The fewer policies you have, the easier to manage, and therefore less likely to go wrong :)
All things being equal, I would set up two groups, and set the policies at the group level.
Let's say you want to exclude either C:\FOOBAR or D:\FOOBAR depending on which Drive FOOBAR is installed...
+ GROUP-C-FOOBAR <-- apply the policy exclusion here
| + Server A
| + Server B
+ GROUP-D-FOOBAR <-- apply the policy exclusion here
| + Server C
| + Server D
Of course - if it really IS as simple as I've shown above, then you can also set a policy at the top level excluding **\FOOBAR\ - which will exclude foobar irrespective of which drive it is on, or how far down the path it is...
Now the reality is not that simple...
Server 1: MSSQL, IIS
Server 2: DC, WINS, DNS, DHCP, RIS, IIS
Server 3: Oracle, IIS
Server 4: IIS
Server 5: exchange, IIS
and so on...
I am trying to set exclusions based on the applications on the server. And the application/services are scattered in many different combinations. I don't have x servers running IIS and y servers running oracle. It is all mixed up...
I should need policies that aggregate/are cumulative (I think that is the English word for it). In other words, several policies on one server, if you understand...
Yeah, this is a feature that ePO/VSE is missing alright that would be pretty handy.
It would be great to define a primary VSE policy - say Global_Default which excludes things like pagefile.sys and other standards, then a sub policy called IIS, then another one called Oracle, etc . . .
Then you could apply a series of policies based on tags - so everything would get Global_Default, the ones you have tagged as IIS servers would get the IIS policy, the ones with IIS & Oracle tag would get both extra policies, etc . . .
As you have described above, it's almost impossible to create policies to match all the combinations of servers you have. And it's not just as simple as bunging all the exclusions into one big policy - there are reasons you might want to exclude some things for Oracle but not exclude them for IIS.
Come on McAfee . . . lose the monolithic approach to policy creation and make it more flexible, like for the real world.
I agree a more flexible approach would be welcome...but with what we've got today, you have a couple of options, ShootKing:
a) Have the one generic policy that covers all bases - using the '**' wildcard
e.g. Exclude **\Oracle\ & **\Exchange\
It will exclude the items on each server IF THEY ARE INSTALLED/THERE.....
b) Have specific exclusions for each combination of software
..but you already knew that :)
Perhaps if you work out your individual exclusions you can see where a minor change to the exclusions can be used to reduce the number of groups - e.g. all mail servers in one group, all infrastructure in another, etc. This half-way-house may not be ideal, but may give you the right level of protection across the right servers...
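
The trade-off discussed in this thread, as an added example that is not part of any poster's reply and is not ePO/VSE functionality: it composes per-server exclusion sets from tag-based sub-policies, counts how many distinct policies an exact fit needs, and lists what one merged policy would exclude unnecessarily on each server. The sub-policy model and the PLACEHOLDER patterns are assumptions; only pagefile.sys, **\Oracle\ and **\Exchange\ come from the thread.

```python
from collections import defaultdict

# Constructed sample data: roles follow Servers 1-5 as listed in the thread.
SERVERS = {
    "Server 1": {"MSSQL", "IIS"},
    "Server 2": {"DC", "WINS", "DNS", "DHCP", "RIS", "IIS"},
    "Server 3": {"Oracle", "IIS"},
    "Server 4": {"IIS"},
    "Server 5": {"Exchange", "IIS"},
}
# Hypothetical sub-policies keyed by tag. PLACEHOLDER patterns are not
# vendor guidance; tags without an entry contribute no exclusions.
SUB_POLICIES = {
    "Global_Default": {"pagefile.sys"},
    "Oracle": {"**\\Oracle\\"},
    "Exchange": {"**\\Exchange\\"},
    "MSSQL": {"**\\PLACEHOLDER_MSSQL\\"},
    "IIS": {"**\\PLACEHOLDER_IIS\\"},
    "DC": {"**\\PLACEHOLDER_DC\\"},
}

def effective_exclusions(tags):
    """Union of Global_Default and the sub-policy of every tag that has one."""
    result = set(SUB_POLICIES["Global_Default"])
    for tag in tags:
        result |= SUB_POLICIES.get(tag, set())
    return frozenset(result)

def groups_needed(servers):
    """Group servers whose effective exclusion sets are identical."""
    groups = defaultdict(list)
    for name, tags in servers.items():
        groups[effective_exclusions(tags)].append(name)
    return {excl: sorted(names) for excl, names in groups.items()}

def over_exclusion(servers):
    """Exclusions one merged policy adds beyond what each server needs."""
    merged = frozenset().union(*SUB_POLICIES.values())
    return {name: sorted(merged - effective_exclusions(tags))
            for name, tags in servers.items()}

if __name__ == "__main__":
    for excl, names in groups_needed(SERVERS).items():
        print(names, sorted(excl))
    for name, extra in over_exclusion(SERVERS).items():
        print(name, "unneeded exclusions:", extra)
```

Each entry in the over_exclusion output is a path the scanner would skip on a server that has no need for it, which is the cost of the single generic policy.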