Granting or blocking access to remote Symantec Endpoint Protection Manager consoles
By default, all consoles are granted access. Administrators can log on to the main console locally or remotely from any computer on the network.
You can secure a management console from remote connections by denying access to certain computers.
You may want to grant or deny access from the following types of users or computers:
- You should deny access to anyone on the Internet. Otherwise, the console is exposed to Internet attacks.
- You should deny access to limited administrators who use consoles on a different network than the network they manage.
- You should grant access to system administrators and IT administrators.
- You should grant access to lab computers, such as a computer that is used for testing.
In addition to globally granting or denying access, you can specify exceptions by IP address. If you grant access to all remote consoles, the management server denies access to the exceptions. Conversely, if you deny access to all remote consoles, you automatically grant access to the exceptions. When you create an exception, the computer that you specified must have a static IP address. You can also create an exception for a group of computers by specifying a subnet mask. For example, you may want to grant access in all areas that you manage. However, you may want to deny access to a console that is located in a public area.
To grant or deny access to a remote console
- In the console, click Admin, and then click Servers.
- Under Servers, select the server for which you want to change the remote console access permission.
- Under Tasks, click Edit the server properties.
- On the General tab, click Granted Access or Denied Access.
- If you want to specify IP addresses of the computers that are exempt from this console access permission, click Add. Computers that you add become exceptions. If you click Granted Access, the computers that you specify are denied access. If you click Denied Access, the computers that you specify are granted access. You can create an exception for a single computer or a group of computers.
- In the Deny Console Access dialog box, click one of the following options:
  - Single Computer: For one computer, type the IP address.
  - Group of Computers: For several computers, type both the IP address and the subnet mask for the group.
- Click OK. The computers now appear in the exceptions list. For each IP address and mask, its permission status appears. If you change Granted Access to Denied Access or vice versa, all exceptions change as well. If you have created exceptions to deny access, they now have access.
- Click Edit All to change the IP addresses or host names of those computers that appear on the exceptions list. The IP Address Editor appears. The IP Address Editor is a text editor that lets you edit IP addresses and subnet masks.
- When you finish adding exceptions to the list or editing the list, click OK.
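The exception rules described above, and the way every exception reverses when the global setting is switched, can be checked against a planned exception list before it is applied. The following Python sketch is an added example, not Symantec code; the function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress

def parse_exception(ip, mask=None):
    """Single Computer: IP address only. Group of Computers: IP address plus subnet mask."""
    if mask is None:
        return ipaddress.ip_network(ip)  # a lone address becomes a /32 network
    # strict=False tolerates a host address given together with the mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def console_access(mode, exceptions, client_ip):
    """Return 'granted' or 'denied' for a remote console at client_ip.

    mode is the global setting ('granted' or 'denied'); any address that
    matches an exception receives the opposite of the global setting.
    """
    if mode not in ("granted", "denied"):
        raise ValueError("mode must be 'granted' or 'denied'")
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in exceptions):
        return "denied" if mode == "granted" else "granted"
    return mode

def audit(mode, exceptions, clients):
    """Map each client address to its effective permission under the given mode."""
    return {ip: console_access(mode, exceptions, ip) for ip in clients}

def changed_by_switch(exceptions, clients):
    """List the clients whose permission changes when the global setting is switched."""
    before = audit("granted", exceptions, clients)
    after = audit("denied", exceptions, clients)
    return [ip for ip in clients if before[ip] != after[ip]]

# Constructed sample data: one single-computer exception and one group exception.
EXCEPTIONS = [
    parse_exception("192.0.2.50"),
    parse_exception("198.51.100.0", "255.255.255.0"),
]
CLIENTS = ["192.0.2.50", "198.51.100.77", "203.0.113.9"]

if __name__ == "__main__":
    for mode in ("granted", "denied"):
        print(f"Global setting: {mode} access")
        for ip, result in audit(mode, EXCEPTIONS, CLIENTS).items():
            print(f"  {ip:15} -> {result}")
    print("Changed by switching the setting:", changed_by_switch(EXCEPTIONS, CLIENTS))
```

Running the audit for both settings shows that switching between Granted Access and Denied Access changes the result for every address, not only the exceptions, so an exception list written as a deny list becomes an allow list after the switch.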