Security_Compliance

Security Compliance

Security Compliance leverages Microsoft Active Directory™ services to determine the security status of computers on the network. After querying Active Directory, the Web console displays the security status of computers. The security status can be any of the following:

Managed by the OfficeScan server
Managed by another OfficeScan server
No OfficeScan client program installed
Unreachable

To use Security Compliance, ensure that the OfficeScan server computer is a member of an Active Directory domain.

To enforce security compliance, perform the following tasks:

Define the Active Directory Scope and Query.
Check unprotected computers from the Active Directory Query Result.
Perform OfficeScan Client Installation.
Configure Scheduled Query.

Active Directory Scope and Query

When using Security Compliance for the first time, define the Active Directory scope, which includes Active Directory objects that the OfficeScan server will query on demand or periodically. After defining the scope, start the query process.

To configure the Active Directory scope and start the query process:

Security Compliance

On the Active Directory Scope section, click Define.
In the screen that opens, the Active Directory structure displays. Select the objects to query.

If querying for the first time, select an object with less than 1000 accounts and then record how much time it took to complete the query. Use this data as your performance benchmark.

Under Advanced Settings, specify ports used by OfficeScan servers to communicate with clients. Setup randomly generates the port number during OfficeScan server installation.

To view the communication port used by the OfficeScan server, go to Networked Computers > Client Management and select a domain. Check the IP Address column. The port number displays after the IP address. Keep a record of port numbers for your reference.

Click Specify ports.
Type the port number and click Add. Repeat this step until you have all the port numbers you want to add.
Click Save.

Choose whether to check a computer’s connectivity using a particular port number. When connection is not established, OfficeScan immediately treats the computer as unreachable. The default port number is 135.

Enabling this setting speeds up the Active Directory query. When connection to a computer cannot be established, the OfficeScan server no longer needs to perform all the other connection verification tasks before treating a computer as unreachable.

To save the Active Directory scope and start the query, click Save and re-assess. To save the settings only, click Save only.

The Security Compliance screen displays with the result of the query.

The query may take a long time to complete, especially if the query scope is broad. Do not perform another query until the Security Compliance screen displays the result. Otherwise, the current query session terminates and the query process restarts.

Active Directory Query Result

The Security Status section classifies computers as follows:

Computer protection status

Status	Description
Managed by this OfficeScan server	The OfficeScan clients installed on the computers are managed by the OfficeScan server. Clients are either online, offline, or roaming, and run either this OfficeScan version or an earlier version.
Managed by another OfficeScan server	The OfficeScan clients installed on the computers are managed by another OfficeScan server. Clients are online and run either this OfficeScan version or an earlier version.
No OfficeScan client installed	The OfficeScan client is not installed on the computer.
Unreachable	The OfficeScan server cannot connect to the computer and therefore cannot determine whether there is no client installed on the computer or, if a client is installed, whether the client is managed by another OfficeScan server or is unmanaged. The OfficeScan server database contains a list of clients that the server manages. If the client computer is unreachable but the OfficeScan server detects that it is managing the client installed on the computer, the computer’s status is "Managed by this OfficeScan server".

Recommended tasks:

On the Security Status section, click a number link to display all affected computers in the client tree.
Use the search and advanced search functions to search and display only the computers that meet the search criteria.

If you use the advanced search function, specify the complete name for the following items:

Computer name
OfficeScan server name
OfficeScan domain name
Active Directory tree

Use the wildcard character (*) if unsure of the complete name.

OfficeScan will not return a result if the name is incomplete and the wildcard character is not specified.

To save the list of computers to a file, click Export.
For clients managed by another OfficeScan server, use the Client Mover tool to have these clients managed by the current OfficeScan server. For more information about this tool, see Client Mover.

OfficeScan Client Installation

Before installing the client, take note of the following:

Record the logon credentials for each computer. OfficeScan will prompt you to specify the logon credentials during installation.
The OfficeScan client will not be installed on a computer if:

The OfficeScan server is installed on the computer.
The computer runs Windows XP Home, Windows Vista™ Home Basic, and Windows Vista Home Premium. If you have computers running these platforms, choose another installation method. See Installation Methods for details.

If the target computer runs Windows Vista Business, Enterprise, or Ultimate Edition, perform the following steps on the computer:

Enable a built-in administrator account and set the password for the account.
Disable the Windows firewall.
Click Start > Programs > Administrative Tools > Windows Firewall with Advanced Security.
For Domain Profile, Private Profile, and Public Profile, set the firewall state to "Off".
Open Microsoft Management Console (click Start > Run and type services.msc) and start the Remote Registry service. When installing the OfficeScan client, use the built-in administrator account and password.

If there are Trend Micro or third-party endpoint security programs installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in <Server installation folder>\PCCSRV\Admin. You can open these files using a text editor such as Notepad.

tmuninst.ptn
tmuninst_as.ptn

If the software on the target computer is not included in the list, manually uninstall it first. Depending on the uninstallation process of the software, the computer may or may not need to restart after uninstallation.

To install the OfficeScan client:

Security Compliance

Click Install on top of the client tree.

If an earlier OfficeScan client version is already installed on a computer and you click Install, the installation will be skipped and the client will not be upgraded to this version. To upgrade the client, see Update Settings.

Specify the administrator logon account for each computer and click Log on. OfficeScan starts installing the client on the target computer.
View the installation status.

Scheduled Query

OfficeScan can automatically query Active Directory based on a schedule.

To configure the query schedule:

Security Compliance

Click Settings on top of the Security Compliance client tree.
Enable scheduled query.
Specify the schedule. If you specify the 31st of each month and the month has less than 31 days, the assessment happens on the last day of the month.
To save the schedule, click Save only. To query without saving the schedule, click Query Now.

See also: