OSL150 – Get Hands on with Ivanti Endpoint Security David Murray Rob Kelsall
What is Ivanti Endpoint Security?
• Ivanti Endpoint Security is a single platform that is endpoint security focused, offering best-of-breed solutions for:
  • Patch Management
  • Application Control
  • Device Control
  • AntiVirus
• One suite solution
  • Single, Modular, Extensible Architecture
  • Single Workflow-based Console
  • Asset Discovery and Agent Deployment
  • Installation Manager
  • AD Integration and Synchronization
  • Role-based Access Control
  • Reporting and Notification
Lab Agenda
• Discover endpoints and install agents
• Create custom groups and add endpoints to these groups
• Create AntiVirus policies and scan for malware
• Patch vulnerable applications
• Application Control blocking and Denied Applications
• Install an application with Trusted Updater
• Create a Local Authorization policy
• Protect against memory-based attacks
• Protect data with device control
• Dashboard widgets & reports
Orientation
• Ivanti Endpoint Security Workflow
  • Work from left to right
  • Discover – Assets, Malware
  • Review – Vulnerabilities, Virus Alerts, Discovered Assets, Logs
  • Manage – Endpoints, Groups, Users, Policies, Libraries, Quarantine
  • Reports – Standard & Enhanced Reports
  • Tools – Roles, Installers, Subscriptions, DB maintenance, Notifications, Options
  • Help – which hopefully you don’t need to use too much
• Let’s get started
  • Logon credentials contained in your lab guide
  • Turn off Windows Defender on Windows 10 endpoint
Exercise 1 – Discover Endpoints & Install Agents
• Goal
  • The goal of this exercise is to discover new endpoints and to bring them under control
• Discover > Assets
  • Select “Immediate” under scheduling
  • Use IP address range 192.168.100.10 to 192.168.100.99
• Review > Job Results
  • Go to Completed tab when job is finished (page auto-refreshes)
  • Manage Agents > Install Agents, for any assets (Win7) with “No Agent Found”
Exercise 2 – Create Groups & Add Endpoints
• Goal
  • As we generally manage by groups rather than endpoints, the goal of this exercise is to create a number of custom groups so we can use these groups in subsequent exercises
• Create three custom groups
  • Manage > Groups > Group Membership view
  • Select “Custom Groups” from panel on left
  • Delete/ignore any existing groups (I forgot to do so!)
  • Create the following groups – Server, Desktop, All Systems
• Add endpoints to each group
  • Manage > Groups > Endpoint Membership view
  • Use Membership button or right-click on group
  • Server – Ivanti Endpoint Server & CentOS
  • Desktop – Win10 and Win7
  • All Systems – all four endpoints
Exercise 3 – Create AV Policies & Scan for Malware
• Goal
  • Discover and remove any malware that exists
  • Create policies to provide ongoing protection
• Scan for malware
  • Discover > Scan Now – Virus and Malware Scan
  • Select Immediate scan option and assign to the Desktop group
  • Add a “folder” exclude for C:\ drive to minimize scan duration
  • Follow progress on Win10 endpoint via Agent Control Panel
  • Review “Centralized Quarantine” when completed
• Create policies for ongoing protection
  • Manage > AntiVirus Policies
  • Create Real-time Monitoring Policy
  • Create Recurring Virus and Malware Scan Policy
  • Set policy to run at the weekend (not during Interchange!)
Exercise 4 – Patch Vulnerable Applications
• Goal
  • Understand what vulnerabilities exist
  • Apply patches to remediate (some of) these vulnerabilities
• Understand vulnerabilities
  • Navigate to Manage > Endpoints
  • Select Endpoint and select Vulnerabilities/Patch Content tab
  • Select filters (Detection Status = Not Patched)
  • Select (1 or 2) cached packages and “Add to List” called Interchange
• Remediate Vulnerabilities
  • Manage > Groups (Vulnerabilities/Patch Content view)
  • Select All Systems group
  • Select Interchange Custom Patch List (and select all content)
  • Click “Deploy”
[Screenshot legend: Cached / Not cached]
Exercise 5 – App Control Blocking and Denied Apps
• Goal
  • Demonstrate that non-whitelisted applications are blocked
  • Deny a whitelisted application
• Non-whitelisted applications
  • Log on to Win10 endpoint
  • Open “Test Files” folder on the desktop (added after lockdown)
  • Try to run any of these applications -> receive blocked dialog
• Deny whitelisted application
  • Open Mozilla Firefox and confirm that it opens correctly
  • Go to Manage > Application Library and search for Firefox.exe in “Ungrouped files”
  • Move file to “Prohibited Applications”
  • Go to Manage > Application Control policies
  • Create Denied Applications policy and add “Prohibited Applications” application to it
  • Assign to Desktop group and confirm Mozilla Firefox is blocked (once policy delivered)
Exercise 6 – Install an Application with Trusted Updater
• Goal
  • Install a blocked application on a locked-down endpoint
• Try to install application on locked-down endpoint
  • Open Test Files folder on Win10 desktop
  • Try to launch one or more of the installers (you may already have completed this step earlier)
• Add installer to a Trusted Updater policy
  • Go to Review > Application Control Log Queries
  • Create “All Denied Application Events” log query for Desktop group
  • Review results and locate denied installer (refresh the query if it is not there yet)
  • Select the installer in the log query results and click on “Trust” button
  • Assign to Desktop group
  • Once policy delivered, confirm that application gets installed correctly and can be opened
Exercise 7 – Local Authorization
• Goal
  • Enable endpoint users to decide whether to launch/install an application on their endpoint
• Create Local Authorization policy
  • Go to Manage > Application Control policies and select “Trusted Change” tab
  • Create Local Authorization policy and assign to Desktop group
• Locally authorize an application
  • Once policy is delivered, go to the Test Files folder on the Win10 endpoint
  • Select an application or an installer and try to open it
  • You should now receive a local authorization dialog and can decide whether to allow or deny
Exercise 8 – Protect against Memory-based Attacks
• Goal
  • Implement a Memory Protection policy to detect and block a memory injection
• Create Memory Protection Policy in Audit Mode
  • Go to Manage > Application Control policies and select Memory Protection tab
  • Create a Memory Protection policy in Audit Mode and assign to the Desktop group
• Launch application and inject into memory
  • Follow lab guide to launch target application (view in Task Manager)
  • Launch injector application and inject into process of target application
  • Go to Review > Application Control log queries and create All Memory Injection Events query
• Convert Memory Protection Policy to Enforcement Mode
  • Edit Memory Protection policy and switch to Enforce from Audit mode
  • Confirm Target Application is terminated (via logs and Task Manager)
Exercise 9 – Protect Data with Device Control
• Goal
  • Create policies to protect data when copied to removable media (e.g. USB sticks)
• Confirm current read/write behaviour
  • Copy files to and from E:\ and F:\ drives on Win10 endpoint and confirm both read & write work
• Create Unencrypted and Encrypted drives policy
  • Go to Manage > Device Control policies and create policies per lab guide
• Test Device Control policies
  • Disable default policy for Removable Storage Devices and set Global policy to Enforce
  • Attempt to copy files to (unencrypted) E:\ or F:\ drives and confirm that they are read-only
  • Encrypt F:\ drive and confirm both read and write work on encrypted drive
  • Reboot Win10 endpoint to see behaviour when E:\ and F:\ drives connected
    • Option provided to encrypt E:\ drive
    • Need to enter encryption password for F:\ drive
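The Exercise 9 sequence relies on three settings acting together: the Unencrypted/Encrypted drive policies only take effect once the default Removable Storage Devices policy is disabled and the Global policy is switched from Audit to Enforce. The following is an added, constructed model of that decision (not Ivanti code, and not the product's real policy engine); the class and field names, and the assumption that the default policy grants read/write, are this example's own. It replays the lab steps and shows which step is responsible for each change in the observed access, plus the audit events you would expect while a restriction is configured but not yet enforced.

```python
"""Constructed model of the removable-media access decision in Exercise 9.

Assumptions (not from the product documentation):
  * the default Removable Storage Devices policy grants read/write and wins
    while it is enabled;
  * in Audit mode a configured restriction is logged, not applied;
  * Unencrypted drives -> read-only, Encrypted drives -> read/write.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RemovableDrive:
    letter: str        # e.g. "E:" (constructed sample values)
    encrypted: bool    # True once the agent has encrypted the drive


@dataclass
class DeviceControlConfig:
    global_mode: str = "Audit"              # "Audit" or "Enforce"
    default_policy_enabled: bool = True     # assumed to grant read/write
    unencrypted_access: str = "read-only"   # Unencrypted drives policy
    encrypted_access: str = "read-write"    # Encrypted drives policy


@dataclass
class AuditEvent:
    drive: str
    intended: str   # access the policy would have applied
    reason: str     # why it was not applied


def intended_access(cfg: DeviceControlConfig, drive: RemovableDrive) -> str:
    """Access the drive policies alone would grant."""
    return cfg.encrypted_access if drive.encrypted else cfg.unencrypted_access


def evaluate_access(cfg: DeviceControlConfig, drive: RemovableDrive,
                    log: List[AuditEvent]) -> str:
    """Return the access the endpoint actually gets, appending an audit
    event whenever a restriction is configured but not enforced."""
    intended = intended_access(cfg, drive)
    if cfg.default_policy_enabled:
        if intended != "read-write":
            log.append(AuditEvent(drive.letter, intended,
                                  "default policy still enabled"))
        return "read-write"
    if cfg.global_mode != "Enforce":
        if intended != "read-write":
            log.append(AuditEvent(drive.letter, intended,
                                  "global mode is Audit"))
        return "read-write"
    return intended


def lab_walkthrough() -> Tuple[Dict[str, Tuple[str, str]], List[AuditEvent]]:
    """Replay the Exercise 9 steps for the E: and F: drives and return the
    observed (E:, F:) access after each step plus the audit events."""
    e = RemovableDrive("E:", encrypted=False)
    f = RemovableDrive("F:", encrypted=False)
    log: List[AuditEvent] = []
    results: Dict[str, Tuple[str, str]] = {}
    cfg = DeviceControlConfig()

    # Before the exercise: default policy enabled, both drives read/write.
    results["before"] = (evaluate_access(cfg, e, log), evaluate_access(cfg, f, log))

    # Default policy disabled but Global policy still in Audit: still read/write,
    # only audit events are produced.
    cfg.default_policy_enabled = False
    results["audit_only"] = (evaluate_access(cfg, e, log), evaluate_access(cfg, f, log))

    # Global policy set to Enforce: both unencrypted drives become read-only.
    cfg.global_mode = "Enforce"
    results["enforced"] = (evaluate_access(cfg, e, log), evaluate_access(cfg, f, log))

    # F: encrypted: it regains read/write while E: stays read-only.
    f.encrypted = True
    results["f_encrypted"] = (evaluate_access(cfg, e, log), evaluate_access(cfg, f, log))
    return results, log


if __name__ == "__main__":
    observed, events = lab_walkthrough()
    for step, access in observed.items():
        print(f"{step:12s} E: {access[0]:10s} F: {access[1]}")
    for ev in events:
        print(f"audit: {ev.drive} would be {ev.intended} ({ev.reason})")
```

The point the walkthrough makes explicit is that the "confirm read-only" check in the lab only succeeds after both configuration changes; if either is missed, the endpoint keeps read/write and the only trace is the audit event, which is worth checking in the console logs before assuming the policy is live.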
Exercise 10 – Dashboard Widgets and Reports
• Goal
  • Enable Dashboard widgets to provide overall system summary on login
  • Create reports for more detailed analysis or for management
• Dashboard widgets
  • Go to Home page on console
  • Select “Configure Dashboard Settings” and select dashboards to display
  • Drag and drop dashboards as needed
• Reports
  • Go to Reports > Enhanced Reports
  • Run reports to report on earlier exercises and review results