Symantec Security Expressions Server User Manual

SecurityExpressions Server User Guide


To edit Exceptions:

1. Click the Edit hyperlink on the Exceptions table to select the row to edit.
2. Modify the Exception parameters (Type, Value, Expiration Date, Group Posture Result).

3. Click Update.

Deleting Exceptions

To delete an Exception:

1. Click the Edit hyperlink on the Exceptions table to select the row to remove.
2. When you delete an Exception, you remove it from the database. A warning appears to remind you that you are about to delete a record from the database. Cancel the action or delete the record.

Connection Monitors

Connection Monitors are services that are installed on DHCP Servers, Active Directory Servers, or other servers that coordinate Audit-on-Connect sequences. They determine when a device connects to the network and then send a request to a server to perform an audit on that device.

Each Connection Monitor uses a configuration file (dmconfig.txt) to store a list of audit servers to contact. This list includes a particular range of IP addresses, along with a distribution method to balance the load among the audit servers.

Most of the configuration work is in editing the configuration file (dmconfig.txt). The settings described here are only part of the process.

The SecurityExpressions Audit & Compliance Server includes three types of Connection Monitors:

• DHCP Network Connection Monitor: installed on any server with access to network traffic, it monitors network packets for those containing DHCP protocols.

• Microsoft DHCP Server Plug-In Connection Monitor: installed on the device running Windows DHCP server.

• Active Directory Connection Monitor: installed on any server on the domain, it monitors Active Directory activity for when a new device appears on the network.

IP Address or Fully Qualified Name

List the IP address or fully-qualified name of the computer hosting a Connection Monitor.

You must configure the SecurityExpressions Audit & Compliance Server with a list of the known Connection Monitors that it will listen to. If the IP address or the fully-qualified name of a Connection Monitor does not appear in the Device Connection Monitor list, the module is not listened to.

Add or remove the name of a new computer that hosts a Connection Monitor.

Specify Password and Encrypted Password
