Configuring system lockdown

System lockdown controls applications on a group of client computers by blocking unapproved applications. You can set up system lockdown to allow only applications on a specified list (whitelist). The whitelist includes all the approved applications; any other applications are blocked on client computers. Or, you can set up system lockdown to block only applications on a specified list (blacklist). The blacklist comprises all the unapproved applications; any other applications are allowed on client computers.
Any applications that system lockdown allows are subject to other protection features in Symantec Endpoint Protection.
A whitelist or blacklist can include file fingerprint lists and specific application names. A file fingerprint list is a list of file checksums and computer path locations.
You can use an Application and Device Control policy to control specific applications instead of or in addition to system lockdown.
You set up system lockdown for each group or location in your network.
System lockdown steps
Step 1: Create file fingerprint lists
You can create a file fingerprint list that includes the applications that are allowed or not allowed to run on your client computers. You use the file fingerprint list as part of a whitelist or blacklist in system lockdown.
When you run system lockdown, you need a file fingerprint list that includes all of the applications you want to whitelist or blacklist. For example, your network might include Windows Vista 32-bit, Windows Vista 64-bit, and Windows XP SP2 clients. You can create a file fingerprint list for each client image that you want to whitelist.
You can create a file fingerprint list in the following ways:
  • Symantec Endpoint Protection provides a checksum utility to create a file fingerprint list. The utility is installed along with Symantec Endpoint Protection on the client computer.
    Use the utility to create a checksum for a particular application or all the applications in a specified path. Use this method to generate file fingerprints to use when you run system lockdown in blacklist mode.
  • Create a file fingerprint list on a single computer or small group of computers using the Collect File Fingerprint List command.
    In 12.1.6 or later, you can run the Collect File Fingerprint List command from the console. The command collects a file fingerprint list that includes every application on the targeted computers. For example, you might run the command on a computer that runs a gold image. You can use this method when you run system lockdown in whitelist mode. Note that the file fingerprint list that you generate with the command cannot be modified. When you re-run the command, the file fingerprint list is automatically updated.
  • Create a file fingerprint list with any third-party checksum utility.
In 12.1.6 or later, if you run Symantec EDR in your network, you might also see file fingerprint lists that come from Symantec EDR.
Step 2: Import file fingerprint lists into Symantec Endpoint Protection Manager
Before you can use a file fingerprint list in the system lockdown configuration, the list must be available in Symantec Endpoint Protection Manager.
When you create file fingerprint lists with a checksum tool, you must manually import the lists into Symantec Endpoint Protection Manager.
When you create a file fingerprint list with the Collect File Fingerprint List command, the resulting list is automatically available in the Symantec Endpoint Protection Manager console.
You can also export existing file fingerprint lists from Symantec Endpoint Protection Manager.
Step 3: Create application name lists for approved or unapproved applications
You can use any text editor to create a text file that includes the file names of the applications that you want to whitelist or blacklist. Unlike file fingerprint lists, you import these files directly into the system lockdown configuration. After you import the files, the applications appear as individual entries in the system lockdown configuration.
You can also manually enter individual application names in the system lockdown configuration.
A large number of named applications might affect client computer performance when system lockdown is enabled in blacklist mode.
Step 4: Set up and test the system lockdown configuration
In test mode, system lockdown does not block any applications. Unapproved applications are logged but not blocked. You use the Log Unapproved Applications Only option in the System Lockdown dialog to test the entire system lockdown configuration.
To set up and run the test, complete the following steps:
  • Add file fingerprint lists to the system lockdown configuration.
    In whitelist mode, the file fingerprints are approved applications. In blacklist mode, the file fingerprints are unapproved applications.
  • Add individual application names or import application name lists into the system lockdown configuration.
    You can import a list of application names rather than enter the names one by one in the system lockdown configuration. In whitelist mode, the applications are approved applications. In blacklist mode, the applications are unapproved applications.
  • Run the test for a period of time.
    Run system lockdown in test mode long enough so that clients run their usual applications. A typical time frame might be one week.
Step 5: View the unapproved applications and modify the system lockdown configuration if necessary
After you run the test for a period of time, check the list of unapproved applications. You can view the list by checking the status in the System Lockdown dialog box.
The logged events also appear in the Application Control log.
You can decide whether to add more applications to the file fingerprint or the applications list. You can also add or remove file fingerprint lists or applications if necessary before you enable system lockdown.
Step 6: Enable system lockdown
By default, system lockdown runs in whitelist mode. You can configure system lockdown to run in blacklist mode instead.
When you enable system lockdown in whitelist mode, you block any application that is not on the approved applications list. When you enable system lockdown in blacklist mode, you block any application that is on the unapproved applications list.
Make sure that you test your configuration before you enable system lockdown. If you block a needed application, your client computers might be unable to restart.
Step 7: Update file fingerprint lists for system lockdown
Over time, you might change the applications that run in your network. You can update your file fingerprint lists or remove lists as necessary.
You can update file fingerprint lists in the following ways:
You might want to re-test the entire system lockdown configuration if you add client computers to your network. You can move new clients to a separate group or test network and disable system lockdown. Or you can keep system lockdown enabled and run the configuration in log-only mode. You can also test individual file fingerprints or applications as described in the next step.
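The fingerprint-list work in step 1 (building a list with a third-party checksum utility) and step 7 (updating lists when new images appear) can be scripted and checked before anything is imported into the manager. The following Python is an added example, not code from Symantec Endpoint Protection or its documentation. It assumes a list format of one `<hex digest> <absolute path>` entry per line, MD5 when no algorithm is named, a fixed set of executable suffixes, and matching on digest alone with the path kept for the reviewer; none of these details are stated on this page, so compare them with the output of the checksum utility before you rely on the result.

```python
"""Build, parse and compare file fingerprint lists for system lockdown.

Added example; not code from Symantec Endpoint Protection or its docs.
Assumptions not stated on the page: one entry per line in the form
"<hex digest> <absolute path>"; MD5 when no algorithm is named; only the
suffixes in EXECUTABLE_SUFFIXES are fingerprinted; entries are matched on
digest alone and the path is kept for the reviewer.
"""
import hashlib
import os
import string
import tempfile
from pathlib import Path

# Assumption: the file types worth fingerprinting for lockdown.
EXECUTABLE_SUFFIXES = frozenset({".exe", ".dll", ".sys", ".com", ".scr", ".ocx"})


def fingerprint_line(data: bytes, path: str, algorithm: str = "md5") -> str:
    """One list entry: lowercase hex digest, one space, then the path."""
    return f"{hashlib.new(algorithm, data).hexdigest()} {path}"


def build_fingerprint_list(root: str, algorithm: str = "md5") -> str:
    """Fingerprint every executable under root, as a third-party checksum
    utility would for a gold image (step 1). Entries are sorted by path so
    two runs over the same tree give identical lists, which keeps the
    lists diffable when you update them (step 7)."""
    lines = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            lines.append(fingerprint_line(p.read_bytes(), str(p.resolve()), algorithm))
    return "".join(line + "\n" for line in lines)


def _is_hex_digest(s: str) -> bool:
    return len(s) >= 32 and all(c in string.hexdigits for c in s)


def parse_fingerprint_list(text: str) -> dict:
    """Parse list text into {digest: path}. Only the first space separates
    digest from path, so paths such as C:\\Program Files\\... survive.
    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError instead of silently shrinking a whitelist."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition(" ")
        if not sep or not path or not _is_hex_digest(digest):
            raise ValueError(f"line {lineno}: expected '<hex digest> <path>', got {raw!r}")
        entries[digest.lower()] = path
    return entries


def blocked_entries(mode: str, configured_lists, candidate_list: str) -> dict:
    """Predict what lockdown would block on a computer whose inventory is
    candidate_list: in whitelist mode every entry not in the configured
    lists, in blacklist mode every entry that is. Returns {digest: path}."""
    configured = set()
    for text in configured_lists:
        configured.update(parse_fingerprint_list(text))
    candidate = parse_fingerprint_list(candidate_list)
    if mode == "whitelist":
        return {d: p for d, p in candidate.items() if d not in configured}
    if mode == "blacklist":
        return {d: p for d, p in candidate.items() if d in configured}
    raise ValueError(f"unknown mode {mode!r}")


def blocked_names(blocked: dict) -> list:
    """Sorted file names of the blocked entries, for a quick review."""
    return sorted(os.path.basename(p) for p in blocked.values())


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: fingerprint a gold image, then inventory a new
    client image and report what whitelist mode would block before the
    approved list is changed. Returns the blocked {digest: path} entries."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, new = Path(tmp, "gold"), Path(tmp, "new")
        for root in (gold, new):
            _write(root, "Program Files/App/helper.dll", b"helper 1.0")  # unchanged
            _write(root, "Program Files/App/README.txt", b"not fingerprinted")
        _write(gold, "Program Files/App/app.exe", b"app 1.0")
        _write(new, "Program Files/App/app.exe", b"app 2.0")  # updated binary, new digest
        _write(new, "Tools/new-tool.exe", b"absent from the gold image")
        approved = build_fingerprint_list(str(gold))
        inventory = build_fingerprint_list(str(new))
        return blocked_entries("whitelist", [approved], inventory)


if __name__ == "__main__":
    for digest, path in sorted(demo().items(), key=lambda kv: kv[1]):
        print(f"whitelist mode would block: {digest} {path}")
```

Run as a script, the constructed scenario reports the two binaries that the gold-image whitelist would block on the new image (the updated app.exe and the extra tool), which is the list you would review before adding a fingerprint list for the new image. Because the parser rejects malformed lines instead of skipping them, a truncated or hand-edited list fails loudly rather than importing as a shorter whitelist that blocks more than intended.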
Step 8: Test selected items before you add or remove them when system lockdown is enabled
After system lockdown is enabled, you can test individual file fingerprints, application name lists, or specific applications before you add them to or remove them from the system lockdown configuration.
You might want to remove file fingerprint lists if you have many lists and no longer use some of them.
Be careful when you add a file fingerprint list or a specific application to system lockdown or remove one from it. Either change can block applications that your client computers need.
  • Test selected items.
    Use the Test Before Removal option to log specific file fingerprint lists or specific applications as unapproved.
    When you run this test, system lockdown is enabled but does not block any selected applications or any applications in the selected file fingerprint lists. Instead, system lockdown logs the applications as unapproved.
  • Check the Application Control log.
    The log entries appear in the Application Control log. If the log has no entries for the tested applications, your clients did not run those applications during the test period.