
CSA deployment best practice -- please help

NAVIN PARWAL
Level 2

Folks,

Planning to deploy 2000 agents on desktops. My question is: what is the best way to add rules to a group so that I can modify them as I fine-tune the application?

Here is what I think; please let me know if I am wrong. The computers would be part of the desktop policy (inbuilt). If I need to fine-tune a rule, I will copy that rule within the policy and give it a higher priority (deny or allow) so that it overrides the original rule. Is this the right way?

Also, do I need any more default policies in addition to the default desktop policy? How about a Test policy where I can put custom-made rules? Any ideas?

Thanks

2 Replies

HarrytheBrain
Level 1

You should deploy the agents with the rule modules you think match your security policy: Firewall/Desktop/NetworkShield or whatever. Put them in your own policy, so it's easier to add or remove rule modules later. I prefer making my own rule module too and just use the available rules and of course my own.

But the most important part is to implement them in test mode (try it on a handful of systems). In test mode it's easy to see what exceptions you have to make. For example, svchost.exe talking to a domain controller needs three exceptions in the network shield rule in my environment. Those exceptions are quite easy to make with the wizard. Just look at the events and the client-triggered "alerts".

The wizard can also generate new application classes if there's an application it doesn't know yet.

After the fine-tuning you can remove the test mode.

Maybe it's useful to activate a learning mode afterwards.

Many thanks for the useful input.

I am trying to use the wizard to quiet some applications on our systems that are noisy, like svchost. Please could you tell me more about how you use the wizard to tell the system to ignore messages generated by some trusted files?