Server Lockdown Policy

Restriction

If you use Sophos XDR Sensor, this feature isn't available.

Server Lockdown prevents unauthorized software from running on servers.

To do this, Sophos makes a list of the software already installed, checks that it is safe, and allows only that software to run in future.

You lock down a server on its details page.

You can use the Server Lockdown settings in a policy to change what is allowed without the need to unlock the server. For example, you might want to add and run new software.

Set up Server Lockdown

Go to My Products > Server > Policies to set up Server Lockdown.

To set up a policy, do as follows:

  • Create a Lockdown policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

This video explains how to set up a Server Lockdown policy and includes our recommendations for best practices.

Allowed files/folders

This option lets you allow software (such as updaters) to run and modify other applications. It also lets you add new software to a locked-down server without unlocking it.

Warning

This option “trusts” the software, so that any files it creates or changes are also allowed. This is different from the process when you lock down a server, which only allows the software itself to run.

You can specify files that are allowed, or a folder in which all the files are allowed.

Tip

You can specify a folder where you always download installers for use on the server.

  1. Click Add allowed file/folder.
  2. Select the type of item to allow (file or folder).
  3. Enter the path of the file or folder.

    Note

    You can use the wildcard * in the path.

  4. Click Save.
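
The following check is an added example, not part of the Sophos documentation. Because all files in an allowed folder may run, and anything that software creates or changes is also allowed, the script lists the non-administrative principals that can write to a folder before you add it to the policy. It assumes a Windows server; the folder path and the set of SIDs treated as administrative are assumptions to adjust.

```powershell
# Added example: list principals, other than built-in administrative ones,
# that can write to a folder you intend to allow in the Lockdown policy.
param(
    [string]$AllowedFolder = 'D:\Installers'   # hypothetical path; use your own
)

# Well-known SIDs treated as administrative here (an assumption; adjust to your model).
$adminSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Access bits that let a principal add, replace or re-permission files:
# WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete,
# ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Ask for the rules keyed by SID so the comparison is locale-independent.
$acl   = Get-Acl -LiteralPath $AllowedFolder
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if ($adminSids -contains $rule.IdentityReference.Value) { continue }
    if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

    # Resolve the SID to a name where possible; keep the SID otherwise.
    $name = try {
        $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $rule.IdentityReference.Value }

    [pscustomobject]@{
        Principal = $name
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-administrative principals can write to $AllowedFolder."
} else {
    Write-Output "Only administrative principals can write to $AllowedFolder."
}
```

Pass a concrete folder rather than a wildcard path, since `-LiteralPath` does not expand `*`.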

Blocked files/folders

This lets you block software that is currently allowed to run.

You can specify files that are blocked, or a folder in which all the files are blocked.

Tip

You can block a folder used for applications, such as installers, that you want to make available to other users on the network, but don’t want to run on your server.

  1. Click Add blocked file/folder.
  2. Select the type of item to block (file or folder).
  3. Enter the path of the file or folder.

    Note

    You can use the wildcard * in the path.

  4. Click Save.