By defining what is known and allowed to execute, you're protecting your server machines from unauthorised, illegal or unwanted applications by default, and preventing any interruption in the normal flow of your business.

Sanctuary Server Edition gives you total protection from unauthorised, illegal or unwanted applications on your business critical server machines. With Sanctuary, you define what is known and allowed to execute your server machines. Everything else is denied by default. Only authorised programs will run on your network servers, regardless of the source. Nothing else can get in.

Sanctuary calculates a cryptographic hash for each executable file. This 20-byte signature is generated using the well-known SHA-1 algorithm and serves to identify a particular file. This signature is calculated on the binary content of the executables itself instead of weak attributes such as file name or path, ensuring that only known and allowed will be executed. The signature is calculated at each and every launch of any executable code with no performance impact, delivering 100% reliability. Even if only one bit of the original file is modified it will not be allowed to execute on the host - thus protecting by default your business critical application servers such as Mail, Web, Database and any other specific Application servers.


Sanctuary can be implemented in three easy steps:
1) After identifying the executable files that your users and computers need to have access to, you first authorise these files by generating a signature for each one of them in order to populate Sanctuary's database. Sanctuary provides the tools to quickly build your inventory of allowed executable files based on authorised Operating Systems and applications.

2) In order to easily manage authorised software, related executable files can be collected into File Groups. 

3) Using your existing domain structure, you may authorise individual user or group access to the relevant file groups. You have the flexibility to simply secure the organisation's as a whole from all unwanted and unknown executables and, in addition, to definitively control user access to specific applications if desired.


Because Sanctuary uses positive security model - not a black list - it requires no constant administrative updates:
1. It is only necessary to update the list of authorised executable files when new software is deployed.
2. Sanctuary supports both Windows® WSUS and SUS Update Services and allows automated permission updates for an easy patch deployment.
3. Sanctuary gives you the time to test and deploy system patches because the hosts are protected by default from newly discovered malware executables.
4. If you need to change user rights, Sanctuary is capable of implementing those changes immediately and on the fly - no computer reboot is necessary.

There is no more racing to restore operations after an invasion - because invasions can't occur. There is no more repairing damage done by unwitting employees - because employees aren't allowed to execute what you don't want them to execute. There is no more incessant security updating - because protection is always there, built-in and impenetrable.

Optional Local Authorisation
- Local Authorisation option that allows users to self authorise their own applications
- Dialogue displayed when users attempt to run a non-centrally authorised executable
- Local authorisation sent to the Administrator

White List
Only executable explicitly authorised are allowed to run. The default value is to deny it
- No requirement for regular/subscription updates
- Need to update the list of authorised executable when new software is deployed. We provide you with the major OS and suit updates while lists
- Export and import authorisation lists

Flexibility and Customisation Capabilities
- Grant access rights to specific users, user groups and "on the fly", from the management console without the need to reboot or logoff
- A wide range of administration tools, including a wizard, are provided to ease application's authorisation
- Serverless installations supported

Enhanced potentiality
- All modules have an exhaustive sorting capabilities
- A complete set of searching fields to ease your work
- The file hash permits unambiguously identifying files with the same name

Logs and Audit Capabilities
All users' requests for authorised or unauthorised executable files can be logged
- Full auditing of all Administrator actions
- All Sanctuary Client start and stop actions are recorded

Software Update Services (SUS), Windows Server Update Services (WSUS)
Windows updates are handled automatically
- SUS and WSUS are supported

Script / Path Protection
- Sanctuary® Server Edition can manage the execution of VBScript, Microsoft Office VBA and JavaScript
- It is possible to authorise application by path

Blocking Mode vs. Non-Blocking Mode
- Blocking or Non-Blocking Mode determines whether the Sanctuary® Server Edition Client will impede the running of an unauthorised executable or not (Blocking Mode is the default option)
- The Administrators group is automatically set up in Non-Blocking Mode to simplify the implementation phase

Active Directory and eDirectory Support
- Map Access Rights to users or user groups of an existing Active Directory Domain and Novell eDirectory objects
- Delegation of Administrative rights for Active Directory Organisational Units is automatically incorporated into Sanctuary® Server Edition

Silent Unattended Installations
Installation may be accomplished using any deployment tools that use MSI Setup (e.g.: Microsoft Systems Management Server (SMS), Group Policies, WinInstall, etc.)

Authorisation Wizard
- The Authorisation Wizard allows traversing archives in its search of executable files to okay. It supports RAR and other popular file compression formats.