Pointsec Protector Administration Guide
Pointsec Protector Administrator's Guide, Version 4.91, C May 2009

© 2003-2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see "THIRD PARTY TRADEMARKS AND COPYRIGHTS" on page 217.

Contents

Preface
  Who Should Use This Guide?
  About This Guide
  About Pointsec Protector
  Related Documentation
  More Information
  Feedback

Chapter 1 Introduction
  Overview
    Removable Media/IO Device Manager
    Unauthorized Software/File Protection
    Device Management
    Centralized Management
    Centralized Auditing and Alerts
    Detailed Reporting
    Content Management
    Anti-Virus Scanner Integration
    Remote/Home User Support
    Removable Media Encryption
  License Handling
  Changing the Language of Pointsec Protector
  System Requirements
    Pointsec Protector Enterprise Server
    Pointsec Protector Enterprise Client
  Additional Information

Chapter 2 Using the Administration Console
  Pointsec Protector Administration Console
  Getting Started
  Administrator Utilities
    Connect to Remote or Local Server
  System Utilities
    Removable Media Manager
    Remote Help
    Pointsec Protector Server Properties

Chapter 3 Create and Export Profile Templates
  Overview
  Creating New Profile Template
    General Tab
    Device Manager Tab
    User Interface Tab
    Auditing Tab
    Program Security Guard (PSG) Tab
    Removable Media Manager Tab
    Encryption Tab
    Advanced Tab
    Security Tab
  Exporting Profile Templates
  Default Profile Template

Chapter 4 Set up User and Group Configuration Profiles
  Users/Groups
    Creating New Users/Groups

Chapter 5 Monitoring
  Computers - Dynamic Client Configuration
    Computers View
  Alerts
    Creating a New Alert
  Logs
  Log Filter
    Exporting Logs
    Log Archival
  Removable Media Log
    Predefined Filters
    Viewing Removable Media Audits for Individual Users
    Viewing CD/DVD Audit
    Removable Media Log Archival
    CD Audit Tab
  Reports
    Creating a New Report

Chapter 6 Installing a Remote Pointsec Protector Administrator Console
  Installation Instructions
  Connecting to the Remote Server
  Installing Pointsec Protector Client
    Manual Installation
    Silent Network Installation
    Upgrading Pointsec Protector
    Installing Enterprise Client with Active Directory using GPOs
    Upgrade 4.50 to 4.52+ and migrate to MS SQL Database Server

Chapter 7 Encryption Policy Manager Explorer
  Introduction
    The Requirement – No Software Installation on Target Machine
  Installation
  Using the Encryption Policy Manager Explorer
    Drag and Drop/Copy and Paste of files
  CD/DVD Encryption
    Encrypting CD/DVDs
    Erasing CD/DVDs

Chapter 8 Pointsec DataScan
  About Pointsec DataScan
  Introduction
    What is New in Version 3
  Installing Pointsec DataScan
  Using Pointsec DataScan
    Functionality
    Understanding the XML Script
    Pointsec DataScan's installed files
    Pointsec DataScan's Command Line Parameters

Appendix A Frequently Asked Questions
  Where can I find out about up to date support issues and solutions?
  How can I integrate Pointsec Protector Client with my anti-virus scanner?
  Does Check Point offer training on Pointsec Protector?
  How can I configure my client workstations to only authorize media containing data only?
  How can I change the file types that Pointsec DataScan?
  How can I authorize media that contains executable code?
  How can I disable Pointsec Protector Client if my Operating System becomes corrupt?
  I cannot install software with my software distribution package any more because PSG blocks it?
  How can I allow my software distribution package to install software when PSG is enabled?
  How can I silently install Pointsec Protector Client across my Windows Domain?
  Profile changes I make on the server are not being updated on the client workstations?
  How can I view the profile of the current user?
  How can I assign a special profile to a user without creating a new group?
  How can I set up RMM to only display an unauthorized media message and not authorize, thus forcing the user to visit a sheep dip workstation?
  How can I set up a standalone 'Sheep dip' machine?
  I cannot authorize media with Sophos Anti-Virus when logged in as a user?
  How can I stop users downloading MP3 files from the internet and e-mail attachments?
  How can I specify two or more server names in Pointsec Protector Client?
  Is it possible to change the style of the Pointsec Protector Client message boxes?
  Is it possible to enforce users to only have write access to encrypted removable media?
  Is there a key recovery mechanism implemented into the Encryption Policy Manager?
  How can I allow users to access encrypted media external to my organization without converting the device back to clear text?
  How can I stop a particular user from accessing previously authorized encrypted media?
  How can I stop users with local admin rights from disabling the Pointsec Protector Service?
  How can I setup multiple Pointsec Protector Servers?
  How can I assign machine specific settings?
  How can I pre-encrypt a device for a user?
  How can I assign devices to individual users only?
  Is it possible to hide the Pointsec Protector system tray icon?
  How can I configure it so that certain devices are enabled independent of who logs on?
  How can I add my own specific devices?
  Does Pointsec Protector still protect in safe mode?
  Can I prevent users with local admin rights from uninstalling the Pointsec Protector Client software?
  Is it possible to configure different profile settings for when a mobile user is on and off the network?
  Can Pointsec Protector Server be installed onto an existing MS SQL Server database?
  If I already have MSDE installed on my server, can I install Pointsec Protector Server onto the same machine?
  Can I install Pointsec Protector in an audit-only mode?

Appendix B Glossary of Terms

Index

Preface

In This Section
  Who Should Use This Guide?
  About This Guide
  About Pointsec Protector
  Related Documentation
  Feedback

Who Should Use This Guide?

Administrators at organizations using Pointsec Protector should read this guide.

About This Guide

This guide describes how to manage the Pointsec Protector Server and Client.

About Pointsec Protector

Pointsec Protector is a unique corporate solution that provides a policy-driven mechanism of securing an organization's information and ensuring data integrity.

Related Documentation

This release includes the following additional documentation:

Table 1-1 Pointsec Protector documentation

Document                              | This document contains ...
Pointsec Protector Installation Guide | Information relevant when installing the master installation of Pointsec Protector.
Pointsec Protector Quick Start Guide  | Instructions for getting started.
Pointsec Protector Release Notes      | System requirements for Pointsec Protector Server and Client; current information about the product, such as new features and functions in the current release, problems that have been fixed since the previous release, and any known issues about the current release.

More Information

If you require information on Check Point's other security products or services, or if you should encounter any problems with Pointsec Protector, please visit our web site or call us.

Table 1-2 Contact information

Telephone: The Americas 972-444-6600 (Technical Support), 1-800-429-4391 (Sales); International +972-3-6115100
Web site (Technical Support): http://support.checkpoint.com – Our Support Center is a comprehensive self-service database designed to quickly and easily answer all of your technical installation, configuration and upgrade needs on Check Point Software Technologies Ltd. products.
Web site (Sales): http://partners.us.checkpoint.com – Here you can search for a Check Point sales partner near you.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please contact your technical sales representative if you have comments on this guide.

Chapter 1 Introduction

This chapter gives an overview of the Pointsec Protector product and its modules. You will also find the system requirements in this chapter.
In This Chapter
  Overview
  Removable Media/IO Device Manager
  Unauthorized Software/File Protection
  Device Management
  Centralized Management
  Centralized Auditing and Alerts
  Detailed Reporting
  Content Management
  Anti-Virus Scanner Integration
  Remote/Home User Support
  Removable Media Encryption
  License Handling
  Changing the Language of Pointsec Protector
  System Requirements
  Pointsec Protector Enterprise Server
  Pointsec Protector Enterprise Client
  Additional Information

Overview

Pointsec Protector is a unique corporate solution that provides a policy-driven mechanism of securing an organization's information and ensures data integrity across all end points.

The following features are optional and can be selected during installation, allowing the administrator to match the organization's security policies.

Removable Media/IO Device Manager

By centrally controlling access to removable media/IO devices, the system administrator can control user access to floppy disks, memory sticks, PDAs, flash memory, Zip/Jazz drives, digital cameras, etc. (CDs, CDRs and DVDs can be protected by using Device Manager). The Removable Media Manager controls device access on all available ports, including USB and Firewire.

All removable media/IO devices must be authorized before use is granted. Authorization can be centrally managed, or users can authorize their own devices provided certain rules are met (see data authorization and anti-virus scanner integration below). A digital signature is written to a device to mark it as authorized. The digital signature is automatically updated during file transfers within the protected environment. If changes to the media are permitted outside of the organization, the device will require re-authorization before it can be used again within the protected environment.

The system enforces that all devices are virus-free, prevents illegal importing of data and, more importantly, can prevent the unauthorized exporting of data. This system will also stop users gaining access to any unauthorized hot-swap and plug-and-play devices.

Unauthorized Software/File Protection

Pointsec Protector provides profile-based file management. Users can be prevented from creating defined file types on the local workstation and network drives. File types are specified by extension and can be used to prevent the introduction of unlicensed software (.exe, .com, .dll, etc.), malicious file types (.vbs, .scr, etc.), or simply unwanted file types (.mpg, .mp3, .jpg, etc.). Protection is provided from any external source, including e-mail attachments and web downloads.

This component also provides unrivalled protection against new and unknown virus attacks. For example, both W32/MSBlast and W32/SoBig would be automatically blocked from infecting the system simply by preventing the creation of unauthorized executable files.

Device Management

Pointsec Protector allows the administrator to control user access to devices accessed through all PC ports. Access to IrDA, COM, USB, Firewire and LPT ports can be controlled. By applying security permissions to devices it is also possible to manage access to all removable media, CD/DVD drives, PDAs, WiFi, Blackberries, Bluetooth and unauthorized hard disks. This feature prevents users from connecting unauthorized devices to the PC ports, including hardware such as a modem, and provides On/Off/read-only protection as opposed to the more granular approach offered by the Removable Media Manager detailed above.

Centralized Management

Pointsec Protector is centrally administered. A familiar Microsoft Management Console (MMC) interface is provided to control user profiles, real-time monitoring, and extensive auditing. User profile management and configuration is all stored within an SQL database.

Centralized Auditing and Alerts

Pointsec Protector provides detailed auditing of attempted security breaches. All events are centrally logged in an SQL database with the ability to create structured queries and detailed reports. Pointsec Protector enables the administrator to centrally audit all file operations on all removable storage, including CDs/DVDs. The administrator can configure the auditing of certain events to produce e-mail alerts to defined addresses.

Detailed Reporting

The Pointsec Protector auditing provides extensive tracking of user behavior and system security. To simplify audit analysis, fully configurable HTML reports can be generated from within the administration console detailing summary information across all audit events.

Content Management

Pointsec Protector is supplied with a data authorization module, which is integrated within the media authorization process. Employing this module, users can be given the right to authorize their own media provided the device contains only permitted file types. The Pointsec DataScan module can be configured to only allow the authorization of data-only files. Any executable/unapproved code will be rejected even if renamed or hidden. This provides an additional layer of generic active code protection. Using the Pointsec DataScan configuration utility, it is possible to specify which file types are permitted.

Anti-Virus Scanner Integration

Pointsec Protector automatically detects and integrates with compatible anti-virus scanners. Anti-virus scanners can be used to enforce that all removable media are virus-free before access is granted as part of the authorization process.

Remote/Home User Support

Pointsec Protector supports remote and standalone workstations. Remote workstations (laptops and desktops) often pose a greater security risk, as conventional anti-virus and security techniques are often hard to enforce. Pointsec Protector provides valuable generic protection against malicious code and can be fully managed just like networked workstations. A remote worker can be dynamically controlled if connected to the Internet via a VPN or RAS connection.

Pointsec Protector empowers businesses to manage and secure their data across both networked and standalone workstations. Being user-based and centrally managed, it presents the minimum of administrator overhead whilst affording the maximum level of security aimed at your internal threats.

Removable Media Encryption

Pointsec Protector can be supplied with the optional Encryption Policy Manager (EPM). The greatest threat when granting access to removable media storage devices is the loss of sensitive or proprietary information. The Encryption Policy Manager can ensure that data can only be accessed by authorized staff on authorized systems.

The Pointsec Protector Encryption Policy Manager provides transparent encryption of removable media storage devices. This feature includes the encryption of CD/DVDs when using the built-in software on the protected workstations. Unlike any other solution on the market, offline access can be granted to trusted users. Users will be able to access secure devices without the need to install any software onto third party systems, using secure password authentication. This component will allow access on third party systems even with just basic user rights.

License Handling

Licenses for both the Port Management and Media Encryption features together, or for either one of them, can be obtained from Check Point. It is possible to run some computers in a network with Port Management only enabled, while other computers have Media Encryption only enabled, and while others still have both features enabled.

Computers with a license for both Port Management and Media Encryption have access to all features in the administration console. On computers with a Port Management-only license, everything is accessible except the Encryption tab and the Encrypted column in the Device Manager, which are grayed out. On computers with a Media Encryption-only license, only the Encryption tab and the Encrypted column in the Device Manager are accessible; the rest is grayed out.

If a user tries to install a client with both features enabled while only having a license for one of them, an alert will be displayed in the central logs. If there are any active unlicensed computers, a warning screen with details will be displayed at the startup of the administration console. Both from the central logs and from the startup warning screen it is possible to run the License Manager and install additional licenses. There is no need for any uninstallations or manual configurations of the clients missing valid licenses.

For further information, please contact your authorized Check Point Software Technologies Ltd. partner. For a list of authorized partners, please visit http://partners.us.CheckPoint.com/partnerlocator/.

Changing the Language of Pointsec Protector

The Pointsec Protector client user interface can be displayed in the following languages: English, French, French (Canadian), German, and Spanish. The language is set in the client automatically at start-up based on the setting of the "HKLM/SOFTWARE/Reflex/Disknet/Language" string in the client registry. The following settings are possible:

• XX – the language is taken from the language of the computer
• EN – English (United States) - default
• FR – French
• CA – French (Canadian)
• DE – German
• ES – Spanish (European)

If the language localization file does not exist, then the product uses the English file as default, which always exists.
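As an added example (not from the guide or from Check Point), the following PowerShell audits and sets this registry value on a client and reports the language the client will actually display, including the English fallback described above. It assumes the guide's "HKLM/SOFTWARE/Reflex/Disknet/Language" string is the value named Language under the key HKLM\SOFTWARE\Reflex\Disknet on the 32-bit platforms the guide lists, and the way XX is resolved from the Windows culture name is this example's reading of "taken from the language of the computer", not documented behaviour.

```powershell
# Added example, not part of the Check Point guide: audit and set the
# Pointsec Protector client UI language. Assumption: the guide's
# "HKLM/SOFTWARE/Reflex/Disknet/Language" string is the REG_SZ value
# "Language" under the key HKLM\SOFTWARE\Reflex\Disknet (32-bit client).

$DisknetKey = 'HKLM:\SOFTWARE\Reflex\Disknet'

# Codes documented by the guide. XX = follow the computer's language.
$SupportedLanguages = @{
    'XX' = 'Taken from the language of the computer'
    'EN' = 'English (United States), default'
    'FR' = 'French'
    'CA' = 'French (Canadian)'
    'DE' = 'German'
    'ES' = 'Spanish (European)'
}

function Resolve-DisknetLanguage {
    # Returns the code the client will actually display for a configured
    # code, mirroring the guide's fallback: a missing value or a code with
    # no localization file is shown in English. The culture-to-code
    # mapping used for XX is an assumption of this example.
    param(
        [string]$Code,
        [string]$CultureName = (Get-Culture).Name
    )
    if ([string]::IsNullOrWhiteSpace($Code)) { return 'EN' }
    $Code = $Code.Trim().ToUpper()
    if ($Code -ne 'XX') {
        if ($SupportedLanguages.ContainsKey($Code)) { return $Code }
        return 'EN'   # unknown code: client falls back to the English file
    }
    switch -Regex ($CultureName) {
        '^fr-CA$' { return 'CA' }
        '^fr'     { return 'FR' }
        '^de'     { return 'DE' }
        '^es'     { return 'ES' }
        default   { return 'EN' }
    }
}

function Get-DisknetLanguage {
    # Reports the configured code ($null if the key or value is missing)
    # and the effective display language.
    $item = Get-ItemProperty -Path $DisknetKey -Name 'Language' -ErrorAction SilentlyContinue
    $code = if ($null -ne $item) { [string]$item.Language } else { $null }
    [pscustomobject]@{
        Configured  = $code
        Effective   = Resolve-DisknetLanguage -Code $code
        Description = $SupportedLanguages[(Resolve-DisknetLanguage -Code $code)]
    }
}

function Set-DisknetLanguage {
    # Writes one of the documented codes. The client reads the value at
    # start-up, so the change applies on the next client start. Writing
    # HKLM requires administrative rights.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('XX', 'EN', 'FR', 'CA', 'DE', 'ES')]
        [string]$Code
    )
    if (-not (Test-Path -Path $DisknetKey)) {
        New-Item -Path $DisknetKey -Force | Out-Null
    }
    Set-ItemProperty -Path $DisknetKey -Name 'Language' -Value $Code -Type String
    Get-DisknetLanguage
}

# Usage: report the current setting, e.g. before rolling out a change.
Get-DisknetLanguage
```

Run Get-DisknetLanguage on a client to confirm what it is configured with and what it will show; Set-DisknetLanguage -Code XX hands the choice to the computer's language.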
System Requirements Pointsec Protector Enterprise Server All Platforms • MSSQL 2000/2005 license or MSDE (supplied) • Suitable Server backup mechanisms • 1GB+ RAM • 1GB+ Hard disk space for SQL database storage MS Windows 2000 • MS Windows 2000 Server/Advanced Server or Professional • MS Windows 2000 Service Pack 2+ • MS Internet Explorer v5.5+ MS Windows 2003 • MS Windows 2003 Server/Advanced Server/R2 MS Windows XP • MS Windows XP Professional • MS Windows XP Service Pack 1+ It is recommended that the latest Microsoft operating system patches are applied and that the system BIOS is set to prevent booting from removable media. Note - Pointsec Protector Enterprise Server integrates with Novell NDS networks but must be installed on an MS Windows server/workstation with the Novell Client installed. Pointsec Protector Enterprise Client MS Windows 2000 10 • MS Windows 2000 Professional • MS Windows 2000 Service Pack 2+ Additional Information • MS Internet Explorer v5.5+ MS Windows 2003 • MS Windows 2003 Server/Advanced Server/R2 The BIOS boot protection should be configured on the hardware hosting the Pointsec Protector components so that it will boot solely from its local internal hard drive. MS Windows XP • MS Windows XP Professional • MS Windows XP Service Pack 1+ MS Windows Vista • MS Windows Vista 32-bit Additional Information Pointsec Protector is supplied with fully indexed administrator and user online help. 
In addition to these resources, further information is available from the Check Point web site, http://www.checkpoint.com. The website provides a support area, http://support.checkpoint.com, which includes:
• A fully searchable support knowledge base that provides up-to-date information on the latest support problems and frequently asked questions
• Downloads of the latest software updates and patches for licensed customers
• The latest product documentation
• Discussion forums on Check Point products

Chapter 2 Using the Administration Console

This chapter describes how to get started with Pointsec Protector, and also how to use the administrator and system utilities.

In This Chapter
Pointsec Protector Administration Console: page 13
Getting Started: page 14
Administrator Utilities: page 15
Connect to Remote or Local Server: page 15
System Utilities: page 17
Removable Media Manager: page 17
EPM Key Recovery: page 20
Pointsec Protector Server Properties: page 22

Pointsec Protector Administration Console

The Pointsec Protector Administration Console allows system administrators to centrally manage Pointsec Protector Client software. The Pointsec Protector Administration Console is a Microsoft Management Console (MMC) snap-in. Using this management console it is possible to perform the following tasks:
• Create and manage user/group-based policy profiles for the control of Removable Media Manager, Program Security Guard (PSG), Device Manager, and Encryption Policy Manager.
• Perform dynamic management of Pointsec Protector Client workstations.
• View and process audit events
• Management of automated alerts
• Management of Pointsec Protector Security infrastructure
• Management of removable media encryption settings (EPM)

Getting Started

This section presents the stages that should be followed when installing Pointsec Protector for the first time (for detailed installation instructions, see the Pointsec Protector Installation Guide). It is advisable to complete the following steps in the order they are presented here to complete a successful deployment:
1. Edit the default profile. This profile is used as the default global profile and contains the default organizational policies. For example, if a global messaging standard is required across the organization, it should be configured within the default profile. The default profile is also used if the client user is unknown or if the server connection fails, and should be used as a failsafe mechanism.
2. Create new profile templates from within the Profile Templates node. These profiles should include a standard user profile and an administrator profile, plus any other special profiles required.
3. Create new groups using the Create New Group Wizard and assign the required profile templates. It is often advisable to create new Windows/Novell domain groups for use with the Pointsec Protector Enterprise Server.
4. Specify the required e-mail alerts from the Alerts node.
5. Configure the Pointsec Protector security settings as required. If using the Encryption Policy Manager, please pay careful attention when specifying the EPM Key Recovery option.
6. Back up the media ID using the Export Media ID wizard. A prompt to back up the media ID is also displayed the first time the administration console is opened.
7. Export the default profile to the Pointsec Protector Client installation folder.
8. Manually install at least two Pointsec Protector Client workstations for testing.
9. Set up and configure a silent Pointsec Protector Client installation.

Administrator Utilities

A number of administrator utilities are provided for managing the Pointsec Protector Enterprise. This section details the following features:
• Managing Pointsec Protector Enterprise Server/Client security
• Performing a local/remote server connection using Microsoft Management Console (MMC)
• Generating a Pointsec Protector Emergency Access disk
• Managing Removable Media signature IDs
• Configuring device types covered under the management of Device Manager
• Managing Removable Media Encryption (EPM)

Connect to Remote or Local Server

The Pointsec Protector Administration Console uses the industry standard Microsoft Management Console (MMC) to manage the Pointsec Protector Server. MMC provides a great deal of flexibility and allows for remote server connections. It is possible to install multiple administration consoles across an organization to manage a Pointsec Protector Server (see “Installing a Remote Pointsec Protector Administrator Console” on page 133).

To connect to a remote or local server machine that is within the same LAN:
1. Select Connect to from the Check Point Protector Server node as displayed below:
Figure 2-1
The following window opens:
Figure 2-2
2. Select one of the following connections as applicable:
• the local machine, if the Pointsec Protector Server is running locally, or
• a remote machine, by entering the server machine name or IP address in the host field. The TCP/IP port number of the server machine should be entered (default 9738).
3. Click Finish to complete the connection. The following connection process is displayed:
Figure 2-3
The current connection status is displayed. Note that security access must be granted within the Security Permissions tab before a remote server connection can be performed.
Figure 2-4

System Utilities

Removable Media Manager

During installation the Pointsec Protector Enterprise Server generates a unique signature media ID. This unique ID is used during media authorization and ensures that media authorized within other Pointsec Protector protected environments are not valid within this protected zone, and vice versa. On occasion it can be desirable to use the same media signature ID on multiple sites/servers. This means that devices authorized within one protected environment can also be recognized as authorized in other environments. This can be achieved using the Import/Export Media ID feature.

Enhanced Mode

The Removable Media Manager operates in Enhanced Mode by default, as determined by the EM field in the config.ini file when deploying the Pointsec Protector Client software. This Enhanced Mode of operation detects every single change made to the removable media on a non-Pointsec Protector machine. However, checking every directory level of the media would be slow, so the check is only applied to seven directory levels (that is, including the root level). Checking any deeper could result in a noticeable system slowdown, and this trade-off between system security and speed cannot be compromised. Therefore, files/folders beyond this scope are treated as read-only with no access to the binary files therein: files cannot be executed or copied to the Pointsec Protector client machine's hard drive. If the Enhanced Mode flag is manually changed in the config.ini pre-rollout by a System Administrator and is not operational on their Pointsec Protector client base, only significant media changes will be detected when reintroduced media has been amended on these client machines.

Import/Export Media ID

To launch the Import/Export Media ID wizard:
1. Right-click on the Pointsec Protector Server node and select Removable Media Manager > Import/Export Media ID as shown below:
Figure 2-5
2. Click Next past the welcome screen:
Figure 2-6
3. Select Import media ID if you wish to set up this server with a previously generated media ID, and select Export media ID to back up your media ID or to set up another server using the same media ID. Click Next to continue:
Figure 2-7
4. Select the location where you wish to import/export the media ID from/to. Click Next to continue:
Figure 2-8
5. Click Finish to complete the process:
Figure 2-9

Remote Help

Both the full Pointsec Protector client and the EPM Explorer support challenge/response password recovery, either using the Pointsec Protector Management console or using the SmartCenter for Pointsec - webRH system. More information on how to install, configure and use SmartCenter for Pointsec - webRH is found in these documents:
• SmartCenter for Pointsec - webRH Framework Administrator’s Guide
• SmartCenter for Pointsec - webRH Framework Installation Guide
• SmartCenter for Pointsec - webRH Pointsec Protector Module Administrator’s Guide
• SmartCenter for Pointsec - webRH Pointsec Protector Module Installation Guide

EPM Key Recovery

On sites where the Encryption Policy Manager (EPM) has been enabled it is possible to perform remote password recovery in the event that a user forgets his/her offline password on encrypted devices. The challenge/response system settings can be configured within the EPM tab.
Figure 2-10
To perform remote password recovery:
1. Select EPM Key Recovery. The following dialog is displayed:
Figure 2-11
2. Click Next to continue. The following dialog is displayed:
Figure 2-12
3. Enter the challenge code generated by the locked-out user. Click Next to continue. The Pointsec Protector Enterprise Server securely authenticates the challenge code and verifies its authenticity. Once verified, a response code is generated and must be relayed to the user:
Figure 2-13
4. On completion, click Finish.

Pointsec Protector Server Properties

Right-click on the Pointsec Protector Server node and choose Properties; the following tabs are displayed: General, Applications, Security, E-mail configuration, and Console settings.

General Tab

The General tab displays Pointsec Protector server information, media revocation, and license information as described below.

Version Information

The version of Pointsec Protector Server that is currently running is displayed in the General tab. This information is very useful for support purposes and should be relayed back to the Check Point Technical Support department during any correspondence.
Figure 2-14

Media Revocation

The media revocation feature allows the revocation of all previously authorized media, thus enforcing re-authorization. This is achieved by changing the media ID on all machines within the protected environment. To revoke all previously authorized media, select Revoke All on the General tab.

Note - This process can be reversed by re-importing the media ID, providing a backup was taken during installation.
Figure 2-15

Licensing Information

Pointsec Protector Enterprise Server requires a license number to be entered during installation, both for evaluation and licensed use. The license information can be viewed under License information on the General tab.
Figure 2-16
Further information can be obtained by clicking the License Manager... button. The following dialog will be displayed:
Figure 2-17
This dialog details the type of license (full or evaluation), the number of clients permitted, and the expiration date of the license(s).

Add New Registration Codes/License Numbers

It is possible to add new registration codes/license numbers in the Pointsec Protector License Manager. To add a new license number:
1. Open the Pointsec Protector License Manager window by clicking the License Manager... button on the General tab.
2. Click on the Add License button and enter a new license issued from Check Point, or click on the Add from license file button to import a license from a license file (.lic).
3. Click OK to complete the activation.
Figure 2-18
A message is displayed to show a valid license number has been entered.
Figure 2-19

Applications Tab

The Applications tab displays settings for the expreset.ini, the Device Manager Configuration Editor, and the EPM site identification as described below.
Figure 2-20

Expreset.ini

Pointsec Protector is shipped with a database of recommended file types that should be protected by Program Security Guard (PSG). This database is regularly updated and distributed in a file called expreset.ini. In addition to recommended file types, this file contains a list of recommended exempt applications. During installation the contents of the expreset.ini are automatically imported into all new profiles.

Backing Up expreset.ini

It is often desirable to take a snapshot of the current PSG settings, either for backup purposes or for use within another Pointsec Protector Enterprise Server. The current settings can be exported to an expreset.ini file by clicking the Backup button and selecting a suitable location.
Restoring/Importing a New expreset.ini

Check Point frequently updates the current list of PSG recommended file types and exemptions. A new expreset.ini can be imported by selecting the Restore button and selecting the updated file.

Device Manager Configuration Editor

The Pointsec Protector Device Manager provides unrivalled management of all removable media/IO devices. Pointsec Protector is shipped with a default list of device types, but it is often desirable to add/remove devices as required. This feature allows greater granularity and supports both black list and white list protection. Using the Device Manager Configuration Editor it is possible to add specific brands and models of devices for more granular device management. Specific security rights can then be assigned on a device-by-device basis.
Figure 2-21
By clicking Edit the Device Manager Configuration Editor is invoked:
Figure 2-22

Adding a New Device Class

In the unlikely event that a new device class is introduced that is not part of the core operating system default list, it is possible to specify and add new types of device (device class).

Note - A device class is a new type of device rather than a specific model or brand of an existing device class.

To add a new device class:
1. Click Add device class. The following dialog is invoked:
Figure 2-23
2. Supply the following details:

Device information
• Display Name: The name of the device as displayed within the Device Manager configuration tab. The name should be a useful description of the device type.
• Device GUID: This is the unique system information about the new device class. This information can be retrieved from the log field after the device has been inserted into the system. Each type/brand of device will have its own unique ID. To be less specific, the device GUID string can be reduced. For further information please contact the Pointsec support department.
• Device Connection: It is possible to stipulate the device connection type: just internal, just external, or both types of connection for the new device class. For example, it may be desirable to block the use of external modems but permit the use of built-in modems on a laptop computer.
• Extra Information: For removable media storage devices it is desirable to stipulate whether the device appears to MS Windows as a fixed disk device (hard disk with master boot record) or as removable media (media without master boot record).
• Icon: A custom icon can be used for graphical representation in the Device Manager configuration tab. Select the required icon from the drop-down menu; alternatively, new icons can be added using the Load Images button on the parent dialog.

Device capabilities
• Can be read only: For storage devices it is possible to provide read-only management. By selecting this checkbox the read-only functionality will be available during device configuration.
• Can be used for reading and writing: If the new device class provides removable media storage that can be read from and written to, this option should be selected.
• Can encrypt data with EPM: For digital storage devices, the Encryption Policy Manager (EPM) can be enabled to provide transparent removable media encryption.
• Can generate audit event on arrival: The arrival of new devices can be audited under the Audit tab. This event records the type of device with full details of the device usage. This checkbox determines whether the device is able to generate audit events; for the actual sending of events, the Generate device arrival audit event checkbox must be selected.

Default device access rights
• Default access: This setting configures the default device access for new profiles. Select the required configuration, No access or Full access, from the drop-down menu.
• Generate device arrival audit event: This checkbox enables, if selected, the sending of audit events from the device.

Adding a New Device ID

It is often desirable to provide greater granularity over the types/brands/models of device that can be managed within the Pointsec Protector Device Manager. For example, the system administrator may wish to specify additional security rights on defined corporate brands and models of device. This component offers both white list and black list protection across all device types. For example, the system administrator can specify that 'any device except for the XXXX Brand(s)/Model(s)' can be used, or alternatively that 'only the XXXXX Brand(s)/Model(s)' of device can be used. Under each specific device it is possible to assign individual security rights.

To add a new device ID:
1. Click on the device class under which the new device is to be added (for example, removable media in the Device Manager configuration editor) and click Add device ID. The following dialog opens:
Figure 2-24
2. Supply the following details:

Device information
• Display Name: The name of the device as displayed within the Device Manager configuration tab. The name should be a useful description of the device type.
• Device GUID: This is the unique system information about the device class. When adding a new device ID, this is grayed out, as device IDs fall under existing device classes.
• Device Connection: It is possible to stipulate the device connection type: just internal, just external, or both types of connection for the new device class. For example, it may be desirable to block the use of external modems but permit the use of built-in modems on a laptop computer.
• Extra Information: For removable media storage devices it is desirable to stipulate whether the device appears to MS Windows as a fixed disk device (hard disk with master boot record) or as removable media (media without master boot record).
• Icon: A custom icon can be used for graphical representation in the Device Manager configuration tab. Select the required icon from the drop-down menu; alternatively, new icons can be added using the Load Images button on the parent dialog.

Device ID filter
• Device ID String begins with: Each specific model of device has a device-specific ID. This information can be automatically imported from the unauthorized device manager alert within the logs node. The Device Manager can be configured to be very specific by including the entire device ID string, or less specific by including just the start of the ID string. Please see the “Frequently Asked Questions” on page 197 for examples.

Device capabilities
• Can be read only: For storage devices it is possible to provide read-only management. By selecting this checkbox the read-only functionality will be available during device configuration. Read-only prevents users copying data from the local drive/network to the removable storage device.
• Can be used for reading and writing: If the new device class provides removable media storage that can be read from and written to, this option should be selected.
• Can generate audit event on arrival: The arrival of new devices can be audited under the Event tab. This event records the type of device with full details of the device usage. This checkbox determines whether the device is able to generate audit events; for the actual sending of events, the Generate device arrival audit event checkbox must be selected.
• Can encrypt data with EPM: For digital storage devices the Encryption Policy Manager (EPM) can be enabled to provide transparent removable media encryption.
• Can execute files directly on the device: This option determines whether or not executable files are allowed to run from the device.

Default device access rights
• Device access: This setting configures the default device access for new profiles. Select the required configuration from the drop-down menu.
• Generate device arrival audit event: This checkbox turns on, if selected, the sending of audit events from the device.

EPM Site Identification

The Encryption Policy Manager enables transparent encryption of removable media. Within large organizations it is often desirable to enable the transfer of data between trusted organizations via removable media devices such as USB flash media. With EPM it is possible to set up trust relationships between different Pointsec Protector sites that are not physically linked. This trust relationship enables control over which third-party encrypted devices can be accessed. This section provides the ability to add trusted sites; the access control rights, however, are configured within the individual profiles.
Figure 2-25

Export this site ID

The site ID can be exported for import within other sites. Click the Export this site ID... button. Select a location to export the file to (the default filename will be the server name):
Figure 2-26

Import ID of another site

1. Click the Import ID of another site... button. The import wizard is initialized.
Figure 2-27
Click Next to continue:
2. Select the required EPM Site ID and click Next to continue:
Figure 2-28
3. Enter a relevant site ID name and click Next to continue:
Figure 2-29
4. Click Finish to complete the import process:
Figure 2-30

Advanced

The Advanced... button opens additional configuration options. From within this dialog the administrator can view the current list of trusted sites and amend it as required. Click Advanced...:
Figure 2-31
From within the Advanced tab it is possible to add/remove and edit existing trusted site IDs.

Security Tab

The Pointsec Protector Enterprise Server has been developed using secure client/server authentication. The system administrator can configure the level of security applied to the underlying architecture. To access the Pointsec Protector Server security console, right-click on the Pointsec Protector Server node and select Properties. Navigate to the Security tab as shown below:
Figure 2-32
During installation, Pointsec Protector Enterprise Server sets up default security permissions. Anyone within the Windows Administrator group has full rights to the Pointsec Protector Server. Authenticated users are granted client access only by default. You can add and remove users/groups using the Add and Remove buttons and select the desired security permissions by choosing to allow or deny each feature. At the bottom of the Security tab, two sub-tabs are displayed: Basic permissions and Advanced permissions.

Basic Permissions Tab
Figure 2-33
The following options can be configured with the Basic permissions security tab:
• Administrate: This option grants access to administer the Pointsec Protector Enterprise server. The ability to change the media ID and delete log files is not granted by this option.
• Manage Reports: This option grants access to manage and generate reports within the Pointsec Protector Administration Console.
• Special Permissions: Special permissions grant access to recover encryption keys and change the media ID. This option should only be selected for security administrators.
Advanced Permissions Tab
Figure 2-34
The Advanced permissions security tab allows configuration of the following security settings:
• Change Permissions: This feature can be used to control who has access to change security permissions within the Pointsec Protector Administration Console. Users/groups without this right are prevented from changing rights within this section of the Pointsec Protector Administration Console. This feature can be used to explicitly deny users (e.g. domain admins) from elevating permissions.
Note - Caution should be taken to ensure that this right is not removed from all users.
• EPM Key Recovery: This option is only applicable if the Encryption Policy Manager (EPM) is available and should not be configured for standard users. It allows the defined users/groups to perform key recovery of encrypted removable media using the Encryption Policy Manager. Members of this group will have full access to all encrypted removable media. By default this is configured for system administrators only.
• Change Media ID: This option determines whether the selected users/groups have the right to change the Removable Media ID. It is advised that only security administrators are granted the right to change the media ID, as this process is irreversible and will impact Pointsec Protector Client users.
• Change Configuration Settings: This feature can be used to control which users/groups have access to change configuration options (excluding profiles and groups) within the Pointsec Protector Administration console.
• Change Profile template: Permissions can be assigned regarding the capability of changing global profile templates. Please note that specific profile security will override the global setting.
• Change Groups and Group Order: Permissions can be assigned regarding the capability of creating, deleting and modifying user groups. Group ordering can also be restricted.
• Create Reports: The Create Reports security can be used to define which users/groups are permitted to create new HTML reports from within the administration console.
• Delete Reports: By configuring access to this option it is possible to specify users/groups that are permitted to delete reports from within the administration console.
• View Configuration: This option grants/revokes access for the selected users/groups to view the users/groups and profile section within the Pointsec Protector administration console. Without access being granted to view the configuration, no access will be given to the Pointsec Protector Administration Console.
• View Logs: This option allows the selected users/groups the ability to view the Pointsec Protector audit logs within the Pointsec Protector Administration Console.

Note - The anonymous network connection must be supported by the Pointsec Protector server in order to account for requests from the clients where there is no interactive user logged in. In such scenarios a connection between the client and server is still established according to the security protocol (SSPI), that is, authenticated. Anonymous logon accounts must be given client access permissions only, as by default. This must not be deleted under any circumstances.

E-mail Configuration Tab

The Pointsec Protector Enterprise Server can be configured to send e-mail alerts on defined events to the e-mail addresses specified under the events node. During installation it is possible to configure the SMTP server used for sending alerts and also the specified accounts and security credentials. This tab enables the administrator to specify or reconfigure these settings:
Figure 2-35
The following information must be specified:
• SMTP server name: The name of the server where SMTP is enabled for internal connections.
• Port: Port number on which the SMTP server can be connected to (default 25).
• SMTP user name: Specify a user account that has permission to connect to and send e-mail alerts via SMTP.
• Password: The user account password.
• Confirm Password: As above.
• Server e-mail address: The e-mail address used to send Pointsec Protector alerts via the SMTP server.
• Alert message subject: This text will appear in the message subject for all alert messages generated by the Pointsec Protector Enterprise Server.
• Send a test alert to: Enables the system administrator to test the SMTP configuration settings. On pressing this button a test message should be received immediately in the specified test e-mail inbox.

Console Settings Tab

Pointsec Protector is designed to be used on global infrastructures with many thousands of machines and workstations. To improve performance it is possible to restrict the number of viewed users and workstations. Select the required numbers and click OK to continue:
Figure 2-36

Server Key Tab

For Novell network installations, the Server Key tab is automatically displayed. The Pointsec Protector Server uses an RSA key to encrypt client-to-server communication across the network. The RSA key must be exported to the client installation folder prior to install, or alternatively the .reg file should be run on any previously installed clients.

Note - If the server key is not exported to the client install disk on Novell server installations, the client-to-server communication will not function correctly.
Figure 2-37
Click Create client registry file to export the serverkey.reg file to the root of the client installation folder:
Figure 2-38

Chapter 3 Create and Export Profile Templates

This chapter describes how to create and export profile templates.

In This Chapter
Overview: page 43
Creating New Profile Template: page 44
General Tab: page 45
Device Manager Tab: page 45
User Interface Tab: page 49
Auditing Tab: page 51
Program Security Guard (PSG) Tab: page 61
Removable Media Manager Tab: page 67
Encryption Tab: page 70
Advanced Tab: page 76
Security Tab: page 80
Exporting Profile Templates: page 80
Default Profile Template: page 85

Overview

Profile templates are an integral part of the Pointsec Protector Enterprise Server Administration Console. Profile templates are used to make management of user/group settings easier to administer. It is advisable to set up a number of standard templates prior to creating/importing any users and groups into the Pointsec Protector Enterprise Server. The default profile provides the core global settings. Additional profiles can then be created to specify additional settings. Pointsec Protector offers the ability to merge profiles to provide simple management of policy. This section details the various options available as part of the profile templates.

Creating New Profile Template

To create a new profile template, navigate to the Profile Templates node and right-click New > Profile template as shown below:
Figure 3-1
The following configuration dialog is displayed; enter a suitable profile name (for example, Standard User Profile):
Figure 3-2

General Tab
• Profile Name: Enter a unique name into this field to describe the profile template.
• Notes: Enter a meaningful description of the use of this profile.

Device Manager Tab
Figure 3-3
Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.
• Audit: This checkbox enables the ability for the specified device type to be audited if auditing is enabled within the Auditing tab.
  Please note this does not turn auditing on; it just enables the capability.
• Plain text
  The dropdown lists under Plain text will control the access rights for the specified devices/device types.

The following are all the available types of access rights (note that not all access rights are available for all types of devices):

• No access
  No access at all is allowed to the device in question when this option is selected.
• Read only
  The Read only option prevents data from being written to approved devices, but all reading and copying of data from devices is allowed.
• Read only, No network
  This option allows all reading and copying of data from devices but blocks the device from being shared over a network, irrespective of NTFS/Share level security permissions.
• Read only, Execute
  The Read-only, Execute option allows all reading and copying of data from approved devices as well as the ability to execute files from the devices.
• Full access
  The Full access option allows the user to read from and write to approved devices.
• Full access, no network
  This option allows the user to read from and write to approved devices but blocks the device from being shared over a network, irrespective of NTFS/Share level security permissions.
• Full access, Execute
  This option allows the user to read, write, and execute files to and from all approved devices.
• Full access, Execute, no network
  This option allows the user to read, write, and execute files to and from all approved devices, but blocks the device from being shared over a network, irrespective of NTFS/Share level security permissions.
• Encrypted
  In the Encrypted column it is possible to control whether the user has access only to encrypted media or is also allowed to create encrypted media.
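The access levels above combine a small set of capabilities (read, write, execute, network sharing), and a profile that leaves a device type undefined inherits the setting from the profile below it. The following Python model is an added example written for this guide, not Pointsec Protector code: it decomposes each named level into the operations it permits and resolves a device type through a stack of profiles. Which operations each level grants is read from the option descriptions (treating sharing as permitted, subject to NTFS/Share permissions, wherever "No network" is absent); the fallback level when nothing is defined, the device type names and the two sample profiles are assumptions.

```python
# Added example (not Pointsec Protector code): Device Manager "Plain text"
# access levels decomposed into permitted operations, plus resolution of a
# setting through profile inheritance (undefined settings come from the
# profile below). Device type names and profiles are constructed sample data.
from typing import Dict, List, Optional

# Operations a user may attempt on a device. "share" means exposing the device
# over the network; the "No network" variants block it irrespective of
# NTFS/Share permissions (assumption: other levels leave sharing to those
# permissions, so it is treated as permitted here).
OPERATIONS = ("read", "write", "execute", "share")

ACCESS_LEVELS: Dict[str, frozenset] = {
    "No access": frozenset(),
    "Read only": frozenset({"read", "share"}),
    "Read only, No network": frozenset({"read"}),
    "Read only, Execute": frozenset({"read", "execute", "share"}),
    "Full access": frozenset({"read", "write", "share"}),
    "Full access, no network": frozenset({"read", "write"}),
    "Full access, Execute": frozenset({"read", "write", "execute", "share"}),
    "Full access, Execute, no network": frozenset({"read", "write", "execute"}),
}

# A profile maps a device type to an access level. A missing entry or None
# means "not defined in this profile": the value is inherited from the
# profile below it in the stack.
Profile = Dict[str, Optional[str]]

# Assumed fallback when no profile in the stack defines the device type: the
# guide says the Device Manager's default operation is to enable access to
# all ports, so the least restrictive level is used.
DEFAULT_LEVEL = "Full access, Execute"


def effective_level(stack: List[Profile], device_type: str) -> str:
    """Resolve the level for device_type. stack[0] is the profile being
    evaluated; each later entry is the profile the previous one inherits from."""
    for profile in stack:
        level = profile.get(device_type)
        if level is not None:
            if level not in ACCESS_LEVELS:
                raise ValueError(f"unknown access level: {level!r}")
            return level
    return DEFAULT_LEVEL


def is_permitted(stack: List[Profile], device_type: str, operation: str) -> bool:
    """True if the effective level for device_type allows the operation."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    return operation in ACCESS_LEVELS[effective_level(stack, device_type)]


def permitted_operations(stack: List[Profile], device_type: str) -> List[str]:
    """All operations the effective level allows, in OPERATIONS order."""
    return [op for op in OPERATIONS if is_permitted(stack, device_type, op)]


# Constructed sample: a "Standard User Profile" that only overrides optical
# drives and inherits everything else from the default profile below it.
DEFAULT_PROFILE: Profile = {
    "Removable Media Devices": "Full access, no network",
    "Optical devices (CD/DVD)": "Read only",
    "Wireless Network Adapters (WiFi)": "No access",
}
STANDARD_USER_PROFILE: Profile = {"Optical devices (CD/DVD)": "No access"}
STACK = [STANDARD_USER_PROFILE, DEFAULT_PROFILE]

if __name__ == "__main__":
    for device in DEFAULT_PROFILE:
        print(f"{device}: {effective_level(STACK, device)} -> "
              f"{permitted_operations(STACK, device)}")
```

Running the block prints the effective level and permitted operations for each device type in the sample stack; note that the "Standard User Profile" tightens optical drives to No access while inheriting the "Full access, no network" setting for removable media, which permits writing but not sharing.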
Device Manager (DM)

Pointsec Protector allows the administrator to control user access to all plug-and-play devices including PC ports such as COM, LPT, serial, PCMCIA, Firewire, and USB ports. This feature prevents users from connecting unauthorized devices to the PC ports, including hardware such as modems, PDAs, USB memory sticks, scanners, and so on. In addition, the Device Manager can be used to generically block or grant read-only access to other media storage devices.

Note - Using this feature can disable access to desired devices, for example, modems and USB peripherals. When no access is granted, this feature will override the Removable Media Manager.

The Device Manager supports both white list and black list security by enabling the administrator to specify that 'all devices except XXXX' can be accessed or by specifying that 'only XXXX device' can be accessed and all others will be blocked. Pointsec Protector is shipped with a default list of devices, but due to the unique way Pointsec Protector has been developed, it is possible for the system administrator to specify additional devices, including the ability to add specific models and brands of device.

Example 1
It may be desirable to allow access to all removable media except for a defined MP3 player or model of banned PDA.

Example 2
It may be desirable to specify an organizationally approved brand of memory stick but deny access to all other brands and types of device.

For further information about adding new devices, please see the “Device Manager Configuration Editor” on page 27.

Default List of Devices

Detailed below is the default list of devices shipped with Pointsec Protector Device Manager:

Removable Media Devices (USB drives, etc.) — All removable media device access can be managed including the ability to assign no access, read-only access, or full access.
Additional, more granular control can also be achieved using the Removable Media Manager; this component will ensure that only digitally signed authorized devices can be accessed. This option will manage the use of removable media devices plugged into any port including USB and Firewire. Removable storage devices can also be encrypted if the optional Encryption Policy Manager has been purchased. Please note there is an automatic exemption on EPM encrypted drives and full access is granted.

Optical devices (CD/DVD) — CD and DVD drives can be either disabled or granted read-only access. This provides management over the use of CDR/DVDR and CDRW/DVDRW drives. Pointsec Protector can control the use of native XP CD burning and other third party CD/DVD authoring software.

External hard drives — If this option is selected, access to any unauthorized new hard disks including USB/Firewire drives can be blocked or read-only access granted. External hard drives can also be encrypted if the optional Encryption Policy Manager has been purchased. Please note there is an automatic exemption on EPM encrypted drives and full access is granted.

Floppy drives — It is possible to block or grant read-only access to any floppy disk drive if authorized access using the Removable Media Manager is not desired.

Tape Drives — The Device Manager can be used to manage access to tape drives.

Modems — The Device Manager can be used to manage access to both internal and external modems.

Printers (LPT/USB) — The Device Manager can be used to manage access to LPT/USB ports, thus preventing access to unauthorized printers.

Bluetooth — The Device Manager can be used to manage access to Bluetooth devices including USB dongles.

Still image devices — The Device Manager can be used to manage access to still image devices including scanners and digital cameras.
Serial ports (COM) — The Device Manager can be configured to manage access to COM ports and hence block the introduction of unapproved serial port devices including modems.

Infrared ports (IrDA) — Infrared ports pose a potentially large security vulnerability, particularly for laptop users. The Device Manager can be used to disable IrDA ports.

Smart card readers — The Device Manager can be used to manage access to both internal and external smart card readers.

PCMCIA Memory — The Device Manager can be used to manage access to PCMCIA memory including Compact Flash and removable hard disks.

Blackberry RIM devices — Blackberry (RIM) device access can be managed by the Device Manager.

Windows CE Portable Devices — MS Windows CE PDA device access can be managed using the Device Manager. This includes all devices that connect to MS Windows using MS Active Sync.

Windows Portable Devices — Devices like MP3 players and personal video players can be managed by the Device Manager under this category.

Ports (COM/LPT) — The Device Manager can be configured to manage access to COM ports/LPT ports and hence block the introduction of unapproved serial port devices including modems and printers.

Wireless Network Adapters (WiFi) — The Device Manager can be configured to manage access to all WiFi adapters including internal Centrino and USB dongle devices.

When the Device Manager is enabled, users will receive bubble alerts from the system tray when an unapproved device is connected.

Note - The No access option within the Device Manager will override all Removable Media Manager settings.

An exclusion is automatically built into the Device Manager to allow peripheral devices such as mice and keyboards to operate without problem. Caution should be exercised when enabling this feature, as improper use could make some peripheral devices inoperable. The default operation for the Device Manager is to enable access to all ports.
To protect ports, simply select the desired checkboxes from the dialog displayed above in Figure 3-3 on page 45 and click OK.

User Interface Tab

Figure 3-4

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

• Pointsec Protector system tray icon drop-down list:
  • No Icon
    The Pointsec Protector system tray icon and all messaging are hidden from the user.
  • Icon Only
    The Pointsec Protector system tray icon is displayed but does not show messaging or the client menu system. Please note the system tray icon must be visible to provide balloon messaging.
  • Icon and short menu
    The Pointsec Protector system tray icon is displayed as well as the short menu, which includes client help, manual profile download options, and an about box.
  • Icon and full menu
    The Pointsec Protector system tray icon is displayed together with a full context-sensitive menu system. The full menu provides the ability for users to access the Device Manager, Removable Media Manager, Program Security Guard (PSG) and Encryption Policy Manager menu systems.
• Display PSG alerts as balloon notifications
  PSG standard messaging can often be quite intrusive to the user. If this option is selected, users will receive all messaging from the system tray as balloon messages that automatically close after 10 seconds and require no user interaction.
• User can access the Pointsec Protector system tray menu
  With this option selected, users with this profile will have access to the Pointsec Protector client system tray.
• User can disable Removable Media Manager (RMM)
  By selecting this option, users with this profile will have the rights to disable RMM from the Pointsec Protector system tray. Caution should be exercised when enabling this option, as a user will have the ability to bypass the Removable Media Manager security.
• User can disable Program Security Guard (PSG)
  By selecting this option, users with this profile will have the rights to disable PSG from the Pointsec Protector system tray. Caution should be exercised when enabling this option, as a user running this profile can disable PSG completely, thus bypassing all security.
• User can disable Device Manager (DM)
  By selecting this option, users with this profile will have the rights to disable DM from the Pointsec Protector system tray. Caution should be exercised when enabling this feature, as the user will be able to bypass all security provided by the Device Manager.
• PSG alert text
  Message: This message will be displayed on the Pointsec Protector Client software when a user from the selected profile attempts to create or modify a file type defined in the PSG protected file types list.
  Contact Information: Additional support contact information can be specified.
• RMM alert text
  Message: This message will be displayed on the Pointsec Protector Client software when a user from the selected profile inserts an unauthorized media device (for example, floppy disk, flash memory, Zip drive, etc.). Please note: this message will not be displayed if the Removable Media Manager has been set to automatic authorization.
  Contact Information: Additional support contact information can be specified.

Auditing Tab

Figure 3-5

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

The Auditing tab allows the system administrator to decide which security breaches/events require auditing and how the events should be processed.

Audit Events Panel

The following information is audited for all events:

• ID
  The log ID number is an incremental number and is used to make searching events easier.
• Unique ID
  The unique ID is assigned to each audit event.
• Time
  Records information about the time and date at which the audit event occurred.
• Event
  The name of the event (for example, Unauthorized (PSG) File operation).
• Alert
  Details whether there is an alert configured for the selected event (Yes/No).
• User ID
  The User ID within the Pointsec Protector user database.
• User Name
  The MS Windows username of the user who was logged on when the event occurred.
• Hostname
  The machine name on which the event occurred.
• Source
  The source of the audited event (for example, PSG, RMM, DM, etc.).
• Message
  Contains other relevant information about the event (for example, virus infection details, unauthorized file audits, etc.).

The following information can be audited for events:

• Authorized Device Event
  This audit event records all access to approved devices. This information can be used to add new specific devices to the Device Manager configuration directly from the audit event.
• Encrypted Removable Media Exported
  This event audits when an EPM encrypted device is exported back to clear text.
• Fixed Hard Disk Configuration Changed
  This event audits when there has been a physical change in hard disk configuration. This could be either the unauthorized addition of a new hard disk or the unauthorized removal of a hard disk. The addition of such devices can be blocked using Device Manager.
• Pointsec DataScan
  The Pointsec DataScan provides a detailed audit of media scan results including detailed analysis of file types and unsuccessful authorization of media.
• Pointsec Protector Client Service Was Shutdown
  Where local administration rights are present on a client workstation and the Pointsec Protector service is not locked, the shutdown of the Pointsec Protector client service can be audited.
• Removable Media Scan Was Skipped
  During the media authorization process, if permission to skip a virus or DataScan scan is granted, this event can be audited.
• Removable Media Was Encrypted
  If the Encryption Policy Manager (EPM) component is enabled, and permission to import new devices is granted, the import of all new devices can be audited.
• Scanner Event
  Pointsec Protector can audit the results of anti-virus scans (provided this is supported within the AV scanner). Please contact Check Point for further information about supported scanners: http://www.checkpoint.com/services/contact/
• Service Startup Error
  The core of Pointsec Protector client messaging is an MS Windows service. It is possible to audit the service startup and whether it has succeeded or failed. The Pointsec Protector Client service is started during bootup. If the service is not started, Pointsec Protector Client will not operate correctly, all devices will be secured and the default profile selected. The audit of this event will only be received the next time the service is successfully started.
• Successful Media Authorization
  During media authorization it is possible to audit when media is successfully authorized.
• Suspected key logger detected
  This event is generated if a suspected USB key logger is detected. The Pointsec Protector client software can detect any suspicious keyboard configuration changes.
• Unauthorized (PSG) File Operation
  Unauthorized PSG file operations can be recorded. As well as recording unauthorized user file access, this feature can also be useful for tracing new applications that require PSG exemption. A detailed log also contains information about the process that triggered PSG. This information can be used to create new exempt applications.
• Unauthorized Device Event
  All unauthorized device access attempts can be recorded. This information can be used to add new specific devices to the Device Manager configuration directly from the audit event.
• Unauthorized Execution Attempt
  Program Security Guard (PSG) automatically blocks the execution of files without defined executable extensions. Only programs with a .exe, .com, .sys, or .vbs file extension are allowed to be executed.
• Unauthorized Removable Media Found
  Unauthorized removable media detection can be recorded. In addition to the standard audit information, it is also possible to view the capacity and type of the unauthorized media.
• Unsuccessful Media Authorization
  If authorization of a media device fails, the event is audited as well as the reason for failure.
• User has disabled a system component
  Disabling of the core Pointsec Protector client components RMM, PSG, and DM can be audited when available in the client software.
• User has enabled a system component
  Enabling of the core Pointsec Protector client components RMM, PSG, and DM can be audited when available in the client software.

Settings for audited events:

• Ignore
  If the propagation of an audit event is set to Ignore, the selected event will not be logged locally or centrally.
• Register
  If the propagation of an audit event is set to Register, the event audit will be stored locally on the client machine until the next scheduled client/server synchronization takes place.
• Immediate
  If the propagation of an audit event is set to Immediate, as soon as the event occurs the client will immediately connect to the Pointsec Protector Enterprise Server (if available) and upload the audit information. This mode overrides the settings in the Client log synchronization (see section “Protector client log synchronization” on page 77). This mode can be used in conjunction with the Alerts section, see “Alerts” on page 111.

Removable Media Audit Rules Panel

The Removable Media Manager is a very powerful component for controlling the use of removable media storage devices.
The Removable Media Audit Rules panel provides the ability to audit all file operations performed on removable media devices and CD/DVD drives. From the RMM Audit Rules panel it is possible to configure a profile to either audit every file operation performed or to build a complex set of rules based on certain defined criteria.

Removable Media Audit Rules can record the following information:

• ID
  The log ID number is an incremental number and is used to make searching events easier.
• Date & Time
  Records information about the time and date at which the audit event occurred.
• Host Name
  The machine name on which the event occurred.
• Operation Type
  The type of operation that was performed on the removable media device:
  • Create
    Audits the creation of new files.
  • Open for Write
    Audits any files that are opened for write access.
  • Move/Rename
    Audits file moves and renames.
  • Delete
    Audits file deletions.
• Filename1
  Records the file name and extension.
• Filename2
  Records the new filename if a file rename is performed.
• Process
  Records the process name that performed the file operation (for example, Winword.exe, Explorer.exe etc.).
• User Name
  Records the Domain and Username of the current user.
• Alert
  Details whether there is an alert configured for the selected event (Yes/No).

Reset
Disables all removable media auditing from the current profile.

Log all
By selecting this option, all removable media file operations will be audited within the current profile.

Note - This option can generate large amounts of audit information and should be used with caution.

Add
It is possible to build a set of defined rules to control which removable media events are audited. To build a removable media audit rule, select Add and the Media Audit Rule window is displayed.

Media Audit Rule Window

Figure 3-6

Media rule name
Enter a unique name for the rule.
Recorded in server log
By selecting this option, all audit events will automatically be uploaded to the server log.

Recorded in server log and raised alert
By selecting this option, it is possible to audit the defined events and trigger an alert. Select an appropriate alert from the drop-down menu.

Note - Please use this option with care as the number of alerts generated could be VERY large.

Conditions
By using the drop-down menus, it is easy to build complex rules. The following events can be defined:

• Date
  Records information about the time and date at which the audit event occurred.
• Computer Name
  The machine name on which the event occurred.
• Operation Type
  The type of operation that was performed on the removable media device:
  • Create
    File creations on removable media.
  • Open for Write
    Any files that are opened on removable media can be audited. (Please note this entry can generate multiple events for each file open.)
  • Move/Rename
    Audits the move/rename of files on removable media and will detail the name before and after.
  • Delete
    Audits the deletion of files on removable media.
  • CD/DVD audit
    Audits the creation of files burnt to CD/DVD using CD authoring applications.
  • EE Copy Out
    Audits the exporting of files from EPM explorer to third party systems.
  • EE Copy In
    Audits the importing of files using EPM explorer on third party systems.
  • EE Read File
    Audits the opening of files using EPM explorer on third party systems.
  • EE Rename
    Audits the renaming of files using EPM explorer.
  • EE Delete
    Audits the deletion of files using EPM explorer.
  • EE Create
    Audits the creation of new files using EPM explorer.
  • EE Audit Log was tampered with
    Audits attempted tampering with the EPM explorer audit log.
• Filename1
  Records the file name and extension.
• Filename2
  Records the new filename if a file rename is performed.
• Process
  Records the process name that performed the file operation (for example, Winword.exe, Explorer.exe etc.).
• User ID
  Records the user logon ID.
• User
  Records the Domain and Username of the current user.

In addition, the following expressions can be used:

• Is
  Is equal to (for example, Filename is Mydata.doc)
• Is not
  Is not equal to (for example, Process is not test.exe)

Please note that * (an asterisk) can be used as a wild card entry for ‘IS‘ and ‘IS NOT‘ expressions.

Example 1
To audit the creation of all files on removable media devices, the following rule would be used:

Figure 3-7

Example 2
To audit all file operations except for 'Delete' performed by MS Word, the following rule would be used:

Figure 3-8

Example 3
To audit all file operations except for those performed by the Sherlock Anti-Virus scanner, the following rule would be used:

Figure 3-9

Example 4
To audit all file operations for a defined user (user1) except for operations created by Sherlock.exe and on a specific machine (Machine1), the following would be used:

Figure 3-10

Example 5
To audit all file operations on any file containing 'database', the following would be used:

Figure 3-11

Program Security Guard (PSG) Tab

Figure 3-12

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

• Protected file types list
  Click the Configure file types button to manage the list of unsafe file types within the current profile.
• Trusted applications
  Click the Configure products button to Add/Remove and edit the list of products that are exempt from PSG protection within the current profile.
• Disable Process Executable Check
  To enhance security, PSG can also be configured to block the execution of non-executable file extensions.
  By default, PSG will only allow the execution of .exe, .com, and .sys file types.
• Exempt Internet Explorer Trusted Zones
  By selecting this option, all Internet Explorer trusted zones will be exempt from PSG file protection. This provides security against attacks from spyware, trojans, and viruses spread by the internet but will enable trusted sites to create/install software as required. This is particularly useful for setting up trusts with internal intranets and web-based applications.
• Program Security Guard (PSG) Module Control:
  • PSG will turn on automatically if unsafe file types are defined
    If protected file types are configured within the PSG protected files list, the Program Security Guard (PSG) is automatically enabled.
  • Disable PSG even if there are defined unsafe file types
    If this option is selected, the Program Security Guard (PSG) is disabled even if unsafe file types are defined.

Configure File Types

Clicking the Configure file types... button opens the Unsafe file types window.

Figure 3-13

Program Security Guard (PSG) is a powerful yet flexible mechanism for blocking the introduction of unauthorized/malicious file types. PSG allows the system administrator to define a list of unauthorized file types that cannot be created on a Pointsec Protector protected machine, neither locally nor on network resources. In addition to blocking creation, PSG also prevents existing file types from being modified or deleted, either accidentally or maliciously. PSG also provides an additional layer of defense against the introduction of unlicensed software and a further defense against malicious/virus infected code. Pointsec Protector is shipped with a default list of recommended file types (.bat, .com, .dll, .scr, .vxd, .exe).

Adding New PSG Protected File Types

To add a new PSG-protected file type:

1. Click on the Configure file types...
   button on the Program Security Guard tab to open the Unsafe file types window.
2. Click Add and the following dialog is displayed:

Figure 3-14

3. Enter the file extension and description if required and then click OK.
4. Select the file type extension’s checkbox. Please note that the new extension will not be enabled unless the checkbox is selected. New file types will appear in all profiles but will be deselected by default.

Note - Only file extensions with a length of three characters are currently supported, as other types typically form part of an installation package that PSG will prevent from being renamed to executable code; therefore this will stop the execution of non three-character extensions.

Removing Previously Created Extensions

To remove a previously created PSG extension:

1. Select the extension and click Remove.

Please note that a file extension can be switched off from the selected profile simply by deselecting the checkbox.

Configure Applications

Clicking the Configure applications... button opens the PSG exemptions window.

Figure 3-15

The Pointsec Protector client can be configured to prevent the introduction of, and unauthorized modification of, defined file types (defined in the Unsafe file types window). Due to the nature of PSG, it is often desirable to allow certain defined programs to be exempt from PSG protection. Anti-Virus scanners and software deployment utilities generally require full access to modify and create new programs/files. Rather than disabling PSG during file modifications, a PSG exempt process is authorized to run, leaving the machine secured against unauthorized processes. Pointsec Protector Server is supplied with a default list of exempt processes; this list is found in a file called expreset.ini.
The current list of default applications is shown below:

• Pointsec Deployment Server
• NAI McAfee VirusScan & Total Virus Defense
• NAI Dr Solomon’s Toolkit
• Sophos (SAVAdmin)
• F-Secure
• Microsoft SMS v2.0
• Microsoft SMS v2003
• Symantec Norton Anti-Virus
• Computer Associates AimIT
• Vet - Cyber Pty Ltd.
• Panda Anti-Virus
• MS Applications
• Trend Micro OfficeScan
• NAI McAfee VS Enterprise 7x
• Norman Anti-Virus
• EZ E-Trust Anti-Virus v7+

Selecting Exempt Processes

To select an existing PSG exempt application:

1. Select the relevant checkbox in the PSG exemptions window and click OK.

Adding a New Exempt Process

If a particular application requires PSG exemption, it is possible to add new program(s) to the selected profile. To add a new exempt process:

1. Click the Add button in the PSG exemptions window to open the PSG product declaration dialog. Enter a product name in the Product name field as shown below:

Figure 3-16

2. Click Add and the following dialog is displayed:

Figure 3-17

3. Enter the name(s) of the application that you wish to exempt. This information can be obtained from the PSG audit logs created when the PSG unauthorized operation occurred. There are 3 options as to when the defined program is exempt: System account, Administrator account, and Any account.

Note - Please exercise caution when exempting an application with the Any account option selected. This option, if used incorrectly, could leave PSG insecure (for example, avoid adding explorer.exe, setup.exe etc.).

Removable Media Manager Tab

Figure 3-18

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

Removable Media Manager (RMM) controls access to removable media devices.
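The PSG behaviour described in the preceding section (blocking creation, modification and deletion of unsafe file types, the process executable check, the three-character extension limit, and per-account exemptions) can be summarised as one decision function. The Python below is an added example written for this guide, not Pointsec Protector code. The default unsafe file types, the executable extensions listed in the PSG tab, and the three exemption scopes come from the text; how each exemption scope maps onto the account a process runs under is an assumption, and every path, process name and account in the sample events is constructed. The second set of exemptions shows why the note above warns against exempting explorer.exe with Any account.

```python
# Added example (not Pointsec Protector code): a model of Program Security
# Guard (PSG) decisions. Unsafe types, executable types and exemption scopes
# come from the guide; the scope-to-account mapping is an assumption and all
# sample paths, processes and accounts are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Set

# Default list of recommended unsafe file types shipped with the product.
DEFAULT_UNSAFE_TYPES: Set[str] = {".bat", ".com", ".dll", ".scr", ".vxd", ".exe"}

# Extensions the process executable check allows to run (PSG tab).
EXECUTABLE_TYPES: Set[str] = {".exe", ".com", ".sys"}

# PSG guards the creation, modification and deletion of unsafe file types.
GUARDED_OPERATIONS = {"create", "modify", "delete"}


@dataclass(frozen=True)
class Exemption:
    product: str   # name entered in the PSG product declaration dialog
    process: str   # executable name, as recorded in the PSG audit log
    scope: str     # "System account", "Administrator account" or "Any account"


@dataclass(frozen=True)
class FileEvent:
    operation: str   # "create", "modify", "delete" or "execute"
    path: str
    process: str
    account: str     # "System", "Administrator" or "User" (constructed labels)


def add_unsafe_type(unsafe: Set[str], extension: str) -> Set[str]:
    """Return a copy of the list with a new protected extension enabled.
    Only three-character extensions are supported, as the guide notes."""
    ext = extension.lower()
    if not ext.startswith("."):
        ext = "." + ext
    if len(ext) != 4:
        raise ValueError(f"only three-character extensions are supported: {extension!r}")
    return set(unsafe) | {ext}


def is_exempt(event: FileEvent, exemptions: List[Exemption]) -> bool:
    """An exempt process bypasses PSG only when it runs under an account
    covered by the exemption's scope (assumed mapping: System account covers
    the System account only, Administrator account covers administrators
    only, Any account covers everything)."""
    for ex in exemptions:
        if ex.process.lower() != event.process.lower():
            continue
        if ex.scope == "Any account":
            return True
        if ex.scope == "Administrator account" and event.account == "Administrator":
            return True
        if ex.scope == "System account" and event.account == "System":
            return True
    return False


def psg_decision(event: FileEvent, unsafe: Set[str], exemptions: List[Exemption],
                 executable_check: bool = True) -> str:
    """Return "allow" or the name of the audit event PSG raises."""
    ext = PureWindowsPath(event.path).suffix.lower()
    if event.operation == "execute":
        if executable_check and ext not in EXECUTABLE_TYPES:
            return "Unauthorized Execution Attempt"
        return "allow"
    if event.operation in GUARDED_OPERATIONS and ext in unsafe:
        return "allow" if is_exempt(event, exemptions) else "Unauthorized (PSG) File Operation"
    return "allow"


# Constructed sample exemptions: a scanner exempt under the System account
# only, and a risky variant that also exempts the shell under Any account.
SAFE_EXEMPTIONS = [Exemption("Sample AV scanner", "scan32.exe", "System account")]
RISKY_EXEMPTIONS = SAFE_EXEMPTIONS + [Exemption("Shell", "explorer.exe", "Any account")]

SAMPLE_EVENTS = [
    FileEvent("create", r"C:\Users\user1\Downloads\tool.exe", "explorer.exe", "User"),
    FileEvent("modify", r"C:\Program Files\Sample AV\engine.dll", "scan32.exe", "System"),
    FileEvent("modify", r"C:\Program Files\Sample AV\engine.dll", "scan32.exe", "User"),
    FileEvent("execute", r"C:\Users\user1\Downloads\installer.msi", "explorer.exe", "User"),
    FileEvent("create", r"C:\Users\user1\Documents\notes.txt", "winword.exe", "User"),
]


def decisions(exemptions: List[Exemption]) -> List[str]:
    """PSG verdict for every sample event under the given exemption list."""
    return [psg_decision(e, DEFAULT_UNSAFE_TYPES, exemptions) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, decisions(SAFE_EXEMPTIONS)):
        print(f"{event.operation:8} {event.process:13} {event.path} -> {verdict}")
```

With the safe exemptions, the scanner may update its own .dll only while running as System, a user creating tool.exe is blocked and audited, and launching installer.msi trips the executable check; with the risky exemptions the same user's creation of tool.exe through explorer.exe is allowed, which is exactly the gap the note warns about.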
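Returning to the Removable Media Audit Rules panel of the Auditing tab: each rule is a set of conditions on the recorded fields, each condition an "is" or "is not" comparison in which "*" is the only wild card, and an event is recorded when every condition holds. The Python below is an added example written for this guide, not Pointsec Protector code, and it reconstructs Examples 1 to 5 as rules evaluated over constructed audit events. The figures showing those rules are not reproduced on the page, so the exact fields each rule uses are an assumption (the User field is assumed to hold Domain\Username, so the user1 rule matches with a leading wild card); the domain CORP, file names and event details are constructed.

```python
# Added example (not Pointsec Protector code): evaluator for Removable Media
# Audit Rules ("is" / "is not" conditions with "*" as the only wild card).
# Examples 1 to 5 are reconstructed as rules; the events are constructed.
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def wildcard_pattern(value: str) -> "re.Pattern[str]":
    """Compile an 'is'/'is not' value into a regex where only '*' is special.
    Windows file, host and user names are case-insensitive (assumption)."""
    parts = [re.escape(p) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Condition:
    field: str            # "Operation Type", "Filename1", "Process", "User", "Computer Name", ...
    value: str            # value or pattern selected in the drop-down
    negate: bool = False  # False for "is", True for "is not"

    def holds(self, event: Event) -> bool:
        actual = str(event.get(self.field, ""))
        matched = wildcard_pattern(self.value).match(actual) is not None
        return not matched if self.negate else matched


@dataclass(frozen=True)
class MediaAuditRule:
    name: str
    conditions: Tuple[Condition, ...]
    raise_alert: bool = False   # "Recorded in server log and raised alert"

    def matches(self, event: Event) -> bool:
        # All conditions must hold for the event to be recorded.
        return all(c.holds(event) for c in self.conditions)


def evaluate(rules: List[MediaAuditRule], events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule name to the IDs of the events it would record."""
    return {r.name: [e["ID"] for e in events if r.matches(e)] for r in rules}


# Examples 1 to 5 from the guide as rules.
EXAMPLE_RULES = [
    MediaAuditRule("Example 1", (Condition("Operation Type", "Create"),)),
    MediaAuditRule("Example 2", (Condition("Process", "winword.exe"),
                                 Condition("Operation Type", "Delete", negate=True))),
    MediaAuditRule("Example 3", (Condition("Process", "Sherlock.exe", negate=True),)),
    MediaAuditRule("Example 4", (Condition("User", "*\\user1"),
                                 Condition("Computer Name", "Machine1"),
                                 Condition("Process", "Sherlock.exe", negate=True))),
    MediaAuditRule("Example 5", (Condition("Filename1", "*database*"),)),
]

# Constructed sample audit events (domain CORP and file names are invented).
SAMPLE_EVENTS: List[Event] = [
    {"ID": 1, "Operation Type": "Create", "Filename1": "notes.txt", "Filename2": "",
     "Process": "explorer.exe", "User": "CORP\\user1", "Computer Name": "Machine1"},
    {"ID": 2, "Operation Type": "Delete", "Filename1": "draft.doc", "Filename2": "",
     "Process": "WINWORD.EXE", "User": "CORP\\user2", "Computer Name": "Machine2"},
    {"ID": 3, "Operation Type": "Open for Write", "Filename1": "report.doc", "Filename2": "",
     "Process": "winword.exe", "User": "CORP\\user2", "Computer Name": "Machine2"},
    {"ID": 4, "Operation Type": "Open for Write", "Filename1": "customer_database.xls",
     "Filename2": "", "Process": "Sherlock.exe", "User": "CORP\\user1",
     "Computer Name": "Machine1"},
    {"ID": 5, "Operation Type": "Move/Rename", "Filename1": "old.doc", "Filename2": "new.doc",
     "Process": "explorer.exe", "User": "CORP\\user1", "Computer Name": "Machine1"},
]

if __name__ == "__main__":
    for name, ids in evaluate(EXAMPLE_RULES, SAMPLE_EVENTS).items():
        print(f"{name}: records events {ids}")
```

Event 2 shows why the "is" comparison is implemented case-insensitively: WINWORD.EXE and winword.exe are the same process on Windows, and a case-sensitive rule would silently miss it. Example 3 is the typical noise-reduction rule for an anti-virus scanner that opens every file on inserted media.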
RMM enforces that all removable media is authorized prior to access being granted. By digitally signing authorized devices, the Removable Media Manager enables additional granularity over removable media device control. The authorization process and the options available to users can be centrally configured within the Removable Media Manager tab, as shown below. The following options are available:

• No media authorization check
  By selecting this option the Removable Media Manager will not be active in the current profile. Users will be able to access any devices permitted within the Device Manager tab.
• Automatic media authorization
  If the Automatic Media Authorization radio button is selected within a profile, whenever a user inserts a removable media device and attempts to access it through MS Windows Explorer/My Computer, access will be blocked. The authorization process will automatically execute and attempt to authorize the media. During automatic authorization, Pointsec Protector client will automatically detect compatible anti-virus scanners installed on the machine.
  Note - If no anti-virus scanner or Pointsec DataScan is detected on the client machine, then automatic authorization will not be possible and access will not be granted.
• Automatic Media authorization with an option to delete files
  If the Automatic Media Authorization with an option to delete files radio button is selected within a profile, whenever a user inserts a removable media device and attempts to access it through MS Windows Explorer/My Computer, access will be blocked. The authorization process will automatically execute and attempt to authorize the media. During automatic authorization, Pointsec Protector client will automatically detect compatible Anti-Virus scanners installed on the machine.
  Note - If no anti-virus scanner or Pointsec DataScan is detected on the client machine, then automatic authorization will not be possible and access will not be granted. In this mode the user will be prompted with an option to delete any unauthorized files detected by Pointsec DataScan to enable authorization.
• Allow users the following rights (wizard mode)
  The media authorization process can either be invoked automatically (as discussed above) or the user can be presented with a simple authorization wizard. This mode requires user interaction to authorize media.
  • User can authorize removable media
    This option allows users within the selected profile to authorize removable media with any installed and compatible anti-virus/Data Authorization scanner detected. If this option is not selected, users will be presented with a message only and no rights to authorize the media.
  • User can select scanners
    If this option is selected, users within the defined profile will be able to select which scanner to use during authorization of removable media devices. The user must select at least one scanner to continue the authorization process. It is not advisable to select this option when using the Pointsec DataScan, as users may be able to import unauthorized file types by deselecting it and choosing just to invoke an anti-virus scan.
  • User can skip media scan
    This option should only be selected for advanced user profiles. This option will allow a user to bypass anti-virus and Data Authorization scans and potentially allow virus infected or unauthorized file types onto the system.
  • User can delete files on unauthorized media
    This option should be used in conjunction with the Pointsec DataScan. If an unauthorized file type is detected during the media authorization process, it is possible to delete the unauthorized file(s) using the browse option from within the RMM unauthorized message box. Re-authorization can then be performed.
  Note - This facility is only available in wizard mode.

Encryption Tab

Figure 3-19

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

The Encryption tab will only be visible if the Encryption Policy Manager (EPM) has been installed. The Pointsec Protector Encryption Policy Manager provides strong encryption using the AES algorithm for all selected removable media devices. From within this component it is possible to enforce that all removable media storage devices must be encrypted before access is granted. By enforcing encryption of all devices, organizations can ensure that all sensitive information is transparently secured from external breaches.

Note - The following options permit users to encrypt new devices during the authorization process. The Encryption Policy Manager is always active in the background irrespective of these options. This means users can access previously created encrypted devices providing they are correctly authenticated and are approved for access.

Automatic access to encrypted media

Figure 3-20

Select the Configure button to configure the encrypted media access rights for the current profile. The following options are available:

• No access to any protected media
  By selecting this option all users running the selected profile will be prompted for a password when inserting encrypted media. Users will not be able to encrypt at all, even if Access, create is set in the Device Manager.

• Access to media encrypted by any user
  This option will permit access to any encrypted media that has been created within the current organization, irrespective of the user group that imported the device.

• Only grant access to owner of the encrypted media
  This option will permit access to encrypted media only by the user that initially performed the encrypted media import. Please note that only EPM key recovery officers will have access to all encrypted media. This feature enables the system administrator to enforce individual media assignment.

• Access to media encrypted by members with the same profile template
  By selecting this option users of the current profile will only be able to access devices imported by other users using the same profile. For example, if a user is using the 'standard users profile' he or she will only be able to access devices imported by other users who are also running the 'standard users profile'.

• Access to all encrypted media except members of the following groups
  By selecting this option it is possible to specify that users running the selected profile can access devices imported by all groups except for defined groups. For example, it may be desirable to allow full access to all devices except for those imported by members of the accounts group.

Access to password protected media

It is often desirable to configure access levels for devices that have been protected by a password. These devices will generally be devices created outside of the environment currently protected by Pointsec Protector. From within this part of the tab it is possible to set up trust relationships between multiple sites and to explicitly deny access to any unknown encrypted media.

If you want to: Allow access to all password protected media (irrespective of where the device was first encrypted)
Then: Set This site to Allow access and <Other sites> to Allow access. Please note that the Removable Media Manager provides additional access control rights.

If you want to: Allow access to password protected media created within the current site only
Then: Set This site to Allow access and <Other sites> to No access.

If you want to: No access to any password protected media, regardless of site
Then: Set This site to No access and <Other sites> to No access. This is the most secure option.
If you want to: Allow access to the media from specific sites only
Then: Click the Sites button and enter the Site IDs of the sites you trust and want to allow access from. Then set these sites to Allow access in the Encryption tab.

Advanced Settings

• Protect media with a password for full access in offline mode
  The Pointsec Protector EPM client operates transparently within a networked environment, as the client connects to the server to authenticate that the user is permitted to access the encrypted device. When accessed externally in standard mode, the user by default will have no access to the encrypted data on the storage device. It is often desirable to grant external access when a network connection is not present or when access on a separate network running Pointsec Protector EPM is required. This can be achieved by enabling the Protect media with a password for full access in offline mode option. Providing the external workstation has either the full Pointsec Protector Client software or the freeware EPM client software installed, access to encrypted media can be achieved providing a password is entered. If this option is selected during the creation process of any removable media, the user will be required to choose a password. The minimum password criteria can be set by clicking the Configure button; this opens the Password constraints window:

  Figure 3-21

  Constraints tab
  From the Constraints tab, it is possible to configure minimum and maximum password lengths and required character types. The Test panel can be used to confirm that the password settings are correctly implemented.

  Advanced tab

  Figure 3-22

  On the Advanced tab, users can be given policy notes detailing password constraints by entering the relevant information into the Password note text field.

• Password attempts
  The number of password attempts permitted to access encrypted removable media can be specified (0 = infinite password attempts).

• Block access for (minutes):
  When the maximum number of password attempts has been exceeded it is possible to block access to encrypted media for XX minutes.

• Lock drive completely after (attempts):
  To enhance security it is possible to configure that encrypted removable media devices can be locked out completely after XX password attempts. Access to the device can be re-enabled either by returning the device to the home network and securely authenticating it or by recovering via secure challenge/response.

• Users can change size of encrypted media
  If this option is enabled, users are permitted to change the percentage of removable media that is encrypted during the EPM import wizard.

• Copy the EPM Explorer to encrypted media for offline access
  By enabling this option, the EPM Explorer is automatically copied to encrypted removable media. The EPM Explorer enables offline access to encrypted data on third party machines without the need to install any software. Even if the third party machine does not have either Pointsec Protector or the EPM Freeware client installed, access can be granted to encrypted removable media via a password. For further information about using the EPM Explorer, please see section "Encryption Policy Manager Explorer" on page 171.

• Users can create media for other users
  This option is generally selected for administrator profiles. Using this option, the administrator can import devices and assign them to different users. There is also the ability to import a device in a 'limbo' state. This means the device can be issued to a user and the first time they insert the device it will be assigned to the current user.

• Users can recover their password using challenge/response
  In the event that a user forgets his/her password for encrypted removable media when remote from the home site, it is possible to perform remote password recovery using a challenge/response procedure.
• Users can remove EPM encryption from media
  If this option is enabled, users are permitted to decrypt encrypted removable media devices. This can be achieved by clicking the Export button from within the EPM Client console. Removing encryption will back up the contents of the device, decrypt the information and then copy the data back in clear text. This option should only be given to the administrator or trusted users.

Advanced Tab

Figure 3-23

Denotes that the settings are defined in this profile.
Denotes that the settings are not defined in this profile and are inherited from the profile below.

Enable Pointsec Protector client anti-tamper protection

Pointsec Protector is implemented using kernel mode device drivers and hence provides unrivalled security. Organizations often have to enable local administration rights for certain defined users to ensure flexibility and support for legacy applications. To enhance security, the Pointsec Protector client can be enabled to include additional anti-tamper protection. By enabling this option, users with local administration rights will be unable to modify or delete key Pointsec Protector registry keys or system files.

Note - It is advisable to disable this feature for system administrators, as it will prevent any debugging of the Pointsec Protector client software.

Protector client profile reload

By default the Pointsec Protector client only connects to the Pointsec Protector server at logon or when a manual profile reload is instigated from the client or the server. Additional options can be configured to ensure that the profile applied is always current and based on location and status:

• Only reload the profile on logon or network connection change
  A profile reload will automatically be performed on logon and if the network connection status is changed, for example when changing from a wired network to wireless.

• Check for updated profile every XXX minutes
  An automatic profile reload can be performed at scheduled intervals to ensure that the Pointsec Protector policy is always up to date. This feature is particularly applicable where users do not log off of workstations/laptops regularly.

Protector client log synchronization

• Immediately after an event occurs:
  With this option selected, the client workstation will perform an immediate connection to the Pointsec Protector Enterprise Server (if available) and upload the latest audit log information.

• Every day at _____
  The client workstation can be configured to upload the latest log information every day at a defined time.

• Every ____ minutes
  The client workstation can be configured to upload the latest log information at defined intervals.

SmartCenter for Pointsec - webRH support

• Use webRH profile for challenge/response
  By selecting this option, it is possible to use the SmartCenter for Pointsec - webRH challenge/response service for remote password reset/recovery of EPM encrypted devices.

  1. Select the Use webRH profile for challenge/response checkbox and then click the Import button to load the required webRH profile. The following dialog is displayed:

  Figure 3-24

  2. Select the required webRH profile and click Open. Enter the webRH profile security password:

  Figure 3-25

  3. On completion of the import process, the webRH profile is displayed in the Advanced tab dialog:

  Figure 3-26

Security Tab

Figure 3-27

For larger organizations it is often desirable to delegate administration based on geographic location and/or role. Using the Security tab, the administrator can configure users/groups that are permitted to modify and delete the selected profile. Use the Add and Remove buttons to configure the required users and groups.
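The password constraints and the attempt limits described under the Encryption tab's Advanced Settings above (Password attempts with 0 = infinite, Block access for (minutes), Lock drive completely after (attempts)), modelled as an added example. This is constructed illustration code, not Pointsec Protector's implementation; the class and field names, the PBKDF2 verifier, and the exact point at which a block or lock triggers are assumptions.

```python
"""Constructed model of the EPM offline password policy (not product code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordConstraints:
    """Settings from the Constraints tab of the Password constraints window."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False

    def violations(self, password: str) -> List[str]:
        """Unmet constraints; an empty list means the password is accepted.
        This is the check the Test panel lets an administrator try by hand."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if len(password) > self.max_length:
            problems.append("longer than %d characters" % self.max_length)
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_symbol and not any(not c.isalnum() for c in password):
            problems.append("no symbol")
        return problems


@dataclass
class AttemptPolicy:
    """Password attempts / Block access for (minutes) / Lock drive completely after."""
    max_attempts: int = 3      # 0 = infinite password attempts
    block_minutes: int = 15    # block length once the permitted attempts are used up
    lock_after: int = 10       # assumed: 0 = never lock the drive completely


class EncryptedMediaGate:
    """Offline password gate for one encrypted device (constructed model)."""

    def __init__(self, password: str, constraints: PasswordConstraints, policy: AttemptPolicy):
        bad = constraints.violations(password)
        if bad:
            raise ValueError("password rejected: " + ", ".join(bad))
        self.policy = policy
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self.failed_in_window = 0      # failures since the last grant or block
        self.failed_total = 0          # failures counted towards the complete lock
        self.blocked_until: Optional[datetime] = None
        self.locked = False

    def _derive(self, password: str) -> bytes:
        # Slow hash so a copied verifier cannot be guessed cheaply (assumed design).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def try_password(self, password: str, now: datetime) -> str:
        """Outcome of one attempt at time `now`: granted, denied, blocked or locked."""
        if self.locked:
            return "locked"                      # only recovery re-enables the device
        if self.blocked_until is not None and now < self.blocked_until:
            return "blocked"                     # still inside the block window
        if hmac.compare_digest(self._derive(password), self._verifier):
            self.failed_in_window = 0
            self.failed_total = 0
            self.blocked_until = None
            return "granted"
        self.failed_in_window += 1
        self.failed_total += 1
        # Assumed boundary: the drive locks once the total reaches the configured count.
        if self.policy.lock_after and self.failed_total >= self.policy.lock_after:
            self.locked = True
            return "locked"
        # Assumed boundary: access is blocked once the permitted attempts are used up.
        if self.policy.max_attempts and self.failed_in_window >= self.policy.max_attempts:
            self.blocked_until = now + timedelta(minutes=self.policy.block_minutes)
            self.failed_in_window = 0
            return "blocked"
        return "denied"

    def recover(self, new_password: str, constraints: PasswordConstraints) -> None:
        """Model of re-enabling a locked device (home-network re-authentication or
        challenge/response): set a fresh password and clear every counter."""
        bad = constraints.violations(new_password)
        if bad:
            raise ValueError("password rejected: " + ", ".join(bad))
        self._salt = os.urandom(16)
        self._verifier = self._derive(new_password)
        self.failed_in_window = 0
        self.failed_total = 0
        self.blocked_until = None
        self.locked = False
```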
Exporting Profile Templates

It is possible to export profile templates after creation. This is useful for backup purposes and, more importantly, for the installation of standalone and remote users.

To export a profile template:

1. Select the default Profile Template, right-click and select Export, as shown below:

Figure 3-28

The Profile Export Wizard welcome screen is displayed.

2. Click Next to continue:

Figure 3-29

3. Select the type of profile export required:

• DNP Format
  DNP format enables the system administrator to export a profile to a protected file that can be applied by the user to enable remote and temporary profile changes.

• XML Format
  XML format is used for manual profile changes only. This format can only be applied by system administrators. This format should also be used when updating the default.xml prior to client installation.

4. Select the required format and click Next to continue:

Figure 3-30

When exporting a profile it can be configured as if it was exported from an existing machine configuration or without specific computer-based profiles:

• Export profile as if loaded on any computer
  The exported profile can be applied to any computer.

• Export profile as if loaded on a specific Check Point Protector client computer
  Use the Browse button to list specific computers that the exported profile will be taken from.

• View
  Displays a preview of the exported profile.

• Profile can be loaded only on a machine with a specified name
  To enhance security it is possible to restrict the machines on which the exported profile can be imported. These machines can be listed separately, separated by a comma, or using wildcards.

• The exported profile will expire on a specified date
  To enable the application of temporary access right changes, it is possible to specify when a profile will expire. Once the expiration time is reached the client workstation will revert back to the previously applied profile.

• Apply only to some users of the machine
  It is possible to restrict which users are able to apply the new profile changes.

Figure 3-31

5. Select the required options and click Next to continue:

Figure 3-32

6. When exporting a .dnp file, it is possible to protect the file with a password. This password must be relayed to the user to enable import. Enter a suitable password and click Next to continue:

Figure 3-33

7. Select the required file location using the Browse button and click Next to continue:

Figure 3-34

8. Click Finish to complete the profile export:

Figure 3-35

A message is displayed confirming the profile export. For standalone client installations the exported profile can be copied to the Pointsec Protector Client installation folder (default.xml). This profile will be used for future installations when a Pointsec Protector Enterprise Server is not present.

Note - To update an existing default policy (XML format) the machine must be logged on with local administration rights.

Default Profile Template

During the installation of Pointsec Protector Enterprise Server a default profile template is created. This default profile cannot be deleted from the Pointsec Protector Administration Console. The default profile is used when a user connects from a Pointsec Protector Client machine that is not in the Pointsec Protector user database. It is recommended that the default profile is configured so that all components are enabled, to ensure that a weakness is not introduced into the Pointsec Protector protected environment. The default profile is used as the base profile for all other profiles. The default profile should be used to define global settings.
For example, it may be desirable to specify global messaging across the entire organization. This can be achieved by configuring the messaging in the default profile but not defining it in any other profile.

Chapter 4 Set up User and Group Configuration Profiles

This chapter describes how to set up user and group configuration profiles.

In This Chapter
Users/Groups page 87
Creating New Users/Groups page 87

Users/Groups

Pointsec Protector Enterprise Server is designed primarily for MS Windows/Novell-based domain networks. However, support is available for standalone/remote users and further information can be obtained from the Check Point technical support department http://www.checkpoint.com/services/contact/. Before any client machines are installed it is essential to set up user/group configuration profiles and to export a default profile. This section details the various user/group configuration options available.

Creating New Users/Groups

Before installing any client software it is important to import/create Pointsec Protector user groups. There are two default groups within the Pointsec Protector Server: "Default Group" and "Users with Custom Profiles".

Default Group

The default group is created and used when a user connects to the server and does not have a profile available in the Pointsec Protector Enterprise Server user database.

Creating a new user group (Windows Domain (AD), Novell)

Note - Profile template(s) should have been created prior to launching this wizard.

To create a new group:

1. Right-click on the Groups node and select New > Group of users.

Figure 4-1

The New Group Wizard is displayed; click Next to continue:

Figure 4-2

2. Enter a suitable group name and group description if required. Click Next to continue:

Figure 4-3

3. Each group needs to be assigned at least one Pointsec Protector Client profile. The profiles to be assigned to the group must be selected:

• Use configuration profile
  The selected profile(s) will be used for all users in the group. Changes made to the profile within the Profile Templates node will be applied to users within this group. When assigning multiple profiles to a group of users the profile settings will be combined to produce a cumulative profile. The profile order can be configured by selecting the properties of the group.

Note - The default profile must be assigned to all groups.

4. Select the required profiles and click Next to continue:

Figure 4-4

5. Now you can choose to add users to your group or to create an empty group with no users.

• Create an empty group
  This option creates an empty user group. Users can be added at a later time.

• Add all users from a Windows/Novell domain group
  Pointsec Protector Server automatically integrates into MS Windows Domain networks, allowing import of Domain groups. Select the domain and group you wish to import into the newly created Pointsec Protector group by clicking the Browse button.

• Synchronize this Pointsec Protector Group with domain/NDS group
  It is advisable to select this checkbox to ensure that the Pointsec Protector group remains synchronized with the Windows Domain group/NDS group. New users added to the Domain group and users who are removed from the Windows/NDS Domain group will be synchronized into the Pointsec Protector database. It is advisable to create new Windows/NDS Domain groups for use with Pointsec Protector (for example, Protector Users and Protector Administrators) and import and synchronize these groups.

6. Click Next to continue:

Figure 4-5

7. Click Finish to complete the Pointsec Protector group creation wizard.

Figure 4-6

8. Repeat this process to create further groups.
Creating a new group of users synchronized to Domain/NDS group

Figure 4-7

To add new Domain and NDS user groups:

1. Right-click on the Group node and choose New > Group of users synchronized to domain/NDS group.

2. Select the required domain/NDS group:

Figure 4-8

3. Select the required group options, including automated synchronization, in the Group tab:

Figure 4-9

4. The relevant profiles can be selected using the Add/Remove buttons in the Profiles tab as required. If an existing profile is not available it is possible to define custom profile settings that will be applied to this group only.

Figure 4-10

5. Additional security can be applied to the group to define users/groups that are permitted to edit the group membership etc.

Figure 4-11

Users with Custom Profiles

It is possible to assign special profile rights to individual users rather than just groups. Any users that are selected to have a custom profile will be automatically moved to the Users with custom profiles group.

Note - As long as the users stay in the Users with custom profiles group they will always receive a customized profile regardless of the synchronization within domain groups (where they originally belonged). If the system administrator later wishes to reassign the original group profile to the user, the following can be done:
i. Drag and drop the user back into the original Pointsec Protector group.
ii. Delete the user from the Users with custom profiles group and either run a manual domain synchronization or wait for the next scheduled synchronization every XX minutes, as specified.

Adding Users to Groups

To add new users to an existing group:

1. Select the group, right-click and select Add users to group.

Figure 4-12

2. Select the Windows groups/users you wish to import:

Figure 4-13

3. Click OK to complete the user import wizard.

Note - Users can only be added to previously created groups if the Synchronize with Windows/Novell Domain option was not selected. If this option was selected, it is advisable to add any new users either to a new group or to the Domain group that is being synchronized. Because synchronization only applies to predefined groups of users from the PDC or workgroup, if a Pointsec Protector group is created where only individual users are added (from Domain or Workgroup), please note that synchronization will not apply to users in this Pointsec Protector group.

Offline Users

Pointsec Protector can be configured to assign different access rights when machines are on and off the network. This may be particularly desirable for laptop users where different access rights are required, for example disabling WiFi access when the laptop is on the network and enabling it when offline. There are two categories of offline user:

• Offline user
  Applies to all users with local user rights.

• Offline Administrator
  Applies to all users with local administrator rights.

Offline profile settings can be edited by right-clicking and selecting Properties. Either the default profile can be applied or Define custom settings for this user can be selected:

Figure 4-14

Group Properties

To view the properties of a group, right-click on the group and select Properties as shown below:

Figure 4-15

The User Group Properties window is displayed and contains two tabs: Group and Profiles. From the Group tab it is possible to reconfigure the group settings, including the group name and description. The configuration profile can be changed and domain synchronization settings modified.

Figure 4-16

The Profiles tab can be used to change the currently selected profile template(s).
Note - If the group is currently using a profile template(s) and the Edit button is selected, any changes made will also affect other groups using this profile template(s). If the group is using a custom template then any changes will only affect the selected group.

The order within which profile security rights are assigned can be defined by using the Up and Down buttons:

Figure 4-17

Group Synchronization Settings

Windows Domain group synchronization is used to ensure that the Pointsec Protector user groups are kept synchronized with Windows Domain user groups. There are a number of configuration options available, which can be located by right-clicking on the Groups node and selecting Properties.

Figure 4-18

The User Group Properties window opens, which contains two tabs: Group Order and Advanced.

Group Order Tab

The Pointsec Protector Server can be used in two modes. Users can be members of only one domain/NDS user group or members of multiple domain groups. When users are members of more than one Windows/Novell domain group it is possible to define a synchronization order. Whichever group is at the top of the list has precedence over groups below. Use drag-and-drop or the Move Up and Move Down buttons to move a group and change the order of the groups.

If a user belongs to more than one MS Windows domain group and their Check Point groups are individually pointed to different Pointsec Protector groups, whichever Pointsec Protector group you require the user to belong to has to be at the top of the list within the Synchronization Order tab. Please also be aware that in this scenario, when synchronization occurs, the last Pointsec Protector group will inherit the user and the user will disappear from the Pointsec Protector group in which they were explicitly assigned.

Note - As long as the user stays in the Users with custom profiles group they will always receive a customized profile regardless of the synchronization within domain groups (where they originally belonged). If the system administrator later wishes to reassign the original group profile to the user, the following can be done:
i. Drag and drop the user back into the original Pointsec Protector group.
ii. Delete the user from the Users with custom profiles group and either run a manual domain synchronization or wait until the next scheduled synchronization every XX minutes, as specified.

Figure 4-19

Advanced Tab (Synchronization Period Tab)

Figure 4-20

Synchronization between Pointsec Protector user groups and Windows Domains can be performed automatically at scheduled intervals.

• Automatic synchronization

• Synchronize every
  Synchronization can be performed at scheduled intervals. The synchronization period can be defined in either minutes or hours. It is important to note that any new users added to the domain using Windows user manager or Active directory users and groups will not appear in the Pointsec Protector Server database until the next scheduled domain synchronization has occurred.

• Synchronize now
  Performs an immediate synchronization of Pointsec Protector user groups and Windows Domain user groups.

User group membership

Pointsec Protector can operate in two modes, which offer different features and benefits:

• User can be a member of one Protector group at a time
  When this mode is selected users can only be a member of one Pointsec Protector group and the synchronization order will define which group they are a member of.

• Users can be a member of multiple Protector groups at a time
  When this mode is selected users can be members of multiple Pointsec Protector groups.
  The resulting policy will be a merge of all applied group memberships, dependent on group order.

Creating a new Computer Group

The Pointsec Protector Enterprise infrastructure is based on roaming user profiles. This means that wherever a user logs on, he/she will receive the defined profile settings. However, in many instances there is a requirement to assign machine specific settings. Machine specific settings are useful where certain devices on defined computers should be accessible to any user that logs on (for example, a scanner on a graphics workstation). Machine specific settings can be configured within the Computer Groups.

To create a new computer group:

1. Right-click on the Groups node and select New > Group of Computers:

Figure 4-21

2. The New Group wizard is invoked; click Next to continue:

Figure 4-22

3. Enter a suitable group name and description and click Next to continue:

Figure 4-23

4. Select the required machine based profile; the profile order can be configured after creation. Click Next to continue:

Figure 4-24

5. Click Finish to complete the computer group creation:

Figure 4-25

Adding computers to a computer group

Computer based profiles can be assigned to machines that have already registered with the Pointsec Protector Enterprise Server and appear in the Computers node. To add a computer to a computer group, select the required computer(s) from within the Computers node and drag them into the relevant computer group:

Figure 4-26

Configuring computer group profile priority

When using computer groups it is desirable to configure whether the computer based profile is applied before or after the user based profile. To configure the profile order, right-click on the required computer group and select Properties:

Figure 4-27

The Computers Properties window is displayed, which contains three tabs: Group, Profiles and Licensing:

Figure 4-28

Group Tab

Computer group profile priority

• User profile overrides computer profile
  With this option selected the computer based profile will be applied first and the user based profile will override settings if defined.

• Computer profile overrides user profile
  The computer based profile will override user and user group profiles if settings are defined.

Offline Profiles

• Disconnected computers use cached profiles
  By default the Pointsec Protector client will use a cached (last downloaded) profile when unable to connect to the Pointsec Protector Server. When this option is selected as part of a computer group the cached policy will always be used when disconnected from the network.

• Disconnected computers use offline profiles
  If this option is selected, offline computers that are a member of the defined group will use an offline profile when disconnected from the network.

Licensing Tab

Figure 4-29

In the Licensing tab it is possible to specify which Pointsec Protector features should be disabled for the computers in this group. Disabled features do not require a license.

• Computers in this group do not use Port Management
  Select this check box if the computers in this group should not be able to use Port Management.

• Computers in this group do not use Media Encryption
  Select this check box if the computers in this group should not be able to use Media Encryption.

If none of these options are selected, both Port Management and Media Encryption are enabled for the computers in this group.
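How the profile layers described in this chapter combine, as an added example that is not the product's code: a setting is either defined in a profile or inherited from the profile below, the default profile is the base of every user group's stack (see Use configuration profile under Creating New Users/Groups), several profiles assigned to one group merge in their configured order, and the Computer group profile priority decides whether the computer or the user profile wins. The setting names, values and the rule that computer groups need not carry the default profile are assumptions made for illustration.

```python
"""Constructed model of Pointsec Protector profile layering (not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INHERITED = None   # marker: not defined in this profile, inherited from the profile below


@dataclass
class Profile:
    name: str
    settings: Dict[str, Optional[str]] = field(default_factory=dict)


def merge_stack(stack: List[Profile], require_default: bool = True) -> Dict[str, Tuple[str, str]]:
    """Combine profiles ordered top (highest precedence) to bottom (base).

    Returns setting -> (value, name of the profile that supplied it) so an
    administrator can see where each effective right came from."""
    if require_default and (not stack or stack[-1].name != "default"):
        raise ValueError("the default profile must be the base of every user profile stack")
    effective: Dict[str, Tuple[str, str]] = {}
    for layer in reversed(stack):            # start at the base, let higher layers override
        for key, value in layer.settings.items():
            if value is not INHERITED:       # inherited settings leave the lower value in place
                effective[key] = (value, layer.name)
    return effective


def effective_profile(user_stack: List[Profile],
                      computer_stack: Optional[List[Profile]],
                      computer_overrides_user: bool) -> Dict[str, Tuple[str, str]]:
    """Apply the Computer group profile priority setting to the two merged stacks."""
    user = merge_stack(user_stack)
    if not computer_stack:
        return user
    # Assumption: a computer group's stack is merged without the default profile.
    computer = merge_stack(computer_stack, require_default=False)
    winner, loser = (computer, user) if computer_overrides_user else (user, computer)
    result = dict(loser)
    result.update(winner)                    # the winning side overrides wherever it defines a setting
    return result


def explain(effective: Dict[str, Tuple[str, str]]) -> List[str]:
    """Audit lines: which profile granted each effective setting."""
    return ["%s = %s (from %s)" % (key, value, src)
            for key, (value, src) in sorted(effective.items())]


# Constructed sample profiles; the setting keys and values are illustrative only.
DEFAULT = Profile("default", {
    "device_manager.usb_storage": "no_access",
    "rmm.authorization": "automatic",
    "epm.password_attempts": "3",
    "messaging.banner": "Company policy applies",
})
STANDARD_USERS = Profile("standard users", {
    "device_manager.usb_storage": "read_only",
    "rmm.authorization": INHERITED,          # shown in the console as inherited from below
    "epm.password_attempts": INHERITED,
})
ADMINISTRATORS = Profile("administrators", {
    "epm.password_attempts": "0",            # 0 = infinite attempts, see the Encryption tab
})
GRAPHICS_WORKSTATIONS = Profile("graphics workstations", {
    "device_manager.usb_storage": "full_access",   # device on this machine open to any user
})

if __name__ == "__main__":
    for line in explain(effective_profile([STANDARD_USERS, DEFAULT],
                                          [GRAPHICS_WORKSTATIONS], True)):
        print(line)
```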
104 Chapter Monitoring 5 This chapter describes how to monitor installed Pointsec Protector clients, create alerts and reports, view logs and audits etc. In This Chapter Computers - Dynamic Client Configuration Computers View Alerts Creating a New Alert Logs Log Filter Exporting Logs Log Archival Removable Media Log Predefined Filters Viewing Removable Media Audits for Individual Users Viewing CD/DVD Audit Removable Media Log Archival CD Audit Tab Reports Creating a New Report page 105 page 106 page 111 page 111 page 113 page 116 page 116 page 117 page 118 page 120 page 123 page 123 page 124 page 126 page 126 page 127 Computers - Dynamic Client Configuration The Computers node details the currently installed Pointsec Protector Client machines. By clicking on Computers you will see a list of Pointsec Protector protected workstations. This component provides the ability to disable Pointsec Protector Client components across a network. To access the dynamic configuration tab, select the machine(s) and double-click or select Properties. 105 Computers View Computers View Figure 5-1 It is possible to view the current status of the Pointsec Protector Client workstations. The following information can be viewed from the computers node: 106 • Computer Name: Workstation Name. • Last Known IP: The last known IP address of the client workstation. • Last connection time: Details the time and date of the last successful profile download from the server. • User account: The username of the last user to log on to the client workstation. • Logged on: (Yes/No) Details whether there is currently a user logged on. • Installed drivers: Details the currently installed components (DM, PSG, RMM). • Active drivers: Details the current status of the Pointsec Protector components. Computers View • Client version: Details the version of the Pointsec Protector client software. • Group Name: Details any specific computer group based profile settings. 
• License Status: Details whether the license is valid or not for the computer group.
• License Features: The License Features column displays the features used by a host as follows:
  PM+ME/none used
  PM+ME removed
  PM+ME disabled

Any workstations that have components disabled are highlighted with a yellow exclamation mark. Workstations with a missing license are highlighted with a red circle and white cross.

By right-clicking on selected machines the following options can be executed:

• Refresh Host
  The Refresh Host option forces the selected Pointsec Protector client(s) to re-register with the server. To perform this task, right-click on the selected workstations and select Refresh Host.

Figure 5-2

• Reload Profile
  To force the selected client workstation(s) to download a new user profile, right-click and select Reload Profile. This feature is useful if you have changed the rights for a particular user or group of users and want to force an immediate profile change. To select all computers on the current domain press Ctrl+a and then Reload Profile.

  Note - Reloading the profile on all computers is inadvisable and may increase network traffic.

  Alternatively, a profile can be reloaded for every user of a specific profile by right-clicking on the relevant profile and selecting Force profile reload.

Figure 5-3

• Refresh Workstation
  To refresh the current status of a particular workstation(s), select Refresh. This updates the current list of active drivers and installed components.

Figure 5-4

Computer Filter

On large networks it is often desirable to search for named workstations, or to build a collection of workstations meeting certain defined criteria. To find defined workstation(s), or to build a filter, select the Filters button from the tool bar:

Figure 5-5

The Configure Filter dialog opens. From within this dialog, a filter can be created by selecting specified conditions and defined criteria.
Figure 5-6

Computer Properties Window

When you right-click on a computer and select Properties, the Computer Properties window is displayed. It contains two tabs: General and Configuration.

General Tab

Figure 5-7

The General tab displays the following information:

• Client ID: The client machine's unique identifier.
• Client Version: Displays the version of the Pointsec Protector client installed.
• Computer name: Displays the selected machine name.
• Last known IP: Displays the last known client machine IP address.
• Connection Time: Displays the time and date of the last client/server connection.
• Last User: Displays the name of the last user who logged on to the client workstation.
• Is Logged on: Displays whether the machine is currently logged on to the network.
• License Status: Details whether the license is valid or not for the computer group.
• License Features: The License Features column displays the features used by a host as follows:
  PM+ME/none used
  PM+ME removed
  PM+ME disabled

Configuration Tab

Figure 5-8

It is possible to disable PSG, RMM and DM from within the Configuration tab. Boot protection user and administrator passwords can also be changed.

• Disabling PSG (Program Security Guard)
  The Program Security Guard can be disabled by de-selecting the PSG checkbox and clicking Apply.
• Disabling RMM (Removable Media Manager)
  The Removable Media Manager can be disabled by de-selecting the RMM checkbox and clicking Apply.
• Disabling DM (Device Manager)
  The Device Manager can be disabled by de-selecting the DM checkbox and clicking Apply.

Note - When disabling PSG, RMM and DM it is important to note that these components will not be re-enabled until the current user either reboots or logs off. Alternatively it is possible to re-enable these components by selecting the relevant checkboxes and clicking Apply.
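The Computers view and Computer Properties window above are read by hand in the console. The following is an added example, not code from the guide or from Pointsec Protector, showing how an administrator can apply the same two highlight rules (components installed but not active, and a missing license) to an exported list of hosts, and combine conditions with the And/Or logic of the Configure Filter dialog. The column names used as dictionary keys, the host rows and the seven-day "stale connection" threshold are constructed assumptions for the example.

```python
"""Triage the Computers view the way the console highlights it (added example;
not Pointsec Protector code). The columns (Installed drivers, Active drivers,
License Status, Last connection time) and the two highlight rules (components
disabled -> yellow exclamation mark, missing license -> red circle) come from
the guide; the 'stale connection' check and the And/Or filter helpers are this
example's own additions, and the host rows are constructed sample data.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, List

Host = Dict[str, object]
NOW = datetime(2009, 5, 1, 9, 0)  # fixed clock so the results are reproducible

# Constructed sample rows, one per client workstation.
HOSTS: List[Host] = [
    {"name": "WK1", "installed": "DM, PSG, RMM", "active": "DM, PSG, RMM",
     "license": "Valid", "last_connection": NOW - timedelta(hours=1)},
    {"name": "WK2", "installed": "DM, PSG, RMM", "active": "DM, RMM",
     "license": "Valid", "last_connection": NOW - timedelta(hours=3)},
    {"name": "WK3", "installed": "DM, PSG, RMM", "active": "DM, PSG, RMM",
     "license": "Missing", "last_connection": NOW - timedelta(days=1)},
    {"name": "WK4", "installed": "PSG, RMM", "active": "PSG",
     "license": "Valid", "last_connection": NOW - timedelta(days=12)},
]


def components(field: str) -> set:
    """'DM, PSG, RMM' -> {'DM', 'PSG', 'RMM'}; an empty column gives an empty set."""
    return {c.strip() for c in field.split(",") if c.strip()}


def disabled_components(host: Host) -> set:
    """Installed but not running: what the console marks with a yellow exclamation mark."""
    return components(host["installed"]) - components(host["active"])


def status(host: Host, stale_after: timedelta = timedelta(days=7),
           now: datetime = NOW) -> List[str]:
    """Return the flags a host would be highlighted with; an empty list means healthy."""
    flags = []
    if host["license"] != "Valid":
        flags.append("missing-license")       # red circle with white cross
    if disabled_components(host):
        flags.append("components-disabled")   # yellow exclamation mark
    if now - host["last_connection"] > stale_after:
        flags.append("stale-connection")      # assumption: no profile download for a week
    return flags


# Minimal And/Or filter in the spirit of the Configure Filter dialog.
Condition = Callable[[Host], bool]


def field_equals(field: str, value) -> Condition:
    return lambda h: h[field] == value


def has_flag(flag: str) -> Condition:
    return lambda h: flag in status(h)


def all_of(*conds: Condition) -> Condition:   # the dialog's 'And'
    return lambda h: all(c(h) for c in conds)


def any_of(*conds: Condition) -> Condition:   # the dialog's 'Or'
    return lambda h: any(c(h) for c in conds)


def select(hosts: List[Host], cond: Condition) -> List[str]:
    """Names of the hosts matching the filter, in view order."""
    return [h["name"] for h in hosts if cond(h)]


def needs_attention(hosts: List[Host] = HOSTS) -> Dict[str, List[str]]:
    """Map each flagged host to its flags, skipping healthy ones."""
    return {h["name"]: status(h) for h in hosts if status(h)}


if __name__ == "__main__":
    for name, flags in needs_attention().items():
        print(f"{name}: {', '.join(flags)}")
    # Hosts that are either unlicensed or have PSG switched off
    print(select(HOSTS, any_of(has_flag("missing-license"),
                               lambda h: "PSG" in disabled_components(h))))
```

Because a disabled PSG, RMM or DM stays disabled until the user reboots or logs off (see the note above), a host that keeps appearing in `needs_attention()` across several refreshes is the one to look at first.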
After any of the components above have been disabled or enabled there may be a slight delay in updating the selected client machine. To view the current status of a machine it is advisable to right-click on the machine and select Refresh. The Running Drivers column displays the current status of PSG, RMM and DM.

Figure 5-9

Alerts

Pointsec Protector Enterprise Server includes the ability to generate audit-based e-mail alerts. The audit log provides a flexible method of auditing client events, but it is often desirable to highlight certain events as more serious. The Alerts node allows the administrator to flag certain events as very serious and generate an immediate e-mail alert to defined e-mail addresses.

Note - Alerts will only occur instantly if the client log synchronization for the alerted events has been set to Alert, or client log synchronization is set to Immediately after an event occurs within the Audit Events tab.

Creating a New Alert

To create a new e-mail alert:

1. Right-click on the Alerts node and select New > Alert.

Figure 5-10

The following dialog is displayed:

Figure 5-11

2. Enter a suitable alert name under Alert Name on the General tab.
3. Select one of the two options in the Event panel:
   • Alert on all events
     If the Alert on all events option is selected, all available audit events will trigger an e-mail alert. It is strongly advised that this option is not selected, as the number of e-mail alerts generated could be very large and cause e-mail performance issues.
   • Alert on selected events
     It is advisable to flag only certain events to generate e-mail alerts. These can be selected using the Alert on selected events radio button and then selecting the desired events from the list. The Clear All and Select All buttons can be used to make this process easier.
4. Go to the User Groups tab and select one of the two options:
   • All Groups
     Select this option to monitor all Pointsec Protector users/groups for the new Alert.
   • Selected Groups
     This option allows only certain groups to be monitored for the selected events within the defined Alert. On large installations it is advisable to create new alerts for each group.

Figure 5-12

5. In the Action tab, click Add to add a new e-mail address where the alerts are sent. The following dialog is displayed:

Figure 5-13

6. Enter the required e-mail address and click OK. This process can be repeated until all required e-mail addresses have been added. E-mail addresses can be edited or removed using the Edit and Remove buttons.

For further information about the current status of support for other alert mechanisms like SMS and SNMP, please contact the Check Point support department: http://www.checkpoint.com/services/contact/

Logs

Pointsec Protector includes centralized audit alerts. For information about configuring audit events, please see the “Auditing Tab” on page 51. The logs section can be accessed by selecting the Logs node from the Pointsec Protector Administration console.

Figure 5-14

Each log entry is assigned a unique ID number. The type of alert and its severity are symbolized by the color of the icon. Detailed information for a log entry can be viewed by double-clicking on the event. The following information is displayed:

Figure 5-15

• ID: The incremental number assigned to each event.
• Unique ID: The unique ID number assigned to each event.
• Time: The time and date at which the event occurred.
• Event: The type of event.
• Alert Sent: (Yes/No) Details whether an e-mail alert is configured for this event.
• User ID: The name of the Pointsec Protector user who was logged on when the event occurred.
• User Account: The domain and username of the user who was logged on when the event occurred.
• Computer Name: The machine name on which the event occurred.
• Event Source: The Pointsec Protector client component that created the event.
• Message: Component-specific information detailing the event.

Figure 5-16

The Device information tab details additional information from the Device Manager audit log. This information details authorized and blocked devices and can be used to add new device IDs. To add a new device to the Device Manager, click Add this device to device manager; this opens the Device Manager Configuration Editor, see section “Device Manager Configuration Editor” on page 27.

Log Filter

After a period of time the number of log entries may become large. To make log viewing easier and searchable, the Pointsec Protector Administration Console includes a log filter. The log filter provides the ability to display logs meeting specified criteria.

To access the log filter:

1. Select the Filter button from the taskbar.

Figure 5-17

The following dialog is displayed:

Figure 5-18

2. Select the required events using the drop-down menus and the 'And' or 'Or' statements as needed.

Exporting Logs

It is possible to export a copy of the log files to a .txt or .csv file format for use in other applications or for backup purposes.

To export a copy of the log files:

1. Right-click on the Logs node and select Export List.

Figure 5-19

2. Choose the desired export file type (.txt or .csv) and filename.
3. Click OK to complete the export process:

Figure 5-20

Log Archival

Over a long period of time the audit event logs may become very large. It is advisable to periodically archive and delete older events. This can be achieved using the Log Archival wizard, which is launched by right-clicking on the Logs node and selecting Properties. The following dialog is opened:

Figure 5-21

• Archive events that occurred earlier than
  Specifies the time period within which events will be archived.
• Archive log manually
  Audit logs will only be archived by selecting the Archive now button.
• Archive log automatically every
  Configures the automatic archiving of audit logs to the specified location. This can be configured periodically by selecting a preferred day and time.
• Archive Now
  Performs a manual archive of the audit logs within the specified time constraints.
• Log Archive Folder
  Specifies the location where the archives will be stored in delimited text format. The archive will be created using a filename denoting the date of the archive creation.

Removable Media Log

Pointsec Protector includes the ability to audit defined file operations on removable media and CDs/DVDs, including the creation, deletion, move/rename, and open for read and write of files. For further information about configuring removable media audit events please see the Removable Media Manager Audit tab.

The Removable Media Logs can be accessed by selecting the Removable Media Log node from the Pointsec Protector Administration console. The default view shows a summary of the top ten active users and hosts, as shown below:

Figure 5-22

The removable media audit log view can be changed by the administrator by right-clicking on the Removable Media Log node and selecting one of the following options.

Figure 5-23

Predefined Filters

• Last 24 hours
  Shows all events within the last 24 hours. Please note this filter is also dependent on whether viewing the summary or complete log.
• Last 7 days
  Shows all events within the last 7 days. Please note this filter is also dependent on whether viewing the summary or complete log.
• Last 30 days
  Shows all events within the last 30 days. Please note this filter is also dependent on whether viewing the summary or complete log.
• Custom Filter
  It is possible to build administrator-defined filters for displaying the removable media audit events. Custom filters can be set up by clicking Edit from the removable audit summary window. The following dialog is displayed:

Figure 5-24

  • Example 1
    To view the removable media audit events for a defined computer name (TEST-WK3-XP) over the entire time period, the following settings would be used:

Figure 5-25

  • Example 2
    To view all removable media audit file creation events on computer name TEST-WK3-XP by any user in the last 30 days, the following settings would be used:

Figure 5-26

  • Example 3
    To view all removable media audit information regarding operations on the filename Mydatabase.db by any user over the last 30 days, the following settings would be used:

Figure 5-27

  • Example 4
    To view all removable media audit events that were file creations or move/rename in the last 30 days, the following settings would be used:

Figure 5-28

  • Example 5
    To view all removable media audit events for the user User1 in the last 30 days, the following settings would be used:

Figure 5-29

• All Events
  Displays all removable media audit events.
• Summary
  Displays a predefined summary of the top ten most active users and hosts.
• Complete Log
  Shows the complete Removable Media Audit log.

Viewing Removable Media Audits for Individual Users

To view all file operations for selected users:

1. Double-click on a user log entry, or right-click and select Display these events.

Figure 5-30

The list of file operations is displayed.

2. Double-click on an entry to view the document summary information.
3. For CD images, Browse Disk Directory can be used to expand the entire CD/DVD file structure:

Figure 5-31

Viewing CD/DVD Audit

CD/DVD audit information can be viewed by selecting Browse disk directory.
The entire disk structure can be viewed:

Figure 5-32

Removable Media Log Archival

Over a long period of time the removable media audit event logs may become very large. It is advisable to periodically archive and delete older events. This is achieved using the Log Archival wizard.

To archive older events:

1. Right-click on the Removable Media Logs node and select Properties to launch the Log Archival wizard. The following dialog is opened:

Figure 5-33

2. Set the following options as appropriate:
   • Archive events that occurred earlier than
     Specifies the time period within which events will be archived.
   • Archive log manually
     Audit logs will only be archived by selecting the Archive now button.
   • Archive log automatically every
     Configures the automatic archiving of audit logs to the specified location. This can be configured periodically by selecting a preferred day and time.
   • Archive Now
     Performs a manual archive of the audit logs within the specified time constraints.
   • Log Archive Folder
     Specifies the location where the archives will be stored in delimited text format. The archive will be created using a filename denoting the date of the archive creation.

CD Audit Tab

Figure 5-34

The auditing of CD/DVD file operations can involve the exchange of vast amounts of audit information. For this reason the core CD audit information is stored outside of the SQL database. The location of the information can be configured from the CD Audit tab.

Reports

The Pointsec Protector core architecture provides comprehensive auditing of defined security and user events. To enable simple analysis and collation of audit events, Pointsec Protector includes a comprehensive reporting engine that generates fully configurable HTML reports.
A pre-built list of report templates is supplied as part of the product and can be configured to produce the desired output results.

Figure 5-35

Creating a New Report

To create a new report:

1. Right-click on the Reports node and select New; the following welcome screen is displayed.

Figure 5-36

2. Click Next to continue:

Figure 5-37

3. Select the required report from the list and click Next to continue:

Figure 5-38

4. Each of the reports has a number of customizable fields. Each field can be edited by selecting it and clicking the Edit button:

Figure 5-39

5. Select the required event type and click OK:

Figure 5-40

6. Enter a relevant report description/name and click Next to continue:

Figure 5-41

7. There are two options that can be selected regarding the report generation:
   • Generate this report immediately
     This option starts processing the report immediately.

     Note - On large sites with lots of audit information this process may take some time, but it continues in the background, enabling normal operation of the administration console.

   • Generate this report at the specified time
     To minimize the impact on system performance, report generation can be configured to take place at a defined date and time. For example, it may be desirable to schedule report generation overnight when there is little or no network activity.
8. Select the required option and click Next to continue:

Figure 5-42

9. A report summary is displayed. Providing the details are correct, click Next to create the report:

Figure 5-43

10. If Generate this report immediately was selected, the report creation begins immediately. The progress bar shows the current report generation progress.
Clicking Next closes the dialog; report generation continues in the background:

Figure 5-44

11. Click Finish to close the report generation wizard. Report generation is complete when the newly created report is displayed with a green tick.

Chapter 6 Installing a Remote Pointsec Protector Administrator Console

This chapter provides instructions for installing remote Pointsec Protector Administration consoles.

In This Chapter
Installation Instructions  page 133
Connecting to the Remote Server  page 137
Installing Pointsec Protector Client  page 137
Manual Installation  page 137
Silent Network Installation  page 143
Upgrading Pointsec Protector  page 148
Installing Enterprise Client with Active Directory using GPOs  page 148
Upgrade 4.50 to 4.52+ and migrate to MS SQL Database Server  page 163

Installation Instructions

It is often desirable to set up a number of remote administration consoles for the Pointsec Protector Enterprise Server.

To install a remote administration console, perform the following steps:

1. Log on to a MS Windows workstation with local administration rights.
2. From the installation CD-ROM, run the Check Point Protector Enterprise Server installation setup.exe.
3. Click Next through the welcome screen:

Figure 6-1

4. The server license agreement is displayed. Providing you agree with the terms and conditions of the license, select I accept the agreement and click Next to continue:

Figure 6-2

5. Enter a valid registration code/license number, or click Load from file to import a license from a license file (.lic). Click Next to continue:

Figure 6-3

6. Select to install the Pointsec Protector Server Administration Console. Click Next to continue:

Figure 6-4

7. Choose the start menu folder and click Next to continue:

Figure 6-5

The installation progress bar is displayed. Installation is complete when the progress bar reaches 100%.

Figure 6-6

8. Click Finish to complete the installation.

Figure 6-7

Connecting to the Remote Server

After installing the Pointsec Protector Administration console you need to complete the following steps to connect to the remote Enterprise Server.

To connect to the Remote Server:

1. Open the Pointsec Protector Administration Console (Start > Programs > Check Point > Pointsec Protector > Administration Console).
2. Ensure that the user wishing to connect to the remote Enterprise Server has sufficient security rights granted to allow access.
3. To connect to the remote server, right-click and select Connect to. Select the remote server name or IP address and Port Number and click Finish.

Installing Pointsec Protector Client

Manual Installation

This section details the installation of Pointsec Protector client software on Windows 2000 and XP client workstations.

To install Pointsec Protector client manually, perform the following steps:

1. Locate the Pointsec Protector client software and run setup.exe. The following welcome screen is displayed.
2. Click Next to continue:

Figure 6-8

3. The client license agreement is displayed. Providing you agree with the terms and conditions of the license, select I accept the agreement and click Next to continue:

Figure 6-9

4. Select the installation type, either Complete or Custom. It is advisable to select a Custom installation, as you will be given the opportunity to select the installed components. Click Next to continue:

Figure 6-10

If a custom installation was selected, the required components must be selected.
• Pointsec Protector DataScan
  Pointsec Protector is supplied with a data authorization module, which is integrated within the media authorization process. Employing this module, users can be given the right to authorize their own media, providing the device contains only permitted file types. The module can be configured to only allow the authorization of data-only files. Any executable/active code will be rejected even if renamed or hidden.

5. Select the required components and click Next to continue:

Figure 6-11

6. Add a server(s) by typing the server name or IP address and port number and then click Add. A test connection is performed to check that the server name is correct. Multiple servers can be added and their order can be arranged using the Move Up and Move Down buttons.

   Pointsec Protector uses a secure TCP/IP connection to communicate between client and server workstations. The machine name(s) of the Pointsec Protector Enterprise Server(s) must be entered as well as the TCP/IP port number (default 9738). When multiple servers have been added it is possible to select the following options:
   • Sequential
     The client connects to the first server in the list by default. If this server is unavailable then the second server is contacted, and so on in order.
   • Random
     When multiple servers are present the client software automatically shares the load across all configured servers using random selection.
7. Click Next to continue:

Figure 6-12

8. A summary of the selected installation components is displayed. Click Next to install Pointsec Protector Client with the configured options:

Figure 6-13

The setup progress is indicated as below:

Figure 6-14

9. On completion of installation a reboot is required.
Select the reboot option and click Finish to complete installation:

Figure 6-15

Silent Network Installation

The preferred method for installing Pointsec Protector Client is a silent network deployment. Because Pointsec Protector Client requires local administration rights to install, you will need to use a software deployment mechanism to install it. To install Pointsec Protector Client silently using any mechanism, an install template file must be created. This can be created by recording a standard install.

Creating a Template Installation for Silent Deployment

To create a standard template installation for silent network deployment, perform the following steps:

1. Create a shared folder on the server and copy the contents of the Pointsec Protector folder on the Pointsec Protector installation CD-ROM to this location.
2. Log on, with local administration rights, to a Windows 2000 or XP client workstation that currently does not have Pointsec Protector Client installed.
3. Navigate to Start > Run and browse to the location of setup.exe within the Pointsec Protector client folder. Run Setup.exe -r to invoke a recorded install as shown below:

Figure 6-16

4. Complete the installation as detailed in the section “Manual Installation” on page 137.

   Note - All options and configuration will be recorded and used for future silent installations.

5. A file named setup.iss will have been created in the Windows directory (for example, C:\winnt). Copy this file to the software installation network share location.
6. It is now possible to execute the Pointsec Protector Client installation in silent mode using setup.exe -s.

Editing Config.ini

Additional installation options can be configured within the config.ini file, which is located in the root folder of the client installation.
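Because the config.ini is copied to a network share and reused by every silent install, a mistake in it (an empty Servers entry, an unknown ServerOrder value, an uninstall principal without a domain prefix) is replicated to every workstation. The following is an added example, not code from the guide or from Pointsec Protector: a small Python checker for the [Server], [Client] and [Uninstall] keys whose syntax is described in the listing and the three examples that follow. It also models the Sequential/Random server order chosen in step 6 of the manual installation. The validation rules, the connection_order helper and the embedded sample file (built from Example 2 below) are this example's own assumptions, not product behaviour.

```python
"""Parse and validate a Pointsec Protector client config.ini (added example).

The file layout ([Server]/[Client]/[Uninstall] sections and the keys
Servers, DefaultPort, ServerOrder, UsersCanAdmin, EM, EMUPGRADE,
AllowedUsers, AllowedGroups) is taken from the guide; the validation
rules and the connection-order helper are this example's own
interpretation, not the product's code.
"""
import configparser
import random
from typing import List, Tuple

# Constructed sample, following the guide's Example 2: two servers contacted
# at random, uninstall restricted to named users and one group.
SAMPLE_CONFIG = """\
[Server]
Servers=Server1:9738;Server2:9738
DefaultPort=9738
ServerOrder=2

[Client]
UsersCanAdmin=0
EM=1
EMUPGRADE=0

[Uninstall]
AllowedUsers=%DOMAIN%\\Dnadministrator,%COMPUTER%\\Administrator,Check Point\\Administrator
AllowedGroups=%DOMAIN%\\domain admins
"""

SEQUENTIAL, RANDOM = 1, 2  # ServerOrder values documented in the guide


def load_config(text: str) -> configparser.ConfigParser:
    """Read an INI string, keeping key case and leaving %DOMAIN%-style values alone."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' must not be interpolated
    cp.optionxform = str  # keep 'Servers', 'AllowedUsers' etc. exactly as written
    cp.read_string(text)
    return cp


def parse_servers(spec: str, default_port: int) -> List[Tuple[str, int]]:
    """Split 'host:port;host:port' into (host, port) pairs; a missing port uses the default."""
    servers = []
    for entry in filter(None, (s.strip() for s in spec.split(";"))):
        host, sep, port = entry.partition(":")
        servers.append((host, int(port) if sep else default_port))
    return servers


def parse_principals(spec: str) -> List[str]:
    """Split the comma-separated AllowedUsers / AllowedGroups lists."""
    return [p.strip() for p in spec.split(",") if p.strip()]


def validate(cp: configparser.ConfigParser) -> List[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    if not cp.has_section("Server"):
        return ["missing [Server] section"]
    default_port = cp.getint("Server", "DefaultPort", fallback=9738)
    servers = parse_servers(cp.get("Server", "Servers", fallback=""), default_port)
    if not servers:
        problems.append("Servers is empty: the client has no server to register with")
    for host, port in servers:
        if not 1 <= port <= 65535:
            problems.append(f"bad port {port} for server {host}")
    order = cp.getint("Server", "ServerOrder", fallback=SEQUENTIAL)
    if order not in (SEQUENTIAL, RANDOM):
        problems.append(f"ServerOrder must be 1 (sequential) or 2 (random), got {order}")
    if cp.has_section("Uninstall"):
        users = parse_principals(cp.get("Uninstall", "AllowedUsers", fallback=""))
        groups = parse_principals(cp.get("Uninstall", "AllowedGroups", fallback=""))
        if not users and not groups:
            problems.append("[Uninstall] names no AllowedUsers or AllowedGroups")
        for principal in users + groups:
            # The guide writes every principal as %COMPUTER%\name, %DOMAIN%\name
            # or Domain\name; a bare name is almost certainly a typo.
            if "\\" not in principal:
                problems.append(f"principal '{principal}' lacks a DOMAIN\\ or %COMPUTER%\\ prefix")
    return problems


def connection_order(cp: configparser.ConfigParser, rng=None) -> List[Tuple[str, int]]:
    """Order in which a client would try the servers: as listed for 1, shuffled for 2."""
    default_port = cp.getint("Server", "DefaultPort", fallback=9738)
    servers = parse_servers(cp.get("Server", "Servers", fallback=""), default_port)
    if cp.getint("Server", "ServerOrder", fallback=SEQUENTIAL) == RANDOM:
        (rng or random).shuffle(servers)
    return servers


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("problems:", validate(cfg) or "none")
    print("contact order:", connection_order(cfg, random.Random(0)))
```

Run the checker against the config.ini on the share before recording the setup.iss template, so that the recorded install and every silent install after it pick up a file that has already been sanity-checked.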
From the config.ini it is possible to specify the Pointsec Protector Server names and default port number, boot protection passwords, and who is permitted to uninstall the client software. The config.ini can be opened and edited using any text editor or notepad.exe. The following information is stored (the default settings are shown):

[Server]
Servers=
DefaultPort=9738
ServerOrder=1

[Client]
UsersCanAdmin=0
EM=1 (Removable Media Manager)
EMUPGRADE=0

[Uninstall]
AllowedUsers=%COMPUTER%\Administrator,%DOMAIN%\Administrator
AllowedGroups=%DOMAIN%\Administrators,%DOMAIN%\domain admins,CHECK POINT\administrators

Syntax

[Server] - (Server configuration section)
Servers=Server1:9738;Server2:9738 - (Specify the server names and port number)
DefaultPort=9738 - (Specify the default port number displayed in the server installation dialog)
ServerOrder=1 - (Specifies the server mode: 1=sequential, 2=random)

[Client] - (Client configuration section)
UsersCanAdmin=0 - (Enables the client local administration mode)
EM=1 - (Enables Removable Media Manager enhanced mode disk checking: 1=enabled, 0=disabled)
EMUPGRADE=0 - (Determines whether the EM settings are modified during upgrade: 1=upgrade, 0=leave existing settings)

[Uninstall]
AllowedUsers=%COMPUTER%\Administrator,%DOMAIN%\Administrator - (If present, specifies the users that can uninstall Pointsec Protector client. %COMPUTER% denotes the current computer where the software is being installed. %DOMAIN% denotes the current domain where the software is being installed. Domain\username can also be used to specify specific domains.)
AllowedGroups=%DOMAIN%\Administrators,%DOMAIN%\domain admins,CHECK POINT\administrators - (If present, specifies the user groups that can uninstall the Pointsec Protector Client software)

Example 1

If, for example, a Pointsec Protector Client is to be installed with the following settings:
• Connecting to Server1 and Server2 on port 9738 sequentially
• Only the username Dnadministrator and the group domain admins on the installed domain can uninstall the software.

[Server]
Servers=Server1:9738;Server2:9738
DefaultPort=9738
ServerOrder=1

[Uninstall]
AllowedUsers=%DOMAIN%\Dnadministrator
AllowedGroups=%DOMAIN%\domain admins

Example 2

If, for example, a Pointsec Protector Client is to be installed with the following settings:
• Connecting to Server1 and Server2 on port 9738 randomly
• Only the username Dnadministrator and the group domain admins on the installed domain can uninstall the software. In addition, the local user Administrator and the user Administrator on the Check Point domain are permitted to uninstall.

[Server]
Servers=Server1:9738;Server2:9738
DefaultPort=9738
ServerOrder=2

[Uninstall]
AllowedUsers=%DOMAIN%\Dnadministrator,%COMPUTER%\Administrator,Check Point\Administrator
AllowedGroups=%DOMAIN%\domain admins

Example 3

If, for example, a Pointsec Protector Client is to be installed with the following settings:
• Connecting to Server1 and Server2 on port 9738 randomly
• Only the username Dnadministrator and the group domain admins on the Check Point domain can uninstall the software.
[Server]
Servers=Server1:9738;Server2:9738
DefaultPort=9738
ServerOrder=2

[Uninstall]
AllowedUsers=Check Point\Dnadministrator
AllowedGroups=Check Point\Domain administrators

Editing the Setup.iss Configuration File

The setup.iss file stores the configuration and installation options for silent InstallShield deployment running setup.exe /s. This configuration file is a standard text file and can be edited with Notepad or any other text editor.

Upgrading Pointsec Protector

The Pointsec Protector Client software automatically detects and upgrades previous versions of Reflex Disknet Pro and Pointsec Protector. When running a manual installation, if a previous version is detected the following message is displayed. Click Yes to continue.

Figure 6-17

Note - When performing a silent upgrade using Check Point Deployment Server or any other deployment mechanism, please ensure that the setup.iss file is created from a clean installation and not by performing an upgrade.

Installing Enterprise Client with Active Directory using GPOs

[Parts of this section are based on http://technet.microsoft.com/en-us/library/Bb742421.aspx © 2007 Microsoft Corporation. All rights reserved.]

Introduction

Software Installation and Maintenance for the Windows® 2000/2003 operating systems allows administrators to manage software for their organizations, including applications, service packs, and operating system upgrades. This overview explains how to use the Software Installation extension of the Group Policy Microsoft Management Console snap-in to specify policy settings for application deployment for groups of users and computers. Software Installation and Maintenance is dependent upon both Active Directory and Group Policy.
Administrators who are responsible for Software Installation and Maintenance should be familiar with both of these technologies.

Publish vs. Assign

Administrators can use Software Installation and Maintenance to either publish or assign software:
• Publish: Administrators publish applications that users may find useful, allowing users to decide whether to install the application. You can only publish to users, not computers.
• Assign: Administrators assign applications that users require to perform their jobs. Assigned applications are available on users' desktops automatically.

Publishing Pointsec Protector Enterprise Client to Computers

The Pointsec Protector Enterprise Client can be deployed using Group Policy Objects (GPO) via assignment to computers. Assign to Computers must be used because it does not require a user to install the software, and the Pointsec Protector Client setup needs administrative privileges in order to install correctly.

Limitations of installing Pointsec Protector Client using GPO
• The Default.xml profile must disable the PSG component (i.e. <DisableModules param="1" />). This is needed to enable upgrades and uninstallation of the application.
• Reflex Disknet Pro (former name) Client versions prior to 4.3 cannot be upgraded using GPO deployment.
• Pointsec Protector Client can only be upgraded using GPO if the previous version was installed by GPO. If Pointsec Protector Client was installed by means other than GPO, it must be uninstalled using other tools prior to installing an updated version via GPO.

Creating a Software Distribution Point for the Windows Installer Applications

To manage software, a software distribution point (SDP) must be created that contains the Pointsec Protector Client MSI package (.msi file), the transform file (.mst file) and all other setup files. To create the software distribution point:
1. Log on to the server as an administrator.
2. Create a shared folder which will become the software distribution point. Copy the Pointsec Protector Client installation files to this location.
3. The config.ini contains information about the client installation, including server information, which must be edited to contain the correct configuration.
4. Select Properties of the shared folder and click Permissions. In the Permissions for the shared folder, change Everyone to read-only access and grant Administrator and System full control.

Note - For computer-assigned applications, the network share needs to be accessible by the local system account. This is not the default for Windows NT 4.0 and Novell servers.

Assigning Pointsec Protector Client to a Computer

It is advisable to deploy the Pointsec Protector Client to a number of test workstations before rolling out globally. From within the Active Directory Users and Groups console, select a test Organizational Unit that contains a number of test workstations.

Note - To deploy the Pointsec Protector Client.msi package, you need to apply a Protector Client GPO.mst transform file. This transform file has been pre-configured to install the most commonly selected configuration, which installs Program Security Guard, Device Manager, Removable Media Manager and Pointsec DataScan. For further information about changing this configuration, please contact the Check Point technical support department: http://www.checkpoint.com/services/contact/

To assign Pointsec Protector Client to a computer, perform these steps:
1. Click on the Test Organizational Unit and select Properties from the context menu. In the Test Properties dialog box, click the Group Policy tab and then the Open button. On the Group Policy Objects node, right-click and select New:
Figure 6-18
2. Label the new GPO Pointsec Protector Client, or as required:
Figure 6-19
3. Right-click Pointsec Protector Client in the Group Policy Object Links list box, and click Edit. This opens the Group Policy snap-in.
4. In the Group Policy snap-in, under the Computer Configuration node, double-click Software Settings:
Figure 6-20
5. Right-click Software installation, click New, and then click Package.
Figure 6-21
6. Browse the network to the software distribution point, created earlier, that holds the Pointsec Protector Client installation files.
7. If InstallShield applications have not been deployed across the organization before, the IScript installation engine will require updating. To update the IScript engine, select Isscript8.msi and then click Open.
8. In the Deploy Software dialog box, select the Assigned option. Click OK.
9. To deploy the Pointsec Protector Client, select the Pointsec Protector Enterprise Client.msi file and then click Open.
10. In the Deploy Software dialog box, select the Advanced Published or Assigned option and click OK.
11. In the Pointsec Protector Enterprise Client Properties dialog, click the Modifications tab. Then click the Add button.
12. Select Protector Client GPO.mst and click Open. This specifies the MSI transform that is necessary for the installation. For further information about editing the Pointsec Protector Client transform, please contact the Check Point technical support department: http://www.checkpoint.com/services/contact/
13. It is advisable to select Uninstall this application when it falls out of the scope of management under the Deployment tab.
Figure 6-22
14. Click OK in the Pointsec Protector Enterprise Client Properties dialog.
15. Close the Group Policy snap-in. In the Test Properties dialog box, click Close in the Group Policy page.
16. At this point the test workstation(s) should be restarted. Pointsec Protector Client will be assigned to them after the next reboot.

Note - If the IScript engine requires updating, two reboots may be required.

Installing Pointsec Protector Client/Reflex Disknet Pro using MS SMS v2.0/2003

Pointsec Protector Client can be silently deployed using MS SMS v2.0/2003. To install Pointsec Protector Client using MS SMS v2.0/2003, perform the following steps:

Creating an Installation Package
1. Create an InstallShield installation template (setup.iss) and software installation share as detailed in the section “Creating a Template Installation for Silent Deployment” on page 143.

Note - It is important to select NO to a reboot when creating the setup.iss file.

2. Open the MS SMS Administrator console, right-click on the Packages node and select New > Package From Definition as shown below:
Figure 6-23
3. Click Next past the welcome screen:
Figure 6-24
4. Pointsec Protector is supplied with a pre-built SMS package definition file. Select Browse and locate the package definition file (Pointsec Protector.sms), which is located in the \software\Pointsec Protector folder on the installation CD-ROM.
Figure 6-25
Figure 6-26
5. Select Pointsec Protector 4 (Win 2K/XP) and click Next:
Figure 6-27
6. Select Always obtain files from a source directory and click Next:
Figure 6-28
7. Select the Check Point Protector Client share location created earlier. Please ensure this is a UNC path, then click Next to continue:
Figure 6-29
8. Click Finish to complete the installation:
Figure 6-30
9. The Pointsec Protector Client installation package should now have been created with standard settings. To view the package, select the Programs node and double-click on Install Protector. The following dialog will be displayed. From within this dialog it is possible to change the name of the package and the command line options if required.
Figure 6-31
10. Within the Requirements tab it is possible to specify the minimum specification of machine on which Pointsec Protector Client can be installed. Please configure this as required.
Figure 6-32
11. Additional environment variables can also be defined in the Environment tab.

Note - It is imperative that the Run with administrative rights radio button is selected or the installation will fail.

Figure 6-33
12. The Advanced tab allows additional criteria to be specified. It also provides the ability to run other packages prior to installing Pointsec Protector Client.
Figure 6-34

Distributing a Package

After completing the package creation wizard, Pointsec Protector Client is available for installation. To install Pointsec Protector Client:
13. Select the collection of workstations that you wish to install to, right-click and select All Tasks > Distribute Software:
Figure 6-35
14. Click Next past the welcome screen:
Figure 6-36
15. Select the Pointsec Protector Client package and click Next:
Figure 6-37
16. Select the site server(s) that the package will be deployed to and click Next:
Figure 6-38
17. Select the collection of workstations that require installation and click Next:
Figure 6-39
18. Click Next to continue:
Figure 6-40
19. Select the desired advertisement settings and click Next:
Figure 6-41
20. Select an expiration date for the advertisement and click Next:
Figure 6-42
21. Select whether to assign the advertisement. It is advisable to always assign Pointsec Protector Client packages to ensure the installation is mandatory and cannot be cancelled. Click Next to continue:
Figure 6-43
22. The final installation screen is displayed. Click Finish to complete the package distribution.
Figure 6-44

Upgrade 4.50 to 4.52+ and migrate to MS SQL Database Server

The following section describes how to upgrade Pointsec Protector Enterprise Server 4.50 to 4.52+ and migrate the database from MySQL to MS SQL Database Server. It is split into three scenarios:
• “Scenario 1: The MS SQL Database Engine (MSDE) is being installed as part of the Pointsec Protector Enterprise Server Setup” on page 163
• “Scenario 2: The MS SQL Database Server is installed separately on the same computer where Pointsec Protector Enterprise Server is being upgraded” on page 165
• “Scenario 3: MS SQL Database Server is installed separately on a remote computer” on page 167

Scenario 1: The MS SQL Database Engine (MSDE) is being installed as part of the Pointsec Protector Enterprise Server Setup

In this scenario the upgrade is straightforward; follow the Setup prompts.
1. Enter the new registration code/license number as appropriate:
Figure 6-45
2. Select the Complete setup type; the setup will install the Microsoft Database Engine (MSDE). If MS SQL Server is already installed on this computer, the setup will detect and use it automatically and MSDE will be automatically deselected.
Figure 6-46
3. Follow the standard setup prompts, and then specify the location where the setup will back up the existing MySQL database prior to starting the database migration.
Figure 6-47
4. Follow the prompts and enter the relevant information in the subsequent setup pages. The setup will then automatically install MSDE, migrate the database, uninstall the previous version of Pointsec Protector Enterprise Server and install the latest release.

Scenario 2: The MS SQL Database Server is installed separately on the same computer where Pointsec Protector Enterprise Server is being upgraded

The setup procedure is similar to the one described in Scenario 1.
Figure 6-48
1. Select the Custom setup type and ensure that Microsoft SQL Database Engine is not selected.
Figure 6-49
2. In the MS SQL Server Setup window, specify the name of the computer where Pointsec Protector Enterprise Server is being upgraded. Use the network name of the computer, not localhost.
Figure 6-50
3. Specify the location where the setup will back up the existing MySQL database prior to starting the database migration.
Figure 6-51
4. In the Specify Service Account setup page, ensure that the Protector Service Account has the “db_owner” role for the Protector database.
5. Follow the prompts and enter the relevant information in the subsequent setup pages.
The setup will then automatically migrate the database, uninstall the previous version of Pointsec Protector Enterprise Server and install the latest release.

Scenario 3: MS SQL Database Server is installed separately on a remote computer

The setup procedure is similar to the one described in Scenario 1.
1. Install the MySQL ODBC driver provided (MyODBC-3.51.11-1-win.exe) on the computer where MS SQL Server is installed.
Figure 6-52
2. Select the Custom setup type and ensure that Microsoft SQL Database Engine is not selected.
Figure 6-53
3. In the MS SQL Server Setup window, specify the network name of the computer where MS SQL Server is installed.
Figure 6-54
4. Then specify the location where the setup will back up the existing MySQL database prior to starting the database migration.
5. In the Specify Service Account setup page, ensure that the Protector Service Account has the “db_owner” role for the Protector database.
Figure 6-55
6. Follow the prompts and enter the relevant information in the subsequent setup pages. The setup will then automatically install onto the existing MS SQL server, migrate the database, uninstall previous versions of Pointsec Protector Enterprise Server and install the latest release.

Chapter 7 Encryption Policy Manager Explorer

This chapter describes how to install and use the Pointsec Protector Encryption Policy Manager (EPM).

In This Chapter
Introduction  page 171
The Requirement – No Software Installation on Target Machine  page 172
Installation  page 172
Using the Encryption Policy Manager Explorer  page 174
Drag and Drop/Copy and Paste of files  page 178
CD/DVD Encryption  page 178
Encrypting CD/DVDs  page 178
Erasing CD/DVDs  page 183

Introduction

The Pointsec Protector Encryption Policy Manager (EPM) provides unrivalled security on the use of removable media storage devices. Built using industry standard AES (FIPS approved) encryption, the Encryption Policy Manager is secure and transparent to the user. Pointsec Protector offers the ability to grant trusted users the facility to access encrypted removable media offline via password authentication. Previous versions of Pointsec Protector have allowed offline access provided that either the complete Pointsec Protector Client or the freeware version of the Encryption Policy Manager plug-in is installed on the target machine.

The Requirement – No Software Installation on Target Machine

Due to the operational requirements of many organizations and the required usage of removable media storage devices, installing client software onto third party systems to access encrypted media would not be a suitable solution. To enable transparent and authenticated access to encrypted removable media, a standalone application has been created that runs without requiring any third party software to be installed onto the target machine and without the need for local administration rights.

The Encryption Policy Manager Explorer provides the following features:
• Access to encrypted removable media devices with full read/write access, without requiring any software installation
• Enables the user to extract encrypted data into clear text on the target machine
• Provides secure 'double-click access' to open encrypted documents and then performs a secure erasure on the target machine once the document is closed. In this mode all traces of sensitive data are removed from the target workstation.

Installation

For encryption/decryption of CD/DVDs, see section “CD/DVD Encryption” on page 178.

The installation of the Encryption Policy Manager Explorer is automated and controlled from the Management Console. When offline access is permitted, unlock.exe is automatically copied to the root of the encrypted removable media device. To use the EPM Explorer, the following steps must be performed, assuming the Pointsec Protector Server and Client are already installed:
1. Ensure the Encryption Policy Manager is enabled on the server with Copy the EPM Explorer to encrypted media for offline access enabled:
Figure 7-1
2. On the Pointsec Protector client workstation, insert a clear text memory stick and complete the Encryption Import wizard, ensuring a password is selected:
Figure 7-2
The memory stick is now encrypted and secured, ready for use.
3. On inserting the encrypted memory stick into a machine not running Pointsec Protector, the following files will be displayed. The unlock.exe is automatically copied to the root of the memory stick as shown below:
Figure 7-3

Using the Encryption Policy Manager Explorer
1. To access encrypted data on the device, double-click unlock.exe (it will auto-run on most systems). Enter the security password:
Figure 7-4
2. The Encryption Policy Manager Explorer window is opened. It is now possible to view the encrypted drive contents.
Figure 7-5

There are two methods of accessing the data: extracting files to the local hard disk, and double-click secure file extraction.

• Extracting files to the local hard disk
Files and folders can be extracted from the encrypted area and saved to the local hard disk or a network drive. Select the file(s) and/or folder(s) that are to be decrypted and saved to the local hard disk, using the Ctrl and Shift keys for multiple selection. When the selection is complete, right-click and select Extract:
Figure 7-6
Select the location where the files will be extracted to:
Figure 7-7
The files are now decrypted and saved in clear text on the local workstation. On closing the EPM Explorer the user will be asked whether they wish to securely delete all of the extracted files. By clicking Yes, all of the newly extracted files will be securely deleted, leaving no traces of sensitive information:
Figure 7-8

• Double-click Secure File Extraction
By double-clicking on a selected file within the drive explorer, the EPM Explorer transparently decrypts the file to a temporary location and then automatically opens the file with the associated application. To view a file in secure mode, simply double-click on the required file:
Figure 7-9
If any changes are made to the decrypted file, the following prompt will be displayed, asking whether the encrypted file within the device should be updated. Click Yes as required.
Figure 7-10

Drag and Drop/Copy and Paste of files

Once the EPM Explorer window is unlocked, it is possible to drag-and-drop or copy-and-paste files in and out of the encrypted device.
Note - For further information and an example user guide, please see the Pointsec Protector User Guide.pdf located on the Pointsec Protector installation CD.

CD/DVD Encryption

Pointsec Protector for Windows XP and Windows Vista supports the encryption of CDs when they are burnt using the built-in CD/DVD burning software on workstations where the Pointsec Protector client and the Encryption Policy Manager are installed. In addition, Pointsec Protector for Windows Vista also supports the encryption of DVDs.

Note -
• Import is available only for RW discs and blank R/RW discs.
• Nothing can be added to or removed from a CD/DVD once it has been burnt. Such CD/DVDs can only be erased.

The process of encrypting CD/DVDs is similar to the process for encrypting other removable media, such as USB sticks, described in section “Installation” on page 172. When the user inserts a CD/DVD disc in the workstation, the standard EPM wizard starts. In the wizard the user selects which files to import to the blank disc. After the disc has been burnt and the files encrypted, it is mounted in the system as an EPM container and is accessible for reading. If offline access has been permitted, a stand-alone utility, a file called unlock.exe, has been added to the disc during the burn process. This utility allows access to the disc, with password authentication, on offline workstations and on workstations which do not have Pointsec Protector installed.

Encrypting CD/DVDs
1. Ensure the Encryption Policy Manager is enabled on the server with Copy the EPM Explorer to encrypted media for offline access enabled:
Figure 7-11
2. Insert a blank CD (or DVD, if you have Windows Vista installed) in your CD/DVD drive. The EPM wizard starts:
Figure 7-12
3. Click Next and the Media properties window opens:
Figure 7-13
4. Click Next; the Media owner information window is displayed.
Figure 7-14
5. When encrypting CD/DVDs, only the Assign this media to a user option is available. Click Next and the Password protection window is displayed.
Figure 7-15
6. Set a password to allow offline users, or users who do not have Pointsec Protector installed, to access the information on the disc. If you choose not to set a password here, the disc will only be accessible when online on the current network (or on a network with the same media ID as the current network).
7. Click Next; a window is displayed where you can add and remove the files which will be imported to and encrypted on the disc.
Figure 7-16 (toolbar buttons: Go up one step in the folder structure; Add files to be burnt on disc; Add an entire folder to be burnt on disc; Delete selected file or folder, stopping it from being added to the disc)
8. Click Next; the files will be imported and the disc will be burnt:
Figure 7-17
9. The following message will be displayed when the burning process is finished:
Figure 7-18

Erasing CD/DVDs

Once encrypted CD/DVDs have been burnt, there is no way to remove any single file from the disc. The only option is to erase all information on the disc; you do that by clicking the Erase button in the EPM.

Chapter 8 Pointsec DataScan

This chapter describes how to install and use the Pointsec DataScan module.

In This Chapter
About Pointsec DataScan  page 185
Introduction  page 186
What is New in Version 3  page 186
Installing Pointsec DataScan  page 187
Using Pointsec DataScan  page 187
Functionality  page 187
Understanding the XML Script  page 188
Pointsec DataScan’s installed files  page 192
Pointsec DataScan’s Command Line Parameters  page 193

About Pointsec DataScan

Figure 8-1
Pointsec DataScan v3.13
Copyright © Check Point Software Technologies Ltd. 1996 - 2007
Online Help v1.3. Online help written by: Check Point Software Technologies Ltd.
Operating Systems: Microsoft Windows 2000/XP
Published: November 2007
All rights reserved. This software is sold subject to license. All use of this software is subject to the terms & conditions of Check Point Software Technologies Ltd. Copyright infringement may give rise to civil and/or criminal liability.
Check Point welcomes your questions, comments and suggestions.
Check Point Software Technologies Ltd., 31-33 Priory Park Road, London NW6 7HP, United Kingdom
Tel: +44 (0)20 7372 6666  Fax: +44 (0)20 7372 2507
Email: enquiries@checkpoint.com  Web: www.checkpoint.com
Other Offices: Australia, Benelux, Canada, Italy, Middle East, South Africa, USA

Introduction

Pointsec DataScan (herein referred to as DataScan) is the new name for Check Point's data scanner, previously known as Check Point CheckDat. It differs from a virus scanner in that it will not 'pass' any file containing executable code, whereas a virus scanner will 'pass' executable files as long as they are not infected with a virus. Pointsec Protector Administrators can therefore install DataScan on their users' machines, safe in the knowledge that any media signatured after being scanned by DataScan is not only virus-free, but also free of any executable binary files or software, such as games.

What is New in Version 3

XML Data File
DataScan has a new XML data file containing the file definitions (XML is a mark-up language for documents containing structured information). The previous store for file binary information was a raw hex data file. By now using XML, the source is open and easy to understand for all who use, and may need to amend, this file to better suit their requirements. Please refer to section “Understanding the XML Script” on page 188 for further information.

Pointsec Protector Server Logging
DataScan has always had its own log file options, but the new Pointsec Protector Server module will not only generically log the results of all third party scans of media with virus scanners, it will further log the exact file(s) preventing media from being authorized when scanned. DataScan is one of these products and is provided as part of the Pointsec Protector suite.

Installing Pointsec DataScan

Pointsec DataScan cannot be installed as a standalone Check Point product; it is only offered as a sub-option of the Pointsec Protector suite.

Using Pointsec DataScan

If installed as part of the Pointsec Protector suite, Pointsec DataScan will be offered as one of the scanners by which a user can authorize media, though it will fail all executable files, not just infected ones. There are several DataScan command line options to refine your level of detection, as detailed in the section “Pointsec DataScan’s Command Line Parameters” on page 193. This gives exact details of how to call DataScan to operate as desired. A general overview of its functionality is detailed in the next section, “Functionality”.

Functionality

Unzipping ZIP Files
When enabled, ZIP files are automatically expanded and their contents examined for executable/unauthorized code. If this is not specified, any ZIP file will automatically fail a DataScan scan, as its content is then unknown. If ZIP files are investigated and found to be free of executables, they pass the scanning process, and a disk that might otherwise have failed a DataScan scan will be authorized.

MS Office Macros
DataScan can be configured to fail all macros (the default), or just viral macros, when performing a scan.

MS Outlook Files
Any MS Outlook messages that are saved to a media device can be scanned for attachments with executable code. No matter how deep the executable code is buried, DataScan will find it. For example, if someone were to attach an executable to an email, send it to themselves, save this message to their hard disk, place this message in a zip file, send that to themselves again and save it once again to hard disk, then DataScan would fail the resulting file if scanned. No matter how complicated the paper trail, DataScan will unearth the executable code.

Log File
If specified, a log file will be produced from the DataScan scan. If the scan results in a failure, the offending file(s) can be identified and appropriate action taken so that the media can be signatured and therefore authorized past the DataScan security wall. This saves the user guessing which files are preventing the disk from being authorized, and so avoids speculative file deletions and unnecessary aggravation. All activity is recorded in the Pointsec Protector Server log.

Understanding the XML Script

DataScan has a new XML data file containing the file definitions (XML is a mark-up language for documents containing structured information). The previous store for file binary information was a raw hex data file. By now using XML, the source is open and easy to understand for all who use, and may need to amend, this file to better suit their requirements.

CheckDat.XML Contains All Possible File Types
The XML file in question is CheckDat.XML. This file contains information structures for all the possible file types DataScan needs to know about and whether they can be authorized or not. Keeping this XML file separate from the main executable files allows the file types it can identify to be updated as necessary without requiring a rebuilt master binary. For this reason, the XML file is stored uncompressed in the Pointsec Protector setup suite to allow an amended copy to replace the master pre-rollout.
File Types Checked in Order

There are currently 85 distinct file types to compare against a scanned file; they are detailed in the section "The XML script" on page 190. The file types are listed in the order in which they are checked, together with whether they pass or fail a media scan. The final column contains the structure type, of which there are 11; see the section "Structure Types" on page 192 for further details. (The table that follows runs to 87 numbered entries, plus the unnumbered "Unauthorized MS Office file" case, so the figure of 85 quoted here does not match it.)

Looking at the list of file types, you can see that most of DataScan's file type detection is based on checking file signatures to determine type. The most common file types are checked first; more complex file types, specifically those with more complex structure types, are located towards the end of the XML file. The ordering is a balance for optimum performance.

Checking That a File Is Not a Disguised COM File

If DataScan has compared the scanned file against all but the last four file types without identifying it, it then ensures that the file is not a disguised COM file with the final four file type checks. If the file is still not identified after all the checks, DataScan is satisfied that the file is safe and reports it as such. Note that this is an allow-by-default decision: a file whose format is not in the list passes, so the list must cover every executable or script format you need to keep off authorized media.

Add In-house File Types

If you have an in-house file type that you want to be recognized by DataScan, you may edit CheckDat.XML accordingly; see "Structure Types" on page 192 for help and further details.

The XML script

Table 8-1: File types checked, in order

# | File type | Pass/Fail | Structure type
1. | EXE file | FAIL | 2
2. | COM file | FAIL | 2
3. | Renamed EXE file | FAIL | 1
4. | NetWare NLM | FAIL | 1
5. | PKZIP file with password protection | FAIL | 3
6. | PKZIP file with password protection (method #2) | FAIL | 3
7. | PKZIP file (the zip contents are checked and the result of the scan reflects that) | PASS/FAIL | 1
8. | HYPER file (signature #1) | FAIL | 1
9. | HYPER file (signature #2) | FAIL | 1
10. | ARC or PAK file | FAIL | 10
11. | PAK file | FAIL | 10
12. | ZOO file | FAIL | 1
13. | ARJ file | FAIL | 1
14. | RAR file | FAIL | 1
15. | Microsoft Expand file | FAIL | 1
16. | Microsoft CAB file | FAIL | 1
17. | S and S compressed file | FAIL | 1
18. | S and S NT compressed file | FAIL | 1
19. | XTREE ZIP file | FAIL | 1
20. | LHA file | FAIL | 1
21. | BAT file | FAIL | 2
22. | MS Outlook file | FAIL | 1
23. | MS Office file | PASS | 11
   | Unauthorized MS Office file | FAIL |
24. | Lotus Ami Pro file with auto-executing macros | FAIL | 5
25. | Lotus Ami Pro file | PASS | 1
26. | Lotus Symphony / Windows Icon file | PASS | 1
27. | WinWord 1.0 file | PASS | 1
28. | WinWord 2.0 file | PASS | 1
29. | WinWord 6.0 file | PASS | 1
30. | PCX v2.5 file | PASS | 1
31. | PCX v2.8 file (with palette) | PASS | 1
32. | PCX v2.8 file (without palette) | PASS | 1
33. | PCX v3.0 file | PASS | 1
34. | GEM Metafile | PASS | 1
35. | Tag Image File Format | PASS | 1
36. | PC Paint file | PASS | 1
37. | JPEG/JFIF file | PASS | 1
38. | Windows 2.0 Paint file (Sig 1) | PASS | 1
39. | Windows 2.0 Paint file (Sig 1) | PASS | 1
40. | Windows 2.0 Paint file (Sig 2) | PASS | 1
41. | Windows 2.0 Paint file (Sig 2) | PASS | 1
42. | Windows 3.x format file / OS/2 Picture file | PASS | 1
43. | OS/2 Icon file | PASS | 1
44. | OS/2 Cursor file | PASS | 1
45. | OS/2 Color Icon file | PASS | 1
46. | OS/2 Color Pointer file | PASS | 1
47. | Clipboard file | PASS | 1
48. | Windows Card file | PASS | 1
49. | Excel file (Biff 2) | PASS | 1
50. | Excel file (Biff 3) | PASS | 1
51. | Excel file (Biff 4) | PASS | 1
52. | MS-Word file (v3/4/5) | PASS | 1
53. | WordPerfect file (v5.0/5.1) | PASS | 1
54. | Interchange file format | PASS | 1
55. | Sun Raster format | PASS | 1
56. | Creative Music Format | PASS | 1
57. | Soundblaster Instrument Format | PASS | 1
58. | Soundblaster Instrument Bank format | PASS | 1
59. | MIDI file | PASS | 1
60. | Windows 3.x group file | PASS | 1
61. | Windows WAV file | PASS | 1
62. | Data Interchange Format file | PASS | 1
63. | Adobe Photoshop file | PASS | 1
64. | Lotus 123 WK3 file marker | PASS | 1
65. | Lotus 123 PIC file header | PASS | 1
66. | GIF file | PASS | 1
67. | GIF file (signature #2) | PASS | 1
68. | Windows Write program | PASS | 1
69. | Windows 3.x Calendar file | PASS | 1
70. | HTML file containing 'Object' tag(s) | FAIL | 4
71. | HTML file containing 'Script' tag(s) | FAIL | 4
72. | HTML file containing 'IFrame' tag(s) | FAIL | 4
73. | HTML file containing 'Embed' tag(s) | FAIL | 4
74. | HTML file containing 'Applet' tag(s) | FAIL | 4
75. | HTML file | PASS | 2
76. | Word 2 file with auto-executing macros | FAIL | 4
77. | Word 2 file | PASS | 1
78. | Microsoft Works file | PASS | 1
79. | VBScript | FAIL | 2
80. | Not a renamed COM file | PASS | 6
81. | Data file | PASS | 3
82. | COM file (near jump detected) | FAIL | 3
83. | COM file (3 byte jump detected) | FAIL | 7
84. | COM file (call instruction detected) | FAIL | 7
85. | COM file (INT 21h function detected) | FAIL | 8
86. | MP3 file | FAIL | 1
87. | MP3 file | FAIL | 2

Structure Types

The simplest types are '1' and '2': '1' checks the file signature and '2' checks the file extension. The remaining 9 structure types are more complex, with formulas and embedded engines working on their sometimes complex instructions. If you have in-house file types that you would like to be recognized by DataScan, Check Point can create a custom XML 'file definitions' file for you; please contact Check Point at http://www.checkpoint.com/services/contact/.

Pointsec DataScan's installed files

As part of the Pointsec Protector software suite, all the files are installed in the same install folder. Additionally, DataScan now uses XML to store its file definitions, and two XML system DLLs are installed with it.
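The ordered, first-match check described above (the file-type table, the structure types and the final disguised-COM sweep), written out as an added example for this page; it is not Check Point code and not the contents of CheckDat.XML. It also models the /NONSTOP behaviour and the ChkDat32.exe result codes documented later in this chapter (DISK_PASSED 0x22, DISK_HAS_EXES 0x44, and 0x500 plus the DLL error code). The signatures used are standard magic numbers; the byte tests for the 'Data file' and COM-file heuristics, the rule names in RULES and the sample files are my assumptions, since the page does not publish the XML definitions.

```python
"""Ordered, first-match file-type verdicts in the style of CheckDat.XML.

Added example for this guide, not Check Point code. The rule order, verdicts,
the final 'disguised COM' sweep and the ChkDat32 return codes follow this
chapter; the byte tests for the COM and 'Data file' checks are assumptions.
"""
import re
import struct
from typing import Callable, Iterable, List, Optional, Tuple

PASS, FAIL = "PASS", "FAIL"
Matcher = Callable[[bytes, str], bool]

# ChkDat32.exe return codes documented under "Pointsec DataScan's Return Codes".
DISK_PASSED, DISK_HAS_EXES, ERROR_BASE = 0x22, 0x44, 0x500
COULDNT_OPEN_FILE = 48


def sig(magic: bytes, offset: int = 0) -> Matcher:
    """Structure type 1: fixed signature at a fixed offset."""
    return lambda data, _name: data[offset:offset + len(magic)] == magic


def ext(*suffixes: str) -> Matcher:
    """Structure type 2: decision by file extension only."""
    return lambda _data, name: name.lower().endswith(suffixes)


def zip_encrypted(data: bytes, _name: str) -> bool:
    """PKZIP local header: bit 0 of the general-purpose flag (offset 6) marks encryption."""
    if data[:4] != b"PK\x03\x04" or len(data) < 8:
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x0001)


ACTIVE_TAG = re.compile(rb"<\s*(object|script|iframe|embed|applet)\b", re.IGNORECASE)


def html_with_active_tag(data: bytes, _name: str) -> bool:
    return data.lstrip()[:1] == b"<" and ACTIVE_TAG.search(data) is not None


def plain_text(data: bytes, _name: str) -> bool:
    """'Data file' (assumed test): printable ASCII and whitespace only."""
    return all(32 <= b < 127 or b in b"\t\r\n" for b in data)


# Checked top to bottom; the first matching rule decides, so cheap signature
# checks come first and the x86 COM heuristics sweep up whatever is left.
RULES: List[Tuple[str, str, Matcher]] = [
    ("EXE file", FAIL, ext(".exe")),
    ("COM file", FAIL, ext(".com")),
    ("Renamed EXE file", FAIL, sig(b"MZ")),
    ("PKZIP file with password protection", FAIL, zip_encrypted),
    ("PKZIP file", PASS, sig(b"PK\x03\x04")),   # the real scanner recurses into the archive
    ("RAR file", FAIL, sig(b"Rar!\x1a\x07")),
    ("Microsoft CAB file", FAIL, sig(b"MSCF")),
    ("BAT file", FAIL, ext(".bat")),
    ("JPEG/JFIF file", PASS, sig(b"\xff\xd8\xff")),
    ("GIF file", PASS, sig(b"GIF8")),
    ("HTML file containing active tag(s)", FAIL, html_with_active_tag),
    ("HTML file", PASS, ext(".htm", ".html")),
    ("VBScript", FAIL, ext(".vbs")),
    ("Data file", PASS, plain_text),
    # x86: E9 = JMP rel16 (3-byte near jump), EB = JMP rel8, E8 = CALL rel16, CD 21 = INT 21h
    ("COM file (jump at entry)", FAIL, lambda d, _n: d[:1] in (b"\xe9", b"\xeb")),
    ("COM file (call instruction detected)", FAIL, lambda d, _n: d[:1] == b"\xe8"),
    ("COM file (INT 21h function detected)", FAIL, lambda d, _n: b"\xcd\x21" in d[:256]),
]


def classify(data: bytes, name: str) -> Tuple[str, str]:
    """Return (file type, PASS/FAIL). Unidentified files pass, as the text above states."""
    for file_type, verdict, matches in RULES:
        if matches(data, name):
            return file_type, verdict
    return "Unidentified (treated as safe)", PASS


def scan_media(files: Iterable[Tuple[str, Optional[bytes]]], nonstop: bool = False) -> int:
    """ChkDat32-style result: DISK_PASSED, DISK_HAS_EXES, or ERROR_BASE + DLL error code.
    Without nonstop the scan stops at the first executable, as the /NONSTOP text describes."""
    verdict = DISK_PASSED
    for name, data in files:
        if data is None:                        # unreadable file: no verdict, report an error
            return ERROR_BASE + COULDNT_OPEN_FILE
        if classify(data, name)[1] == FAIL:
            verdict = DISK_HAS_EXES
            if not nonstop:
                break
    return verdict


# Constructed sample files (not real media contents).
SAMPLES = [
    ("notes.txt", b"quarterly figures\r\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.doc", b"MZ\x90\x00" + b"\x00" * 60),                          # EXE renamed as a document
    ("archive.zip", b"PK\x03\x04\x14\x00\x01\x00\x08\x00" + b"\x00" * 20),  # flag bit 0 set: encrypted
    ("readme", b"\xe9\x10\x00" + b"\x90" * 16),                            # no extension, JMP at entry
    ("page.html", b"<html><body><SCRIPT>alert(1)</SCRIPT></body></html>"),
]

if __name__ == "__main__":
    for fname, blob in SAMPLES:
        print(f"{fname:12} -> {classify(blob, fname)}")
    print("scan_media ->", hex(scan_media(SAMPLES, nonstop=True)))
```

Two things the run makes visible: report.doc fails on its MZ signature whatever its extension says, which is what the 'Renamed EXE file' rule buys you over the extension-only 'EXE file' rule before it, and the final fall-through returns PASS, so an executable format missing from the rule list is authorized. A calling script should likewise authorize only on DISK_PASSED; an error code means no verdict was reached.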
Table 8-1: Installed files

Filename | Description | Platform | Installed to
CheckDat.dll | Scanning engine | All | <Pointsec Protector file path>
ChkDat32.exe | DataScan executable | All | <Pointsec Protector file path>
Cunzip32.dll | File unzipping engine | All | <Pointsec Protector file path>
Xmlparse.dll | XML system file | All | <Pointsec Protector file path>
Xmltok.dll | XML system file | All | <Pointsec Protector file path>
CheckDat.XML | XML file types store | All | <Pointsec Protector file path>\CheckDatProfiles

Pointsec DataScan's Command Line Parameters

Pointsec DataScan's command line parameters are as follows:
• /NONSTOP: if used, DataScan does not stop at the first executable file it finds but continues the scan through the entire media.
• /UNZIP: unzips PKZIP files so that their contents are scanned.
• /VMACROS: only fails viral macros in MS Office documents. The default is to fail all macros.
• /NOHEADER: does not create a header for the local log file. The default is to create a header.
• /NOMAPI: for the MS Outlook .msg file scanning functionality to work properly, machines must have MAPI support (that is, Mapi32.dll on the machine). If you know your machine(s) do not have this file, use this parameter and DataScan will not check for its presence.
• /NEWRETURN: returns '2' instead of '0' to stop users pressing Ctrl+Alt+Del to bypass the scan process and illegally validate a disk; by default this key-press combination terminates DataScan and returns '0'. Note: this return code is strictly for communication between DataScan's scanning DLL and its calling program; you will not get a '0' return code from ChkDat32.exe. See "Pointsec DataScan's Return Codes" on page 194 for more information.
• /TIMEOUT: the default time to pause after a bad scan or a scan with errors is five seconds, which gives you time to see what the problem was.
If this is not sufficient, specify the number of seconds you wish the dialog to pause for. For example, /TIMEOUT=10 pauses for ten seconds.
• /LOG: specify a local log file path. For example: /LOG="c:\mylogfile.txt"

Pointsec DataScan's Return Codes

Owing to the calling structure of DataScan's files, the .DLL that does the actual scanning returns a precise code to its calling program, ChkDat32.exe. In most cases ChkDat32.exe in turn returns a simple "Disk passed" or "Disk has executables" code. If there were problems, however, ChkDat32.exe adds the hex value 0x500 (1280 decimal) to the actual return code from the DLL, so anything at or above this figure is an error.

ChkDat32's return codes:
34 (0x22) | DISK_PASSED
68 (0x44) | DISK_HAS_EXES
1280+ (0x500+) | ERRORS

To get the exact error, subtract 1280 from the return code; the result translates as follows.

XML data file errors:
16 | COULDNT_OPEN_XMLFILE
17 | COULDNT_READ_XMLFILE
18 | COULDNT_GET_XMLFILE_FILESIZE
19 | ERROR_SETTING_XMLFILE_PTR
20 | NOT_ALL_XMLFILE_BYTES_READ
32 | XMLFILE_CORRUPTED
33 | XML_LOAD_FAILED

File scanning errors:
48 | COULDNT_OPEN_FILE
49 | COULDNT_READ_FILE
50 | COULDNT_GET_FILE_FILESIZE
51 | ERROR_SETTING_FILE_PTR
52 | NOT_ALL_FILE_BYTES_READ

General:
256 | OUT_OF_MEMORY

Anything that calls ChkDat32.exe (for example a sheep-dip script) should authorize media only on DISK_PASSED; an error code means no verdict was reached, not that the media is clean.

Appendix A: Frequently Asked Questions

In this appendix you find the answers to the most frequently asked questions.

In This Appendix
• Where can I find out about up to date support issues and solutions? page 199
• How can I integrate Pointsec Protector Client with my anti-virus scanner? page 199
• Do Check Point offer training on Pointsec Protector? page 199
• How can I configure my client workstations to only authorize media containing data only? page 199
• How can I change the file types that Pointsec DataScan checks? page 200
• How can I authorize media that contains executable code? page 200
• How can I disable Pointsec Protector Client if my Operating System becomes corrupt? page 200
• I cannot install software with my software distribution package any more because PSG blocks it? page 200
• How can I allow my software distribution package to install software when PSG is enabled? page 201
• How can I silently install Pointsec Protector Client across my Windows Domain? page 201
• Profile changes I make on the server are not being updated on the client workstations? page 201
• How can I view the profile of the current user? page 201
• How can I assign a special profile to a user without creating a new group? page 202
• How can I set up RMM to only display an unauthorized media message and not authorize, thus forcing the user to visit a sheep dip workstation? page 203
• How can I set up a standalone 'Sheep dip' machine? page 203
• I cannot authorize media with Sophos Anti-Virus when logged in as a user? page 203
• How can I stop users downloading MP3 files from the internet and e-mail attachments? page 204
• How can I specify two or more server names in Pointsec Protector Client? page 204
• Is it possible to change the style of the Pointsec Protector Client message boxes? page 204
• Is it possible to enforce users to only have write access to encrypted removable media? page 204
• Is there a key recovery mechanism implemented into the Encryption Policy Manager? page 205
• How can I allow users to access encrypted media external to my organization without converting the device back to clear text? page 205
• How can I stop a particular user from accessing previously authorized encrypted media? page 205
• How can I stop users with local admin rights from disabling the Pointsec Protector Service? page 205
• How can I setup multiple Pointsec Protector Servers? page 206
• How can I assign machine specific settings? page 206
• How can I pre-encrypt a device for a user? page 206
• How can I assign devices to individual users only? page 208
• Is it possible to hide the Pointsec Protector system tray icon? page 208
• How can I configure it so that certain devices are enabled independent of who logs on? page 208
• How can I add my own specific devices? page 208
• Does Pointsec Protector still protect in safe mode? page 209
• Can I prevent users with local admin rights from uninstalling the Pointsec Protector Client software? page 209
• Is it possible to configure different profile settings for when a mobile user is on and off the network? page 209
• Can Pointsec Protector Server be installed onto an existing MS SQL Server database? page 209
• If I already have MSDE installed on my server, can I install Pointsec Protector Server onto the same machine? page 210
• Can I install Pointsec Protector in an audit-only mode? page 210

Where can I find out about up to date support issues and solutions?
The Check Point knowledgebase offers tried and tested solutions to the most common support queries: http://www.checkpoint.com

How can I integrate Pointsec Protector Client with my anti-virus scanner?
Pointsec Protector Client automatically detects and integrates with compatible anti-virus scanners. A database of compatible anti-virus scanners is stored in the file avirdef.cab, located in <system drive>\Program Files\Common Files\Check Point. Check Point offers frequent updates to avirdef.cab as new compatible AV scanners become available. If a particular scanner requires integration, please contact the Check Point support department for up-to-date information: http://www.checkpoint.com/services/contact/

Do Check Point offer training on Pointsec Protector?
Check Point provides a full training and installation service. For further information please contact Check Point at training@CheckPoint.com

How can I configure my client workstations to only authorize media containing data only?
Pointsec Protector Client is supplied with Pointsec DataScan.
During installation of the client software there is an option to install this component. Pointsec DataScan only authorizes data-only files; any file containing executable or active code is blocked. For further information please see "Installing Pointsec DataScan" on page 187.

How can I change the file types that Pointsec DataScan checks?
The settings for DataScan are stored in a configuration file called checkdat.xml. For further information about changing the contents of this file, please contact the Check Point support department at http://www.checkpoint.com/services/contact/

How can I authorize media that contains executable code?
If Pointsec DataScan was installed on Pointsec Protector Client workstations during installation, then by default users are unable to authorize media containing executable code. There are two methods of allowing such media to be authorized:
• The user can be permitted to select an AV scanner to authorize media. This enforces only that the files are free of known viruses, irrespective of their executable content.
• The user can bring all media containing executables to dedicated IT personnel, who can verify the media contents before authorizing.

How can I disable Pointsec Protector Client if my Operating System becomes corrupt?
It is possible to create a Pointsec Protector 'emergency access disk' which allows the system administrator to disable all Pointsec Protector Client drivers.

I cannot install software with my software distribution package any more because PSG blocks it?
Pointsec Protector includes an advanced PSG exemption mechanism. The software distribution package needs to be added to the exempt applications list; see "Program Security Guard (PSG) Tab" on page 61 for further information.

How can I allow my software distribution package to install software when PSG is enabled?
Pointsec Protector supports many of the leading software distribution packages by default. The software ships with a default list of exempt applications, which can be amended to include new applications. Please see "Program Security Guard (PSG) Tab" on page 61 for further information.

How can I silently install Pointsec Protector Client across my Windows Domain?
Pointsec Protector Client can be silently deployed using any software distribution tool, including MS SMS 2.0/2003, Altiris and Novell ZENworks, and is fully MSI compatible, enabling deployment directly from Active Directory via GPO. The preferred method for client installation is the Check Point Deployment Server.

Profile changes I make on the server are not being updated on the client workstations?
If this problem occurs, check the following:
• The profile being changed is the profile actually assigned to that group of users.
• The Pointsec Protector Enterprise Server service is running.
• The client workstation(s) are connecting to the correct Enterprise Server.
For further diagnostic tools, please contact the Check Point technical support department: http://www.checkpoint.com/services/contact/

How can I view the profile of the current user?
It is possible to view a user's profile for testing purposes by right-clicking the Pointsec Protector Client icon and selecting Options (Figure A-1). From the Options dialog, press Ctrl+Shift+F6. The user profile is displayed (Figure A-2). For further information about the Pointsec Protector Client profile, please contact the Check Point support department: http://www.checkpoint.com/services/contact/

How can I assign a special profile to a user without creating a new group?
The Users with custom profiles group is created for users that require individual profiles. To grant a user special rights, perform the following steps:
1. Select the user you wish to assign a special profile to, right-click and select Properties.
2. Edit the custom profile as required.
3. The user is automatically moved to the Users with custom profiles group.

How can I set up RMM to only display an unauthorized media message and not authorize, thus forcing the user to visit a sheep dip workstation?
To set up a Pointsec Protector Client profile without the ability to authorize media, select the Allow users the following rights (wizard mode) option with none of its sub-options selected.

How can I set up a standalone 'Sheep dip' machine?
To set up a standalone sheep dip machine, create a new profile on the Enterprise Server. Then use the Export profile template option to create an installation template. The client software can then be installed using the template profile settings.

I cannot authorize media with Sophos Anti-Virus when logged in as a user?
For further information about setting up Pointsec Protector Client software with Sophos Anti-Virus, please contact the Check Point support department: http://www.checkpoint.com/services/contact/

How can I stop users downloading MP3 files from the internet and e-mail attachments?
The Program Security Guard can be used to block the introduction of unwanted file types from any source. To add a new file type, open the Unsafe file types window by clicking the Configure file types... button in the required profile and add the new extension; see "Program Security Guard (PSG) Tab" on page 61 for further information.

How can I specify two or more server names in Pointsec Protector Client?
During installation of Pointsec Protector Client it is possible to specify two or more server names for backup and load balancing purposes. The servers can be contacted either randomly or sequentially.
The Dnver utility is also available to perform real-time server location changes after installation.

Is it possible to change the style of the Pointsec Protector Client message boxes?
It is possible to customize the Pointsec Protector Client message alert boxes to a corporate image. By placing 400x250 pixel copies of the following files in the Pointsec Protector Client installation folder you can customize the Removable Media Manager and Program Security Guard message boxes:
• Program Security Guard: psgbmp.bmp
• Removable Media Manager: rmmbmp.bmp

Is it possible to enforce users to only have write access to encrypted removable media?
Yes. Grant read-only access to the devices in Device Manager; this enforces encryption, because Device Manager has an automatic exclusion for encrypted media and does not apply read-only to encrypted devices.

Is there a key recovery mechanism implemented into the Encryption Policy Manager?
From the Pointsec Protector Enterprise Server Security tab it is possible to specify users/groups that have EPM key recovery rights. Users who have EPM key recovery rights have full access to all encrypted removable media within the current network.

How can I allow users to access encrypted media external to my organization without converting the device back to clear text?
By enabling Protect media with a password for offline mode, the device can be accessed externally via a password. For this option to operate, either a full copy of Pointsec Protector Client or the freeware version of EPM must be installed on the external workstation. Alternatively, EPM Explorer can be used to grant secure read/write access without the need to install any software.

How can I stop a particular user from accessing previously authorized encrypted media?
It is often desirable to revoke user access to encrypted media. This can be achieved by removing the user from the current group and dragging the user to the Users with custom profiles group. The user then has no access to encrypted media, as they no longer belong to the user group.

How can I stop users with local admin rights from disabling the Pointsec Protector Service?
Pointsec Protector is implemented using kernel mode filter drivers to ensure the highest level of security. In addition, the Pointsec Protector service provides customized messaging and user alerts. By default, standard users are prevented from disabling or uninstalling the Pointsec Protector client service. Even if a user with local admin rights is permitted to stop the service, security is still enforced by the kernel mode filter drivers. It is possible to audit when a user disables the Pointsec Protector client service. In addition, the Pointsec Protector Client Anti-Tamper protection can be enabled within the User Interface tab of each profile. Anti-tamper protection blocks users with local administration rights from tampering with registry keys and client system files. All attempted breaches are audited.

How can I setup multiple Pointsec Protector Servers?
For further information about configuring multiple Pointsec Protector Servers, including server replication, please contact the Check Point technical support department: http://www.checkpoint.com/services/contact/

How can I assign machine specific settings?
It is often useful to assign computer-specific permissions to defined machines where global access rights are required. This can be achieved using computer groups.

How can I pre-encrypt a device for a user?
Many organizations have a requirement to ensure that only corporate devices are issued, from a central location, and that users are unable to introduce any new devices without administrator approval.
In addition, it is required that defined administrators can pre-configure encrypted devices for users. Pointsec Protector provides the facility of pre-encrypting and assigning devices to users. To set up this scenario, complete the following:
1. Configure a user profile as required to block all unauthorized access.
2. Configure an administrator profile with Users can create media for other users selected under the Encryption tab.
3. Log on to a workstation with the Pointsec Protector client software as an administrator user.
4. During the Encryption import wizard, select the required user (Figure A-3).
5. If the user should be prompted to select their own password on first logon, leave the fields blank when asked for the offline password in the next window and click Next (Figure A-4).
6. The pre-encrypted device can now be given to the defined user. The user is prompted to select a new password on first access to the device.
Note: Encrypted removable media overrides any Device Manager settings and uses the EPM authentication system for access control.

How can I assign devices to individual users only?
Provided the Encryption Policy Manager component is used, it is possible to assign devices to individual users by selecting Only grant access to owner of the encrypted media under the required profile. For further information please see "Encryption Tab" on page 70.

Is it possible to hide the Pointsec Protector system tray icon?
The Pointsec Protector system tray icon can be either completely hidden from the user or enabled with predefined options. For further information please see "User Interface Tab" on page 49.

How can I configure it so that certain devices are enabled independent of who logs on?
Computer groups provide the ability to assign machine-based permissions.

How can I add my own specific devices?
Pointsec Protector Enterprise Server is supplied with a list of predefined device types. However, to tighten white-list security it is often required that only specific brands and models of devices are permitted. Pointsec Protector enables the system administrator to add new devices via a simple import wizard. To add a new specific device type from a Device Manager log, see "Logs" on page 113 and "Device Manager Configuration Editor" on page 27.

Does Pointsec Protector still protect in safe mode?
As Pointsec Protector Client uses kernel mode device drivers, all security is maintained even when a workstation is booted into MS Windows Safe Mode.

Can I prevent users with local admin rights from uninstalling the Pointsec Protector Client software?
Prior to installation of the Pointsec Protector Client software it is possible to configure within config.ini the users/groups that are permitted to uninstall the software. When deploying via Group Policy, the Add/Remove Programs entry is automatically removed.

Is it possible to configure different profile settings for when a mobile user is on and off the network?
The offline user/admin function enables the system administrator to define a different set of user rights for when mobile workstation(s) are disconnected from the network. This feature can be particularly useful where wireless connection is not permitted inside the organization but is permitted externally.

Can Pointsec Protector Server be installed onto an existing MS SQL Server database?
Pointsec Protector Server can be installed onto an existing MS SQL database server. Please contact the Check Point Technical Support department for further information: http://www.checkpoint.com/services/contact/

If I already have MSDE installed on my server, can I install Pointsec Protector Server onto the same machine?
Pointsec Protector Server can be installed on an existing MSDE database using a new database instance. Please contact the Check Point Technical Support department for further information: http://www.checkpoint.com/services/contact/

Can I install Pointsec Protector in an audit-only mode?
Most organizations that implement Pointsec Protector have no true picture of how prevalent device usage is within the organization. For this reason it is recommended that Pointsec Protector is initially rolled out in an audit-only mode to ascertain details about devices currently in use. This list can then be filtered to distinguish between the required devices and the unwanted devices. To enable audit-only mode, configure the relevant profiles to allow access to all devices and enable the Authorized Device Event under the Auditing tab for all profiles. This records all device access back to the Pointsec Protector Server.

Appendix B: Glossary of Terms

In This Chapter
AES encryption, Anti-Virus, Anti-Virus Definition Files (DEF Files), Authentication, COM port, .csv, Default profile, Digital signature, Drivers, Exempt Applications, Filter, Graphical User Interface (GUI), Group Synchronization, Hostname, ID, IP address, .iss, LPT port, Master Boot Record (MBR), Media authorization, Media ID, MMC, Profile template, Program Security Guard (PSG), Removable media, Service, SMS, Simple Mail Transfer Protocol (SMTP), TCP/IP, Unique ID, Universal Naming Convention (UNC), USB - Universal Serial Bus, User ID, VPN.

AES encryption: Advanced Encryption Standard, using the Rijndael block cipher. The industry standard for strong encryption.
Anti-Virus: Refers to software used for detecting computer virus infected code.

Anti-Virus Definition Files (DEF Files): These files contain the latest virus information for use with the Sherlock Anti-Virus Scanner.

Authentication: The process of verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature, or verifying the identity of a user or computer.

COM port: An interface on the computer that allows asynchronous transmission of data characters one bit at a time. Also called a communication port or com port.

.csv: The CSV (comma delimited) file format saves only the text and values as they are displayed in the columns of the active log. All rows and all characters in each entry are saved. Columns of data are separated by commas, and each row of data ends in a carriage return. If a cell contains a comma, the cell contents are enclosed in double quotation marks.

Default profile: The profile used by any user who logs on to a Pointsec Protector Client machine and is not listed within the Pointsec Protector Enterprise Server users/groups.

Digital signature: A string of code written to a removable media device to mark it as authorized. The digital signature includes a checksum of the information stored on the device, encoded with a customer ID.

Drivers: Refers to the Pointsec Protector Enterprise Client device drivers that provide the backbone of the security infrastructure.

Exempt Applications: Program Security Guard (PSG) prevents the introduction and unauthorized modification of defined file types. It is possible to build a list of applications that are exempt from PSG protection.
Filter: For Indexing Service, software that extracts content and property values from the Pointsec Protector database in order to index them.

Graphical User Interface (GUI): Refers to the Pointsec Protector user interface on the client software.

Group Synchronization: The ability to synchronize Pointsec Protector Enterprise Server user groups with groups within a Windows Domain network.

Hostname: The name of the workstation on which an event was created.

ID: A unique identifier assigned to each log entry, generated sequentially.

IP address: A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of the network ID plus a unique host ID. This address is typically represented with the decimal value of each octet separated by a period (for example, 192.168.7.27). In Windows, you can configure the IP address statically or dynamically through DHCP.

.iss: An InstallShield Silent response file used for storing silent installation configuration data.

LPT port: The input/output connector for a parallel interface device. Printers are generally plugged into a parallel port.

Master Boot Record (MBR): The first sector on a hard disk, which starts the process of booting the computer. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.

Media authorization: The ability to grant access to a removable media device. Media authorization will often require certain criteria to be met before a digital signature is written to the device.

Media ID: During authorization of removable media a unique digital signature is written to the device. This digital signature is made up of a checksum of the information and a unique Media ID generated during installation of the server software.

MMC (Microsoft Management Console): You can use MMC to create, save, and open administrative tools (called MMC consoles) that manage the hardware, software, and network components of your Windows system. MMC can be run on the various Windows operating systems. MMC does not perform administrative functions, but hosts tools that do. The primary type of tool you can add to a console is called a snap-in. Other items that you can add include ActiveX controls, links to Web pages, folders, taskpad views, and tasks. There are two general ways that you can use MMC: in user mode, working with existing MMC consoles to administer a system, or in author mode, creating new consoles or modifying existing MMC consoles. For more information about the differences between user and author mode

Profile template: A collection of Pointsec Protector Client settings that can be applied to users/groups.

Program Security Guard (PSG): Provides a fully scalable method for preventing the introduction of new, and the modification of existing, defined file types. The administrator can define the list of file types from the Pointsec Protector Enterprise Server.

Removable media: Any removable device that can be used to store and transport data/files. These devices include floppy disks, Zip drives, memory sticks, USB flash memory and digital cameras.

Service: A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level.
When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage. Some examples of services are the Security Accounts Manager service, File Replication service, and Routing and Remote Access service.

SMS (Microsoft Systems Management Server): Microsoft Systems Management Server 2.0 includes detailed hardware inventory, software inventory and metering, software distribution and installation, and remote troubleshooting tools for change and configuration management of Windows based desktop and server systems. It is built on industry-standard management protocols, ensuring compatibility with complementary management tools, and is tightly integrated with Microsoft SQL Server and the Microsoft Windows Server operating system.

Simple Mail Transfer Protocol (SMTP): The protocol that governs the exchange of electronic mail between mail servers on the Internet.

TCP/IP (Transmission Control Protocol/Internet Protocol): The most widely used network protocol suite and the basis of the Internet. Its routing capabilities provide maximum flexibility in an enterprise-wide network. In Windows XP, TCP/IP is installed automatically. On a TCP/IP network you must provide IP addresses to clients; clients may also require a naming service or a method for name resolution.
Unique ID unique ID Is the unique ID number assigned to each event. Universal Naming Convention (UNC) Universal Naming Convention UNC A convention for naming files and other resources beginning with two backslashes (\), indicating that the resource exists on a network computer. UNC names conform to the \\SERVERNAME\SHARENAME syntax, where SERVERNAME is the server's name and SHARENAME is the name of the shared resource. The UNC name of a directory or file can also include the directory path after the share name, with the following syntax: \\SERVERNAME\SHARENAME\DIRECTORY\FILENAME USB - Universal Serial Bus USB An external bus that supports Plug and Play installation. Using USB, you can connect and disconnect devices without shutting down or restarting your computer. You can use a single USB port to connect up to 127 peripheral devices, including speakers, telephones, CD-ROM drives, Appendix B Glossary of Terms 215 Glossary of Terms joysticks, tape drives, keyboards, scanners, and cameras. A USB port is usually located on the back of your computer near the serial port or parallel port. User ID user ID Details the username of the user who was logged on when an alert was generated. VPN A VPN is an extension of a private network that encompasses links across shared or public networks such as the Internet. VPN connections leverage the IP connectivity of the Internet and use a combination of tunneling and data encryption to securely connect remote clients and remote offices. 216 THIRD PARTY TRADEMARKS AND COPYRIGHTS Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. 
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group. The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001.
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. 
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission.
For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson (tjh@cryptsoft.com). Copyright (c) 2003, Itai Tzur <itzur@actcom.co.il> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop.
Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed. Trademark Notice The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600. U.S. Government Restricted Rights The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights.
The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations. Disclaimer Warranty Disclaimer THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU. Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <ph10@cam.ac.uk> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Index

A
Access automatic access to encrypted media 71 encrypted data 175 from trusted sites only 72 in offline mode 72 no access to encrypted media 71 offline and online rights 94 read-only 30, 32, 46, 204 rights 45 stop user access to authorized media 205 to all encrypted media 71 to password-protected media 72 write access only 204 Administration console installation 133 overview 13 Administrator utilities 15 AES encryption, definition 212 Alert, create new 111 Anti-tamper protection, enable 76 Anti-virus definition 212 definition files (DEF files) 212 integrate scanner with client 199 Application(s) add exempt application 65 default list of exempt applications 64 Audit(s) CD/DVD 123 create rule 56 settings for audited events 54 view for individual users 123 Audit-only mode 210 Authentication, definition 212 Authorization automatic 68 media containing data only 199 media containing executable code 200 stop access to authorized media 205

B
Blackberry RIM device(s) 48 Bluetooth 48

C
Cached profile 103 CD/DVDs audit 126 encrypt 178 erase 183 Challenge/response, see Remote Help CheckDat.xml 188 Client configurations 105 COM port, definition 212 Computer filter 108 Computer group(s) add computers to 102 create new 100 profile priority 102 Computer properties 109 Computer-specific settings 100 Config.ini edit 144 syntax 144 Connect to local or remote server 15 Contact information 2 Csv file, definition 212 Current status of workstations 106

D
Datascan see Pointsec Datascan Default profile, definition 212 Device Manager configuration editor 27 disable by user 50 overview 46 Device(s) add a specific device 30 add new class 28 add new ID 30 default list of 47 enable for specific users 208 GUID 29, 31 pre-encrypt for user 206 Digital camera(s) 48 Digital signature, definition 212 Disable client drivers 200 DNP format 81 Driver(s) definition 212 disable on client 200

E
Emergency access disk 200 Encryption access encrypted device 174 CD/DVDs 178 removable media 172 Encryption Policy Manager Explorer installation 172 using 174 EPM key recovery 20 EPM site identification 33 Erase CD/DVDs 183 Event(s) audited, settings for 54 information 52 Exempt application(s) add new 65 definition 213 Internet Explorer trusted sites 61 Export log 116 media ID 17 profile template 80 site ID 33 Expreset.ini 64 back up 26 import new 27 restore 27 External access 72 External hard drive 48

F
File type(s) add new for PSG protection 63 configure 62 define unauthorized 63 remove from PSG protection 63 Filter configure 108 create 108 definition 213 log 116 predefined for removable media log 120 Floppy drive(s) 48 Force profile, see Reload profile

G
Glossary 211 Graphical User Interface definition 213 Group(s) create new 87 create new computer group 100 create synchronized to domain group 91 synchronization period 99 synchronization order 97 synchronization settings 97 synchronization, definition 213

H
Hard drive(s), external 48 Hostname, definition 213

I
ID definition 213 media ID, export 17 media ID, import 17 site ID, import 34 Import media ID 17 site ID 34 Infrared port(s) (IrDA) 48 Installation administration console 133 client with active directory using GPOs 148 assign clients 150 create software distribution point 149 public or assign 148 publish clients 149 client, manual 137 create template for silent deployment 143 Encryption Policy Manager Explorer 172 Pointsec Datascan 187 server 133 silent network 143 using MS SMS 153 distribute package 158 Internet Explorer trusted sites 61 IP address, definition 213 Iss file, definition 213

K
Key recovery, see EMP key recovery

L
Language, changing 9 License(s) add new 25 handling, overview 9 Media encryption 104 Port management 104 Log archival 117 archival, removable media 124 export 116 filter 116 Pointsec Datascan 188 removable media log 118 synchronization 77 LPT port, definition 213

M
Machine-specific settings 100 Manual installation 137 Master Boot Record (MBR), definition 213 Media authorization automatic 68 definition 214 revocation 23 Media encryption license 104 Media ID definition 214 export 17 import 17 Message box, change style 204 Migration, from MySQL to SQL database server 163 MMC, definition 214 Mode audit-only 210 enhanced 17 offline 72 safe mode 209 Modem(s) 48 MP3 stop users from downloading 204 MS SMS create installation package 153 distribute package 158 MS SQL Database Engine 210 MS SQL database server 163 MySQL 163

O
Offline access 72 different profile for online/offline users 209 mode 72 profile 103 Operating system, corrupt 200 Optical device(s), see CD/DVDs

P
Parameters, Pointsec Datascan 193 Password(s) attempts 74 constraints 73 recovery 77 PCMCIA memory 48 Pointsec Datascan 185 add in-house file types 189 CheckDat.xml 188 command line parameters 193 installation 187 installed files 192 log file 188 MS Office macros 187 MS Outlook files 188 scan order 188 structure types 192 unzip ZIP files 187 using 187 XML data file 186 XML script 188, 190 Port management, license 104 Ports COM 49, 212 IrDA 48 LPT 49, 213 Predefined filters 120 Pre-encrypt device 206 Printer(s) 48 Profile template(s) Advanced tab 76 Auditing tab 51 create new 44 default 85 definition 214 Device manager tab 45 Encryption tab 70 export 80 export, type of 81 General tab 45 Program Security Guard tab 61 Removable media manager tab 67 Security tab 80 User interface tab 49 Profile(s) apply to specific user only 202 cached 103 changes not reflected on workstations 201 custom 93 different profiles for online/offline 209 expiration date 82 offline 103 reload 77, 107 update on clients view profile of current user 201 Program Security Guard definition 214 disable by user 50 PSG, see Program Security Guard Publish client to computers 149

R
Read-only access 30, 32, 46, 204 Registration code see License(s) Reload profile 77, 107 Remote Help 20 see also EPM key recovery see also SmartCenter for Pointsec - webRH Removable media add new event 56 definition 214 encrypt 172 log all events 56 stop access to authorized media 205 view encrypted files 175 Removable media log archival 124 overview 118 predefined filters 120 Removable Media Manager disable by user 50 overview 17 Report(s) create 127 schedule 130 RMM, see Removable Media Manager

S
Safe mode 209 Serial port(s) (COM) 48 Server installation 133 Server properties Applications tab 26 Console settings tab 41 E-mail Configuration tab 40 General tab 22 licensing information 24 media revocation 23 Security tab 36 Advanced permissions tab 38 Basic permissions tab 37 Server key tab 41 version information 22 Server(s) name, multiple 204 Service, definition 214 Setup.iss, edit 147 Sheep dip workstation force user to visit 203 set up standalone 203 Simple Mail Transfer Protocol (SMTP), definition 215 Site ID export 33 import 34 Smart card reader(s) 48 SmartCenter for Pointsec webRH 20, 77 SMS, definition 215 Software distribution package, blocked by PSG 200 Software distribution point, create 149 SQL Database Engine, see MS SQL Database Engine (MSDE) SQL database server, see MS SQL database server Status of workstations 106 Still image device(s) 48 Support 2 Synchronization between groups, period 99 client log 77 group order 97 group settings 97 Protector group with domain group 90 System requirements client 10 server 10 System tray icon, hide 50 System utilities 17

T
Tape drive(s) 48 TCP/IP, definition 215 Training 199 Trusted site ID add 35 remove 35 Trusted sites, see EPM site identification

U
Uninstallation, prevent users from 209 Unique ID, definition 215 Universal Naming Convention (UNC), definition 215 Unlock.exe 174 Upgrade 4.50 to 4.52+ and migrate to SQL database server 163 Pointsec Protector 148 USB drive(s) 47 see also Removable media USB, definition 215 User(s) add to group 93 add users from domain group 90 belonging to more than one group 97 create new 87 custom profile 93 group membership 99 ID, definition 216 offline 94 User/group configuration 87 Utilities administrator 15 system 17

V
Version information 22 VPN, definition 216

W
WiFi, see Wireless Network Adapters Windows CE Portable Device(s) 48 Windows installer applications 149 Windows Portable Device(s) 48 Wireless Network Adapters (WiFi) 49 Write access 204

X
XML format 81 XML script 188