Windows Detection Policy

更新时间:2023-08-16 18:39:23

1. Usage Scenario

Windows Detection Items refers to the items or objects that can be detected by a Windows operating system, like installed programs, drivers, or updates. ESA has integrated with Windows detection items to ensure that the user’s login from a Windows operating system will be checked and confirmed to be secure enough to access the applications.

This feature only available on users with Premium bundle

2. Operation Steps

1) Go to Endpoint Security–>Compliance Check–>Config Policy, add New
image.png

2)Fill in the necessary information and click Next

Policy Name Explanation
Policy Name
Define the name of the policy
Status Configures to enable/disable the policy when it is created
Prompt Method
It configures when to prompt notice when risky events are detected. Available value:
1) Prompt risky notice at login: the client will pop out to notify that there are risky events been detected when user login to ESA client
2) Prompt risky notice at every check: the client will pop out to notify that there are risky events been detected every time the ESA client conducts device check. It works together with Detect Interval. 
3) Don't prompt: do not pop out notice even when risky events been detected
Detect Interval Configures the time interval for ESA client to conduct device compliance check. For example, if set to 30mins, the ESA client will perform compliance check every 30 minutes.  No matter what Interval has been configured, the client will conduct compliance check at login. 
Description Enter description to better understand the connector
Apply to User Defines which users will be assigned to the policy. To avoid policy confliction, one user can only be assigned to one compliance check policy

3)Enable the items you want to perform the compliance check and configure the deduct scores for each enabled items, then click Next.
image.png

See detail information of each items below:

Field Name Explanation Configuration Examples
Domain User Detection Check whether the endpoint is in the domain. Fill in your Windows domain name and the deduct score
Domain name=ALEX-TEST, deduct score =10 means: 
if user is not login from a device with Windows domain name=ALEX-TEST, user's trust score will be deducted 10 points
F-Scrack Check whether the computer account has a weak password Deduct score =10 means: 
if user is login from a Windows device with weak login password, user's trust score will be deducted 10 points
Credit Device Detection Check whether the device is on ESA authorized device list Deduct score =10 means:
if user is login from a device that is not on ESA authorized device, user's trust score will be deducted 10 points
Antivirus Software Detection Check whether the specified antivirus software is running on the device. When multiple antivirus software is selected, users running any of the select software can pass the check Antivirus software select IP-Guard and Windows Defender, deduct score=10 means:
if user is login from a device that has not running IP-Guard or Windows Defender, user's trust score will be deducted 10 points
Windows Firewall Detection Check if Windows Firewall is turned on Deduct score =10 means:
if user is login from a device without Windows Firewall turning on, user's trust score will be deducted 10 points
GUEST Account Detection Detect if GUEST account is disabled Deduct score =10 means:
if user is login from a device that the GUEST account is not disabled, user's trust score will be deducted 10 points
Computer Name Detection Check whether the computer name meets the specific requirements Name format=ALEX-TEST *, deduct score =10 means: 
if user is not login from a device with computer name starts with ALEX-TEST, user's trust score will be deducted 10 points
OS Version Detection
Check whether the computer operating system version meets the requirements OS version>20H2,  deduct score =10 means:
if user is login from a device which OS is lower than 20H2, user's trust score will be deducted 10 points
Client Version Detection Check whether the ESA client version is greater than the specified version Client version>=2.96.1, deduct score =10 means:
if user is login from an ESA client with version lower than 2.96.1, user's trust score will be deducted 10 points
System Shared Resource Check if there are shared directories configured on device Deduct score =10 means: 
if user is login from a device that has shared directories configured, user's trust score will be deducted 10 points
Remote Desktop Detection Check if remote desktop is enabled on the device Deduct score =10 means: 
if user is login from a device that has remote desktop enabled, user's trust score will be deducted 10 points

4)Move the buoy on score bar to define the risk level
Take following configuration as an example, when a user’s trust score is:

  • <=60, the user will be marked with Critical Risk
  • 60-70, the user will be marked with High Risk
  • 70-80, the user will be marked with Medium Risk
  • 80-90, the user is with low risk
  • 90-100, the user is safe

image.png

5) Click Submit to finish the policy configuration
6)Back to policy list, you will see the new policy. Click Management if you need to adjust the configuration.
image.png

本篇文档内容对您是否有帮助?
有帮助
我要反馈
提交成功!非常感谢您的反馈,我们会继续努力做到更好!