EP3560 5.0v1 Getting Started With Sophos Central Server Lockdown
[Additional Information]
April 2024
Version: 5.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 7 minutes
In this chapter you will learn what Server Lockdown is, how to configure the Server Lockdown policy
and how to enable and manage a locked down server. You will also learn how to unlock a server.
[Diagram: Whitelist, Locked Down Server, Administrator, New App]
Server Lockdown uses technology that only allows approved applications to run on servers. Controlling
what can run on a protected server, and what modifications can be made to it, makes it harder for an
attacker to compromise the server.
Server Lockdown uses drivers that reside in the operating system kernel that only allow trusted
applications and their associated files to execute and modify files.
The Server Lockdown policy is used to change the settings on a locked down server without unlocking
it. For example, you may want to add and run new software.
Allowing files and folders permits new software to run. It also allows existing software to run and
modify other applications. An example could be a folder used to restore trusted installers. Please be
cautious when using this option, as it ‘trusts’ the software so that any files it creates or changes are
also trusted.
It is beneficial to configure the Server Lockdown policy before locking down a server because the
specified files and folders will not be scanned or added to the whitelist. This decreases the overall time
taken to generate the whitelist.
‘Blocked files/folders’ can be used to block software that is currently allowed to run or to block a
specific folder for applications, such as installers that you want to make available to other users on the
network, but don’t want to run on your server. An example may be a share or filer location.
Please note that installers held in a share can be executed on a remote computer without being in the
allowed files and folders; the allowed list is only required to permit local execution on the server. In the
same way, you cannot prevent a shared installer from being run on a remote computer by adding it to
the blocked files and folders.
Server Lockdown is enabled on the Details page for a server by clicking Lock Down.
When locking down a server, the current state is taken ‘as good’, and any existing applications can be
run normally. New applications added after lockdown will not be able to run unless allowed by a
Sophos Central administrator. The process is known as whitelisting. The lockdown process scans all
local drives, so any policies will need to cover these.
Please note that Server Lockdown can take some time to complete.
Once completed, a server will display the ‘Unlock’ button in the server details.
On the SUMMARY tab you will see the Lockdown Status. This will change during the lockdown
process, however, when completed, it will display as ‘Locked’.
The Sophos Endpoint Agent will display the Lockdown status of the server. Click About to view the
products installed.
Open the Endpoint Self Help Tool and select the Server tab which displays the Lockdown state and
when the files were whitelisted.
The LOCKDOWN EVENTS tab will appear in the server details page once lockdown has been
completed. Please note that following lockdown, you will need to click Request Report to view the
report, and to click Request Report again whenever you want to view any updated lockdown events.
This tab displays any
triggered warnings or events relating to the locked down status. You can use the drop-down menu to
filter which events are shown and can search for events if required.
[Diagram: 1. Download the application’s installer; 2. Add the installer filename to the allowed files in the Lockdown Policy; 3. Run the installer on the locked down server; 4. Remove the installer filename from the Lockdown Policy. Avoid allowing applications like FileZilla.exe, as files downloaded by the allowed application can be executed and reduce protection.]
To add or update an application without unlocking the server, we recommend the following process:
1. Download the installer of the application you want to install on the locked down server.
2. Add the application’s installer file name to the Lockdown Policy in Sophos Central as an allowed
file.
3. Run the installer on the locked down server.
4. Once the application is installed, remove the installer file from the Lockdown Policy in Sophos
Central.
This process will add the installed application’s files to the local whitelist so that it is executed
successfully. Adding application installers or execution files in the lockdown policy to allow them on a
protected server can have unwanted effects and can reduce the security of the server. If you choose to
add an Internet browser for example, every file that is downloaded from that browser becomes
trusted and can execute on the server.
The process detailed here prevents this from happening, allowing your servers to run the required
applications without compromising the security of your servers.
[Additional Information]
For more information and other applications that should be manually configured, see knowledge base
article KB-000035445: https://support.sophos.com/support/s/article/KB-000035445
To unlock a server, navigate to the Server details page in Sophos Central and click Unlock.
Once unlocked, the server will return to its unlocked state and the execution of all files will be allowed.
The lockdown agent on the server needs to be removed locally. The unlock process does not remove
the agent. This is completed by locating the uninstall string in the registry and running an uninstall
command from a command prompt.
[Additional Information]
More information about this can be found in knowledge base article KB-000035355:
https://support.sophos.com/support/s/article/KB-000035355
Please note that when unlocking a server unauthorized activities on that server will no longer be
prevented. A confirmation message will be displayed to ensure that you mean to unlock the server.
The lockdown status will be updated and will show that the server is being unlocked.
[Additional Information]
Open a Command Prompt as Administrator and paste the following string: MsiExec.exe /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C}
Press Enter to uninstall Sophos Lockdown. Accept any prompts that appear during the removal
process.
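One way to script the local removal described above, as an added example that is not part of the Sophos course. It assumes the registry entry’s DisplayName contains "Sophos Lockdown", that the server has already been unlocked in Sophos Central, and that PowerShell is running as Administrator; the product code in the comment is the one quoted in the course.

```powershell
# Added example, not from the Sophos course. Locates the Sophos Lockdown agent's
# uninstall entry in the registry and removes it with msiexec, as the course
# describes. Assumes the DisplayName contains "Sophos Lockdown", the server is
# already unlocked in Sophos Central, and the shell is elevated.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-SophosLockdownUninstallEntry {
    # MSI products use their product code (a braced GUID, e.g. the course's
    # {77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C}) as the uninstall subkey name.
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if ($p.DisplayName -like '*Sophos Lockdown*' -and $p.UninstallString) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    ProductCode     = $sub.PSChildName
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Uninstall-SophosLockdown {
    $entry = Get-SophosLockdownUninstallEntry | Select-Object -First 1
    if (-not $entry) { Write-Warning 'No Sophos Lockdown uninstall entry found.'; return }
    # Only run msiexec against a genuine product code; never execute an
    # UninstallString you have not inspected.
    if ($entry.ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        Write-Error "Unexpected product code '$($entry.ProductCode)'; inspect: $($entry.UninstallString)"
        return
    }
    $log = Join-Path $env:TEMP 'SophosLockdown-uninstall.log'
    Write-Host "Removing $($entry.DisplayName) ($($entry.ProductCode)); log: $log"
    # Same as the course's MsiExec.exe /X{...}; /qn suppresses the prompts,
    # /norestart defers any reboot, /l*v keeps a verbose log for review.
    $msiArgs = "/X$($entry.ProductCode) /qn /norestart /l*v `"$log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Sophos Lockdown removed.' }
        3010    { 'Sophos Lockdown removed; a restart is required.' }
        default { Write-Error "msiexec exited with $($proc.ExitCode); see $log" }
    }
}

Uninstall-SophosLockdown
```

Drop the /qn switch if you prefer to see and accept the prompts as the course describes; the verbose log is the artifact to keep for change records either way.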
https://training.sophos.com/ce/simulation/ServerLockdown/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Chapter Review
Here are the three main things you learned in this chapter.
Server lockdown uses technology that only allows trusted applications and their associated files to
execute and modify files.
The Server Lockdown policy is used to change the settings on a locked down server without unlocking
it.
Allowing files and folders permits new software to run. It also allows existing software to run and
modify other applications.