Creating and populating groups

Posted: February 19, 2010

Use these tasks to create and populate groups. You can populate groups with systems, either by typing NetBIOS names for individual systems or by importing systems directly from your network.

There is no single way to organize a System Tree, and because every network is different, your System Tree organization can be as unique as your network layout. Although you won’t use each method offered, you can use more than one.

Example

For example, if you use Active Directory in your network, consider importing your Active Directory containers rather than your NT domains. If your Active Directory or NT domain organization does not make sense for security management, you can create your System Tree in a text file and import it into your System Tree. If you have a smaller network, you can create your System Tree by hand and import each system manually.

Best practices

While you won’t use all of the System Tree creation methods, you also probably won’t use just one. In many cases, the combination of methods you choose balances ease of creation with the need for additional structure to make policy management efficient.

For example, you might create the System Tree in two phases. First, you can create 90% of the System Tree structure by importing whole NT domains or Active Directory containers into groups. Then, you can manually create subgroups to classify systems together that may have similar anti-virus or security policy requirements. In this scenario, you could use tags, and tag-based sorting criteria on these subgroups to ensure they end up in the desired groups automatically.

If you want all or part of your System Tree to mirror the Active Directory structure, you can import and regularly synchronize the System Tree to Active Directory.

If one NT domain is very large or spans several geographic areas, you can create subgroups and point the systems in each to a separate distributed repository for efficient updating. Or, you can create smaller functional groupings, such as for different operating system types or business functions, to manage unique policies. In this scenario, you could also use tags and tag-based sorting criteria to ensure the systems stay in the group.

IP Information

If your organization’s IP address information coincides with your security management needs, consider assigning IP address sorting criteria to these groups before agent distribution, to ensure that when agents check into the server for the first time, the systems are automatically placed in the correct location. If you are implementing tags in your environment, you can also use tags as sorting criteria for groups, or even a combination of IP address and tag sorting criteria.
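The paragraph above describes how IP address ranges and tags can serve as sorting criteria so that a system is placed in the right group the first time its agent checks in. The following is an added example, not McAfee's own sorting code: it is a small model of that logic in Python, in which each group carries an optional list of subnets and an optional set of required tags, criteria are evaluated in order with the first match winning, and a system that matches nothing falls into a catch-all group. The group names, subnets, tags and the `Unsorted` default are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Catch-all for systems whose address and tags match no group's criteria.
# Placeholder name chosen for this example, not an ePO term.
DEFAULT_GROUP = "Unsorted"


@dataclass
class GroupCriteria:
    """Sorting criteria attached to one System Tree group (illustrative model)."""
    name: str
    subnets: list = field(default_factory=list)  # CIDR strings; empty = no IP criterion
    tags: set = field(default_factory=set)       # tags a system must carry; empty = no tag criterion

    def matches(self, ip: str, system_tags) -> bool:
        """True when the system satisfies every criterion this group defines."""
        addr = ipaddress.ip_address(ip)
        ip_ok = not self.subnets or any(
            addr in ipaddress.ip_network(cidr, strict=False) for cidr in self.subnets
        )
        tag_ok = self.tags <= set(system_tags)
        return ip_ok and tag_ok


def place_system(ip: str, system_tags, criteria) -> str:
    """Return the first group whose criteria match, else the catch-all group.

    Ordering is the administrator's responsibility in this model: more specific
    criteria (IP range plus tag) are listed before broader ones (IP range only).
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        # An agent reporting an unparsable address cannot be IP-sorted.
        return DEFAULT_GROUP
    for group in criteria:
        if group.matches(ip, system_tags):
            return group.name
    return DEFAULT_GROUP


# Constructed sample criteria: two subgroups under one datacenter range, one branch
# office range, and a tag-only group for roaming laptops that have no fixed subnet.
CRITERIA = [
    GroupCriteria("Datacenter\\Servers", ["10.10.0.0/16"], {"Server"}),
    GroupCriteria("Datacenter\\Workstations", ["10.10.0.0/16"]),
    GroupCriteria("Branch-London", ["192.168.50.0/24"]),
    GroupCriteria("Laptops", tags={"Laptop"}),
]


def audit_placements(expected, criteria=CRITERIA):
    """Compare intended placements against what the criteria would produce.

    `expected` maps (ip, frozenset(tags)) -> intended group name. Returns the
    list of mismatches so an administrator can spot criteria that overlap or
    leave systems unsorted before agents are distributed.
    """
    mismatches = []
    for (ip, tags), intended in expected.items():
        actual = place_system(ip, tags, criteria)
        if actual != intended:
            mismatches.append((ip, sorted(tags), intended, actual))
    return mismatches


if __name__ == "__main__":
    for ip, tags in [("10.10.4.7", {"Server"}), ("10.10.4.8", set()),
                     ("172.16.9.1", {"Laptop"}), ("172.16.9.2", set())]:
        print(ip, sorted(tags), "->", place_system(ip, tags, CRITERIA))
```

Running `audit_placements` over a list of known systems before rolling out agents is the practical check: every entry that lands in `Unsorted`, or in a broader group than intended, points at a missing or mis-ordered criterion.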

Although you can create a detailed System Tree with many levels of groups, McAfee recommends that you create only as much structure as is useful. In large networks, it is not uncommon to have hundreds or thousands of systems in the same container. Assigning policies in fewer places is easier than maintaining an elaborate System Tree.

Although you can add all systems into one group in the System Tree, such a flat list makes setting different policies for different systems very difficult, especially for large networks.
