Configuring Endpoint Profile

Owned by Chilukuri Srinivasa Reddy
Last updated: Apr 23, 2024 by Mayuresh Balaji Kamble (Unlicensed)Version comment
25 min read

You can configure Endpoint Profile to perform security checks for a Customer, set of IP Addresses, Locations, or Systems.

To create an Endpoint Profile:

  1. Select Asset > Configuration > Endpoint > Profile. The PROFILE page is displayed.


    Figure: PROFILE page

  2. On the ACTIONS panel, click ADDNEW. The PROFILE page is displayed.


    Figure: PROFILE page

  3. On the PROFILE page:
    • Select the Tenant type.
    • Type the Profile Name and Description.
    • Select the Active check box if you want to make the Endpoint profile active.
    • Under the Static and Dynamic tabs, select the required security check options.

    For more information about fields on the PROFILE page, see Field Description.

  4. Click SUBMIT at the top-right corner to configure the Endpoint profile.
     

Field Description

The following table describes the fields on the PROFILE page:

Field

Description

DETAILS

Profile Name

Type the name for the Endpoint Profile.

Description

Type a brief description about the Endpoint Profile.

Active

Indicates the status of the Endpoint Profile.

  • If you select the check box, the Endpoint Profile will be in Active status.
  • If you do not select the check box, the Endpoint Profile will be in Inactive status. The inactive Endpoint Profiles are not displayed in the Endpoint Profile list.

Static

Under the Static tab, the administrators can choose from 170 pre-defined parameters and create the Endpoint Profiles. You can search for a particular security check using the Search For Security Check search box.

 ANTIVIRUS

Displays the security checks related to Antivirus installed on the Assets.

 
Figure: Static tab: ANTIVIRUS security check


Click the  icon to display all the security checks related to antivirus.


Figure: ANTIVIRUS security check


The following table describes the fields for the ANTIVIRUS security check:

Field

Description

DETAILS

Select

Select the check box for the ANTIVIRUS to select all the security checks related to antivirus. To select a particular security check, select the check box for that security check.

Endpoint

Displays the Id assigned to the security check.

Criticality

Displays the Criticality for the security check.

Security Check

Displays the security check questions and the configured values.

  • Is Antivirus Auto-Protect Enabled?: Select the Enabled check box if the Antivirus Auto-Protect is enabled on the Asset. Select the Disabled check box if the Antivirus Auto-Protect is disabled on the Asset.
  • Is Antivirus Present?: Select the Enabled check box if the Antivirus is present on the Asset. Select the Disabled check box if the Antivirus is not present on the Asset.
  • Is Antivirus Updated?: Select the Enabled check box if the Antivirus installed on the Asset is updated. Select the Disabled check box if the Antivirus installed on the Asset is not updated.
 AUDIT POLICY

 Displays the security checks related to Audit Policy. Click the   icon to display all the security checks related to antivirus.


Figure: Static tab: AUDIT POLICY security check


The following table describes the fields for the ANTIVIRUS security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Are you auditing account logon events for failure or success?: Select the Success check box if you are auditing account logon for success. Select the Failure check box if you are auditing account logon for failure.
  • Are you auditing account management for failure or success?: Select the Success check box if you are auditing account management for success. Select the Failure check box if you are auditing account management for failure.
  • Are you auditing directory service access for failure or success?: Select the Success check box if you are auditing directory service access for success. Select the Failure check box if you are auditing directory service access for failure.
  • Are you auditing logon events for failure or success?: Select the Success check box if you are auditing logon events for success. Select the Failure check box if you are auditing logon events for failure.
  • Are you auditing object access for failure or success?: Select the Success check box if you are auditing object access for success. Select the Failure check box if you are auditing object access for failure.
  • Are you auditing policy change for failure or success?: Select the Success check box if you are auditing policy change for success. Select the Failure check box if you are auditing policy change for failure.
  • Are you auditing privilege use for failure or success?: Select the Success check box if you are auditing privilege use for success. Select the Failure check box if you are auditing privilege use for failure.
  • Are you auditing process tracking for failure or success?: Select the Success check box if you are auditing process tracking  for success. Select the Failure check box if you are auditing process tracking for failure.
  • Are you auditing system events for failure or success?: Select the Success check box if you are auditing system events for success. Select the Failure check box if you are auditing system events for failure.
 AUTO UPDATE

 Displays the security checks related to Auto Update. Click the   icon to display all the security checks related to Auto Update.


Figure: Static tab: AUTO UPDATE security check


The following table describes the fields for the Auto Update security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • What is the automatic update status of windows?: Select the Enabled check box if the automatic update for windows is enabled. Select the Disabled check box if the automatic update for windows is disabled.
 CUSTOM CHECKS

 Displays the security checks related to Custom Checks. Click the   icon to display all the security checks related to Custom Checks.


Figure: Static tab: CUSTOM CHECKS security check


The following table describes the fields for the Custom Check security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • What is the Desktop path?: Type in the desktop path in the text box.
  • What is Documents Folder path?: Type in the documents folder path in the text box.
  • Which Windows version is present?: Type in the windows version installed on the Asset in the text box.
 EVENTLOG SCAN

 Displays the security checks related to Event log Scan. Click the  icon to display all the security checks related to Event log Scan.


Figure: Static tab: EVENTLOG SCAN


The following table describes the fields for the EVENTLOG SCAN:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • What is the Maximum Application Log Size [in KiloBytes]?: Type in the configured maximum application log size in the text box.
  • What is the Maximum Security Log Size [in KiloBytes]?: Type in the maximum security log size in the text box.
  • What is the Maximum System Log Size [in KiloBytes]?: Type in the maximum system log size in the text box.
 FIREWALL POLICIES

 Displays the security checks related to Firewall Policies. Click the  icon to display all the security checks related to Firewall Policies.


Figure: Static tab: FIREWALL POLICIES security check


The following table describes the fields for the Firewall Policies security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Which are the Exceptions for Authorized Applications if any?: Type in the exceptions for authorized applications in the text box.
  • Which are the Exceptions for Open Ports if any?: Type in the exceptions for open ports in the text box.
  • Is Firewall Enabled?: Select the Enabled check box if the firewall is enabled on the Asset. Select the Disabled check box if the firewall is disabled on the Asset.
 INFORMATIONAL CHECKS

 Displays the security checks related to Informational Checks. Click the  icon to display all the security checks related to Informational Checks.


Figure: Static tab: INFORMATIONAL CHECKS security check


The following table describes the fields for the Informational Checks security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Which Hotfixes are installed?: Type in the Hotfixes installed on the Asset in the text box.
  • What is Last System Boot Up Time?: Specify the last System Boot Up time in the text box. Click the Calender icon to select a date and time.
  • What is Manufacturer name?: Type in the manufacturer name of the Asset in the text box.
  • What is Model name?: Type in the model name of the Asset in the text box.
  • Which Processor does the system have?: Type in the Processor on the Asset in the text box.
  • What is RAM size?: Type in the amount of RAM installed on the Asset.
  • What is Disk size?: Type in the size of Hard Disk on the Asset in the text box.
  • Which Network Files are shared?: Type in the Network Files which can be shared.
  • Which Non-NTFS Partitions the system has?: Specify the Non-NTFS partitions in the text box.
  • Which Processes are running while Scanning?: Type in the processes which are running while Scanning.
  • Which Services are Installed?: Specify the Services installed on the Asset in the text box.
  • Which Software are installed -Full Details?: Type in the details of the Software installed on the Asset in the text box.
 MISCELLANEOUS HARDENING

 Displays the security checks related to Miscellaneous Hardening. Click the  icon to display all the security checks related to Miscellaneous Hardening.


Figure: Static tab: MISCELLANEOUS HARDENING security check


The following table describes the fields for the Miscellaneous Hardening security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Does the user has access to Internet Explorer Security Page?: Select the Enabled check box if the user has access to Internet Explorer Security page. Select the Disabled check box if the user does not have access to Internet Explorer Security page.
  • Is Changing of Internet Explorer Advanced Page Settings Enabled?: Select the Enabled check box if the user can change the Internet Explorer Advanced page settings. Select the Disabled check box if the user cannot change the Internet Explorer Advanced page settings.
  • Does the user have access to CD-ROM Drives?: Select the Enabled? check box if the user has access to the CD-ROM Drive. Select the Disabled check box if the user does not have access to the CD-ROM Drive.
  • Does the user have access to Floppy Drives?: Select the Enabled check box if the user has access to the Floppy Drive. Select the Disabled check box if the user does not have access to the Floppy Drive.
  • Is Simple TCP/IP Services Enabled?: Select the Enabled check box if the simple TCP/IP service is enabled. Select the Disabled check box if the simple TCP/IP service is disabled.
  • Is SNMP Enabled?: Select the Enabled check box if the SNMP is enabled. Select the Disabled check box if the SNMP is disabled.
 PASSWORD POLICY

 Displays the security checks related to Password Policy. Click the  icon to display all the security checks related to Password Policy.


Figure: Static tab: PASSWORD POLICY security check


The following table describes the fields for the Password Policy security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • What is Account Lockout Duration [in number of minutes]?:Type in the Account Lockout Duration, in minutes, in the text box.
  • What is the value for Account Lockout Threshold?: Type in the Account Lockout threshold value in the text box.
  • What is the count for Enforce Password History?: Type in the count for enforce Password history in the text box.
  • What is Maximum Password Age [in number of days]?: Type in the maximum Password age, in days, in the text box.
  • What is Minimum Password Age [in number of days]?: Type in the minimum Password age, in days, in the text box.
  • What is Maximum Password Length [in number of characters]?: Type in the minimum Password length, in characters, in the text box.
  • What is the duration for Reset Account Lockout Counter After [in number of minutes]?: Type in the duration for the reset Account Lockout counter in the text box.
 SCREENSAVER

 Displays the security checks related to Screensaver. Click the  icon to display all the security checks related to Screensaver.


Figure: Static tab: SCREENSAVER security check


The following table describes the fields for the Screensaver security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Is Screen Saver Activated: Select the Enabled check box if the Screen Saver is activated on the Asset. Select the Disabled check box if the Screen Saver is not activated on the Asset.
  • Is Screen Saver Secured: Select the Enabled check box if the Screen Saver is secured on the Asset. Select the Disabled check box if the Screen Saver is not secured on the Asset.
  • What is Screen Saver Timeout Duration [ in number of seconds]: Type in the Screen saver timeout duration, in seconds, in the text box.
 SECURITY OPTIONS

 Displays the security checks related to Security Options. Click the  icon to display all the security checks related to Security Options.

 
Figure: Static tab: SECURITY OPTIONS security check


The following table describes the fields for the Security Options security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Accounts: Is Limit local account use of blank passwords to console logon only Enabled?: Select the Enabled check box if the use of blank password is enabled. Select the Disabled check box if the use of blank password is disabled.
  • Audit: Is Audit the access of global system objects Enabled?: Select the Enabled check box if the access of global system objects is enabled. Select the Disabled check box if the access of global system objects is disabled.
  • Audit: Is Audit the use of Backup and Restore privilege Enabled?: Select the Enabled check box if the use of backup and restore privilege is enabled. Select the Disabled check box if the use of backup and restore privilege is disabled.
  • Audit: Is Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled?: Select the Enabled check box if the force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled. Select the Disabled check box if the force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is disabled.
  • Audit: Is Shut down system immediately if unable to log security audits Enabled?: Select the Enabled check box if shut down system immediately, if unable to log security audits, is enabled. Select the Disabled check box if shut down system immediately, if unable to log security audits, is disabled.
  • DCOM: Is Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax Enabled?: Type in the text box if the Machine Access Restriction in SDDL is enabled.
  • DCOM: Is Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax?: Type in the text box if the Machine Launch Restriction syntax in SDDL in the text box.
  • Devices: Is Allow undock without having to log on Enabled?: Select the Enabled check box if unlock is allowed without log on. Select the Disabled check box if unlock is not allowed without log on.
  • Devices: Is Allowed to format and eject removable media Enabled ?: Select from the list below which user role has the above access.
  • Devices: Is Prevent users from installing printer drivers Enabled?: Select the Enabled check box if the users are not allowed to install printer drivers. Select the Disabled check box if the users are allowed to install printer drivers.
  • Devices: Is Restrict CD-ROM access to locally logged-on user only Enabled?: Select the Enabled check box if the locally logged-on users do not have access to CD-ROM. Select the Disabled check box if the locally logged-on users have access to CD-ROM.
  • Devices: Is Restrict floppy access to locally logged-on user only Enabled?: Select the Enabled check box if the locally logged-on users do not have access to floppy drive. Select the Disabled check box if the locally logged-on users have access to floppy drive.
  • Domain controller: Is Allow server operators to schedule tasks Enabled?: Select the Enabled check box if the server operators are allowed to schedule tasks. Select the Disabled check box if server operators are not allowed to schedule tasks.
  • Domain controller: Is LDAP server signing requirements Enabled?: Select the from the list if the LDAP server signing requirements are enabled.
  • Domain controller: Is Refuse machine account password changes Enabled?: Select the Enabled check box if the refuse machine account password changes is enabled. Select the Disabled check box if the refuse machine account password changes is disabled.
  • Domain member: Is Digitally encrypt or sign secure channel data (always) Enabled?: Select the Enabled check box if the digitally encrypt or sign secure channel data is always enabled. Select the Disabled check box if the digitally encrypt or sign secure channel data is not always enabled.
  • Domain member: Is Digitally encrypt secure channel data (when possible) Enabled?: Select the Enabled check box if the digitally encrypt secure channel data (whenever possible) is enabled. users are not allowed to install printer drivers. Select the Disabled check box if the digitally encrypt secure channel data (whenever possible) is not enabled.
  • Domain member: Is Digitally sign secure channel data (when possible) Enabled?: Select the Enabled check box if the digitally sign secure channel data (whenever possible) is enabled. Select the Disabled check box if the digitally encrypt or sign secure channel data (whenever possible) is not enabled.
  • Domain member: Is Disable machine account password changes Enabled?: Select the Enabled check box if the machine account password change option is disabled. Select the Disabled check box if the machine account password change option is enabled.
  • Domain member: What is Maximum machine account password age [in number of days]?: Type in the maximum machine account password age (in number of days) in the text box.
  • Domain member: Is Require strong (Windows 2000 or later) session key Enabled?: Select the Enabled check box if the strong session key is required. Select the Disabled check box if the strong session key is not required.
  • Interactive logon: Is Do not display last user name Enabled?: Select the Enabled check box if the last user name is not displayed on the interactive logon. Select the Disabled check box if the last user name is displayed on the interactive logon.
  • Interactive logon: Is Do not require CTRL+ALT+DEL Enabled?: Select the Enabled check box if CTRL+ALT+DEL is not required on the interactive logon. Select the Disabled check box if CTRL+ALT+DEL is required on the interactive logon.
  • Interactive logon: Message text for users attempting to log on: Type in the Message text that appears for user attempting to log on.
  • Interactive logon: What is the count for Number of previous logons to cache ?(in case domain controller is not available) [in number of logons]: Type in the count of previous logons to be cached in the text box.
  • Interactive logon: How far in advance user are prompt to change password before expiration [in number of days]?: Type in the number of days in advance the users are prompted to change the password before expiration in the text box.
  • Interactive logon: Is Require Domain Controller authentication to unlock workstation Enabled?: Select the Enabled check box if the domain controller authentication is required to unlock the workstation. Select the Disabled check box if the domain controller authentication is not required to unlock the workstation.
  • Interactive logon: Is Require smart card Enabled?: Select the Enabled check box if the smart card is required on the interactive logon. Select the Disabled check box if the smart card is not required on the interactive logon.
  • Interactive logon: What is the behavior for Smart card removal?: Select the behavior from the list for the Smart Card removal.
  • Microsoft network client: Is Digitally sign communications (always) Enabled?: Select the Enabled check box if the digitally signed communications are enabled on the Microsoft network client. Select the Disabled check box if the digitally signed communications are disabled on the microsoft network client.
  • Microsoft network client: Is Digitally sign communications (if server agrees) Enabled?: Select the Enabled check box if the digitally signed communications (if server agrees) are enabled on the Microsoft network client. Select the Disabled check box if the digitally signed communications (if server agrees) are disabled on the Microsoft network client.
  • Microsoft network client: Is Send unencrypted password to third-party SMB servers Enabled?: Select the Enabled check box if the sending unencrypted password to third-party SMP servers is enabled. machine account password change option is disabled. Select the Disabled check box if the sending unencrypted password to third-party SMP servers is disabled.
  • Microsoft network server: How much the idle time required before suspending session [in number of minutes]?: Type in the idle time required before suspending session (in number of minutes).
  • Microsoft network server: Is Digitally sign communications (always) Enabled?: Select the Enabled check box if the digitally signed communications are always enabled. Select the Disabled check box if the digitally signed communications are not always enabled.
  • Microsoft network server: Is Digitally sign communications (if client agrees) Enabled?: Select the Enabled check box if the digitally signed communications (if the client agrees) are enabled. Select the Disabled check box if the digitally signed communications (if the client agrees) are disabled.
  • Microsoft network server: Is Disconnect clients when logon hours expire Enabled?: Select the Enabled check box if the client is disconnected when the logon hours are expired. Select the Disabled check box if the client is not disconnected when the logon hours are expired.
  • Network access: Is Do not allow anonymous enumeration of SAM accounts Enabled?: Select the Enabled check box if the anonymous enumeration of SAM accounts are not allowed. Select the Disabled check box if the anonymous enumeration of SAM accounts are allowed.
  • Network access: Is Do not allow anonymous enumeration of SAM accounts and shares Enabled?: Select the Enabled check box if the anonymous enumeration of SAM accounts and shares are not allowed. Select the Disabled check box if the anonymous enumeration of SAM accounts and shares are allowed.
  • Network access: Is Do not allow storage of credentials or .NET Passports for network authentication Enabled?: Select the Enabled check box if the storage of credentials or .NET passports for network authentication is not allowed. Select the Disabled check box if the storage of credentials or .NET passports for network authentication is allowed.
  • Network access: Is Let Everyone permissions apply to anonymous users enabled?: Select the Enabled check box if the everyone permissions apply to anonymous users. Select the Disabled check box if the everyone permissions does not apply to anonymous users.
  • Network access: Which Named Pipes that can be accessed anonymously are present in system?: Type in the names of the Named Pipes that can be accessed anonymously in the system.
  • Network access: Which Remotely accessible registry paths are present?: Type in the registry paths which are accessible remotely in the text box.
  • Network access: Which Remotely accessible registry paths and sub- paths are present?: Type in the present registry paths and sub-paths in the text box.
  • Network access: Is Restrict anonymous access to Named Pipes and Shares Enabled?: Select the Enabled check box if the anonymous access to Named Pipes and Shares is restricted. Select the Disabled check box if the anonymous access to Named Pipes and Shares is not restricted.
  • Network access: Is Shares that can be accessed anonymously Enabled?: Type in the Shares that can be accessed anonymously in the text box.
  • Network access: How Sharing and security model for local accounts are authenticated?: Select from the list the sharing and security model for authentication of local accounts.
  • Network security: Is Do not store LAN Manager hash value on next password change Enabled?: Select the Enabled check box if the LAN manager hash value is not stored on next password change. Select the Disabled check box if the LAN manager hash value is stored on next password change.
  • Network security: Which LAN Manager authentication level is present?: Select the LAN manager authentication level from the list.
  • Network security: Which LDAP client signing requirements is present?: Select the LDAP signing requirements present from the list.
  • Network security: Which Minimum session security for NTLM SSP based (including secure RPC) clients is present?: Type in the value for minimum session security for NTLM SSP based (including secure RPC) clients.
  • Network security: Which Minimum session security for NTLM SSP based (including secure RPC) servers is present?: Type in the value for minimum session security for NTLM SSP based (including secure RPC) servers.
  • Recovery console: Is Allow automatic administrative logon Enabled?: Select the Enabled check box if the automatic administrative logon is allowed. Select the Disabled check box if the automatic administrative logon is not allowed.
  • Recovery console: Is Allow floppy copy and access to all drives and all folders Enabled?: Select the Enabled check box if the floppy copy and access to all drives and all folders is allowed. Select the Disabled check box if the floppy copy and access to all drives and all folders is not allowed.
  • Shutdown: Is Allow system to be shut down without having to log on Enabled?: Select the Enabled check box if the system can be shut down without having to log on. Select the Disabled check box if the system cannot be shut down without having to log on.
  • Shutdown: Is Clear virtual memory pagefile Enabled?: Select the Enabled check box if the clear virtual memory pagefile option is enabled. Select the Disabled check box if the clear virtual memory pagefile option is not enabled.
  • System cryptography: Which setting for Force strong key protection for user keys stored on the computer is present?: Select from the list the setting present for Force strong key protection for user keys stored on the computer.
  • System cryptography: Is Use FIPS compliant algorithms for encryption, hashing, and signing Enabled?: Select the Enabled check box if the FIPS compliant algorithms for encryption, hashing, and siging is enabled. Select the Disabled check box if the FIPS compliant algorithms for encryption, hashing, and siging is disabled.
  • System objects: Is Require case insensitivity for non-Windows subsystems Enabled?: Select the Enabled check box if the case sensitivity for non-windows subsystems is required. clear virtual memory pagefile option is enabled. Select the Disabled check box if the case sensitivity for non-windows subsystems is not required.
  • System objects: Is Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled?: Select the Enabled check box if the strengthen default permission of internal system objects (e.g. Symbolic Links) is enabled. Select the Disabled check box if the strengthen default permission of internal system objects (e.g. Symbolic Links) is disabled.
  • System settings: Which subsystems are used to support your applications?: Type in the text box the subsystems used to support your application.
  • System settings: Is Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled?: Select the Enabled check box if the use certificate rules on windows executables for software restriction policies option is enabled. Select the Disabled check box if the  use certificate rules on windows executables for software restriction policies option is disabled.
  • User Account Control: Is Admin Approval Mode for the Built-in Administrator account Enabled?: Select the Enabled check box if the Admin Approval mode for the build-in administrator account is enabled. Select the Disabled check box if the admin approval mode for the build-in administrator account is disabled.
  • User Account Control: Which setting for Behavior of the elevation prompt for administrators in Admin Approval Mode is present?: Select from the list the setting for behavior of the elevation prompt for administrators is Admin Approval mode.
  • User Account Control: Which setting for Behavior of the elevation prompt for standard users is present?: Select from the list the setting for behavior of the elevation prompt for standard users.
  • User Account Control: Is Detect application installations and prompt for elevation Enabled?: Select the Enabled check box if the application installations and prompt for elevation is detected. Select the Disabled check box if the application installations and prompt for elevation not detected.
  • User Account Control: Is Only elevate executables that are signed and validated Enabled?: Select the Enabled check box if the only elevate executables that are signed and validated option is enabled. Select the Disabled check box if the only elevate executables that are signed and validated option is disabled.
  • User Account Control: Is Only elevate UIAccess applications that are installed in secure locations Enabled?: Select the Enabled check box if only elevate UIAccess applications that are installed in secure locations is enabled. Select the Disabled check box if only elevate UIAccess applications that are installed in secure locations is disabled.
  • User Account Control: Is Run all administrators in Admin Approval Mode Enabled?: Select the Enabled check box if all the administrators are run in the Admin Approval mode. Select the Disabled check box if all the administrators are not run in the Admin Approval mode.
  • User Account Control: Is Switch to the secure desktop when prompting for elevation Enabled?: Select the Enabled check box if switch to the secure desktop when prompting for elevation option is enabled. Select the Disabled check box if switch to the secure desktop when prompting for elevation option is disabled.
  • User Account Control: Is Virtualized file and registry write failures to per- user locations Enabled?: Select the Enabled check box if virtualize file and registry write failures to per-user locations option is enabled. Select the Disabled check box if virtualize file and registry write failures to per-user locations option is disabled.
  • Shutdown: Is Clear virtual memory pagefile Enabled?: Select the Enabled check box if the clear virtual memory pagefile option is enabled. Select the Disabled check box if the clear virtual memory pagefile option is not enabled.
  • Shutdown: Is Clear virtual memory pagefile Enabled?: Select the Enabled check box if the clear virtual memory pagefile option is enabled. Select the Disabled check box if the clear virtual memory pagefile option is not enabled.
 USB DEVICES

 Displays the security checks related to USB Devices. Click the  icon to display all the security checks related to USB Devices.


Figure: Static tab: USB DEVICES security check


The following table describes the fields for the USB Devices security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Which are the Connected Usb Devices?: Type in the USB devices connected to the Asset in the text box.
 USER ACCOUNTS

 Displays the security checks related to User Accounts. Click the   icon to display all the security checks related to User Accounts.


Figure: Static tab: USER ACCOUNTS security check


The following table describes the fields for the User Accounts security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Is Guest Account Active?: Select the Enabled check box if the guest account is active on the Asset. Select the Disabled check box if the guest account is not active on the Asset.
  • Is User an Administrator?: Select the Enabled check box if the user is an Administrator. Select the Disabled check box if the user is not an Administrator.
  • Which Local Administrators are present in the system?: Specify the local Administrators present in the system in the text box below.
  • Which Local Users are present in the system?: Specify the local users present in the system in the text box below.
 USER RIGHTS ASSIGNMENT

 Displays the security checks related to User Rights Assignment. Click the  icon to display all the security checks related to User Rights Assignment.


Figure: Static tab: USER RIGHTS ASSIGNMENT security check


The following table describes the fields for the User Rights Assignment security check:

Field

Description

DETAILS

Security Check

Displays the security check questions and the configured values.

  • Which users and groups are allowed to Access the Credential Manager as a trusted caller?: Specify the users and groups allowed to access the Credential Manager as a trusted caller in the text box.
  • Which users and groups are allowed to Access this computer from the network?: Specify the users and groups allowed to access the computer from the network in the text box.
  • Which users and groups are allowed to Act as part of the operating system?: Specify the users and groups allowed to act as part of the operating system.
  • Which users and groups are allowed to Add workstations to domain?: Specify the users and groups allowed to add workstations to domain.
  • Which users and groups are allowed to Adjust memory quotas for a process?: Specify the users and groups allowed to adjust memory quota for a process.
  • Which users and groups are allowed to Allow logon through Terminal Services?: Specify the users and groups allowed to logon through terminal services.
  • Which users and groups are allowed to Back up file and directories?: Specify the users and groups allowed to backup files and directories.
  • Which users and groups are allowed to Bypass traverse checking?: Specify the users and groups allowed to bypass traverse checking.
  • Which users and groups are allowed to Change the system time?: Specify the users and groups allowed to change the system time.
  • Which users and groups are allowed to Change the time zone?: Specify the users and groups allowed to change the time zone.
  • Which users and groups are allowed to Create a global objects?: Specify the users and groups allowed to create a global objects.
  • Which users and groups are allowed to Create a pagefile?: Specify the users and groups allowed to create a pagefile.
  • Which users and groups are allowed to Create a token object?: Specify the users and groups allowed to create a token object.
  • Which users and groups are allowed to Create permanent shared objects?: Specify the users and groups allowed to create permanent shared objects.
  • Which users and groups are allowed to Create symbolic links?: Specify the users and groups allowed to create symbolic links.
  • Which users and groups are allowed to Debug programs?: Specify the users and groups allowed to debug programs.
  • Which users and groups are denied to access to this computer from the network: Specify the users and groups which are denied access to this computer from the network.
  • Which users and groups are denied to logon as a batch job?: Specify the users and groups which are denied to logon as a batch job.
  • Which users and groups are denied to logon as a service?: Specify the users and groups which are denied to logon as a service.
  • Which users and groups are denied to logon locally?: Specify the users and groups which are denied to logon locally.
  • Which users and groups are denied to logon through Terminal Services?: Specify the users and groups which are denied to logon through terminal services.
  • Which users and groups are allowed to Enable computer and user accounts to be trusted for delegation?: Specify the users and groups which are allowed to enable computer and user accounts to be trusted for delegation.
  • Which users and groups are allowed to Force shutdown from a remote system?: Specify the users and groups which are allowed to force shutdown form a remote system.
  • Which users and groups are allowed to Generate security audits?: Specify the users and groups which are allowed to generate security audits.
  • Which users and groups are allowed to Impersonate a client after authentication?: Specify the users and groups allowed to impersonate a client after authentication.
  • Which users and groups are allowed to Increase a process working set?: Specify the users and groups allowed to increase a process working set.
  • Which users and groups are allowed to Increase scheduling priority?: Specify the users and groups allowed to increase scheduling priority.
  • Which users and groups are allowed to Load and unload device drivers?: Specify the users and groups allowed to load and unload device drivers.
  • Which users and groups are allowed to Lock pages in memory?: Specify the users and groups allowed to lock pages in memory.
  • Which users and groups are allowed to Log on as a batch job?: Specify the users and groups allowed to log on as a batch job.
  • Which users and groups are allowed to Log on as a service?: Specify the users and groups allowed to log on as a service.
  • Which users and groups are allowed to Log on locally?: Specify the users and groups allowed to log on locally.
  • Which users and groups are allowed to Manage auditing and security log?: Specify the users and groups allowed to manage auditing and security log.
  • Which users and groups are allowed to Modify an object label?: Specify the users and groups allowed to modify an object.
  • Which users and groups are allowed to Modify firmware environment values?: Specify the users and groups allowed to modify firmware environment values.
  • Which users and groups are allowed to Perform volume maintenance tasks: Specify the users and groups allowed to perform volume maintenance tasks.
  • Which users can use performance monitoring tools to monitor the performance of nonsystem processes ? (Profile single process): Specify the users which can use performance monitoring tools to monitor the performance of nonsystem processes.
  • Which users can use performance monitoring tools to monitor the performance of system processes ?: Specify the users which can use performance monitoring tools to monitor the performance of system processes.
  • Which users and groups are allowed to Remove computer from docking station?: Specify the users and groups allowed to remove computer from docking station.
  • Which users and groups are allowed to Replace a process level token?: Specify the users and groups allowed to replace a process level token.
  • Which users and groups are allowed to Restore files and directories?: Specify the users and groups allowed to restore files and directories.
  • Which users and groups are allowed to Shut down the system?: Specify the users and groups allowed to shut down the system.
  • Which users and groups are allowed to Synchronize directory service data?: Specify the users and groups allowed to synchronize directory service data.
  • Which users and groups are allowed to Take ownership of file or other objects?: Specify the users and groups allowed to take ownership of file or other objects.

Dynamic

Under the Dynamic tab, the Administrators can create additional custom parameters based on the availability of the registry entry, value of a registry key, value of a WMI class, VB scripts, Powershell, using batch Commands, and availability of a file/directory. You can search for a particular security check using the Search For Security Check search box.

 REGISTRY

 Displays the security checks for Registry settings. Select the check box for the REGISTRY to select all the security checks related to Registry settings. To select a particular security check, select the check box for that security check. Click the  icon to display all the security checks related to REGISTRY.


Figure: Static tab: REGISTRY security check


The following table describes the fields for the REGISTRY security check:

Field

Description

DETAILS

Select

Select the check box for the security check to select that security check.

Endpoint

Displays the Id assigned to the security check.

Criticality

Displays the Criticality for the security check.

Security Check

Displays the security check questions and the configured values. For more information configuring security checks, see: <topic name>.

 WMI

 Displays the security checks related to WMI. Select the check box for the WMI to select all the security checks related to Registry settings. To select a particular security check, select the check box for that security check. Click the  icon to display all the security checks related to WMI.


Figure: Dynamic tab: WMI security Checks

 CMD

Displays the security checks related to CMD. Select the check box for the CMD to select all the security checks related to Registry settings. To select a particular security check, select the check box for that security check. Click the  icon to display all the security checks related to CMD.


Figure: Dynamic tab: CMD security checks

 POWERSHELL

Displays the security checks related to POWERSHELL. Select the check box for the POWERSHELL to select all the security checks related to POWERSHELL. To select a particular security check, select the check box for that security check. Click the   icon to display all the security checks related to POWERSHELL.


Figure: Static tab: POWERSHELL security checks

 VBSCRIPT

Displays the security checks related to VBSCRIPT. Select the check box for the VBSCRIPT to select all the security checks related to VBSCRIPT. To select a particular security check, select the check box for that security check. Click the   icon to display all the security checks related to VBSCRIPT.


Figure: Static tab: VBSCRIPT security checks

 FILE

Displays the security checks related to FILE. Select the check box for the FILE to select all the security checks related to FILE. To select a particular security check, select the check box for that security check. Click the  icon to display all the security checks related to FILE.


Figure: Dynamic tab: FILE security checks

Color Codes

The color codes displayed for the check mark:

  • Grey: Indicates that the Tenant is disabled for the module.
  • Green: Indicates that all the associated components of the module is configured.
  • Yellow: Indicates that the associated components of the module is not configured.

ACTIONS

This section explains all the icons displayed on the ACTIONS panel of the PROFILE page:

 SHOW LIST

 Click SHOW LIST to display the LIST table showing all the Profiles configured in the SUMMIT application. For more information, see Viewing Profile List.

 DYNAMIC CONFIGURATION

 Click DYNAMIC CONFIGURATION to create the security checks for the dynamic fields of the Endpoint Profile under the Dynamic tab. For more information, see Configuring Dynamic Endpoint.