Pointsec Protector v4.91 Training Manual. This document is to be used as a guide to the Pointsec Protector training course

Transcription

1 Pointsec Protector v4.91 Training Manual This document is to be used as a guide to the Pointsec Protector training course Check Point Software Technologies Ltd 2008

2 1. Server Installation Splash Screen Program Folder Location Screen SMTP Setup screen Service setup screen Summary Screen Microsoft SQL Server Database Engine Server Installation Exercises Server Concept Profile Templates Users and Groups Interface Layout MediaID Backup Media Export Wizard Pointsec Protector Administration Console Profile Creation User Group Creation New Group Wizard Groups name screen Groups Profile Screen Groups Selection Screen Confirmation Screen Adding a user manually Select Users and Groups dialog Computer Group Creation New Group Wizard Groups name screen Groups Profile Screen Summary Screen Computer Profile Properties Profile, Groups and Users Exercises Client Installation Welcome Screen License Agreement Screen Setup Type screen Server Connections screen Summary Screen Client Interface System Tray Icon Version Information Server/Client Interaction Clients registered on the server Profile Updating To push a profile To pull a profile Checking a Pointsec Protector profile from the client Device Manager Device list Removable Media Manager Inserting unauthorised media Browsing Media Media Authorisation Scanner selection... 52

3 12.5 DataScan Authorising media with EXE files Writing Media Signature Encryption Policy Manager Encrypting a device Changing The Size Of The Encryption Assigning An Owner and Limbo Mode The Encryption Process Using Device Manager, Removable Media Manager and Encryption Policy Manager Program Security Guard File Introduction File modification Process exemptions Logging and Auditing Event Logging Removable Media Audits Profile Templates Introduction Stacked Profile Define Box General Profile name User Interface User Interface options Display PSG alerts as balloons checkbox User can disable Removable Media Manager / Program Security Guard / Device Manager Changing the Client Menu PSG Messages (Program Security Guard) PSG alert text Contact Information RMM (Removable Media Manager) Alert Text Alert Text Contact Information Device Manager Tab Device List Encrypting Removable Devices (USB drives, etc) Encrypting External Hard Drives Adding a device to the Device Manager Removable Media Manager (RMM) Removable Media Authorisation No media authorisation check Automatic Media Authorisation Automatic Media authorisation with an option to delete files Allow users the following rights (wizard mode) User can authorise removable media User can select scanners User can skip media scan User can delete files on unauthorised media Encryption Policy manager (EPM) Encryption Policy Manager (EPM) Access rights Selecting the Configure button for Automatic Access Encryption to Protected Media Access to media encrypted by any user Only grant access to the owner of the encrypted media Access to media encrypted by members with the same profile template Access to all encrypted media except members of the following groups Selecting the configure button of Access to Password Protected Media No access to any password protected media Allow access to all password protected media Allow access to password protected media from this site only

4 Allow access only to media from the following sites Advanced Settings Protect media with a password for offline mode Providing the external workstation has either: Password configuration Constraints Advanced User Can Change Size Of Encrypted Media Copy EPM Explorer To Encrypted Media For Offline Access User Can Create Media for Other Users User Can Recover Their Password Using Challenge/Response Users Can Remove EPM Encryption From Media Program Security Guard (PSG) Configure File Types Adding New PSG Protected File Types Removing Previously Created Extensions PSG Exempt Products Product Declaration Editing Exempt Products Disable Process Executable Check PSG Exemption Examples Adding an exemption to the server Auditing Events list Authorised Device Manager Event Encrypted Removable Media Exported Fixed Hard Disk Configuration Changed Pointsec DataScan Event Pointsec Protector Client Service Was Shutdown Removable Media Scan Was Skipped Removable Media Was Encrypted Scanner Event Service Startup Error Successful Media Authorisation Suspected Keylogger detected Unauthorised (PSG) File Operation Unauthorised Device Event Unauthorised Program Execution Unauthorised Removable Media Found Unsuccessful Media Authorisation User has disabled a system component User has enabled a system component Audit Event Propagation Ignore Register Immediate Removable Media Audit rules Reset Log all Add Media Rule Name Recorded in server log Recorded in server log and raised alert Advanced Tab Pointsec client anti-tampering features Enable Pointsec Protector client anti-tamper protection Protector client profile reload Only reload the profile on logon or network connection change Check for updated profile every XXX minutes Protector client log synchronization Every day at Every minutes Manually Pointsec webrh Support Use webrh profile for challenge/response Advanced Profiles...102

5 27.1 Multiple Profiles Shared Profiles Default Profile Advanced Group Creation Domain group importing Domain Group Synchronisation Modify Group Properties Group Tab Profiles Tab Offline User Profiles Setting up Offline profiles Selecting Offline user groups Configuring the profile settings Selecting/Creating computers for offline profile operation Demonstrating and testing Offline profile setup Domain Synchronisation Group Order Advanced Advanced User Management Viewing all users Filtering user lists Removing the filter Moving users Special Users User Properties General Configuration Profile Computer Management General Client ID Client Version Computer Name Last Known IP Connection time Last User Is Logged on Configuration Active Module Program Security Guard Removable Media Manager Device Manager Dynamic Control Updating client details Filtering computer list Audit Events Viewing Audit Logs Filtering event list Event details Device information Log Export Log Properties Archive period Automatic Log archival period Archive Location RMM Audit Events Viewing event summary View user/machine events Displaying event details DVD/CD Audit events Filter event list...134

6 34.6 Viewing all events SQL Database Microsoft SQL Desktop Engine Advantages Disadvantages MSDE management through Command line Limitation reasons to upgrade Reducing the size of the database MS SQL Server MS SQL 2005 Express Migration Detaching the database Attaching the database Configuring Protector to use a new database Server and Database Configurations Using a local Database Using a Remote Database Configuring SQL Database user rights (using SQL 2000) Upgrading Multiple Server Configuration License Message Warning

7 Installation and Basic Setup This section of the course will guide you through a basic server and client installation and give a basic overview of how the server is configured and how the client software interacts with the Pointsec Protector Server

8 1. Server Installation During this section of the course we will complete a Pointsec Protector Server installation. Prior to this a demonstration of the product will be given followed by an exercise to install a Pointsec Protector Server on your training workstation. Begin by inserting your Pointsec Protector Installation CD-ROM into the CD Drive. The CD should autorun, if not, double click on the AutoRun.exe located on the root of the CD. This will display the following menu screen. It is also possible to install the software from a local drive or network share. Advanced installations will be covered later in the course. Select the Pointsec Protector Server and then Install Pointsec Protector Server for Windows 2000/2003/XP from the list of options. The setup program will launch and display the following splash screen on page 9. Page 8

9 1.1 Splash Screen The welcome screen is displayed. Click Next to continue: Page 9

10 The license agreement is displayed. The terms and conditions must be read fully. To continue with the installation, the I accept the agreement radio button must be selected. Click Next to continue: Click Next to continue for the Registration screen. This dialog is used to enter your unique company registration information (this would have been supplied to you when you purchased the Pointsec Protector software). This code is unique to your organisation and includes licence code information. The user name field should be left as the default but Company Name and Serial Number must be entered exactly as they are supplied. Note that all 0 s in the serial number are zeros. You will be given a valid registration code to use for this training course only. Click Next to continue. Page 10

11 Click Next to display the Setup Type dialog. Select the type of installation required: Complete: Will perform a complete installation of Pointsec Protector Server including the Server components, MSSQL database (MSDE) and the administration console. Custom: Provides the option to select which components are required. Pointsec Protector Administration Console: Will install just the administration console for remote administration of a Pointsec Protector Enterprise Server. Using this dialog you can select the setup that you require. We will discuss the other options during the Advanced Server setup section of this training course. For this exercise select Complete and click Next to continue. Page 11

12 1.2 Program Folder Location Screen Select the Program Folder where you wish to place the Pointsec Protector shortcut within the Start menu. For this exercise leave it as the default and click Next to carry on with the installation, next step being the installation of the Microsoft SQL Server Database Engine. Page 12

13 1.3 SMTP Setup screen This dialog is used to configure the Pointsec Protector Server communication port and SMTP settings. Port Number this is the TCP/IP port number that the server will use to communicate with the client. SMTP Server- if you wish to use the alert feature of Pointsec Protector you need to enter the name of the SMTP server and provide a logon name and password for an account to access this SMTP server. For this exercise we will leave the Port Number as the default 9738 and for the SMTP server setting use the following information. Host Name : srvr-test User Name : administrator Password: password From Address: admin@domain.com Subject: Automated Pointsec Protector Alert Click Next to continue. Page 13

14 1.4 Service setup screen The Pointsec Protector service may require a domain administrator account to enable it to enumerate and access users located on the domain. Some networks have a security option selected that denies access to user account information on the domain to anonymous accounts. The Pointsec Protector runs as a service on the server machine. The service requires an account within which to run. It is recommended that a domain user account is selected. The user account must have access to the domain(s) and have local administration rights on the machine where the server is installed. Select the desired user account using the Browse button and click Next to continue: For this exercise we will select to use the local system account for the server. You will be shown later in the course how to change this after the server has been installed. Click Next to continue. Page 14

15 1.5 Summary Screen This dialog displays a summary of the installation options you have selected. Check this information is correct and click Next to continue. The installation will now copy all files required to complete the installation and display the Finish dialog when complete. 1.6 Microsoft SQL Server Database Engine The Pointsec Protector Pro Server uses a Microsoft SQL database to store the profile and user information and installs the Microsoft SQL Database Engine during setup. During this automatic install the following two windows will pop-up: Page 15

16 Click the Finish button to complete the installation. 1.7 Server Installation Exercises Exercise No. Description Complete 1 Install a Pointsec Protector Sever to your training Workstation Page 16

17 2 Server Concept This section will give you a brief understanding of the concepts behind the Pointsec Protector Server. It will introduce you to a Pointsec Protector profile and how these relate to users and groups in the Pointsec Protector database. 2.1 Profile Templates A Profile template is a collection of Pointsec Protector policy settings that determine what rights a user has within the Pointsec Protector Client software and what settings are to be applied to the client machine for that user. 2.2 Users and Groups Groups of users are created within the Pointsec Protector Database and a profile template is then assigned to the group. When a user logs in to a client workstation, the client software will communicate with the Pointsec Protector Server. The Pointsec Protector Server checks what groups the user is a member of and sends the correct profile to the client workstation, which is then used to apply the Pointsec Protector policy setting to the client software. Page 17

18 3 Interface Layout The Pointsec Protector Server administrator console has been developed as a Microsoft Management console snap-in to ensure a common feel with other server based applications that you may have used. To open the Pointsec Protector Server console select Start>All Programs->Check Point->Pointsec Protector Server->Administration Console from the Windows Start menu. The administration console will now attempt to connect to the Pointsec Protector Server installed on the local workstation. 3.1 MediaID Backup The first time you open the Pointsec Protector Administration console you will be prompted to backup your unique MediaID. The MediaID is a randomly generated number that is created each time a server is installed. This ID is used to ensure that any two networks that are installed running Pointsec Protector can not interchange authorised media. It is important to back-up this MediaID in case you need to re-install the server at any point or install a second server with the same ID. You can then import your existing Media id and ensure all authorised media remain authorised. Select Yes to start the media export Wizard. Page 18

19 3.2 Media Export Wizard Click Next to continue From this dialog you can select to Import an existing MediaID or Export the current one. Select the Export media ID radio button. Click Next to Continue. Page 19

20 Use this dialog to select the file name and location of the exported MediaID file. Click Next to continue. You can also use the Browse button to select a location and file name for the exported MediaID. Save the MediaID export file to the root of the C:\ drive. Click the Finish button to complete the Import/Export Media ID Wizard. This has only to be completed once. Now that you have backed up the Media ID you will not be asked again. It is possible to back-up the Media ID again manually from the server console. This will be explained in the Advanced Server Configuration section of this course. Page 20

21 3.3 Pointsec Protector Administration Console The default console view is split into two main windows. The top window is split into two panes, the lefthand pane contains a TreeView control with nodes for each of the areas of Pointsec Protector that can be configured. The Right-hand pane of the top window is a ListView control that lists the contents of the currently selected node. The bottom window is a view of the logged on computers, which are currently running Pointsec Protector. This is the same as selecting the Computers node from the top window. The window and view can be moved and configured to suit your own needs. If changed, you will be prompted to save the current layout when you close the Administration Console. Page 21

22 4 Profile Creation During this section we will create a new profile template to be used during this training course. Open the Pointsec Protector Administration Console as described in the previous section. Right-click on Profile Templates node and select New Profile from the menu. This will create a new profile template and display the profile configuration dialog. Page 22

23 Rename the profile to Administrator Profile and click OK to save. You can check the profile has been created by selecting the profile node in the Server Console and checking the ListView pane on left to verify the new profile has been created. We will discuss all the profile settings in the Advanced training section. The new profile named Administrator Profile. Page 23

24 5 User Group Creation During this section we will create a Pointsec Protector user group assigning our profile to the group and add a user from the domain. Right click the Groups node and select New->Group of users from the context sub menu. This will start the new group wizard. 5.1 New Group Wizard Click Next to display the Group Name dialog. Page 24

25 5.2 Groups name screen This dialog is used to specify a name and description for the new groups. For this exercise we will use the following information for the first groups we create. Group Name: Administrator Group Group Description: Training Course Test Admin Users Click Next to display the Group Profile dialog. The new group Administrator Group and the group description. Page 25

26 5.3 Groups Profile Screen This dialog is used to select the profile template(s) that will be assigned to the group. This option can be changed after the group has been created. This will be explained in the Advanced Profile, User and Group management section of this training course. For this exercise we will select the Administrator Profile that we created in the previous exercise and add it to the Group profiles field on the right. Click Next to display the Group Selection dialog. Page 26

27 5.4 Groups Selection Screen From here you can select which type of group you wish to create. There are two options: 1. Create an Empty group 2. Add all users from a domain group There is also an additional option to enable domain synchronisation for this group. Using this dialog it is possible to automatically import all users from a domain group and enable synchronisation between the groups. This will be explained in the Advanced Profile, User and Group management section of this training course. For this exercise we are going to create an empty group. Select the Create an empty group radio button and click Next. Click Next to display the Summary Dialog. Page 27

28 5.5 Confirmation Screen Confirm the details are correct and Click Finish to create the new group. This will have a created an empty group. You can check the group has been created by selecting the Groups node and checking the Groups list in the left-hand pane. Page 28

29 6 Adding a user manually We will now add a user from the domain to this group manually. Once added to the group this user will be assigned the profile that was used when they log in to Pointsec Protector client workstation. Groups Node Group Lists Expand the Groups node to view the list of group on the server. You will notice there are two additional groups as well as the group you have just created. default Users with custom profiles These are special groups used internally by the Pointsec Protector Server and were created as standard when you first installed the software. These groups will be covered in more detail in the Advanced Profile, User and Group management section. Right-click the group you wish to add a user to and select Add user to Group from the context sub menu. Make sure you select the correct group before selecting the 'add a user' to the group option. Page 29

30 6.1 Select Users and Groups dialog This is a standard Microsoft Windows dialog for selecting users and groups from the local workstation and domain. Make sure you are browsing the domain and not the local workstation by clicking the Locations button and select the domain you are adding the user from. This dialog will look different on Windows 2000 and Windows Please refer to the Microsoft Windows on-line help for details on selecting users and groups using this dialog. Enter the name of the user you want to add to the group. For this exercise enter Administrator (this is the name of the domain admin account). It is also possible to add a domain group to the Pointsec Protector group from this dialog. This is not the preferred way to add domain groups to the Pointsec Protector Server. Further details will be given in the Advanced Profile, Users and Groups section. When you have finished adding users to the list click the OK button and the selected users will be added to the Pointsec Protector Group Group Node Group To confirm the user has been added to the group select the group in the tree to view the member of the Group. You can also select the Users node to view all users in the database. Page 30

31 7 Computer Group Creation Within this section we will discuss how to create Computer Groups and how to assign a profile to that group. A Computer Group is created much in the same way as a User Group, the only difference being that no users are assigned to the group on initial creation. In order to assign a computer to a Group, a simple Drag & Drop method is used. Computer Groups allow any user to log into a computer and use the facilities that have been made available to the user in the Computer Profile. If the computer profile states that the machine can access and write to a CD then regardless of who logs in, the user will have access to record their own media. Right-click the Groups node and select New->Group of computers from the context sub menu. This will start the new group wizard. 7.1 New Group Wizard Click Next to display the Group Name dialog. 7.2 Groups name screen Page 31

32 This dialog is used to specify a name and description for the new groups. For this exercise we will use the following information for the first groups we create. Group Name: Administrator Group Group Description: Training Course Test Admin Users Click Next to display the Group Profile dialog. The new group Administrator Group and the group description. Page 32

33 7.3 Groups Profile Screen This dialog is used to select the profile template(s) that will be assigned to the group. This option can be changed after the group has been created. This will be explained in the Advanced Profile, User and Group management section of this training course. For this exercise we will select the Administrator Profile that we created in the previous exercise and add it to the Group profiles field on the right. Click Next to display the Summary screen. 7.4 Summary Screen Confirm the details are correct and Click Finish to create the new group. This will have created an empty computer group. You can check the group has been created by selecting the Computer Groups node and checking the Groups list in the left-hand pane. Page 33

34 7.5 Computer Profile Properties Accessing the property pages of the computer group profile will allow the user to decide the priority of the computer profiles, i.e. whether or not the computer profile will come before User and Group profiles, or whether computer profiles will override User and Group profiles. To access the Computer Profile Properties, Right-click the newly created computer group and select Properties. The Computer Profile Property page will now appear where you can configure whether the Computer Profile will take priority over the User Group profile. Page 34

35 7.6 Profile, Groups and Users Exercises Exercise No. Description Complete 2 Create another new profile for domain users 3 Create a new group using the new profile above 4 Add TestUser from the domain to the group you have just created 5 Create a new profile which allows CD-ROM access and name it Computer Profile CD-ROM Access 6 Create a new Computer Group and call it CD-ROM access Page 35

36 8 Client Installation In this section of the course we will complete a Pointsec Protector Client installation. First a demonstration will be given, and then an exercise to install a Pointsec Protector Client on your training workstation. Start the installation by inserting the Pointsec Protector installation CD into your CD-ROM Drive. The CD should autorun displaying the Pointsec Protector splash screen as shown below. If it doesn t, browse the CD through windows explorer and double click on the AutoRun.exe located on the root of the CD. This will display the following menu screen. Select the Pointsec Protector Client and then Install Pointsec Protector Client for Windows 2K/XP from the list of options. The setup program will launch and display the following splash screen. It is also possible to install the software from a local drive or network share. Advanced installations will be covered in a section later on in this training course. Page 36

37 8.1 Welcome Screen Click Next to continue. 8.2 License Agreement Screen To continue the I accept the agreement radio button must be selected. Click Next to continue. Page 37

38 8.3 Setup Type screen. Select the installation type either Complete or Custom. It is advisable to select a custom installation as you will be given the opportunity to select the install components. Click Next to continue: There are two options that you can select from the dialog. Complete Performs a complete installation. Custom - Allows you to select which client components you wish to install. We will discuss a custom install during the Advanced Client Setup section of the course. Page 38

39 If a custom installation was selected the components required must be selected. Pointsec Protector DataScan Pointsec Protector 4 is supplied with a data authorisation module, which is integrated within the media authorisation process. Employing this module, users can be given the right to authorise their own media providing the device contains only permitted file types. The module can be configured to only allow the authorisation of data only files. Any executable/active code will be rejected even if renamed or hidden. Select the required components and click Next to continue: Click Next to continue. Page 39

40 8.4 Server Connections screen. You can use this dialog to select the location(s) of the Pointsec Protector Server the client will communicate with. To add a server to the list: 1. Enter the name of your Pointsec Protector Server in the Server Name text box (or use the Browse button to select from the domain). 2. Enter the Pointsec Protector Server communication Port number configured on the server it is using (this was set when you installed the server). 3. Click the Add button. This will perform a test connection and add the server to the list. Continue adding servers until your entire Pointsec Protector Server has been added and click Next to continue. Multiple Servers and advanced client setup will be covered in the Advanced Client Setup section of this course. For this exercise enter the name of your local workstation as the server (the machine name will be on a sticker on the front of the PC case) or you can use localhost as the server name. Leave the Port number as the default Page 40

41 8.5 Summary Screen. Click next to confirm and install the Pointsec Protector client software with the selected options. On completion you will be prompted to reboot the workstation to complete the installation. Click Finish to reboot the workstation. Page 41

42 9 Client Interface 9.1 System Tray Icon Once the installation has completed and the workstation rebooted, you can verify that the Pointsec Protector Client software is installed by checking for the Pointsec Protector system tray icon. 9.2 Version Information Pointsec Protector Icon Right click the system tray icon to display the Pointsec Protector Client Menu. Select About to display the about box. Client Version Module versions This will display the Pointsec Protector Client about box. From here you can get information regarding the Pointsec Protector product version number, as well as the versions of each module installed on the machine. There are more menu items contained on the client menu that we will cover later in the training course Page 42

43 10 Server/Client Interaction This section will explain in more detail how the client and server interact and also demonstrate how to update profiles from either the server or client Clients registered on the server When a client workstation is installed the first process it performs is to register itself with the Pointsec Protector Server. To view the machine on the server: 1. Open the Pointsec Protector Server Administration Console (See section 3 for details on how to open the administrator console). Installed client(s) 2. Select the Computers node to view the list of registered computers. This will list all client workstations on the network that currently have Pointsec Protector installed. The computers list contains information regarding the current state of the Pointsec Protector Client software. We will discuss this in more detail in the Dynamic Configuration section of the training course. Page 43

44 10.2 Profile Updating A user s profile is automatically loaded each time a user logs in to a workstation, but it is also possible to push a profile update from the server console to the workstation. This means that changes can be made to a profile and then these changes pushed to a client machine To push a profile. 1. Right click the machine you want to reload the profile. 2. Select Reload Profile from the sub menu. 3. A request is then sent to the client to contact the server to obtain a new profile. 4. A balloon will then be displayed on the client showing that profile has been updated. Page 44

45 To pull a profile. Users profile permitting (the Pointsec Protector tray icon can be disabled), it is also possible for users to update their profile from their client workstation at any time. 1. Right-click the system tray icon and select Options. 2. Click the Update button to force the client to get a new profile from the server. The Test button can be used to perform a simple ping test to ensure the server machine can be contacted over the network (local administrators only). Page 45

46 Checking a Pointsec Protector profile from the client Click to expand/hide Profile Type To check which profile has been downloaded and currently in use, from the client options dialog (shown above) press CTRL-SHIFT-F6. This will open a Profile view window that displays the current loaded profile. The two most important pieces of information on this dialog are: - name param servername param templateinfo name - This states if a default or a cumulative profile is used. - This states the server-name the profile was downloaded from. - This states the profiles that make up the cumulative profile. Page 46

47 Client Functionality This section of the course gives a detailed explanation of the Pointsec Protector Client components, how they work and how they can be combined to create a comprehensive security policy to match virtually any desktop security requirements. Page 47

48 11 Device Manager Pointsec Protector contains the ability to control the many different types of devices that can be used on a client workstation. Device Manager can be considered as the first line of protection that Pointsec Protector provides by managing the use of these devices and/or ports. Device Manager can also be configured to allow read only access to any device type that is writeable e.g. floppy disks, USB removable storage etc Device list Below is a list of some of the supported ports and devices and the access rights that can be granted using Pointsec Protector such as R/O (Read Only) and Encryption (EPM): To ensure you have a good understanding of how Device Manager works we will perform some tests on your workstation. Your instructor will modify device permissions for your workstation and you will be asked to attempt to access various devices. Page 48

49 Attempt to access the floppy diskette provided to you. You will see a Windows Access Denied message. Update the profile to allow read only access to the floppy disk. Access the floppy and attempt to write a file to the Diskette. You will see a Pointsec Protector PSG alert warning that an unauthorised file operation has occurred. Full access will not be granted. Access the floppy and write a new text file to the Diskette. You will now have full access to the floppy diskette. Each device type can be independently controlled allowing different access types to be configured for each profile you create. It is also possible to add new devices to an existing device type (e.g. a specific brand and model of USB memory stick) as well as specifying a new device type should this be necessary. Setting CD/DVD drives to read only will block the burning of any CD-R\CD-RW or DVD-RW disks from any type of client application (e.g. Nero, WinOnCD, Roxio, etc). Page 49

50 12 Removable Media Manager Removable Media Manager (RMM) takes the control and management of removable media devices a step further. By using RMM you will be able to authorise individual media such as floppy disks, USB removable disks etc. for use on all your Pointsec Protector workstations on your network. Once removable media has been authorised it can be used on the Pointsec Protector network environment. Authorisation is performed at the client workstation. This part of the authorisation process can be made to enforce a virus scan of the media to ensure the contents are virus free before allowing it onto the network. There is also an additional check that can be performed to reject any media that contains executable and other unwanted or active code file types (EXE s, DLL s, MP3 s etc) Inserting unauthorised media Insert the USB memory stick you have been provided with and attempt to access the media. You will see the Pointsec Protector unauthorised media inserted message. Along the bottom of the dialog are four buttons. Browse - Allow users to browse the contents of the media. Authorise - Start the authorisation wizard. Ignore - Close the dialog and cancel the authorisation process. Help - Display the on-line help for this dialog. Page 50

51 12.2 Browsing Media Click the Browse button to display the Browse Media dialog. With the Tree Control you can browse the media contents and, if your profile permits, also right-click a file and delete it from the media prior to attempting to authorise the media (useful if you have accidentally left executable code on the device that is failing the authorisation process). Close the Browse Media dialog and return to the unauthorised media dialog Media Authorisation Click the Authorise button to start the media authorisation wizard. Click Next to continue. This screen shows a summary of the media to be authorised. The drive letter, media label and capacity. Page 51

52 12.4 Scanner selection Skip Scan button Scanner list This dialog contains a list of the scanners that will be used to perform the pre-authorisation checks. Note on the example above that there are two scanners listed. Pointsec Protector will automatically detect and utilise most popular AV products, displaying them in the Virus Scanners dialog windows if supported. 1. Sophos SWEEP Sophos SWEEP AV scanner 2. Pointsec DataScan This scanner supplied by Check Point Software Technologies checks for any executable code. If found the scan will reject the media Click Next to start the scan process. You will notice that Pointsec DataScan rejects the media as it contains executable code. Page 52

53 12.5 DataScan This will then display a summary of the scan process. Scan result: DataScan failed Click Next to display the scan results screen. You will not be given access to this device and the unauthorised devices inserted message will be displayed again. What would allow this media or device to pass the RMM scans? Have a look at the browse option again. Page 53

54 12.6 Authorising media with EXE files If you need to authorise media with legitimate executable code you will need to disable the Pointsec DataScan check from the authorisation process. This is performed by de-selecting the Pointsec DataScan option from the Scanner selection screen of the Authorisation wizard. De-select this option Click Next to start the scan process. Depending on your profile, you may not be allowed to de-select scanners and/or skip the scan Writing Media Signature. Page 54

55 Once the scan process has been successfully completed, with no viruses detected a summary will be displayed on the screen. Click the Next button to write the MediaID to the device and display the Virus Scan Complete screen. Click Finish to write the MediaID signature to the device. Once the media has been tagged with the MediaID, it can be freely used within the Pointsec Protector protected environment without any further authorisation required. If the media is taken to a workstation not running Pointsec Protector and files are written to or removed from the device, the MediaID would become invalid. This would mean the media item would need to be re-authorised to be used within the protected environment. Page 55

56 13 Encryption Policy Manager The next step to ensure the use of Removable Media used on the network is secured, is to enable Pointsec Protector s Encryption Policy Manager transparent media encryption. Pointsec Protector s EPM component provides data encryption of USB media storage devices regardless of the make or brand. All encryption is performed seamlessly using AES 128 bit encryption and once media has been encrypted it appears as conventional media to the users that have been granted access. This transparency is a key feature of EPM. Only when a user is denied access to EPM media, or an attempt is made to access the encrypted data from a computer that is not part of your Pointsec Protector s secure environment, will the user be aware that the media is EPM protected Encrypting a device Pointsec Protector EPM can be utilised as a part of the Removable Media Manager authorisation process. Once enabled, a device that has been authorised will prompt the user to encrypt. Re-Insert your authorised memory stick to display the EPM wizard. This dialog can be dismissed with the Cancel button. This temporarily cancels the EPM operation giving non-encrypted access to the devices. You can also tick the Do not display for this device until media is changed checkbox to stop the EPM Import Wizard dialog appearing until the device is reinserted. This dialog displays general information about this device and various warnings. Take note of the warning that this process will make storage devices unreadable outside of this organisation unless offline access is specified (password required). Enabling offline access for EPM media allows any data currently stored on the encrypted media to be readable on machines not running Pointsec Protector. By using Device Manager to make the device read only, full access will only be granted if the device is encrypted. This method ensures that all USB media contains secured data. Page 56

57 13.2 Changing The Size Of The Encryption Users that have this option enabled in their profile can set how much of the media will be encrypted. For example, to encrypt half the media set Use for encrypted storage % to 50 will encrypt half the media. The other half will be left with the standard filing system. Users will only be able to access the encrypted portion of the media but when the media is inserted into a non-pointsec Protector the users will only have access to the information that is not encrypted. Once again the only way for users of non-pointsec Protector PC users to gain access to the encrypted information is if the media was encrypted with offline access enabled (password required). Click Next to select whether the device will be encrypted in Limbo mode or a user will be assigned as the owner. Page 57

58 13.3 Assigning An Owner and Limbo Mode Provided that the user has the permission set in their profiles, they will have the option to set the Owner of the Device or alternatively, set the device to assign the owner on first use otherwise known as Limbo mode. In order for this screen to appear the user would need to have the User can create media for other users option selected in their profile. Click Next to enter a password for the media. Note that if the selection was made to assign owner on first use this screen will not appear. Click Next to begin the encryption process. Page 58

59 13.4 The Encryption Process The Performing Media Import screen is displayed which shows the progress of the encryption process. To complete the encryption the following steps are performed automatically. Backup files from media - All contents are moved from the media and stored in a temporary location. Create encrypted storage - An encrypted container file is created on the device. Format device - The encrypted container file is mounted as a removable media drive and then formatted. Restore File - Contents are then replaced back on to this removable media encrypted. Click the Finish button to complete the media import wizard. You should now have full access to the encrypted device. Plugging the device in to any machine not running Pointsec Protector will mean all the encrypted data will be unavailable. Passwords can be set during the import process that will allow off-site access to the data using one of the two offline reading methods. These will be explained in the Advanced Profile Settings section of this training course. Page 59

60 14 Using Device Manager, Removable Media Manager and Encryption Policy Manager This section explains how the combined use of these three components enables you to create a complex policy for device access on any Pointsec Protector protected network. What follows is a recap on what features each component offers. Device Manager is used to either block or allow (and if applicable read only or write) access to devices. Removable Media Manager is used to allow access to authorised media only. Encryption Policy Manager is used to provide encryption of media items. This flow chart below shows an example of which module is responsible for defining the different levels of access required to the devices. Page 60

61 15 Program Security Guard Program Security Guard (PSG) is a simple to configure and yet powerful feature of Pointsec Protector. PSG is used to block the introduction or modification of any file type you specify. This can be any executable file (EXE, DLL, SYS etc.), media and audio files (AVI, MP3, WMA etc.) or can be customised to include any other file type that you would like to control. All file types protected by PSG will be blocked from being introduced to the system from any location including the Internet File Introduction Unless pre-configured the.exe extension is not protected by default. For the purpose of the exercise, enable.exe protection. (see 23.1) Attempt to copy an executable file from the server to the local workstation. When a PSG event occurs the users will be notified by the following dialog: File and process information When PSG is triggered a dialog appears telling the users that an unauthorised file operation has occurred. The dialog will show the user what process caused the alert and what file the process tried to operate on. In the above example explorer.exe was the blocked process used to copy the file RefRegGUI.exe File modification PSG will also trigger an alert when an attempt is made to modify an existing protected file type from the system. This can be an attempt to write to a file, delete a file, or rename a file. Attempt to delete the following file from your local workstation. C:\Windows\Notepad.exe The file types that are protected by PSG are fully configurable from the Pointsec Protector Server. We will discuss this in the Advanced Profile Settings section of this course. Page 61

62 15.3 Process exemptions Due to the nature of Program Security Guard and the fact that it blocks the introduction of files from any source, it can stop some applications that have a legitimate need to create protected files on the workstation from performing their task. This can affect various applications from Virus Scanners that may need to unpack a file to a temporary location or perform silent upgrades to network deployment tools (e.g. SMS, WinInstall). Due to this PSG has what is known as an exemption list. This is a list of known processes that will need to bypass PSG protection to allow them to function correctly. We will discuss PSG exemptions in more detail in the Advanced Profile Settings section of this course. Page 62

63 16 Logging and Auditing 16.1 Event Logging Pointsec Protector provides detailed logs of attempted security breaches. All events are centrally logged in the Pointsec Protector Servers Microsoft SQL database providing the ability to create structured queries and detailed reports as well as ed alerts Removable Media Audits Pointsec Protector also provides central auditing of all file operations on CDs/DVDs and other removable media. The administrator can configure the auditing of certain events to produce alerts to defined addresses. Page 63

64 Page 64

65 Advanced Profile Settings This section of the course is intended to give a detailed description of all profile configuration options. Page 65

66 17 Profile Templates 17.1 Introduction In this section of the course we will cover each profile setting in detail and also explain the best way to configure a profile for different scenarios and configurations. Open the Pointsec Protector Server Administration console. Open your profile template you created in section one of this training course (double-clicking the profile on the server is a quick way to open the profile required). Each profile template is split in to 8 tabbed areas. Tab Name Description General This tab contains general client settings User Interface Allows the configuration of Pointsec Protector user interface Device Manager Device Manager settings RMM Removable Media Manager settings Auditing Auditing settings EPM Encryption Policy Manager settings PSG Program Security Guard settings Advanced This tab contains Client Anti-tamper protection, Polling server intervals, client log synchronisation and webrh support Stacked Profile The resultant profile or security policy sent to the clients workstation is constructed by combining chosen profile templates. The default profile - which is always the bottom part of the stacked profile - is restricted to give users who are unknown to the Pointsec Protector Server minimum access rights. For example a standard user profile is layered on top of the default profile to set permissions to the various components of Pointsec Protector. The resulting profile is then sent to the client workstation. This enables the Pointsec Protector administrator to create groups and individual profiles with ease, as he can take a given profile set (e.g. default and standard users ) and layer a further profile on top which alters the resulting profile as required (e.g. access to a special USB device) Define Box By selecting the define box the component of the profile is defined and therefore does not inherit the setting from underlying profiles. If the define box is left undefined is inherited from the underlying profile(s), which is the default. on the other hand, the setting We will now discuss each of the tabs in detail. As we complete each tabbed section you will be given the opportunity to test what has been explained to you so you fully understand how each setting affects the client software. Page 66

67 18 General This tab is used to set general profile and client settings that will apply for this profile Profile name Enter a unique name for the profile template. Page 67

68 19 User Interface This tab is used to configure the Pointsec Protector Client user interface and PSG (Program Security Guard) and RMM (Removable Media Manager) messages that appear on the client workstations when these events occur. The user can configure whether the Client menu will appear as the full menu with all the options available to disable/enable the Pointsec Protector modules, whether only a short menu will appear, allowing the user to manually update their profile and test the connection. There is also the option to have just the Pointsec Protector icon displayed, so that the user is aware that Pointsec Protector is installed on the machine but is unable to change any of the settings or access the menu. Alternatively, the user can set the User Interface so that no icon is displayed at all making Pointsec Protector completely hidden from the user User Interface options Display PSG alerts as balloons checkbox. Check this box to have XP-style balloon alerts instead of a pop-up window User can disable Removable Media Manager / Program Security Guard / Device Manager. This option is used to allow the user to be able to disable the primary Pointsec Protector modules. Check the RMM / PSG / DM if the user(s) with this profile is allowed to disable the various components Changing the Client Menu To change what menu the client sees on their machine, select the drop-down box under the heading Pointsec Protector Pro System Tray Icon and the following options will appear. Page 68

69 19.2 PSG Messages (Program Security Guard) PSG alert text If the alerts are displayed as pop-up windows you can define your own alert texts (e.g. Your policy at My Company does not allow. ) Alert being displayed as pop-up windows (customisable) Contact Information Additional support contact information can be specified (e.g. telephone number). Alert being displayed as balloon When setting the messages, ensure not to exceed more than 64 characters as the font could become difficult to read. Modify your PSG message RMM (Removable Media Manager) Alert Text Alert Text This message will be displayed on the Pointsec Protector Client software when a user from the selected profile inserts an unauthorised media device (e.g. Floppy disk, flash memory, Zip drive etc). Please note this message will not be displayed if the Removable Media Manager has been set to automatic authorisation Contact Information Additional support contact information can be specified (e.g. telephone number). Modify your RMM message. Page 69

70 20 Device Manager Tab This tab is used to configure the rights that are assigned to each device in the Device Manager component of Pointsec Protector Device List As mentioned before, use the Define box to set and define the rights for a device in contrast to inheriting it from an underlying profile. All devices have the option Access, the writeable devices can be set to read only (R/O) and if possible can be set to encrypt the data transferred to the device Encrypting Removable Devices (USB drives, etc) This option will enable encryption on all removable storage devices. By selecting this option users running this profile will have the ability to execute and encrypt new devices Encrypting External Hard Drives By selecting this option all removable hard drives will require encryption before full access is granted. By selecting this option users running this profile will have the ability to execute and encrypt new removable devices. To enforce that users can only have full access to encrypted devices (e.g. a special brand of USB memory sticks), read only access should be selected for this device under the Device Manager tab. Modify the device permissions for the floppy disk and USB removable media. Save and reload the profile and test what effect this has on the client. Page 70

71 20.2 Adding a device to the Device Manager It is possible to add a specific device to the Device Manager to provide a more granular approach in enforcing security policies. For example, a specific brand of USB memory sticks can be allowed full access to and all other removable media devices no access or read only access. The approved way of adding a new device to the Device Manager is by first selecting the Audit flag in the Device Manager tab for a specific Device Class. The diagram below shows that any attempt to access a device or endpoint will be audited. This can also be done by selecting Unauthorised Device Event or Authorised Device Event in the Auditing tab as shown below. Page 71

72 When an attempt is made to insert any new removable media by a user of this profile, an entry will be created in the Pointsec Protector Server logs in the Administration Console. See section 33 Page 72

73 21 Removable Media Manager (RMM) This tab is used to configure the users setting and rights for the RMM authorisation process Removable Media Authorisation No media authorisation check. The removable media connected to the client will not be checked Automatic Media Authorisation. If the Automatic media authorisation radio button is selected within a profile, whenever a user inserts a removable media device and attempts to access it through MS Windows Explorer/My Computer, access will be blocked. The authorisation process will automatically execute and attempt to authorise the media. During automatic authorisation, Pointsec Protector client will automatically detect compatible Anti-Virus scanners installed on the machine. If no anti-virus scanner or the Pointsec Protector DataScan is not detected on the client machine then automatic authorisation will not be possible and access will not be granted. Set the profile to Automatic Authorisation save and reload on the client workstation. Insert an unauthorised device and attempt to access it. Page 73

74 Pointsec Protector will automatically scan the media and if successful, digitally tag and authorise it Automatic Media authorisation with an option to delete files As above for Automatic Media Authorisation but the user will have the option to delete the files which failed the media scan authorisation attempt Allow users the following rights (wizard mode). The media authorisation process can either be invoked automatically (as discussed above) or the user can be presented with a simple authorisation wizard. This mode requires user interaction to authorise media User can authorise removable media. This option allows users within the selected profile to authorise removable media with any installed and compatible Anti-Virus/Data Authorisation scanner detected. If this option is not selected users will be presented with a message only and no rights to authorise the media User can select scanners. If this option is selected users will be able to select which scanner to use during authorisation of removable media devices. The user must select at least 1 scanner to continue the authorisation process. It is not advisable to select this option when using the Pointsec DataScan as users may be able to import unauthorised file types by deselecting and choosing just to invoke an Anti-Virus scan User can skip media scan. Allow users the ability to skip the media scan completely. This option will allow a user to bypass Anti-Virus and Data Authorisation scans and potentially allow virus infected or unauthorised file types onto the system User can delete files on unauthorised media. This option should be used in conjunction with the Pointsec DataScan. If an unauthorised file type is detected during the media authorisation process, it is possible to delete the unauthorised file(s) using the browse option from within the RMM unauthorised message box. Re-authorisation can then be performed. Please note this facility is only available in wizard mode. Set your profile to wizard mode and try the different sub options and see how they affect the client. Page 74

75 22 Encryption Policy manager (EPM) EPM s Encryption setting tab Please Note: The following options permit users to encrypt new devices during the authorisation process. The Encryption Policy Manager is always active in the background irrespective of these options. This means users can access previously created encrypted devices providing they are correctly authenticated and are approved for access. Page 75

76 22.1 Encryption Policy Manager (EPM) Access rights Selecting the Configure button for Automatic Access Encryption to Protected Media. By selecting this Configure button the following menu will appear: By selecting the first option entitled No access to EPM protected media, any users running the selected profile will have no access to any encrypted media. The only exception to this rule will be users that are part of the EPM Key Recovery group. This option when selected denies all access to encrypted media Access to media encrypted by any user. This option will permit access to any encrypted media that has been created within the current organisation irrespective of the user group that imported the device Only grant access to the owner of the encrypted media. This option will permit access to any encrypted media that has been created only by the same user Access to media encrypted by members with the same profile template. By selecting this option users of the current profile will only be able access devices imported by other users using the same profile. For example, if a user is part of the standard users profile he or she will only be able to access devices imported by other users who are also running the Standard users profile Access to all encrypted media except members of the following groups. By selecting this option it is possible to specify that users running the selected profile can access devices imported by all groups except defined groups. For example, it may be desirable to allow full access to all devices except for those imported by members of the Sales group. Page 76

77 Selecting the configure button of Access to Password Protected Media. By selecting this Configure button the following menu will appear: No access to any password protected media. The user will not have access to any password protected media, regardless of where the device was created Allow access to all password protected media. By selecting this option, all media that is protected with a password may be accessed provided the correct password is entered Allow access to password protected media from this site only. Any media which has been protected with a password on the same site which contains the Pointsec Protector Server can be accessed, however, any media which was created with a password outside the current network cannot be accessed Allow access only to media from the following sites. Only media that has been created from the sites that have been ticked from the list below can be accessed on the network. You may add more sites by selecting Configure but this information will be looked at in the Advanced course. Once you have made your selection, press Ok to continue. Page 77

78 22.2 Advanced Settings Protect media with a password for offline mode. The Pointsec Protector EPM client operates transparently within a network. When accessed externally in standard mode, the user by default will have no access to the encrypted data on the storage device. It is often desirable to grant external access when a network connection is not present or when access on a separate network running Pointsec Protector EPM is required. This can be achieved by enabling the Protect media with a password for offline mode option Providing the external workstation has either:- Pointsec Protector Client Freeware EPM Client The EPM Standalone has been copied to the device so access to encrypted media can be achieved providing a password is entered. Note: If the EPM Standalone option is selected during the creation process of any removable media, the user will be required to choose a password. The minimum password criteria can be set by clicking the Configure button. Page 78

79 22.3 Password configuration Constraints From the password constraints tab it is possible to configure minimum and maximum password lengths and required character types. The test dialog can be used to confirm that the password settings are correctly implemented Advanced Page 79

80 Users can be given policy notes detailing password constraints by entering the relevant information into the text box. The number of password attempts permitted and the amount of time in minutes that the drive is locked out for when used in password mode can also be configured. There is also the option to lock the drive completely after predefined number of attempts User Can Change Size Of Encrypted Media Ticking this option allows users to configure how much of the device they wish to encrypt. By default 100% of the device is encrypted however by ticking this option allows the user to, for example, configure 50% of the device for internal use and 50% of the device for external use Copy EPM Explorer To Encrypted Media For Offline Access By enabling this option the EPM reader is automatically copied to encrypted removable media. The EPM Explorer enables offline access to encrypted data on third party machines without the need to install any software. Even if the third party machine does not have either Pointsec Protector or the EPM Freeware client installed, access can be granted to encrypted removable media via a password. Page 80

81 22.6 User Can Create Media for Other Users With this enabled, a user (normally an administrator) would be able to create encrypted media for users. The following screen will be displayed allowing the user to either assign a user to the media or alternatively assign the owner on first use of the media User Can Recover Their Password Using Challenge/Response If a user enters their password incorrectly after a number of attempts, they will eventually be locked out of their removable media. In order for the user to regain access to their media, a screen will appear asking the user to copy a long string of text which can be sent to the Administrator. With this information the Administrator will be able to generate a Response Code which in-turn can be sent back to the user. With this Response Code the user will be able to unlock the encrypted media and change the forgotten password Users Can Remove EPM Encryption From Media If this option is enabled users are permitted to decrypt encrypted removable media devices. This can be achieved by clicking on the Export button from within the EPM Client console. Removing encryption will back up the contents of the device, decrypt the information and then copy the data back in clear text. This option should only be given to the administrator or trusted users. Enable EPM for Removable Storage Set access to all EPM encrypted devices Enable Password for offline access Copy the EPM reader to the device Insert an unauthorised memory stick, authorise, encrypt and access the device Change the EPM access type to No Access and reload the client profile Remove and re-insert the memory stick Page 81

82 23 Program Security Guard (PSG) 23.1 Configure File Types Click the Configure file types button to manage the list of unsafe file types within the current profile. Page 82

83 Program Security Guard (PSG) is a powerful yet flexible mechanism for blocking the introduction of unauthorised/malicious file types. PSG allows the system administrator to define a list of unauthorised file types that cannot be created on a Pointsec Protector machine, either locally or on network resources. In addition to blocking creation, PSG also prevents existing file types from being modified/deleted either accidentally or maliciously. PSG also provides an additional layer of defence against the introduction of unlicensed software and a further defence against malicious/virus infected code. Pointsec Protector is shipped with a default list of recommended file types (BAT, COM, DLL, SCR, VXD, EXE etc.) Adding New PSG Protected File Types To add a new PSG protected file type select Add. The following dialog will be displayed. Enter the file extension and description if required and then click OK. Please note the new extension will not be enabled unless the check box is selected. New file types will appear in all profiles and can be set to selected or de-selected by default using the checkbox at the bottom Removing Previously Created Extensions To remove a previously created PSG extension select the extension and click Remove. Please note a file extension can be switched off from the selected profile simply by deselecting the check box. Add the following extension, TST to the list of protected files. Reload the client profile. Attempt to create the following file on the desktop TestFile.tst. Page 83

84 23.2 PSG Exempt Products By clicking on the Configure Products button in the main PSG tab, this window appears: Pointsec Protector Client can be configured to prevent the introduction of, and unauthorised modification of defined file types (defined in the PSG file types tab). Due to the nature of PSG, it is often desirable to allow certain defined programs to be exempt from PSG protection. Anti- Virus scanners and software deployment utilities generally require full access to modify and create new programs/files. Rather than disabling PSG during file modifications, a PSG exempt process is authorised to run leaving the machine secured against unauthorised processes. Page 84

85 Selecting Exempt Products To select an existing PSG exempt application tick the relevant tick box and click OK. Adding a New Exempt Product If a particular application requires PSG exemption it is possible to add new program(s) to the selected profile. This can be achieved by completing the following tasks: Click the Add button to open the PSG product declaration dialog Product Declaration Enter a product name and click Add and the following dialog will be displayed: Enter the name(s) of the processes that you wish to exempt. This information can be obtained from the PSG audit logs created when the PSG unauthorised operation occurred. There are 3 options as to when the defined program is exempt (System account, Administrator account, and any account). Page 85

86 The resulting window is shown here: Please exercise caution when exempting an application with the any account option selected. This option, if used incorrectly, could leave PSG insecure (e.g. avoid adding explorer.exe, setup.exe etc) By selecting This product is exempted by default in new profiles, all new profiles have that product exempted. Page 86

87 Editing Exempt Products To edit an existing PSG exempt product, highlight the product and click on Edit. This will give you the product declaration where you can see which executables are exempted and gives you the option of removing and adding exempted executables Disable Process Executable Check To enhance security, PSG can also be configured to block the execution of non-executable file extensions. By default PSG will only allow the execution of.exe.com and.sys file types. Page 87

88 24 PSG Exemption Examples Below is an example of how you would add a PSG Process exemption to the system. For this example we will use NOTEPAD.EXE to attempt to write an.exe file to the system. Open Windows Notepad. Select File->Save As. Select to save the file to the Desktop. Make sure you enter test.exe for the file name. Click the Save button. You will receive a PSG Alert on the client workstation. Process Name Note the process name is NOTEPAD.EXE. Page 88

89 24.1 Adding an exemption to the server Open the Pointsec Protector administration console. Open the Profile Template the client is using. Go to the PSG tab. Under the PSG exempt products section click the Configure button. Click the Add button to add a new product exemption. Change the product name to Notepad Test. Click the Add button to add a process to this product. Enter the process name as notepad.exe. Select Any Account as the account access (this is because notepad.exe is running as the user so needs to be exempt for any account). Save the settings and the profile and push it out to the client workstation. Repeat the Notepad test above and you will notice that the.exe file can now be created. Page 89

90 25 Auditing The Auditing tab allows the system administrator to decide which security breaches/events require auditing and how the events should be processed. Please note that there are more audit rules for removable media as can be seen on this screenshot and these will be discussed as well in this chapter Events list Before going through the list of events, take a look at which information is audited for all events: ID: The log ID number is an incremental number and is used to make searching events easier. Unique ID: The unique ID is assigned to each audit event. Time: Records information about the time and date at which the audit event occurred. Event: The name of the event (e.g. Unauthorised (PSG) File operation). Alert: Details whether there is an alert configured for the selected event (Yes/No). User ID: The User ID within the Pointsec Protector user database. User Name: The Microsoft Windows user name of the user who was logged on when the event occurred. Computer Name: The machine name on which the event occurred. Source: The source of the audited event (e.g. PSG, RMM, DM etc). Message: Contains other relevant information about the event. (e.g. virus infection details, unauthorised file audits etc). Page 90

91 Authorised Device Manager Event. This audit event records all Device Manager alerts for accessible devices. This information can be used to add new specific devices to the Device Manager configuration direct from the audit event Encrypted Removable Media Exported. This event audits when an EPM encrypted device is exported back to clear text Fixed Hard Disk Configuration Changed. This event audits when there has been a physical change in hard disk configuration. This could be either the unauthorised addition of a new hard disk or the unauthorised removal of a hard disk. The addition of such devices can be blocked using Device Manager Pointsec DataScan Event. The Pointsecx DataScan provides a detailed audit of media scan results including detailed analysis of file types and unsuccessful authorisation of media Pointsec Protector Client Service Was Shutdown. Where local administration rights are present on a client workstation and the Pointsec Protector Pro service is not locked, the shutdown of the Pointsec Protector Pro client service can be audited Removable Media Scan Was Skipped. During the media authorisation process, if permission to skip a virus or DataScan scan is permitted this event can be audited Removable Media Was Encrypted. If the Encryption Policy Manager (EPM) component is enabled and permission to import new devices is granted, the import of all new devices can be audited Scanner Event. Pointsec Protector can audit the results of Anti-Virus scans (provided supported within the AV scanner) Service Startup Error The core of Pointsec Protector client is a Microsoft Windows service. It is possible to audit the service start-up and whether it has succeeded or failed. The Pointsec Protector Client service is started during boot up. If the service is not started, Pointsec Protector Client will not operate correctly and all devices will be secured and the default profile selected. An audit of this event will only be received the next time the service is successfully started Successful Media Authorisation. During media authorisation it is possible to audit when media is successfully authorised Suspected Keylogger detected This event is generated if a suspected USB key logger is detected. The Pointsec Protector client software can detect any suspicious keyboard configuration changes. Page 91

92 Unauthorised (PSG) File Operation. Unauthorised PSG file operations can be recorded. As well as recording unauthorised user file access, this feature can also be useful for tracing new applications that require PSG exemption. A detailed log also contains information about the process that triggered PSG. This information can be used to create new exempt application Unauthorised Device Event A device was inserted that was not granted access in the Device Manager user profile. Extra information about the inserted device can be obtained from within this event when logged that can be used to add this as a custom device to the Pointsec Protector Pro Device Manager list Unauthorised Program Execution. Program Security Guard automatically blocks the execution of files without defined executable extensions. Only programs with a.exe/.com/.sys/.vbs file extension are allowed to be executed Unauthorised Removable Media Found. Unauthorised Removable Media detection can be recorded. In addition to the standard audit information it is also possible to view the capacity and type of the unauthorised media Unsuccessful Media Authorisation. If media authorisation fails the event is logged as well as the reason for failure User has disabled a system component. Disabling of the core Pointsec Protector Pro client components RMM, PSG and DM can be audited when available in the client software User has enabled a system component. Enabling of the core Pointsec Protector Pro client components RMM, PSG and DM can be audited when available in the client software Audit Event Propagation Ignore. If the propagation of an audit event is set to Ignore, the selected event will not be logged locally or centrally Register. If the propagation of an audit event is set to Register, the event audit will be stored locally on the client machine until the next schedule client/server synchronisation takes place Immediate. If the propagation of an audit event is set to Immediate, as soon as the event occurs the client will immediately connect to the Pointsec Protector Enterprise Server (if available) and upload the audit information. This mode overrides the settings in the Client log synchronisation section below. This mode can be used in conjunction with the Alerts section. Page 92

93 25.3 Removable Media Audit rules Removable Media Manager is a very powerful component for controlling the use of removable media storage devices. The Removable Media Audit tab provides the ability to audit all file operations performed on removable media devices and CD/DVD drives. From the RMM Audit field it is possible to configure a profile to either audit every file operation performed or to build a complex set of rules based on certain defined criteria. Removable Media Audit can record the following information: ID: The log ID number is an incremental number and is used to make searching events easier. Time: Records information about the time and date at which the audit event occurred. Operation: The type of operation that was performed on the removable media device: Create: Audits the creation of new files. Open for Write: Audits any files that are opened for write access. Move/Rename: Audits file moves and renames. Delete: Audits file deletions. Computer Name: The machine name on which the event occurred. Process: Records the process name that performed the file operation (e.g Winword.exe, Explorer.exe etc.). Filename1: Records the file name & extension. Filename2: Records the new filename if a file rename is performed. User ID: Records the user name of the current user. User account: Records the domain user account name of the current user Reset. Disables all removable media auditing from the current profile Log all. By selecting this option all removable media file operations will be audited within the current profile. IMPORTANT NOTE: This option can generate large amounts of audit information and should be used with caution. Page 93

94 Add It is possible to build a set of defined rules to control which removable media events are audited. To build a removable media audit rule click the Add button Media Rule Name Enter a unique name for the rule Recorded in server log. By selecting this option all audit events will automatically be uploaded to the server log Recorded in server log and raised alert By selecting this option, it is possible to audit the defined events and trigger an alert. Select an appropriate alert from the drop down menu. IMPORTANT NOTE: Please use this option with care as the number of alerts generated could be VERY large. Page 94

95 Conditions By using the drop down menus it is easy to build complex rules. The following expressions can be used: Is: equal to (e.g. Filename is Mydata.doc). Is not: is not equal to (e.g. Process is not test.exe). Please Note * can be used as wild card entry for IS and IS NOT expressions. Example 1 To audit the creation of all files on removable media devices the following rule would be used: Example 2 To audit all file operations except for those performed by the Sherlock Anti-Virus scanner the following rule would be used: Page 95

96 Example 3 To audit all file operations for a defined user (waynerooney) except for operations created by sherlock.exe and on a specific machine (man-utd-009) the following would be used: Example 4 To audit all file operations on any file containing database the following would be used: Page 96

97 26 Advanced Tab 26.1 Pointsec client anti-tampering features Enable Pointsec Protector client anti-tamper protection Pointsec Protector is implemented using kernel mode device drivers and hence provides unrivalled security. Organisations often have to enable local administration rights for certain defined users to ensure flexibility and support for legacy applications. To enhance security the Pointsec Protector client can be enabled to include additional anti-tamper protection. By enabling this option, users with local administration rights will be unable to modify/delete key Pointsec Protector registry keys or system files. Note: It is advisable to disable this feature for system administrators as this feature will prevent any debug of the Pointsec Protector client software Protector client profile reload By default the Pointsec Protector client only connects to the Pointsec Protector server at logon or when a manual profile reload is instigated from the client or the server. Additional options can be configured to ensure that the profile applied is always current and based on location and status: Page 97

98 Only reload the profile on logon or network connection change A profile reload will automatically be performed on logon and if the network connection status is changed, for example when changing from a wired network to wireless Check for updated profile every XXX minutes An automatic profile reload can be performed at scheduled intervals to ensure that the Pointsec Protector policy is always up to date. This feature is particularly applicable where users do not log off of workstations/laptops regularly Protector client log synchronization Immediately after an event occurs With this option selected the client workstation will perform an immediate connection to the Pointsec Protector Server (if available) and upload the latest audit log information Every day at. The client workstation can be configured to upload the latest log information every day at a defined time Every minutes The client workstation can be configured to upload the latest log information at defined intervals Manually With this option selected log information will only be uploaded at logon or when a user selects the update profile button from the Pointsec Protector Client Options>Update tab. Page 98

99 26.2 Pointsec webrh Support Use webrh profile for challenge/response By selecting this option it is possible to use the Pointsec webrh challenge/response service for remote password reset/recovery of EPM encrypted devices. Click the Use WebRH profile for challenge/response tick box and then select the Import button to load the required webrh profile. The following dialog will be displayed: Select the required WebRH profile and click Open. Enter the WebRH profile security password: On completion of the import process the WebRH profile will be displayed in the Advanced tab dialog: Page 99

100 Page 100

101 Advanced Profile, User and Group Management This section of the course is intended to give an advanced understanding of group creation, user and profile management. You will be asked to follow through each section and then you will be set a task to complete. By the end of this section you will have a fully configured Pointsec Protector Server for use in a typical networked environment. Page 101

102 27 Advanced Profiles 27.1 Multiple Profiles To allow for multiple Pointsec Protector configuration settings for different groups of users on the network, a profile template must be created for each configuration required. Each profile template needs to be configured to allow only the rights required for that group of users and then associated with the group during the group creation wizard Shared Profiles It is also possible to configure Pointsec Protector to have multiple groups sharing one profile template. In the above example the Sales and Accounts group are using the same Standard Users profile template. Any changes made to the template file would automatically apply to both groups of users. You can configure as many groups as you like using the same profile template Default Profile You should also notice that you have an additional built-in Default profile on the server. This profile is used when a user logs on to a client workstation, requests a profile from the Pointsec Protector server, and can not be located in any of the user groups. When this situation occurs they will be sent the Default profile. Also, the Default profile will be used when a machine is left in a logout state. Note that the Default profile template is the base of all stacked profiles. The default profile can be configured just like any profiles you have created. It is usually best to ensure that this profile is locked down as much as possible. For this exercise you will need to create three profiles: Administrator Profile (you should already have this profile) Power Users Standard Users Leave the profile templates with all default options for now. Page 102

103 28.1 Domain group importing 28 Advanced Group Creation Rather than create empty groups and then manually add users as we did earlier, Pointsec Protector can also import all users from a domain group during the group creation wizard. This would then populate the groups with all the users in the domain group automatically. To create a group and import users: Right click the Groups node and select New->Group from the menu. This will start the new group wizard. Click Next and as in the previous section give the group a name. For this exercise we will create a Help Desk users group so call this group Help Desk. Click Next and select the profile to assign to the group. Page 103

104 You can select the profile templates you want to use to build your profile by selecting the profile and clicking the >> button. If you want to add more than one profile template (e.g. Standard Users and Administrator Profile, make sure that you place them in the desired order). For this exercise the Help Desk users will be assigned the Help Desk profile. Click Next to display the Users screen. Click the Add all users from a domain group radio button and click the Browse button to select a group from the domain. Page 104

105 Domain This is the standard Microsoft Windows domain object select dialog and should be familiar. Make sure you have selected the correct domain by using the Location button and enter the name of the group you want to add users from and click OK. For this exercise select your domain and then select the Help Desk group. The User selection screen will be displayed again with the name of the domain groups that users will be added from Domain Group Synchronisation Select the Synchronise this Pointsec Protector Group with a domain group radio button. This will enable automatic synchronisation of the domain and Pointsec Protector Pro groups. As users are added to the domain group they will be automatically added to the Pointsec Protector Pro Group. We will look at configuring the synchronisation option in section 30. Click the Next button and then Finish to build the group and automatically populate with the users. Page 105

106 Now create two more groups on your Pointsec Protector Pro server using the following guide for the groups details. Group Name Domain Group Profile Template Sales Dept REFLEX2\Sales Group Standard Users Accounts Dept REFLEX2\Accounts Group Standard Users Page 106

107 28.3 Modify Group Properties Once a group has been created, you can modify the group s properties by right clicking the group and selecting properties from the popup menu. This will display the Group Properties window consisting of two tabs Group Tab General Properties Group Name: Modify or set the name of this group. Goup Description: Modify or set a description for this group Synchronisation Load members of this group from the domain group. If this radio button is selected, members of this group will be loaded from the domain group below. You can use the Browse button if you want to change the domain group. Page 107

108 Profiles Tab Active Profiles In this tab, the currently selected profile template(s) can be selected. The order within which profile security rights are assigned can be defined by using the Up and Down buttons Custom profile Define custom settings. This option is used to create a custom profile for the current group. This results in a custom profile template to be layered above the existing profile(s) Resulting Profile Click on View/Edit to view or change the resulting profile. Please note if the group is currently using a profile template(s) and the Edit button is selected, any changes made will also affect other groups using this profile template(s). Page 108

109 29 Offline User Profiles Once the administrator has finished configuring the User Groups and applied the relevant profiles, the next step is to decide the policies for users whose networked computers are occasionally used offline. Browse through the Pointsec Protector Pro Server console to Offline users (see illustration below) Setting up Offline profiles Selecting Offline user groups. To configure right-click the required user configuration icon of either Offline user or Offline admin. Select Properties from the drop-down menu and the Profiles tab at the top. Page 109

110 Configuring the profile settings. As shown in the above illustration, there will only be the default profile listed. In order to configure the specific settings for your offline users, select the Define custom settings for this user radio button. Click the Edit button to then select and configure your required profile option as shown in previous chapters Selecting/Creating computers for offline profile operation. To select which computers will receive the configured offline profile, build a new or select an existing computer group, right-click and select Properties. Select the Disconnected computers use offline profiles radio button (as shown above). When a computer is added to this computer group, not only will the users profile be cached on the client workstation but also the Offline user and Offline admin profiles will be copied as an XML file. When the computer is disconnected from the Pointsec Protector Pro Server, users will experience these profiles depending whether they have local user or local admin rights on their computer Demonstrating and testing Offline profile setup. To show this, configure your offline profiles and add your workstation to a computer group that has been enabled for offline profiles while disconnected. Next perform a profile reload. Then to simulate a client computer working offline, change the registry so that the client no longer points to a valid Pointsec Protector Pro Server. Manually update the client profile via the Pointsec Protector Pro Client tray icon and options menu. If you now check the profile (see section ) you will see a display similar to the one shown above. Page 110

111 30 Domain Synchronisation If you have enabled domain synchronisation with your Pointsec Protector groups, you will need to configure the group order and the synchronisation interval period in the advanced tab of Group Properties. To configure the synchronisation options right-click the Groups node and select Properties from the context menu. This will display the Groups Properties dialog box. Page 111

112 30.1 Group Order To ensure that users are placed in the correct Pointsec Protector group when a domain synchronisation occurs, you must set the correct group order for the groups. This order will dictate which groups are synchronised first and which are done last. Groups are synchronised from the bottom to the top. So in the above example the Users would come first, followed by the Network Configuration Operatives group and thereafter the Help Services Group is synchronised before the Administrators group. The most important groups should be synchronised last and therefore put in the top of the list. This would then ensure that users that are members of multiple domain groups would be placed in the correct Pointsec Protector groups. As an example we have two domain groups: Domain Admins Domain Users Domain Users has the following members. User 1 User 2 Administrator Domain Admins has the following members. Administrator As you can see the Administrator account is a member of both groups. To ensure that a correct domain synchronisation occurs the Administrator account is placed in the admin groups which should be at the top of the synchronisation list, being synchronised last.ensure that your synchronisation order is correct so you should have the following order: Administrator Group Accounts Group Sales Group Help Desk Group Page 112

113 30.2 Advanced From this tab you can set the frequency when an automatic domain synchronisation will occur. Synchronise every: Select this option to enable automation synchronisation and then select the synchronisation period use the boxes provided. Synchronise Now: Click the button to force a domain synchronisation. Leave the synchronisation period as 1 Hour and click the OK button to close the dialog User group membership User can be a member of one Protector group at a time When this mode is selected users can only be a member of one Pointsec Protector group and the synchronisation order will define which group they are a member of. Users can be a member of multiple Protector groups at a time When this mode is selected users can be members of multiple Pointsec Protector groups. The resulting policy will be a merge of all applied group memberships dependent on group order. Page 113

114 31 Advanced User Management 31.1 Viewing all users You can view all users that are currently in the node. Pointsec Protector database by selecting the Users This view displays the following information for each user. User ID Full User Name Domain User Name Pointsec Protector Pro Group Page 114

115 31.2 Filtering user lists To find a user in the Pointsec Protector Database you can apply a filter to the users list. To do this click the filter button on the tool bar. This will open the Configure Filter dialog box. Using this dialog you can build complex filters to apply to the user list. You build conditions by selecting a field to filter on and then a condition (either IS or IS NOT), then an expression to use for the query. Wildcards can also be used when building filters, so you could enter test* and it would filter all users whose user names start with the name Test. Complex filters can be built by stacking multiple expressions together by using the More button to add a new expression to the filter Removing the filter When you want to remove a filter from the user list click the Show all records toolbar button. Page 115

116 31.4 Moving users Users can be moved between Pointsec Protector groups by dragging and dropping them into the group you want them to become a member of. If you are using Domain Synchronisation the users will automatically be put back into the group domain which they are a member of Special Users Occasionally it may be necessary to give an individual user different rights for a short period of time. Rather than creating a new profile and separate group for that user, it is possible to make them a Special User. Special Users have their own custom profile template that is associated only with that user. Any changes to this custom profile will then only apply to this user and will not affect the global profile template. To make special users right-click the user in the users list and select Properties from the pop-up menu. This will display the User Properties dialog 31.6 User Properties Page 116

117 General User Name: User s ID. Full Name: Full name for the current user. User account: domain user name. Pointsec Protector Group: Pointsec Protector Pro Group this user is a member of Configuration Profile This section is where you can configure the selected user s profile. This modification of the profile applies to a single user and not a group. If you modify a Special Users custom profile it will not change any of your other global profile templates and will only affect this user Page 117

118 Page 118

119 Dynamic Configuration and Computer Management This section of the course details how Pointsec Protector can be dynamically controlled over the network. Page 119

120 32 Computer Management Every Pointsec Protector Client workstation will register with the Pointsec Protector Server during the client installation. Once registered with the Pointsec Protector Server, they will appear under the Computers node in the Administrator console. The computers node is also displayed in the bottom pane of the default Pointsec Protector administration console layout. This can be changed or removed if required. Page 120

121 32.1 General Double-click or right-click and selecting Properties from the popup menu to display the workstation s properties dialog Client ID. Unique client ID used internally by Pointsec Protector Client Version. Version number of the Pointsec Protector Client running on that workstation Computer Name. Name of the client workstation Last Known IP. IP Address that client workstation was assigned the last time a connection was made with the Pointsec Protector Pro server Connection time. Last time this workstation connected to the Pointsec Protector Server Last User. Name of the last user who was logged on to this client workstation Is Logged on. Current logged on status of the workstation. Page 121

122 32.2 Configuration The configuration tab displays the Pointsec Protector Client components are currently active on the client workstation Active Module Program Security Guard. If this option is selected PSG is currently active Removable Media Manager. If this option is selected RMM is currently active Device Manager. If this option is selected Device Manager is currently active Dynamic Control Using the checkboxes it is possible to disable or enable any of the components dynamically over the network in real time. This is useful when you have a support engineer at a users workstation and they require Pointsec Protector to be disabled but the user does not have the rights to disable components locally. To disable a component deselect the checkbox and click OK to send the request to the client workstation. Try disabling and re-enabling components on your test workstation. Page 122

123 32.5 Updating client details To ensure that you have the latest client information you can request a client refresh. Right-click the computer and select Refresh Host from the pop-up menu Filtering computer list It is also possible to filter the computers list to limit the machines that are displayed. To build a filter, click the Apply Filter button on the tool bar as described in section Filtering user lists on page 115. Page 123

124 Page 124

125 Auditing and Event logging This section of the course will give details of how to view and manage the Pointsec Protector audit events that are generated by the Pointsec Protector client software. Page 125

126 33 Audit Events Pointsec Protector Pro provides the ability to audit various Pointsec Protector related events. We discussed how to enable events logged and what events could be logged in the Advanced Profile Settings section of this course (Page 90). When an event occurs on a client workstation that has been selected for auditing, it will be sent to the Pointsec Protector server and stored in the database. You can then use the Pointsec Protector administrator console to view this audited information Viewing Audit Logs Select the Logs node to view all saved audit events. Logs Node Events can be sorted by clicking the column headers to sort on that column Filtering event list This list can also be filtered by click the Build Filter button on the tool bar. We discussed building filters earlier in the course. Details can be found on page Page 126

127 33.3 Event details Double-click the event or Right-click and select properties to display the audit event details. Each audit log event has the following information. ID: ID for this audit event. Unique ID: Unique ID for this event. Time: Data and Time the event occurred on the client workstation. Event: Event type. Alert Sent: Has an alert been raised and sent. User ID: User name of the person who generated this event. User account: User account of the person who generated this event. Computer Name: Workstation this alert was generated on. Event Source: Source for this event. Message: Details of the audit event. You can browse to the next and previous events in the list using the buttons on the top of the dialog. Page 127

128 33.4 Device information Display a Device information tab from an inserted USB removable media device that was denied access. When the Add this device to the device manager is clicked a device properties window is displayed allowing the various configuration options to be selected. The option in Device capabilities defines the various tick boxes that appear in Device Manager for this device when configuring a profile. Default device access rights sets the defaults for this device when creating a new profile. Page 128

129 33.5 Log Export The data can be exported to a comma delimited text file for importing in to any third party data analysis tools. Export the data by doing a right-click on the Logs node and select Export list from the pop-up menu. Select the location you wish to save the file to and click Save to create the text file. Page 129

130 33.6 Log Properties The server can also be configured to auto archive old events to a location on the machine. To configure auto archiving right-click the Log node and select Properties from the pop-up menu Archive period. Enter the number of days that an event will stay in the database before it is archived to the log file Automatic Log archival period. Select how and when the log will be archived. Select from one of the two following options: Archive Logs manually Logs will only be archived when the Archive Now button is pressed. Archive Logs automatically every use this option to auto archive the logs at specified times. If using this option configure how often you wish to archive using the interval and time boxes Archive Location. Log Archive Folder - configure where the logs are to be saved on the machine. This location is relative to the location of the Pointsec Protector Pro Server service and not the machine where the administrator console is currently being run. Page 130

131 34 RMM Audit Events When RMM auditing is enabled all selected activities for the defined users will be logged to the Pointsec Protector Server database. These can then be viewed using the Administrator Console. We discussed configuring Removable Media Audits in the Advanced Profile Setting section of this training course (section 25.3 on page 93) Viewing event summary To view all RMM audit logs select the Removable Media Log node from the Administrator Console. Removable Media Log node Due to the fact that these audit events can be very large, they are displayed using a pre-defined summary listing. The top list gives you the top ten users and the number of events they have generated. The bottom display shows the same data by machine name View user/machine events To view the event details for the selected user or machine Right-click the list entry and select Display these events (New window) from the pop-up menu. This will open a new window with all the events for the selected user or machine. Page 131

132 34.3 Displaying event details You can view the full details for each audit event by double-clicking the entry in the list. This will display the Log Event details dialog. ID: Unique Log event ID. Time: Date and Time the event occurred. Operation: The operation type. Computer Name: Machine the event occurred on. Process: The process that caused the alert. FileName1: File name that this event applies to. FileName2: This is used for a rename operation as the new file name. UserID: User who generated this event. User account: The full user account. Page 132

133 34.4 DVD/CD Audit events CD/DVD audit events are stored in a slightly different way. Each disk that the users create generates one entry in the RMM audit log list. Note the operation type is CD/DVD Audit When viewing the detail of these events you will see an extra button on the Details form. Click the Browse disk directory button to view the contents of the disk the user created. Page 133

134 This dialog gives you a copy of the entire directory structure of the CD that the user created Filter event list These lists are also filtered to display only events that occurred in the last 24 hours. This can be changed by selecting a different time frame from the Media Events to process drop-down list or by setting a filter rule as described in the manual in various sections. Page 134

135 34.6 Viewing all events You can change the display to show all events in a standard list view by selecting the Show Media Audit log button on the toolbar. You can switch back to the media summary by clicking the Show media audit summary button ( ). Page 135

136 Page 136

137 System Configuration and Design This section of the course will give ideas and considerations when building, designing or recommending Pointsec Protector system solutions. Page 137

138 Introduction 35 SQL Database 35.1 Microsoft SQL Desktop Engine As we have already seen Pointsec Protector provides everything needed to perform a successful installation. This also includes an SQL compatible database engine Microsoft SQL Desktop Engine MSDE. MSDE is a fully functional SQL server engine. That can perform all the same tasks as the full SQL Server we will review next. Here is a list of things to consider when installing the Protector Server with MSDE Advantages Free Comes with Protector Easy to configure Protector installation wizard sets everything up for you. Easy to maintain no need for expensive training as it s a fit and forget. Stability from a support prospective actual database problems are rare. Manageable If a full SQL server exists on the network then its management console can connect to the MSDE engine to perform common tasks such as backup and restore and migration Disadvantages No GUI Management via command line only unless there exists a full SQL server (see above) Size Restriction the supplied version MSDE has a data limit of 2GB. Installations are inflexible not easy to install and configure other than through the Protector installation wizard making it difficult to have separate remote MSDE database for use with Protector. Performance restrictions Will not take full advantage of multi-process hardware MSDE management through Command line OSQL.EXE is a command line tools used to connect to a MS-SQL or MSDE Database Using OSQL to check for a Disknet Database Command Line Params -S : Server -E : Trusted connection -U : User Name -P : Password -H : Hostname -d : Database name Examples: To connect to a local MSDE database installed on machine TEST-PC using Microsoft Trusted authenitcation (default used by MSDE supplied with Disknet) OSQL.EXE -S TEST-PC -E -d Disknet To connect to a remote SQL instance using trusted authentication OSQL.EXE -S REMOTE-MACHINE\INSTANCENAME -E -d Disknet To connect to an SQL server using SQL authentication OSQL.EXE -S TEST-PC -U sa -P -d Disknet Page 138

139 Results If this connection was successful you will see the OSQL command line. >1 If there was any error connecting OSQL will return an error message. [DBNETLIB]SQL Server does not exist or access denied. [DBNETLIB]ConnectionOpen (Connect()) Limitation reasons to upgrade As mentioned there is a significant restriction with regards the actual data size for the MSDE database which is 2GB. With more than 2000 workstations it would be recommended to upgrade or use an MS SQL (unlimited) or MS SQL 2005 Express (4GB). It is well to understand what it is that would be the cause of the need for increased capacity. As mentioned in the introduction to this section the SQL database is the heart of the entire system. It stores everything including the license. Most information is either static or constantly being updated. The main cause of capacity problems, or capacity decrease are the event logs themselves. These are the one thing that will be constantly growing just through daily ordinary use. There for when installing and building a system around an MSDE database there should be deliberate thought taken into what events and audits will take priority. Archive frequency is of importance too. If left too long before an archive is performed will cause events to build up in the database and may risk hitting the limit. Once the events are archived old events will be removed from the database but stored in log files freeing capacity in the database Reducing the size of the database. All the above is academic if the database limit has been already reached. The following OSQL command should be run to either remove old Protector event logs from the database or if needed remove all event logs from the database: Removing all logs OSQL.EXE -S TEST-PC -E -d Disknet 1>use Disknet 2>delete from log where 1>0 3>go Removing RMMLogs OSQL.EXE -S TEST-PC -E -d Disknet 1>use Disknet 2>delete from rmmlog where 1>0 3>go Page 139

140 Delete RMM Logs Older than 30 Days 1>use Disknet 2>delete from rmmlog 3>where datediff(day,time,getutcdate()) <=30 4>go NOTE - YOU MAY HAVE TO STOP THE DISKNET SERVICE, RUN THE OSQL AND THEN START IT Compressing Disknet_log.LDF Regarding the Disknet_log.LDF increasing in size, this is the file where the logs actually go, it's a transaction log file and there is a way to compress it if it becomes much larger: 1>dbcc shrinkdatabase (disknet, 10) 2>go Note that these commands may be the only option or way out when a customer has realised too late that they need to move things to a full SQL server or that they forgot to archive. When the MSDE has reached its capacity the data has to be reduced to below the limit in order to use or even migrate it to another server MS SQL Server This is the very popular and very power version of SQL. The Database of choice for many thousands of organisations throughout the world. Protector supports all versions from SQL2000 onwards. There is virtually no limitations or restrictions in SQL server only the actual storage capacity available and therefore will often be installed and enabled on major network systems prior to the installation of Protector, being used for many other tasks. It is possible to use this existing server to host the DB for use with Protector. To set this see 36.3 Upgrading Multiple Server Configuration section. Microsoft SQL server has no limitation except the storage capacity of the server it is installed on. Even so it is still worth considering and facilitating good housekeeping. This is because when the database grows to a significant size Protector server console performance suffers. There has been recorded support requests from a very large organisation who neglected to set a satisfactory archive schedule for their logs and audits and experience extremely poor performance and DB query failure statuses when trying to use the Protector management console. The remedy in this case was to use the SQL Query feature in their SQL 2005 Server s Management Studio console. Page 140

141 Advantages Capacity Only physical limit is the available storage capacity of the server. Management With GUI and management console makes performing common tasks easier. Flexible Easy to host several DBs on the same server. Efficiency able to take advantage or powerful hardware to maximise performance Disadvantages Cost It is not free Expertise there would be a requirement to have a DB administrator to look after system MS SQL 2005 Express Like MSDE, Microsoft SQL 2005 Express is free but is seen as a modern major step up from it. Immediately installing MSSQL2005 Express gives to significant advantages: Advantages Capacity Only physical limit is the available storage capacity of the server. Management With GUI and management console makes performing common tasks easier. Flexible Easy to host several DBs on the same server. Economic Free to download and install from Microsoft Disadvantages Performance restrictions Will not take full advantage of multi-process hardware. Size Restriction the supplied version MSDE has a data limit of 4GB. Expertise there will be a learning curve. Page 141

142 35.4 Migration A mentioned in the previous sections it is possible to migrate or move the restricted MSDE DB into versions of SQL with less restrictions. By far the easiest of methods is to simply detach from on database engine and attach to the other. To perform this task 2 files that contain the protector database information need to be located and preferably relocated to a common location utilised by the preferred version of SQL Detaching the database For this we are going to detach the locally install database and attach it to a locally installed version or SQL 2005 Express using the GUI of the latter. Note that the Protector Server service will need to be stopped to perform the processes below. 1. Open the SQL 2005 Management Studio console. If prompted to choose to connect to default instance which will be the be in the format <ComputerName>\SQLExpress. Windows Authentication selected. Similar to screen shot below. 2. Right click the top node to get the drop-down menu and select connect. You will see the connection selection screen as before but this time select Server name from the drop-down that has just the computer name. When connect is clicked you will see the additional database engine connection. Page 142

143 3. Open the database tree of the MSDE database at the bottom of the console to reveal the existing Disknet database. 4. Right click and select Tasks - Detach 5. Ticket the Drop Connection box and detach it from the database connection by clicking ok. 6. Database Disknet will be removed from the display. Page 143

144 Attaching the database 7. To attach it to the SQLExpress database we first need to copy the Disknet.mdf and Disknet.mdf files from their present location to a location accessible by SQLExspress i.e. coy them from C:\Program Files\Microsoft SQL Server\MSSQL\Data to location C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data 8. Once this has been performed within the Management Studio open the Database tree from SQLExpress engine at the top half of the console and right click it. 9. From the drop-down select Attach. 10. Click the Add button in the centre of the attach database window and browse the tree to the location: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data. Page 144

145 11. Select the Disknet.mdf file and click okay. You will now see the following information regarding this database. 12. Click OK to complete the attachment to SQL Express Configuring Protector to use a new database The next step is to configure the Protector Server to use the database in its new location with SQL Express. 1. Open the Windows registry editor regedit and browse to the key location HKLM\\Software\\Reflex\\Disknet Server Page 145

146 2. Edit the value or the string data entry for SqlServer to show there same server name displayed in the initial server name selection of SQL Express <ComputerName>\SQLEXPRESS. 3. Close the editor and restart the Protector Server service. Now when you open the Protector console even though exactly the same information will be display as it will be the same database but the engine will now be SQL Express. 36 Server and Database Configurations Protector is not fussy with regards the database system used and we have many customers with configuration beyond the scope of this document. Below however is a brief out line of options available Using a local Database This is of course can be a standard installation of Protector. But note it could be that the installation is being recovered to a new server. In situations that require moving or configuring of the server it would recommended to install the free GUI rich version of SQL SQL 2005 Express and use the procedures as shown in the previous section on Migration Page 146

147 36.2 Using a Remote Database Here a custom installation option needs to be selected during the installation. This allows the MSDE SQL option to be deselected forcing the installation wizard to prompt for the location of the required SQL server Configuring SQL Database user rights (using SQL 2000) Once the installation is completed it is important to configure and set the correct rights on the SQL database to allow the Protector Server service access and possibly exclusive access. See the following section taken from a customer installation guide. Install the Pointsec Protector Server pointing to the SQL server. Before opening the Protector Server administrative console, you will need to perform the following procedures on SQL from within SQL Server Enterprise Manager: Create a new login under Security>Logins (the Pointsec Protector Server service domain logon account) and assign rights to the Disknet database: Page 147

148 Under the Database Access tab select the Disknet database and select public and db_owner : Start the Pointsec Protector Server service. Open the Pointsec Protector Server administration console to ensure that the Pointsec Protector Server is able to communicate successfully with the SQL database. Page 148

149 36.3 Upgrading Multiple Server Configuration As ultimately all the protector servers will be communicating back and forth to a single SQL database their needs be a controlled procedure and strategy when performing major upgrades to the server software. The reason for this is that there often differences to the database scheme between versions. As new features are added the references and information is set into the database. In a single Protector environment simply running the installation of the later version would upgrade both the server and the database schema to the latest. But when multiple servers are used they all will be updating and downloading information to the database. Thu there is a need to make sure that after the first upgrade is performed the remaining servers running the old versions don t try to update or retrieve information from this updated database schema. 1. We could simply stop the Protector Server service. What we would recommend however in order to keep this simple and complication free is to uninstall all but one of the servers. Please note that at the dialog to remove the database should be answered no. The last remaining server should be upgraded to the latest version v4.91 by running the setup.exe of this version and agreeing to the upgrade. 2. After the server upgrade has completed the other servers (now without Protector installed) can be installed with Page 149

150 3. Custom installation will need to be selected so that MSDE is not installed and the installation wizard prompts and checks for the correct MS SQL credentials. 4. The Database server entered and the type of security used selected the click next to the dialog where the option to Keep existing Pointsec Protector Server database. Page 150

151 5. Enter the credentials required for the Protector Server account and click next to commence the installation of the software. When complete click the Finish when the installation is completed License Message Warning Opening the remote server console from one of the newly installed servers for the first time will produce the following message box. This is because Protector is now able to accept new style license codes and information to fall in line with Check Point licenses which will be following later in the year. When this message appears simply click the License manager button. Once in the License manager window you will see that there is 2 or more duplicate licenses. Simply select a duplicate then click Remove. After removing all duplicates so the a single license remains click OK. Page 151

152 You will then see the message box stating that software license is correctly registered on the system. Continue re-installing to the other uninstalled servers using the process for step 2. Note: Check Point licenses can be issued not only as a code but also as a license file which allows licenses to be stacked up to add extra client accesses when needed. This is an improvement to previous where a whole new code which had to be for the new total had to be installed overwriting the existing. Page 152