Audit-On-Schedule

This option is available only if the server can access a Policy File Library.

7.If you want the policy to be available to use in audits, check the Make this policy active box.

Clear the check box to make the policy unavailable to use in audits without deleting the policy.

8.If you want to policy to be available to use in self-service audits, check the Available for use in self-service audits box.

9.For Audit-On-Connect include the Link Type, Device Type, Posture Condition, Pass Results Valid For and Fail Results Valid For settings.

10.Set Windows Group Access. Enter Windows groups, separated by a comma, that can use this policy, remediate audit results generated using this policy, and view audit results for it. This establishes which users can access this policy and its audit results due to their role. If a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.

In the Use Policy field, enter the Windows groups who should be able to modify the policy.

In the Remediate field, enter the Windows groups who should be able to remediate audit results generated using this policy.

In the View Audit Results field, enter the Windows groups who should be able to view results from audits using the policy.

To grant all users access, type Everyone. To restrict all users, type None.

11.Click Update to revise the Policy settings in the database.

Any Audit-on-Connect or Audit-on-Schedule audits that are already based on this policy use the new policy settings the next time they run.

Deleting Policies

Click the Delete hyperlink for the policy that you want to remove. When you delete a policy, you remove it from the database. A warning appears to remind you that you are about to delete a record from the database. Cancel the action or delete the record.

Configuring with Run-Time Policy Variables

Some policy files, such as the NSA Guidelines for Windows XP and Windows 2000, contain a special rule named .CONFIGURE. The .CONFIGURE rule allows you to configure your policy files and set global parameters for policy files at run time.

Certain information is unique and distinct between systems or groups of systems. A run-time policy variable allows administrators to use a single policy file but allows identification of unique rules that requires variable information. When a policy file uses a variable, your organization can use one policy file for multiple conditions where variables differ between departments or Machine Lists. For example, a variable might rename administrator accounts, change the members of an administrator account, or define the groups to which certain policies apply.

To understand the run-time policy variable, note the following settings in the NSA Guidelines for Windows XP and Windows 2000:

1.The name for the new rule must be .CONFIGURE.

2.The check type can be blank, or you can type CONFIGURE.

59

Page 67
Image 67
Symantec Security Expressions Server manual Deleting Policies