Security Compliance for Unmanaged Endpoints

Security Compliance can query unmanaged endpoints in the network to which the OfficeScan server belongs. Use Active Directory and IP addresses to query endpoints.

The security status of unmanaged endpoints can be any of the following:

Security Status of Unmanaged Endpoints

| Status | Description |
|---|---|
| Managed by another OfficeScan server | The OfficeScan clients installed on the computers are managed by another OfficeScan server. Clients are online and run either this OfficeScan version or an earlier version. |
| No OfficeScan client installed | The OfficeScan client is not installed on the computer. |
| Unreachable | The OfficeScan server cannot connect to the computer and determine its security status. |
| Unresolved Active Directory Assessment | The computer belongs to an Active Directory domain but the OfficeScan server is unable to determine its security status. |

  • The OfficeScan server database contains a list of clients that the server manages. The server queries Active Directory for the computers' GUIDs and then compares them with GUIDs stored in the database. If a GUID is not in the database, the computer will fall under the Unresolved Active Directory Assessment category.
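The same GUID comparison can be cross-checked offline against exported lists. The following is an added example, not OfficeScan code: the export layout, the function names and all sample values are constructed. It normalizes both textual GUIDs and the 16-byte mixed-endian objectGUID form that Active Directory stores, so that formatting differences do not inflate the unresolved list.

```python
import uuid

def normalize_guid(value):
    """Return a canonical lowercase GUID string.

    Accepts a 16-byte AD objectGUID (first three fields little-endian)
    or a textual GUID with optional braces and any letter case.
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 16:
            raise ValueError("objectGUID must be exactly 16 bytes")
        return str(uuid.UUID(bytes_le=bytes(value)))
    return str(uuid.UUID(value.strip()))

def unresolved_computers(ad_computers, managed_guids):
    """Compare AD computers with the managed-client GUID list.

    ad_computers: iterable of (name, guid) pairs from a directory export.
    managed_guids: iterable of GUIDs the server already manages.
    Returns (unresolved_names, malformed_names), both sorted.
    """
    managed = {normalize_guid(g) for g in managed_guids}
    unresolved, malformed = [], []
    for name, guid in ad_computers:
        try:
            key = normalize_guid(guid)
        except (ValueError, TypeError, AttributeError):
            malformed.append(name)      # report separately, do not guess
            continue
        if key not in managed:
            unresolved.append(name)     # GUID absent from the database
    return sorted(unresolved), sorted(malformed)

# Constructed sample data (hypothetical host names and GUIDs).
AD_COMPUTERS = [
    ("WS-001", "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"),             # braces, upper case
    ("WS-002", bytes.fromhex("e004253f894fd3119a0c0305e82c3302")),   # raw objectGUID bytes
    ("WS-003", "6ba7b810-9dad-11d1-80b4-00c04fd430c8"),              # not managed
    ("WS-004", "not-a-guid"),                                        # damaged export row
]
MANAGED_GUIDS = [
    "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "3F2504E0-4F89-11D3-9A0C-0305E82C3302",
]

if __name__ == "__main__":
    print(unresolved_computers(AD_COMPUTERS, MANAGED_GUIDS))
```
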

To run a security assessment, perform the following tasks:

  1. Define the query scope. For details, see Active Directory/IP Address Scope and Query.

  2. Check unprotected computers from the query result. For details, see Query Result.

  3. Install the OfficeScan client. For details, see Installing with Security Compliance.

  4. Configure scheduled queries. For details, see Scheduled Query.

Active Directory/IP Address Scope and Query

When querying for the first time, define the Active Directory/IP address scope, which includes Active Directory objects and IP addresses that the OfficeScan server will query on demand or periodically. After defining the scope, start the query process.

  1. On the Active Directory/IP Address Scope section, click Define. A new screen opens.

  2. To define an Active Directory scope:

    1. Go to the Active Directory Scope section.

    2. Select Use on-demand assessment to perform real-time queries and get more accurate results. Disabling this option causes OfficeScan to query the database instead of each client. Querying only the database can be quicker but is less accurate.

    3. Select the objects to query. If querying for the first time, select an object with fewer than 1,000 accounts and then record how much time it took to complete the query. Use this data as your performance benchmark.

  3. To define an IP address scope:

    1. Go to the IP Address Scope section.

    2. Select Enable IP Address Scope.

    3. Specify an IP address range. Click the plus (+) or minus (-) button to add or delete IP address ranges.

    The IPv6 address range limit is 16 bits, which is similar to the limit for IPv4 address ranges. The prefix length should therefore be between 112 and 128.

    | Length | Number of IPv6 Addresses |
    |---|---|
    | 128 | 2 |
    | 124 | 16 |
    | 120 | 256 |
    | 116 | 4,096 |
    | 112 | 65,536 |

  4. Under Advanced Setting, specify ports used by OfficeScan servers to communicate with clients. Setup randomly generates the port number during OfficeScan server installation.

    1. Click Specify ports.

    2. Type the port number and click Add. Repeat this step until you have all the port numbers you want to add.

    3. Click Save.

  5. To check a computer’s connectivity using a particular port number, select Declare a computer unreachable by checking port <x>. When a connection is not established, OfficeScan immediately treats the computer as unreachable. The default port number is 135.

  6. To save the scope and start the query, click Save and re-assess. To save the settings only, click Save only.

The Outside Server Management screen displays the result of the query.
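When the networks to assess are wider than the IPv6 prefix length limit of 112 to 128 described in the IP address scope step, they have to be entered as several smaller ranges. The following added example, which is not part of OfficeScan, plans that split; the CIDR input notation, the function names, the cap on generated ranges and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = 112    # 16 host bits, the limit stated on this page
MAX_CHUNKS = 4096   # constructed cap so a huge prefix is refused, not expanded

def conforming_ranges(cidr, max_chunks=MAX_CHUNKS):
    """Return IPv6 networks with prefix length 112-128 that cover `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 6:
        raise ValueError("only IPv6 prefixes are handled in this example")
    if net.prefixlen >= MIN_PREFIX:
        return [net]                          # already within the limit
    chunks = 1 << (MIN_PREFIX - net.prefixlen)
    if chunks > max_chunks:
        raise ValueError(f"{net} would need {chunks} /112 ranges; narrow the scope")
    return list(net.subnets(new_prefix=MIN_PREFIX))

def plan_scope(cidrs):
    """Split every entry into conforming ranges.

    Returns (accepted_networks, rejected) where rejected maps the original
    entry to the reason it cannot be entered as a scope.
    """
    accepted, rejected = [], {}
    for entry in cidrs:
        try:
            accepted.extend(conforming_ranges(entry))
        except ValueError as exc:
            rejected[entry] = str(exc)
    return accepted, rejected

# Constructed sample inventory (documentation prefixes only).
SAMPLE_SCOPE = [
    "2001:db8:0:1::/120",   # within the limit, kept as is
    "2001:db8:0:2::/108",   # too wide, becomes 16 ranges of /112
    "2001:db8::/64",        # far too wide, rejected by the cap
    "10.0.0.0/16",          # IPv4, outside what this example handles
]

if __name__ == "__main__":
    ok, bad = plan_scope(SAMPLE_SCOPE)
    for net in ok:
        print(net)
    for entry, reason in bad.items():
        print("rejected:", entry, "-", reason)
```
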

Query Result

The query result appears under the Security Status section. An unmanaged endpoint will have one of the following statuses:

Recommended tasks:

  1. On the Security Status section, click a number link to display all affected computers.

  2. Use the search and advanced search functions to search and display only the computers that meet the search criteria.

  3. If you use the advanced search function, specify the following items:

    OfficeScan will not return a result if the name is incomplete. Use the wildcard character (*) if unsure of the complete name.

  4. To save the list of computers to a file, click Export.

  5. For clients managed by another OfficeScan server, use the Client Mover tool to have these clients managed by the current OfficeScan server. For more information about this tool, see Client Mover.

Scheduled Query

Configure the OfficeScan server to periodically query the Active Directory and IP addresses to ensure that security guidelines are implemented.

  1. Click Settings on top of the client tree.

  2. Enable scheduled query.

  3. Specify the schedule.

  4. Click Save.
