Wednesday, March 11, 2009

Pointsec for PC: Creating an update profile based on an installation profile

One thing that really annoys my users is having their computers lock after a period of inactivity. They really don't like having to put a password in and would prefer if they could leave themselves logged in forever (and probably forget their password in the process). But when we install Pointsec on a computer it sets the screensaver to lock, and we don't turn that feature off. Usually I tell users how important that security feature is until they get tired of talking to me and go away, but the other day someone presented a valid reason why his inactivity time needs to be longer. I decided to make that change to his computer, but I'm not going to do it to everyone. His valid reason isn't something that applies across the board. Here is how I'm doing it.

To start, I opened up my Management Console and went to Profiles. Right-click on Profiles and select New Profile -> Update. The New Profile Wizard appears. Click Next to begin. First you will be asked to give the profile a name. I'm going to call mine 60-min-screensaver. You also have to provide a profile protection password.

Remember, in most cases your profiles are kept on a simple file server, and you probably aren't limiting read access to these profiles to a single account. It is possible, but not commonly done. In order to prevent people from downloading your profiles and examining them for weaknesses, or from creating rogue update profiles, you have to specify a profile protection password. You cannot continue until you provide that password.

Now you will be asked if you want to base this profile on an existing profile or on the machine's local settings. I'm going to check this box and continue. On the next page I will have the option to search for the profile that I want to use as my template, or I can use the local machine's settings. In this case, I'm going to use my installation profile rather than my local settings. To be honest, I don't remember if I've made changes to my own machine while playing around with stuff. I know that the installation profile is pristine. So I'm going to select that, and I'm going to make sure that I have not checked "Base on local settings." I'm also going to uncheck "Base on Groups," which will automatically uncheck "User Accounts."

Was that last step really necessary? Probably not. I have all the same users and groups on the machines that are out there, so including the group and user configuration in this update profile shouldn't hurt anything. The reason I unchecked it has to do with the difference between "shouldn't cause a problem" and "won't cause a problem." If I don't include any group or user information in this update profile, then I know that I won't make any changes to the user and group settings on my computer. Generally speaking, you want to limit your update profile as much as possible to cover only the things that you're going to change. You don't have a ton of granularity in limiting the scope of your update profile, but you should exercise the power that you do have in that area. Click Next to continue, and Finish to open up the profile editor.

This is a pretty simple change to make. I'm just going to click on the Windows Integrated Logon folder on the left and find the setting called "Set WIL User Screen Saver Timeout." Double-click and change it to 60. Then click OK to quit the profile editor. I'm going to get two warnings. One is a warning that I have Windows Integrated Logon enabled. That's fine; I don't want to turn WIL off, so I can ignore that warning. The other message is that "No user has a group authority level high enough to change system settings." We're getting this message because we stripped all the user and group information out of this update profile. You couldn't have an installation profile that looked like that, but this update is only going to change that one setting and leave the current users and groups that are on the machine in place. So even though this profile doesn't have any admin users, the end user's computer will, because it already has them. We can safely ignore this message as well.

Now in my Management Console I see a profile called 60-min-screensaver. If I wanted to push this out to everyone on the network, then I could right-click and select Publish. But that's not what I want to do. Instead I'm going to go over to the file server itself and find my profile storage folder. In there I'll find the actual profile file. I'm going to email the file to the user with instructions on how to apply it to his own machine. Another course of action would be to put the file in the update folder for his particular machine and wait. This guy isn't on our network right now, so I'm just going to use the email route.

How do you apply the update profile to a single user's machine without putting it in the update folder? The answer is shockingly simple: you put it in their Work folder. When a Pointsec machine checks for updates, it really just goes out to the file server and copies the update profiles down to the local hard drive in a folder called Work. The path is C:\Program Files\Pointsec\Pointsec for PC\Work. Once the profile is in that folder, it is checked to make sure the Update Validation Password is correct, and then the settings are applied. If you manually copy the update file into that folder, you will be doing the same thing. Somewhere between 5 and 15 seconds after the file is copied, it will disappear, and the settings will be applied.
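The manual copy step above is easy to script so the person doing it gets a yes/no answer instead of watching a folder. The following is an added example, not code from this post or from Pointsec; the function name, the timeout and the return value are my own choices. It assumes the default Work path quoted above and that the agent removes the file from Work once it has checked the Update Validation Password and applied the settings, which is the only file-system signal the post describes.

```python
"""Copy a Pointsec for PC update profile into the local Work folder and wait
for the agent to consume it.

Added example, not code from the original post or from Pointsec. Assumed:
the default Work path quoted in the post, and that the agent deletes the
file after validating the Update Validation Password and applying the
settings (the post says this takes roughly 5 to 15 seconds). The helper
only copies and observes; it does not parse or validate the profile.
"""
import os
import shutil
import time

# Default path quoted in the post; override on non-default installs.
DEFAULT_WORK_DIR = r"C:\Program Files\Pointsec\Pointsec for PC\Work"


def apply_update_profile(profile_path, work_dir=DEFAULT_WORK_DIR,
                         timeout_s=30.0, poll_s=0.5):
    """Copy profile_path into work_dir and poll until the agent removes it.

    Returns (consumed, elapsed_seconds). consumed is True when the copied
    file disappeared within timeout_s. False means the agent did not take
    the file in time; the post does not say how a failed password check is
    reported, so treat False as "go look at the machine" (service state,
    Update Validation Password, folder permissions), not as a diagnosis.
    """
    if not os.path.isfile(profile_path):
        raise FileNotFoundError(profile_path)
    if not os.path.isdir(work_dir):
        raise NotADirectoryError(work_dir)

    dest = os.path.join(work_dir, os.path.basename(profile_path))
    if os.path.exists(dest):
        # A leftover file with the same name would make the "did it
        # disappear" check ambiguous, so refuse rather than overwrite.
        raise FileExistsError(dest)

    shutil.copy2(profile_path, dest)
    start = time.monotonic()
    while time.monotonic() - start < timeout_s:
        if not os.path.exists(dest):
            return True, time.monotonic() - start
        time.sleep(poll_s)
    return False, time.monotonic() - start


if __name__ == "__main__":
    import sys
    # Usage: python apply_profile.py <path-to-update-profile>
    ok, secs = apply_update_profile(sys.argv[1])
    print("applied" if ok else "not consumed", "after %.1f s" % secs)
```

Run it as an administrator on the user's machine with the emailed profile as the only argument; a True result within the 5 to 15 seconds the post mentions is the confirmation that the agent picked the file up. The refusal to overwrite an existing file of the same name is deliberate: a profile that is still sitting in Work from an earlier attempt is exactly the case where you want to stop and ask why, rather than replace it and lose that evidence.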
