What is Policy
A policy is a set of rules defined according to the guidelines for using the system.
It specifies which operations are allowed, which operations are prohibited, and which operation logs are collected while the PC is in use.
Policies of “Prohibited Operation” and “Log Collection Operation” can be set in Systemwalker Desktop Keeper.
The following are the types of prohibited operations. They are set by the system administrator or department administrator in the Management Console.
File Export Prohibition
Encryption Function is not available.
By setting the file export prohibition policy, export of files and folders to a local drive, network drive, removable drive, or DVD/CD on a PC with the client (CT) installed can be prohibited, subject to the configured conditions.
Depending on those conditions, the File Export Utility can be used to export files and folders to a drive on which export is otherwise prohibited; files can also be encrypted during export.
For details on the File Export Utility, refer to "Systemwalker Desktop Keeper User's Guide: for Client".
Reading Prohibition
By setting the reading prohibition policy, reading data from a removable drive, network drive, or DVD/CD on a PC with the client (CT) installed can be prohibited.
Printing Prohibition
By setting the printing prohibition policy, printing from applications other than those specified can be prohibited on a PC with the client (CT) installed.
PrintScreen Key Prohibition
By setting the PrintScreen key prohibition policy, use of the PrintScreen key to take a hard copy of the screen can be prohibited on a PC with the client (CT) installed. In this case, a screen capture can also be collected at the moment the prohibited key is pressed, so the administrator can see what the user attempted to copy.
Logon Prohibition
This function is not available.
By setting the logon prohibition policy, logon to a PC with the client (CT) installed using a user name that belongs to a specified group can be prohibited. The groups that can be specified are as follows:
Administrators
Backup Operators
Debugger Users
Power Users
Guests
Replicator
Users
Domain Admins
Domain Guests
Domain Users
Enterprise Admins
Group Policy Creator Owners
Application Startup Prohibition
By setting the application startup prohibition policy, startup of the specified applications can be prohibited on a PC with the client (CT) installed.
E-mail Attachment Prohibition
This function is not available.
By setting the E-mail attachment prohibition policy, sending or saving an E-mail that has a prohibited file attached can be prohibited on a PC with the client (CT) installed.
However, saving cannot be prohibited when port monitoring mode is used (the mode in which the E-mail software's SMTP transmission of the attachment is monitored).
The files that can be specified as prohibited targets are unencrypted files, or files with specified extensions.
In addition, if even one attached file is prohibited, the whole E-mail (message text and all attachments) cannot be sent.
URL Access Prohibition
By setting the URL access prohibition policy, access to URLs that are not permitted can be prohibited on a PC with the client (CT) installed.
FTP Server Connection Prohibition
By setting the FTP server connection prohibition policy, connections to FTP servers other than those specified can be prohibited on a PC with the client (CT) installed.
Web Upload and Download Prohibition
By setting the Web upload and download prohibition policy, uploads to and downloads from Web sites other than those specified can be prohibited on a PC with the client (CT) installed.
Clipboard Operation Prohibition
By setting the clipboard operation prohibition policy, transfer of information via the clipboard from the virtual environment to the physical environment, or from the physical environment to the virtual environment, can be prohibited.
The log collection operation policy sets the types of operation log to be collected. The operation logs that can be collected are listed below. These policies are set by the system administrator or department administrator in the Management Console.
Application startup log
Application termination log
Application startup prohibition log
Window title obtaining log
E-mail sending log
E-mail sending interruption log
This function is not available.
E-mail attachment prohibition log
This function is not available.
Command log
This function is not available.
Device configuration change log
Printing operation log
Printing prohibition log
Logon prohibition log
This function is not available.
File export log
PrintScreen key operation log
PrintScreen key prohibition log
Web operation log
Web operation prohibition log
FTP operation log
FTP operation prohibition log
Clipboard operation log
Clipboard operation prohibition log
File operation log
Logon/Logoff log
Linkage log
Screen capture
Policy Settings Targets
A policy is named according to the target it is set for.
A policy set for a "Client (CT)" is called a "CT Policy".
A policy set for a "User" is called a "User Policy".
The policy set for a client (CT) is called the CT policy. While the client (CT) is operating with the CT policy in effect, prohibition and log collection follow the policy set on that client (CT), no matter which user performs the operation. A different policy can be set for each client (CT).
In addition, clients (CTs) can be grouped by department, so that clients (CTs) with the same operational purpose form one group; the policy set for such a group is called a CT group policy. A different policy can be set for each group.
In the example shown in the figure above, the following settings are made for the clients (CTs) and the CT group through the Management Console.
The following policies are set for each client (CT):
CT (1) Printing only.
Printing prohibition: No
File export prohibition: Yes
Application startup prohibition: Yes
CT (2) File export only.
Printing prohibition: Yes
File export prohibition: No
Application startup prohibition: Yes
CT (3) Application startup only.
Printing prohibition: Yes
File export prohibition: Yes
Application startup prohibition: No
The clients (CTs) are grouped, and the group policy is set to "Allow Printing, File Export and Application Startup" and "Collect All Logs".
The CT policy is applied to each client (CT) either immediately or at the next startup. Once the policy has been applied, the client (CT) operates according to it.
[When CT policy is applied to each CT]
CT (1) No matter who operates, only printing is allowed.
CT (2) No matter who operates, only file export is allowed.
CT (3) No matter who operates, only application startup is allowed.
[When CT policy is applied to CT (1) and CT (2), and group policy is applied to CT (3)]
CT (1) No matter who operates, only printing is allowed.
CT (2) No matter who operates, only file export is allowed.
CT (3) No matter who operates, printing, file export, and application startup can all be performed, and a log of each operation is collected.
The policy set for the user name entered at logon to Windows on a PC with the client (CT) installed is called the user policy. While the client (CT) is operating with the user policy in effect, prohibition and log collection follow the policy set for the logged-on user name, regardless of which PC the operation is performed on. A different policy can be set for each user.
In addition, users can be grouped by department, so that users with the same operational content form one group; the policy set for such a group is called a user group policy. A different policy can be set for each group.
In the example shown in the figure above, the following settings are made for the users and the user group through the Management Console.
The following policies are set for each user name:
User name: 0100 user can only print.
Printing prohibition: No
File export prohibition: Yes
Application startup prohibition: Yes
User name: 0200 user can only export files.
Printing prohibition: Yes
File export prohibition: No
Application startup prohibition: Yes
User name: 0300 user can only start applications.
Printing prohibition: Yes
File export prohibition: Yes
Application startup prohibition: No
The users are grouped, and the group policy is set to "Allow Printing, File Export and Application Startup" and "Collect All Logs".
When a user logs on to Windows, the user policy for that user name is applied. Once applied, the user policy takes precedence over the CT policy of the client (CT): operation follows the user policy only. (The one exception is items that cannot be set in a user policy; for those, the CT policy value of the client (CT) remains valid, as noted in the table of settable items below.)
[When user policy is applied on each CT]
Regardless of the client (CT) on which the user logs on, the operations the user may perform are fixed by the user policy.
User name: 0100 user can only print.
User name: 0200 user can only export files.
User name: 0300 user can only start applications.
[When user policy is applied to User Name: 0100 and User Name: 0200, and user group policy is applied to User Name: 0300]
Regardless of the client (CT) on which the user logs on, the operations the user may perform are fixed by the applied policy.
User name: 0100 user can only print.
User name: 0200 user can only export files.
User name: 0300 user can print, export files, and start applications, and a log of each operation is collected.
CT Policy/User Policy and Items that can be Set
The items that can be set in a CT policy differ from those that can be set in a user policy. The items that can be set are as follows:
Category | Setting Item | CT Policy | User Policy
---|---|---|---
Prohibition Function | File export prohibition | ○ | ○
Prohibition Function | Reading prohibition | ○ | ○
Prohibition Function | Printing prohibition | ○ | ○
Prohibition Function | PrintScreen key prohibition | ○ | ○
Prohibition Function | Logon prohibition | ○ | ― (Note)
Prohibition Function | Application startup prohibition | ○ | ○
Prohibition Function | E-mail attachment prohibition | ○ | ○
Prohibition Function | URL access prohibition | ○ | ○
Prohibition Function | FTP server connection prohibition | ○ | ○
Prohibition Function | Web upload and download prohibition | ○ | ○
Prohibition Function | Clipboard operation prohibition | ○ | ○
Record Function | Application startup log | ○ | ○
Record Function | Application termination log | ○ | ○
Record Function | Application startup prohibition log | ○ | ○
Record Function | Window title obtaining log | ○ | ○
Record Function | E-mail sending log | ○ | ○
Record Function | E-mail sending interruption log | ○ | ○
Record Function | E-mail attachment prohibition log | ○ | ○
Record Function | Command log | ○ | ○
Record Function | Device configuration change log | ○ | ○
Record Function | Printing operation log | ○ | ○
Record Function | Printing prohibition log | ○ | ○
Record Function | Logon prohibition log | ○ | ― (Note)
Record Function | File export log | ○ | ○
Record Function | PrintScreen key operation log | ○ | ○
Record Function | PrintScreen key prohibition log | ○ | ○
Record Function | Web operation log | ○ | ○
Record Function | Web operation prohibition log | ○ | ○
Record Function | FTP operation log | ○ | ○
Record Function | FTP operation prohibition log | ○ | ○
Record Function | Clipboard operation log | ○ | ○
Record Function | Clipboard operation prohibition log | ○ | ○
Record Function | File operation log | ○ | ― (Note)
Record Function | Logon/Logoff log | ○ | ― (Note)
Record Function | Linkage log | ○ | ― (Note)
Record Function | Screen capture | ○ | ○
○: can be set
―: cannot be set
Note: While the client (CT) is operating with a user policy in effect, the items that cannot be set in a user policy take the value configured in the CT policy of the client (CT) being operated.
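The precedence rules above (CT policy applies to everyone on the client; a valid user policy replaces it for every item a user policy can carry; CT-only items keep the CT value; in safe mode only the CT policy runs) are easy to misread, so here is a small model of them. This is an added example written for this page, not Systemwalker Desktop Keeper code and not its policy file format; the item names follow the tables on this page, and every policy's contents are constructed from the CT (1)/user 0100 examples above, with a logon prohibition added to show the fall-back rule.

```python
"""Model of CT policy / user policy precedence as described on this page.

Added example, not product code. Policy contents below are constructed.
"""
from typing import Dict, List, Optional

# item -> True (prohibit / collect) or False (allow / do not collect)
Policy = Dict[str, bool]

# Items a user policy may carry: the "○" rows of the User Policy column.
USER_SETTABLE = frozenset({
    "File export prohibition", "Reading prohibition", "Printing prohibition",
    "PrintScreen key prohibition", "Application startup prohibition",
    "E-mail attachment prohibition", "URL access prohibition",
    "FTP server connection prohibition", "Web upload and download prohibition",
    "Clipboard operation prohibition",
    "Application startup log", "Printing operation log", "File export log",
})
# Items only a CT policy may carry: the "― (Note)" rows of the User Policy column.
CT_ONLY = frozenset({
    "Logon prohibition", "Logon prohibition log", "File operation log",
    "Logon/Logoff log", "Linkage log",
})

# The three operations used in the worked example, mapped to their prohibition item.
OPERATIONS = {
    "Printing": "Printing prohibition",
    "File export": "File export prohibition",
    "Application startup": "Application startup prohibition",
}


def effective_policy(ct_policy: Policy, user_policy: Optional[Policy],
                     safe_mode: bool = False) -> Policy:
    """Return the policy the client (CT) actually enforces for one logon session."""
    effective = dict(ct_policy)
    if user_policy is None or safe_mode:
        # No user policy, or safe mode (Note 3): the CT policy alone applies.
        return effective
    for item, value in user_policy.items():
        if item in USER_SETTABLE:
            # A valid user policy wins for every item it is allowed to carry,
            # regardless of which client (CT) the user logged on to.
            effective[item] = value
        # CT_ONLY items in a user policy are ignored: the CT value stays valid.
    return effective


def allowed_operations(policy: Policy) -> List[str]:
    """Operations not prohibited by the policy (an unset item prohibits nothing)."""
    return sorted(op for op, item in OPERATIONS.items() if not policy.get(item, False))


# Constructed CT policies: "CT (1) printing only", plus a CT-only logon prohibition
# and a CT-only log, to show which values survive when a user policy is applied.
CT1: Policy = {"Printing prohibition": False, "File export prohibition": True,
               "Application startup prohibition": True,
               "Logon prohibition": True, "File operation log": True}
# "CT (2) file export only".
CT2: Policy = {"Printing prohibition": True, "File export prohibition": False,
               "Application startup prohibition": True}
# Constructed user policy: "0100 can only print".
USER_0100: Policy = {"Printing prohibition": False, "File export prohibition": True,
                     "Application startup prohibition": True}
# Constructed user group policy: "Allow Printing, File Export and Application
# Startup" and "Collect All Logs". It also tries to carry CT-only items, which a
# user policy cannot do; the model must ignore them.
USER_GROUP_ALL: Policy = {"Printing prohibition": False, "File export prohibition": False,
                          "Application startup prohibition": False,
                          "Application startup log": True, "Printing operation log": True,
                          "File export log": True,
                          "Logon prohibition": False, "File operation log": False}

if __name__ == "__main__":
    print("0100 on CT (2):", allowed_operations(effective_policy(CT2, USER_0100)))
    print("group user on CT (1):", allowed_operations(effective_policy(CT1, USER_GROUP_ALL)))
    print("group user on CT (1), safe mode:",
          allowed_operations(effective_policy(CT1, USER_GROUP_ALL, safe_mode=True)))
    print("logon prohibition for group user on CT (1):",
          effective_policy(CT1, USER_GROUP_ALL)["Logon prohibition"])
```

Running it shows the three behaviours the text describes: user 0100 can only print even on CT (2), whose CT policy prohibits printing; a user under the all-allowed group policy may print, export and start applications on CT (1), yet CT (1)'s logon prohibition and file operation log stay in force because a user policy cannot carry them; and in safe mode the same user is back to CT (1)'s "printing only".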
Form of Operation and Valid Prohibition/Log Collection
Citrix XenApp is not available.
After the CT policy and user policy have been set and distributed to the client (CT), the client (CT) performs operation prohibition and log collection, but which prohibitions are in effect and which logs are collected depends on the form of operation.
The valid items are shown below.
In addition, functions may be restricted by the operating environment. Refer to "1.2 Notes Relating to Functions" for details.
In the table, "Client (CT)" columns refer to recording the operations of a client (CT) of Systemwalker Desktop Keeper and "Citrix XenApp Server" to recording operations on Citrix XenApp Server (Note 1). "Normal startup" means logon to Windows after the OS has started; "safe mode" means safe mode or safe mode with network (Note 3) (Note 5).

Category | Item | Client (CT), normal startup | Client (CT), safe mode, Windows Vista® | Client (CT), safe mode, Windows® XP | Citrix XenApp Server, normal startup
---|---|---|---|---|---
Prohibition Function | File export prohibition | ○ | ○ | ○ | ―
Prohibition Function | Printing prohibition | ○ | ― | ― | ―
Prohibition Function | PrintScreen key prohibition | ○ | ○ | ○ | ―
Prohibition Function | Logon prohibition | ○ | ○ | ○ | ―
Prohibition Function | Application startup prohibition | ○ | ○ | ○ | ―
Prohibition Function | E-mail attachment prohibition | ○ | ― | ○ | ―
Prohibition Function | URL access prohibition | ○ | ○ | ○ | ―
Prohibition Function | FTP server connection prohibition | ○ | ○ | ○ | ―
Prohibition Function | Web upload and download prohibition | ○ | ○ | ○ | ―
Prohibition Function | Clipboard operation prohibition | ○ | ○ | ○ | ―
Record Function | Application startup log | ○ | ○ | ○ | ○
Record Function | Application termination log | ○ | ○ | ○ | ○
Record Function | Application startup prohibition log | ○ | ○ | ○ | ―
Record Function | Window title obtaining log | ○ | ○ | ○ | ○
Record Function | Window title obtaining log (with URL) | ○ | ○ | ○ | ○
Record Function | E-mail sending log | ○ | ― | ○ | ―
Record Function | E-mail sending interruption log | ○ | ○ | ○ | ―
Record Function | E-mail attachment prohibition log | ○ | ― | ○ | ―
Record Function | Command log | ○ (Note 4) | ○ | ○ | ○
Record Function | Device configuration change log | ○ | ○ | ○ | ―
Record Function | Printing operation log | ○ | ― | ― | ○
Record Function | Printing prohibition log | ○ | ― | ― | ―
Record Function | Logon prohibition log | ○ | ○ | ○ | ―
Record Function | File export log | ○ | ○ | ○ | ―
Record Function | PrintScreen key operation log | ○ | ○ | ○ | ○
Record Function | PrintScreen key prohibition log | ○ | ○ | ○ | ―
Record Function | Web operation log | ○ | ○ | ○ | ○
Record Function | Web operation prohibition log | ○ | ○ | ○ | ―
Record Function | FTP operation log | ○ | ○ | ○ | ○
Record Function | FTP operation prohibition log | ○ | ○ | ○ | ―
Record Function | Clipboard operation log | ○ | ○ | ○ | ○
Record Function | Clipboard operation prohibition log | ○ | ○ | ○ | ―
Record Function | File operation log | ○ | ○ | ○ | ○
Record Function | Logon/Logoff log | ○ | ○ (Note 2) | ○ (Note 2) | ○ (Note 2)
Record Function | Linkage log | ○ | ○ | ○ | ―
Record Function | Screen capture | ○ | ○ | ○ | ―
○: Valid
―: Invalid
Note 1: The policy set for Citrix XenApp monitoring is CT policy. The user policy is not set.
Note 2: PC sleep logs and PC restoration logs are not collected.
Note 3: When starting in safe mode or safe mode with network, only the CT policy is in effect; the user policy is not applied.
Note 4: On Windows Server® 2008 64-bit Edition and Windows Server® 2008 R2, this prohibition and log collection cannot be performed.
Note 5: When starting in safe mode or safe mode with network, operation logs may not be sent to the Management Server until the next normal startup.