Lumension recognizes the difficulty that organizations have with enforcing security policies in their environment. Common tasks, such as performing a Disk Defragmentation, may be neglected. Security policies, such as requiring users to change passwords every 30 days, may be difficult to enforce across multiple domains, and are even harder to report on.
Lumension provides the System Management Pack, which is a collection of tasks and policies distributed as supported content through the Lumension Patch and Remediation product. With this content, IT administrators can:
- Centrally Manage System Tasks: Automate the scheduling of disk defragmentation
- Enforce Policies: Manage, enforce, and report on policies for account, device control, domain, network, and system policy settings
IT administrators will save time and effort by centrally managing system desktop configuration tasks and policies across the entire network through a single interface, and have confidence that those policies are enforced.
Why use the System Management Pack Content?
- Effectively manage common System Management tasks centrally across an entire distributed network in an automated fashion.
- Enforce policies and provide consistent reports – even across large networks that have thousands of nodes and servers, workstations, and domain controllers.
- Demonstrate compliance to auditors (both internal and external) from the inside out – can manage any node with an agent, regardless of domain.
- Extend system management capabilities by using the Lumension Content Wizard.
Why not use GPOs for System Management?
- Servers may have multiple legacy domains
- There may be computers that aren’t assigned to any domains.
- Servers may experience GPO issues that prevent them from receiving the GPO.
- No Reporting from GPOs.
Can I use Active Directory and the System Management content to manage system policies?
While it is possible to use both Active Directory and System Management content, including System Management content in Mandatory Baselines if policies are also managed through Active Directory is not recommended. If there were any System Management content applied to a node that conflicted with an Active Directory policy, the System Management content would be overridden by Active Directory.
Since there are both Enable and Disable patches available for many System Management policy patches, what happens when both an Enable and Disable for a specific policy are added to a mandatory baseline?
It is recommended that users never add both the Enable and Disable version of the same policy to a mandatory baseline. If both an Enable and Disable version of the same policy are added to a mandatory baseline, the policy that is applied last in the baseline’s deployment order will be the one that is applied. It is also recommended that users never add a Task to a Mandatory Baseline.
When a System Management policy has both an “(Enabled)” and “(Disabled)” patch, which one should I use?
Enabled/Disabled policy patches come in pairs. The titles of these patches can be confusing. It is important to carefully read the patch description for the specific behavior you want to enforce with enable/disable policies. If a patch is labeled as a Disable policy, choosing “(Enabled)” will enforce the disabled function as defined by the policy. Choosing “(Disabled)” will remove or cancel any enforcement of the disabled function. For example: take System Management - Disable Java JRE Plug-In (Firefox) for Windows (Enabled). If you choose this policy, then you are disabling the plug-in for Java JRE. The second patch in the pair will read, System Management - Disable Java JRE Plug-In (Firefox) for Windows (Disabled). This patch will enable the plug-in for Java JRE.
When a System Management policy has both an “(Enabled)” and “(Disabled)” patch, what happens when I deploy the patch using the uninstall option?
For Uninstall policy for SMP patches, Enable and Disable works similarly to each other. Again, it is very important to read carefully the patch description so that a patch is not unintentionally uninstalled. Uninstalling an “(Enabled)” System Management policy will remove or cancel the enforcement of the policy. Uninstalling a “(Disabled)” System Management policy will enforce the policy.
Will I see a deployment error if a System Management policy or task fails to deploy?
Yes, if a policy or task fails to deploy, the user interface will report back a deployment error. This will most likely be a 190c error, possibly with more details in the error message depending on the specific policy or task.
Is System Management content the same as Security Configuration Management (SCM)?
No, System Management content is more similar to other patches distributed through GSS to be used by Lumension Patch & Remediation. The main difference is that when System Management content is deployed, the deployable package is a script that modifies a system policy.
Are you going to have nested suites of conglomerated system variables in a single policy?
Not at this time, but this is possible in the future.
When the Remote Desktop policy is enabled, which user groups are granted access to Remote Desktop usage?
Enabling Remote Desktop at an endpoint does not affect the access privileges on the local machine. The default access would be for local administrators.