Intrusion Detection Policy Management FAQ
Q: How do I assign machines to a group?
A: The group to which a machine belongs is specified when you allow that machine to obtain a digital certificate. Unless you need widely varying IDS policies to control application network access, it is better to just use the group called "Default."
However, if you have clearly identified groups of users who will have significantly different IDS policies for which applications can access the network from their machines, create a separate group in the Group Security Policies window for each clearly defined set of policies that you wish to implement.
Q: My computer is a policy server, but I cannot edit the local IDS policies.
A: If your computer is a member of a group that is not allowed to add/delete local IDS rules, then you cannot modify the rules in your Local IDS Policy window. To modify the local rules, you must open the Group Security Policies window, click the "IDS implemented policies" tab, get the implemented policies from your computer, modify them, and save them.
Q: The "Logs" menu in the Local IDS Policy window shows two logs. What are they?
A: The "Logs" menu shows the Application activity log and the Application access log. The Application activity log shows the last 100 IDS/IDP events; an event is any rule change or application access. The Application access log lists the last ten unique network accesses by each application on the machine. The Application access logs are color-coded, and anything in red signifies a violation of the defined policy.
Q: How do I remotely modify the IDS policies for a machine?
A: In order to modify IDS rules on a machine remotely, you must be a policy server and have privileges to modify the rules for the group to which the client belongs.
Open the Group Security Policies window and click the "IDS implemented policies" tab. Enter the name or IP address of the client and click the "Get policies" button. Edit the policies and click the "Save policies" button.
Q: How do I view the "Application unique access" logs remotely?
A: Open the Group Security Policies window and click the "Application unique access logs" tab. Enter the name or IP address of the client and click the "Get logs" button.
You can create a rule based on the log entry by right clicking on the log entry and selecting the appropriate option.
Q: Why do I see high CPU usage after distributing a new group policy?
A: When you distribute a new group policy, all the application hashes are re-computed. This usually causes a temporary CPU usage spike.
Q: I see a message "Integrity check failed for xyz.exe." What does this mean?
A: Your group policy is configured to verify the hash of each application, and this specific application hash did not match the stored value. This can happen if you have updated the application or any DLLs that it uses or if the application is infected by a virus. Group policy management can be used to recompute the hash for that application or for all applications. Refer to the "Policy Management" chapter for details.
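The two answers above both rest on a stored-hash table that is rebuilt when a policy is distributed and consulted at integrity-check time. The following is an added illustration of that mechanism, not the product's own code: the hash algorithm (SHA-256), the file names and the policy table layout are assumptions, and the sample binaries are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def file_hash(path):
    """SHA-256 of the file contents (algorithm assumed; the product does not state its own)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compute_policy(app_paths):
    """Stored-hash table, the step that runs for every application when a policy is distributed."""
    return {os.path.basename(p): file_hash(p) for p in app_paths}


def integrity_check(policy, app_path):
    """Compare the current hash with the stored value; returns (ok, message)."""
    name = os.path.basename(app_path)
    stored = policy.get(name)
    if stored is None:
        return False, f"No stored hash for {name}"
    if file_hash(app_path) != stored:
        return False, f"Integrity check failed for {name}."
    return True, f"{name} matches stored hash"


def demo():
    """Constructed scenario: xyz.exe is updated after the policy was distributed, then rehashed."""
    d = tempfile.mkdtemp()
    app = os.path.join(d, "xyz.exe")
    other = os.path.join(d, "abc.exe")
    with open(app, "wb") as f:
        f.write(b"original binary v1")
    with open(other, "wb") as f:
        f.write(b"other app")
    policy = compute_policy([app, other])
    before = integrity_check(policy, app)        # passes: binary unchanged
    with open(app, "wb") as f:
        f.write(b"updated binary v2")            # the application is updated
    after = integrity_check(policy, app)         # fails: hash no longer matches
    recomputed = compute_policy([app, other])    # admin recomputes via group policy management
    fixed = integrity_check(recomputed, app)     # passes again
    return before, after, fixed
```

A real deployment would also check the DLLs an application loads, since the answer above notes that updating one of them triggers the same mismatch.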