The new Security feature addresses the security challenges faced by most administrators by enabling them to quickly grasp the security status of their devices through a vulnerability-based view. Using this feature administrators can easily identify and remediate vulnerabilities that impact the devices in their zone. This is achieved by:
Section 1.3.1, Patching Software Security Vulnerabilities Using CVEs
From a security perspective, the primary way of tracking software vulnerabilities is through Common Vulnerabilities and Exposures (CVEs) and ZENworks now allows you to track device vulnerabilities via CVEs. As the CVEs are mapped to patches, you can easily remediate the vulnerabilities without the need to manually select patches. The CVE dashlets can be used to remediate the vulnerabilities.
For more information, see the CVE Reference.
The new Getting Started pages simplify the process of setting up and tracking security in your zone and enables you to remediate vulnerabilities through the application of patches on exploitable devices. Using this page you can mitigate vulnerabilities, and also encrypt and secure devices.
For more information, see ZENworks Security Reference.
The following UI changes have been made to enable administrators to easily navigate between all the security features provided by ZENworks:
The Patch Management, Device Encryption and Securing Devices features are now grouped together within the new Security tab.
The Management Zone settings has a new Security listing which includes the Patch Management and Endpoint Security configuration settings.
The Patch Management feature in the left navigation menu of ZCC has been replaced by the Security feature.
View comprehensive information related to a selected patch: The Patch object page includes the following tabs:
Patch Information: Details about the patch, the CVEs addressed by the patch and the supersedence details of the patches, which are useful for reporting and for the purpose of investigation.
Relationships: Information about the patch policies, remediation deployments and bundles associated with the selected patch.
Devices: Information about the devices that are impacted by the patch, the time at which the last patch scan was performed, the patch status, the assigned remediations, the name of the source (ZENworks or Other) that installed the assignment and the time at which the assignment was installed on the device.
View comprehensive information about the vulnerability status of a device: In the Devices page, you can view information related to the applicable patches, patch policy assignments and patch remediation assignments made to the device.You can also identify when patches were installed and whether they were installed by ZENworks or another source.
The new Security Dashboard enables you to monitor the vulnerability status of your zone and remediate the vulnerabilities through security dashlets. These dashlets can be customized to track important CVEs and Patches and their impact on your environment. The Security dashlets include:
Patch Tracker: The Patch Tracker dashlet, enables you to track the status of a single patch or multiple, associated, patches and view the current patching status of the vulnerable devices. After identifying the vulnerable devices, you can use the Deploy Remediation quick task to apply the required patches on the devices. The Trend Chart within the Patch Tracker dashlet enables you to analyze and track the unpatched device trend for a specific time period.
CVE Tracker: The CVE Tracker dashlet enables you to track a single or multiple, associated, CVEs based on the NVD-issued CVE IDs. For the specified CVEs you can track the total number of applicable devices and identify the devices that are still vulnerable. After identifying the vulnerable devices, you can use the Deploy Remediation quick task to apply the required patches on these devices. In the Vulnerability Trend section of the dashlet, you can analyze and track the vulnerability trend of the selected CVEs, for a specific time period.
CVE Severity Distribution: The CVE Severity Distribution dashlet displays all the CVEs that are applicable to devices in the zone, grouped based on their severity. Based on your requirement, you can easily filter and sort the data in order to identify and prioritize the vulnerabilities that you need to address. To remediate the vulnerabilities, you can select the devices and then apply the required patches by performing the Deploy Remediation quick task.
Top CVEs: The Top CVEs dashlet, by default, displays the top CVEs based on the most recently published CVEs. You can change the filters to display the top CVEs based on the most number of vulnerable devices, or based on the severity rating. Based on your requirement, you can easily filter and sort the data in order to identify and prioritize the vulnerabilities that you need to address. To remediate the vulnerabilities, you can select the devices and then apply the required patches by performing the Deploy Remediation quick task.
For more information, see the ZENworks Patch Management Reference and the CVE Reference.
When you initiate this quick task for a selected device, ZENworks updates the Primary Server with the required patches for the selected device without waiting for a scheduled scan so that patches can be identified for caching and installation.
For more information, see the Initiating a Patch Scan section in the ZENworks Patch Management Reference.
This feature enables administrators to deploy patch policies when the device is shutting down, thereby allowing the deployment of patches required by their organization, on end-user devices, without impacting the end-user’s normal operations. Currently this feature is supported only for Windows managed devices.
For more information, see the Patch Policy Reboot Behavior section in the ZENworks Patch Management Reference.
The following Endpoint Security policies have the feature enhancements indicated:
Microsoft Data Encryption: This policy has added management of Microsoft's Windows Encrypting File System (EFS), which adds the capability to encrypt fixed disk folders on managed devices. You can configure folders to be encrypted by default when the policy is a applied and end users will be able to encrypt their own folders. Encrypted folders can also be public or private, dependent on whether they are default policy folders outside of a user's profile, or encrypted by the user in or outside of the user's profile. The feature also has a built-in and standalone recovery tool for administrator use in the event of a lost user password.
Storage Device Control: This policy has added control of devices that identify as Windows Portable Devices (WPD). This includes the addition of an exception list that you can configure for WPD media.