McAfee® Host Intrusion Prevention 6.1 Product Guide

Frequently Asked Questions

What happens to the nodes of the Directory under a node where I assigned a new policy?

All nodes with inheritance enabled for the specific policy category inherit the policy applied to a parent node.

How are the nodes to which a policy is applied affected when the policy is modified?

All nodes to which a policy is applied receive any modification made to the policy at the next agent-server communication or when an agent wake-up call is run. The policy is then enforced at each policy enforcement interval.

Why isn’t the new Host Intrusion Prevention policy I assigned being enforced?

New policy assignments are not enforced until the next agent-server communication, or until an agent wake-up call is run, after the assignment has been made. Also, if the client UI is unlocked with a password, no new policy assignments are enforced.

Can I delegate administration of IPS and firewall policies to different administrators in different geographic locations?

Yes. Host Intrusion Prevention enables you to delegate responsibility for all or individual product features such as IPS or Firewall. Finer granularity of roles within the feature, for example, client management and exception creation, is not supported.

Assign user rights at the site level, one level below the root directory, and the rights are inherited by all nodes under that site. Explicit user permission on nodes below the site level is not supported. To delegate administration by geographic location, designate a geographic location at a site node, and then apply the appropriate user rights.

Can I apply the same security configuration to different systems?

The console tree organizes nodes hierarchically. You assign policies at nodes, so the site-level nodes typically denote profile-based groupings, such as All Servers, All Desktops, IIS Servers, or SQL Servers. This group pattern can be replicated under each site node.

ePolicy Orchestrator enables the creation of policies that are independent of any node, yet shareable across all nodes. When you assign a policy to a node, it is automatically inherited by its children, unless overridden by another policy. You can create a policy matching each profile, such as IIS Server Policy, and apply it to each of the corresponding node groups, such as IIS Servers.

Place a computer with a new Host Intrusion Prevention client in the appropriate profile group to be assigned the correct security policies. If this is not possible, you can set the policy for an individual client by modifying the policies at the individual node level. Most inherited policies can be overridden, unless a policy has forced inheritance assigned.
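As an added illustration (not McAfee or ePolicy Orchestrator code), the Python model below applies the inheritance rules described above so that an administrator can audit which policy a node effectively receives and which node-level overrides are ignored. The `Node` class, the `effective_policy` function, the tree and the policy and category names are hypothetical, and it assumes that an assignment with forced inheritance blocks every override beneath it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Node:
    """One node of the console tree (site, group or computer)."""
    name: str
    parent: Optional["Node"] = None
    # category -> (policy name, forced-inheritance flag); direct assignments only
    assigned: Dict[str, Tuple[str, bool]] = field(default_factory=dict)

    def child(self, name):
        return Node(name, parent=self)

    def assign(self, category, policy, forced=False):
        self.assigned[category] = (policy, forced)

def effective_policy(node, category):
    """Return (policy, node it was assigned at, blocked overrides) for one category."""
    path, cur = [], node
    while cur is not None:          # collect the chain node -> root
        path.append(cur)
        cur = cur.parent
    policy = source = None
    locked, blocked = False, []
    for n in reversed(path):        # walk root -> node
        if category not in n.assigned:
            continue                # nothing assigned here: parent's policy is inherited
        name, forced = n.assigned[category]
        if locked:                  # assumption: forced inheritance above wins
            blocked.append((n.name, name))
            continue
        policy, source, locked = name, n.name, forced
    return policy, source, blocked

def build_sample_tree():
    """Constructed tree; node, policy and category names are sample values."""
    root = Node("Directory")
    site = root.child("Site-A")
    iis, desktops = site.child("IIS Servers"), site.child("All Desktops")
    web01, web02, pc7 = iis.child("web01"), iis.child("web02"), desktops.child("pc7")
    site.assign("Firewall", "Site Firewall Policy", forced=True)
    iis.assign("IPS", "IIS Server Policy")
    web02.assign("IPS", "web02 Exception Policy")   # node-level override
    pc7.assign("Firewall", "Lab Firewall Policy")   # blocked by forced inheritance
    return {n.name: n for n in (root, site, iis, desktops, web01, web02, pc7)}

if __name__ == "__main__":
    tree = build_sample_tree()
    for host in ("web01", "web02", "pc7"):
        for category in ("IPS", "Firewall"):
            print(host, category, effective_policy(tree[host], category))
```

A non-empty third element in the result marks a node whose own assignment is not taking effect, which is worth reviewing when a client does not behave as its node-level policy suggests.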

If the ePolicy Orchestrator tree nodes have already been organized to support products whose organization does not suit Host Intrusion Prevention, it may be difficult to reorganize the tree. Because reorganization might break existing policy assignments, knowledge of and permissions over all applicable products are required.
