Managing Registry Keys

Network administrators can modify Ivanti Device and Application Control registry keys, so that Application Control and Device Control can operate more effectively or efficiently in unique network environments or according to specific enterprise network policies.

Registry keys can be used to adapt Application Control and Device Control according to enterprise-specific network environment policies and requirements. Registry keys that can be modified include:

  • Application Server keys
  • Client keys
  • Management Console keys

The database connection registry key parameters allow you to define Application Server behavior during periods of database connectivity loss. The Application Server can run with intermittent database connectivity, ignoring the lack of database connection for specified periods. During these periods, the Application Server retries connecting to the database. After repeatedly attempting to establish database connectivity, the Application Server declines further connectivity requests from the client and console, until database connectivity is restored.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

DbConnectionCount

Shows the number of database connections in the connection pool.

20

DbConnectionString

Shows the driver, server, database, and trusted connection or user name and password.

Provider=sqloledb; DataSource= ; InitialCatalog=sx; Trusted_Connection=yes

DbInitializationDelay

Shows the period in seconds that the Application Server waits before contacting the SQL server.

300

The parameters for the Ivanti Device and Application Control Authorization Service tool registry key parameters are shown in the following table.

Key Name

Description

Default Values

CmdLineBlockParams

Allows user to setup assignment mode, group name(s), and filters in the FileTool.exe command line parameters.

-a1 = Microsoft Update Files

Log file name

Depends upon the Log to file value.

authSrvHlpr.log

Log to file

Sends debug message to the log file yes=1

no = 0

OutputDirectory

Directory path where output XML reports are located.

C:\Program Files\Ivanti\Device and Application Control\Authorization Service\Logs\

SendMail

The service sends e-mail at the end of the scan, which includes the command line and attached XML report.

no = 0

SXSServer

Name or IP address of the Application Server.

Not applicable.

VerboseReport

Report mode. no=normal report mode

yes = verbose report mode

WSUSContentDirectory

Absolute directory path where WSUS files are located.

C:\

You can use the debugging registry key parameters to specify the behavior for debugging the Application Server.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Key Name

Description

Default Value

Debug

For the Application Server running as a service, a debugger will launch and attach to the server when the value is set to yes = 1.

no = 0

Log file name

Shows the name of the log file written when Log to file = yes.

sxs.log

Log to console

Sends debug messages to the console when the value is set to yes = 1.

no = 0

Log to dbwin

Sends debug messages to the DBwin32 when the value is set to yes = 1.

no = 0

Log to file

Sends debug messages to the log file when the value is set to yes = 1.

no = 0

Log file size

Sets the maximum size of a log file (in bytes). When the file size is reached, a new log file with an incremented filename is created. The limit may be exceeded by a small amount.

16777216

Log file count

Sets the maximum number of log files to retain.

8

VerboseSyncLogging

The Application Server logs the important object attributes retrieved during domain synchronization.

no = 0

The general registry key parameters govern the general behavior of the Application Server.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

AdoVersion

Specifies a string representing the version of Active Directory objects used.

No value.

Concurrency

Shows how many running threads are allowed for the input/output connection port (IOCP). Zero is equivalent to one thread per central processing unit (CPU). Maximum number equals MaxThreads.

0=auto

DataFileDirectory

Shows the name of the base directory where the Application Server stores data files.

C:\DataFileDirectory

SysLogGenerateMsg

Determines what type of logs are sent to the SysLog server.

1 = Audit logs only

2 = System logs only

3 = Audit and system logs

SysLogServerAddress

The SysLog server that the Application Server sends server and audit log events to.

Specified during initial client installation.

SyncContinueOnError

When set to true, configures the Application Server to log duplicate user or machine SIDs (or other ACL errors), instead of abort, during a directory synchronization. Errors are recorded to the Application Server log (default sxs.log).

No default value. Key must be manually created and set to true.

The security registry key parameters govern the security configuration for the Application Server.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sxs\parameters registry key parameters for the Application Server. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

CommVer

Specifies the client-server communication protocol that the Application Server uses as follows:

1 = Client versions 3.1 or 3.2

2 = Client version 4.0 or higher

3 = Client version 4.0 or higher with TLS enabled

3

MaxSockets

Specifies the maximum number of TCP connections allowed at any time.

5000

Port

Specifies the TCP port where the socket-based Application Server listens for new connections.

Minimum value = 1 Maximum value = 65534

65129

RpcProtectionLevel

Specifies whether the RPC server requires RPC clients to authenticate.

0 = OS selects protection level 1 = No protection

2 = Client identify is verified when connecting to the Ivanti Device and Application Control Application Server

3 = Examines client credentials for TCP connection.

4 = Examines client credentials for TCP connection, adds cryptographic signature to every packet.

5 = Examines client credentials for TCP connection, adds additional cryptographic signature to every packet.

6 = Examines client credentials for TCP connection, adds cryptographic signature to every packet, and encrypts data in both directions

6

SecureInterSxs

Specifies that inter-Ivanti Device and Application Control Application Server communication use the TLS protocol.

no

SndPort

Specifies the TCP where the Ivanti Device and Application Control client listens for new connections.

Minimum value = 1 Maximum value = 65534

33115

SxdConnectTimeoutMSec

Specifies the time in milliseconds that the Application Server waits to accept a TCP connection for the client. The value should be between 500 and 120000 ms.

5000

SxdPort

Specifies the TCP port where the built-in client server listens for new connections.

Minimum value = 1 Maximum value = 65534

33115

TLSMaxSockets

Specifies the maximum number of TCP connections allowed when using the TLS protocol.

0

TLSPort

Specifies the TLS port where the socket-based Application Server listens for new connections.

Minimum value = 1 Maximum value = 65534

65229

Configure MaxSockets

When certain security registry key parameters interact, some of the combinations formed are not valid as shown in the following table.

Secure InterSxs

CommVer

TLSMax Sockets

MaxSockets

Combined Result

No

<3

0

0

Not valid

0

>0

Valid

>0

0

Not valid

>0

>0

Valid

3

0

0

Not valid

0

>0

Not valid

>0

0

Not valid

>0

>0

Valid

Yes

<3

0

0

Not valid

0

>0

Not valid

>0

0

Valid

>0

>0

Valid

3

0

0

Not valid

0

>0

Not valid

>0

0

Valid

>0

>0

Valid

Configuring MaxSockets and TLSMaxSockets

The following table describes the parameters used for the MaxSockets and TLSMaxSockets configuration rules.

TLSMaxSockets and MaxSockets Values

Description

TLSMaxSockets>0 AND MaxSockets=0

Only TLS connections are available for Application Server-client communication using the TLSPort port specification.

TLSMaxSockets=0 AND MaxSockets>0

Only non-TLS connections are available for Application Server-client communication using the Port port specification.

TLSMaxSockets>0 AND MaxSockets>0

Both TLS and non-TLS connections are available for Application Server-client communication using the TLSPort and Port port specifications.

The registry key parameters for Ivanti Device and Application Control Command & Control (SCC) that govern the behavior for all communication between the server, the client(s), and the Certificate Authority (CA) server are shown in the following table.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scomc\parameters registry key parameters for the Ivanti Device and Application Control Command & Control module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Key Name

Description

Default Value

CertGeneration

Yes=Client is in automatic mode and requests CA certificate.

No=Client is in manual mode and a user certificate must be generated manually.

Defined during client install.

ImportDir

Shows the directory used import the policies file.

C:\Program Files\Ivanti\Device and Application Control\\Import

ListenPort

Show a port number value set between 1025 and 65536 (ports numbers 0 to 1024 are reserved for privileged services).

Port number 33115 is the default value.

Log file name

Shows the name of the log file.

scomc.log

Log to console

Yes=Sends debug message to console.

No=No debug messages sent to console.

No default value.

Log to dbwin

Yes=Sends debug message to dbwin.

No=No debug messages sent to dbwin.

No

Log to file

Yes=Sends debug message to log file.

No=No debug messages sent to log file.

No

Log file size

Sets the maximum size of a log file (in bytes). When the file size is reached, a new log file with an incremented filename is created. The limit may be exceeded by a small amount.

16777216

Log file count

Sets the maximum number of log files to retain.

8

Servers

Shows a list of Application Server names by FQDN or IP address.

Defined during server install.

SyncPeriod

Shows the time in milliseconds for synchronization periods between the Application Server and the client.

3,600,000 ms (one hour) is the default value.

TicketDir

Shows directory where endpoint maintenance tickets are stored.

Cannot modify this key.

UseTLS

Yes=TLS protocol used

No=TLS protocol not used

Defined during server install.

The client kernel parameter sub-entries are shown in the following table.

The following table describes the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\parameters registry key parameters for the client kernel. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

EncryptionMode

EncryptionMode which SK runs one of the following masks:

encLpc = 1

encFips = 2

encDefault = 0

NDISInstallation

Specifies how SCOMC installs SK-NDIS.

1 = Uninstall only an existing SK-NDIS driver.

2 = Uninstall an existing SK-NDIS driver, then install a new SK-NDIS driver.

None

The registry key parameters that govern the application software configuration are shown in the following table.

The following table describes the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC registry key parameters for the Management Console module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

EnableAuthEpResolution

Sets the RestrictRemoteClients functionality status for the RPC interface. Remote and anonymous RPC call is available only if:

  • RPC registry key and EnableAuthEpResolution value described are created during setup.

  • The EnableAuthEpResolution registry value is set to 0.

0

The Application Server registry key parameters allow you to define default server and number of servers connected to the database and console.

The following table describes the HKEY_CURRENT_USER\SOFTWARE\Lumension\Endpoint Security\Server registry key parameters for the Application Server module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

DefaultServer

Name of the last Application Server that the Management Console connected to.

None

Server List

Lists the names of the Application Servers that the Management Console connected to. Server names are separated by commas.

None

The Authorization Wizard registry key parameters allow you to define the behavior for communication between the Application Server and the wizard.

The following table describes the HKEY_CURRENT_USER\SOFTWARE\Lumension\Endpoint Security\SecureEXE\AuthWiz\Parameters registry key parameters for the Authorization Wizard module. All registry key entries are of the type: REG_SZ (= string value), unless designated otherwise.

Parameter Name

Description

Default Value

AutoAssign

Specifies whether the Application Server should assign the hashed files to a file group.

Yes

DefaultServer

The Application Server that the Authorization Wizard sends a result to. The value is the Application Server IP address.

127.0.0.1

DefaultTemDir

The file location where the Authorization Wizard stores results before uploading to an Application Server.

%TEMP%

Conflicts may occur between drivers that exist on managed endpoints and the Ivanti Device and Application Control driver. In these cases, you can create registry entries to exclude the conflicting driver from protection by Ivanti Device and Application Control.

You can repeat this procedure to create multiple registry entries for each driver conflict.

  1. Open the Windows registry on the client computer.
  2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters.
  3. Select New > DWORD (32-bit) Value.
    A new entry is created.
  4. In the Name column for the new entry, type the file path to the driver that you want to exclude.
  5. Press Enter.
  6. Right-click the new registry entry.
  7. Select Modify.
  8. Enter 0 in the Value data field.
  9. Click OK.
    The value for the new registry entry is set. The driver specified in the in the registry entry name will be excluded from protection by Ivanti Device and Application Control.

Installing Ivanti Device and Application Control on Windows 7 operating systems may trigger a security audit resulting in a false error message reporting invalid hashes. Adding a registry key will prevent the audit and the resulting error message from occurring.

  1. Open the Windows registry on the client computer.
  2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters.
  3. Select New > DWORD (32-bit) Value.
    A new entry is created.
  4. In the Name column for the new entry, type ExcludeProtectedProcesses.
  5. Press Enter.
  6. Right-click the new registry entry.
  7. Select Modify.
  8. Enter 1 in the Value data field.
  9. Click OK.
    The value for the new registry entry is set.