Server Lockdown Policy

Server Lockdown prevents unauthorized software from running on servers.

To do this, Sophos makes a list of the software already installed, checks it is safe, and allows only that software to run in future.

You lock down a server at its details page.

You can use the Server Lockdown settings in a policy to change what is allowed without the need to unlock the server. For example, you might want to add and run new software.

Note If an option is locked global settings have been applied by your partner or Enterprise administrator.

To set up a policy:

  • Create a Lockdown policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is enabled.

Allowed files/folders

This option lets you allow software (such as updaters) to run and modify other applications. It also lets you add new software to a locked-down server without unlocking it.

Caution This option “trusts” the software, so that any files it creates or changes are also allowed. This is different from the process when you lock down a server, which only allows the software itself to run.

You can specify files that are allowed, or a folder in which all the files are allowed.

Tip You can specify a folder where you always download installers for use on the server.
  1. Click Add allowed file/folder.
  2. Select the type of item to allow (file or folder).
  3. Enter the path of the file or folder.
    Note You can use the wildcard *
  4. Click Save.
Blocked files/folders

This lets you block software that is currently allowed to run.

You can specify files that are blocked, or a folder in which all the files are blocked.

Tip You can block a folder used for applications, such as installers, that you want to make available to other users on the network, but don’t want to run on your server.
  1. Click Add blocked file/folder.
  2. Select the type of item to block (file or folder).
  3. Enter the path of the file or folder.
    Note You can use the wildcard *
  4. Click Save.