PGP Universal Server 2.5 SmartLine DeviceLock 6.2



PGP Integration Guide
October 2007
PGP Universal Server 2.5 / SmartLine DeviceLock 6.2
Version 1.0

Table of Contents

Introduction ... 3
Structure ... 3
Caveats ... 4
Policy Overview ... 4
  Span of Control ... 4
  Computer Groups ... 4
Setup ... 5
  1. PGP Universal Server and PGP Desktop ... 5
  2. Create DeviceLock Policy ... 7
    Enable PGP Integration ... 7
    Removable Permissions ... 7
    Set Removable Policy ... 8
  4. Create Blocked Message (optional) ... 9
  5. Policy Transmission ... 10
Policy Options ... 10
  Forced Encryption ... 10
  Permit Decryption ... 10
  Distributing Pre-Encrypted Drives ... 11
DeviceLock Options ... 12
User Experience ... 13
  Encrypted USB or FireWire Storage Device Inserted ... 13
  Unencrypted USB or FireWire Storage Device Inserted ... 13
Troubleshooting ... 14
  PGP Universal Server ... 14
  SmartLine DeviceLock ... 14

Introduction

SmartLine DeviceLock is an enterprise-grade solution for controlling, monitoring, and logging access to removable media, portable devices, and communication interfaces. By implementing policies at the endpoints, SmartLine's solution effectively controls and monitors all I/O activities. Unauthorized transactions are blocked, and all transactions are monitored and logged. Security administrators can define granular policies that assign permissions to users or PCs to access any device, media, or communication interface.

The PGP Encryption Platform provides a strategic enterprise encryption framework for key management, policy, and automated provisioning across multiple, integrated encryption applications. The integration of PGP Universal Server, PGP Desktop, and SmartLine DeviceLock enables organizations to deploy automated encryption as needed with the data security functions required to enforce robust security policy. This data-centric approach protects data in motion and in transit anywhere, anytime.

Structure

This guide outlines the configuration and management of highly granular port control policy using these software components:

Table 1: Software and Version Requirements

Company         | Management Component                                            | Client
PGP Corporation | PGP Universal Server 2.5 or greater                             | Any PGP Desktop 9.5 or greater product with PGP Whole Disk Encryption
SmartLine       | DeviceLock Snap-in for Microsoft Group Policy Management;       | DeviceLock Service 6.2 or greater
                | DeviceLock Management Console (MMC) for direct computer         |
                | management; DeviceLock Enterprise Manager (DLEM) console for    |
                | managing multiple computers simultaneously                      |

In this setup, DeviceLock permits or denies device use for a group of users or computers. DeviceLock can granularly manage access by device port, device class, device type, device model, device ID, time-of-day, and day-of-week. DeviceLock can also require attached devices (see Table 2) to be encrypted by PGP Desktop's Whole Disk Encryption feature.

Many PGP Desktop products are compatible with this configuration, but PGP Whole Disk Encryption is a required component. The combination of PGP Desktop and the DeviceLock Service permits greater policy granularity than is available from each separate product. How is policy delivered by each product? How is policy created, and which policy combinations are permissible? This guide addresses policy design, policy deployment, and policy management issues. However, this is not an installation guide for either

product. The software packages shown in Table 1 on page 3 should already be deployed before using this guide.

Caveats

PGP Universal Server's forced encryption option is used in this guide. This option increases security and simplifies deployment, but reduces the granularity of this integration. See the Forced Encryption section under Policy Options on page 10 for more details.

Policy Overview

Span of Control

Table 2: Policy Comparison

Policy Issue            | PGP Universal Server                                   | SmartLine DeviceLock
Computer Group Policies | No                                                     | Yes
Controlled Devices      | PGP Desktop users with PGP Whole Disk Encryption and   | Users with attached storage, CD/DVD/CDR, floppy, modem,
                        | storage devices attached via USB or FireWire           | infrared, WiFi, Bluetooth, FireWire, USB, and COM & LPT ports
Default Policy          | Permit All                                             | Permit All

By default, PGP Universal Server permits full unencrypted read/write capability for all attached removable storage devices. This capability can be restricted by the PGP NetShare and PGP Whole Disk Encryption products and by the PGP Universal Server option (shown in the accompanying screenshot) that forces encryption for USB and FireWire devices. By contrast, DeviceLock can apply policy to particular types of USB devices and to a much broader variety of devices that are unknown to PGP Universal Server, such as infrared ports and WiFi devices.

Computer Groups

As shown in Table 2, DeviceLock permits policy to be applied to groups of computers. These groups are actually Microsoft Active Directory (AD) container structures such as Domains and/or Organizational Units (OUs). Because policy by computer is not supported by PGP Universal Server, do not rely solely on computer groups to enforce policy. If Group Policy is the policy delivery mechanism, assign all users to at least one user policy in PGP Universal Server and make sure their AD accounts reside in a container (Domain or OU) that is managed by a linked DeviceLock Group Policy Object (GPO).

Setup

There are many ways to set up integrated encryption policy. This guide presumes a specific policy example, uses specific tools, and then discusses optional modifications. The assumptions are:

- PGP Universal Server has been installed.
- All machines have the DeviceLock Service and bound PGP Desktop clients installed.
- All unencrypted removable storage devices are read-only.
- Removable storage devices are writeable only after they have been secured with PGP Whole Disk Encryption.

The following steps are used to define and disseminate policy using both products. A review of each step and its purpose precedes a discussion of the possible policy options.

1. PGP Universal Server and PGP Desktop

On the client machine, PGP Desktop with PGP Whole Disk Encryption encrypts or decrypts removable storage. PGP Desktop clients can be bound to the settings within PGP Universal Server. The MSI files used to install bound clients are downloaded from PGP Universal Server, as shown in the accompanying screenshot. If PGP Desktop clients are bound, they can be forced to encrypt removable devices with PGP Whole Disk Encryption. If they are not bound, PGP Desktop users can choose to encrypt devices on their own.

Step 1: Configure PGP Universal Server to require bound PGP Desktop users to apply whole disk encryption to removable devices. Edit the internal user policy, as shown in Figure 1.

Figure 1: Modify Internal User Policy

Step 2: Select the option to enforce whole disk encryption of USB and FireWire devices. Figure 2 is a shortened version of this screen. Note that bound users are not permitted to encrypt and decrypt. This option is discussed further on page 10.

Figure 2: Force Whole Disk Encryption for Bound Clients

Save this configuration change. All bound clients created after this change will include this option. Any bound clients deployed before this change will receive the new policy after 24 hours or when the user next logs in, whichever comes first.

For now, assume DeviceLock is configured to permit all devices. Users under the control of the Figure 2 policy setting will see the screen shown in Figure 3 when they install a new device. Within 30 seconds, the user must decide whether to encrypt the device or use the device in a read-only mode called Lock. After 30 seconds, Lock is selected automatically and the device is left unmodified and unwriteable. Without DeviceLock, this same policy would have to apply to all devices.

Figure 3: Encrypt or Lock

2. Create DeviceLock Policy

The remaining configuration steps occur within DeviceLock, using either the DeviceLock snap-in for the Microsoft Group Policy Management Console (GPMC), the raw DeviceLock Management MMC Console, or the DeviceLock Enterprise Manager (DLEM).

Enable PGP Integration

Enable PGP Integration, as shown in Figure 4.

Figure 4: Set Removable Permissions

Set Removable Permissions

Set permissions for removable devices, as shown in Figure 5.

Figure 5: Set Removable Permissions

Set Removable Policy

Figure 6 demonstrates the application of group policy to accounting users. Unencrypted devices are granted read-only and eject permission. Full read and write access is granted for removable devices that have been encrypted via PGP Whole Disk Encryption. Other encryption technologies are not recognized by this setting. This setting works in concert with PGP Universal Server policy, which can require that unencrypted storage devices are encrypted upon insertion or locked for read-only access.

Figure 6: Set Encryption Policy

Make sure that access control for USB storage devices is enabled, as shown in Figure 7. This setting generally blocks USB storage device access except where users/groups are granted access in the USB Port & Removable Permissions lists.

Figure 7: Access Control

4. Create Blocked Message (optional)

The policy shown in the accompanying screenshot is stricter than the policy created on page 8. This policy only permits encrypted removable devices. In this instance, an inserted unencrypted device will not be accessible even if the drive letter appears in the client's My Computer window. To provide some indication of why the unencrypted device is not visible, enable the display of a blocked message. Start by selecting Service Options, as shown in Figure 7.

Figure 7: Enable Blocked Message

Create an appropriate error message, as shown in the accompanying screenshot. This message will appear in the system tray when an unencrypted or unauthorized device is inserted into the client machine.

5. Policy Transmission

Table 3 shows the different mechanisms PGP Universal Server and DeviceLock use to drive policy. PGP Universal Server cannot push policy to the PGP Desktop clients. Generally, PGP Universal Server policy is set and forget, whereas DeviceLock policy will change as new security devices are implemented and approved.

Table 3: Policy Communications

Action                                   | PGP Universal Server                                    | SmartLine DeviceLock
Push: Admin manually sends policy        | N/A                                                     | DeviceLock Management MMC console or DLEM console
Push: Automatic policy updates           | N/A                                                     | If set up via Microsoft GPO, every 90 minutes by default
Pull: Client requests policy from server | Requested by client every 24 hours or at user login    | At user login or, if GPO is in force, by selecting
                                         |                                                         | Start / Run and entering: gpupdate /force

Policy Options

Forced Encryption

As discussed on page 6, PGP Universal Server policy can force all USB and FireWire devices to be whole disk encrypted. This option has a variety of policy and process implications. If both boxes are checked and a user inserts an unencrypted USB or FireWire drive, the encrypt-or-lock message shown on page 6 will appear.

Enabling forced encryption is a two-sided coin. It permits simpler deployment because any unencrypted storage device can easily be encrypted by an end user and put to use. Unlike DeviceLock, however, PGP Universal Server does not distinguish one device from another, and PGP Universal Server policy trumps DeviceLock policy. This setup eliminates the ability to manage devices distinctly. One viable alternative is to disable forced encryption and distribute encrypted drives to users. This option is discussed on page 11.

Permit Decryption

PGP Universal Server also provides an option that controls a bound user's ability to encrypt and decrypt devices. If the user is permitted to decrypt the USB or FireWire drive, an encrypted drive can be placed into a machine and decrypted. The USB or FireWire drive can then be transported without encryption, which may break policy.

To prevent this possibility, disable "allow user-initiated whole disk encryption and decryption", as shown in the accompanying screenshot. If the user-initiated option is disabled, sensitive data cannot be removed without whole disk encryption. This configuration also permits the USB or FireWire device to be force encrypted upon first insertion.

Distributing Pre-Encrypted Drives

If desired, bulk distribution of whole disk encrypted USB or FireWire devices can be performed using the administrator's copy of PGP Desktop. Begin by searching for all user keys, as shown in the accompanying screenshot. Select all the keys in the result and export all keys to a file. Minimize PGP Desktop. Double-click on the exported file and import all keys to the administrator's keyring, as shown in the accompanying screenshot.

Insert the first USB drive into the administrator's PC. From the PGP Disk menu, select Encrypt Whole Disk. Select Add User Key and choose the public key of the first user. You must also add a second user with a passphrase. This could be the private key of the administrator or a randomly created user whose name and password is (or is not) recorded for future use. Select Encrypt, as shown in the accompanying screenshot.

When encryption begins, PGP Desktop will display this symbol in the notification area. Encryption time depends on the size of the drive, the speed of the processor, and USB/FireWire port speed. When finished, insert the next USB drive and repeat the process.

DeviceLock Options

The setup outlined by this guide results in the policy shown in the accompanying screenshot. If all Allow boxes are checked, all removable devices and all encrypted devices have full read and write permission. If the encrypted options are not selected, the PGP Desktop client will still recognize the encrypted device and request the passphrase. However, after the passphrase is entered, this DeviceLock policy will prevent the drive from being recognized by the system. If forced PGP encryption is in place, the removable storage device will be unreadable after it is encrypted. If the encrypted device is placed into a system that permits encrypted devices, it will be accessible.

User Experience

What is the sequence of events when a removable storage device is accessed? The PGP policy options are checked before the DeviceLock policy is enforced.

Encrypted USB or FireWire Storage Device Inserted

If the inserted device is already encrypted, a passphrase will be requested, as shown in the accompanying screenshot.

Unencrypted USB or FireWire Storage Device Inserted

If forced encryption (page 6) is enabled and the device is not whole disk encrypted, the user is prompted to encrypt or lock the device, regardless of DeviceLock policy. However, PGP Desktop access to the device is strictly limited by DeviceLock settings. For example, if encrypted removable devices are not permitted by DeviceLock, PGP Desktop will be unable to successfully read the device.

When encryption begins, PGP Desktop will display this symbol in the notification area. Whole disk encryption time depends on the size of the drive, the speed of the processor, and USB/FireWire port speed.
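The interplay between the PGP prompt (checked first) and the DeviceLock removable permissions (checked second), as described under Policy Options, DeviceLock Options and User Experience, is easier to reason about as a decision model. The Python below is an added example, not PGP's or SmartLine's code; the policy field names, the ordering blocked < read-only < read/write, and the treatment of a write-without-read grant as blocked are assumptions made for the model.

```python
"""Model of the combined PGP Universal Server + DeviceLock removable-storage
policy described in this guide (added example, not vendor code)."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    BLOCKED = "blocked"
    READ_ONLY = "read-only"
    FULL = "read/write"


# Ordering used when the two products disagree: the stricter result wins.
_ORDER = [Access.BLOCKED, Access.READ_ONLY, Access.FULL]


@dataclass(frozen=True)
class PgpPolicy:
    force_encryption: bool    # "Force whole disk encryption of USB and FireWire devices" (Figure 2)
    allow_user_decrypt: bool  # "Allow user-initiated whole disk encryption and decryption" (page 10)


@dataclass(frozen=True)
class DeviceLockPolicy:
    # Removable permissions (Figures 5 and 6): separate Allow boxes for
    # unencrypted devices and for PGP whole-disk-encrypted devices.
    unencrypted_read: bool
    unencrypted_write: bool
    encrypted_read: bool
    encrypted_write: bool


# The guide's example policy (page 5): unencrypted = read-only, encrypted = full.
GUIDE_PGP = PgpPolicy(force_encryption=True, allow_user_decrypt=False)
GUIDE_DL = DeviceLockPolicy(unencrypted_read=True, unencrypted_write=False,
                            encrypted_read=True, encrypted_write=True)


def _devicelock_access(dl: DeviceLockPolicy, encrypted: bool) -> Access:
    read = dl.encrypted_read if encrypted else dl.unencrypted_read
    write = dl.encrypted_write if encrypted else dl.unencrypted_write
    if not read:
        return Access.BLOCKED  # assumption: write without read is not usable
    return Access.FULL if write else Access.READ_ONLY


def effective_access(pgp: PgpPolicy, dl: DeviceLockPolicy,
                     device_encrypted: bool, user_action: str = "lock") -> Access:
    """user_action is what the user does at the PGP Desktop prompt:
    'encrypt' / 'lock' answer the Encrypt-or-Lock dialog (Figure 3; after 30 s
    the dialog defaults to Lock), 'decrypt' attempts to decrypt an encrypted drive."""
    pgp_cap = Access.FULL        # PGP itself only restricts via Lock
    encrypted = device_encrypted

    # Step 1: PGP policy is evaluated before DeviceLock (page 13).
    if not encrypted and pgp.force_encryption:
        if user_action == "encrypt":
            encrypted = True               # drive is now whole disk encrypted
        else:
            pgp_cap = Access.READ_ONLY     # Lock: device unmodified and unwriteable
    elif encrypted and user_action == "decrypt" and pgp.allow_user_decrypt:
        encrypted = False                  # the policy gap warned about on page 10

    # Step 2: DeviceLock permissions apply to the device's current state.
    dl_access = _devicelock_access(dl, encrypted)
    return min(pgp_cap, dl_access, key=_ORDER.index)
```

Changing the DeviceLock flags reproduces the page 9 (encrypted devices only) and page 12 (encrypted boxes unchecked) behaviours described in the text.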

Troubleshooting

PGP Universal Server

PGP Universal Server's logging system features detailed logging. Administrative activities such as setting the forced encryption option are tracked in the Administration log. Figure 8 follows the bound PGP Desktop client from a client with a particular IP address as it connects and authenticates to PGP Universal Server. The movement and disposition of removable devices is not tracked by PGP Universal Server.

Figure 8: PGP Universal Server Client Log

SmartLine DeviceLock

The DLEM lets administrators view access, auditing, and shadowing permissions. The DLEM also tracks permissions and plug-and-play devices on all endpoints. These log views permit user activities and administrative actions to be collected, viewed, filtered, and sorted centrally on demand. The optional DeviceLock Enterprise Server component can be configured to automatically collect logs and shadow data to a central storage area for further analysis.

PGP Corporation
3460 West Bayshore Road, Palo Alto, CA 94303 USA
Tel: +1 650 319 9000
Fax: +1 650 319 9001
Sales: +1 888 515 4920
Support: support.pgp.com
Website: www.pgp.com

Copyright 2007 PGP Corporation. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation. The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications. PGP and the PGP logo are registered trademarks of PGP Corporation. RIM, Research In Motion, and BlackBerry are the registered trademarks of Research In Motion. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. The information in this document is provided "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. All strategic and product statements in this document are subject to change at PGP Corporation's sole discretion, including the right to alter or cancel features, functionality, or release dates. Changes to this document may be made at any time without notice.