Staying out of the Front Page Headlines Using NEPS Lab

Transcription

1 Staying out of the Front Page Headlines Using NEPS Lab ZEN04 Novell Training Services ATT LIVE 2012 LAS VEGAS

2 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page ( for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals. Copyright 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page ( and one or more additional patents or pending patent applications in the U.S. and in other countries. Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA U.S.A. Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page ( Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list ( Third-Party Materials All third-party trademarks are the property of their respective owners. 2

3 Contents SECTION 1 Setup your Virtual Lab Environment 3 Exercise 1-1 SECTION 2 Exercise 2-1 Exercise 2-2 SECTION 3 Exercise 3-1 Exercise 3-2 Configuring Your Virtual Environment Task I: Configure VMware Workstation to Work with the FDE PBA Task II: Launching Your VMs Task III: Configure the Win7-Client VM Working with Configuration and Security Locations in ZCM Configure and Test Configuration Locations Setting up Security Locations in ZCM Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies27 Managing Thumb Drives with the USB Connectivity Policy Implementing Encryption on Removable Devices SECTION 4 Implementing FDE Using the PBA Dialog 41 Exercise 4-1 Implementing Software-based FDE Using PBA Task I: Accessing User Data Without Authenticating to Windows Task II: Configuring FDE Policy for Software-based FDE Using the Pre-boot Authentication (PBA) Dialog Task III: Verifying Encryption of User Data

4 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 2

5 Setup your Virtual Lab Environment SECTION 1 Setup your Virtual Lab Environment During this exercise you will configure VMware Workstation cursor and mouse behavior that best suites the FDE Pre-boot Authentication (PBA) Dialog. You will also configure an additional drive on the Win7-Client VM to be used in the FDE lab. 3

6 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 1-1 Configuring Your Virtual Environment Before you can configure and implement FDE Policies you need to complete some configuration activities for your Virtual Machines (VMs). In this lab you will do some minor configuration of VMware Workstation and launch all your VMs. You ll perform the following tasks in this exercise: Task I: Configure VMware Workstation to Work with the FDE PBA on page 4 Task II: Launching Your VMs on page 6 Task III: Configure the Win7-Client VM. on page 7 IMPORTANT: Check with your instructor regarding the step from which you should begin doing this lab. Some of these steps may have already been completed for you during classroom setup. Task I: Configure VMware Workstation to Work with the FDE PBA There are known issues when working with the Full-Disk Encryption Pre-boot Authentication Dialog in a VM. You need to set the VMware input preferences in order for the VM not to freeze up when moving the mouse in the PBA dialog. You will also check the IP Configuration of VMnet9 in VMware Workstation. This is required for the Win2K3-Router VM that does routing between two virtual networks. Follow the steps listed below to ensure that VMware Workstation is configured properly to work with the PBA and that VMNet9 is configured for routing: 1. From the VMware Workstation Main Menu click Edit > Preferences This will display the Preferences Dialog. 2. Click the Input tab. 3. Under the Keyboard and mouse heading make sure that: Grab keyboard and mouse input on mouse click is checked Grab keyboard and mouse input on key press is checked 4. Under the Cursor heading make sure that: Ungrab when cursor leaves window is checked Hide cursor on ungrab is checked Grab when cursor enters window is unchecked. 5. For Optimize mouse for games click the drop-down and select Always. Your Preferences Dialog should appear like that shown in Figure 1-1 on page 5. 4

7 Setup your Virtual Lab Environment Figure 1-1 VMware Keyboard and Mouse Settings 6. From the VMware Workstation Main Menu click Edit > Virtual Network Editor This will display the Virtual Network Editor Dialog. 7. Select VMnet9 8. Make sure that Host-only (connect VMs internally in a private network) is selected. 9. In the Subnet IP field type In the Subnet mask field type Your Virtual Network Editor Dialog should appear like that shown in Figure 1-2 on page 6. 5

8 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Figure 1-2 VMware Virtual Network Editor 11. Click OK. Task II: Launching Your VMs First you will launch your Virtual Machines (VMs) using the required snapshots. Use Table 1-1 on page 6 in this procedure to properly launch your VMs. Table 1-1 Class VMs and Snapshots Ord. VM Name VMX File Snapshot 1 SLES bit c:\vms\zcm11-zesm-intro\sles bit\SLES bit.vmx Updated-to- ZCM Win2K3-Router c:\vms\zcm11-zesm-intro\win2k3- Router\Win2K3-Router.vmx 3 Win7-Client c:\vms\zcm11-zesm-intro\win7-client\win7- Client.vmx 4 XP-Client c:\vms\zcm11-zesm-intro\xp-client\xp- Client.vmx Updated-to- ZCM11.2 Sysprep Client in ZCM 11.2 Zone For each of the VMs listed above complete the following: 1. From the VMware Menu Bar click File > Open. 6

9 Setup your Virtual Lab Environment 2. Browse to and select the vmx file from the table above. Click Open. 3. From the VMware Menu Bar click VM > Snapshot > <Name of snapshot from table above>. 4. On the VMware Workstation dialog click Yes. 5. Under the Commands heading click Power on this virtual machine. (You can also use the VMware Menu Bar by clicking VM > Power > Power On.) IMPORTANT: When you power up your Win7-Client VM it will go through the Windows Setup process. This process will configure the VM for use. 6. Authenticate into the VM you just started using the credentials for the VM shown in Table 1-2 on page 7 below. When you authenticate locally on the XP-Client the ZCM Authentication Dialog will be displayed. Click Cancel.: TIP: Click into a VM to give it focus. This means that the VM has control of the host s keyboard and mouse. Press the Ctrl-Alt keys to release focus so that you can move to another VM. To authenticate into a Windows VM, click into the VM to give it focus and type Ctrl-Alt- Ins. Table 1-2 VM Login Credentials VM Name Username Password SLES bit geeko n0v3ll Win2K3-Routerr administrator n0v3ll XP-Client administrator n0v3ll Win7-Client AUser n0v3ll Task III: Configure the Win7-Client VM. You will need to get the Win7-Client VM registered in the zone. You will create a small 4GB second formatted drive to be used for encryption purposes in the following labs. Use the following procedure to format the second drive on the Win7- Client VM and create snapshots for VMs named Win7-Registered: 1. Give you Win7-Client VM focus. If you haven t already logged into Windows, authenticate to Windows 7 as AUser with a password of n0v3ll 2. Launch Windows Explorer using the icon in the Quick Launch Tray. 3. In the left pane of Windows Explorer right-click Computer and select Manage. After a minute you should see the Computer Management screen shown in Figure 1-3 on page 8. 7

10 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Figure 1-3Computer Management 4. In the left pane select Disk Management under the Storage Heading. The Initialize Disk dialog should be displayed. 5. Click OK. 6. Right-click on the bar for the 4 GB Unallocated Disk 1 and select New Simple Volume. The New Simple Volume Wizard dialog will be displayed. 7. Click Next. 8. On the Specify Volume Size dialog click Next. 9. On the Assign Drive Letter or Path dialog and click Next. The Format Partition dialog should be displayed. 10. In the Volume label field type UserData as depicted in Figure 1-4 on page 9 and click Next. 8

11 Setup your Virtual Lab Environment Figure 1-4Computer Management - Format Partition 11. Click Finish 12. When the E: (UserData) drive is formatted, exit the AutoPlay dialog and exit the Computer Management utility. The E: drive is only 4GB in size and so will encrypt faster than the system volume. You ll be applying FDE Policies that only encrypt this drive. 13. Exit Windows Explorer. (End of Exercise) 9

12 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 10

13 Working with Configuration and Security Locations in ZCM 11.2 SECTION 2 Working with Configuration and Security Locations in ZCM 11.2 In this section of exercises you will implement Configuration and Security Locations within the ZCM 11.2 zone. The impact on the managed device as it moves from one network to another will be reflected in a change in the device s location status. In order to implement ZENworks Endpoint Security Management (ZESM) policies in ZENworks Configuration Management you must configure and assign Security Locations. However before Security Locations can be configured you must configure Configuration Locations. Configuration Locations can be used as system requirements for ZCM policies and bundles. But only Security Locations can be used for the enforcement of ZESM policies. Security Locations are Configuration Locations that have been designated to also be Security Locations by being specified in a Location Assignment Policy. The Location Assignment Policy is a ZESM Policy that specifies what Configuration Locations are to be also used for the enforcement of ZESM policies by being Security Locations as well. In this exercise you will create Configurations Locations and move your workstation VM from one virtual network to another and see the change in Configuration Location. After creating Configuration Locations you will configure Security Locations by the creation and assignment of a Location Assignment Policy. This Location Assignment Policy will designate which Configuration Locations should also be used for ZESM policy enforcement as Security Locations. 11

14 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 2-1 Configure and Test Configuration Locations During this exercise you will create both a HQ-Config and a Branch-Config Configuration Location for the Digital Airlines environment. The HQ-Net1 and HQ-Net2 Network Environments will be assigned to the HQ- Config Configuration Location. And the BR-Net1 Network Environment will be assigned to the Branch-Config Configuration Location. These Configuration Locations will be configured to ensure that whether a managed device is on the Headquarters network ( /16) or the Branch network ( /16), it will attempt get its services from the nearest Primary or Satellite first. Task I: Configure the HQ-Net1, HQ-Net2, and BR-Net1 Network Environments 1. Give your SLES bit VM focus. 2. If necessary, launch the ZCC and authenticate to the zone as administrator with a password of n0v3ll 3. In the upper left pane of the ZCC, click Configuration. 4. Scroll to the right and click the Locations Tab. 5. Create the HQ-Net1 Network Environment that will be assigned later to the HQ- Config Configuration Location: a. Under the Network Environments heading click New. The Step 1: Define Details screen is displayed. b. In the Network Environment Name field type HQ-Net1 and click Next. The Step 2: Network Environment Details screen is displayed. c. Notice that the Gateways tab is highlighted by default. Click Add. The Add Gateway dialog should be displayed. d. In the IP Address field type and check the box for Match Required. Click OK. This is shown in Figure 2-1 on page 12. Figure 2-1Defining Gateway Criteria in Network Environment e. Click the DNS Servers Tab; click Add. f. In the IP Address field type

15 Working with Configuration and Security Locations in ZCM 11.2 Do not require a match here. Click OK. g. Click the DHCP Servers Tab; click Add. h. In the IP Address field type Do not require a match here. Click OK. i. Click the Client IP Address Tab; click Add. j. In the IP Address field type /16 Check the box for Match Required This is shown in Figure 2-2 on page 13. Figure 2-2Defining Client IP Address in Network Environment Click OK. k. Change the value in the Minimum Match field to 3. This means that to be considered to be in this Network Environment the device must be assigned a gateway address of and the device must be on the /16 network and have either a DNS Server address or DHCP Server address of l. Click Next. The Step 3: Summary screen should be displayed now. m. Scroll down and click Finish. 6. Using the steps shown in Step 5 on page 12 as your guide, create another Network Environment with the following configuration: Network Environment Name: HQ-Net2 Gateway: IP Address with Match Required. 13

16 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Client IP Address: Equal to /16, Assignment either Static or DHCP and Match Required. Minimum Match: 2 7. Using the steps shown in Step 5 on page 12 as your guide, create another Network Environment with the following configuration: Network Environment Name: BR-Net1 Gateway: IP Address with no Match Required. DNS Servers: IP Addresses: and and no Match Required Client IP Address: Equal to /16, Assignment either Static or DHCP and Match Required. Minimum Match: 2 Task II: Configure the HQ-Config and Branch-Config Configuration Locations 1. In the ZCC, under the Locations heading (on the Locations Tab) click New. 2. In the Location Name field type HQ-Config and click Next. The Step 2: Assign Network Environments screen is displayed. 3. Select Assign existing Network Environments to the Location and click Add. The Select Network Environments dialog shown in Figure 2-3 on page 14 is displayed. Figure 2-3Select Network Environments Dialog 4. Select both the HQ-Net1 and HQ-Net2 Network Environments by clicking and using Ctrl-Click. 5. Click the Greater Than (>) icon to move HQ-Net1 and HQ-Net2 to the Selected List pane. Click OK. 6. Click Next. The Step 3: Summary screen should now be shown. 14

17 Working with Configuration and Security Locations in ZCM Click Finish. 8. Create another Location named Branch-Config using steps Step 1 on page 14 through Step 7 on page 15 as your guide that has the following configuration: Location Name: Branch-Config Assigned Network Environments: BR-Net1 9. Now you need to configure the Closet Server information for each of these new Configuration Locations. Under the Locations heading, click the link for HQ-Config. 10. Click the Servers tab. The screen depicted in Figure 2-4 on page 15 is displayed. Figure 2-4Servers Tab in Network Environment Definition 11. Check the box for Exclude the Closest Server Default Rule. 12. Under the Collection Servers heading click Add. 13. Click the blue down-arrow to the left of the Devices folder. 14. Click the blue down-arrow to the left of the Servers folder. 15. Click the link for sles1164b. 16. Click the blue down-arrow to the left of the Satellites folder. 17. Click the link for win2k3-rtr and click OK. 18. Use Step 12 on page 15 through Step 17 on page 15 as your guide to configure the Content Servers and Authentication Servers the same as in the Collection Servers. 19. Configure the Configuration Servers so that the sles1164b server is listed. 15

18 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab NOTE: Only Primary Servers can be selected as Configuration Servers. Your configuration for the HQ-Config Configuration Location should appear as that shown in Figure 2-5 on page 16. Figure 2-5HQ-Config Configuration Location Be sure to click the Apply button before leaving the Servers tab. 20. Click the Locations link at the top of the screen above the Servers tab. 21. Click the link for Branch-Config. 22. Configure the Branch-Config Configuration Location as follows: Exclude the Closest Server Default Rule Configure Collection Servers in this order: 1. /Devices/Servers/Satellites/win2k3-rtr 2. /Devices/Servers/sles1164b Configure Content Servers in this order: 1. /Devices/Servers/Satellites/win2k3-rtr 2. /Devices/Servers/sles1164b Configure Configuration Servers in this order: 1. /Devices/Servers/sles1164b 16

19 Working with Configuration and Security Locations in ZCM 11.2 Configure Authentication Servers in this order: 1. /Devices/Servers/sles1164b 2. /Devices/Servers/Satellites/win2k3-rtr This is shown in <NEPSv2-01> Figure 2-6 on page 17. Be sure to click the Apply button to save your work. Figure 2-6Branch-Config Configuration Location Task III: Demonstrate Impact of Configuration Locations 1. Give your Win7-Client VM focus. 2. Right-click on the ZAA Icon and select Refresh. You should see an information bubble appear over the ZAA Icon stating that the Configuration Location has changed to HQ-Config. 3. After the refresh completes, right-click the ZAA Icon again and select Show Properties. You ll see under the ZENworks Adaptive Agent Properties heading that the Configuration Location is shown as HQ-Config. 4. Now you ll see how the Configuration Location will change when the Win7- Client VM is attached to a different Virtual Network. a. From VMware Workstation s menu select VM > Settings The Virtual Machine Settings dialog is displayed. b. Select Network Adapter under the Device heading in the left pane. c. In the right pane click the drop-down under Custom: Specific virtual network and select VMnet9. 17

20 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab d. Click OK. In a few moments you should see the screen depicted in Figure 2-7 on page 18. Figure 2-7 Detecting Configuration Location Change to Branch-Config You ll note that the endpoint s Configuration Location has been automatically changed to the Branch-Config location. e. On the Windows Set Network Location dialog select Work network f. Click Close. 5. Right-click the ZAA Icon and select Show Properties. Note that the Configuration Location is shown as Branch-Config. 6. Click the Servers link in the left pane. Note that the Closest Servers for devices detected to be in the Branch-Config Configuration Location has changed. The order of the Closest Servers reflect the satellite server that is physically closest to the endpoints in the Branch-Config Location. This is shown in <NEPSv2-02> Figure 2-8 on page

21 Working with Configuration and Security Locations in ZCM 11.2 Figure 2-8 Closest Servers for Branch-Config Configuration Location TIP: If you don t see the above change in the Closest Servers refresh the ZAA again and click the Refresh Page link in the upper right corner. WARNING: It can take up to 10 minutes before the ZAA on the endpoint VM reports the changes in its Servers order. If the ZAA GUI shows a Configuration Location (shown on the Agent link) of Branch-Config but the closest servers haven t changed, wait a few minutes and then see if the closest servers change. 7. Close the ZAA GUI. 8. Reset the Network Adapter for the Win7-Client VM back to VMnet5 (Hostonly). (End of Exercise) 19

22 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 2-2 Setting up Security Locations in ZCM 11.2 Having configured and applied Configuration Locations for the Digital Airlines environment you are now going to configure Security Locations. Security Locations have the following characteristics: are only used for the enforcement of ESM Policies can use the same or different Network Environment definitions created for Configuration Locations only exist if a Location Assignment Policy is enforced on the device. In this exercise you will define: Location Assignment Policy that will define and configure the following - HQ-Config Security Location BR-Config Security Location Unknown Security Location and set the Location Assignment Policy to be a Global policy (zone-wide) Task I: Create and configure a Global Location Assignment Policy for Digital Airlines. 1. Give your SLES bit VM focus. 2. In the upper left pane of the ZCC click Policies. 3. Click New > Policy The Step 1: Select Platform screen is displayed. 4. Select Windows and click Next. The Step 2: Select Policy Category screen is displayed. 5. Select Windows Endpoint Security Policies and click Next. The Step 3: Select Policy type screen should be displayed. 6. Select Location Assignment Policy and click Next. 7. In the Policy Name field type Global-Loc-Assign-Policy and click Next. The Step 5: Configure Allowed Locations screen is shown. 8. Click Add. 9. On the Select Locations dialog click the links for Branch-Config and HQ- Config and click OK. 10. On the Step 5: Configure Allowed Locations screen check the box to the left of the HQ-Config and click Edit. The Location Settings dialog will appear. 11. Configure the Locations Settings dialog for the HQ-Config Location as follows: Allow Manual Change: Yes 20

23 Working with Configuration and Security Locations in ZCM 11.2 Show Location in Agent List: Yes Use location message: Check the box. Title of Message Window: Security Location Dialog Body: Welcome to DA Headquarters. 12. Using Step 10 on page 20 and Step 11 on page 20 as your guide configure the Branch-Config Location as follows: Allow Manual Change: Yes Show Location in Agent List: Yes Use location message: Check the box. Title of Message Window: Security Location Dialog Body: Welcome to the DA Branch Office. 13. Using Step 10 on page 20 and Step 11 on page 20 as your guide configure the Unknown Location as follows: Allow Manual Change: Yes Show Location in Agent List: Yes Use location message: Check the box. Title of Message Window: Security Location Dialog Body: Your machine is in an UNKNOWN security location. 14. Your Step 5: Configure Allowed Locations screen should appear as that shown in Figure 2-9 on page 21. Figure 2-9Configuring Allowed Locations Click Next. 15. On the Step 6: Summary screen click Finish. 16. Assign your Location Assignment Policy to the DA-ZCM11-ZONE. a. In the upper left pane of the ZCC, click Configuration. 21

24 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab b. Under the Management Zone Settings heading, expand the Endpoint Security Management snapshot. c. Click the link for Zone Policy Settings. d. Click Add. e. Select the link for your Global-Loc-Assign-Policy and click OK. f. Click OK Task II: Test your Location Assignment Policy 1. Give your Win7-Client VM focus. 2. Right-click the ZAA Icon and select Security Location. You will see Security Location information like that depicted in Figure 2-10 on page 22. Figure 2-10Security Location without Location Assignment Policy 3. Refresh the ZAA. You should see the dialog indicating the enforcement of your global Location Assignment Policy as depicted in Figure 2-11 on page

25 Working with Configuration and Security Locations in ZCM 11.2 Figure 2-11Location Assignment Policy Enforced 4. On the Security Location Dialog click OK. 5. You should also note that if you right-click on the ZAA icon and select Security Location that you can manually change to any of the three Security Locations configured in your global Location Assignment Policy. Task III: Create and configure a Global Security Settings Policy for Digital Airlines. In this task you will create a global Security Settings Policy that establishes an uninstall password for the ESM components of the ZAA, creates a ESM Override Password. 1. Give your SLES bit VM focus. 2. In the upper left pane of the ZCC click Policies. 3. Click New > Policy. 4. Select Windows > Next. 5. Select Windows Endpoint Security Policies and click Next. 6. On the Step 3: Select Policy Type screen select Security Settings Policy and click Next. 7. In the Policy Name field type Global-Sec-Settings-Policy and click Next. 23

26 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 8. On the Step 5: Configure Security Settings screen make the following configuration changes: Enable Client Self Defense for Endpoint Security Agent: Yes Enable Uninstall Password for Endpoint Security Agent: Yes 1. Click the blue Change link to the right of the Password field. 2. Type remove-esm in both password fields. 3. Click OK. Enable Password Override for Endpoint Security Agent: Yes 1. Click the blue Change link to the right of the Password field. 2. Type override-esm in both password fields. 3. Click OK. Click Next. 9. On the Step 6: Summary screen click Finish. 10. Use Step 16 on page 21 as your guide for assigning the Global-Sec-Settings- Policy to the DA-ZCM11-ZONE. Task IV: Test Your Global Security Settings Policy for Digital Airlines. 1. Give your XP-Client VM focus. 2. Right-click the ZAA icon and select Show Properties. 3. In the left pane of the ZAA GUI click Endpoint Security. 4. Under the Endpoint Security Agent Actions heading click the About link. You ll note that on the ZESM About Box dialog there are only two buttons available, Diagnostics and OK. 5. Close the ZESM About Box and ZAA GUI; then refresh the ZAA. 6. Right-click the ZAA icon and select Show Properties. 7. In the left pane of the ZAA GUI click Endpoint Security. 8. Under the Endpoint Security Agent Actions heading click the About link. Now you should see four Administrator buttons - Override Policy View Policy, Agent Status, and Settings. This proves that your global Security Settings Policy has been enforced. 9. Click the View Policy button. The ZESM Override Password dialog is displayed. 10. Type override-esm in the password field and click OK. 11. Feel free to peruse the various drop-downs and tabs on this ZESM View Policy dialog. When done, click Close. 12. On the ZESM About Box dialog click OK. 24

27 Working with Configuration and Security Locations in ZCM Exit the ZAA GUI dialog. 14. Give your Win7-Client VM focus and refresh the ZAA. This will enforce the global Security Settings Policy on your Windows 7 VM. (End of Exercise) 25

28 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 26

29 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies SECTION 3 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies Scenario: Digital Airlines needs to ensure that any thumb drives that users insert into their machines at the Corporate Headquarters location has been approved by IT Security. Digital Airlines has both systems and applications that are regarded as absolutely mission critical. These must be protected from users uploading harmful data or programs (either intentionally or accidently) from unapproved removable devices attached to their machines. As the NEPS Administrator you have been asked by Digital Airlines IT Management to implement controls over thumb drives that are plugged into any device detected to be in the HQ-Config Security Location. The IT Security department wants to ensure that only those thumb drives that have been specifically approved by them can be plugged into a device only when that device is detected to be in the HQ-Config Security Location. You have also been asked to implement the ZESM Policies necessary to encrypt important business data on thumb drives used on Digital Airlines managed endpoints. You will be executing the following using ZESM Policies available in Novell Endpoint Protection Suite. Each exercise will have multiple tasks. 1. Managing Thumb Drives with the USB Connectivity Policy on page Implementing Encryption on Removable Devices on page 36 27

30 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 3-1 Managing Thumb Drives with the USB Connectivity Policy In this exercise you will use the Device Scanner to generate an XML document of allowed USB Devices. This XML document will be imported in a USB Connectivity Policy that is based on the HQ-Config Security Location. When user s devices are in that Security Location they will be only able to use approved thumb drives. However if their device is shifted to another Security Location the user will not be able to use their approved thumb drives. Task I: Configure a Global USB Connectivity Policy to Disable the use of USB Drives In this task you will create a USB Connectivity Policy and make it global in scope. The purpose of this particular ZESM policy is to disable the use of all USB devices that the user attaches to a Digital Airlines ZCM managed device. Later you will create another USB Connectivity Policy that will allow USB devices to be plugged into endpoints so long as that USB drive has been approved by the IT Department and the endpoint is located in the Digital Airlines Headquarters Location. (This is the HQ-Config Security Location you created previously.) Complete the following steps to set up your Global USB Connectivity Policy: 1. Give your XP-Client VM focus 2. Launch Internet Explorer. 3. If you see the Set Up Windows Internet Explorer 8 dialog click Ask me later. 4. Enter the following URL into IE s address field to access the ZCC: 5. If prompted, click Continue to this website (not recommended). 6. Authenticate to the zone as administrator with a password of n0v3ll On the License Notification dialog click OK. 7. In the upper left pane of the ZCC click Policies 8. Click New > Policy 9. On the Step 1: Select Platform screen select Windows and click Next. 10. On the Step 2: Select Policy Category screen select Windows Endpoint Security Policies and click Next. 11. Select USB Connectivity Policy and click Next. The Step 4: Define Details screen is displayed. 12. In the Policy Name field type Global-USB-DA-Policy and click Next. 13. On the Step 5: Configure Inheritance and Location Assignments screen click Next. 28

31 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies 14. Under the Device Group Access Settings heading click the drop-down for Mass Storage Class and select Disable. 15. Click Next. The Step 7: Summary screen is displayed. 16. Scroll down and click Finish. 17. Click Configuration in the upper left pane of the ZCC. 18. Expand the Endpoint Security Management snapshot. 19. Click the link for Zone Policy Settings. 20. Click Add. 21. Click the link for Global-USB-DA-Policy and click OK 22. Click OK. At this point, any managed device would not be able to use a USB thumb drive or external drive since you have just implemented a zone-wide USB Connectivity Policy that prevents its use. Next you will need to install and use the ZESM Device Scanner to white-list those USB device that will be allowed on DA managed devices. Task II: Download and Install the ZESM Device Scanner Utility Complete the following steps: 1. From IE s button bar on the right, click Page > New Window. 2. Click the drop-down in the URL Address field and select: 3. Download the Device Scanner from the zenworks-setup page: a. Click Administrative Tools in the upper left of the ZCC. b. Click the Endpoint Security tab. c. Click the link for ZESMDeviceSnannerUtilitySetup.exe d. On the File Download - Security Warning dialog click Save. e. In the Save As dialog browse to and double-click the c:\test directory and click Save. f. On the Download complete dialog click Close. g. Close this browser window. 4. Right-click the start button and select Explore. 5. In the left pane browse to and select the c:\test directory volume. 6. In the right pane. double-click the ZESMDeviceScannerUtilitySetup.exe After several seconds the Open File - Security Warning dialog will be displayed. 7. Click Run. 29

32 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 8. On the setup language dialog click OK. 9. On the Welcome to... dialog click Next. 10. On the License Agreement dialog select I accept the terms... and click Next. 11. Click Install. 12. On the InstallShield Wizard Completed dialog click Finish. 13. Exit Windows Explorer. Task III: Use the ZESM Device Scanner to Generate a List of Allowed Thumb Drives For this task you will need to obtain a thumb drive from your instructor. You will also need to work with another student in class when time comes to swap thumb drives with them. 1. This step will work best if the XP-Client VM is in either Quick Switch or Full Screen viewing Mode. Take the thumb drive and insert it into a USB port on your lab machine. You may see the VMware Removable Devices dialog, if so click OK. Open Windows Explorer to ensure that your XP-Client VM owns the thumb drive and not the host machine. TIP: If the VM does not show the thumb drive do the following: from VMware s menu bar click VM > Removable Devices > [name of thumb drive] > Connect 2. Close Windows Explorer. 3. Click start > All Programs > Novell > ZENworks > ZES Device Scanner > ZES Device Scanner This should display the screen shown in Figure 3-1 on page 30. Figure 3-1ZESM Device Scanner opening screen 4. Click the Scan Devices button shown in Figure 3-2 on page

33 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies Figure 3-2Scan Devices Button 5. After two or three minutes, you will see scan results similar to that depicted in Figure 3-3 on page 31. Figure 3-3Scan Results Notice that the scanner picked up USB devices that are not thumb drives (Thumb Drives show the Device Class as Mass Storage - 08) Click and Ctrl-Click the first column (left most cell) of each line that is not your thumb drive. This will highlight each entire row. NOTE: You could keep ejecting, inserting new thumb drives, and clicking the Scan Devices button as many times as you had thumb drives you wanted to be allowed. 6. Click the Delete Rows button on the Button Bar to delete the highlighted rows. 7. From the Device Scanner Menu Bar click File > Save as 8. In the Save in field browse to and double-click the c:\test directory. 9. In the File name field type AllowedUSBs 10. In the Save what field click the drop-down and select USB Devices 11. Click Save. 12. Exit the Device Scanner. 13. Safely remove the thumb drive from the XP-Client Client VM. Task IV: Use AllowedUSBs.xml file as Input to a Location-based USB Connectivity Policy 31

34 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab You will create a USB Connectivity Policy that will be enforced in the HQ-Config Security Location. The XML file generated by the Device Scanner will be imported during the creation of the policy. This will provide a white-list of allowed USB thumb drives. 1. Maximize the browser window where the ZCC is running on your XP-Client VM. 2. Click Policies If the ZCC has timed out, you will need to re-authenticate into the zone as administrator with a password of n0v3ll 3. Click New > Policy The Step 1: Select Platform screen is displayed. 4. Select Windows and click Next. 5. Select Windows Endpoint Security Policies and click Next. 6. On the Step 3: Select Policy type screen, select USB Connectivity Policy and click Next. 7. In the Policy Name field type Allowed-HQ-Thumb-Drives and click Next. The Step 5: Configure Inheritance and Location Assignments screen is displayed. 8. Select Location Based Policy and click Add. 9. Click the HQ-Config link and click OK. 10. Click Next The Step 6: Configure USB Connectivity Settings screen is displayed. 11. Under the Device Group Access Settings heading, click the drop-down for the Mass Storage Class field and select Disable. 12. Under the USB Device Access Settings heading click Add > Import In less than a minute the Import File dialog is displayed. 13. On the Import File dialog, click the drop-down for the Select source of data field and select ZESM Device Scanner Tool. 14. Click the browser button for the Select the exported file field. 15. On the Select File dialog click Browse. 16. Browse to c:\test and select the AllowedUSBs.xml file and click Open. 17. On the Select File dialog click OK. 18. On the Import File dialog click OK. Your screen should appear similar to that shown in Figure 3-4 on page

35 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies Figure 3-4Configure USB Connectivity Settings 19. Under the USB Device Access Settings heading click the link for the imported USB device. The Edit USB Connectivity Controls dialog should be displayed. 20. In the Access field click the drop-down and select Always Enable. IMPORTANT: What you have done with this configuration is this: all Mass Storage Class (where the Device Class is 08) devices have been disabled ( black-listed ). However one particular Mass Storage Class device has been allowed ( white-listed ). 21. Scroll down and click OK. 22. On the Step 6: Configure USB Connectivity Settings screen click Next. 23. On the Step 7: Summary screen check the box for Define Additional Properties and click Finish. 24. Click the Relationships Tab. 25. Under the Device Assignments heading click Add. 26. Click the Workstations link and click OK. 27. Click Next. 28. On the Step 2: Policy Conflict Resolution screen click Next. 29. On the Step 3: Finish screen, check the box for Enforce policies immediately on all assigned devices and click Finish. Task V: Test Your USB Connectivity Policies. 33

36 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab First you will see that the two ESM USB Connectivity Policies you have configured will allow your approved USB thumb drive to be used while the Win7-Client client VM is in the HQ-Config Security Location. Then you will remove your thumb drive from the Win7-Client VM and move the endpoint to a new network by changing the VM s Network Adapter to a different setting. While the endpoint is in this Security Location the approved USB thumb drive will be unavailable to the user. 1. Give your Win7-Client VM focus. 2. Right-click the ZAA icon and select Show Properties. 3. In the left pane click Policies Your USB Connectivity Policy should show Success under the Effective heading as shown in Figure 3-5 on page 34. If not refresh the ZAA and check again. Figure 3-5 Enforcement of USB Connectivity Policy 4. Close the ZAA GUI. 5. With your Win7 VM in either Quick Switch or Full-Screen Mode, insert your assigned thumb drive into a USB port on the host machine running all your VMs. 6. If you see the VMware Removable Devices dialog click OK. 7. You should see Windows 7 install the USB drivers for your thumb drive and then the AutoPlay dialog should be displayed. Click Open folder to view files and you will see that you have access to the thumb drive while in the HQ-Config Security Location. 8. Close Windows Explorer. 9. Launch Notepad and type in any line of text into the file. 10. From Notepad s main menu click File > Save As 11. Browse to the root of the thumb drive and save the file as hq-config.txt. 12. Exit Notepad. You have just proven that your approved USB thumb drive can be used while in the DA Headquarters Security Location. (If you launch Windows Explorer again you will see your hq-config.txt file at the root of the thumb drive.) 34

37 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies 13. Gracefully remove the USB thumb drive through the icon in the System Tray. 14. From VMware Workstation s menu select VM > Settings. 15. Select the Network Adapter and change the adapter setting to VMnet9 and click OK. In less than a minute you should see the Security Location change to the Branch- Config location. 16. Click OK to clear the Security Location Dialog 17. Re-insert your USB Drive into the USB port on your host machine. 18. If you see the VMware Removable Devices dialog click OK. 19. The Windows Autoplay dialog will briefly appear and then be automatically closed by ESM. Bring up Windows Explorer. You ll note that the USB thumb drive is unavailable to the user while the endpoint is in the Branch-Config Security Location. 20. Pull out the thumb drive and reset the Network Adapter setting on the Win7 VM back to VMnet5 (Host-only). (End of Exercise) 35

38 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 3-2 Implementing Encryption on Removable Devices In this exercise you will demonstrate ZESM s ability to encrypt data stored on removable devices. Only the machines where the Data Encryption Policy is enforced will be able to read the data written to an encrypted drive. This exercise is written in a more general format to challenge you when configuring the Data Encryption Policy using the ZCC. 1. Give your XP-Client VM focus. 2. Using the ZCC, authenticate into the zone as administrator with a password of n0v3ll if needed (your ZCC session may have timed out). 3. From the left hand pane select Policies > New > Policy > Windows > Windows Endpoint Security Policies. 4. On the Step 3: Select Policy Type screen select Data Encryption Policy. 5. Configure a simple Data Encryption Policy as follows: Policy Name: DA-Encrypt-Policy On the Step 5: Configure Data Encryption Settings screen check the box for Enable encryption for removable storage devices. Using the Policy s Relationship Tab assign the policy to the /Devices/ Workstations/HQ folder. Enforce the policy immediately on all assigned devices. 6. Give your Win7-Client VM focus. 7. In order for the Data Encryption Driver to activate the workstation affected by the Data Encryption Policy must be rebooted. Within a minute you should see the ZENworks System Change dialog depicted in Figure 3-6 on page 36. Figure 3-6 Activating the Data Encryption Driver Click Yes to reboot your Win7-Client VM. 8. Authenticate as AUser with a password of n0v3ll. 36

39 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies NOTE: Since the Data Encryption Policy can only be assigned to Devices, the user does not have to be authenticated to the ZCM User Source in order to have the policy enforced on any thumb drive placed in the machine by any user capable of logging into the machine locally. 9. Once the desktop has been painted and the ZAA has refreshed, make sure your Win7-Client VM is in Quick Switch or Full-Screen Mode. Insert your USB thumb drive into a USB port on your host machine. After Windows fully recognizes the thumb drive, you should see the screen depicted in Figure 3-7 on page 37. Figure 3-7ZESM Data Encryption Driver Detecting Thumb Drive Click Continue 10. Launch Notepad on your Win7-Client VM. 11. Type in the line: Top Secret Business Data into the file and then save the file to the root of your thumb drive as biz-data.txt After saving the file you can use Windows Explorer and double-click on the biz-data.txt file and see that the contents of the file are displayed properly. 12. Properly remove the thumb drive from the Win7-Client VM - do not just yank it out of your host machine. Once Windows 7 has gracefully removed the thumb drive from the OS pull the thumb drive out of the USB port on your host machine. 13. Verify that a machine not being managed by ZCM and enforcing the DA- Encrypt-Policy can not read the biz-data.txt file: a. Minimize VMware Workstation completely so you can see the desktop of the host machine. Do not exit VMware Workstation! 37

40 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab b. Place the thumb drive back into the USB port of your host machine. c. The Windows 7 OS of the host should pick up and mount the thumb drive. If it does not you may have to manually release it to the host by disconnecting it from the Win7-Client VM. Open Windows Explorer and you should see the names of both files on you USB thumb drive. d. In Windows Explorer on the host machine, double-click the biz-data.txt and hq-config.txt files at the root of the thumb drive. You will be able to see that the file physically exists on the drive, but you should not be able to read the contents of the file. 14. Close Windows Explorer and gracefully remove the USB Drive from the host Operating System. (End of Exercise) 38

41 Managing USB Devices in NEPS Using USB Connectivity and Data Encryption Policies What you have proven: You have seen that the ZENworks Endpoint Security Management component of the Novell Endpoint Protection Suite can be used to: Enforce security polices based on the current Security Location of the endpoint Dictate whether or not external devices can be used on the endpoint at all or only while in give Security Locations Encrypt the contents of any files written to allowed USB devices. What s next? Next you will see how even if the user leaves their laptop at the airport, the company s mission critical and proprietary data can be protected by ZENworks Full-Disk Encryption (ZFDE). 39

42 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 40

43 Implementing FDE Using the PBA Dialog SECTION 4 Implementing FDE Using the PBA Dialog This exercise is designed to introduce you to new encryption capabilities that are available in the ZENworks 11.2 Configuration Management (ZCM 11.2) product. These new encryption capabilities are provided by ZENworks Full-Disk Encryption (ZFDE) product. ZFDE provides the following capabilities: Software-based FDE for Windows laptops for that have standard drives in them. Hardware-based FDE for Windows laptops that have drives that have on-board encryption chips build into the drive itself. Transparent Pre-boot Authentication (PBA) - In this configuration the machine has a fully encrypted hard drive, however the user sees only the normal Windows authentication dialog. PBA Dialog - In this configuration the machine has a hardened Linux partition from which a special Authentication Dialog is displayed. The FDE Policy can be configured to display the Windows Authentication Dialog or pass the credentials entered via the PBA on through to the Windows Credential Provider (or Login GINA in the case of Windows XP). Scenario: IT Management of Digital Airlines wants to protect company data on the laptops of traveling employees. As the administrator responsible for Novell Endpoint Protection Suite, you will be configuring the necessary FDE policies to ensure that if an employee loses a laptop that it will not result in a data breach. 41

44 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Exercise 4-1 Implementing Software-based FDE Using PBA In this exercise you will see how easy it is to get access to data on a Windows machine without even authenticating to the operating system and see how ZENworks FDE can prevent that access. You will implement Software-based FDE using the PBA dialog. This means that the user will be presented with a special authentication dialog prior to the Windows login process. However as you will see, the drive contents will be encrypted and can not be accessed unless the user successfully authenticates to the FDE PBA dialog. The following activities will be completed in this exercise: Task I: Accessing User Data Without Authenticating to Windows on page 42 Task II: Configuring FDE Policy for Software-based FDE Using the Pre-boot Authentication (PBA) Dialog on page 45 Task III: Verifying Encryption of User Data on page 50 Task I: Accessing User Data Without Authenticating to Windows Here you will see how user data can be accessed without authenticating to the Windows Operating System. This can be accomplished by: removing the drive from the original machine and installing it as a secondary drive in another machine or by simply booting up the machine under a different OS from a boot CD or floppy. You will use the ZENworks Imaging Distro (which is based on SLES 11) to mount the Windows partition to access and view user data. Complete the following steps: 1. Make sure your Win7-Client VM has focus. 2. Create a file on your E: drive called biz-data.txt by completing the following: a. Click Start > Notepad. b. Type any line of text you want into the file. c. From Notepad s menu click File > Save The Save As dialog is displayed. d. In the left pane select UserData (E:) e. In the File name: field type biz-data and click Save. f. Exit Notepad. 3. Gracefully restart the VM. 4. As the VM starts its PXE-boot process click into the VM and press and hold down the Ctrl-Alt-Shift keys until the PXE Menu shown in Figure 4-1 on page 43 is displayed. 42

45 Implementing FDE Using the PBA Dialog Figure 4-1PXE Menu 5. Cursor down and select Start ZENworks Imaging Maintenance The ZENworks Imaging Distro will take a couple minutes to load on your Win7- Client VM. When completed you will see the distro s bash prompt ( /# ). 6. Issue the following commands from the bash prompt. These commands will demonstrate the vulnerability of data on the Windows partitions. hwinfo --disk grep /dev/sd Figure 4-2Windows Drives Under Linux This command will display the Linux names of the drives on the Windows 7 machine. You should see what s shown in Figure 4-2 on page 43. You ll note there is a /dev/sda and a /dev/sdb device. The /dev/sda drive is the first 60GB drive and /dev/sdb is the second 4GB drive of the VM hwinfo --partition more This command will show output like that seen in Figure 4-3 on page

46 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Figure 4-3Windows Partitions Under Linux The /dev/sda1 partition is the 100MB Windows recovery partition on the 60GB disk, /dev/sda2 is the Windows OS partition on the 60GB disk, and / dev/sdb1 is the partition on the 4GB drive. Press the space bar to terminate the command. mount -t ntfs-3g /dev/sdb1 /mnt/harddisk This will make the UserData (the E: drive) of the Windows machine fully accessible via the /mnt/harddisk directory. ll /mnt/harddisk/ The ll command (that s two lower-case Ls) will display the contents of the mounted partition which in this case is the Windows E: drive. cat /mnt/harddisk/biz-data.txt This will display the contents of your biz-data.txt file. This file could have just as easily been modified or deleted. reboot This will reboot your Win7-Client VM back into Windows. 7. Authenticate into Windows 7 as AUser with a password of n0v3ll You can move ahead and start configuring your FDE Policy while your Windows 7 VM is coming up. 44

47 Implementing FDE Using the PBA Dialog Task II: Configuring FDE Policy for Software-based FDE Using the Pre-boot Authentication (PBA) Dialog Now you will configure an FDE Policy that implements Software-based encryption on the Windows E: drive. The PBA will be used in this policy which means that the user will need to authenticate to the PBA before they can access their Windows machine in any way. 1. Give your SLES bit VM focus. TIP: If the screen saver has activated the password for the Geeko user is novell. 2. If the ZCC is not running, double-click the Firefox - ZCC icon on the desktop to launch the ZENworks Control Center (ZCC). 3. Authenticate into the zone using the ZCC by using the following credentials: Username: administrator Password: n0v3ll 4. On the License Notification dialog click OK. 5. In the upper left pane of the ZCC click Policies. 6. Under the Policies header click New > Policy. 7. On the Step 1: Select Platform screen select Windows and click Next. 8. On the Step 2: Select Policy Category screen select Windows Full Disk Encryption Policies and click Next. 9. On the Step 3: Select Policy type screen click Next. 10. On the Step 4: Define Details screen type FDE-with-PBA in the Policy Name field. 11. In the Administrator Notes field type, Policy implements PBA and encrypts the user s E: drive and click Next. 12. On the Step 5: Configure Disk Encryption - Volumes and Algorithm screen click Encrypt specific local fixed volumes 13. Under the Local Fixed Volumes header click Add. 14. On the Drive or Partition dialog click the drop-down and select E: and click OK. NOTE: You are only encrypting the small E: drive to save time during the exercise. 15. Click Next. 16. Configure the Step 6: Configure Disk Encryption - Admin Password and Encryption Initialization screen as follows: a. Click the Set link to the right of the FDE Admin Password field. 45

48 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab b. In the Set FDE Admin Password dialog type N0v3ll123 as the password and click OK. TIP: That password is: Capital N - Zero - Lower-case V - Lower-case L - Lower-case L - One - Two - Three. c. Check the box for Display predefined message to user before rebooting d. Check the box for Override predefined message with custom message e. In the Title of message window field type SECURITY MESSAGE f. In the Body frame type: Your machine must be rebooted in order to activate the Full-Disk Encryption Driver. g. Under the CheckDisk Options heading select Do not run Windows check disk WARNING: In a production environment it is highly recommended that you leave the CheckDisk Options at the default setting. You are not running chkdsk in this exercise to simply save you some time. h. Click Next. 17. On the Step 7: Configure Pre-boot Authentication - Authentication Methods screen check the box for Enable user ID/password authentication 18. Check the box for Activate single sign-on for ZENworks PBA and Windows login TIP: This capability allows the PBA to capture the user s Windows credentials so that they can be passed on to the Windows Credential Provider at the next boot. So if the ZCM Dynamic Local User Policy was enforced, once the user entered their credentials into the PBA Dialog those credentials would be passed on to the Windows Credential Provider and the ZAA Authentication Dialog as well. 19. Scroll down in the ZCC until you see the User ID/Password Authentication Settings heading. 20. Check the boxes for During PBA login, show user name of last successfully logged-in user and Create PBA account for first user who logs in to Windows after the policy is applied (User Capturing). 21. Scroll down and click Next. 22. On the Step 8: Configure Pre-Boot Authentication - Reboot and Lockout screen, under the Reboot Options heading configure the following: a. Check the box for Display predefined message to user before rebooting b. Check the box for Override predefined message with custom message 46

49 Implementing FDE Using the PBA Dialog c. In the Title of message window field type SECURITY MESSAGE d. In the Body field type Your machine needs to be rebooted again to encrypt the contents of your E: Drive. 23. Scroll down and click Next. 24. On the Step 9: Configure Pre-Boot Authentication - Hardware Compatibility screen scroll down and click Next. The Step 10: Summary screen is displayed. If you have made any configuration errors you can use the Back button to correct your mistake. 25. Scroll down to the bottom of the Summary Screen. Check the box for Define Additional Properties and click Finish. 26. Click the Relationships Tab. 27. Under the Device Assignments heading click Add. 28. In the Select Objects dialog click the blue down arrow to the left of the Workstations link. 29. Click the blue down arrow to the left of the HQ link. 30. Click the link for win7-client and click OK. 31. On the Step 1: Devices to be Assigned screen click Next. 32. On the Step 2: Finish screen check the box for Enforce policies immediately on all assigned devices and click Finish. 33. Give your Win7-Client VM focus. 34. Right-click the ZAA icon in the System Tray of your VM and select Refresh After a minute or two the dialog shown in Figure 4-4 on page 47 should be displayed. This is the first dialog you configured in the FDE policy. Figure 4-4 Reboot Required for FDE Driver Click Reboot Now. 35. After the VM reboots authenticate as AUser with a password of n0v3ll 47

50 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab 36. Shortly after the Windows 7 desktop is painted (one or two minutes) you should see the second dialog configured in your FDE Policy as depicted in Figure 4-5 on page 48. Figure 4-5 Reboot Needed for Encryption Click Reboot Now After the reboot you will get your first glimpse of the FDE dialog. Your VM will be rebooted automatically so that the User Capturing can be activated. 37. Authenticate to Windows as AUser with a password of n0v3ll At this point, the FDE Encryption Driver has been activated, your E: Drive has been encrypted, and the Windows credentials for AUser have been captured. 38. Optional Step: To see details about your FDE Policy being enforced complete the following: a. Right-click the ZAA icon in the System Tray and select Show Properties. b. In the left pane click Full Disk Encryption c. Click the About link. In less then a minute the ZFDE About Box dialog should be displayed. Note that the FDE-with-PBA policy status should show as Policy enforced, with drive encrypted d. Click the Agent Status button. This will display a small ZENworks FDE Password dialog box. This is the FDE Admin Password you configured in your FDE policy. e. In the Administrator Password field type N0v3ll123 and click OK. The Full Disk Encryption tab is displayed. Note the information about all the drives on the VM under the File System Status List. f. Feel free to investigate the information show on the various tabs. When you are done click the Close button. g. On the ZFDE About Box dialog click OK. h. Exit the ZAA GUI. 39. Now gracefully reboot your Windows 7 VM. The PBA Dialog as pictured in Figure 4-6 on page 49 is displayed. Note that the Username field is already populated with AUser. 48

51 Implementing FDE Using the PBA Dialog Figure 4-6 ZFDE PBA Dialog 40. Click into the PBA s Password field and type n0v3ll Then click OK 41. The AUser credentials will be passed on to the Windows Credential Provider and the ZAA Authentication Dialog. 42. Optional Step: If you get back into Disk Management (under the Computer Management applet as described in Step 2 on page 7 through Step 4 on page 8 inclusive) you should see the newly created PBA Partition at the end of Disk 0 as shown in Figure 4-7 on page

52 ZEN04-Staying out of the Front Page Headlines Using Novell EndPoint Security Suite (NEPS) / Lab Figure 4-7PBA Partition Under Windows Exit the Computer Management applet. Task III: Verifying Encryption of User Data Now you will verify that important user data on drive E: can no longer be modified or even seen by booting into a non-windows OS. 1. Gracefully restart the Win7-Client VM. 2. As the VM starts its PXE-boot process click into the VM and press and hold down the Ctrl-Alt-Shift keys until the PXE Menu shown in Figure 4-1 on page 43 is displayed. 3. Cursor down and select Start ZENworks Imaging Maintenance The ZENworks Imaging Distro will take a couple minutes to load on your Win7- Client VM. When completed you will see the distro s bash prompt ( /# ). 4. Issue the following commands from the bash prompt. These commands will demonstrate how the data on the encrypted E: drive is no longer vulnerable. hwinfo --disk grep /dev/sd This command will display the Linux names of the drives on the Windows 7 machine. You should see what s shown in Figure 4-2 on page 43. You ll note there is a /dev/sda and a /dev/sdbdevice. The /dev/sda drive is the first 60GB drive and /dev/sdb is the second 4GB drive of the VM. So the enforcement of the FDE Policy did not change this. hwinfo --partition more 50

53 Implementing FDE Using the PBA Dialog However this command will now show four partitions. Three on /dev/sda. This additional partition is the FDE PBA Partition. Press the space bar to terminate the command. mount -t ntfs-3g /dev/sdb1 /mnt/harddisk Now that the E: drive is fully encrypted this command will fail as shown in Figure 4-8 on page 51. Figure 4-8Failure to Mount Encrypted Windows Partition Under Linux Therefore the only way to access the data on the E: drive is to be able to successfully authenticate to the Windows 7 Operating System via the PBA. 5. Get back into Windows by completing the following steps: a. At the bash prompt on your Win7-Client VM enter the following command: reboot b. Authenticate to the PBA Dialog as AUser with a password of n0v3ll c. Now you ll be able to access the data on the E: drive that you have successfully authenticated to the PBA Dialog. Now you have demonstrated how ZFDE of the Novell Endpoint Protection Suite can fully protect the data on a laptop s drives. So even if the machine is lost or stolen, a data breach can not occur. (End of Exercise) 51