZSC task-tray icon and selecting “Check for Policy Update.”
Step 4: The Management Console will automatically pass the new KMK credentials down. In some cases, the user will have to authenticate to the domain (username and password).
Until the endpoints renew their KMK, they will not be able to communicate with the Policy Distribution Service.

Management Console

The Management Console is the central access and control for the Management Service.
Double-click the Management Console Icon on the desktop to launch the login window. Log in to the Console by entering the administrator name and password. The username entered MUST be an authorized user on the Management Service (see “Permissions Settings” on page 24).
Note:
It is recommended that the console be closed or minimized when not in use.

Task Bar

The Task-bar on the left provides access to the Management Console tasks (see Figure 3).
Figure 3: The Management Console
The functions available in the task bar are described on the following page. Click each topic to view the available tools.

Policy Tasks

The Primary function of the Management Console is the creation and dissemination of Security Policies. The Policy Tasks guide the administrator through creating and editing security policies which are used by the ZENworks Security Client to apply centrally managed security to each endpoint.
The Policy Tasks are:
Active Policies - This displays a list of current policies, which can be reviewed and edited. Click on the policy to open it
Create Policies - This begins the policy creation process (see below)
Import Policies - This imports policies created on other Management Services (See “Importing Policies” on page 209)
Clicking any of the policy tasks will minimize the tasks menu. This can be viewed again by clicking on the tab on the left side.
See “Creating and Distributing ESM Security Policies” on page 83 to learn about the policy tasks and how to create and manage security policies.

Resources

The following resources are available to help you:
Contact Support - This link will launch a browser and take you to our Support Contact Page
Online Technical Support - This link will launch a browser and take you to our Main Support Page
Management Console Help - Launches Help

Configuration

The Management Service Configuration window provides controls for both the ESM server infrastructure and controls for monitoring additional enterprise directory services. See “Configuration Window” on page 28 for details. This control is not available when running a "Stand-Alone" Management Console (see ESM Installation and Quick-Start Guide for details).

Endpoint Auditing

Endpoint Auditing gives you access to ESM Reporting and Alerting. Alerts monitoring ensures that any attempts to compromise corporate security policies are reported in the Management Console. This allows the ESM Administrator to know of potential problems and take any appropriate remedial actions. The Alerts dashboard is completely configurable, granting total control over when and how frequently alerts are triggered. See “Alerts Monitoring” on page 33 for details.
Reporting is critical in assessing and implementing strong security policies. Reports may be accessed through the Management Console by clicking on Reports. The endpoint security information gathered and reported back is also completely configurable, and can be gathered by domain, group, or individual user. See “Reporting” on page 37 for details.

Menu Bar

The menu bar gives you access to all functions of the Management Console. As with all Windows menus, simply click the menu link to display the menu items. The menu items are described below.
Figure 4: Menu Bar
File - The File menu is used for the creation and management of policies
New - creates a new policy
Refresh Policy List - updates the list to display all active policies
Delete - deletes the selected policy
Import - imports a policy into the Management Console
Export - exports a policy and the required SETUP.SEN file to a specified location outside of the Management Service database
Exit - Closes the Management Console software, logging out the user
Tools - The Tools menu is used to control the Management Service
Configuration - opens the Configuration window
Permissions - opens the Permissions window
View - The View menu gives you an option to change to key policy tasks without using the task bar
Policy - when a policy is open, switches the view to that policy
Policy List - displays the policy list
Alerts - displays the Alerts dashboard
Reporting - displays the Reporting dashboard
Help - The Help menu gives you access to the Management Console Help tool and the About box
Help - launches the Management Console Help tool, which can guide you through policy creation as well as all Management Console tasks (also available by pressing the F1 key on your keyboard)
About - launches the About window, which displays the installation type (ESM or UWS; see “USB/Wireless Security” on page 13) and the current version number for the Management Console. This window is also where the license key is entered if purchased after installation

Permissions Settings

This control is found in the Tools menu, and is only accessible by the primary administrator for the Management Service and/or anyone who has been granted "permissions" access by that administrator. This control is not available when running the "Stand-Alone" Management Console.
The permissions settings define which user or group of users are permitted access to the Management Console, Publish Policies, and/or Change Permission Settings.
During the Management Server installation, an administrator or Resource Account name is entered into the configuration form (see the ESM Installation and Quick-Start Guide). Once a successful test has been performed and the user information saved, five permissions are automatically granted to this user (see below).
Once the Management Console is installed, the resource user (defined above) will be the ONLY user with full permissions, though ALL user groups within the domain will be granted Management Console Access. The resource user should remove access from all but the groups/users who should have access. The resource user may set additional permissions for the designated users. The permissions granted have the following results:
When the Management Console is launched, the permissions are retrieved from the Permission table. These permissions tell the console whether the user has the rights to log in to the Console, create or delete policies, change Permissions settings, and whether or not they can publish policies, and to whom they are permitted to publish.
Management Console Access: the user may view policies and components, and edit existing policies. Users granted ONLY this privilege will not be permitted to add or delete policies; the publish and permissions options will be unavailable
Publish Policy: the user may publish policies ONLY to assigned users/groups
Change Permission: the user may access and change permissions settings for other users that have already been defined, or grant permissions to new users
Create Policies: the user may create new policies in the Management Console
Delete Policies: the user may delete ANY policy in the Management Console
Note:
For security purposes, it is recommended that only the resource user or very FEW administrators be granted the Change Permission and Delete Policies permissions.
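As an added illustration of the permission model just described (example code, not the product's own), this Python snippet evaluates console actions against a constructed permission table: deny by default, Management Console Access as the prerequisite for everything else, publishing limited to the assigned Publish To list, and two audit helpers, one listing who holds the two permissions the note says should be held by very few, the other listing groups still carrying only the default console access. Principal names, action names and the "*" publish-anywhere marker for the resource account are assumptions of the example.

```python
from dataclasses import dataclass, field

# The five permissions the console reads from the Permission table.
CONSOLE_ACCESS = "Management Console Access"
PUBLISH_POLICY = "Publish Policy"
CHANGE_PERMISSION = "Change Permission"
CREATE_POLICIES = "Create Policies"
DELETE_POLICIES = "Delete Policies"
ALL_PERMISSIONS = {CONSOLE_ACCESS, PUBLISH_POLICY, CHANGE_PERMISSION,
                   CREATE_POLICIES, DELETE_POLICIES}


@dataclass
class Grant:
    permissions: set
    # Users/groups assigned on the Publish To tab. "*" models the resource
    # account being able to publish anywhere (an assumption of this example).
    publish_to: set = field(default_factory=set)


# Constructed permission table; names are made up, not a real directory.
# "Domain Users" stands for a group still holding the default access that
# every domain group receives when the console is installed.
PERMISSION_TABLE = {
    "ESM_RESOURCE": Grant(set(ALL_PERMISSIONS), {"*"}),
    "Helpdesk":     Grant({CONSOLE_ACCESS}),
    "Domain Users": Grant({CONSOLE_ACCESS}),
    "SecOps":       Grant({CONSOLE_ACCESS, CREATE_POLICIES, PUBLISH_POLICY},
                          {"Sales", "Engineering"}),
}


def authorize(table, principal, action, target=None):
    """Deny-by-default check of one console action for one principal."""
    grant = table.get(principal)
    # Without console access nothing else is reachable, whatever else is set.
    if grant is None or CONSOLE_ACCESS not in grant.permissions:
        return False
    if action in ("login", "view_policy", "edit_policy"):
        return True  # console access alone: log in, view, edit existing policies
    if action == "create_policy":
        return CREATE_POLICIES in grant.permissions
    if action == "delete_policy":
        return DELETE_POLICIES in grant.permissions  # ANY policy, hence sensitive
    if action == "change_permissions":
        return CHANGE_PERMISSION in grant.permissions
    if action == "publish_policy":
        # Publish Policy only ever applies to the assigned users/groups.
        if PUBLISH_POLICY not in grant.permissions or target is None:
            return False
        return "*" in grant.publish_to or target in grant.publish_to
    return False  # unknown action: refuse rather than guess


def privileged_principals(table):
    """Who holds Change Permission or Delete Policies; should be very few."""
    return sorted(p for p, g in table.items()
                  if g.permissions & {CHANGE_PERMISSION, DELETE_POLICIES})


def unreviewed_default_access(table, reviewed):
    """Principals still holding only the default console access grant.

    After install every domain group has console access; this lists the
    ones nobody has explicitly reviewed so the resource user can remove them.
    """
    return sorted(p for p, g in table.items()
                  if g.permissions == {CONSOLE_ACCESS} and p not in reviewed)


if __name__ == "__main__":
    print("SecOps -> Sales:", authorize(PERMISSION_TABLE, "SecOps", "publish_policy", "Sales"))
    print("SecOps -> Finance:", authorize(PERMISSION_TABLE, "SecOps", "publish_policy", "Finance"))
    print("high-privilege principals:", privileged_principals(PERMISSION_TABLE))
    print("unreviewed default access:", unreviewed_default_access(PERMISSION_TABLE, {"Helpdesk"}))
```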

Administrative Permissions

To set the Administrative Permissions, perform the following steps:
Step 1: Open the Tools menu and select Permissions. The groups associated with this domain are displayed (see Figure 5).
Figure 5: Management Console Permissions Settings Window
Note:
All groups are granted access to the Management Console by default, though they will be unable to perform policy tasks. Access to the console can be removed by un-checking the permission.
Step 2: To load users/groups to this list, do the following:
a. Click the Add button on the bottom of the screen; the Organization Table will display (see Figure 6).
Figure 6: Permission Settings Organization Table
b. Select the appropriate users/groups from the list. To select multiple users, select them individually by holding down the CTRL key, or select a series by selecting the top item, holding down the SHIFT key, and then selecting the bottom item.
c. When all users/groups have been selected, click the OK button. This will add the users/groups to the grid on the Permissions form.
Step 3: Assign any (or all) permissions to the available users/groups.
Step 4: To remove a selected user/group, highlight the name and click Remove. The selected name will be moved back to the Organization Table.

Publish To Settings

Users/Groups who have Publish Policy checked will need to be assigned users and/or groups to publish to. To set the Publish To Settings, perform the following steps:
Step 1: Click the Publish Settings tab. Step 2: Select the users/groups granted the Publish permission from the drop-down list (see Figure
7).
Figure 7 : Publish To Settings
Step 3: Assign users/groups to this user/group by:
a. Click the Add button on the bottom of the screen, the Organization Table will
display.
b. Select the appropriate users/groups from the list. To select multiple users, select
individually by holding down the CTRL key, or select a series by selecting the top, then holding down the SHIFT key, then selecting the bottom selection.
c. When all users/groups have been selected, click the OK button. This will add the
users/groups to the selected name's publish list (see Figure 8).
Figure 8 : Publish To List
Step 4: To remove a selected user/group, highlight the name in the list and click Remove. The selected name will be moved back to the Organization Table.
The permission sets are immediately implemented, so the administrator only needs to click Close, and accept the changes to return to the editor.
When a new directory service is added (see Managing and Adding Directory Services on page 34), the Resource Account entered is granted full permission settings, as described above.
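The two rules the permission settings above rely on (every group has console access by default but no policy tasks, and a user/group with Publish Policy needs a Publish To list) are easy to lose track of once the grid grows. The following is an added example, not code from the manual or from the ZENworks ESM product: it models the grid as a small constructed data set and reports entries that break either rule, so an administrator can review which default console-access entries to uncheck and which publishers still lack a Publish To list. The field names, finding labels and the sample principals are assumptions.

```python
"""Audit of a Management Console permission grid (constructed example).

Added example code, not part of the ZENworks ESM manual or product. It models
two rules the manual states: every group has console access by default but no
policy task permissions, and a user/group with Publish Policy must be given a
Publish To list. Field names, finding labels and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    console_access: bool = True                 # granted to all groups by default
    publish_policy: bool = False                # the Publish Policy checkbox
    task_permissions: frozenset = frozenset()   # other policy tasks (assumed labels)
    publish_to: frozenset = frozenset()         # the principal's Publish To list


def audit_permissions(grid):
    """Return (principal name, finding) pairs for entries that need attention."""
    findings = []
    for p in grid:
        if p.publish_policy and not p.publish_to:
            # Publish Policy is checked but no Publish To list was assigned.
            findings.append((p.name, "publish_policy_without_publish_to"))
        if p.console_access and not p.publish_policy and not p.task_permissions:
            # Default console access with no tasks: candidate for unchecking.
            findings.append((p.name, "console_access_without_tasks"))
    return findings


# Constructed sample grid (not taken from any real deployment).
SAMPLE_GRID = [
    Principal("ESM Admins", publish_policy=True,
              task_permissions=frozenset({"edit_policy"}),
              publish_to=frozenset({"Sales", "Engineering"})),
    Principal("Helpdesk", publish_policy=True),
    Principal("Domain Users"),
    Principal("Auditors", task_permissions=frozenset({"view_reports"})),
]

if __name__ == "__main__":
    for name, finding in audit_permissions(SAMPLE_GRID):
        print(f"{name}: {finding}")
```

Run against the sample grid, the audit flags Helpdesk (publish permission with an empty Publish To list) and Domain Users (default console access with no tasks); ESM Admins and Auditors pass.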

Configuration Window

The Configuration window gives the ESM Administrator access to the Infrastructure and Scheduling, Authenticating Directories, and Server Synchronization controls. Click the Configuration link on the main page, or open the Tools menu and select Configuration. The Configuration window will display (see Figure 9).
Note:
This function is NOT available if this is a Stand-Alone Management Console.

Infrastructure and Scheduling

The infrastructure and scheduling module allows the ESM Administrator to designate and change the Policy Distribution Service URL and control the synchronization intervals for the ESM components (see Figure 9).
Figure 9 : Infrastructure and Scheduling Window
Distribution Service URL
This will update the Policy Distribution Service location for both the Management Service and all ZENworks Security Clients (without requiring them to be reinstalled) if the Policy Distribution Service is moved to a new server. The URL for the current server is listed in the text field; only the server name should be changed to point to the new server. DO NOT change any information after the server name.
Example:
If the current URL is listed as http:\\ACME\PolicyServer\ShieldClient.asmx and the Policy Distribution Service has been installed on a new server, ACME43, the URL should be updated to: http:\\ACME43\PolicyServer\ShieldClient.asmx
Once the URL has been updated, click OK. This will update all policies and send an automatic update of the Policy Distribution Service. This will also update the Management Service.
When changing the server URL, it is recommended that the old Policy Distribution Service not be terminated until the updated policies have a 100% adherence level (see Reporting Service).
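Because every client and the Management Service are repointed from this one field, a typo in anything other than the server name breaks policy distribution for the whole estate. The following is an added example, not code from the manual or the product: it rewrites a Distribution Service URL with only the host name changed and then checks, before the value is pasted into the console, that scheme, port, path and file name are untouched. It uses the manual's ACME and ACME43 server names; the function names are mine, and it assumes the standard forward-slash URL form rather than the backslashes shown in the manual's example.

```python
"""Relocating the Policy Distribution Service URL (constructed example).

Added example, not from the ZENworks ESM manual or product. The manual's rule
is that only the server name in the Distribution Service URL may change; the
scheme, path and file name must stay as they are. These helpers apply and
verify that rule. Function names are assumptions; the URLs use the standard
forward-slash form.
"""
from urllib.parse import urlsplit, urlunsplit


def relocate_host(current_url, new_host):
    """Return current_url with only the host name replaced by new_host.

    An explicit port, if present, is preserved; nothing after the server
    name is touched.
    """
    parts = urlsplit(current_url)
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def valid_relocation(old_url, new_url):
    """True only if new_url differs from old_url in the host name and nothing else.

    Scheme and host are compared case-insensitively; path, query and fragment
    must match exactly. An unchanged URL is not a relocation and returns False.
    """
    a, b = urlsplit(old_url), urlsplit(new_url)
    return (a.scheme.lower() == b.scheme.lower()
            and a.port == b.port
            and a.path == b.path
            and a.query == b.query
            and a.fragment == b.fragment
            and a.hostname != b.hostname)


# Constructed values following the manual's example (forward-slash form).
OLD_URL = "http://ACME/PolicyServer/ShieldClient.asmx"

if __name__ == "__main__":
    new_url = relocate_host(OLD_URL, "ACME43")
    print(new_url)                                  # http://ACME43/PolicyServer/ShieldClient.asmx
    print(valid_relocation(OLD_URL, new_url))       # True
    # A change that also alters the path would be rejected:
    print(valid_relocation(OLD_URL, "http://ACME43/PolicyServer/Client.asmx"))  # False
```

The check is deliberately strict: a different file name, an added query string or a dropped port all fail, which is exactly the class of mistake the manual's warning is about.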
Scheduling
The Scheduling components permit the ESM Administrator to designate when the Management Service will synchronize with other ESM components, to ensure all data and queued jobs match any recent activity, and to schedule the SQL maintenance jobs. All time increments are in minutes.
The scheduling is broken down as follows:
Distribution Service - synchronization schedule with the Policy Distribution Service.
Policy Data and Activity - synchronization schedule for policy updates.
Management Data - policy synchronization with the Management Service.
Enterprise Structure - synchronization schedule with the enterprise directory service (eDirectory, Active Directory, NT Domain, and/or LDAP). Changes in the enterprise directory service are monitored so that corresponding changes in user-policy assignments can be detected and sent to the Policy Distribution Service for Client authentication.
Client Reporting - how often the Management Service will interrogate the Policy Distribution Service for reporting data and download it.
Keep alert data for - Alerts can be configured based on a snapshot of data reported by the endpoints. To optimize performance, and to ensure that alerts are relevant to recent activity, you can set the storage threshold to a number of days.

Authenticating Directories

Policies are distributed to end-users by interrogating the Enterprise's existing directory service (eDirectory, Active Directory, and/or NT Domains*). The Authenticating Directories service is responsible for handling end-user credentials and authentication issues for the Policy Distribution Service.
* = NT Domain is only supported when the Management Service is installed on a Windows 2000 or 2000 Advanced Server (SP4).
Click Authenticating Directories to display the manager.
Managing and Adding Directory Services
An initial directory service is normally detected and monitored during the Management Service communication check at installation. Authenticating Directories can, if required, manage users from multiple directories and multiple directory platforms.
Figure 10 : Authenticating Directories Window
All information, with the exception of the directory type may be updated. To add a new directory service, perform the following steps:
Step 1: Click New (located next to Friendly Name).
Step 2: Enter a friendly name for the Directory Service and select its Service Type from the pull-down list.
Step 3: In the Host/DN box, enter the hostname of a domain controller and leave the Domain/Tree box blank (this box will auto-populate after a successful test of the user account in Step 7), unless you are assigning an eDirectory service, in which case enter the tree name.
Step 4: Check Available for User Authentication if this is the domain a Management Service is installed on, so that the domain is displayed in the login pull-down menu. If this is a separate domain, leave it unchecked.
Step 5: Select a Service Connection Option: