Create or edit a risk assessment policy

In this topic, you will learn how to create and assign a risk assessment policy in Portnox™ Cloud.

To understand what policies are in Portnox Cloud, which types of policies are available, and how they work together with accounts and groups, read the following topic: What are policies in Portnox Cloud?

Note: The System Default Policy is tuned to meet the requirements of most configurations. When testing or initially deploying Portnox Cloud, you can skip this topic and keep the default settings. The System Default Policy is assigned to all groups, unless you create another policy and assign it manually.
Important: Risk assessment policies require Portnox AgentP. You need to install AgentP on each device that is to have its risk score calculated. For devices without AgentP, the risk score is 0.

Risk assessment policies are based on a set of attributes. You assign a value to each attribute. To learn how the final score is calculated on the basis of attributes, read the following FAQ entry: How is the risk score calculated for risk assessment policies?

  1. In the Cloud portal top menu, click on the Policies option.

  2. In the Cloud portal left-hand menu, click on the RISK ASSESSMENT POLICIES tile.

  3. In the right-hand side pane, click on the Create new button to create a new policy.
    Note: To edit an existing policy, you can also click on the ✎ icon on the right-hand side of the line that represents the policy, or click on the ⧉ icon to create a duplicate of an existing policy and edit it. The creation and editing processes are almost the same.
  4. In the Risk Assessment Policy name field, enter the name for the new policy and in the Description (optional) field, enter an optional description.

    If you’re editing the System Default Policy, you cannot change its name.

  5. On the right-hand side, adjust the slider, if needed.

    This slider controls how Portnox Cloud responds when the device does not meet the policy. By default, if the risk score is between 0 and 69, Portnox Cloud will allow network access, and if the risk score is higher, it will generate an alert, but it will not block network access for the device. By adjusting the two handles on the slider, you can change this behavior, and, for example, configure Portnox Cloud to block the device if the risk score is above 70 and generate an alert if the risk score is over 50.

  6. In the Agent-based (AgentP) section on the left-hand side, select the operating system to configure the attributes for this operating system.

    Each policy contains rules for all operating systems. If you do not configure a specific operating system, Portnox Cloud will use default settings for that operating system.

    For a detailed description of all available attributes, see the section Risk assessment policy attributes below.

    Important: If you integrated Portnox Cloud with Microsoft Intune, there is also an Agentless (requires Intune) section on the left-hand side. This section contains attributes for all operating systems, which apply a Cloud risk score depending on the status of Intune integration and compliance. To learn more about these attributes, see the following topic: Configure risk based on the Intune integration.
  7. In the right-hand side pane, configure the attributes for the selected operating system.
  8. Repeat the above steps for other operating systems.
  9. To save your policy settings, click on the Save policy button on the bottom right of the page.
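Every attribute described below uses the same rule ("if the risk score is below this value, Portnox Cloud will increase the risk score to this value"), and the slider in step 5 turns the resulting score into an allow, alert or block decision. The following Python is an added example that models only that rule and the slider as stated on this page; it is not Portnox's own code, the exact calculation is documented in the FAQ linked above, and the names AttributeResult, device_risk_score and access_decision are this example's own.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AttributeResult:
    """One configured attribute and whether the device failed its check.

    Constructed for this example; the names mirror attributes described on this page.
    """
    name: str
    risk_score: int   # value configured for the attribute in the policy, 0..100
    triggered: bool   # True when AgentP reports the condition (e.g. no active antivirus)


def device_risk_score(results: Iterable[AttributeResult], agentp_installed: bool = True) -> int:
    """Apply the raise-to-value rule stated for every attribute.

    If an attribute is triggered and the current score is below the attribute's
    configured value, the score is raised to that value; attributes that are not
    triggered never lower it. Devices without AgentP always score 0.
    """
    if not agentp_installed:
        return 0
    score = 0
    for r in results:
        if not 0 <= r.risk_score <= 100:
            raise ValueError(f"{r.name}: risk score must be between 0 and 100")
        if r.triggered and score < r.risk_score:
            score = r.risk_score
    return score


def access_decision(score: int, alert_above: int = 69, block_above: Optional[int] = None) -> str:
    """Model the two slider handles as 'allow', 'alert' or 'block'.

    Defaults match the page: 0..69 allow, higher scores alert, never block.
    Passing alert_above=50, block_above=70 reproduces the page's customised example.
    """
    if block_above is not None and score > block_above:
        return "block"
    if score > alert_above:
        return "alert"
    return "allow"


# Constructed sample: a Windows laptop with no active antivirus and its firewall
# disabled, but with drive encryption on and no forbidden application found.
SAMPLE = [
    AttributeResult("Antivirus", 80, triggered=True),
    AttributeResult("Firewall", 60, triggered=True),
    AttributeResult("Drive encryption", 90, triggered=False),
    AttributeResult("Applications", 50, triggered=False),
]

if __name__ == "__main__":
    score = device_risk_score(SAMPLE)
    print(score, access_decision(score))                                  # 80 alert
    print(score, access_decision(score, alert_above=50, block_above=70))  # 80 block
    print(device_risk_score(SAMPLE, agentp_installed=False))              # 0
```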

Result: You created or edited a risk assessment policy. You can now assign this policy to groups.

To assign policies to groups, see the following topic: Assign policies to a group.

Risk assessment policy attributes

In this section, you will learn to configure all risk assessment policy attributes for different operating systems.

Note: Attributes are listed alphabetically. Some attributes are available for multiple operating systems. Some attributes are available only with a specific integration: Intune, Jamf, or Absolute.
Note: In the Agentless section, there are two tabs: INTUNE and JAMF. For Windows and Android devices, only the INTUNE tab is active. For macOS and iOS devices, both tabs are active, and you should select attributes depending on whether the devices are managed by Intune or by Jamf. If they are managed by both, Intune has priority.

Administrator privileges

Portnox Cloud increases the risk score if the user of the device is logged in with administrator privileges.

Operating systems: Windows, macOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the current user has logged in to the device with administrator privileges, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Antivirus

Portnox Cloud increases the risk score if the device does not have Portnox Cloud-supported antivirus software installed and active.

Operating systems: Windows, macOS, Linux

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device has no Portnox Cloud-supported antivirus software that is active, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Applications

You can specify applications that are forbidden and applications that are required on the device. Portnox Cloud increases the risk score if even one forbidden application is found or if even one required application is not found.

Operating systems: Windows, macOS, Linux, Android, iOS

Parameters:

  • Risk score:

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that at least one of the forbidden applications is on the device, or that at least one of the required applications is missing, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • FORBIDDEN APPLICATIONS

    Click on the Add an application link to add a name of an application to the forbidden list. Repeat for other applications if necessary.

  • REQUIRED APPLICATIONS:

    Click on the Add an application link to add a name of an application to the required list. Repeat for other applications if necessary.

Note: You can use wildcard characters to match application names.
Important: To learn how to find application names, see the following topic: How to find application names for risk assessment policies?

Azure directory membership

Portnox Cloud increases the risk score if the device is not a member of any of the listed Entra ID (Azure Active Directory) tenants.

Operating systems: Windows

Parameters:

  • Risk score:

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is not a member of any of the added Entra ID tenants, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Add tenant name or id

    Click to add a new Entra ID tenant name or ID. Enter the name or ID in the text field, then click on the Add button. Repeat if necessary to add other tenants.

Note: To find the Entra ID tenant ID, log in to your Entra ID web interface, and then copy the value from the following field: Overview > Tenant ID.

Certificates

You can specify certificates that are required to be installed on the device. Portnox Cloud increases the risk score if even one required certificate is not found on the device. You can identify certificates by thumbprint or by issuer. If you enter an issuer, any certificate from that issuer will be considered valid.

Operating systems: Windows, macOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that one of the specified certificates is missing, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Add certificate thumbprint

    Click on this link to enter a thumbprint of the required certificate. Repeat if necessary for other thumbprints.

  • Add certificate issuer

    Click on this link to enter an issuer of the required certificate. Repeat if necessary for other issuers.

The certificate issuer must be listed in the X.500 Directory Specification format. In Windows, you can find this information by opening a command window, typing certlm.msc to run the certificate manager, selecting a certificate, double-clicking on it, selecting the Details tab, and selecting Issuer from the list.

For example: CN = DigiCert Trusted Root G4, OU = www.digicert.com, O = DigiCert Inc, C = US

Note: You can specify a list of thumbprints and a list of issuers. If Portnox Cloud finds even one certificate from the thumbprint list missing, or if it finds even one certificate from the issuer list missing, it will increase the risk score. First, Cloud checks for all thumbprints. If it finds that one or more thumbprints are missing, it searches remaining device certificates for certificates that were issued by any of the listed issuers. If it doesn’t find a matching certificate for one or more issuers, it increases the risk score.
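The check described in the note above (thumbprints first, then issuers searched only among the certificates not already matched by thumbprint) and the issuer format shown in the example are modelled in the following added Python. It is not Portnox's own code; the device certificates, thumbprints and the Contoso and Example issuer names are constructed for the example, and treating thumbprints as case- and whitespace-insensitive is an assumption.

```python
from typing import List, Sequence, Tuple

# A device certificate as (thumbprint, issuer) for this example.
Cert = Tuple[str, str]


def parse_issuer(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Normalise an issuer in the X.500 format shown on this page.

    'CN = DigiCert Trusted Root G4, OU = www.digicert.com, O = DigiCert Inc, C = US'
    and 'CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US' compare equal.
    Assumption: attribute values contain no commas (escaped commas are not handled).
    """
    components = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed issuer component: {rdn!r}")
        components.append((attr.strip().upper(), value.strip()))
    return tuple(components)


def normalise_thumbprint(thumbprint: str) -> str:
    """certlm.msc shows thumbprints with spaces and mixed case; strip both (assumption)."""
    return thumbprint.replace(" ", "").replace(":", "").lower()


def check_required_certificates(
    device_certs: Sequence[Cert],
    required_thumbprints: Sequence[str],
    required_issuers: Sequence[str],
) -> Tuple[List[str], List[str]]:
    """Return (missing_thumbprints, missing_issuers) following the note above.

    Thumbprints are checked first. Issuers are then searched only among the
    remaining certificates, i.e. those not already matched by a required thumbprint,
    so a certificate listed by thumbprint does not also satisfy an issuer entry.
    """
    by_thumb = {normalise_thumbprint(t): issuer for t, issuer in device_certs}
    wanted = [normalise_thumbprint(t) for t in required_thumbprints]
    missing_thumbprints = [t for t in wanted if t not in by_thumb]

    remaining = [parse_issuer(issuer) for t, issuer in by_thumb.items() if t not in wanted]
    missing_issuers = [i for i in required_issuers if parse_issuer(i) not in remaining]
    return missing_thumbprints, missing_issuers


def certificates_violated(
    device_certs: Sequence[Cert],
    required_thumbprints: Sequence[str],
    required_issuers: Sequence[str],
) -> bool:
    """True when even one thumbprint or even one issuer is missing, per the note above."""
    missing_t, missing_i = check_required_certificates(
        device_certs, required_thumbprints, required_issuers
    )
    return bool(missing_t or missing_i)


# Constructed sample device store: one public root and two certificates from a
# fictional internal CA (issuer written as certlm.msc would display it).
DEVICE_CERTS: List[Cert] = [
    ("A1 B2 C3 D4", "CN = DigiCert Trusted Root G4, OU = www.digicert.com, O = DigiCert Inc, C = US"),
    ("0F 1E 2D 3C", "CN = Contoso Issuing CA 01, DC = contoso, DC = com"),
    ("99 88 77 66", "CN = Contoso Issuing CA 01, DC = contoso, DC = com"),
]
# Constructed policy: one thumbprint that is present, one that is not,
# one issuer that is present and one that is not.
REQUIRED_THUMBPRINTS = ["a1b2c3d4", "ffffffff"]
REQUIRED_ISSUERS = [
    "CN=Contoso Issuing CA 01,DC=contoso,DC=com",
    "CN = Example Root CA, O = Example, C = US",
]

if __name__ == "__main__":
    print(check_required_certificates(DEVICE_CERTS, REQUIRED_THUMBPRINTS, REQUIRED_ISSUERS))
```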

Domain membership

Portnox Cloud increases the risk score if the device is not a member of any of the listed Windows LDAP directory domains.

Operating systems: Windows

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is not a member of any of the specified Windows LDAP directory domains, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Add domain

    Click on this link to add a new Windows LDAP directory domain. Then, click on the Add button. Repeat these steps if necessary to add more domains.

Dormant

Portnox Cloud increases the risk score if the device does not communicate regularly with Portnox Cloud.

Operating systems: Windows, macOS, Linux, Android, iOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that this device is dormant (based on the parameters specified below), and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Device is considered dormant if no activity is received after

    From the drop-down menu, select a period (in hours) after which Portnox Cloud will consider the device inactive and start sending wake-up push notifications to the device.

  • Send a wake-up push notification each

    From the drop-down menu, select the frequency (in hours) of sending wake-up push notifications to the inactive device.

  • Stop sending wake-up push notification after

    From the drop-down menu, select after how many push notifications Portnox Cloud should stop sending the wake-up notifications and consider the device dormant.

Important: The risk score is affected after the last failed wake-up attempt.

Drive encryption

Portnox Cloud increases the risk score if the user of the device has turned off built-in hardware encryption on the drive of the device.

Operating systems: Windows, macOS, Android, iOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that this device has no active built-in drive encryption, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Note: For some operating systems, a specific technology is required. For example, BitLocker Drive Encryption for Windows.

Firewall

Portnox Cloud increases the risk score if the device does not have a Portnox-supported personal firewall that is installed and active.

Operating systems: Windows, macOS, Linux

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that there is no Portnox-supported personal firewall installed on this device and active, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Geolocation

You can specify countries from which connections are required, or countries from which connections are forbidden. Portnox Cloud increases the risk score if the device is in a country listed as forbidden, or is not in any of the countries listed as required.

Operating systems: Windows, macOS, Linux, Android, iOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is located in a forbidden country, or not in a required country, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • List forbidden countries

    Selected countries are forbidden, all other countries are allowed.

  • List required countries

    Selected countries are required, all other countries are forbidden.

  • Apply to all

    Click this button to apply this setting to all operating systems that support this policy.

  • Required countries/Forbidden countries

    Select countries from the list to add them to the list of countries for the selected rule (required or forbidden).

Note: For this attribute to have a value, you must allow geolocation when installing AgentP on a device.
Note: You must either use a list of forbidden countries (blacklist), or a list of allowed countries (whitelist). You cannot combine the two together.

Installation from unknown sources

Portnox Cloud increases the risk score if the user of the device has turned on the operating system option to install applications from unknown sources.

Operating systems: macOS, Android

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the option to install applications from unknown sources is activated on the device, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Intune dormant

Portnox Cloud increases the risk score if the integration with Microsoft Intune is not working correctly.

Operating systems: Windows, macOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the integration with Intune is not working correctly, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Device isn’t reporting its configuration to Intune for

    The risk score is affected if the device hasn’t been reporting its status to Intune for more than the selected time.

  • Compliance status isn’t updated for

    The risk score is affected if the device’s status in Intune hasn’t updated for more than the selected time.

Note: The risk score will be affected if at least one of the conditions listed above applies.

Intune non-compliant

Portnox Cloud increases the risk score if the device is regarded by Microsoft Intune as a non-compliant device.

Operating systems: Windows, macOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud receives information from Intune that the device is non-compliant, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Jailbroken

Portnox Cloud increases the risk score if the device is jailbroken.

Operating systems: iOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device has been jailbroken (has a rootkit installed), and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Jamf dormant

Portnox Cloud increases the risk score if the device is regarded by Jamf as a dormant device.

Operating systems: macOS (Agentless), iOS (Agentless)

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud receives information from Jamf that the device is dormant, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Jamf not managed

Portnox Cloud increases the risk score if the device is not managed by Jamf.

Operating systems: macOS, iOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is not managed by Jamf, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Log-in and accounts

Portnox Cloud increases the risk score if any of the selected conditions that apply to logging in and accounts are not met.

Operating systems: Windows

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that at least one of the conditions listed below is not met, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Each user account on the device has a password with a defined expiration date
  • Each user account on the device has a non-blank, strong password
  • The Guest account on the device is disabled
  • Device auto-login is disabled
  • Anonymous device access is disabled on the device

Missing patches

Portnox Cloud increases the risk score if Microsoft Windows patches that are identified by Microsoft as critical or important are not installed within the required time period.

Operating systems: Windows, macOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that at least one of the listed grace periods for Windows patches has expired, based on the classification by Microsoft (critical or important), and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Critical patches grace period

    From the drop-down menu, select a grace period in days for patches identified as critical (recent to 90d).

  • Important patches grace period

    From the drop-down menu, select a grace period in days for patches identified as important (recent to 60d).

  • Add required patches

    Optionally, add patch KB numbers, including the KB letters at the start (for example, KB5026361). These patches will be required immediately, with no grace period. To enter more than one patch number, click on the Add required patches link again.

Note: The KB numbers are official numbers assigned by Microsoft. To find a patch KB number, check your Microsoft Windows release notes.

Not managed by Absolute Secure Endpoint

Portnox Cloud increases the risk score if the device is not managed by Absolute Secure Endpoint.

Note: This attribute is available only if you integrated Portnox Cloud with Absolute Secure Endpoint.

Operating systems: Windows

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is not managed by Absolute Secure Endpoint, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Not managed by Intune

Portnox Cloud increases the risk score if the device is not managed by Microsoft Intune.

Note: This option is available only if you integrated Portnox Cloud with Intune.

Operating systems: Windows, macOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is not managed by Microsoft Intune, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Open ports

Portnox Cloud increases the risk score if even one of the listed TCP ports is open on the device.

Operating systems: Windows, macOS, Linux, Android

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that a TCP port on the device is open, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Add port number

    Click on this link to add a TCP port number to the forbidden list. Click on the Add port number link again to add another port number. Repeat as many times as necessary.

OS version

Portnox Cloud increases the risk score if the version number of the operating system on the device is lower than the defined version number.

Operating systems: Windows, macOS, Linux, Android, iOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the operating system version on the device is lower than the defined number, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Version

    Enter the version number, as specified by the operating system manufacturer.

Note: To learn how to find the operating system version number for different systems, see the following topic: How to find the OS version for risk assessment policies?

Passcode

Portnox Cloud increases the risk score if the device access is not protected using a passcode.

Operating systems: Android, iOS

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device access is not protected using a passcode, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Peripheral devices

You can specify peripheral device types that the user is forbidden to connect to their device. Portnox Cloud increases the risk score if even one forbidden peripheral device type is connected to the device.

Operating systems: Windows, macOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device is connected to one of the forbidden peripheral device types, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Specify which peripheral devices it is forbidden to connect to the device

    Select types from the list to add them to the list of forbidden peripheral devices.

Note: The list includes types of peripheral devices such as printers, scanners, cameras, card readers, and more.

Rootkit

Portnox Cloud increases the risk score if the user of the device has installed a rootkit on the device.

Operating systems: Android

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the device has a rootkit installed, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Running services

You can specify services that are forbidden and services that are required to be running on the device. Portnox Cloud increases the risk score if even one forbidden service is found to be running or if even one required service is not running.

Operating systems: Windows, macOS

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that even one forbidden service is running, or even one required service is not running, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • FORBIDDEN RUNNING SERVICES

    Click on the Add link to add a name of a service to the forbidden list. Repeat if necessary for other services.

  • REQUIRED RUNNING SERVICES

    Click on the Add link to add a name of a service to the required list. Repeat if necessary for other services.

Note: You can use wildcard characters to match service names.
Important: To learn how to find service names, see the following topic: How to find service names for risk assessment policies?

Windows registry

Portnox Cloud increases the risk score if the device does not have the required Windows registry keys.

Operating systems: Windows

Parameters:

  • Risk score

    Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that even one required Windows registry key is missing, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

  • Add new registry key:
    1. In the Root field, select the registry key root.
    2. In the Key, Value name, and Value fields, enter relevant key and value information for the required registry key.
    3. In the Value type field, select the value type: Int, String, or Bytes.
    4. Click on the Add button to add the key.
    5. Repeat the above steps for other keys if necessary.

Note: You can use wildcard characters to match registry key names.

Windows update

Portnox Cloud increases the risk score if the Windows update mode on the device is not configured to match the selected options.

Operating systems: Windows

Parameters:

Risk score

Enter a number from 0 to 100 or select a number from the drop-down menu. If Portnox Cloud detects that the Windows update mode does not match the selected options, and if the risk score is below this value, Portnox Cloud will increase the risk score to this value.

Available options:

  • Update Automatically
  • Update Manually
  • Update by Windows Server Update Services (WSUS)

Note: Portnox Cloud increases the risk score if even one of the conditions is not met, with one exception: if the device is configured to update automatically, but the mode selected in this attribute is Update Manually, this is not considered a policy violation.