
Lockdown feature - questions about use

Hi,

we're planning to use Lockdown on Windows Servers with intercept-X installed.

I have some general questions about that feature.

1. How long does it take to unlock a server before installing new software?

2. Can I stop the Lockdown process - if yes: how - after I started it? How long does it take to stop?

     Imagine this scenario: disable Lockdown, install new software, re-enable Lockdown, then notice you forgot to install another piece of software and need to do that asap, so you want to stop the Lockdown process.

3. How does Lockdown work for fileservers where I have huge shares (multi TB) that contain installers?



This thread was automatically locked due to age.
  • Hi

    1) It really depends on what you have set up. The Lockdown is basically a calculation of hashes of what is there. The initial lock takes most of the time. Deltas take less. Overall, however, you should be crafting the policy to target the specific elements. Think of it this way - it works like a firewall, it has a default NO to everything and then you add in allows for specific elements. This is only for PEs executing on that server itself. If someone accesses a share hosted on the server and pulls a PE down to their local and runs it there - lockdown has no effect on that.

    2) I am not sure off the top of my head - let me look into it for you.

    3) it has no effect if the shares are being accessed by endpoints that are copying the files locally. If they try to execute the PE in the share and it isn't excluded - then the lock will prevent the execution.

    Does that make sense?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thank you for your answers.

    Could you please be more precise on Q1 about the time to UNlock the server? I'm aware that the Lock-Time depends on data volumes.

    Q2 is important for our management. They have heard it would take a long time. Really looking forward to your answer.

    Q3: so per default all drives are included in the Lockdown process? If I'd like to exclude the installer shares, I could do that by policy?

    What is PE?

  • PE = Portable Executable - basically anything that is executable in Windows: .exe, .dll and more.

    I am looking into point 2 but it is the end of the week so I don't expect an answer until next week at the earliest.

    RichardP


  • I reached out to our lockdown expert and got this reply:

    1. How long does it take to unlock a server before installing new software? Once the unlock command has been received by the server, the unlock process should take seconds. You should expect to see a status change in Central for an unlocked server within 60 seconds.

    2. Can I stop the Lockdown process - if yes: how - after I started it? How long does it take to stop? No, once it's initiated it can't be cancelled. Hence the 'Lock Down' message we display when choosing to Lockdown.
    3. How does Lockdown work for fileservers where I have huge shares (multi TB) that contain installers?
    If the installers are for clients, then it should be fine as the data is just being read. As soon as you start to modify the installers or try to delete them, you will have issues. It depends what else is being hosted, as we state in our FAQ:
    ===============
    Is Server Lockdown suitable for all server environments?
    No, Server Lockdown is not suitable for all server environments as it will prevent certain actions from taking place. For example, if you host scripts on the server that are regularly updated or host an application used by other computers where data is regularly modified/updated.
    It is recommended that you test Server Lockdown in your environment to confirm suitability.
    ===============
    Also note, any new installers/files added to the share will not be covered by lockdown unless they unlock/lock.
    If these are for clients only and not for running on the server they could add them to the Block list. They will still be added to the baseline so are still protected from the standard delete and modify actions.

    RichardP


  • Hello,

    thanks for your detailed answer!

    Q1+2 are now fully answered.

    I have difficulty understanding the answer about executables on shares.

    In FAQ the following is written: "Lockdown uses technology that only allows approved applications to run on your servers. Controlling what can run and modify application makes it harder for an attacker to hack the server"

    If I place, modify, delete Executables on a share (regularly), those files just appear, change or disappear on the disk of the server. They are not executed or "run" to use the terminology used on FAQ.

    I understand that I cannot run the new exe files on the console of file server but from my understanding I could run them from a client directly from the fileshare. Anything else would not make sense to me.

    Looking forward to your answer.

  • It comes down to where the context of execution is.

    If on the server - it will be blocked.

    If on the endpoint - it should work.

    Does that clarify it?

    RichardP


  • If you can replace "should" work by "will" work - yes. Does it? :-)

  • It is supposed to work but I can't give a guarantee for every PE out there. If they are coded properly - everything will work.

    If the thing does an absolute call to a folder on the machine where it sits (on the server) then it might/probably will fail.

    RichardP


  • When installing the July patches for Server 2016 I noticed that the test server with Lockdown enabled (during the patching) needed about twice as long as the Server 2016 machines without Lockdown.

    For Windows Update, unlocking should not be required and technically isn't. But it seems to slow down the process.

    Patching Server 2016 is already a PIA so we're thinking about unlocking all servers before installing MS patches in the future.

    Unfortunately, this looks like a real clicky orgy in Central as it doesn't seem to be possible to disable or even enable this feature for multiple servers at once.

    Any tip on how we can do this for multiple servers? If the answer may disclose security features, please via PM.

  • A slowdown is expected, and turning off Lockdown and turning it back on won't help. The issue is that Lockdown is indexing the system - and it will have to when you turn it back on.

    The only scenario where it might speed up a bit by doing this is if the updates modify the same elements in sequence:

    1. update 1 touches file A
    2. We index
    3. update 2 touches file A
    4. we index again

    However, I think that you will have a higher cost by turning off then on again because you will have to re-index the entire system.

    I will bring your comment to the PM and Dev team to see if there are optimizations we could include in the product to bring that time down.

    RichardP

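The hash-baseline model RichardP describes in this thread (the initial lock hashes every PE, a re-lock after a delta re-hashes much less, execution on the server is default-deny with allow and block lists, and baselined files remain protected from modify/delete even when on the block list) as an added illustration. This is not Sophos code and not how Lockdown is implemented; it uses a constructed in-memory "disk" of `{path: (mtime, content)}` so it runs offline.

```python
import hashlib

PE_EXTS = (".exe", ".dll", ".sys")  # file types treated as PEs in this model


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(disk, previous=None):
    """Lock: index every PE on `disk` ({path: (mtime, content)}, a constructed
    in-memory stand-in for the server's volumes) as {path: (mtime, sha256)}.
    Entries whose mtime is unchanged since `previous` are reused, so a
    re-lock after a small change hashes far less than the initial lock.
    Returns (baseline, number_of_files_hashed)."""
    previous = previous or {}
    baseline, hashed = {}, 0
    for path, (mtime, content) in disk.items():
        if not path.lower().endswith(PE_EXTS):
            continue  # non-PE data is not part of the execution allow list
        old = previous.get(path)
        if old and old[0] == mtime:
            baseline[path] = old
        else:
            baseline[path] = (mtime, sha256(content))
            hashed += 1
    return baseline, hashed


def may_execute(baseline, disk, path, allow=(), block=()):
    """Default-deny check for a PE executed on the locked server itself.
    The block list wins; otherwise the file must be explicitly allowed or an
    unmodified baseline entry. A client that copies the file off a share and
    runs it locally never reaches this check, as the thread explains."""
    if path in block:
        return False
    if path in allow:
        return True
    entry, current = baseline.get(path), disk.get(path)
    return entry is not None and current is not None and sha256(current[1]) == entry[1]


def detect_tamper(baseline, disk):
    """Return baseline files that were modified or deleted after the lock."""
    changed = []
    for path, (_, digest) in baseline.items():
        current = disk.get(path)
        if current is None or sha256(current[1]) != digest:
            changed.append(path)
    return changed
```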