Chapter 1 Scenario 1: Acme Corporation

Transcription

1 Chapter 1 Scenario 1: Acme Corporation In This Chapter Description of the Customer Environment page 18 Introduction to Deploying Pointsec PC page 20 Prepare for Deployment page 21 Install Pointsec PC page 24 Deploy Pointsec PC page 30 This chapter describes how the Acme Corporation configured and deployed Pointsec PC within its organization. If your environment resembles Acme Corporation s, it is recommended that you configure Pointsec PC the same way. The information provided in this chapter contains, among other things: a description of the customer environment, an overview of the workflow when deploying Pointsec PC, a description of the different roles, preparations that need to be done before installation, a description of the installation profile needed, and how to deploy. 17

2 Description of the Customer Environment Description of the Customer Environment The Acme Corporation is a middle-sized company developing software for call center optimization. It has 500 employees at three different sites; London (UK), Boston (US), and Perth (Australia). Most of the employees are working at the company headquarters in London. The computer environment consists of 500 laptops and workstations all running Windows XP. All users are within one Windows domain regardless of which country they work in. Acme Corporation and Pointsec PC The Acme Corporation purchased Pointsec PC to protect both its own internal information but also its customers confidential information. The objective was to install Pointsec PC on all laptops and workstations in three different sites within the organization to protect all information against illegitimate access. The company s system administrators are placed in London but each site also has its own local IT administrators. These local administrators have the right to deploy Pointsec PC, read logs, and create recovery. All users authenticate themselves with fixed passwords in Pointsec PC and no smart cards are used. The deployment tool Acme Corporation uses is the Systems Management Server (SMS) from Microsoft. The company has a helpdesk to help users who have forgotten their passwords or experience any other problems with Pointsec PC. The helpdesk users use webrh to provide Remote Help over the telephone to end users. In short, the Acme Corporation environment has the following characteristics: 500 seats three different sites, all using the same language version of Pointsec PC both laptops and workstations running Windows XP all users are within one Windows domain end users have no admin rights GPOs are used no smart cards are used deployment tool: SMS 18

3 Description of the Customer Environment Pointsec PC System Administrator Workstation Installation and update profiles Boston London Perth File shares at sites Profile Storage, Update Profile, Install, Log, Recovery, Upgrade directories Laptops and workstations Role Separation at Acme Corporation The following roles and their tasks were identified at Acme: System Administrator The System Administrator is responsible for the deployment and maintenance of Pointsec PC throughout the entire organization. It is the system administrator who decides on security and password policies, configurations, updates, upgrades, etc. The system administrator is also responsible for delegating rights and tasks to the local administrators and helpdesk users. During the first deployment of Pointsec PC, the system administrator creates file shares and service account, installs Pointsec PC on a master administrator computer, decides on configuration, creates sets and installation profiles, and finally verifies the configuration by running a pilot. The system administrator also makes sure that local administrators and helpdesk users are trained and certified on the Pointsec PC product before they commence any work. Local Administrator The Local Administrators at Acme are responsible for creating and publishing update profiles based on configurations received from the system administrator. The local administrators are also responsible for adding and removing users, monitor the environment (making sure all clients are encrypted, checking log files), and performing backups and maintenance. Chapter 1 Scenario 1: Acme Corporation 19

4 Introduction to Deploying Pointsec PC During the first deployment of Pointsec PC, the local administrators at each site decides on when to push out the installation profile. They are also responsible for verifying the deployment after the installation profile has been pushed out. Helpdesk Users The helpdesk users are responsible for proving remote help to end users who have forgotten their passwords, need to recover encrypted information, etc. These users are set up with special helpdesk user accounts in webrh. End Users All laptops and workstations at Acme Corporation have Pointsec PC installed and their drives are encrypted and boot protected. The end users must authenticate themselves with fixed passwords to access their data. The company uses password synchronization which means that the end user s Pointsec PC password is set to the Windows password, the end user will only have to remember one password. The end user does not have full permissions to the Pointsec registry items on the PC (it is the service account which has these rights). The logged on user account requires List, Read, and Execute permissions to the local Pointsec program folder, generally: C:\Program Files\Pointsec. See Create Service Account on page 23 for more information on the service account. Introduction to Deploying Pointsec PC Overview of the Workflow The installation and deployment of Pointsec PC went smoothly at the Acme Corporation and caused no disturbances to the users in the organization. This smooth installation was facilitated by the Acme Corporation s thorough preparations before the actual deployment. To deploy Pointsec PC smoothly, follow the steps outlined in the overview below. Steps 1 to 9 are the responsibility of the system administrator and steps 10 and 11 are the local administrator s responsibility. The steps are described more in detail further on in this chapter. 1. Identify the roles needed in the environment; Installation, webrh/helpdesk, Users. Who will do what in your organization? 2. Set up one file share per site. 3. Make sure that the file shares have the correct rights; local administrators and service account must have full access to the file shares. 20

5 Prepare for Deployment 4. Set up a Windows service account for access to the file shares. 5. Set up training for both the administrators and the helpdesk users. 6. Decide on the company configuration depending on your security policy. The Acme configuration contains/follows: fixed password users Windows password policy password synchronization Windows group policy, users should be stored in an Active Directory environment and the policy settings in Group Policy Objects (GPOs) - end users have no administrator rights clear division of roles webrh used for recovery/lost passwords all drives/volumes encrypted (AES) and boot protected the Enable status export to file feature activated 7. Install Pointsec PC on an administrator s PC, create a set and an installation profile and test the profile. 8. Set up the helpdesk. 9. Decide how the pilot should be run. Run the pilot and verify the installation. 10. Inform end users of logon and Remote Help functions. 11. Finally deploy Pointsec PC throughout the organization and verify the deployment. Prepare for Deployment Identify Roles Before deploying Pointsec PC it is important to identify the roles in the organization; who will do what and when. In this Acme case it is important to have system administrators, local administrators and helpdesk users. The system administrator(s) has the overall responsibility for the company security policy and for the deployment of Pointsec PC. The local administrators will enforce the security policy, deploy Pointsec PC and run the actual day-to-day administrative tasks. The helpdesk users are responsible for helping end users who have forgotten their passwords etc. The separation of roles at Acme Corporation are described more in detail in section Role Separation at Acme Corporation on page 19. Chapter 1 Scenario 1: Acme Corporation 21

6 Create File Shares Create File Shares When the roles and their tasks have been decided, it is also important to make sure that all roles have received the access rights and the training needed to perform their tasks. It is best practice to set up one file share for each site (London, Boston, and Perth for Acme Corp.), where the site s clients save their log and recovery files, look for update profiles and software upgrades. This is because all log and recovery files from the clients are stored in the same directory. If they are separated by site, it is easier for the local administrators to handle the files. Note - Specify the paths in UNC format: \\<server>\<share>\... On the file share it is recommended to have the following six directories; Profile Storage, Update Profile, Install, Log, Recovery, and Upgrade. These directories can be automatically created at the same time you create an installation profile, see Create an Installation Profile on page 26. Profile Storage This is the directory that will hold profiles while you edit them. The profiles will remain in this directory until you publish them, see Update Profile below. As long as they are in the storage directory, they cannot be pulled by remote clients. This path is configured in the set. Update Profile This is the directory from which clients will pull updated profiles. Note that the path to this directory must be set in the profiles that are put in this directory. In the profile it is set by editing this path System Settings Install Set Update Profile Path. Install This is the directory where you set up installation packages (installation profiles, MSI package, precheck.txt, etc.) and where installation profiles are published. This path is configured in the set. Log In the Log directory all log files from the Pointsec PC protected computers are stored. It is set under System Settings Install Set Central Log Path in the profile. 22

7 Create Service Account Recovery This is the directory in which Pointsec PC stores information about the Pointsec PC protected computers. This information is needed to provide Remote Help. It is also used to recover encrypted information in the event of an operating system crash. It is set under System Settings Install Set Recovery Path in the profile. Upgrade The Upgrade directory is where clients look for software upgrades. It is set under System Settings Install Set Upgrade Path in the profile. Example: Acme Corporation set up their file shares like this: London office: \\Acme_Corp\London_Pointsec\ with the following directories: \\Acme_Corp\London_Pointsec\Profile Storage \\Acme_Corp\London_Pointsec\Update Profile \\Acme_Corp\London_Pointsec\Install \\Acme_Corp\London_Pointsec\Log \\Acme_Corp\London_Pointsec\Recovery \\Acme_Corp\London_Pointsec\Upgrade Boston office: \\Acme_Corp\Boston_Pointsec\ with the same subdirectories as on the London file share Perth office: \\Acme_Corp\Perth_Pointsec\ Create Service Account with the same subdirectories as on the London and Boston file shares Create a Windows service account (for example with the name SA_user) which limits user access to the file share and to the respective Recovery, Update Profile, Log, and Upgrade directories while still allowing the clients necessary access to create recovery files, download update profiles placed in the update path and download system upgrade packages (patch files). The SA_user account does not have to be able to log on to Windows. Use the same password policy for the service account as you use for the rest of the company. The SA_user shall belong to the local admin group. Chapter 1 Scenario 1: Acme Corporation 23

8 Install Pointsec PC Rights Required on the File Share The user account logging on to the local client PC requires no permissions on the file share once service is configured. The account configured as Pointsec Service Start requires full control to the file share. 1. Create a domain wide account (the Service Account), with the name SA_user, which all client PCs within the organization can use (e.g., added to the Power Users on each machine via GPO). 2. Assign full permissions on the created files shares, including subfolders and content to the Service Account, other permissions can be set as wanted. 3. Set the Pointsec Service Start service to log on with the SA_user account. 4. When finished the Service Account should have the following rights: If configured correctly, the creation of recovery file, download of update profiles and download of software upgrades are now made via the Service Account. You can find more detailed information regarding the Pointsec Start Service and how to set it up in the Pointsec PC Administrator s Guide. Install Pointsec PC Install Pointsec PC on Administration PC Install Pointsec PC on your administration workstation to evaluate and configure Pointsec PC before deploying it in your entire organization. As a safety precaution two system administrator accounts are mandatory and must be created during installation. These two mandatory administrator accounts shall use dynamic tokens for authentication. The installation process is described in detail in the Pointsec PC Installation Guide. Configure Pointsec PC Tip - Have a look at the demo delivered with your Pointsec PC product. The demo shows how the Acme installation profile was set up. 24

9 Configure Pointsec PC Create a Set In order to create an installation profile, you must first create a set. A set is a tool for the administrator to group, for example, related installation and update profiles together. You also specify in the set where the Pointsec PC Management Console will look for log and recovery files. The paths in the set are inherited to profiles created in the set, unless the profiles are based on local settings or another profile. When you create the set, make sure you select the Automatically create a set directory structure checkbox, see Figure on page 25. Enter the root directory of one of your file shares and click Next. Click Next and specify the paths to the Profile Storage directories in the three file shares, as in this example: Chapter 1 Scenario 1: Acme Corporation 25

10 Configure Pointsec PC In the following dialog boxes of the wizard, enter the paths to the Update Profiles, Install, Log, Recovery, and Upgrade directories on all your file shares. These directories do not exist yet but once you have finished the wizard and click Finish, they will be automatically created and the installation profile will contain paths to all directories on all file shares. Create an Installation Profile The installation profile contains the group and user account information and system settings. In this profile you specify the configuration, which rights the user account shall have, password policies, where log and recovery files are saved, where the clients will look for update profiles and software upgrades, etc. Only one installation profile is needed since it is possible to specify multiple paths to directories. This means that you in the installation profile specify the paths to all three file shares. The service account will then make sure that the log and recovery files from the London client machines are saved in the London file share since the London users only have access to the London file share. The same will happen with the Boston and Perth log and recovery files, they will be saved on the Boston and Perth file shares respectively. To deploy Pointsec PC on all your computers you need to create a silent installation profile. When a silent installation profile is deployed on a computer, Pointsec for PC is installed on the computer without any interaction with the user. To create an installation profile: 1. Before you can create a profile, you must set the Profile Validation Password in order to protect the profile (Local Edit Settings System Settings Install). For more information on the Profile Validation Password, see Pointsec PC Administrator s Guide. 2. Create a silent installation profile belonging to the set you have created (Acme_Installation in our example). Note - If you base the installation profile on your local settings, remember that users based on local settings can t bring their authentication into the profile. This means that the passwords needs to be re-set in profiles based on local settings. 3. Change the following settings from their default values and leave the rest as they are: System Settings Install Log Protection Password: set a password complying with the company policy Enable status export to file: Yes 26

11 Configure Pointsec PC Set Upgrade Path: \\Site\FileShare\Upgrade for all sites and file shares, for example: \\Acme_Corp\London_Pointsec\Upgrade, \\Acme_Corp\Boston_Pointsec\Upgrade, \\Acme_Corp\Perth_Pointsec\Upgrade Set Update Profile Path: \\Site\FileShare\Update Profiles for all sites and file shares Set Recovery Path: \\Site\FileShare\Recovery for all sites and file shares Set Central Log Path: \\Site\FileShare\Log for all sites and file shares Pointsec Service Start Account Username: DOMAIN\SA_user Pointsec Service Start Account Password: set a password complying with the company policy Group System and Group Settings Add the following users in group System: User #1 Name: SITEADMIN1, for example LONDONADMIN1 Password: set a password complying with the company policy User #2 Name: SITEADMIN2, for example LONDONADMIN2 Password: set a password complying with the company policy User #3 Name: SITEADMIN1, for example BOSTONADMIN1 Password: set a password complying with the company policy User #4 Name: SITEADMIN2, for example BOSTONADMIN2 Password: set a password complying with the company policy User #5 Name: SITEADMIN1, for example PERTHADMIN1 Password: set a password complying with the company policy User #6 Name: SITEADMIN2, for example PERTHADMIN2 Password: set a password complying with the company policy Chapter 1 Scenario 1: Acme Corporation 27

12 Configure Pointsec PC Note - If you based your profile on local settings you will already have two system administrators in the profile; you will only have to add four more system administrators. Group Users and Group Settings Add a new user group with the name Users: Set Expiration Date to one month from the current date Permissions Remote Help Receive Remote Help: Yes Receive 'Remote Password Change': Yes Groups Users Group Settings Password Synchronization Synchronize Windows Password to Preboot: Yes Synchronize Preboot Password to Windows: Yes Groups Users Group Settings Authentication Settings Fixed Passwords Windows Complexity Requirements: Yes Set Maximum Age: 42 Add a user to the new user group: User type: temporary Name: TEMPUSER Password: set a password complying with the company policy 4. Test the installation profile on a client, that is, verify that the installation turned out the way you wanted it. Set Up Helpdesk Set up the helpdesk environment and make sure that the helpdesk and administration personnel have received the appropriate training for their tasks. With Pointsec Smart Center installed on a server, webrh can be used for the task of authenticating helpdesk users and updating Pointsec PC clients with the ability to give remote help. From webrh an update profile is automatically generated which can be imported on your Pointsec PC clients. This allows your helpdesk to log on to webrh and provide remote help to the Pointsec PC users if they forget their password or have been locked out from the PC for other reasons (too many failed logons etc.). 28

13 Configure Pointsec PC Note: The alternative to webrh would be to create a user profile in Pointsec PC containing the user accounts which will be used for providing Remote Help. The profile could have a similar setup as follows: Group and Group Settings: One group with the following settings: Name: HELPDESK Group Authority Level: <= 5 Provide 'Remote Password Change': Yes Provide 'One-Time Logon': Yes Logon Authorized: No User Settings Two users with the following settings: User #1 Name: GLOBAL1 Password: H3lpd3sk1 User #2 Name: GLOBAL2 Password: H3lpd3sk2 Run Pilot Run a pilot before deploying Pointsec PC to all clients in your environment. 1. Start by informing users affected by the pilot of how they will authenticate themselves for the first time and how they can receive Remote Help once Pointsec PC has been installed. 2. Run the pilot on 25 seats in all sites (London, Boston, Perth) and on all types of clients (HP, Dell, etc.) in the environment. The clients used for the pilot should be installed with all types of images/applications used in the environment. 3. Deploy the profile, with silent install options, with the System Management Server (SMS). 4. Verify the pilot by checking the text and recovery files found in the Log and Recovery directories on the file shares. One text (.txt) file for each client machine is created in the Log directory if the System Settings Install Enable status export to file setting has been activated in the profiles. The text file tells you if Chapter 1 Scenario 1: Acme Corporation 29

14 Deploy Pointsec PC Pointsec PC has been installed, provided the client machine has been encrypted, which volumes have been encrypted and if a recovery file has been created for the specific client machine. The text files contain the client machine name in the file name, for example: london_pc_1.txt, london_pc_2.txt, london_pc_3.txt and so on. The recovery (.rec) files found in the Recovery directory should correspond to the 25 seats deployed in the pilot, that is, there should be 25 recovery files in the directory, each identified with the client machine name in the file name. For example: london_pc_1.rec, london_pc_2.rec, london_pc_3.rec and so on. Deploy Pointsec PC When you have verified that the pilot was deployed properly, deploy Pointsec PC to the remaining clients in the organization by using SMS. 1. Start by informing all users in the organization of the deployment of Pointsec PC and how they will authenticate themselves for the first time and how they can receive Remote Help once Pointsec PC has been installed. 2. Deploy Pointsec PC with SMS. 3. Verify the deployment and that encryption has completed by using the text and recovery files found on the file shares, see step 4 on page