Policies in Server & Workload Protection are intended to be created in a hierarchical structure. As an administrator, you
begin with one or more base policies from which you create multiple levels of child
policies that get progressively more granular in their detail. You can assign broadly
applicable rules and other configuration settings at the top-level policies and then
get more targeted and specific as you go down through levels of child policies, eventually
arriving at rule and configuration assignments at the individual computer level.
As well as assigning more granular settings as you move down through the policy tree,
you can also override settings from higher up the policy tree.
Server & Workload Protection provides a collection of policies that you can use as initial templates for the design
of your own policies tailored to your environment:
Inheritance
Child policies inherit their settings from their parent policies. This allows you
to create a policy tree that begins with a base parent policy configured with settings
and rules that will apply to all computers. This parent policy can then have a set
of child and further descendant policies which have progressively more specific targeted
settings. Your policy trees can be built based on any kind of classification system
that suits your environment. For example, the branches in the policy tree that comes
with Server & Workload Protection has branches designed for specific operating systems. The Windows branch has further
child policies for various sub-types of Windows operating systems.
In the Windows policy editor on the Overview page, you can see that the Windows policy was created as a child of the Base Policy. The policy's anti-malware setting is Inherited (Off):
This means that the setting is inherited from the parent Base Policy, and that if you were to change the anti-malware setting in the Base Policy from Off to On, the setting would change in the Windows policy as well. (The Windows policy setting would then read Inherited (On). The value in parentheses always shows you what the current inherited setting is.)
Overrides
The Overrides page shows you how many settings have been overridden at this policy or specific
computer level. To undo the overrides at this level, click the Remove button.
In this example, the Windows Server policy is a child policy of the Windows policy. Here, the anti-malware setting is no longer inherited; it is overridden and
hard-set to On.
TipYou can automate override checking, creation, and removal using the Server & Workload Protection API. For examples, see Configure Computers to Override Policies.
|
Override object properties
The intrusion prevention rules that are included in this policy are copies of the
intrusion prevention rules stored by Server & Workload Protection, which are available for use by any other policies. If you want to change the properties
of a particular rule, you have two choices: modify the properties of the rule globally
so that the changes you make apply to all instances where the rule is in use, or modify
the properties locally so that the changes you make only apply locally. The default
editing mode in a Computer or policy editor is local. If you click Properties on the Assigned Intrusion Prevention Rules area toolbar, any changes you make in the Properties window that appears will only
apply locally. (Some properties like the rule name can't be edited locally, only globally.)
Right-clicking a rule displays a context menu which gives you the two Properties editing
mode options: selecting Properties will open the local editor window and Properties (Global) will open the global editor window.
Most of the shared common objects in Server & Workload Protection can have their properties overridden at any level in the policy hierarchy right down
to the individual computer level.
Override rule assignments
You can always assign additional rules at any policy or computer level. However, rules
that are in effect at a particular policy or computer level because their assignment
is inherited from a parent policy cannot be unassigned locally. They must be unassigned
at the policy level where they were initially assigned.
TipIf you find yourself overriding a large number of settings, you should probably consider
branching your parent policy.
|
View the overrides on a computer or policy at a glance
You can see the number of settings that have been overridden on a policy or a computer
by going to the Overrides page in the Computer or Policy Editor:
Overrides are displayed by protection module. You can revert system or module overrides
by clicking the Remove button.