Comodo Help
Find the desired product help
Comodo Endpoint Security Manager

Comodo Endpoint Security Manager

Administrator Guide v 2.1

English

Print Help Download Help
The Administrative Console > The Policies Area
  • Introduction To Endpoint Security Manager – SME
    • Software Components And System Requirements
    • Removing Incompatible Products
    • Installing And Configuring The Service
    • Key Concepts
    • Best Practices
    • Quick Start Guide
  • The Administrative Console
    • Logging-in To The Administrative Console
    • The Dashboard Area
      • Adding And Re-configuring Tiles
      • Quick Actions Tiles
      • Policy Status Tile
      • Endpoint Updates Tile
      • Endpoint Infections Tile
      • Connectivity Tile
      • Getting Started Tile
      • System Status Tile
      • License Status Tile
      • Software Tile
    • The Computers Area
      • Adding Endpoint Computers To ESM
        • Importing Computers By Automatic Installation Of Agent
        • Adding Computers By Manual Installation Of Agent And CIS
        • Updating Comodo Software On Managed Computers
      • Creating Endpoint Groups
      • Viewing Endpoints
      • Updating Endpoints
    • The Policies Area
      • Viewing Policies
      • Creating A New Policy
    • The Reports Area
      • Reports Gallery
        • Computer Details Report
        • CIS Configuration Report
        • Computer Infections Report
        • Quarantined Items Report
        • Antivirus Updates Report
        • CIS Log Report
        • Policy Compliance Report
        • Policy Delta Report
        • Malware Statistics Report
        • Top Ten Malware Report
      • Report Explorer
      • Report Settings
    • About
    • Logging Out Of ESM Console
  • How To... Tutorials
    • How To Connect CIS To CESM At The Local Endpoint
    • How To Configure CIS Policies - An Introduction
    • How To Set Up External Access From The Internet
    • How To Install CIS
  • Appendix 1 - The Service Configuration Tool
    • Start And Stop The ESM Service
    • Main Settings
    • Server Certificate
    • Internet And Mail Settings
    • Caching Proxy Settings
    • Viewing Database Event Log
  • About Comodo

 

The Policies Area

 

A policy is the security configuration of Comodo Internet Security (CIS) deployed on an endpoint or a group of endpoints. Each policy determines the antivirus settings, Internet access rights, firewall traffic filtering rules, sandbox configuration and Defense+ application control settings for an endpoint.

 

The 'Policies' area allows administrators to import and manage security polices for endpoint machines and consists of two tiles:

 


  • View All Policies – Allows administrators to view, add, reconfigure and export ESM polices

  • Create Policy – A step-by-step wizard that takes admins through the policy import, specification and deployment process

Before proceeding with creating a policy, read the 'Key Concepts' section below to gain a baseline understanding first.

 

Policies - Key concepts

  • Policies are security settings for the installed components of CIS configured and tested on a local machines via the standard CIS interface.

  • Policies can be imported from an endpoint into the ESM console then applied to target computers or groups of computers. The machine chosen for this purpose can be considered a template of sorts for other equivalently configured machines in the organization (i.e. having the same hardware/software – a computer used to image other endpoints in the organization is ideal for this purpose). This allows admins to create a 'model' configuration on one machine that can be rolled out to other computers.

Policies can also be created by:

    • Importing CIS configuration from a previously saved .xml file or image.

    • Importing an existing policy to use as the starting point for a new policy.

  • Policies can be named according to criteria deemed suitable by the administrator. For example, policies based on security levels could be named 'Highly Secure', 'Medium Security' and 'Low Security'.

  • At the administrator's discretion, a policy can cover settings for all or only some of the three CIS components that may be installed on an endpoint:- Antivirus, Firewall, and Defense + settings. A policy which excludes settings for one of the CIS components installed on the endpoint receiving policy is considered as locally configured (see below) for the settings of that component.

  • The ESM agent installed at each endpoint is responsible for connecting the target machine to the respective ESM server and the remote management of the CIS installation. Only the agent applies the security policy settings to different components of the CIS application and checks whether the application is compliant to policy.

  • Each endpoint has two types of policy assigned to it: directly, or via the group that an endpoint is a member, 'Local Policy' and 'Internet Policy':

    • A 'local policy' which describes the CIS security settings that will apply when the endpoint is within the local network.

    • An 'Internet policy' which is automatically applied when the endpoint connects to ESM from an IP address outside the local network.

  • Policy and CIS Mode are independent of each other. 'CIS Mode' can be either 'Local' or 'Remote' and this determines whether or not ESM will enforce policy compliance on an endpoint:

    • Remote Mode – The policy of an endpoint in remote management mode will be determined by the ESM console. If the endpoint falls out of compliance (because CIS settings have been altered) then the console will automatically re-apply the assigned policy to the endpoint. This is the ideal situation for ongoing management.

      Exception – if the policy is 'Locally Configured' then remote mode have no effect (see below).

    • Local Mode – An endpoint that is locally managed effectively takes the machine 'offline' so ESM will not automatically re-apply assigned policy if an endpoint falls out of compliance. This allows administrators to change a policy at the local machine without having ESM constantly re-apply the 'old' policy in the background. Once policy specification is complete, the admin can return to the console, import the new policy and deploy it to target machines. The source machine can then, optionally, be returned to remote mode.

    • Policy, as mentioned earlier, refers to the actual security configuration of CIS. An endpoint can have any chosen policy and can be in either 'Remote' or 'Local' mode.

  • 'Locally Configured' policy. 'Locally Configured' policy means that CIS settings can be managed by the local user and policy compliance will not be enforced by ESM. Machines or groups with this policy will always report compliance status of 'OK'.  Changes made to the CIS settings on to the machine with 'Locally Configured' policy are dynamically stored in the policy. If a machine is switched back to 'Locally Configured' policy from an applied security policy, the last stored local CIS configuration settings will be restored to it.

Terms and Conditions Privacy Policy

© Comodo Group, Inc. 2013. All rights reserved.