Designing Access Controls

Choose Endpoint Integrity Testing Methods

In this case, your choice of testing methods is limited to ActiveX because the requirements for ActiveX are less stringent. The browser must be configured to allow JavaScript and ActiveX. (If Windows XP endpoints are running a non-SP2 firewall, port 1500 must be opened. By default, the Windows XP SP2 firewall opens port 1500.)

If you have more control over endpoints, you can require users to download and run the NAC EI agent. For the endpoints in a Windows domain, you can supply the admin credentials and use the agentless test method.

Table 3-44 summarizes the requirements for each testing method.

Table 3-44. Testing Method by Control over Endpoints

Agentless
  Admin control needed: High
  Requirements:
  • Admin credentials for each endpoint must be known.
  • File and print sharing must be enabled.
  • RPC service must be enabled.
  • Ports 137, 138, 139, and 445 must be opened on the firewall.

ActiveX
  Admin control needed: Low to medium
  Requirements:
  • Browser security settings must allow JavaScript and ActiveX scripting.
  • Port 1500 may need to be opened manually on the endpoint.*

NAC EI Agent
  Admin control needed: Medium to high
  Requirements:
  • All endpoints must have the agent installed.
  • Port 1500 may need to be opened on the endpoint.*
  • ActiveX controls must be allowed on the endpoint.

* Only on unmanaged endpoints that run Windows XP with non-SP2 firewalls.
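The prerequisites in Table 3-44 can be turned into a readiness check that reports, per endpoint, which testing methods are feasible and what is still missing. This is an added example, not code from the HP guide; the Endpoint attributes and the preference order (agentless, then agent, then ActiveX) are assumptions chosen for illustration.

```python
"""Readiness check for NAC EI endpoint-integrity testing methods.
Added example: encodes the requirements of Table 3-44, including the
footnote rule for port 1500. Endpoint fields are assumed attributes."""
from dataclasses import dataclass, field

AGENTLESS_PORTS = {137, 138, 139, 445}   # must be open on the host firewall


@dataclass
class Endpoint:
    name: str
    managed: bool                  # under administrative control
    admin_creds_known: bool
    file_print_sharing: bool
    rpc_enabled: bool
    open_ports: set = field(default_factory=set)   # inbound ports allowed
    browser_allows_activex_js: bool = False
    agent_installed: bool = False
    windows_xp_pre_sp2_firewall: bool = False


def needs_port_1500(ep):
    # Footnote: port 1500 must be opened manually only on unmanaged
    # Windows XP endpoints running a non-SP2 firewall.
    return not ep.managed and ep.windows_xp_pre_sp2_firewall


def missing_prereqs(ep):
    """Return {method: [unmet requirements]} for each testing method."""
    gaps = {"agentless": [], "activex": [], "agent": []}
    if not ep.admin_creds_known:
        gaps["agentless"].append("admin credentials")
    if not ep.file_print_sharing:
        gaps["agentless"].append("file and print sharing")
    if not ep.rpc_enabled:
        gaps["agentless"].append("RPC service")
    closed = sorted(AGENTLESS_PORTS - ep.open_ports)
    if closed:
        gaps["agentless"].append(f"ports {closed}")
    if not ep.browser_allows_activex_js:
        gaps["activex"].append("JavaScript/ActiveX in browser")
        gaps["agent"].append("ActiveX controls")
    if needs_port_1500(ep) and 1500 not in ep.open_ports:
        gaps["activex"].append("port 1500")
        gaps["agent"].append("port 1500")
    if not ep.agent_installed:
        gaps["agent"].append("NAC EI agent")
    return gaps


def choose_method(ep):
    """First feasible method in the assumed preference order, else None."""
    gaps = missing_prereqs(ep)
    return next((m for m in ("agentless", "agent", "activex") if not gaps[m]), None)
```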

Example. At PCU, network administrators have some influence over staff and faculty endpoints—although perhaps not over the endpoints used for logging in to the VPN—less influence over student endpoints, and none at all over guest wireless endpoints. Some endpoints in the public wired zone are located in public computer labs and owned by the university. The administrators actually have quite a bit of control over these computers. Other endpoints, however, are owned by students and guests.

The network administrators can ask students, faculty, and staff members to download the NAC EI agent. On other endpoints, ActiveX is a more realistic option, although guests might allow the NAC EI agent to install automatically.

Table 3-45. Testing Method by Administrative Control

Factor: Administrative control
  Public Wired: ActiveX; NAC EI agent
  Private Wired: Agentless; NAC EI agent
  Public Wireless: ActiveX; NAC EI agent
  Private Wireless: NAC EI agent; ActiveX
  Remote: ActiveX; NAC EI agent

3-70
