Tuesday 24 March 2009

Bradford Primary Schools Sophos configuration docs

Updated docs are available to staff members on http://brains.primaryt.co.uk/docs

Publicly viewable version below:

Primary Technology Primary school
Sophos configuration


Written by Adrian Rhodes
Revised by John McLear
Published by Primary Technology on Blog tracker http://primarytsupport.blogspot.com
On the 24/03/2009

John@primaryt.co.uk
Adrian@primaryt.co.uk

Before we begin…

Sophos should be downloaded from the Sophos website using your username and password.

Before creating the policies, ensure that Enterprise Manager is synchronized with your
AD structure and that you have created a user in AD for the sole purpose of doing Sophos updates,
i.e. create a user called "sophos" with a random password and join that user to the "Domain
Admins" group to ensure it has rights to access the machines.

%SERVERNAME% is the name of your Sophos server (e.g. 2k3server).
If you are unsure of your server name then this document may be a bit too advanced for you! Please call us on 0845 68 01274 or email us at support@primaryt.co.uk for advice.
This document is only relevant for Bradford Primary Schools including those on the BLN and other internet services.

If the school is not on a Telewest/Virgin Media connection then you may need to change the SMTP server settings when you configure email messaging.

If you have Primary Technology Edumon/remote monitoring services installed and configured, your system will periodically check Sophos to ensure viruses are being handled as documented.

This installation procedure takes 1 hour.

Updating Policies

Default Policy
This policy is applied to all servers, and devices that never leave the school premises.

1. The Primary Server tab should point to \\%SERVERNAME%\InterChk\ESXP. Add the username and password that you created at the start, remembering to include the domain with the username (domain\sophos). No proxy settings need adding as it is all done internally.

2. The Secondary server tab is left blank for the default policy.

3. Logging can just be left as default

4. Schedule should be enabled and set to run every 60 minutes

5. Initial install source should be enabled and pointing to the same directory as your primary server by default.

Teachers Laptop Policy
This policy is applied to any devices that are attached to the school network and are taken off site.

1. The Primary Server tab should point to \\%SERVERNAME%\InterChk\ESXP. Add the username and password that you created at the start, remembering to include the domain with the username (domain\sophos). No proxy settings need adding as it is all done internally.

2. The Secondary server tab should point directly to Sophos, which can be selected from the drop-down box. The username and password for this address is currently (March 2009):

This username and password are only available in the private version of the docs: http://brains.primaryt.co.uk/docs/

3. No proxy settings need adding, as the users probably won't have a proxy set up at home.

4. Logging can just be left as default

5. Schedule should be enabled and set to run every 60 minutes

6. Initial install source should be enabled and pointing to the same directory as your primary server by default.


Anti-Virus Policies

Default Policy
This policy is to be applied to all devices except the servers.

Ensure "Enable on-access scanning" is enabled, then under the On-access scanning options check the following settings:

1. Scanning should be set to normal with none of the scanning options enabled. On-access scanning behaviour is best set with read, write and rename enabled; however, if machines in your school are particularly slow, disable the read scanning.
2. Extensions should be set to scan only executable and infectable files, along with files that have no file extension.
3. Windows Exclusions should have an entry for C:\windows\csc, which will stop your machines grinding to a halt during synchronization of offline files. Do not exclude remote files.
4. Mac exclusions and Linux exclusions can be left disabled.
5. Cleanup should be set to automatically delete viruses and spyware whilst doing nothing for suspicious files (because Sophos isn't all that smart and removes VNC as it thinks it's suspicious).
6. Back at the main policy page, HIPS runtime behaviours can be left with all 3 options enabled.
7. Disable Desktop messaging.
8. Enable Email messaging using smtp.blueyonder.co.uk and put your email address in the recipient field.
9. SNMP messaging can be left disabled.
10. Event log should always be enabled with the default settings, plus any others if you so choose, but there shouldn't be any point.
11. Back on the main policy page again, Authorization can be left as default.
12. Under scheduled scanning click Add, set it to scan local drives only on every day of the week at a time that is suitable (during lunch if the school doesn't use the computers much then, or just after school finishes, are normally the best times), then click Configure.
13. Set scanning to intensive mode and to scan inside archive files along with adware/PUA. Under cleanup, set it to automatically delete viruses and spyware as well as automatically delete adware/PUA.
14. Once more on the main policy page, click Extensions and exclusions; under extensions tell it to scan all files. There should be no exclusions at all.


Server Policy
This policy is to be applied to all servers on the domain.

Ensure "Enable on-access scanning" is enabled, then under the On-access scanning options check the following settings:

1. Scanning should be set to normal with none of the scanning options enabled. On-access scanning behaviour is best set with read, write and rename enabled; however, if your servers are particularly slow, disable the read scanning. Do not allow access to drives with infected boot sectors.
2. Extensions should be set to scan only executable and infectable files, along with files that have no file extension.
3. Windows Exclusions should be left blank. Do not exclude remote files.
4. Mac exclusions and Linux exclusions can be left disabled.
5. Cleanup should be set to automatically delete viruses and spyware whilst doing nothing for suspicious files.
6. Back at the main policy page, HIPS runtime behaviours can be left with all 3 options enabled.
7. Disable Desktop messaging.
8. Enable Email messaging using smtp.blueyonder.co.uk and put your email address in the recipient field.
9. SNMP messaging can be left disabled.
10. Event log should always be enabled with the default settings, plus any others if you so choose, but there shouldn't be any point.
11. Back on the main policy page again, Authorization can be left as default.
12. Under scheduled scanning click Add, set it to scan local drives only on every day of the week at a time that is suitable (out of school hours, but not so it conflicts with any backups being run on the server), then click Configure.
13. Set scanning to intensive mode and to scan inside archive files along with adware/PUA. Under cleanup, set it to automatically delete viruses and spyware as well as automatically delete adware/PUA.
14. Once more on the main policy page, click Extensions and exclusions; under extensions tell it to scan all files. There should be no exclusions at all.
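As an added example (not part of the original document and not Sophos's own code), the following Python model shows how the on-access rules (executable/infectable extensions, no-extension files, Windows exclusions, remote files not excluded) and the daily scheduled scan (all files, local drives only) in the Default and Server anti-virus policies above combine to decide which files get looked at. The infectable-extension list, the sample paths and the treatment of UNC paths as "not a local drive" are assumptions made for illustration.

```python
"""Coverage model for the Default (workstation) and Server AV policies."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# ASSUMPTION: a stand-in for Sophos's "executable and infectable" list.
INFECTABLE_EXTENSIONS = {
    ".exe", ".dll", ".com", ".scr", ".sys", ".bat", ".cmd", ".vbs", ".js",
    ".doc", ".xls", ".ppt", ".dot", ".xlt", ".htm", ".html", ".pif",
}


@dataclass(frozen=True)
class AvPolicy:
    name: str
    on_access_exclusions: tuple = ()  # Windows exclusions (directory prefixes)

    def on_access_scanned(self, path: str) -> bool:
        """On-access: infectable extension or no extension, unless the file
        sits under an excluded directory. Remote (UNC) files are NOT excluded."""
        norm = ntpath.normcase(path)  # lower-case, backslashes
        for excl in self.on_access_exclusions:
            prefix = ntpath.normcase(excl).rstrip("\\") + "\\"
            if norm.startswith(prefix):
                return False
        ext = ntpath.splitext(norm)[1]
        return ext == "" or ext in INFECTABLE_EXTENSIONS

    @staticmethod
    def scheduled_scanned(path: str) -> bool:
        """Daily scheduled scan: every file, no exclusions, local drives only.
        ASSUMPTION: a UNC path is treated as not being a local drive."""
        return not path.startswith("\\\\")

    def never_scanned(self, paths: Iterable[str]) -> List[str]:
        """Files this policy would not touch on access or on schedule."""
        return [p for p in paths
                if not (self.on_access_scanned(p) or self.scheduled_scanned(p))]


DEFAULT_POLICY = AvPolicy("Default", (r"C:\windows\csc",))  # CSC excluded
SERVER_POLICY = AvPolicy("Server")                            # no exclusions

# Constructed sample paths (not taken from a real machine).
SAMPLE_PATHS = [
    r"C:\Users\teacher\setup.exe",
    r"C:\Windows\CSC\v2.0.6\namespace\macro.doc",   # offline-files cache
    r"D:\data\notes.txt",
    r"\\2k3server\staff\budget.xls",
    r"\\2k3server\staff\budget.docx",
]
```

On a workstation the only path in the sample that neither rule reaches is the remote `budget.docx`, which is why the server's own policy keeps no exclusions and scans all files on its scheduled scan.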

Monday 23 March 2009

SIMS Integration & Data Extraction

Thanks to the folks at ANB Software, who have developed a tool to automate the creation of Active Directory users directly from SIMS data, the time taken to set up each server has drastically reduced.

Contact Primary Technology for more information or check out the website for ANB Software.