
McAfee Host Data Loss Prevention 9.0
Installation Guide for ePolicy Orchestrator 4.5

COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

McAfee Host Data Loss Prevention 9.0 Installation Guide

Contents

Introduction .......................................................... 5
  Components and their relationships .................................. 5
  Getting started ..................................................... 8
Pre-Installation ..................................................... 11
  System requirements ................................................ 11
  Configuring the server ............................................. 12
  Installing ePolicy Orchestrator 4.5 ................................ 13
  WCF installation ................................................... 14
    Installing the DLP WCF service ................................... 15
    Troubleshooting the DLP WCF service .............................. 19
Installing or Upgrading McAfee Host Data Loss Prevention ............. 20
  First-time installation issues ..................................... 20
    Creating and configuring repository folders ...................... 21
  Installing the McAfee Host Data Loss Prevention extension .......... 22
  Upgrading issues ................................................... 23
    Upgrading McAfee Host Data Loss Prevention software .............. 24
Post-Installation .................................................... 25
  Initializing the Host DLP Policy Manager ........................... 25
  Upgrading the license .............................................. 27
  Applying the policy ................................................ 27
  Initializing the Host DLP Monitor .................................. 28
  Checking in the DLP Agent package to ePolicy Orchestrator .......... 29
  Deploying the DLP Agent ............................................ 30
    Defining a default rule .......................................... 30
    Deploying the DLP Agent in ePolicy Orchestrator .................. 31
    Verifying the installation ....................................... 31
Appendix I Deploying McAfee Host Data Loss Prevention with SMS ....... 32
  Creating an installation package ................................... 32
  Creating the advertisement ......................................... 33
  Creating the SMS uninstall package ................................. 33
Appendix II Users and permission sets ................................ 35
  Creating and defining DLP administrators ........................... 35
  Creating and defining permission sets .............................. 36
  DLP permission set options ......................................... 36


Introduction
This guide provides the necessary information for installing McAfee Host Data Loss Prevention software version 9.0. It provides detailed steps and verification of the installation process. This guide demonstrates how to configure the recommended architecture, and when completed the user will have a fully functional McAfee Host Data Loss Prevention implementation that is properly configured. McAfee recognizes that many configuration possibilities exist and that McAfee Host Data Loss Prevention is very flexible in meeting a variety of implementation architectures. The recommended architecture represents only one path.

Contents
Components and their relationships
Getting started

Components and their relationships


McAfee Host Data Loss Prevention software version 9.0 is more tightly integrated with ePolicy Orchestrator than version 2.x. As a result, the recommended installation is now on a single server, and is in compliance with the FIPS 140-2 standard.


The DLPWCF Service can be installed on a separate server from the ePO database.

Figure 1: McAfee Host Data Loss Prevention components and relationships

Figure 1 depicts the elements that comprise McAfee Host Data Loss Prevention and the communication patterns among the elements. The recommended architecture includes:

ePO server: Hosts the embedded user interfaces (Host DLP Monitor and Host DLP Policy Manager) and communicates with the McAfee Agents.
ePO Reports: A list of Host DLP Events within the ePolicy Orchestrator reporting service replaces DLP Reports.
DLP WCF (Windows Communication Foundation) Service: Communicates between ePolicy Orchestrator and the Host DLP Policy Manager to distribute policies, and with the Host DLP Monitor to display events.
ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.


DLP Event Parser: Collects Host DLP events from the ePO Event Parser and stores them in DLP tables in the SQL database.
ePO database: Communicates with the ePO Policy Distributor to distribute policies, and with the DLP Event Parser to collect events and evidence.
Administrator workstation: Accesses ePolicy Orchestrator, the Host DLP Monitor, and Host DLP Policy Manager in a browser through the DLP WCF Service.
Client workstation: Applies the security policies using the following software:
  DLP Agent: Provides the DLP processes. In McAfee Host Data Loss Prevention software version 9.0 the DLP Agent communicates exclusively with the ePO Agent.
  McAfee Agent: Provides the communication channel between the ePolicy Orchestrator server and the DLP Agent.

Backward compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of the DLP Agent in their production environment, an option exists to deploy backward compatible policies to computers still running the older agents. DLP Agent 2.2 Patch 2 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to DLP Agent 2.2 Patch 2 or later before upgrading to DLP Agent 9.x.

McAfee Host Data Loss Prevention software version 9.0 utilizes a standardized XML policy format. The new format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents now has two levels: DLP Agent 3.0 or later, and DLP 2.2 Patch 2 or later. Compatibility with version 3.0 DLP Agents uses the standard installation. The agent compatibility option is selected during the policy manager initialization. For enterprises upgrading from DLP 2.2 Patch 2, old events in the Host DLP database are converted to tables in the ePO database.

The installation for backward compatibility contains elements of both version 2.x and version 3.x. In particular, the DLP Event Collector is installed to collect events from the version 2.x DLP Agents. This means that the two server system recommended in McAfee Host Data Loss Prevention version 2.x is maintained during the transition phase. The backward-compatible architecture is as follows:

Figure 2: McAfee Host Data Loss Prevention components with backward compatibility

Getting started
Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Host Data Loss Prevention software. While guidelines and best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is unique for each installation. For this reason, McAfee recommends initial deployment to a sample group of 15 to 20 users for a trial period of about a month. During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The monitoring data helps the security officers make good decisions about where and how to classify corporate data. The policies created from this information should be tested on a larger test group (or, in the case of very large companies, on a series of successively larger groups) before being deployed to the entire enterprise.

McAfee Device Control vs McAfee Host Data Loss Prevention
McAfee Device Control prevents unauthorized use of removable media devices. McAfee Host Data Loss Prevention gives you a fuller set of tools to inspect enterprise users' actions concerning sensitive content anywhere on their computers. The following table compares the features.
Feature | McAfee Device Control | McAfee Host Data Loss Prevention
Applications
  Enterprise Applications List | |
Database Administration
  Database Administration | |
  Database Statistics | |
Content Based Definitions
  Dictionaries | |
  Registered Documents Repositories | |
  Text Patterns | |
Definitions
  Application Definitions | |
  Document Properties | |
  Email Destinations | |
  File Extension Definitions | |
  File Server Definitions | |
  Network Definitions | |
  Printer Definitions | |
  Tags and Categories | Content categories and groups only | Content categories, tags, and groups
  Web Destinations | |
  Whitelist Repository | |
Device Management
  Device Classes | |
  Device Definitions | |
  Device Rules | |
  Whitelisted Applications | |
Policy Assignment
  User Assignment Groups | |
  Privileged Users | |
RM and Encryption
  RM Servers | No | Yes
  RM Policies | No | Yes
  Encryption Keys | Yes | Yes
Rules
  Classification Rules | Yes | Yes
  Discovery Rules | No | Yes
  Protection Rules | Yes (Removable Storage Protection only) | Yes: Application File Access Protection, Clipboard Protection, Email Destinations Protection, File System Protection, Network Communication Protection, PDF/Imagewriter Protection, Printing Protection, Removable Storage Protection, Screen Capture Protection, Web Post Protection
  Tagging Rules | No | Yes

(The Yes/No entries for the rows left blank above are not legible in this copy of the guide.)


Pre-Installation
This section contains information on required Microsoft system components and ePolicy Orchestrator installation requirements. Review this section completely before installing McAfee Host Data Loss Prevention software version 9.0.

Contents
System requirements
Configuring the server
Installing ePolicy Orchestrator 4.5
WCF installation

System requirements
Hardware requirements
The following hardware is recommended for running McAfee Host Data Loss Prevention software version 9.0.

Hardware type | Specifications
Servers | CPU: Intel Pentium IV 2.8GHz or higher. RAM: 512 MB minimum for McAfee Device Control only (1 GB recommended); 1 GB minimum for full McAfee Host Data Loss Prevention (2 GB recommended). Hard Disk: 80GB minimum.
Agent workstations | CPU: Pentium III 1GHz or higher. RAM: 256 MB minimum for McAfee Device Control (1 GB recommended); 512 MB minimum for full McAfee Host Data Loss Prevention (1 GB recommended). Hard Disk: 200 MB minimum free disk space.
Network | 100 Mbit LAN serving all workstations and the ePO server. Agents must be able to access port 8731 on the server running the WCF Service. Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF Service.

The following operating system software is supported:

Computer type | Software
Servers | Microsoft Windows 2003 Server Standard (SE) SP1 or later; Microsoft Windows 2003 Enterprise (EE) SP1 or later; Microsoft Windows 2008 Server Standard. NOTE: For installation in ePolicy Orchestrator 4.5, SP2 or later and Microsoft Internet Explorer 7 or later are required. These are requirements for ePolicy Orchestrator, not McAfee Host Data Loss Prevention.
Agent workstations | Microsoft Windows 2000 SP4 or later; Microsoft Windows XP Professional SP1 or later (32-bit only); Microsoft Windows Vista SP1 or later (32-bit only); Microsoft Windows 7 (32-bit only)

The user installing McAfee Host Data Loss Prevention software version 9.0 on the servers must be a member of the local administrator group. Because McAfee Host Data Loss Prevention software version 9.0 requires .NET 3.5, Windows 2000 server is no longer supported.

Server software requirements
The following software is required on the server running Host DLP Policy Manager and Monitor:

Software | Version
McAfee ePolicy Orchestrator | 4.5
McAfee Agent | 4.0 Patch 1 or later
McAfee ePolicy Orchestrator Help System | Download the HDLP 9.0 Help extension.
Microsoft .NET | 3.5 (Patch 1 recommended). NOTE: All agent handlers on remote servers require the .NET Framework.
Microsoft SQL Server | 2005 compatibility mode 90 or later

The McAfee Host Data Loss Prevention software version 9.0 package includes the following:
DLP Agent
DLP Windows Communication Foundation (DLPWCF)
DLP Migration Tool (used to import events from the version 2.2 database to the 9.0 database)
DLP Extension (contains the components installed through ePolicy Orchestrator)

Configuring the server

Use this task for the basic configuration of the server.

Before you begin
Verify that the server meets the minimum system requirements.

Task
1 Install Microsoft Windows 2003 SE SP1 with the role of file server (configured on the Server Role page of the Configure Your Server wizard).
2 Install Windows Installer 3.0 and restart the system.
3 Install the Microsoft Windows 2003 service packs. Run Windows Update and install all updates.
4 Disable Microsoft Internet Explorer's Enhanced Security Configuration Windows Component using the Windows Control Panel Add/Remove Windows Components option.
NOTE: This Microsoft product can hinder proper installation of Host DLP components. Disable it before installation, then reconfigure it after installation if it is required.
5 Install Microsoft .NET Framework 3.5 SP1.
6 Set the server to a static IP address.
NOTE: McAfee recommends using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.
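The following script is an added example, not part of the McAfee guide: it reads back the server state that the requirements table and the task above call for (local administrator membership, .NET Framework 3.5 SP1, Windows Installer 3.0, Internet Explorer Enhanced Security Configuration disabled, a static IP address, and the RAM and disk minimums) without changing anything. The registry paths and WMI classes are standard Windows locations; the GUID is the Active Setup component that Windows uses for IE ESC for administrators, and the `-Filter` strings are assumptions about a typical single-adapter server.

```powershell
# Added example (not McAfee's): read-only pre-installation checks for the HDLP/ePO server.
function Get-DlpServerPrereqStatus {
    # The installing user must be a member of the local Administrators group
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # .NET Framework 3.5 SP1 is recorded as Install=1 and SP>=1 under the NDP v3.5 key
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $net35sp1 = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)

    # Windows Installer 3.0 or later, read from the version of msi.dll
    $msiVersion = [version](Get-Item "$env:windir\System32\msi.dll").VersionInfo.ProductVersion
    $msi30 = $msiVersion -ge [version]'3.0'

    # IE Enhanced Security Configuration (administrators): IsInstalled=0 means disabled
    $iesc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' -ErrorAction SilentlyContinue
    $iescDisabled = ($iesc -eq $null) -or ($iesc.IsInstalled -eq 0)

    # Static IP: at least one IP-enabled adapter with DHCP turned off
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $staticIp = @($nics | Where-Object { -not $_.DHCPEnabled }).Count -gt 0

    # Sizing against the guide's server minimums: 1 GB RAM for full HDLP, 80 GB disk
    $os     = Get-WmiObject Win32_OperatingSystem
    $ramGB  = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports this value in KB
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $diskGB = [math]::Round($disk.Size / 1GB, 1)

    New-Object PSObject -Property @{
        LocalAdministrator  = $isAdmin
        DotNet35SP1         = $net35sp1
        WindowsInstaller30  = $msi30
        IeEscDisabled       = $iescDisabled
        StaticIpAddress     = $staticIp
        RamGB               = $ramGB
        RamMeetsFullHdlpMin = ($ramGB -ge 1)
        SystemDiskGB        = $diskGB
        DiskMeets80GBMin    = ($diskGB -ge 80)
    }
}

Get-DlpServerPrereqStatus | Format-List
```

Run it from an elevated Windows PowerShell prompt on the server before starting the ePO and WCF installers; any `False` in the output corresponds to one of the steps above that still has to be done. The IE ESC check only reports the administrators' component, which is the one that interferes with browser-based installers; re-enable it after installation as the NOTE says.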

Installing ePolicy Orchestrator 4.5

Use this task to install ePolicy Orchestrator 4.5.

Before you begin
Read the ePolicy Orchestrator 4.5 Installation Guide and Release Notes to familiarize yourself with all installation issues.
CAUTION: Some of the installation scripts require the NETWORK SERVICE account to have write permission for the C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must temporarily change the permissions for this folder. Otherwise, the installation fails. McAfee recommends completing all software installations before resetting the permissions.

Pay attention to the following points when installing ePolicy Orchestrator:
1 In the ePolicy Orchestrator installation wizard, use the following settings:

Installation wizard screen | Setting
Installation Options | Select Install Server and Console.
Setup Requirements | Install SQL Server 2005 Express. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 server and select it. CAUTION: After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.
Database Server Account | McAfee recommends using a SQL Server account. If preferred, an NT account can also be used.
HTTP Configuration | Do not use the default setting for the Agent-to-Server communication port. Instead, set the port to 1080.

2 During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.

WCF installation
There are two basic options for installing the Windows Communication Foundation (WCF) service: on the same server as the ePO (SQL) database (local installation) or on a separate server (remote installation). Where ePolicy Orchestrator is installed, together with its database or on a separate server, is not relevant to this discussion; only the relative locations of WCF and the database.

Figure 3: WCF installation options

Web access authorized groups
When installing the WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). McAfee recommends setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database. When the HDLP Policy Manager attempts to connect to WCF, it impersonates the logged on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG before connecting to the database.

Option 1: Installing WCF locally
When installing WCF on the same server as the ePO database, you can use Windows authentication or SQL authentication. The option is selected on the WCF service installation wizard. The selected authentication applies only to the connection between WCF and the database. The connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking. The user must be defined in the SQL database. See Adding a user in SQL Server.

Option 2: Installing WCF remotely
When installing WCF on a separate server from the ePO database, you can now use Windows authentication or SQL authentication. The former limitation to only SQL authentication has been eliminated. The description of the connection details is the same as in local installation.

Installing the DLP WCF service

Use these tasks to prepare the SQL database for WCF and to install the DLP WCF service. Both of these tasks are required and should be performed in the order given.

Tasks
Adding a user in SQL Server
Running the DLP WCF installer

Adding a user in SQL Server

To use either Windows or SQL authentication with WCF and the ePO database, an authorized user must be defined in the SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this task to create such an account.

Before you begin
To perform this task, you must have Microsoft SQL Server Management Studio installed. If you are using SQL Server Express, you should install the Express version of Management Studio. The administrator performing the task should have system administrator rights on the server(s) involved.

Task
1 Open Microsoft SQL Server Management Studio (Express) and connect to the EPOSERVER instance.
2 In the Object Explorer, right-click the database name and select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use.
4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.
5 On the General page of the Login Properties dialog box, select SQL Server authentication or Windows authentication and type a login name. Set the default database to ePO4_SERVER. Enforcing a password policy is optional.
6 On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section, select ePO4_SERVER and verify that the new login user is listed under User. Click OK.
7 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the login user name.
8 On the Securables page, click Add. Select Specific objects, and click OK.
9 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
10 Click Browse. Select [ePO4_SERVER] and click OK twice.
11 Click Effective Permissions, and verify the following permissions:

Figure 4: Setting database user permissions

12 Click OK.
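The same account can be created from a script instead of the Management Studio dialogs, and the script can print the account's effective database permissions for comparison with Figure 4. The following is an added example, not a McAfee script. It assumes the instance is reachable as `.\EPOSERVER`, that `sqlcmd.exe` (installed with the SQL Server tools) is on the PATH, that the caller is a SQL sysadmin, and that `CONTOSO\svc_dlpwcf` is a placeholder for the service account you actually use. It grants nothing beyond the implicit CONNECT that CREATE USER confers; whatever Figure 4 shows for your deployment still has to be granted, and the permission listing at the end is the check that it was.

```powershell
# Added example (not McAfee's): create the WCF login and database user for ePO4_SERVER
# and report the user's effective database permissions (compare with Figure 4, step 11).
param(
    [string]$Instance  = '.\EPOSERVER',          # assumption: default ePO instance name
    [string]$Database  = 'ePO4_SERVER',
    [string]$LoginName = 'CONTOSO\svc_dlpwcf',   # placeholder; a SQL login name works too
    [switch]$SqlAuthentication,                  # omit for a Windows login, supply for a SQL login
    [string]$SqlPassword                         # leave empty to be prompted securely
)

# Escape values for use as [identifier] and N'string' in T-SQL
function Format-SqlIdentifier([string]$name) { '[' + $name.Replace(']', ']]') + ']' }
function Format-SqlString([string]$s)        { "N'" + $s.Replace("'", "''") + "'" }

$id  = Format-SqlIdentifier $LoginName
$str = Format-SqlString $LoginName
$db  = Format-SqlIdentifier $Database

if ($SqlAuthentication) {
    if (-not $SqlPassword) {
        $secure = Read-Host 'Password for the new SQL login' -AsSecureString
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        $SqlPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    # CHECK_POLICY = OFF mirrors step 5: enforcing a password policy is optional
    $createLogin = "CREATE LOGIN $id WITH PASSWORD = $(Format-SqlString $SqlPassword), DEFAULT_DATABASE = $db, CHECK_POLICY = OFF;"
} else {
    $createLogin = "CREATE LOGIN $id FROM WINDOWS WITH DEFAULT_DATABASE = $db;"
}

$script = @"
SET NOCOUNT ON;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $str)
    $createLogin
USE $db;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $str)
    CREATE USER $id FOR LOGIN $id;
-- Grant the database permissions Figure 4 shows for your deployment here.
-- Then list what the user can actually do, impersonating it for the query only.
EXECUTE AS USER = $str;
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name;
REVERT;
"@

$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $script
try {
    # -E uses the caller's Windows credentials; -b aborts on the first T-SQL error
    & sqlcmd.exe -S $Instance -E -b -i $tmp
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

Run it once per WCF server account. The `EXECUTE AS USER ... REVERT` pair is what makes the output meaningful: it lists the permissions the new user holds rather than those of the sysadmin running the script, which is the same view Effective Permissions gives in step 11.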

Running the DLP WCF installer

Use this task to install and configure the Windows Communication Foundation (WCF) service. McAfee Host Data Loss Prevention software version 2.x used the DLP Web Service, which ran under IIS, to communicate between components. In response to client requests for a non-IIS dependent communication service, McAfee Host Data Loss Prevention implemented a self-hosted WCF service with version 3.0. The new service is faster, lighter, and more secure than the IIS-based service.

Before you begin
Add the login user to the SQL database as a Windows or SQL user, according to which form of authorization you plan to use. Log out of ePolicy Orchestrator.

Task
1 Browse to and run the DLPWCFServiceInstaller.msi installer.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
  a You should not change the WCF Server Port value without first consulting your McAfee representative.
  b McAfee recommends setting up a group or groups in Windows Active Directory with the names of users authorized to log in to the database. You must change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in WCF installation options.
  c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
3 In step 5 of the installation wizard (SQL Database), do the following:
  a Review the defaults for Database Server and Database Name. Type other values if necessary.
  b Select Windows Authentication or SQL Authentication and fill in the associated fields.
  This change in the installer fixes the problem of installing the DLP WCF Service on a remote server using Windows authentication. You can now use either form of authentication for local or remote installations. Named users must be defined in the SQL database.
4 Click Finish to complete the installation.

Troubleshooting the DLP WCF service


To troubleshoot the DLP WCF service, use the browser page http://localhost:8731/DLPWCF/Admin/Testing.

Figure 5: The DLP WCF service testing page
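Beyond opening the testing page in a browser, the two conditions the guide imposes on WCF clients can be checked from an administrator workstation: TCP port 8731 on the WCF server must be reachable, and the logged-on user must belong to a Web Access Authorized Group. The script below is an added example, not part of the guide; `wcf01` and `CONTOSO\DLP Admins` are placeholders for your WCF server and WAAG, and the testing-page URL path is the one given above.

```powershell
# Added example (not McAfee's): WCF reachability and WAAG membership checks for a client.
function Test-DlpWcfService {
    param(
        [string]$Server = 'localhost',   # the server running the DLP WCF service
        [int]$Port = 8731,               # the guide's WCF port
        [int]$TimeoutMs = 5000
    )
    # 1. Plain TCP connect, so a firewall problem is distinguishable from an HTTP one
    $tcpOpen = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)
            $tcpOpen = $true
        }
    } catch { } finally { $client.Close() }

    # 2. Fetch the testing page with the caller's Windows credentials, as the
    #    workstation-to-WCF connection always uses Windows authentication
    $status = $null
    $pageOk = $false
    if ($tcpOpen) {
        $req = [System.Net.WebRequest]::Create("http://${Server}:$Port/DLPWCF/Admin/Testing")
        $req.UseDefaultCredentials = $true
        $req.Timeout = $TimeoutMs
        try {
            $resp = $req.GetResponse()
            $status = [int]$resp.StatusCode
            $pageOk = ($status -eq 200)
            $resp.Close()
        } catch [System.Net.WebException] {
            # An HTTP error still carries a status code (401/403 is worth checking against the WAAG)
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
    }
    New-Object PSObject -Property @{
        Server = $Server; Port = $Port; TcpPortOpen = $tcpOpen
        HttpStatus = $status; TestingPageOk = $pageOk
    }
}

function Test-WaagMembership {
    param([string]$GroupName)   # e.g. 'CONTOSO\DLP Admins' (placeholder)
    # Resolve the caller's token groups to names and look for the WAAG
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $names = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    New-Object PSObject -Property @{
        User = $identity.Name; Group = $GroupName
        IsMember = [bool]($names -contains $GroupName)
    }
}

Test-DlpWcfService -Server 'wcf01'
Test-WaagMembership -GroupName 'CONTOSO\DLP Admins'
```

Run it as the user who will open the Host DLP Monitor or Policy Manager, not as a local administrator, because the token groups it inspects are that user's. `TcpPortOpen = False` points at the network or the server firewall; a port that is open but a page that fails points at the service or at the WAAG setting chosen in the installer.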


Installing or Upgrading McAfee Host Data Loss Prevention

This section covers a clean installation and upgrading from an earlier version. In both cases, the default installation is a 90-day license for McAfee Device Control. If you purchased a license for full McAfee Host Data Loss Prevention, you must upgrade the license after you complete the installation.

Contents
First-time installation issues
Installing the McAfee Host Data Loss Prevention extension
Upgrading issues

First-time installation issues

The McAfee Host Data Loss Prevention installation wizard requires certain inputs for proper completion. To assure an uninterrupted installation, do the following before installing.

Evidence and whitelist folder
Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the Host DLP/Database server, but it is usually convenient to put them there. McAfee suggests the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.
c:\dlp_resources\
c:\dlp_resources\evidence
c:\dlp_resources\whitelist

Evidence folder
Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence folder.

Whitelist folder
Text fingerprints to be ignored by the DLP Agent are placed in a whitelist repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee Host Data Loss Prevention saves time by skipping these chunks of text that are known to not include sensitive content.


Roles and permissions Consider the administrator roles you need to manage the system, and create the necessary user profiles. Roles such as Host DLP administrators, policy makers, monitor viewers, manual taggers, and others may be necessary, depending on the size of the system and how centralized you want control to be. The system can be modified at any time, so the list does not have to be comprehensive.

Creating and configuring repository folders

Use these tasks to configure the repository folders.

Tasks
Configuring the evidence folder
Configuring the whitelist folder

Configuring the evidence folder

Use this task to configure the evidence folder with its specific security settings.

Before you begin
Create the evidence folder, as described in First-time installation issues.

Task
1 Right-click the evidence folder icon and select Sharing and Security.
2 In the dialog box that appears, select Share this folder, then modify Share name to evidence$.
NOTE: The $ ensures that the share is hidden.
3 Click Permissions. With the default user name Everyone selected, allow Full Control, then click OK.
4 Click the Security tab, then click Advanced.
5 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions. A confirmation box explains the effect this change will have on the folder.
6 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators.
NOTE: As a security precaution, you can set the permissions to only those administrators who deploy policies.
7 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK.
8 Click Add to select an object type.
9 In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box.
10 In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
11 Click OK twice to close the dialog box.

Configuring the whitelist folder


Use this task to configure the whitelist folder with its specific security settings. Before you begin Create the whitelist folder, as described in First-time installation issues. Task 1 2 Right-click the whitelist folder icon and select Sharing and Security. In the dialog box that appears, select Share this folder, then modify Share name to whitelist$. NOTE: The $ ensures that the share is hidden. 3 4 Click the Security tab, then click Advanced. On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions. A confirmation box explains the effect this change will have on the folder. Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators. NOTE: As a security precaution, you can set the permissions to only those administrators who deploy policies. 6 7 8 9 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK. Click Add to select an object type. In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box. In the Allow column, select List Folder/Read Data. Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers. First-time installation issues

10 Click OK twice to close the dialog box.
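The two share tasks (the evidence share in the preceding task, the whitelist share in this one) can be scripted instead of clicked through. The following PowerShell is an added example and is not part of the McAfee guide: it creates the folder, turns inheritance off and removes the inherited entries (the Remove step above), grants Administrators full control and Domain Computers exactly the rights the task names, then publishes the folder as a hidden share. The folder paths, the evidence share name and the use of New-SmbShare (Windows Server 2012 or later; on older servers net share ... /GRANT sets the same share-level rights) are assumptions.

```powershell
# Added example, not from the McAfee guide. Run in an elevated PowerShell session on the
# domain-joined file server. Assumptions: the folder paths used at the bottom, New-SmbShare
# being available (Windows Server 2012 or later), and "Domain Computers" resolving in the
# server's domain (prefix it with the NetBIOS domain name if it does not).

function New-DlpShare {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ShareName,
        # NTFS rights for the computer accounts: ReadData (List Folder/Read Data) for the
        # whitelist, "WriteData, AppendData" (Create Files / Create Folders) for evidence.
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemRights] $ComputerRights,
        [string] $ComputerGroup = 'Domain Computers'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # "Apply onto: This folder, subfolders and files"
    $inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -LiteralPath $Path
    # Deselect "Allow inheritable permissions" and click Remove: protect the DACL and
    # drop the inherited entries instead of copying them onto the folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries as well, so only the two rules below remain.
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit, $propagate, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ComputerGroup, $ComputerRights, $inherit, $propagate, $allow)))
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Hidden share. The trailing $ only keeps the share out of browse lists; the share-level
    # and NTFS ACLs are the real access control. Share-level rights mirror the NTFS ones:
    # Change where the computers must write, Read otherwise.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [int][System.Security.AccessControl.FileSystemRights]::AppendData
    $shareParams = @{ Name = $ShareName; Path = $Path; FullAccess = 'BUILTIN\Administrators' }
    if (([int]$ComputerRights -band $writeMask) -ne 0) { $shareParams.ChangeAccess = $ComputerGroup }
    else                                                { $shareParams.ReadAccess   = $ComputerGroup }
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare @shareParams | Out-Null
    }
}

function Show-DlpShareAcl {
    # Lists the resulting NTFS entries, the same view as the Advanced Security Settings dialog.
    param([Parameter(Mandatory = $true)] [string] $Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}

# Whitelist share from this task: computers read only.
New-DlpShare -Path 'D:\DLP\whitelist' -ShareName 'whitelist$' -ComputerRights 'ReadData'
# Evidence share from the preceding task (share name assumed): computers can create files
# and folders but cannot read, modify or delete what other computers have written.
New-DlpShare -Path 'D:\DLP\evidence' -ShareName 'evidence$' -ComputerRights 'WriteData, AppendData'

Show-DlpShareAcl -Path 'D:\DLP\whitelist'
Show-DlpShareAcl -Path 'D:\DLP\evidence'
```

The asymmetry is the point of both tasks: every domain computer writes evidence but none can read it back, and every domain computer reads the whitelist but none can change it, so a compromised endpoint can neither harvest other machines' evidence nor tamper with the whitelist. Check the output of Show-DlpShareAcl for any entry with IsInherited set to True; that means the Remove step did not take effect.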

Installing the McAfee Host Data Loss Prevention extension


Use this task for a clean installation of the McAfee Host Data Loss Prevention software version 9.0 extension in ePolicy Orchestrator.

Before you begin
Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet Explorer security settings.


Task
1 In ePolicy Orchestrator, click Menu | Software | Extensions, then click Install Extension.
2 Browse to and select the policy manager zip file (..\HDLP_9_0_0_xxx.zip). Click Open, then OK. The installation dialog box displays the file parameters to verify that you are installing the correct extension.
3 Click OK. The extension is installed. The following applications are installed:
- Host DLP Policy Manager (in ePolicy Orchestrator | Data Protection)
- Host DLP Event Monitor (in ePolicy Orchestrator | Data Protection)
- DLP Event Parser
4 Click Install Extension again, Browse to and select the Help zip file (...help_dlp_900.zip). Click Open, then OK.
  NOTE: This file contains the HDLP extension to the ePO Help system.
5 Click OK.

Upgrading issues
Upgrade installation is similar to first-time installation, but the following points must be considered.

Backward compatibility
The Host DLP Policy Manager version 9.0 initialization has a backward compatibility option that, when selected, allows communication with both old and new agents. Backward compatibility can be set to Version 3.0 and later or Version 2.2 Patch 2 and later.

Unsupported items
If the policy contains any of the following when backward compatibility mode is selected, the policy fails to be applied to ePolicy Orchestrator. Items unsupported in McAfee Host Data Loss Prevention 3.0 and above backward compatibility mode:
- An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.
- A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.
- An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
- A discovery rule contains an Apply RM Policy action.
- Removable storage file access rules are enabled.
- Hit-highlighting is selected on the Evidence tab in the Agent Configuration.


Queries and computer assignments
Queries and Dashboards are saved when you upgrade McAfee Host Data Loss Prevention, as long as you use the recommended procedure. If you remove the existing Data Loss Prevention extension before installing the new one, all queries and Dashboards are lost.

To customize a sample query, McAfee recommends using the Duplicate option to rename the query before changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a public query exists with the same name, remove or rename the public query first. ePolicy Orchestrator requires all query names to be unique.

The first time you install McAfee Host Data Loss Prevention in ePolicy Orchestrator, the sample queries are installed as Public Queries. To view this, go to Reporting | Queries, and scroll down the queries on the left side of the screen. When you upgrade Host DLP, ePolicy Orchestrator notices that the names of the sample queries are already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it must be a public query.

Upgrading McAfee Host Data Loss Prevention software


Use this task to upgrade an earlier version of McAfee Host Data Loss Prevention software to version 9.0 in ePolicy Orchestrator.
CAUTION: If you want to be able to view previous events in the Host DLP Monitor, do not delete the existing McAfee Host Data Loss Prevention extension in ePolicy Orchestrator. Removing the extension removes all events from the Host DLP Database.

Before you begin
When downloading the files from the McAfee download site for McAfee Host Data Loss Prevention, follow the link to the download page for ePolicy Orchestrator Help, and download the latest Help zip file. Log out of ePolicy Orchestrator and close the browser window.

Task
1 From the Windows Control Panel, using Add or Remove Programs, uninstall the DLP Management Tools.
2 In ePolicy Orchestrator, go to Software | Extensions. Click Install Extension, then click Browse and select the McAfee Host Data Loss Prevention policy manager zip file (..\HDLP_Extension_9_0_0_xxx.zip). Click Open, then OK twice. The extension is installed, and appears in the extension list. If you are installing without removing the previous extension, you see a warning that the new extension will replace the existing one. Click OK.
3 Click Install Extension again, Browse and select the Help zip file (..\help_dlp_900.zip). Click Open, then click OK. The installation dialog box warns you that you will replace the existing Help system. Click OK.
  NOTE: This file contains the HDLP extension to the ePO Help system.


Post-Installation
Several steps are needed to complete the McAfee Host Data Loss Prevention software installation. You must configure the Host DLP Policy Manager and Monitor, install an agent, deploy a test policy, and verify the installation.

Contents
Initializing the Host DLP Policy Manager
Upgrading the license
Applying the policy
Initializing the Host DLP Monitor
Checking in the DLP Agent package to ePolicy Orchestrator
Deploying the DLP Agent

Initializing the Host DLP Policy Manager


The first time you open the Host DLP Policy Manager, a wizard runs for first-time initialization.
NOTE: The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the Host DLP Policy Manager console.

Before you begin
The DLP Management Tools installer and policy manager initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
- Automatic prompting for ActiveX controls
- Download signed ActiveX controls

Task
1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Policy. The DLP Management Tools installer runs and, after a brief delay, the Welcome screen of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.
2 After the DLP Management Tools installation has completed, the Host DLP Policy Manager console begins loading. If you have an existing policy, you are prompted to convert it to the new standard XML format. Click Convert and skip to step 4.
3 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click OK to continue.
4 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.


When the Host DLP Policy Manager First Time Initialization wizard appears, complete the following steps:
Step 1 of 8, Welcome: Click Next.

Step 2 of 8, General configuration: By default, the discovery crawler places sensitive files in quarantine. Though McAfee does not recommend it, you can delete these files instead by selecting the Support discovery delete option. This option is not available until you update to full McAfee Host Data Loss Prevention. For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy. For most installations, McAfee recommends leaving these checkboxes unselected.
In very large organizations where the roll-out of DLP Agent 9.0 is staged over time, earlier versions of the DLP Agent need to coexist. Select the appropriate Backward compatibility mode:
- No compatibility (all agents are version 9.0)
- DLP Agent 3.0 and later
- DLP Agent 2.2 patch 2 and later
In very large organizations where search times could be excessive, select Restrict AD searches to default domain. Deselect Deploy policy to reporting database if you want to prevent deploying the policy to the DLP tables in the ePO database. This option does not require WCF to be installed on the server, but might result in the DLP Monitor not working as expected. Configure the Policy Manager WCF service path. For the standard installation, accept the default. Click Test Connection to verify. Click Next.

Step 3 of 8, Configure the manual tagging authorization list: Type user names, or click Add to search for user names (optional). Click Next.
NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP Manual Tagging Users, and using the group when configuring Access Control.

Step 4 of 8, Configure the Agent override key password: Type a password and confirmation (required). If you don't want agent key generation events reported to the database, deselect the checkbox. See the McAfee Host Data Loss Prevention Product Guide for more information on Agent bypass. Click Next.

Step 5 of 8, Whitelist configuration: Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.

Step 6 of 8, Agent popup service configuration: Modify the default Agent notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.

Step 7 of 8, Event collector and replication servers configuration: Browse to the Evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Readme: New Features for more information. Click Next.

Step 8 of 8, Configuration completed: Click Finish.

The Initialization Wizard dialog box appears with the message Apply McAfee DLP initial configuration? If you have not skipped any required steps, you can click Yes and apply the initial policy. If you have skipped required steps, click No to complete the initialization.
NOTE: A password is required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.
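Both of the Before you begin checks in this chapter (the ePolicy Orchestrator server listed under Trusted Sites before installing the extension, and the two ActiveX settings before the DLP Management Tools installer runs) are per-user Internet Explorer zone settings, and on an administrator's workstation they are easier to set and audit from a script than from the Custom level dialog. The following PowerShell is an added example and not part of the McAfee guide. The ePO host name is a placeholder; the registry paths and the 1001 and 2201 action values are Internet Explorer's own zone settings. It relaxes ActiveX for the Trusted sites zone only, which is the point: the ePO console needs it, the Internet zone does not.

```powershell
# Added example, not from the McAfee guide. Per-user Internet Explorer settings for the
# administrator's workstation: add the ePO server to the Trusted sites zone and enable the
# two ActiveX settings the guide names, in that zone only. The host name is a placeholder.
# Zone settings pushed by Group Policy (Software\Policies\...\Internet Settings) take precedence.

$ZoneMapKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'  # 2 = Trusted sites
$TrustedZone    = 2

# Action values inside a zone key: 1001 = Download signed ActiveX controls,
# 2201 = Automatic prompting for ActiveX controls. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveXSettings = @{ '1001' = 0; '2201' = 0 }

function Get-ZoneMapPath {
    # IE stores "epo.example.com" as Domains\example.com\epo, and a single-label
    # name such as EPOSRV as Domains\EPOSRV.
    param([Parameter(Mandatory = $true)] [string] $HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -ge 3) {
        $domain = ($labels[-2..-1]) -join '.'
        $sub    = ($labels[0..($labels.Count - 3)]) -join '.'
        return (Join-Path (Join-Path $ZoneMapKey $domain) $sub)
    }
    return (Join-Path $ZoneMapKey $HostName)
}

function Add-EpoTrustedSite {
    # Maps <scheme>://<host> to the Trusted sites zone; only that scheme, not the whole host.
    param([Parameter(Mandatory = $true)] [string] $HostName, [string] $Scheme = 'https')
    $key = Get-ZoneMapPath -HostName $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

function Enable-TrustedZoneActiveX {
    # Relax ActiveX for Trusted sites (zone 2) only; the Internet zone (3) is left alone.
    foreach ($name in $ActiveXSettings.Keys) {
        Set-ItemProperty -Path $TrustedZoneKey -Name $name -Value $ActiveXSettings[$name] -Type DWord
    }
}

function Test-EpoConsolePrereqs {
    # Reports the three "Before you begin" checks from this chapter as booleans.
    param([Parameter(Mandatory = $true)] [string] $HostName, [string] $Scheme = 'https')
    $site = Get-ItemProperty -Path (Get-ZoneMapPath -HostName $HostName) -ErrorAction SilentlyContinue
    $zone = Get-ItemProperty -Path $TrustedZoneKey
    [pscustomobject]@{
        EpoServerTrusted      = ($null -ne $site -and $site.$Scheme -eq $TrustedZone)
        DownloadSignedActiveX = ($zone.'1001' -eq 0)
        AutoPromptActiveX     = ($zone.'2201' -eq 0)
    }
}

$EpoHost = 'epo.example.com'   # placeholder: your ePolicy Orchestrator server name
Add-EpoTrustedSite -HostName $EpoHost
Enable-TrustedZoneActiveX
Test-EpoConsolePrereqs -HostName $EpoHost
```

Run Test-EpoConsolePrereqs alone first to see which of the three checks is failing before changing anything. Two caveats: on a Windows Server console with Internet Explorer Enhanced Security Configuration turned on, the site mapping lives under ZoneMap\EscDomains rather than ZoneMap\Domains, and if the zone is administered by Group Policy these HKCU values are overridden and the change must be made in the policy instead.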

Upgrading the license


McAfee Host Data Loss Prevention software comes in two versions, McAfee Device Control and McAfee Host Data Loss Prevention, with two licensing options for each, 90-day trial and unlimited. The default installation is McAfee Device Control with a 90-day trial license. If you purchased a different licensing option, use this task to change the licensing of your software.

Before you begin
Before starting this task, purchase your upgrade license and get an activation key from your McAfee sales representative.

Task
1 On the Host DLP Policy Manager menu bar, select Help | Update License. The View and Update License window displays the current (default) activation key and expiration date.
2 Click Update.
3 Type or paste the Activation Key in the text box and click Apply. A warning that you must log on again for the change to take effect appears.
4 Click OK to close the message box, and click Close to close the Update License window, then log off ePolicy Orchestrator.
5 Log on to ePolicy Orchestrator to complete the upgrade.
6 From the Agent Configuration menu, select Edit Global Agent Configuration.
7 Go to the File Tracking tab and select Enable file tracking.
8 Go to the Miscellaneous tab. Only the Device Control, Agent Popup service, Replicating, and Reporting modules are selected. Select the remaining modules to enable them and click OK.
  NOTE: Do not enable modules you don't use. They increase the agent size and slow its operation unnecessarily.
9 On the Toolbar, click the button that applies the policy to ePolicy Orchestrator. The policy changes are applied to ePolicy Orchestrator.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.

Applying the policy


Use this task to apply the default policy. You are automatically prompted after the initialization wizard closes.

Before you begin
If you are upgrading from a previous version of McAfee Host Data Loss Prevention, and have backed up the policy, open the saved policy and run the conversion wizard before applying the policy.
NOTE: If the old policy is from full McAfee Host Data Loss Prevention, you must upgrade the default license before proceeding.

Task
1 Click Yes to apply the policy. The Applying to ePO window appears.

Figure 6: Verifying the application to ePolicy Orchestrator

2 Click Close when the task is complete.

Initializing the Host DLP Monitor


Use this task to initialize the Host DLP Monitor.

Task
1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Monitor.
  NOTE: The first time you select Host DLP Monitor, a warning window requests the WCF server path.
2 Click OK. For a standard installation, accept the default. For a backward-compatible installation, type the WCF service address in the dialog box, then click OK. The Host DLP Monitor opens.

Figure 7: Initializing the Host DLP Monitor

Checking in the DLP Agent package to ePolicy Orchestrator


Any client computer with data protected by McAfee software must have the McAfee and DLP Agents installed, making it a managed computer. The DLP Agent installation can be performed using the ePolicy Orchestrator infrastructure. Use this task to install the DLP Agent in ePolicy Orchestrator.

Task
1 On the ePolicy Orchestrator 4.5 console, click Menu | Software | Master Repository.
2 In the Master Repository, click Actions | Check In Package.
3 Select package type Product or Update (.ZIP), browse to ..\HDLPAgentPackage_9_0_0_xxx.zip, then click Next. The Check in Package page appears.
  NOTE: If you are upgrading, you are prompted that the product already exists. Click OK. The new agent package replaces the old one.
4 Review the details on the screen, then click Save. The package is added to the master repository.


Deploying the DLP Agent


Use these tasks to deploy the DLP Agent to the workstations.

Tasks
Defining a default rule
Deploying the DLP Agent in ePolicy Orchestrator
Verifying the installation

Defining a default rule


To verify that the DLP Agent has been deployed properly, McAfee recommends defining a default rule before deploying the agent. Use this task to define a default rule. The rule described is an example of a simple rule that can be used to test the system.

Task
1 Create a classification rule:
  a In the Host DLP Policy Manager navigation bar under Content Protection, select Classification Rules.
  b Right-click in the Classification Rules window and select Add New | Content Classification Rule. Rename the rule "Email Classification Rule".
  c Double-click the rule icon to modify the rule.
  d In step 1 of the rule creation wizard, scroll down the text patterns and select Email Address. Click Next twice, skipping step 2.
  e In step 3 of the rule creation wizard, click Add New to create a new category. Name it Email Category, click OK to accept the new category, then click Finish.
  f Right-click the rule icon and select Enable.
2 Create a protection rule:
  a In the Host DLP Policy Manager navigation bar under Content Protection, select Protection Rules.
  b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
  c Double-click the rule icon to modify the rule.
  d Click through to step 2 of the rule creation wizard and add the Email Category created when creating the classification rule in the Included column.
  e Click through to step 6 of the rule creation wizard. Select Monitor, then click Finish.
  f Right-click the rule icon and select Enable.
3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors.
4 On the Toolbar, click the button that applies the policy to ePolicy Orchestrator. The policy is applied to ePolicy Orchestrator.


Deploying the DLP Agent in ePolicy Orchestrator


Use this task to deploy the DLP Agent when working in ePolicy Orchestrator.

Before you begin
McAfee Agent 4.0 must be installed in ePolicy Orchestrator and deployed to the target computers before the DLP Agent is deployed. Consult the ePolicy Orchestrator documentation on how to verify this, and how to install it if necessary.

Task
1 In ePolicy Orchestrator 4.5, click System Tree.
2 In the System Tree, select the level at which to deploy the DLP Agents.
  TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy Orchestrator. If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy the DLP Agent to individual workstations.
3 Click the Client Tasks tab.
4 Under Actions, click New Task. The Client Task Builder wizard opens.
5 In the Name field, type a suitable name, for example, Install DLP Agent. In the Type field, select Product Deployment (McAfee Agent). Click Next.
6 In the Products and Components field, select Data Loss Prevention 9.0.0.x. The Action field automatically resets to Install. Click Next.
7 Change the Schedule type to Run immediately. Click Next.
8 Review the task summary. When you are satisfied that it is correct, click Save.
9 The task is scheduled for the next time the McAfee Agent updates the policy. To force the installation to take place immediately, issue an agent wake-up call.
10 After the DLP Agent has been deployed, restart the agent computers.

Verifying the installation


Use this task to verify the Host DLP Monitor installation.

Task
1 Click Menu | Data Protection | DLP Monitor. The Host DLP Monitor opens with a list of events, which should include Agent Installation Events.
2 On a managed computer, verify the agent installation and force policy enforcement with the cmdagent.exe /s command, which opens the McAfee Agent status monitor. Refer to the ePolicy Orchestrator/McAfee Agent documentation for information.
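Step 2 is interactive: cmdagent.exe /s opens the status monitor and you click its buttons. When the same check has to be made on many workstations, the non-interactive switches of the same tool do the work. The following PowerShell is an added example and not part of the McAfee guide. It locates cmdagent.exe in the McAfee Agent 4.x default directory, confirms the DLP Agent is registered in Add/Remove Programs, and runs the collect-props, check-policies and enforce-policies switches in sequence. The Add/Remove Programs display name pattern for the DLP Agent is an assumption; adjust it to what your agent package registers.

```powershell
# Added example, not from the McAfee guide. Run elevated on a managed workstation.
# cmdagent.exe is the McAfee Agent command-line tool. Switches used: /p (collect and send
# properties), /c (check for new policies), /e (enforce policies); these are the
# non-interactive equivalents of the buttons in the /s status monitor the guide opens.

function Find-CmdAgent {
    # McAfee Agent 4.x default install directory (32-bit and 64-bit Windows).
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) {
            $exe = Join-Path $root 'McAfee\Common Framework\cmdagent.exe'
            if (Test-Path -LiteralPath $exe) { return $exe }
        }
    }
    throw 'McAfee Agent (cmdagent.exe) not found; deploy the McAfee Agent first.'
}

function Test-DlpAgentInstalled {
    # Looks for the DLP Agent among the Add/Remove Programs entries. The DisplayName
    # pattern is an assumption, not taken from the guide.
    param([string] $NamePattern = '*Data Loss Prevention*')
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern }
    return @($hits | Select-Object DisplayName, DisplayVersion)
}

function Invoke-AgentPolicyRefresh {
    # Same effect as opening cmdagent.exe /s and clicking Collect and Send Props,
    # Check New Policies and Enforce Policies, in that order. Returns one row per switch.
    $exe = Find-CmdAgent
    foreach ($switch in '/p', '/c', '/e') {
        $p = Start-Process -FilePath $exe -ArgumentList $switch -Wait -PassThru -NoNewWindow
        [pscustomobject]@{ Switch = $switch; ExitCode = $p.ExitCode }
    }
}

$installed = Test-DlpAgentInstalled
if ($installed.Count -eq 0) {
    Write-Warning 'DLP Agent not found in Add/Remove Programs on this computer.'
} else {
    $installed | Format-Table -AutoSize
}
Invoke-AgentPolicyRefresh | Format-Table -AutoSize
# Then confirm in Menu | Data Protection | DLP Monitor that an Agent Installation Event
# has arrived for this computer.
```

The /p switch matters for the verification in step 1: the Agent Installation Event reaches the Host DLP Monitor only after the agent has reported back to ePolicy Orchestrator, so forcing a property collection shortens the wait before the event appears.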


Appendix I Deploying McAfee Host Data Loss Prevention with SMS


This appendix reviews the creation of Microsoft Systems Management Server packages for deployment of the DLP Agent without using ePolicy Orchestrator. Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying and managing applications and operating systems on Windows desktops and servers. The following tasks assume working in the Microsoft SMS 2003 environment.

Contents
Creating an installation package
Creating the advertisement
Creating the SMS uninstall package

Creating an installation package


Use this task to create an installation package for deploying DLP Agents using SMS.

Before you begin
Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.

Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu, and click OK. The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node. Right-click Distribution Points and select New | Distribution Point.
7 Select the server or servers you want to be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the program name.
9 In the Command Line text box, type the DLP command line executable, for example: msiexec /I DLPAgentInstall.msi /qn /forcerestart
  NOTE: McAfee recommends restarting the managed computer after DLP Agent package installation. To enable this option use the /forcerestart parameter. To enable the installation log use /log <LogFile>.
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down menu. Click OK.
  NOTE: Verify that Run with Administrative Rights is selected. McAfee Host Data Loss Prevention setup requires administrative rights to complete installation successfully.

Creating the advertisement


SMS packages need to be "advertised." Use this task to create the SMS package advertisement.

Task
1 In the Systems Management Server console, right-click Advertisements and select New | Advertisement.
2 Type the advertisement name.
3 From the Package drop-down menu, select the McAfee DLP package name.
4 From the Program drop-down menu, select the McAfee DLP program name.
5 Click Browse and select the collection that the McAfee DLP installation package should apply to, then click OK. On the Schedule tab, confirm the time that the advertisement is offered, specify if the advertisement should expire, and when. Click OK.

Creating the SMS uninstall package


Use this task to create the SMS uninstall package.

Task
1 In the Systems Management Server console, right-click Packages and select New | Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu, and click OK. The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node. Right-click Distribution Points and select New | Distribution Point.
7 Select the server or servers you want to be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the program name.
9 In the Command Line text box, type the DLP command line executable, for example:
  msiexec /x DLPAgentInstall.msi /qn /forcerestart
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down menu. Click OK.
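The program command lines in the install and uninstall tasks above run msiexec silently, so the only feedback SMS gets is the exit code, and /forcerestart reboots the computer the moment msiexec finishes, even when a user is logged on (the program runs "whether or not a user is logged on"). The following PowerShell is an added example and not part of the McAfee guide. It wraps both command lines, adds the /log file the guide mentions, translates the msiexec exit codes into a readable result, and defaults to /norestart so that a pending restart is reported (exit code 3010) rather than forced. It assumes DLPAgentInstall.msi sits in the package source directory the program runs from; the log path is a placeholder.

```powershell
# Added example, not from the McAfee guide. Wraps the msiexec command lines given for the
# SMS install and uninstall programs, adds the /log file the guide mentions and turns the
# msiexec exit code into a clear result. Assumes DLPAgentInstall.msi is in the directory the
# SMS program runs from (the package source directory); the log path is a placeholder.

function Invoke-DlpAgentMsi {
    param(
        [ValidateSet('Install', 'Uninstall')] [string] $Action = 'Install',
        [string] $Msi = 'DLPAgentInstall.msi',
        [string] $Log = (Join-Path $env:windir "Temp\DLPAgent-$Action.log"),
        # The guide's /forcerestart reboots as soon as msiexec finishes, even with a user
        # logged on. Default here is /norestart; exit code 3010 then reports the pending restart.
        [switch] $ForceRestart
    )
    if (-not (Test-Path -LiteralPath $Msi)) { throw "MSI not found: $Msi" }

    $verb    = if ($Action -eq 'Install') { '/i' } else { '/x' }   # /I and /i are the same to msiexec
    $restart = if ($ForceRestart) { '/forcerestart' } else { '/norestart' }
    $argList = @($verb, "`"$Msi`"", '/qn', $restart, '/log', "`"$Log`"")

    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    $meaning = switch ($p.ExitCode) {
        0       { 'Success' }
        1641    { 'Success, restart initiated' }          # ERROR_SUCCESS_REBOOT_INITIATED
        3010    { 'Success, restart required' }           # ERROR_SUCCESS_REBOOT_REQUIRED
        1603    { 'Fatal error during installation' }
        1618    { 'Another installation is already in progress' }
        1619    { 'Installation package could not be opened' }
        default { "Failed with exit code $($p.ExitCode)" }
    }
    [pscustomobject]@{ Action = $Action; ExitCode = $p.ExitCode; Result = $meaning; Log = $Log }
}

# Install program (the guide's "msiexec /I DLPAgentInstall.msi /qn /forcerestart", with a log):
$result = Invoke-DlpAgentMsi -Action Install
$result | Format-List
# Uninstall program ("msiexec /x DLPAgentInstall.msi /qn /forcerestart"), reboot forced as in the guide:
# Invoke-DlpAgentMsi -Action Uninstall -ForceRestart

# Hand a non-success code back to SMS so the program run is recorded as failed.
if (@(0, 1641, 3010) -notcontains $result.ExitCode) { exit $result.ExitCode }
```

The Visual C++ 2005 SP1 runtime named under Before you begin is still a prerequisite the package has to satisfy; this wrapper does not install it. On a 3010 result the guide's recommendation stands: restart the managed computer before expecting the DLP Agent to enforce policy.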


Appendix II Users and permission sets


McAfee Host Data Loss Prevention roles and permissions are created and set in ePolicy Orchestrator. McAfee recommends creating specific administrator roles and permissions for the DLP Policy Manager and the DLP Monitor. Roles include creating and saving policies, viewing (but not changing) policies, generating override, uninstall, and quarantine release keys, viewing the DLP Monitor, and revealing sensitive fields in the Monitor.

Sensitive data redaction and the DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all circumstances, McAfee Host Data Loss Prevention software version 9.0 offers a data redaction feature. Fields in the DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. The feature is designed with a "double key" release: to use it, you must create two permission sets, one to view the monitor and another to view the encrypted fields. Both roles are required to use the feature.

Contents
Creating and defining DLP administrators
Creating and defining permission sets
DLP permission set options

Creating and defining DLP administrators


Use this task to create and define a DLP administrator in ePolicy Orchestrator.

Task
For option definitions, click ? in the interface.
1 On the ePolicy Orchestrator menu, select User Management | Users.
2 Click New User.
3 Type a user name and specify logon status, authentication type, and permission sets. McAfee recommends creating user groups related to the role, for example DLP Monitor Viewer.
  NOTE: The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.


Creating and defining permission sets


Use this task to create and define a DLP administrator permission set in ePolicy Orchestrator.

Task
For option definitions, click ? in the interface.
1 On the ePolicy Orchestrator menu, select User Management | Permission Sets.
2 Click New Permission Set.
3 Type a name for the set and select users.
  NOTE: The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.
4 Click Save.
5 In the Data Loss Prevention field for the new permission set, click Edit.
6 Select the required permissions and click Save.

Figure 8: Editing a permission set for HDLP

NOTE: To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.

DLP permission set options


Permission set options are designed to give granular control over administrator roles. While the division of roles is generally optional, if you are using the sensitive data redaction feature, you must create separate permission sets for the monitor viewer and the administrator who can reveal the encrypted data. Use this page to specify permission sets for DLP administrators in ePolicy Orchestrator. Option definitions
Option: User cannot view policies.
Definition: User is not a policy administrator.

Option: User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys.
Definition: User administrator role is limited to override, uninstall, and release keys.

Option: User can only view policies.
Definition: User can review but not edit policies.

Option: User can view and save policies.
Definition: User has full policy administrator permissions.

Option: User cannot view DLP Monitor.
Definition: User is not a monitor administrator.

Option: User can partially view DLP Monitor (cannot view private fields).
Definition: New in McAfee Host Data Loss Prevention software version 9.0; one of the required roles for sensitive data redaction.

Option: User can reveal sensitive data but cannot view DLP Monitor.
Definition: New in McAfee Host Data Loss Prevention software version 9.0; one of the required roles for sensitive data redaction. User can only reveal sensitive data in the presence of a user with view permissions.

Option: User can view DLP Monitor.
Definition: User has full monitor administrator permissions. Use this option if you are not using the sensitive data redaction feature.
