Symantec™ Client Security Administrator's Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 3.1

Legal Notice

Copyright © 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, LiveUpdate, Norton AntiVirus, Symantec AntiVirus, Symantec Client Firewall, Symantec Client Security, Symantec Security Response, and Symantec System Center are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.


When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts


■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:


Technical Support

Section 1

Managing Symantec Client Security

Chapter 1

Symantec Client Security™ basics

About Symantec Client Security

About the Symantec System Center

Symantec System Center console icons

Using the Symantec System Center

Starting the Symantec System Center

Selecting a primary management server for a server group

About console views

Changing console views

Saving console settings

Customizing console view columns

Showing when clients are offline

Showing client Auto-Protect status

Showing client infection state

About refreshing the console

About the Discovery Service

How Discovery works

Types of Discovery

Discovery Service requirement for WINS or Active Directory

NetWare computers and the Discovery Service

Running the Discovery Service

Configuring the Discovery Service to use IP addresses

Configuring the Discovery Service

Configuring the Discovery Cycle interval

Using the Find Computer feature

Finding computers using a local cache search

Finding computers using a network search

Locating found items in the Symantec System Center console

Using the Refresh feature

Auditing computers

Configuring login certificates

Configuring login certificate lifetime and time tolerance

Configuring login certificate key size

Chapter 2

Managing Symantec Client Security

About servers

About primary management servers

About secondary management servers

About parent management servers

About server groups and client groups

Deciding whether to use server groups, client groups, or both

Client groups and configuration priority

How settings propagate

Server and client group scenario

Using server groups to manage

Best practice: installing a secondary management server

Creating server groups

Locking and unlocking server groups

Viewing and filtering server groups

Renaming server groups

Deleting server groups

Changing primary management servers

Changing parent management servers

Moving a server to a different server group

Restoring client communication when a primary server is lost

Managing user accounts for server groups

Configuring options for Windows Security Center (WSC)

Configuring the out-of-date time for definitions

Configuring alerts to appear on the host computer

Configuring Symantec Client Security to disable Windows Security Center

Optimizing server performance

Optimizing definitions and configuration rollouts

Monitoring clients

Using Tamper Protection

Enabling, disabling, and configuring Tamper Protection

Creating Tamper Protection messages

Using client groups to manage

Creating client groups

Adding clients to a client group

Configuring settings and running tasks at the client group level

About client group settings

Moving a client to a different client group

Viewing and filtering client groups

Renaming client groups

Deleting client groups

Using client group settings instead of server group settings

Managing clients

Managing legacy clients

Enabling direct client configuration

Handling clients with intermittent connectivity

Changing the management mode of a client

Chapter 3

Alert Management System

About the Alert Management System

How Alert Management System works

Configuring alert actions

Alert configuration tasks

Speeding up alert configuration

Configuring the Message Box alert action

Configuring the Broadcast alert action

Configuring the Run Program alert action

Configuring the Load An NLM alert action

Configuring the Send Internet Mail alert action

About paging services

Configuring the Send Page alert action

Configuring the Send SNMP Trap alert action

Configuring the Write To Event Log alert action

About configuring alert action messages

Configuring a default alert message

Working with configured alerts

Testing configured alert actions

Deleting an alert action from an alert

Exporting alert actions to other computers

Using the Alert Management System Alert Log

Viewing detailed alert information

Filtering the Alert Log display list

Forwarding alerts from unmanaged clients

Section 2

Configuring antivirus protection

Chapter 4

Scanning for viruses and security risks

About viruses and security risks

About Symantec Client Security™ scans

About the automatic exclusion of Microsoft Exchange files and directories

About the global exclusion of security risks from scans

Understanding Auto-Protect scans

About manual scans

About virus sweep scans

About scheduled scans

Selecting computers to scan

About inclusions and exclusions in scans

Configuring file and folder inclusions and exclusions

Configuring global security risk exclusions

About actions for viruses and security risks that scans detect

Configuring Auto-Protect

About propagating Auto-Protect settings

Locking and unlocking Auto-Protect options

Configuring File System Auto-Protect

Configuring Auto-Protect email scanning for groupware applications

Configuring Auto-Protect scanning for Internet email

Configuring manual scans

Configuring actions for manual scans

Configuring notifications for manual scans

Creating and configuring scheduled scans

Creating scheduled scans

Configuring scheduled scans

Managing the client user experience

Enabling users to pause, snooze, or stop scheduled scans

Preventing or allowing users to unload Symantec AntiVirus services

Changing the password that is required to uninstall

Changing the password that is required to scan mapped drives

Modifying scanning options for clients

Displaying a warning when definitions are out of date or missing

Managing warnings and notifications about infected files

Chapter 5

Updating definitions

About definitions

Ensure that all definitions are current

Definitions files update methods

Best practice: Using the Virus Definition Transport Method and LiveUpdate together

Best practice: Using Continuous LiveUpdate on 64-bit computers

Updating definitions files on servers

Updating and configuring servers using the Virus Definition Transport Method

Updating servers using LiveUpdate

Updating servers with Intelligent Updater

About using Central Quarantine polling to update servers

Minimizing network traffic and handling missed updates

Updating definitions files on clients

Forcing definitions files on clients to update immediately

Configuring managed clients to use an internal LiveUpdate server

Enabling and configuring Continuous LiveUpdate for managed clients

Setting LiveUpdate usage policies

Controlling definitions file deployment

Finding computers with outdated definitions files

Verifying the version number of definitions files

Viewing the risk list

Rolling back definitions files

Testing definitions files

Scenarios for definitions updates

About scanning after updating definitions files

Chapter 6

Responding to virus outbreaks

Preparing for virus outbreaks

Creating a virus outbreak plan

Defining Symantec Client Security actions for handling suspicious files

Configuring automatic Quarantine purge options

Registry settings for Quarantine Purge options

Forwarding items to the Quarantine Server

Enabling scan and deliver

Configuring actions to take when new definitions arrive

Handling a virus outbreak on your network

Using alerts and messages

Running a virus sweep

Tracking virus alerts using reporting, Event Logs, and Histories

Tracking submissions to Symantec Security Response with Central Quarantine Console

Chapter 7

Managing roaming clients

About roaming clients

Roaming client components

How roaming works

Implementing roaming

Analyzing and mapping your Symantec Client Security network

Identifying servers for each hierarchical level

Creating a list of level 0 Symantec Client Security servers

Creating a hierarchical list of Symantec Client Security servers

Configuring roaming client support options from the Symantec System Center console

Configuring additional roaming client support for roam servers

Command-line options

Registry values

Chapter 8

Working with Histories and Event Logs

About Histories and Event Logs

Sorting and filtering History and Event Log data

About Event Log icons

Viewing Histories

Working with Histories

Working with Scan Histories

Working with Risk Histories

Viewing Risk properties

Working with Tamper Histories

Working with Virus Sweep Histories

Forwarding client and server logs

Configuring log forwarding options

Configuring log events to forward

Best practice: configuring events to forward for sometimes-managed clients

Reviewing the forwarding status file

Deleting Histories and Event Logs

Section 3

Configuring Symantec Client Security firewall protection

Chapter 9

Managing policies

About policies

Policy categories

Properties

Rules

pRules

pRule settings

Zones

Locations

IPS signatures

IPS settings

Macros

Client Settings

Web Content settings

Profiling options

File version settings

About predefined policies and updates

Configuring policies and updates

Creating and opening policies and updates

Adding and editing policy descriptions

Saving policies and updates

Importing and exporting policies and updates

About importing and exporting

About importing and exporting rules and pRules

About importing and exporting Locations

About importing and exporting Location Awareness settings

About importing and saving the default client policy file

Merging rules and pRules in policy files

Distributing policies

How policy distribution affects Locations, rules, and settings

Using Symantec System Center to distribute policy files

Using the policy file import/export utility

Supporting policies for legacy clients

Configuring policies for legacy clients

Merging rules in legacy policy files

Chapter 10

Using Location Awareness and Zones

Using Locations

Configuring required Location information

Implementing Location Awareness

Deleting Locations

Editing Locations and NetSpecs

Using Network Zones

Adding computers to Zones

Copying Zones to other Locations

About locking Zones

Excluding computers from AutoBlock

Deleting locked and unlocked Zones when exporting policies

Chapter 11

Creating and testing rules

About rules

Rule categories

Rule types

Rule processing order

Elements of a rule

About stateful inspection

About UDP connections

Working with firewall rules

Creating rules

Displaying rules by Location

Adding rules to different Locations

Deleting rules

Configuring rule lock settings

Ignoring inbound and outbound NetBIOS Name rules

About updating rulebases on Symantec Client Firewall

Using port groups

Adding named port groups

Deleting named port groups

Using address groups

Adding named address groups

Deleting named address groups

Incorporating Secure Port

About testing firewall settings

Testing firewall rules, pRules, and Zones

Chapter 12

Using pRules

About pRules

pRules and rule lock settings

Using a digest value to identify a program

Priority of pRule evaluation

Program rules and pRules

Guidelines for using pRules

Viewing Symantec-supplied pRules

Creating and editing pRules

Selectively disabling auto-create

Configuring Ignore File Name Matching

Configuring Ignore Digest Values

Specifying the program identity for a pRule

Adding or editing match names for a pRule

Configuring match criteria

Adding a rule to a pRule

Configuring pRule lock settings

About Location-aware pRules

Creating pRule exceptions for Locations

Configuring pRules to support Active Directory

Using Profiling to generate pRules and NetSpecs

Profiling overview

Enabling Profiling in policy files

About exporting the policy file to clients

Viewing and saving profiled data with Symantec System Center

Retrieving profiled information

Processing profiled firewall rule exceptions

Processing profiled connections

Refreshing profiled data

About working with .csv files

Chapter 13

Customizing Intrusion Prevention

About the Intrusion Prevention System

Supporting different versions of IPS engines and signatures

Excluding attack signatures from being blocked

Configuring AutoBlock

Locking IPS exclusions and IP addresses

Chapter 14

Managing client log data

About logging

Setting the logging level

Viewing Event Logs from the Symantec System Center

Displaying logs

Filtering log data

Sorting log data

Understanding Event Log icons

Chapter 15

Creating network rulebases

Choosing an implementation approach

Considering implementation options

Using the Trusted Zone approach

Using the network-level firewall approach

Using the program-level firewall approach

Implementing network rulebases

Implementing Trusted Zones

Implementing network-level firewalls

Implementing program-level firewalls

Configuring an initial network rulebase

Fine-tuning and troubleshooting rulebases

Configuring a default-permit rulebase

Configuring user interaction

Chapter 16

Configuring Client Settings and Web Content settings

About Client Settings

General settings

Global settings

User Interface settings

Tray Menu Options settings

Windows Integration settings

Firewall settings

Advanced Firewall Options settings

Intrusion Prevention settings

Privacy Control settings

Ad Blocking settings

Alert Customization settings

About Configure Alerting

How Configure Alerting affects settings

Setting Configure Alerting options

About Miscellaneous Notifications

About permissions

General permissions

Client Firewall Operation permissions

Client Firewall Configuration permissions

Intrusion Prevention permissions

Miscellaneous permissions

Setting user access levels for legacy clients

About Protocol Filtering

Default Protocol Filtering settings

VPN protocols

Web Content settings

Section 1

Managing Symantec Client Security

■ Symantec Client Security™ basics

■ Managing Symantec Client Security

■ Alert Management System

Chapter 1

Symantec Client Security™ basics

This chapter includes the following topics:

■ About Symantec Client Security

■ About the Symantec System Center

■ Using the Symantec System Center

■ About the Discovery Service

■ Running the Discovery Service

■ Using the Find Computer feature

■ Configuring login certificates

About Symantec Client Security

Symantec™ Client Security provides scalable, cross-platform firewall protection, intrusion prevention, protection from viruses and security risks, and repair of viral and security risk side effects for workstations. For network servers, it provides protection from viruses and security risks, and repairs their side effects.

Symantec Client Security lets you do the following:

■ Establish and enforce antivirus, security risk, and firewall security policies.

■ Retrieve content updates, such as virus and security risk definitions, and intrusion prevention signatures.

■ Quarantine and delete live viruses.

■ Analyze logged events.


■ Create pre-defined and customizable graphical reports that are based on Symantec Client Security security information from your network.

Symantec Client Security product components and system requirements, including the protocols and ports that are used for Symantec Client Security, are described in the Symantec Client Security Installation Guide.

The Symantec Client Security client software provides antivirus and security risk protection, as well as firewall protection, for networked and non-networked computers. The Symantec AntiVirus client software protects the 32-bit and the supported 64-bit computers that run supported Windows® versions. Symantec™ Client Firewall software is not supported on 64-bit computers.

The term, Symantec Client Security, refers to both the Symantec Client Security server and the Symantec Client Security client software. Computers that run Symantec Client Security server software might be required to do so because of system requirements. Computers that run Symantec Client Security server software are not required to act as management servers.

The Symantec Client Security server software can manage other computers that run Symantec Client Security and supported legacy versions of Norton AntiVirus™ Corporate Edition. It can also push configuration updates, as well as virus and security risk definitions file updates, to these clients. The Symantec Client Security server software also provides antivirus and security risk protection for the computers on which it runs.

Note: The Symantec AntiVirus server software is not supported on 64-bit computers.

About the Symantec System Center

By using the Symantec System Center™, you can manage network security by performing administrative operations such as the following:

■ Installing antivirus and security risk protection on workstations and network servers.

■ Installing firewall and intrusion protection on workstations.

■ Updating Symantec Client Security definitions.

■ Managing Symantec Client Security servers and clients.

■ Managing content licensing, if you use a content license rather than a site license for your computers.

See the Content Licensing chapter in the Symantec Client Security Installation Guide.

In addition to the Symantec System Center, you can also use Grc.dat configuration files to configure Symantec Client Security clients. You can use configuration files if you want to use a third-party tool to remotely configure your network.

The following information about the Symantec System Center is not included in this guide:

■ Information about the configuration and use of reporting functionality is in the Reporting User's Guide.

■ Information about the configuration and use of endpoint compliance functionality is in the Endpoint Compliance Implementation Guide.

Symantec System Center console icons

When the Symantec System Center runs, it displays a system hierarchy of server groups, client groups, and the servers that the icons represent. The icons appear in an expandable hierarchy in the Symantec System Center console.

The Symantec System Center uses icons to represent the different states of computers that are running Symantec managed products. For example, if the server group icon in the server group view appears with a padlock icon, the server group must be unlocked with its password before you can configure or run scans for the computers in the server group.

Table 1-1 describes the Symantec System Center icons.

Table 1-1 Symantec System Center icons

Icon descriptions

Highest level object representing the system hierarchy, which contains all server groups.

Unlocked server group or client group. Compare this icon to the locked server group icon. For security reasons, all server groups default to locked when you start the Symantec System Center.

Locked server group. You must enter a password before you can view the computers in the server group to configure and run updates and scans.

An issue needs to be resolved in this server group. For example, there may not be a primary management server that is assigned to the server group or a server may have detected a virus or security risk.


A security risk, such as adware or spyware, was detected on a computer in this server group.

Note: If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.

Symantec Client Security server running on a supported computer. Compare this icon to the next one, which is the primary management server for the server group.

Symantec Client Security primary management server running on a supported computer.

Unavailable Symantec Client Security server. This icon appears when communication is severed between the Symantec Client Security server and the Symantec System Center console. The communication error may result from one of several different causes. For example, the server system is not running; the Symantec software has been removed; the server, client, and Symantec System Center system times are out of sync; or there could be a network failure between the console and the system.

A virus was detected on the computer that is running Symantec Client Security server.

A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security server.

If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.

Symantec Client Security client running on a supported Windows computer. If you use Symantec endpoint compliance, this icon also indicates that this client computer is compliant.

When you select this computer, you view options only on that computer.

A virus was detected on the computer that is running Symantec Client Security client.

Note: Client infection state will not display in the Symantec System Center console unless you enable that option under Tools > SSC Console Options, on the Virus Alert Filter tab.


A security risk, such as adware or spyware, was detected on the computer that is running Symantec Client Security client.

If Symantec Client Security detects both a virus and a security risk on the same computer, the virus icon appears.

An issue needs to be resolved with this client. For example, virus and security risk definitions files may be out of date or the client group to which the client was assigned may be no longer valid.

The status field in the Symantec System Center console indicates the actual problem.

This computer, which runs Symantec Client Security client software, has access to the network, but failed an endpoint compliance audit. You may want to examine why it failed and take action to remediate the problem.

The computer, which runs Symantec Client Security client software, failed an endpoint compliance check.

The computer, which runs Symantec Client Security client software, is not currently connected to the network. This situation could occur because the server, client, and Symantec System Center system times are out of sync.

You must enable a setting for the Symantec System Center console to show when clients are not connected to the network.

Using the Symantec System Center

The system hierarchy in the Symantec System Center console is the top level that contains all server groups and client groups.

Note: The system hierarchy is not populated until you install at least one Symantec Client Security server.

Starting the Symantec System Center

Start the Symantec System Center when you want to manage Symantec Client Security.

To start the Symantec System Center

On the Windows taskbar, click Start > Programs > Symantec System Center Console > Symantec System Center Console.

The Symantec System Center opens to the Default Console View.

Figure 1-1 The Symantec System Center console (callouts: Console tree tab; Top server group level; Contents of object selected in tree appear in right pane; Locked server group; Unlocked server group; Client groups)

Note: Viewing the Symantec System Center console from a terminal session is not supported.

Selecting a primary management server for a server group

If you have not already done so, the first thing that you must do to use Symantec System Center is to assign a primary management server for the server group that you created at the time of installation. You must specify a server in the server group as the primary management server; no server is specified as the primary management server by default. Until you specify a primary management server, you cannot perform most Symantec product management operations.

After promoting a server to primary and installing additional secondary management servers, you should remove and archive the server group private key from the pki\private-keys directory that is located under the Symantec Client Security directory that you selected at the time of installation.

For more information, see the Symantec Client Security Reference Guide.

When you select a server group object in the Symantec System Center console and set options, the settings are saved to the primary management server in the server group. Other servers in the server group also use the new configuration.

Computers that are running any of the following operating systems can be primary management servers:

■ Windows® 2000 Server/Advanced Server/Professional

■ Windows Server™ 2003 Web/Standard/Enterprise/Datacenter Editions

■ Windows® XP Professional

The primary management server plays an important role, so select a stable server that is always running.

To select the primary management server for a server group

◆ Right-click the server that you want to be the primary management server, and then click Make Server A Primary Server.

About console views

Each product management snap-in makes a new product view available within the Symantec System Center console. For example, when you install the Symantec AntiVirus management snap-in, the Symantec AntiVirus view is added, which includes the fields that are related to Symantec Client Security, such as Last Scan and Definitions.

Changing console views

Unless you change the view, the Symantec System Center console displays the Default Console View. The other views available depend upon which managed Symantec Client Security snap-ins you have installed.

To change console views

1. In the left pane, right-click an object, such as System Hierarchy.

2. On the View menu, in the list that appears at the bottom of the menu, click a view.

Saving console settings

When you close the Symantec System Center, you are prompted to save Microsoft® Management Console (MMC) console settings for the Symantec System Center.

This process has no effect on the Symantec Client Security configuration changes that you make when you use the Symantec System Center.

To save console settings

◆ Do one of the following:

■ Click Yes if you want to see the same console view the next time that you launch the Symantec System Center.

■ Click No if you want to see the last saved view the next time you launch the Symantec System Center.

Customizing console view columns

The columns that appear in the right pane change based on the selected view. When System Hierarchy is selected, the Default Console View includes the following data columns:

■ Name

■ Status

■ Primary Server

■ Valid State

Table 1-2 lists the data columns in the Symantec AntiVirus view.

Table 1-2 Data columns in the Symantec AntiVirus view

Level selected in left pane | Data columns that appear in right pane

System hierarchy | Server Group; Status; Definition Sharing; Newest Definitions; Status of Server Updates

Server group | Server; Type; Status; Last Scan; Definitions; Version; Scan Engine; Address; Status of Client Updates

Groups (for client groups) | Group Name; Configuration Change Date; Number of Clients

Client group or server | Client; User, including the domain that authenticated the user; Status; Last Scan; Definitions; Version; Scan Engine; Address; Group; Server

Table 1-3 lists the data columns in the Symantec Client Firewall view.

Table 1-3 Data columns in the Symantec Client Firewall view

Level selected in left pane | Data columns that appear in right pane

System hierarchy | Server Group; Status

Server group | Server; Type; Status; Version; Server Policy File; Server Policy Rollout Time; Client Policy File; Client Policy Rollout Time; Address

Groups (for client groups) | Group; Client Policy File; Client Policy Rollout Time; Number of clients

Client group or server | Client; User, including the domain that authenticated the user; Status; Version; Policy File; Policy Rollout Time; Address; Group; Server

You can rearrange the order of the columns to better suit your needs.

To customize the columns in a view

1. In the left pane, under Symantec System Center, select an object.

2. On the View menu, in the list that appears at the bottom of the menu, select the view that you want to customize.

3. On the View menu at the top of the Symantec System Center window, click Choose Columns.

4. In the Modify Columns dialog box, use the Add, Remove, Move Up, and Move Down buttons to customize your view as needed, or use Reset to return the settings to the last saved state.

Showing when clients are offline

You can configure the Symantec System Center console to show when computers running Symantec Client Security client software are not currently connected to the network. The icon in the last row of Table 1-1 indicates that the client is offline.

To show when clients are offline

1. On the Tools menu, click SSC Console Options.

2. In the SSC Console Options Properties dialog box, on the Client Display tab, under Client Configuration Options, check Indicate when clients are offline. This option is unchecked by default.

Showing client Auto-Protect status

You can configure the Symantec Client Security client or server icon to appear on the Windows system tray.

The icon shows a client or server's Auto-Protect status as follows:

■ When Auto-Protect is enabled, the icon appears as a full shield. When you right-click the icon, a check mark appears before Enable Auto-Protect.

■ When Auto-Protect is disabled, the icon is covered by a universal no sign (a red circle with a diagonal slash). When you right-click the icon, no check mark appears before Enable Auto-Protect.

Showing client infection state

You can configure the Symantec System Center to display client infection state that is based on client check-in data on the Symantec System Center console. This option is disabled by default.

To show client infection state on the Symantec System Center console

1. On the Tools menu, click SSC Console Options.

2. In the SSC Console Options Properties dialog box, on the Virus Alert Filter tab, check Display the infected state of each client that is based on client check-in data.

3. To configure how long the information displays, use the arrows or type the number of days you want virus infection data to remain on the Symantec System Center console. By default, the console does not display the infections that occurred more than three days ago.

4. To reset the Symantec System Center to display client infection state from the current time forward, check Don’t show virus alerts before:, and then click Set to Current Time.

Note: Use the reporting console for more comprehensive and up-to-date infection status.

For information about the reporting console, see the Reporting User's Guide.

About refreshing the console

At the first startup of a newly installed Symantec System Center console, the console pings the network to find all available computers that run Symantec Client Security server software. As soon as the servers respond, they are added to the console. Connected workstations running a managed Symantec client product are added when their parent management server is selected in the console tree.

If you start the servers that are running a manageable Symantec product while the Symantec System Center is already running, you may need to locate the servers by using the Find Computer feature or by running the Discovery Service so that they appear in the server group view.

See “Using the Find Computer feature” on page 40.

You can also use Discovery to locate network computers on which Symantec Client Security is not installed.

See “About the Discovery Service” on page 32.

About the Discovery Service

The Symantec System Center console runs a single service: the Symantec System Center Discovery Service (Nsctop.exe). This service is responsible for discovering the computers running Symantec Client Security server software that appear in the Symantec System Center console. The Discovery Service also populates the Symantec System Center console with the objects in the hierarchy.

From the Symantec System Center console, you can select any object beneath the console root, and then choose Discovery Service from the Tools menu to perform a new Discovery of servers.

How Discovery works

To discover computers on the network, a computer that runs the Symantec System Center sends several pings to the network. The pings are UDP broadcasts to port 38293. The ping program verifies that the remote computer exists and can accept requests. When Symantec Client Security servers and AMS2 servers that run the Ping Discovery Service (Intel® PDS) hear a ping, they respond with pong packets. Only antivirus servers are discovered by using this ping and pong mechanism. Symantec Client Security finds client information by querying the server for its client information.

Clients ping the server to get the port number that the server's Rtvscan listens on. The client's Rtvscan can then send its keep-alive packet to the parent server's Rtvscan, and communication can begin.

The keep-alive packet contains information such as the following:

■ Date of the computer's virus definitions files

■ When the computer was last infected

■ Firewall version

■ Time-stamp of the firewall policy

■ Whether the firewall is installed and enabled, and whether there was an error importing the last policy sent

■ Whether the firewall policy on the server and client differ

IP pings are sent to the remote computer running Symantec Client Security server software to determine what type of protocol it uses.

The data from the computer that runs Symantec Client Security client software is stored on the computer that runs Symantec Client Security server software that is the client's parent management server.

The Symantec System Center console reads each parent management server's registry to get the data that it displays in the console.

Following the completion of this process, Normal Discovery runs.

Types of Discovery

Symantec System Center uses the following types of Discovery:

■ Load from cache only (with or without using IP Discovery)

■ Local Discovery (with or without using IP Discovery)

■ Intense Discovery (with or without using IP Discovery)

■ Normal Discovery (not user-initiated)

Table 1-4 describes the types of Discovery that Symantec Client Security uses.

Table 1-4 Discovery types

Type: Load from cache only

What follows: Normal Discovery

Description: Load from cache only offers the most basic type of Discovery. It tries to refresh all of the servers for which the Symantec System Center console address cache contains information. Each server is then sent a series of pings to see if the server checks back in, and to refresh information on the console.

Load from cache only reduces traffic on the network when you launch the Symantec System Center. In most cases, you may find that choosing Load from cache only finds all of the servers that you need to add to the Symantec System Center console.

Type: Local Discovery (default)

What follows: Load from cache only; Normal Discovery

Description: In Local Discovery, a ping packet is broadcast over the local subnet of the computer that runs the Symantec System Center console. Intel PDS services that run on servers on the local subnet reply with pong data.

Local Discovery generates less ping noise, but is limited to the local subnet. Local Discovery works very well on small subnets. In very large subnets, you might obtain better results by using Intense Discovery.

Type: Intense Discovery

What follows: Local Discovery; Load from cache only; Normal Discovery

Description: Intense Discovery walks My Network Places on the local Windows computer and attempts to resolve all computers that it finds into a network address. When it has the network address, it attempts to send ping requests. You can configure whether Intense Discovery walks the NetWare® or Microsoft branches of the network tree, or both.

The ability of Intense Discovery to locate computers is limited by several factors: the availability of a Windows Internet Naming Service (WINS) server or Active Directory®, network subnet and router configuration, DNS configuration, and Microsoft domain and workgroup configuration. Searching by IP address range in most cases is not affected by these factors. For this reason, you may want to use IP Discovery.

Type: Normal Discovery

What follows: Runs automatically after other types of Discovery; not user-initiated.

Description: The Symantec System Center console broadcasts to all servers that are in unlocked server groups. Normal Discovery queries the primary management server of the server group for the list of secondary management servers in its address cache.

The Symantec System Center console address cache stores information for all servers that have ever reported to it. The primary management server address cache contains information for every server within the server group. The address cache includes the names of all secondary management servers and their IP addresses.

The Symantec System Center console compares its own address cache with the address cache sent by the primary management server. When a mismatch is identified, the console pings the associated server. When the pong data returns, it is added to all other servers in the list. In this way, Normal Discovery can identify every server in the server group and attempt to resolve information conflicts between parent management servers.

You can configure Load from cache only, Local Discovery, and Intense Discovery to use IP Discovery by using either an IP address or an IP subnet address range. You may want to use IP Discovery only periodically to discover computers across the network. After the computers are in the address cache, you can then use the Load from cache only method.
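The cache comparison that Table 1-4 describes for Normal Discovery can be modelled as follows. This Python example is added here and is not Symantec code; the cache layout (server name mapped to IP address), the ping callback, and all server names and addresses are constructed assumptions.

```python
def normal_discovery(console_cache, primary_cache, ping):
    """Reconcile two address caches (server name -> IP address string).

    ping(name, candidates) is a caller-supplied probe. It returns the address
    the server answered from (its pong), or None if the server stayed silent.
    Returns (merged_cache, pinged_names, unresolved_names).
    """
    merged, pinged, unresolved = {}, [], []
    for name in sorted(set(console_cache) | set(primary_cache)):
        mine = console_cache.get(name)
        theirs = primary_cache.get(name)
        if mine == theirs:
            # Both caches agree, so no ping is needed for this server.
            merged[name] = mine
            continue
        # Mismatch: the entry is missing on one side or the addresses differ.
        pinged.append(name)
        candidates = [addr for addr in (mine, theirs) if addr]
        pong = ping(name, candidates)
        if pong is None:
            # No pong came back: a stale entry that needs an administrator.
            unresolved.append(name)
        else:
            merged[name] = pong
    return merged, pinged, unresolved


# Constructed sample data (RFC 5737 documentation addresses).
CONSOLE_CACHE = {
    "SRV-A": "192.0.2.10",
    "SRV-B": "192.0.2.20",    # console still holds an old address
    "SRV-OLD": "192.0.2.99",  # decommissioned, unknown to the primary
}
PRIMARY_CACHE = {
    "SRV-A": "192.0.2.10",
    "SRV-B": "192.0.2.21",
    "SRV-C": "192.0.2.30",    # new secondary the console has not seen
}
LIVE_SERVERS = {"SRV-A": "192.0.2.10", "SRV-B": "192.0.2.21", "SRV-C": "192.0.2.30"}


def sample_ping(name, candidates):
    """Stand-in for the ping and pong exchange; answers from LIVE_SERVERS."""
    live = LIVE_SERVERS.get(name)
    return live if live in candidates else None


if __name__ == "__main__":
    merged, pinged, unresolved = normal_discovery(
        CONSOLE_CACHE, PRIMARY_CACHE, sample_ping)
    print("pinged:", pinged)
    print("merged:", merged)
    print("unresolved:", unresolved)
```

Entries that end up unresolved, or whose address changed between caches, are the ones worth checking by hand before trusting the console view.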

Discovery Service requirement for WINS or Active Directory

The Discovery Service requires the use of Windows Internet Naming Service (WINS) or Active Directory name resolution. If you attempt to run the Discovery Service in an environment where WINS or Active Directory is not available, you need to find at least one computer running Symantec Client Security server on your network first. To find the computer, you can use the Find Computer feature or the Importer tool.

See “Using the Find Computer feature” on page 40.

See the Symantec Client Security Reference Guide for information about the Importer tool.

NetWare computers and the Discovery Service

The Discovery Service may not find NetWare computers that are running IP only. To find the computers that are not located by the Discovery Service, you can use the Find Computer feature.

See “Using the Find Computer feature” on page 40.

Running the Discovery Service

You initiate all types of Discovery in the Symantec System Center console.

Note: The Discovery Service uses WINS or Active Directory when it browses for new computers that run Symantec Client Security. If you are trying to discover new computers in an environment in which WINS or Active Directory is unavailable, you may want to run the Find Computer feature or the Importer tool first.

See “Using the Find Computer feature” on page 40.

See the Symantec Client Security Reference Guide for information about the Importer tool.

Configuring the Discovery Service to use IP addresses

You can run the Discovery Service and find servers with or without including IP addresses and subnets.

To configure the Discovery Service to use IP addresses

1. In the left pane, select any object below the console root.

2. On the Tools menu, click Discovery Service.

3. In the Discovery Service Properties window, on the Advanced tab, check Enable IP Discovery.

Once Enable IP Discovery is checked, an IP Discovery session runs whenever you run an Intense Discovery. To run any type of Discovery without also running IP Discovery, uncheck Enable IP Discovery.

You can also access IP Discovery functionality in the Find Computer dialog box.

4. In the Scan Type list, select one of the following:

■ IP Address: The console pings every computer in the range of IP addresses.

■ IP Subnet: The console broadcasts to each subnet.

5. In the Beginning of range and End of range boxes, type the addresses.

6. If you clicked IP Subnet, type the subnet mask to refine the search.

IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results are displayed in the Symantec System Center console status bar.
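The two Scan Type choices in step 4 generate very different traffic for the same range. The following Python example is added here and is not Symantec code; it assumes that the console derives subnets by applying the typed subnet mask to the range, and the addresses are constructed sample values.

```python
import ipaddress


def _parse_range(begin, end):
    """Validate the Beginning of range and End of range values."""
    lo, hi = ipaddress.IPv4Address(begin), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("Beginning of range is above End of range")
    return lo, hi


def address_scan_targets(begin, end):
    """IP Address scan type: one unicast ping per address in the range."""
    lo, hi = _parse_range(begin, end)
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]


def subnet_scan_targets(begin, end, mask):
    """IP Subnet scan type: one broadcast per subnet that the range touches.

    Assumption: each subnet is found by applying the mask to the range, and
    the broadcast goes to that subnet's broadcast address.
    """
    lo, hi = _parse_range(begin, end)
    # strict=False lets a host address plus mask resolve to its network.
    net = ipaddress.IPv4Network(f"{lo}/{mask}", strict=False)
    targets = []
    while net.network_address <= hi:
        targets.append(net.broadcast_address)
        following = int(net.broadcast_address) + 1
        if following > 0xFFFFFFFF:
            break  # reached the end of the IPv4 address space
        net = ipaddress.IPv4Network((following, net.prefixlen))
    return targets


def compare_scan_types(begin, end, mask):
    """Summarise how many packets each scan type sends for one range."""
    broadcasts = subnet_scan_targets(begin, end, mask)
    return {
        "ip_address_pings": len(address_scan_targets(begin, end)),
        "ip_subnet_broadcasts": len(broadcasts),
        "broadcast_addresses": [str(addr) for addr in broadcasts],
    }


if __name__ == "__main__":
    # Constructed sample range that spans four /24 subnets.
    summary = compare_scan_types("10.1.0.250", "10.1.3.5", "255.255.255.0")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Routers commonly do not forward directed broadcasts by default, so an IP Subnet scan of a remote subnet can come back empty where an IP Address scan of the same range still reaches the servers.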

Configuring the Discovery Service

You can configure and run three types of Discovery.

To configure the Discovery Service

1. In the Symantec System Center console, on the Tools menu, click Discovery Service.

2. If you want to run Discovery using IP addresses, configure the settings on the Advanced tab.

See “To configure the Discovery Service to use IP addresses” on page 36.

3. In the Discovery Service Properties window, on the General tab, select one of the following options:

■ Load from cache only: This is the quickest method. The Symantec System Center reads the list of servers and clients stored in the local cache.

■ Local Discovery: Broadcasts to the Symantec System Center console's local subnet. Servers respond immediately with information about themselves and their clients. Each server's server group appears in the console unless you have filtered the view by using the View menu. Load from cache only runs as well.

■ Intense Discovery: This is the most thorough method. If you have a large network, the Discovery process may take a long time. The Symantec System Center serially pings every server in the Network Neighborhood. Server names appear in the message area of the Symantec System Center console as they are found during the Discovery process. Intense Discovery also performs the same local subnet broadcast as Local Discovery. Load from cache only and Local Discovery run as well.

See Table 1-4 on page 33.

4. Under Discovery Cycle, select the interval in minutes, if necessary.

5. If you plan to run Intense Discovery, under Intense Discovery Properties, specify the number of Intense Discovery threads, between 2 and 50. Each Discovery thread is an independent search for servers and clients. To maintain the most up-to-date Discovery information, select a lower Discovery interval and a higher number of Discovery threads.

6. If you want to clear all server and client information out of the active memory and address cache, and immediately run Discovery based on the current Discovery settings, under Cache Information, click Clear Cache Now. When you clear the cache, unlocked server groups are locked.

7. Do one of the following:

■ Click OK to save your changes.

■ If you want to immediately run Discovery, click Run Discovery Now, and then click Close.

Only one Discovery can run at a time.

Rebuilding a list of servers on a large network during Discovery may take a long time.

Configuring the Discovery Cycle interval

You can configure the Discovery Cycle time-out interval. By default, the interval is set to 480 minutes (every 8 hours), but you can set the time-out to any value from 1 to 1440 minutes between Discovery attempts.

A new Discovery is skipped if the last Discovery is still running. For example, if you have Discovery set to run once a minute, and Discovery takes 20 minutes, 19 Discovery attempts are skipped.

Note: Increasing the Discovery Cycle interval can result in a display of outdated information in the Symantec System Center console.

To change the Discovery Cycle interval

1. On the Tools menu, click Discovery Service.

2. Change the Interval in minutes setting as necessary.

Using the Find Computer feature

If you want to find a server quickly without having to expand and browse through the tree, you can use the Find Computer feature. You can search using TCP/IP addresses or computer names.

The Find Computer feature is also useful if you install a server and then do not see it in the tree view when you expand a server group or server, which may occur for the following reasons:

■ The Symantec System Center may not automatically discover servers on LAN segments that are separated by routers.

■ Servers may not be visible in the Network Neighborhood. For example, Windows Internet Naming Service (WINS) servers or Active Directory may not be replicated across network segments.

If you cannot locate some servers on your LAN, you can locate them manually by using the Find Computer feature in the Symantec System Center console. After you use the Find Computer feature to locate a server, you can manage it from the Symantec System Center console.

Finding computers using a local cache search

Rather than search the entire network for computers, you can restrict the search to those known to be stored already in the local cache.

To find computers using a local cache search

1. On the Tools menu, click Find Computer.

2. In the Find Computer window, on the Local Search tab, type the network name of the server that you want to find.

3. Under Match Type, select one of the following:

■ Partial: Searches for a server name that is a partial match.

■ Exact: Searches for a server name that is an exact match.

If you leave the Search For text box empty, and then specify Partial as the match type, all computers in the local cache appear when you run the search.

4. Click Find Now.

Finding computers using a network search

You can use a network search to find individual computers running the Symantec Client Security server software.

The Symantec System Center console contains the following Find Computer options that search the network:

■ Network Discovery: Finds computers that run the Symantec Client Security server software by computer name or address.

■ Scan Network: Finds the computers that run the Symantec Client Security server software by using an IP address or subnet range.

■ Audit Network: This broad network search allows you to not only locate the computers, but also to determine the protection that is available on them, including whether other antivirus software is installed, and to configure a number of search settings. This option takes the most time and resources.

See “To run a network audit” on page 45.

To find computers using an address type

1. On the Tools menu, click Find Computer.

2. In the Find Computer window, on the Network Discovery tab, specify whether you want to use a computer name or an IP address as the search criterion.

3. Type the server address or computer name.

4. Click Find Now.

To find computers using an IP address range

1. On the Tools menu, click Find Computer.

2. In the Find Computer window, on the Scan Network tab, select one of the following:

■ IP Subnet: Sends out a broadcast to each subnet.

■ IP Address: Pings every computer in the range of IP addresses.

3. Type the addresses for Beginning of range and End of range.

4. If you clicked IP Subnet in step 2, type the subnet mask to refine the search.

5. Click Find Now.

IP Address search results appear in the lower portion of the Find Computer dialog box. IP Subnet search results appear in the Symantec System Center console status bar.

Locating found items in the Symantec System Center console

You can use an item in a Find Computer list to locate the same item in the Symantec System Center console tree. This list can be particularly useful if you have a very large number of computers in your network. To match an item, the server group to which the item belongs must be unlocked.

To locate found items in the Symantec System Center console

1. On the Tools menu, click Find Computer.

2. In the Find Computer window, select the wanted computer.

3. Click Sync Item.

The Symantec System Center console tree view moves to the selected item, which is then highlighted in the right pane.

4. Click Save if you want to save the search results as a comma-delimited file.

Using the Refresh feature

In the Symantec System Center console, you can refresh the information in the console at the system hierarchy, server group, or server level to validate active communication with the list of currently displayed servers. If the refresh determines that a server that previously appeared in the server group view is no longer communicating, the unavailable server icon appears.

Note: The Refresh feature does not find the servers or the server groups that may have been added since the current session of the Symantec System Center started.

To use the Refresh feature

◆ In the left pane, right-click the system hierarchy, unlocked server group, server, or client group, and then click Refresh.

Auditing computers

Computers on your network that do not have Symantec Client Security running leave holes open in your network security.

You can run a network audit of remote computers to determine the following:

■ Whether a Symantec Client Security component is installed and running.

■ The type of protection that is installed, such as Symantec Client Security server, client, or unmanaged client software.

■ Whether antivirus software from other vendors or from Symantec (such as a Norton AntiVirus consumer version), including the type and version of that software, is installed on the computer.

You must be able to log in as Administrator to the remote computers that you audit.

Note: Because Symantec Client Security now uses secure communications over SSL, server and server group information for the clients that run the current version of Symantec Client Security does not appear after a network audit. If a firewall is running on the remote computer, the network audit may not be able to gather information.

To run a network audit

1. On the Tools menu, click Find Computer.

2. In the Find Computer window, on the Audit Network tab, type the beginning and end of the IP address range that you want to search.

3. Click Options to set custom network audit options. For example, if you want to find the remote computers that have unmanaged Symantec Client Security client software installed, you can enable the related option.

4. In the Audit Network Options dialog box, set the number of audit threads to use to a value between 2 and 50.

A higher number yields faster results but requires more network resources.

5. Under Ping Options, set the following options:

■ The time-out period in milliseconds for Symantec PDS and Windows ICMP pings.

■ Whether the search should continue even if an ICMP ping fails. This option is useful if you know that a firewall is set up with a rule to block an ICMP ping, because you can still audit the network for the computers that run Symantec Client Security.

6. Under Symantec AntiVirus IP ports, configure the search to ping up to four Symantec AntiVirus IP ports. To support legacy and current clients, both UDP and TCP ports are pinged.

Port 1 defaults to 2967, which is the default port number of Rtvscan, the main Symantec Client Security service.

7. Under Display Options, specify whether you want to display the following:

■ Previously labeled machines.

■ Parent management servers that are discovered through clients even if they are outside the IP address range.

8. Under Search Options, set the following options:

■ Whether to look for the computers that run unmanaged Symantec Client Security client software, and offline servers and clients. This option requires you to specify valid administrator account information, such as a user name and password.

■ Whether to look for the computers that run other vendors' antivirus software. This option requires that you know valid administrator account information, such as a user name and password.

■ Whether or not always to use name resolution.

See “Setting administrator account options” on page 48.

9. Click OK.

10. Click Find Now to run the audit.

You can see the audit progress at the bottom of the Find Computer dialog box.

When the audit completes, the following types of information appear:

■ Machine: The name of the remote computer.

■ Server Group: The name of the server group to which the remote computer belongs.

■ Server: The name of the server that controls the remote computer.

■ Type: The server or client type. Login errors are also reported in this column.

■ Version: The version of the antivirus product running on the computer.

■ Address: The IP address of the computer.

■ User: The user name that is associated with the computer, including the domain that authenticated the user.

Syncing found computers to locate them

After the status of the computers in your audit search is identified, you can locate selected computers by syncing to them.

To sync found computers

1. In the Find Computer dialog box, select a computer, and then click Sync Item to locate the selected computer that runs Symantec Client Security client software.

2. If the computer is in a locked server group, type the user name and password of the server group to which the computer belongs.

Setting administrator account options

When you run a network audit, if you select the following options in the Audit Network Options dialog box, you are required to specify administrator account information:

■ Look for unmanaged clients, offline servers, and offline clients.

■ Look for other AntiVirus software.

Figure 1-2 Remote Administrator Account dialog box

To set administrator account options

1. In the Remote Administrator Account dialog box, do one of the following:

■ Type the name of the domain that contains the computers that you want to find, followed by valid domain administrator account information.

■ Check Use local accounts to access a specific computer, and then type the Admin user name and password.

2. Click OK.

Labeling found items and rerunning the audit

You can label the items that an audit finds. It may be useful to label items such as the following:

■ The computers that cannot be located or to which a connection cannot be made.

■ Routers and network drives.

■ Computers that do not have Symantec Client Security software installed.

To label a found item and rerun the audit

1. In the Find Computer dialog box, in the Machine column, right-click an item, and then click Label.

2. In the Edit description for dialog box, type a new label for the item.

3. Click OK.

4. Right-click the item again, and then click Audit again.

Configuring login certificates

Clients and servers use a temporary login certificate to authenticate Symantec System Center users. Because the user's login certificate is chained through the primary management server's login CA certificate back to the Server Group root certificate, the client or server knows that the user is authorized to manage the server group.

When servers and clients receive a user's request for configuration changes, they authenticate the user. If authentication succeeds, the clients compare their system clocks to the certificate's time-stamp. If they verify that the user's temporary login certificate has not expired, they accept the user's configuration changes. For more information about certificates and their use in Symantec Client Security, see the Symantec Client Security Reference Guide.

The login certificate is time-limited for security purposes, but is valid across all time zones. If a specific user account is deleted in the Symantec System Center, the temporary login certificate that is associated with that user cannot be renewed after it expires, regardless of the time zone. If the login certificate expires after the user authenticates to a server or client, the user is automatically issued another valid login certificate.

You can use the Symantec System Center to configure the login certificate lifetime. Login certificates are time-stamped, and by default, expire 24 hours after being issued. You can configure a shorter lifetime to increase the level of network security, but this configuration also increases processing overhead.

Warning: Unsynchronized computer system clocks in a server group can prohibit servers and clients from authenticating a user's login certificate because of the time difference. Synchronize your computer system clocks to prevent this situation from occurring.

For example, suppose that a user has a temporary login certificate that contains a primary management server's time-stamp and is valid for 30 minutes. If that user attempts to authenticate to a client that has a clock setting that is set 45 minutes ahead of the primary management server, then when the client receives the login certificate, it believes that the login certificate expired 15 minutes ago based on its system clock setting, and does not permit configuration changes by that user.

Because login certificates are issued by the primary management server in a server group, you can configure login certificate settings only at the server group level.

Configuring login certificate lifetime and time tolerance

If you do not use some method that automatically synchronizes system clocks in your network, be sure that the time periods that you configure are sufficient to cover any likely time discrepancies between your primary management servers, and the clients and secondary management servers that are managed by the primary management servers.

When you configure the login certificate settings, Symantec System Center automatically compensates for time zone differences.
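The clock-skew case described above, and the advice on sizing lifetime and tolerance, worked through as an added example (not Symantec's code). It assumes that the tolerance widens the validity window at both ends and that a certificate time-stamped in a client's future is rejected; the host names and clock offsets are constructed.

```python
from datetime import datetime, timedelta, timezone


def check_certificate(issued_at, lifetime, tolerance, client_now):
    """Decide validity against the client's own clock.

    Assumption: tolerance widens the validity window at both ends.
    Returns (accepted, reason, margin); margin is time left when accepted,
    otherwise how far outside the window the client's clock is.
    """
    not_before = issued_at - tolerance
    not_after = issued_at + lifetime + tolerance
    if client_now < not_before:
        return False, "not yet valid", not_before - client_now
    if client_now > not_after:
        return False, "expired", client_now - not_after
    return True, "valid", not_after - client_now


def audit_fleet(offsets, lifetime, tolerance, issued_at):
    """Hosts that reject a certificate presented at the moment of issue."""
    rejected = {}
    for host, offset in sorted(offsets.items()):
        # The client's clock reads server time plus its offset.
        ok, reason, margin = check_certificate(
            issued_at, lifetime, tolerance, issued_at + offset)
        if not ok:
            rejected[host] = (reason, margin)
    return rejected


def required_tolerance(offsets):
    """Smallest tolerance that keeps a certificate usable on every host for
    its whole lifetime: the largest absolute clock offset in the group."""
    return max((abs(o) for o in offsets.values()), default=timedelta(0))


# Constructed sample data: UTC issue time and measured clock offsets
# (client clock minus primary management server clock).
ISSUED = datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)
FLEET = {
    "client-a": timedelta(minutes=45),   # the 45-minutes-ahead case
    "client-b": timedelta(minutes=-10),  # clock running behind
    "server-2": timedelta(seconds=20),
}

if __name__ == "__main__":
    for tol in (timedelta(0), required_tolerance(FLEET)):
        print(tol, audit_fleet(FLEET, timedelta(minutes=30), tol, ISSUED))
```

Under these assumptions, a tolerance sized to the worst offset also keeps a certificate acceptable for that long past its nominal expiry on hosts whose clocks are correct, which is why synchronizing clocks is preferable to widening the tolerance.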
