2.0 Types of Security Policies

There are nine security policies that control a range of security-related functionality for Windows workstation devices. You can use all or some of the policies, depending on your organization’s needs.

Policy: Purpose

Application Control: Blocks execution of applications or denies Internet access to applications. You specify the applications that are blocked or denied Internet access.

Communication Hardware: Disables the following communication hardware: 1394-Firewire, IrDA-Infrared, Bluetooth, serial/parallel, dialup, wired, and wireless. Each hardware type is configured individually, which means that you can disable some hardware types (for example, Bluetooth and dialup) while leaving others enabled.

Data Encryption: Enables data encryption of files on removable storage devices.

Firewall: Controls network connectivity by disabling ports, protocols, and network addresses (IP and MAC).

Microsoft Data Encryption: Controls data encryption of files on removable disk drives using Microsoft BitLocker encryption.

Scripting: Runs a script (JScript or VBScript) on a device. You can specify the triggers that cause the script to run. Triggers can be based on Endpoint Security Agent actions, location changes, or time intervals.

Storage Device Control: Controls access to CD/DVD drives, floppy drives, and removable storage drives. Each storage device type is configured individually, which means that you can disable some and enable others.

USB Connectivity: Controls access to USB devices such as removable storage devices, printers, and input devices (keyboards, mice, and so on). You can specify individual devices or groups of devices. For example, you can disable access to a specific printer and enable access to all SanDisk USB devices.

VPN Enforcement: Enforces a VPN connection based on the device’s location. For example, if the device’s location is unknown, you can force a VPN connection through which all Internet traffic is routed.

Wi-Fi: Disables wireless adapters, blocks wireless connections, controls connections to wireless access points, and so forth.

In addition to the above security policies, the following security policies help protect and configure the ZENworks Endpoint Security Agent. The Endpoint Security Agent enforces security policies on a workstation device.

Policy: Purpose

Security Settings: Protects the Endpoint Security Agent from being tampered with and uninstalled.

This policy is not used with ZENworks 11 SP2 Endpoint Security Agents. The ZENworks 11 SP2 Endpoint Security Agent’s security settings are not applied as a policy; instead, they are applied as ZENworks Agent settings (ZENworks Control Center > Configuration > Management Zone Settings > Device Management > ZENworks Agent).

This policy is retained in ZENworks 11 SP2 to provide support for devices that are still running the ZENworks 11 or ZENworks 11 SP1 Endpoint Security Agent. Those versions of the agent continue to use the Security Settings policy.

Location Assignment: Provides a list of predefined locations for the Endpoint Security Agent. ZENworks Endpoint Security Management lets you associate different security policies with different locations. For example, you might have an Office location and a Remote Office location; you also have a default Unknown location. The Endpoint Security Agent evaluates its current network environment to see if it matches any of the locations included in the Location Assignment policy. If so, the security policies associated with the matched location are applied. If not, the security policies associated with the Unknown location are applied.