Create or edit a risk assessment policy

In this topic, you will learn how to create and assign a risk assessment policy in Portnox™ Cloud.

To understand what are policies in Portnox Cloud, what types of policies are available, and how they work together with accounts and groups, read the following topic: What are policies in Portnox Cloud?.

Note: The System Default Policy is tuned to meet the requirements of most configurations. When testing or initially deploying Portnox Cloud, you can skip this topic and keep the default settings. The System Default Policy is assigned to all groups, unless you create another policy and assign it manually.
Important: Risk assessment policies require Portnox AgentP. You need to install AgentP on each device that is to have its risk score calculated. For devices without AgentP, the risk score is 0.

Risk assessment policies are based on a set of attributes. You assign a value to each attribute. To learn how the final score is calculated on the basis of attributes, read the following FAQ entry: How is the risk score calculated for risk assessment policies?.

  1. In the Cloud portal top menu, click on the Policies option.

  2. In the Cloud portal left-hand menu, click on the RISK ASSESSMENT POLICIES tile.

  3. In the right-hand side pane, click on the Create new button to create a new policy.
    Note: You can also click on the  ✎  icon on the right-hand side of the selected line that represents the policy to edit an existing policy, or click on the  ⧉  icon to create a duplicate of one of the existing policies and edit it. The creation and editing processes are almost the same.
  4. In the Risk Assessment Policy name field, enter the name for the new policy and in the Description (optional) field, enter an optional description.

    If you’re editing the System Default Policy, you cannot change its name.

  5. On the right-hand side, adjust the slider, if needed.

    This slider controls the behavior if the device does not meet the policy. By default, if the risk score is between 0 and 69, Portnox Cloud will allow network access, and if the risk score is higher, it will generate an alert, but it will not block network access for the device. By adjusting the two handles on the slider, you can change this behavior, and, for example, configure Portnox Cloud to block the device if the risk score is above 70 and generate an alert if the risk score is over 50.

  6. In the Agent-based (AgentP) section on the left-hand side, select the operating system to configure the attributes for this operating system.

    Each policy contains rules for all operating systems. If you do not configure a specific operating system, Portnox Cloud will use default settings for that operating system.

    For detailed description of all available attributes, see the section Risk assessment policy attributes below.

    Important: If you integrated Portnox Cloud with Microsoft Intune, there is also an Agentless (requires Intune) section on the left-hand side. This section contains attributes for all operating systems, which apply a Cloud risk score depending on the status of Intune integration and compliance. To learn more about these attributes, see the following topic: Configure risk based on the Intune integration.
  7. In the right-hand side pane, configure the attributes for the selected operating system.
  8. Repeat the above steps for other operating systems.
  9. To save your policy settings, click on the Save policy button on the bottom right of the page.

Result: You created or edited a risk assessment policy. You can now assign this policy to groups.

To assign policies to groups, see the following topic: Assign policies to a group.

Risk assessment policy attributes

In this section, you will learn to configure all risk assessment policy attributes for different operating systems.

Note: Attributes are listed alphabetically. Some attributes are available for multiple operating systems. Some attributes are available only with a specific integration: Intune, Jamf, or Absolute.
Note: In the Agentless section, there are two tabs: INTUNE and JAMF. For Windows and Android devices, only the INTUNE tab is active. For macOS and iOS devices, both tabs are active, and you should select attributes depending on whether the devices are managed by Intune or by Jamf. If they are managed by both, Intune has priority.
  • Administrator privileges: Portnox Cloud increases the risk score if the user of the device is logged in with administrator privileges.
  • Antivirus: Portnox Cloud increases the risk score if the device does not have Portnox Cloud-supported antivirus software installed and active.
  • Applications: You can specify applications, which are forbidden, and applications, which are required on the device. Portnox Cloud increases the risk score if even one forbidden application is found or if even one required application is not found.
    1. In the FORBIDDEN APPLICATIONS section, click on the Add an application link to add a name of an application to the forbidden list. Repeat for other applications if necessary.
    2. In the REQUIRED APPLICATIONS section, click on the Add an application link to add a name of an application to the required list. Repeat for other applications if necessary.
    To find the exact name of the application:
    1. Click on the Devices menu option in the top bar
    2. In the list of accounts, click on an account with AgentP installed
    3. Click on a device that has AgentP installed
    4. In the top-right corner, next to the device name, click on the  🗎  icon
    5. In the DEVICE DETAILS window, click on the APPLICATIONS tab
    6. Copy required application names and paste them in the policy
  • Azure directory membership: Portnox Cloud increases the risk score if the device is not a member of any of the listed Azure Active Directory (Entra ID) tenants.
    1. Click on the Add tenant name or id link to add a new Azure/Entra ID tenant name or ID.
    2. Click on the Save button.
    3. Repeat the above steps if necessary to add another tenant.
    Portnox Cloud increases the risk score only if the device is not a member of any of the listed tenants.
  • Certificates: You can specify certificates, which are required to be installed on the device. Portnox Cloud increases the risk score if even one required certificate is not found on the device.
    You can identify certificates by thumbprint or by issuer. If you enter an issuer, any certificate from that issuer will be considered valid.
    1. Click on the Add certificate thumbprint link to enter a thumbprint of the required certificate. Repeat if necessary for other thumbprints.
    2. Click on the Add certificate issuer link to enter an issuer of the required certificate. Repeat if necessary for other issuers.
      The certificate issuer should be listed in the X.500 Directory Specification format. In Windows, you can find this information by opening a command window, typing certlm.msc to run the certificate manager, selecting a certificate, double-clicking it, selecting the Details tab, and selecting Issuer from the list.
      For example: CN = DigiCert Trusted Root G4, OU = www.digicert.com, O = DigiCert Inc, C = US
    You can specify a list of thumbprints and a list of issuers. If Portnox Cloud finds even one certificate from the thumbprint list missing, or if it finds even one certificate from the issuer list missing, it will increase the risk score. First, Cloud checks for all thumbprints. If it finds that one or more thumbprints are missing, it searches remaining device certificates for certificates that were issued by any of the listed issuers. If it doesn’t find a matching certificate for one or more issuers, it increases the risk score.
  • Domain membership: Portnox Cloud increases the risk score if the device is not a member of any of the listed Windows LDAP directory domains.
    1. Click on the Add domain link to add a new Windows LDAP directory domain.
    2. Click on the Save button.
    3. Repeat the above steps if necessary to add another domain.
    Portnox Cloud increases the risk score only if the device is not a member of any of the listed domains.
  • Dormant: You can treat devices that do not communicate regularly with Portnox Cloud as risky.
    • Start sending wake-up push notifications after: Specify a period after which Portnox Cloud will start sending wake-up push notifications to the inactive device.
    • Send a wake-up push notification each: Specify the frequency of sending wake-up push notifications to the inactive device.
    • Stop sending wake-up push notification and mark device as dormant after: Specify after how many push notifications Portnox Cloud should treat the inactive device as dormant and increase the risk score.
  • Drive encryption: Portnox Cloud increases the risk score if the user of the device has turned off built-in hardware encryption on the drive of the device.
    For some operating systems, a specific technology is required. For example, BitLocker Drive Encryption for Windows.
  • Firewall: Portnox Cloud increases the risk score if the device does not have a personal firewall installed and active.
  • Geolocation: You can specify countries, from which connections are allowed or from which connections are forbidden.
    For this attribute to have a value, you must allow geolocation when installing AgentP on a device.
    • List forbidden countries: Selected countries are forbidden, all other countries are allowed.
    • List required countries: Selected countries are required, all other countries are forbidden.

    Click on the box under the Required countries or Forbidden countries heading, and select the country from the list to add it to the list of countries for this rule. Repeat if necessary for more countries. Portnox Cloud increases the risk score, if the device connects from a forbidden country or from a country other than the required countries. You cannot use an allowed and a forbidden list at the same time.

    You can also click on the Apply to all button to apply this setting to all operating systems in this policy.

  • Installation from unknown sources: Portnox Cloud increases the risk score if the user of the device has turned on the operating system option to install applications from unknown sources.
  • Intune dormant: The integration with Microsoft Intune is not working correctly:
    • Device isn't reporting its configuration to Intune for: The risk score is affected if the device hasn’t been reporting its status to Intune for more than the selected time.

    • Compliance status isn't updated for: The risk score is affected if the device’s status in Intune hasn’t updated for more than the selected time.

  • Intune non-compliant: The device is regarded by Intune as a non-compliant device.
  • Jailbroken: Portnox Cloud increases the risk score if the device is jailbroken.
  • Jamf dormant: The device is regarded by Jamf as a dormant device.
  • Jamf not managed: The device is not managed by Jamf.
  • Log-in and accounts: Portnox Cloud increases the risk score if any of the selected login account conditions are not met:
    • Each user account on the device has a password with a defined expiration date
    • Each user account on the device has a non-blank, strong password
    • The Guest account on the device is disabled
    • Device auto-login is disabled
    • Anonymous device access is disabled on the device
  • Missing patches: Portnox Cloud increases the risk score if software patches that are identified as critical or important are not installed within the required time period.
    • Critical patches grace period: Select a grace period for patches identified as critical (24-240h).
    • Important patches grace period: Select a grace period for patches identified as important (24-240h).
    • Add required patches: Manually add patch KB numbers to the list of required patches.
  • Not managed by Absolute Secure Endpoint: Portnox Cloud increases the risk score if the device is not managed by Absolute Secure Endpoint.
    Note: This option is available only if you integrated Portnox Cloud with Absolute Secure Endpoint.
  • Not managed by Intune: Portnox Cloud increases the risk score if the device is not managed by Microsoft Intune.
    Note: This option is available only if you integrated Portnox Cloud with Intune.
  • Open ports: Portnox Cloud increases the risk score if even one of the listed ports is open on the device.
    1. Click on the Add port number link to add a port number to the forbidden list.
    2. Repeat if necessary for other port numbers.
  • OS version: Portnox Cloud increases the risk score if the version number of the operating system on the device is lower than the defined version number.
    Enter the minimum OS version number in the text field.
  • Passcode: Portnox Cloud increases the risk score if the device access is not protected using a passcode.
  • Peripheral devices: You can specify peripheral device types, which the user is forbidden to connect to their device. Portnox Cloud increases the risk score if even one forbidden peripheral devices is connected to the device.
    1. Click on the box under the Specify which peripheral devices it is forbidden to connect to the device heading to select a type from a list and add the type to the forbidden list.
    2. Repeat if necessary for other types.
    The list includes types of peripheral devices such as printers, scanners, cameras, card readers, and more.
  • Rootkit: Portnox Cloud increases the risk score if the user of the device has installed a rootkit on the device.
  • Running services: You can specify services, which are forbidden, and services, which are required to be running on the device. Portnox Cloud increases the risk score if even one forbidden service is found to be running or if even one required service is not running.
    1. In the FORBIDDEN RUNNING SERVICES section, click on the Add link to add a name of a service to the forbidden list. Repeat if necessary for other services.
    2. In the REQUIRED RUNNING SERVICES section, click on the Add link to add a name of a service to the required list. Repeat if necessary for other services.
  • Windows registry: Portnox Cloud increases the risk score if the device does not have the required Windows registry keys.
    1. Click on the Add new registry key link to add a new registry key.
    2. In the Root field, select the registry key root.
    3. In the Key, Value name, and Value fields, enter relevant key and value information for the required registry key.
    4. In the Value type field, select the value type: Int, String, or Bytes.
    5. Click on the Add button to add the key.
    6. Repeat the above steps for other keys if necessary.
    Portnox Cloud increases the risk score if even one of the listed keys is missing.
  • Windows update: Portnox Cloud increases the risk score if the Windows update mode on the device is not configured to match the selected options.
    • Update Automatically
    • Update Manually
    • Update by Windows Server Update Services (WSUS)
    Portnox Cloud increases the risk score if even one of the conditions is not met, with one exception: if the device is configured to update automatically, but the mode selected in this attribute is Update Manually, this is not considered a policy violation.