5.0 Performing the Policy Distribution Service Installation

The server hosting the ZENworks® Endpoint Security Management Policy Distribution Service should always be reachable by your users, whether it sits within the network or out in the DMZ. Ensure that the required software is installed on the server prior to installation (see System Requirements). After the server is selected, note both forms of the server name: the NetBIOS name and the Fully Qualified Domain Name (FQDN).

Deployment of the Policy Distribution Service on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.

NOTE: It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft TechNet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.

To restrict access to trusted machines only, ACLs can be set up on the virtual directory and on IIS. Refer to the articles below:

For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:

  • IISHelp

  • IISAdmin

  • Scripts

  • Printers

We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.

Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
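To confirm that the default folders listed above are gone after hardening, the following added example (not part of the original guide or of any vendor tooling) scans an IIS metabase for them. It assumes IIS 6.0, where the metabase is stored as XML (MetaBase.xml); the sample input, its paths, and the `ExampleApp` directory are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Default folders the guide recommends removing from any IIS installation.
DEFAULT_FOLDERS = {"iishelp", "iisadmin", "scripts", "printers"}

# Metabase key of a directory directly under a site root,
# e.g. /LM/W3SVC/1/ROOT/Scripts (site ID 1, directory "Scripts").
LOCATION_RE = re.compile(r"^/LM/W3SVC/(\d+)/ROOT/([^/]+)/?$", re.IGNORECASE)

# Constructed sample in the style of an IIS 6.0 MetaBase.xml (assumption);
# "ExampleApp" and all paths are made up for illustration.
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration>
  <MBProperty>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Scripts" Path="c:\inetpub\scripts"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/IISHelp" Path="c:\windows\help\iishelp"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/ExampleApp" Path="d:\apps\example"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/printers" Path="c:\windows\web\printers"/>
  </MBProperty>
</configuration>
"""


def find_default_folders(metabase_xml):
    """Return sorted (site_id, name, path) tuples for default folders still defined."""
    findings = []
    # Only the Location attribute is inspected, so element names and any
    # XML namespace on them do not affect the match.
    for element in ET.fromstring(metabase_xml).iter():
        match = LOCATION_RE.match(element.get("Location", ""))
        # Compare case-insensitively so "printers" and "Printers" both match.
        if match and match.group(2).lower() in DEFAULT_FOLDERS:
            findings.append((int(match.group(1)), match.group(2), element.get("Path", "")))
    return sorted(findings)


if __name__ == "__main__":
    remaining = find_default_folders(SAMPLE_METABASE)
    for site_id, name, path in remaining:
        print(f"site {site_id}: default folder '{name}' still mapped to {path}")
    print(f"{len(remaining)} default folder(s) to remove")
```

An empty result means none of the four folders is still defined directly under any site root.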

Please check off the following prerequisites prior to beginning the installation: