Symantec Security Expressions Server User Manual

Page 67


Audit-On-Schedule


This option is available only if the server can access a Policy File Library.

7. If you want the policy to be available to use in audits, check the Make this policy active box. Clear the check box to make the policy unavailable to use in audits without deleting the policy.

8. If you want the policy to be available to use in self-service audits, check the Available for use in self-service audits box.
9. For Audit-On-Connect, include the Link Type, Device Type, Posture Condition, Pass Results Valid For and Fail Results Valid For settings.
10. Set Windows Group Access. Enter Windows groups, separated by a comma, that can use this policy, remediate audit results generated using this policy, and view audit results for it. This establishes which users can access this policy and its audit results due to their role. If a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.

• In the Use Policy field, enter the Windows groups who should be able to modify the policy.

• In the Remediate field, enter the Windows groups who should be able to remediate audit results generated using this policy.

• In the View Audit Results field, enter the Windows groups who should be able to view results from audits using the policy.

To grant all users access, type Everyone. To restrict all users, type None.

11. Click Update to revise the Policy settings in the database.

Any Audit-on-Connect or Audit-on-Schedule audits that are already based on this policy use the new policy settings the next time they run.
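
One way to review the Windows Group Access values from step 10 before clicking Update, added here as an example and not part of the Symantec manual or product: it parses the three comma-separated fields and reports stray commas, malformed domain\groupname entries, Everyone or None mixed with other groups, and Everyone in the Use Policy or Remediate fields. The function names, severity labels, case-insensitive keyword matching, the choice to flag Everyone, and the sample values are assumptions of this example.

```python
import re

# Keywords the manual gives for "all users" and "no users".
# Matching them case-insensitively is an assumption of this example.
KEYWORDS = {"everyone", "none"}
# domain\groupname: exactly one backslash, non-empty on both sides.
QUALIFIED = re.compile(r"^[^\\]+\\[^\\]+$")

def parse_groups(value):
    """Split a comma-separated field into trimmed entries (empty ones kept)."""
    return [entry.strip() for entry in value.split(",")]

def review_field(field, value, sensitive=False):
    """Return (severity, field, message) findings for one access field."""
    findings = []
    entries = parse_groups(value)
    lowered = [e.lower() for e in entries]
    for entry in entries:
        if not entry:
            findings.append(("error", field, "empty entry (stray comma or blank field)"))
        elif entry.lower() in KEYWORDS:
            continue
        elif "\\" in entry and not QUALIFIED.match(entry):
            findings.append(("error", field, f"malformed domain\\groupname: {entry!r}"))
        elif "\\" not in entry:
            findings.append(("info", field,
                             f"{entry!r} is unqualified; it must exist on the local computer"))
    if KEYWORDS.intersection(lowered) and len(entries) > 1:
        findings.append(("error", field, "Everyone/None combined with other entries"))
    # Assumption: granting Everyone the modify or remediate role is worth a warning.
    if sensitive and "everyone" in lowered:
        findings.append(("warn", field, "Everyone is granted a privileged role"))
    return findings

def review_policy_access(use_policy, remediate, view_results):
    """Review the three Windows Group Access fields of one policy."""
    return (review_field("Use Policy", use_policy, sensitive=True)
            + review_field("Remediate", remediate, sensitive=True)
            + review_field("View Audit Results", view_results))

if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    for finding in review_policy_access(
            "CORP\\SecAdmins, Everyone", "Helpdesk,,CORP\\", "None"):
        print(finding)
```

An empty result means the three fields are well-formed under these assumptions; it does not confirm that the named groups exist.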

Deleting Policies

Click the Delete hyperlink for the policy that you want to remove. When you delete a policy, you remove it from the database. A warning appears to remind you that you are about to delete a record from the database. Cancel the action or delete the record.

Configuring with Run-Time Policy Variables

Some policy files, such as the NSA Guidelines for Windows XP and Windows 2000, contain a special rule named .CONFIGURE. The .CONFIGURE rule allows you to configure your policy files and set global parameters for policy files at run time.

Certain information is unique and distinct between systems or groups of systems. A run-time policy variable lets administrators use a single policy file while still identifying the unique rules that require variable information. When a policy file uses a variable, your organization can use one policy file for multiple conditions where variables differ between departments or Machine Lists. For example, a variable might rename administrator accounts, change the members of an administrator account, or define the groups to which certain policies apply.

To understand the run-time policy variable, note the following settings in the NSA Guidelines for Windows XP and Windows 2000:

1. The name for the new rule must be .CONFIGURE.
2. The check type can be blank, or you can type CONFIGURE.
