common program and document file extensions. Just for fun, let's add the extensions for programs. Click Programs (Figure 8.25).
5 You will now see a list of all file extensions defined by NAVCE to be associated with programs and executables (Figure 8.26).
6 Before we exit, let's restore the list to its default setting. Click the Use Defaults button (Figure 8.27). Although it may not appear that much has changed within the list, notice that the scrollbar has become visibly "thinner." This implies that the list has grown considerably in length.
Figure 8.25 Adding File Extensions for Programs
Figure 8.26 Adding File Extensions for Programs
7 Click OK to return to the main window for File System Realtime Protection Options.
Configuring File System Realtime Protection Actions
When NAVCE's File System Realtime Protection encounters a file it believes to be infected, it can perform various actions. Let's explore the possible actions that the software can take.
1 Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition.
2 Click Configure | File System Realtime Protection (Figure 8.28).
On the right side of the window, you will see two tabs labeled "Macro Virus" and "Non-Macro Virus." On each tab, you can select a primary and a secondary option. For example, the default action is to "Clean virus from file."
Figure 8.27 Resetting File Extensions to Default
Figure 8.28 File System Realtime Protection Options
If this primary action fails, the secondary default action is to "Quarantine infected file." Let's examine each option and what it means:
■ Clean virus from file NAVCE attempts to permanently remove the virus from the infected file, leaving the pertinent data intact.
■ Quarantine infected file NAVCE physically moves the infected file from its location on the disk to the Quarantine. This is unlike the move operation performed on a file by a user through the operating system. Usually when a file is "moved" within the same volume, only the directory entry (a logical pointer to the file) is updated and the file merely appears to have been moved. Here, as we discussed earlier, the file is physically moved.
■ Delete infected file NAVCE deletes the infected file from the computer's hard drive. Again, this is unlike a normal delete operation. Usually when you delete a file through Windows Explorer, you can find it inside the Recycle Bin, because only the logical pointer to the file has been altered. When NAVCE deletes a file, it is physically purged from the disk.
■ Leave alone (log only) When this option is selected, the infected file is left unaltered. It remains infected and stays capable of infecting other parts of the system. The only action taken by NAVCE is that an entry is added in the Virus History to keep a log of the infected file. Although this option seems a bit contradictory to the very purpose of the software, it can come in handy on systems that are deemed so critical that any necessary changes (such as removing an infected file) must be performed by a human. In that case the log is used solely to collect alerts. Note that if you select "Leave alone (log only)" as the primary action, the secondary action will be grayed out.
3 Once the actions are configured as desired or as dictated by your enterprise security policies, click OK.
Configuring File System Realtime Protection Virus Notification Message Options
In the section labeled "Options," you can set message options and file and folder exclusions. Let's start with message options.
1 Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition
2 Click Configure | File System Realtime Protection. Ensure that the checkbox labeled "Display message on infected computer" is checked (Figure 8.29).
3 Click Message (Figure 8.30). You will notice lines of text such as "Action taken: [Action Taken]." The text not enclosed between square brackets is plain text. This means that it is a static caption that will appear on every virus message. The text enclosed within the square brackets is a variable field known as a message parameter. Message parameters are dynamically updated and added to the virus notification message so that the displayed message contains relevant specifics. Quite often, NAVCE administrators will add a static line of text with some instructions (such as "Please contact the helpdesk") at the bottom of this message.
Figure 8.29 File System Realtime Protection Options
A list of available message parameters for File System Realtime Protection (as well as manual scans) is shown in Table 8.1. To add a message parameter, right-click anywhere within the text area of the window and select Insert Field.
Table 8.1 Virus Notification Message Parameters
[Table contents only partially recovered; surviving fragments: "... detected the virus" and "Infected, Not Infected, or Deleted".]
NOTE
There are additional message parameters available for virus notification messages created for Microsoft Exchange Realtime Protection and Lotus Notes Realtime Protection. When triggered by File System Realtime Protection or a manual scan, the virus notification message is displayed on the screen of the infected computer. However, when triggered by Microsoft Exchange Realtime Protection or Lotus Notes Realtime Protection, the notification message can also be sent to the sender of the infected e-mail via an e-mail message or to a designated person (or persons) responsible for the mail infrastructure. Bear in mind that mass-mailing worms routinely forge the sender address, so a notification sent "back to the sender" frequently reaches an uninvolved third party rather than the infected machine.
Figure 8.30 Display Message Window
4 Once the message is customized as desired or as specified by your enterprise security policies, click OK to return to the File System Realtime Protection Options main window.
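As an added illustration of how static captions and bracketed message parameters combine, the Python below renders a notification template the way the Display Message window does. It is not NAVCE code and not from the book: Table 8.1 is not reproduced on this page, so apart from [Action Taken] the parameter names and the sample event are assumptions. It also shows why substitution should be done in a single pass over the template: a parameter value that happens to contain bracketed text (a filename, for instance) must stay literal instead of being expanded by a later replacement.

```python
import re

# Template text as an administrator would type it into the Display Message window.
# "[Action Taken]" is the parameter quoted on the page; "[Virus Name]" and "[File Name]"
# are assumed names standing in for entries of Table 8.1, which is not reproduced here.
TEMPLATE = (
    "Virus found: [Virus Name]\n"
    "File: [File Name]\n"
    "Action taken: [Action Taken]\n"
    "Please contact the helpdesk."  # static caption, appears on every message
)

# A bracketed field: anything between [ and ] that contains no nested brackets.
FIELD = re.compile(r"\[([^\[\]]+)\]")


def render(template: str, params: dict) -> tuple:
    """Substitute every [Field] in one pass over the template.

    Returns (message, missing): fields with no value are left as typed and reported,
    so a mis-typed field name shows up in testing instead of in front of users.
    Values are never re-scanned, so bracket text inside a value stays literal.
    """
    missing = []

    def sub(match):
        name = match.group(1)
        if name in params:
            return params[name]
        missing.append(name)
        return match.group(0)

    return FIELD.sub(sub, template), missing


def render_sequential(template: str, params: dict) -> str:
    """The tempting but wrong way: one str.replace per field, in order.

    A value inserted by an early replacement is scanned again by the later ones,
    so any bracket text inside it (attacker-chosen, if it is a filename) gets expanded.
    """
    out = template
    for name, value in params.items():
        out = out.replace("[" + name + "]", value)
    return out


# Constructed sample event: the filename deliberately contains a field-like token.
SAMPLE_EVENT = {
    "Virus Name": "EICAR Test String",
    "File Name": r"C:\Temp\[Action Taken].com",
    "Action Taken": "Quarantined",
}


def main() -> None:
    good, missing = render(TEMPLATE, SAMPLE_EVENT)
    bad = render_sequential(TEMPLATE, SAMPLE_EVENT)
    print("single pass:\n" + good)
    print("\nsequential:\n" + bad)  # the File: line now reads C:\Temp\Quarantined.com
    print("\nunresolved fields:", missing)


if __name__ == "__main__":
    main()
```

The single-pass renderer reports unresolved fields separately; running it against every template you deploy catches a bracket typo before the message is ever shown on an infected computer.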
Configuring File and Folder Exclusions for File System Realtime Protection
File and folder exclusions can help prevent NAVCE from scanning data that does not need to be protected. This helps negotiate a balance between the protection required and the system resources required. Exclusions can also help decrease the load placed on system resources if the data is not susceptible to becoming infected. Remember that an exclusion is decided by the file's name and location, not by its contents: anything written into an excluded folder, or given an excluded extension, is never inspected by File System Realtime Protection, so keep the lists short and specific.
To configure file and folder exclusions:
1 Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition
2 Click Configure | File System Realtime Protection.
3 Check the checkbox labeled Exclude selected files and folders. Click Exclusions (Figure 8.31).
Figure 8.31 Excluding Selected Files and Folders
4 Check the checkbox labeled Check file for exclusion before scanning. Click Extensions (Figure 8.32).
5 Enter filename extensions for all files that you want excluded and then click Add. The window should be similar to Figure 8.33. Here, let's add a TXT extension, which is used for text files.
6 Click OK to return to the Exclusions screen.
7 In the Exclusions screen this time, click Files/Folders (Figure 8.34).
8 Select any files and folders that you wish to exclude (Figure 8.35). Then click OK to return to the File System Realtime Protection Options main window.
Figure 8.32 Forcing NAVCE to Check File Exclusions
Figure 8.33 Adding File Extensions to be Excluded
Figure 8.34 Setting Folder Exclusions
Figure 8.35 Selecting Folders to be Excluded
Designing & Planning…
Practical Applications of File and Folder Exclusions – Microsoft Exchange
We just discussed how to exclude files and folders from real-time protection. Such a discussion may seem to negate the very purpose of the software, but it has some practical applications. One classic example is protecting Microsoft Exchange servers.
As you may have guessed, NAVCE was designed to protect whole files rather than a specific portion of a file. This kind of design is obviously not ideal for protecting a file (such as a message store) that could contain multiple mailboxes, each containing countless e-mail messages. If such a file were identified as infected and NAVCE attempted to delete or quarantine the entire file, the impact would be more severe than the damage caused by the virus itself. Understand that this is not exactly a shortcoming of the NAVCE software. The same would be true of any other antivirus software designed to protect file systems.
There are other antivirus solutions (especially within the Norton/Symantec AntiVirus product line) to protect the Exchange server that are not within the scope of this book.
In a case such as the Microsoft Exchange server, NAVCE is used to protect only the file system rather than the Exchange server itself, and this requires certain folders to be excluded. For more information about the specifics of this undertaking, please refer to Symantec Knowledge Base Documents 2000110108382448 and 2002051609590948. Also, refer to Microsoft Knowledge Base article 245822.
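The Python below is an added example (not NAVCE code and not from the book) that models the two exclusion lists of the procedure above, the extension list and the folder list, together with the Exchange-style folder exclusions of the sidebar. NAVCE's actual matching rules are not documented on this page, so the rules implemented here are assumptions; the folder names and sample paths are constructed. It exists to make two practitioner points concrete: an exclusion is decided by name alone, so a renamed program is excluded like any text file, and folder exclusions must be matched component by component, because a plain string-prefix test silently widens the exclusion to any sibling whose name merely begins the same way.

```python
from pathlib import PureWindowsPath

# Constructed sample policy; the folder names follow the Exchange example of the sidebar
# but are not taken from the Symantec or Microsoft documents it cites.
EXCLUDED_EXTENSIONS = {"TXT"}
EXCLUDED_FOLDERS = [r"C:\Exchsrvr\MDBDATA", r"C:\Exchsrvr\MTADATA"]


def _extension(path: PureWindowsPath) -> str:
    # The Extensions dialog takes names without the dot; Windows names are case-insensitive.
    return path.suffix.lstrip(".").upper()


def _is_under(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    # Component-wise, case-insensitive containment test. Paths are assumed to be canonical
    # (no '..' segments), as a file-system filter would see them. A string prefix test must
    # not be used here: it would treat C:\Exchsrvr\MDBDATA2 as inside C:\Exchsrvr\MDBDATA.
    parts = [p.lower() for p in path.parts]
    base = [p.lower() for p in folder.parts]
    return len(parts) > len(base) and parts[: len(base)] == base


def is_excluded(raw_path: str,
                excluded_extensions=EXCLUDED_EXTENSIONS,
                excluded_folders=EXCLUDED_FOLDERS) -> bool:
    """True if the name or location of raw_path matches either exclusion list.

    Only the name is consulted: file contents are never examined, so a program
    renamed to an excluded extension is excluded all the same.
    """
    path = PureWindowsPath(raw_path)
    if _extension(path) in {e.lstrip(".").upper() for e in excluded_extensions}:
        return True
    return any(_is_under(path, PureWindowsPath(f)) for f in excluded_folders)


def is_excluded_naive(raw_path: str, excluded_folders=EXCLUDED_FOLDERS) -> bool:
    """The buggy variant, kept for comparison: plain string-prefix folder matching."""
    lowered = raw_path.lower()
    return any(lowered.startswith(f.lower()) for f in excluded_folders)


def should_scan(raw_path: str, check_exclusions_first: bool = True) -> bool:
    """Mirror of the 'Check file for exclusion before scanning' checkbox: when it is
    cleared, the exclusion lists are ignored and every accessed file is scanned."""
    if not check_exclusions_first:
        return True
    return not is_excluded(raw_path)


# Constructed sample paths covering the cases discussed above.
SAMPLE_PATHS = [
    r"C:\Users\bob\notes.txt",          # excluded by extension
    r"C:\Users\bob\invoice.exe",        # scanned
    r"C:\Users\bob\dropper.exe.txt",    # excluded: only the name is consulted
    r"C:\Exchsrvr\MDBDATA\priv1.edb",   # excluded by folder
    r"C:\Exchsrvr\MDBDATA2\stash.exe",  # scanned, but a prefix test would exclude it
]


def main() -> None:
    for p in SAMPLE_PATHS:
        print(f"{p:36} scan={should_scan(p)!s:5} naive_excluded={is_excluded_naive(p)}")


if __name__ == "__main__":
    main()
```

Run it as-is to print the decision table; to check a real policy, drop your own extension and folder lists into the two constants and feed it the paths you expect to be protected, looking for any `scan=False` you did not intend.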
Configuring Drive Types for File System Realtime Protection
NAVCE's File System Realtime Protection protects against viruses on the local system. There is an option where this protection can be extended to any network drives that the system accesses.
To enable network drive types, complete the following steps.
1 Click Start | Programs | Norton AntiVirus Corporate Edition | Norton AntiVirus Corporate Edition
2 Click Configure | File System Realtime Protection (Figure 8.36). Check the checkbox labeled Network. Then click OK.
Figure 8.36 File System Realtime Protection Options - Network Drives
Configuring & Implementing…
A Word of Caution about Network Drive Protection
Before checking this seemingly harmless checkbox, you must understand the potential impact that this could have on your enterprise infrastructure. Whether or not you allow this box to be checked will depend largely upon your enterprise environment. Whereas it is impossible to examine every possible scenario (since most environments are a blend of various server types), let's discuss two extremes that may help illustrate the point of discussion. Understand that these sample scenarios are purely for academic discussion and are not recommendations for your environment. As the NAVCE administrator, it is up to you to make an informed decision about your environment.
Scenario 1: Microsoft Windows Based File Servers
Let's imagine that every file server (that serves up files and data) in your environment is based on a Microsoft operating system. If you have already installed NAVCE on every server, it would be pointless to enable Network Drive Type protection on the clients. This is because the software on the server would already be scanning files as they are accessed, rendering the scan conducted by the client redundant. Bear in mind that this reasoning holds only while every share the clients touch really is served by a scanned server; a share on a server that the rollout missed is then scanned by nobody.
Imagine 500 clients logging in to the Windows domain every morning and downloading their roaming profiles from a Windows-based file server. Imagine the load that would be placed on the server if every client (as well as the server) scanned every file as it was accessed and downloaded to the client.
In such a case, it would make more sense to enable the protection only on the server and not on the clients. It may even make sense to disable and lock this option from the parent server.
Scenario 2: Network Appliance File Servers (Filers)
Before we begin with Network Appliance File Servers (often called NetApp Filers), let's spend a minute understanding this type of file server. File servers such as NetApp Filers and Quantum Snap drives use their own file systems and operating systems. Since they are unlike conventional systems in that they do not run a mainstream operating system (such as Microsoft Windows), programs cannot be installed onto them. They can either be "front-ended" with antiviral software, or you can use a NAVCE system to conduct scans at scheduled intervals.
Now, in this scenario, imagine that you have 1000 client systems, each running NAVCE. Every user has a home drive mapped on the filer, where they store their documents and e-mail. In other words, the file servers are constantly being battered by clients. If Network Drive Type were enabled, the file servers would suffer significantly lower input/output (I/O) throughput. Every client performing scans would slow down the others as well. In such a case, it would make more sense to disable the network protection on the clients.
It may make more sense to either front-end the file servers with an antivirus product designed specifically for this purpose, or to conduct virus scans at scheduled intervals. Be aware of the trade-off: with client-side network scanning off and no scanner on the filer, a file opened or run directly from the share is not scanned by anybody until a scheduled scan reaches it.
Other Types of Scans and Clients
In the preceding section we spent considerable time exploring various options of the File System Realtime Protection in detail. This learning experience was not limited to the File System Realtime Protection. Virtually all of the knowledge and experience you just acquired is applicable to manual and scheduled scans, other Microsoft-based platforms, and even server-side security policies. You will find that even when installing NAVCE servers, the protection options for the server itself are configured much like the unmanaged client. Later in this chapter, we will briefly cover the same options on a group of NAVCE servers and clients using the SSC Console.
NOTE
NAVCE 7.x does not support NetWare 6.0. The next release of the NAVCE product, which is titled Symantec AntiVirus Corporate Edition (SAVCE) 8.0, provides full compatibility with NetWare 6.0.
Configuring Windows NT 4.0/2000 Cluster Server Protection
NAVCE clients can be used to protect Microsoft Windows Cluster Servers. Any version of the NAVCE 7.0x (or higher) client software can be used to protect a Windows NT cluster. For a Windows 2000 cluster, you must use NAVCE version 7.03 build 53a or higher. NAVCE server software is not supported on a Windows server in a cluster configuration.
Protecting a Windows NT/2000 Cluster Server is fairly uncomplicated. However, due to the complexity of the way that the operating system behaves, there are some guidelines that a NAVCE administrator must adhere to. The following is a brief list of some of these guidelines:
1 Only NAVCE client software should be installed on a Windows Cluster Server. NAVCE server is not supported on this platform.
2 The NAVCE client must be installed on each system that is a part of the cluster. If the software is being deployed remotely, it must be "pushed" to each system (by name) that is a member of the cluster rather than to the cluster's virtual or shared name.
3 The client must not be installed to the shared drive. Instead, it must be installed on the (local) physically attached drive for each server in the cluster.
4 The clients on each cluster member must point to the same NAVCE parent server so that the virus definitions and security policies are identical across all the members of the cluster.
Once the NAVCE software is installed on a cluster, you will notice that there are minor nuances to the way that it behaves in this configuration compared to how it behaves on a stand-alone server. A list of documented behaviors is available within Symantec Knowledge Base Document 1999110109074348. Of course, you may observe other unique behaviors that may need to be analyzed and corrected on a case-by-case basis.
Configuring Windows NT 4.0 Terminal Server Protection
As per Symantec, the NAVCE 7.6 client cannot be installed on Windows NT 4.0 Terminal Server. This is due to a limitation with InstallShield 6. This limitation has been corrected in InstallShield 7. Therefore, the next release of NAVCE (SAVCE 8.0) can be installed on NT 4.0 Terminal Servers. Since that is beyond the scope of this book, it will suffice to say that NAVCE 7.6 is not supported on the Windows NT 4.0 Terminal Server platform.
Configuring Windows 2000 Terminal Services Protection
NAVCE 7.6 is the first version of the software that offers support for Terminal Server versions of the Windows 2000 server platform. Previously, administrators had little choice but to depend on NTFS-based permissions to avoid execution of any malicious or unauthorized code. Even today, many cautious administrators choose to avoid antivirus protection rather than install newly written software.
Installing NAVCE on a Windows 2000 Terminal Server is slightly tricky in the sense that it depends upon how your server is configured at the time that you are installing it. If Terminal Services are already enabled on a Windows 2000 server, only the server component of NAVCE can be installed. The client component will detect that Terminal Services are enabled and will refuse to proceed with the installation. Therefore, if you want to install the NAVCE client on a terminal server, you must do so prior to enabling Terminal Services. Once the NAVCE client is installed, you may enable Terminal Services. It is highly recommended that you install the NAVCE client rather than the NAVCE server for several reasons. The NAVCE client uses less memory, disk, and CPU resources than the server does. Since a NAVCE server will allow NAVCE clients to attach to it, this can also lead to additional resource usage on the server, which can in turn severely impact the computing experience for users connected to the server via a terminal session.
If Terminal Services are already enabled on a Windows 2000 Server machine and it is in application server mode, you must either switch to remote administration mode or you must use the change user /install command before you can proceed with the installation. Many administrators prefer to avoid switching to remote administration mode once the system is in application server mode because some applications can lose certain customizations. Therefore, if your server is already up and running in application server mode, you have little choice but to install NAVCE server on it. If, however, you are able to safely switch from application server mode to remote administration mode, you may have a choice between the NAVCE client and the server.
Therefore, we will install a NAVCE client, configure it, and then enable Terminal Services. Since you have learned how to install a NAVCE client already within this chapter, we will omit the installation procedure and continue on to the steps necessary to enable Terminal Services on a Windows 2000 Server.
Enabling Terminal Services on a Windows 2000 Server
In this example, we will be using a stand-alone Windows 2000 Server. We have already installed an unmanaged NAVCE client. Now, we will enable Terminal Services in remote administration mode. While enabling Terminal Services, you may be prompted to insert a copy of your Windows 2000 Server CD. When prompted, you may either insert the CD or provide a path to the I386 directory on the system or the network.
1 Click Start | Settings | Control Panel.
2 Click Add/Remove Programs. Then click Add/Remove Windows Components to start the Windows Components Wizard (Figure 8.37).
3 Select Terminal Services in the list of available components and click Next.
4 Select Remote Administration mode and click Next as shown in Figure 8.38.
5 Click Finish (Figure 8.39).
Figure 8.37 Windows Components Wizard
Figure 8.38 Enabling Terminal Services
6 At this point you will be prompted to reboot your machine. Click Yes to restart the computer. Once the system has been rebooted, Terminal Services will be enabled and ready to accept Terminal Server (RDP) connections.
NOTE
NAVCE protection for the terminal server platform is relatively new and therefore has some limitations. For a list of known issues and limitations, please refer to Symantec Knowledge Base Article 2001092012091148.
Switching from Application Server to Remote Administration Mode
The NAVCE client cannot be installed on a Windows 2000 Server running in application server mode. If your server is in application server mode, you will need to switch to remote administration mode before you can proceed with the NAVCE client installation. To do this, you must follow the steps listed in the preceding section titled "Enabling Terminal Services on a Windows 2000 Server."
As you switch the mode of operation, you may notice (depending on your Windows 2000 terminal services configuration) that the Terminal Services Setup will attempt to delete custom settings and will have a check mark by the box ICA_Tcp Connection. If you see this, you must uncheck this box and continue with the rest of the steps until you are prompted to restart the system.
Figure 8.39 Completing Terminal Services Installation
Installing NAVCE on Windows 2000 Terminal Server
Previously, we installed the NAVCE client to a Windows 2000 server before enabling Terminal Services. In the event that you have a Windows 2000 server already running Terminal Services, you would need to install NAVCE server to the system. Let's start with a Windows 2000 Terminal Server and install NAVCE server to it.
1 On the Terminal Server console, insert CD 2 or browse to a network location where CD 2 files are available.
2 Double-click on the CDStart.exe icon.
3 Click Install Norton AntiVirus to Servers (Figure 8.40).
4 Select Install and click Next (Figure 8.41).
Figure 8.40 NAVCE Installation Console
Figure 8.41 Installing NAVCE Server
5 At this point you will be presented with the Symantec License Agreement window. Select I agree, then click Next.
6 This will bring you to the Select Items window as shown in Figure 8.42. Select Server Program. Uncheck Alert Management System AMS 2 if it is checked. Then click Next.
7 At this point, you will have to select the install location. Click the name of the computer you are installing to and click Add. Here, we are installing to the local computer named Athar-Test01. When finished, your screen should appear similar to Figure 8.43. Click Next.
Figure 8.42 Select NAVCE Server Program
Figure 8.43 Select Computer(s)
8 You should be presented with a Server Summary window that confirms your previous action. Verify that the information is correct and click Next (Figure 8.44).
9 Now you have the option to enter a new Norton AntiVirus server group name or join an existing group (Figure 8.45). Here, we will accept the default server group name of Norton AntiVirus 1 and click Next.
10 You will be asked to confirm your action with a message like that shown in Figure 8.46. Click Yes.
Figure 8.44 Select Destination
Figure 8.45 Create NAVCE Server Group
11 Now, you must specify the Server Startup Options for Norton AntiVirus 1 (Figure 8.47). Select Automatic startup and click Next.
12 You should be provided with SSC Console information (Figure 8.48). Read this carefully and click Next.
Figure 8.46 Create a New Server Group
Figure 8.47 Configure Server Startup Options
Figure 8.48 Symantec System Center Console Information
13 Finally, you will be provided with the default password for unlocking your new server group. Take note of this and click Finish (Figure 8.49).
14 You will then be prompted with the Virus Definition File Warning window that you previously saw in Figure 8.9. Check the box labeled Don't remind me again until after next update. Then click Close.
15 You should now verify that your setup was successful in the Setup Progress window as shown in Figure 8.50. If everything looks good, click Close.
16 You should now be back at the opening splash screen for Installing Symantec AntiVirus Solutions. Scroll down and click Exit as shown in Figure 8.51.
Figure 8.49 Select NAVCE Server Group Password
Figure 8.50 Setup Progress
17 Reboot the system.
We just performed a NAVCE server install on a Windows 2000 Terminal Server. But, as it turns out, the installation process is identical to that on any other Windows platform. Therefore, this knowledge and experience is portable to any Windows-based system where you install NAVCE server.
Configuring NAVCE 7.6 Servers
As discussed at the beginning of this chapter, a NAVCE server does not mean NAVCE software running on a Windows (NT/2000) Server platform. Instead, it refers to the services that a NAVCE system provides to its clients. Now that the server component of NAVCE is installed on the Windows 2000 Terminal Server, we can begin to configure it. The configuration of a NAVCE server's own protection options is remarkably similar to that of a NAVCE client. Therefore, you can refer to that section within this chapter. The only difference is the method of accessing the NAVCE console. When attempting to start the NAVCE server console, you will be prompted for the Norton AntiVirus Server Group password (Figure 8.52).
Figure 8.51 Exiting Installation Screen
This is the password that we set while installing the server software. Since we accepted the default, the password is "symantec." That default is published and known to anyone familiar with the product, so change it as soon as the installation is complete on anything other than a lab system. Once you enter the password and click OK, you will see the NAVCE server console. The console appears to be identical to the NAVCE client console with the exception of the section labeled "General Information." In a NAVCE server, you will notice that there is a "Server Grp" caption, which defines the NAVCE server group that this NAVCE server belongs to. In a client console, you would see parent server information in the same area of the console.
Configuring Multiple NAVCE Clients and Servers
Thus far, we have explored how to configure the protection on both a NAVCE server as well as a NAVCE client. But, as an administrator, you will be required to make changes to large groups of clients and servers. This is where the Symantec System Center Console (SSC) comes into play. Since you have already worked extensively with the SSC in an earlier chapter, we will not discuss the installation and configuration here. It should suffice to say that you can configure and lock down settings for groups of servers and clients from the SSC.
Configuring Roaming for NAVCE 7.6 Clients
You may already be familiar with VDTM and LiveUpdate, which are the two most popular delivery mechanisms for virus updates. VDTM is the overwhelming choice in many enterprise environments simply because it is easy to configure and operates silently in the background. The greatest disadvantage to VDTM is the fact that the virus definitions downloaded are larger than 3MB. A file of such heft is inconsequential if the client (user's system) is in the same building as the server. But, with corporate travel and notebook computers becoming increasingly pervasive, assuming that the client and server will share a local area network (LAN) is shortsighted. Quite often, employees will travel from one building, one geographical region, and even one country to another. This adds the location of the client as a new variable to the NAVCE equation. What is worse is that when they are in this new location, they are actually inside the same building as another NAVCE server, but it is not the parent that their NAVCE clients are attached to. Until recently, NAVCE clients had no choice but to attempt to contact their parent NAVCE server and to keep trying to reach it even if it was non-functional or obsolete. Fortunately, Symantec has addressed this challenge with the newer releases of NAVCE and has appropriately named it Roaming Client Support.
Roaming Client Support is a completely modular add-on feature. This means that it is up to the NAVCE administrator to decide whether or not to implement it within the environment. NAVCE will work with or without it. Therefore, we will not discuss it at length here.
Figure 8.52 Unlocking Server Group
Features of Roaming Client Support
Roaming Client Support is a service for NAVCE clients that allows them to connect to the optimal parent server based on network connection speeds and geographic proximity. All that really means is that roaming options enable NAVCE clients to choose from a list of NAVCE parent servers based on some criteria. Roaming Client Support offers the following features and benefits:
■ Automatic connection to the nearest NAVCE server whenever the client's network address changes or upon startup.
■ Automatic connection to a different NAVCE server if the current parent is unreachable for any reason.
■ Automatic periodic checks for the nearest NAVCE server even if the network location has not changed. This results in automatic load balancing for NAVCE servers.
Roaming Client Support Requirements
Currently, Roaming Client Support is limited to NAVCE running on any of the following platforms:
■ Windows 9x
■ Windows NT 4.0
■ Windows 2000
■ Windows XP
Implementing Roaming Client Support
There is no "one size fits all" recipe to implement NAVCE Roaming Client Support. Each enterprise environment is unique and it is up to the NAVCE administrator to decide how to best serve the enterprise user community.
Roaming Client Support is covered in significant detail within a PDF file, which is available on your NAVCE installation CD inside the DOCS directory. The file is also available at: ftp://ftp.symantec.com/public/english_us_canada/products/norton_antivirus/navcorp/manuals/roaming.pdf. This document outlines the theory and operation behind Roaming Client Support. It also discusses the tasks necessary to implement it with sample scenarios. Additional information is available within the Symantec Knowledge Base Document 2001092013012148.
In this chapter, we learned how to configure NAVCE to protect the file system. We spent the majority of our time exploring and configuring the NAVCE File System Realtime Protection. This was because this single feature covers almost all aspects of virus protection. It applies both to clients and servers, and many of the options selected here are the ones that need to be decided upon and configured for groups of servers and clients. We did not spend any time on configuring the virus history feature since it is more related to AMS2 and is covered elsewhere in the book. We also did not work with other scans since their configuration parameters are a subset of the features discussed within File System Realtime Protection. As an administrator, you will find that an overwhelming portion of consideration and planning goes towards deciding upon the client-side real-time protection options. You will find that much of the knowledge and experience derived from this discussion will be applicable in many other aspects of your career as a NAVCE administrator. Hence, we spent almost the entire chapter on the installation, configuration, and discussion of this single feature.
Solutions Fast Track
■ Files and folders can be included in or excluded from NAVCE protection and scans. In some cases (such as Microsoft Exchange Server machines), it is necessary to exclude certain files and folders.
■ Virus notifications can be configured to meet your enterprise needs.
■ Before you enable network drives, it is wise to understand the impact of such a decision.
■ NAVCE 7.6x supports cluster and terminal servers, but its behavior is slightly different than that on a stand-alone system.
Configuring Roaming for NAVCE 7.6 Clients
■ Roaming Client Support is a service for NAVCE clients that allows them to connect to the optimal parent server based on network connection speeds and geographic proximity.
■ Roaming Client Support is covered in significant detail within a PDF file, which is available on your NAVCE installation CD inside the DOCS directory. The file is also available at: ftp://ftp.symantec.com/public/english_us_canada/products/norton_antivirus/navcorp/manuals/roaming.pdf
■ Roaming Client Support is a modular feature of the NAVCE solution. This means that it is not a required component for the software to function. It is up to the administrator to decide whether it is a good fit for their enterprise environment.
Trang 27Q: How can I check if NAVCE protection is working?
A: You can use the AntiVirus Test File created by the European Institute forComputer Antivirus Research (EICAR) specifically for this purpose It isavailable at www.eicar.org/anti_virus_test_file.htm.This file can also be used
to test your enterprise virus notification (such as AMS2) and other corporateprocedures
Q: Since I have a choice between the client and server, which portion of
NAVCE should I use on a terminal server?
A: It is strongly recommended that you install the NAVCE client on your serverbefore enabling terminal services NAVCE server has a higher system resourceusage (often referred to as “resource footprint”) than NAVCE client software.Since you need every last bit of computing power reserved for terminal ses-sions on a terminal server, it would be best to stay away from NAVCE server.Also, when you use NAVCE server, there is a possibility of clients beingattached (as children) and placing even more load on the system resources
Q: Do I really need a NAVCE server at every office location?
A: Symantec recommends that you implement your NAVCE solution such that you have a NAVCE server at every physical location. This is beneficial not only for faster propagation of virus definitions but also because the User Datagram Protocol (UDP) client check-in (as implemented by Symantec) is not routable.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: What are the best practices for configuring and maintaining a NAVCE implementation?

A: For a complete list and discussion of best practices for a NAVCE implementation, view Symantec Platinum Knowledge Base Document 2002053008103348. Be sure to revisit this document every few months as it
Q: How can I configure my Windows-based computer such that I get optimal performance while running NAVCE?

A: This is an extension of the previous FAQ in the sense that the platform that NAVCE will run on needs to be configured such that the result is a healthy balance between adequate virus protection and acceptable system performance. For a discussion on how to configure Windows 9x/Me/NT/2000 systems for optimal use of system resources, view Symantec Platinum Knowledge Base Documents 2001040412150348 and 2000072514215039. Although Symantec has no document specifically for Windows XP at this time, much if not all of the documentation available for Windows NT/2000 will apply.
Chapter 9

Securing Your NAVCE 7.6 Environment

Solutions in this chapter:

■ Evaluating Security Requirements for your Organization
■ Developing a Security Solution for NAVCE 7.6
■ Implementing Your Security Solution for NAVCE 7.6
■ Securing NAVCE 7.6 Windows NT/2000 Servers
■ Securing NAVCE 7.6 Novell NetWare Servers
■ Securing NAVCE 7.6 Client PCs
■ Using the Reset ACL (resetacl.exe) Tool

; Summary
; Solutions Fast Track
; Frequently Asked Questions
Now that we’ve covered the installation and planning requirements for Norton Antivirus Corporate Edition (NAVCE), let’s turn our attention to securing that environment. Security concerns permeate all facets of the modern network administrator’s life, and, as such, should enter into your installation and configuration plans at the earliest possible juncture. Your life will be much simpler (and your security solutions that much better) if you address security as part of the overall implementation process rather than attempting to ratchet security measures into place after the fact.
When addressing security concerns in your environment, remember that security is a process, not a product. In other words, antivirus protection is a major component of any network security plan, but you also need to ensure that the servers housing the NAVCE software and the network connection it is using to access the Internet are equally secure. Otherwise, you’re facing the equivalent of installing a state-of-the-art security system in your house, then leaving the front door wide open. If any one aspect of your security plan is weak, the rest of your network will suffer. The topics we’ll cover in this chapter will not only deal with securing the NAVCE software itself, but will also touch on operating system security, regulation of network traffic through firewall technologies, and auditing your network (including your NAVCE installation) for any potentially hostile activity.
When determining the technical requirements of your network security policy, understanding the potential threats against your network cannot be overstated. As such, we’ll discuss the various kinds of threats—human, physical and technological—that your network will need to be protected against. We’ll also discuss the importance of documentation such as disaster recovery plans—when (not if) you find your data lost to a virus, you’ll certainly be thankful you took the time to put such recovery mechanisms into place.
Once you’ve created an overall security plan for your organization, you can attend to the specifics of securing your NAVCE installation. The remainder of this chapter will therefore address the particulars of selecting and securing the machine that will host the NAVCE service, as well as steps you can take to lock down NAVCE to create a consistent level of antivirus protection across your entire network. We’ll also examine the network traffic generated by NAVCE so that you can configure your firewall or proxy server to allow your antivirus protection to operate correctly within a secured environment.
Evaluating Security Requirements for Your Organization
While the focus of this book is antivirus protection, virus threats only make up a portion of a company’s overall security concerns. Establishing an overall information security policy is critical in ensuring that your organization has the necessary information and preparation to address concerns when (not if) they arise. A quality network security policy is as much a business concern as it is a technological one; it should be developed with involvement from all facets of an organization—Risk Management, Legal, Human Resources, and so on. You should obtain support from all areas of the organization when drawing up a security policy. Not only will the input of these various departments provide a more well-rounded security solution, you’ll obtain more “buy-in” from your users since they were involved in the planning process.

Corporate security policies provide a common baseline of security procedures based on the organization’s information security requirements, extending in many cases to legal and industry compliance and due diligence issues. (This will also assist an organization in demonstrating its security consciousness to customers, stockholders, and the like.) A final component of a corporate security policy focuses on user training and awareness. Attentiveness to information security cannot reside solely with the MIS department or it will be unavoidably doomed to failure.

When planning network and information security policies, your three chief concerns are the confidentiality, integrity, and availability of all types of corporate data. These three security objectives answer the following key questions:
■ Who has access to my data?
■ Has my data been corrupted or altered in any way?
■ Will I be able to access my data when I need it?
All methods, technologies, and practices within information security will ultimately address one or more of these key concepts.

■ Confidentiality prevents any unauthorized disclosure of data, ensuring that information is only available to people authorized to view it. You’ll hear about this most often as it relates to personal privacy and the protection of personal data: Social Security numbers, credit card information, and the like. A network security policy should call for physical, administrative, and technological controls to ensure that corporate and personal information remains free from inadvertent or malicious disclosure. These controls can include a physical safe-deposit box to store items such as birth certificates and hard copies of tax returns, administrative procedures within an Accounting department to make sure that payroll information remains confidential, and technologies like Secure Socket Layer (SSL) encryption to allow for secure transmission of pertinent data. Virus protection assists in protecting confidentiality, in that many virus threats can read or collect information from an infected hard drive or e-mail system.
■ The concept of data integrity is concerned with preserving the accuracy and consistency of all types of data against fraudulent alteration. Safeguards designed to protect data integrity should ensure that only authorized persons are able to modify data. (Compare this with confidentiality safeguards: we have moved away from determining who can see a piece of data, and are now asking who can modify it.) Taken one step further, integrity checks also make sure that an authorized user cannot make unauthorized changes to corporate data: A bank teller may be authorized to view your checking account information, but certainly shouldn’t be able to transfer money from your account into someone else’s. Integrity controls are also designed to maintain data consistency; that is, ensuring that two plus two will equal four at all times. Securing data integrity is another critical task for antivirus software, as it protects system and data files from virus-related corruption, alteration, and even deletion.

■ The final piece of the “Information Security Triad” is availability. Similar to the age-old question of trees falling in the forest and whether they make a sound when no one can hear them, if your users can’t access their data when they need it, then it hardly matters if that data’s confidentiality and integrity have been maintained or not. Technologies such as load balancing, off-site backups and application clustering all assist in protecting corporate data against destruction. NAVCE also works in ensuring this last factor through real-time protection and heuristic scanning that can proactively quarantine virus infections before they have a chance to propagate to the rest of your network.

Determining Your Security Policies
In drawing up security guidelines for your organization, there are two opposing philosophies. Quite simply, one philosophy advocates permitting all traffic that is not explicitly forbidden, while the other prohibits all that is not specifically allowed. The latter is more commonly referred to as the deny all method, and is illustrated in Table 9.1. There you can see that the only open ports are those associated with FTP, WEB, and E-MAIL; all others are blocked. While this is a highly secure network configuration, it involves a bit more legwork in configuring a network application like NAVCE to function properly. (We’ll discuss some of the particulars of this in the section “Developing a Security Solution for NAVCE 7.6” later in this chapter.)

Table 9.1 A Highly Restrictive Network Usage Policy

Compare the highly restrictive configuration in Table 9.1 with Table 9.2, in which most network ports have been left open and only individual applications have been blocked from use. NAVCE will usually function correctly “out-of-the-box” in this type of environment, as the ports it requires to function are typically already available for use. However, this ease of use comes at a price: With more network ports open, a LAN configured in this manner will be more susceptible to Internet- and e-mail-based virus and worm attacks. In a configuration like this, it is critical to maintain and update a complete antivirus protection strategy to keep virus and network threats at bay.

Table 9.2 More Permissive Usage Guidelines
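To make the difference between the two tables concrete, here is an added example (not code from the book or from Symantec) that models a deny-all policy beside an allow-all policy and runs a constructed application inventory through both. The open ports follow the description of Table 9.1 (FTP, WEB and E-MAIL, using the standard TCP ports 21, 80, 25 and 110); the blocked-application rules, the inventory itself and the management-console port (54321) are assumptions, not ports any real product uses. It also computes which ports would have to be opened before every inventoried application works under deny-all, which is the extra legwork the paragraph above refers to.

```python
"""Model the two firewall philosophies behind Tables 9.1 and 9.2.

Added example, not from the book or from Symantec. The FTP/WEB/E-MAIL port
numbers are the standard assignments; the application inventory, the
"blocked application" rules and the management-console port are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    port: int
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    name: str
    default: str             # action taken when no rule matches
    rules: Tuple[Rule, ...]  # evaluated in order; first match wins

    def decide(self, proto: str, port: int) -> str:
        """Return "allow" or "deny" for one protocol/port pair."""
        for rule in self.rules:
            if rule.proto == proto and rule.port == port:
                return rule.action
        return self.default


# Table 9.1 style: everything is denied unless explicitly allowed.
DENY_ALL = Policy("deny all (Table 9.1)", "deny", (
    Rule("tcp", 21, "allow"),    # FTP
    Rule("tcp", 80, "allow"),    # WEB (HTTP)
    Rule("tcp", 25, "allow"),    # E-MAIL (SMTP)
    Rule("tcp", 110, "allow"),   # E-MAIL (POP3)
))

# Table 9.2 style: everything is allowed; individual applications are blocked.
ALLOW_ALL = Policy("allow all (Table 9.2)", "allow", (
    Rule("tcp", 6667, "deny"),   # IRC client, blocked by name (constructed)
    Rule("udp", 69, "deny"),     # TFTP (constructed)
))

# Constructed inventory of (application, protocol, port), the kind of list an
# audit of users' software produces. 54321 is a placeholder for the
# management console's port, not the port any real product uses.
Entry = Tuple[str, str, int]
INVENTORY: Tuple[Entry, ...] = (
    ("web browser", "tcp", 80),
    ("mail client", "tcp", 25),
    ("mail client", "tcp", 110),
    ("irc client", "tcp", 6667),
    ("antivirus management console", "tcp", 54321),  # placeholder port
)


def decisions(policy: Policy, inventory: Iterable[Entry]) -> Dict[Entry, str]:
    """Map every inventory entry to the policy's allow/deny decision."""
    return {(app, proto, port): policy.decide(proto, port)
            for app, proto, port in inventory}


def blocked_apps(policy: Policy, inventory: Iterable[Entry]) -> List[str]:
    """Sorted names of applications with at least one denied port."""
    return sorted({app for (app, _, _), action in
                   decisions(policy, inventory).items() if action == "deny"})


def rules_to_add(policy: Policy, inventory: Iterable[Entry]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs needing an explicit allow before every inventoried
    application works under `policy`. Under deny-all this is the legwork the
    text mentions; whether each pair deserves an allow (the IRC client
    probably does not) is a policy decision, not a technical one."""
    return {(proto, port) for (_, proto, port), action in
            decisions(policy, inventory).items() if action == "deny"}


if __name__ == "__main__":
    for policy in (DENY_ALL, ALLOW_ALL):
        print(f"{policy.name}: blocked {blocked_apps(policy, INVENTORY)}, "
              f"allow rules needed {sorted(rules_to_add(policy, INVENTORY))}")
```

Under the deny-all policy both the IRC client and the (placeholder) management console fail until a rule is added, which is exactly why a network application has to be configured deliberately in that environment; under allow-all only the application that was blocked by name fails, and everything else, wanted or not, is reachable.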
In determining the technical configurations necessary to support your chosen network policy, you should ask yourself and others (manager, helpdesk personnel, Webmaster, developers, and so on) a few questions:

■ Who (and where) are my users? A LAN contained within a single building will have differing security requirements from an enterprise-level corporation with many office locations and traveling laptop users. Determine how your users will be accessing network resources: via a local network connection, across a modem, ISDN or shared Internet connection, or even via a wireless Personal Digital Assistant (PDA) connection. Each access mechanism will need to be properly secured to ensure the security of your user logins and password security.

WARNING

Password security is often the “weakest link” in any network security policy, be it a result of people sharing or forgetting their passwords, or setting their password to be their youngest child’s birth date. Security awareness training will help in this regard, as users will be far more likely to select appropriately complex passwords if they understand the potential fallout of having their easy-to-guess password compromised by a malicious outsider.

■ What applications do my users require on a daily/weekly/monthly basis? Begin with an inventory of the software installed on your clients’ PCs, then go one step further and conduct a survey or audit of each department’s business processes. You will be amazed at how many quirky little dial-up file transfer applications and the like are brought to your attention during such an audit. This step will serve two purposes: It will allow you to plan your network security configuration to allow all required applications to run, and this will likely present an opportunity to streamline or improve business processes that you might not even have known existed. After all, in order to support your users, you must first understand what their needs are.

■ What are the network resources required by my user applications? If an application is passing traffic across the network, you need to know how that traffic is being passed. Most network-aware applications will operate using a specific TCP or UDP port, and it would be impossible to correctly configure network security without knowing which ports are required for your applications to function.

Writing It All Down: Drafting Your Network Security Policy
Whether you choose one of the extreme approaches described at the beginning of this section or choose to configure your security policies somewhere in-between, the most important part of the equation lies in actually recording the policy so that it can be implemented within your organization. A network security policy can be a massive document, with many possible sub-headings under its jurisdiction. When drafting your security policy, you can use any or all of the following sections as appropriate to your network.

Acceptable Use Policy

While a network security plan is only as useful as it is pertinent to your organization, we can’t think of a company whose network would not benefit from the construction of an acceptable use policy. As the name implies, this document details what types of activity and usage are (and are not) permitted on a corporate network. Most modern security surveys indicate that the greatest security risk on a network often originates from internal staff and employees. Consider the following situations:

■ Pirated software found on a company’s computer system opens the door to legal exposure and copyright violations, even if the software was not installed by a member of the IT staff
■ An employee uses a customer database to spam people with get-rich-quick e-mails
■ A system administrator encounters pornographic material on an employee hard drive while performing PC maintenance
■ An unauthorized employee uses NMAP or another network scanner to search for vulnerabilities on a corporate LAN

While an acceptable use policy might not have averted any of these situations, it’s nonetheless critical to have one in place so that whoever encounters a dilemma (like IT, Human Resources, and so forth) will know two things:

■ That a violation has occurred
■ The appropriate steps to take in response
A quick search query of “acceptable use policy” into your favorite search engine (like www.google.com) will result in hundreds upon hundreds of documents that you can use to help add a layer of security to your network security policies.
Internet Usage
While a policy regarding appropriate use of Internet resources could easily be categorized under acceptable use, many organizations have created a separate policy to draw attention to this most essential of issues. A September 2000 Gartner survey reports that many users spend between two and three hours a day surfing non-work-related Web sites, and that number has likely only grown since then. Create a policy outlining what defines acceptable use of the Internet, while allowing some time for personal Internet usage (during the lunch hour, for example). Again, user awareness is key: make Internet use a part of new employee orientations, or add it to corporate training programs.
Disaster Recovery Policy
If you’re debating whether or not to invest the time and resources required to develop a disaster recovery plan, remember that a “disaster” doesn’t even have to revolve around a tornado or fire: data corruption resulting from a power outage or virus outbreak can put a network out of commission just as effectively as rising flood waters. If you’ve already surveyed your users’ business processes (as we advised in the last section), then you’ve already completed the first steps in developing a disaster recovery strategy. While we could spend an entire book discussing disaster recovery planning, the major steps involved are as follows: identify your critical assets, back them up on a regular basis, and have a policy in place to implement recovery procedures in the event of a major outage. An effective plan needs to include detailed plans regarding the backup of all critical systems and the storage of these backups at an off-site location that can be brought online within a satisfactory time frame.
Something as simple as an infected floppy disk can bring your network down if you have not mandated antivirus protection for all computers on your network. A well-formed antivirus policy should include the following elements:

■ Require all computer systems to have antivirus software installed before they can be connected to the network
■ Forbid users from disabling or altering antivirus features, including scanning and updating functions
■ Mandate that a full system scan be performed if antivirus software needs to be disabled for any reason, such as installation of new software
■ Add a disclaimer to all outgoing e-mail messages stating that they have been scanned for virus infections. Configuring these disclaimers will be specific to the e-mail server and operating system you’re using. For example, in Microsoft Exchange you would create an OutboundAppend Registry value in the HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters\Extension Registry key. Consult the Microsoft Knowledge Base or your e-mail server’s vendor Web site for more detailed information.
Identifying Threats to Network Security
Before developing a network security policy, you first need to understand what sorts of threats your network is susceptible to. While the particulars of an attack against your organization will vary based on its size and structure, all network threats will target one or more of the following: confidentiality, integrity, or availability. In this section, we’ll discuss a partial list (though there are countless others) of the more commonly encountered hazards to the integrity of your network and its security.