SERVICES
To remain at NCISS. Please do not take away.
NATO UNCLASSIFIED
Table of Contents
Module 07 TrendMicro ScanMail Install Demo v1 - page 1
Module 07 TrendMicro ScanMail Config Demo v1 - page 19
Module 08 McAfee AV Install and Update Demo v1 - page 37
Module 08 McAfee AV Config V8.0 Demo v1 - page 56
Module 09 ePO 3_6 Demo v1 - page 88
Module 10 WAC Demo v1 - page 105
Overview
This demonstration describes, step by step, all actions required to install Trend Micro ScanMail for Microsoft Exchange Server.
Requirements for ScanMail 8.0
- Windows Server 2003 with Service Pack 2 or above
- Exchange Server 2003 with Service Pack 2 or above
- Java Runtime Environment 1.5.0_10 (Jre-1_5_0_10) or above; use the latest approved version

Preparations
The following installation files are to be downloaded from the NCIRC web site (you can also request the product CD issued by NITC NCIRC TC):
- SMEXV8.0-b1.zip - contains the installation files for ScanMail V8.0
- smex_80_win_en_patch2.exe - contains the installation files for ScanMail V8.0 Patch 2
It is recommended to download and unzip the files into a separate temporary folder on the server before commencing the installation.
Step 2: Locate the SMEX v8 installation files on the hard drive and <Double Click> Setup.exe to start the installation.
Step 3: The Welcome to Trend Micro ScanMail Setup screen opens. <Click> [Next] to continue the installation.
Step 4: The License Agreement window opens. To continue the installation, <Click> the I accept the terms in the license agreement radio button, then <Click> [Next].
Step 5: The Select an Action screen appears. To perform a fresh installation or upgrade, <Click> the Install/Upgrade option then <Click> [Next] to continue with the installation.
Step 6: The Server Role Selection screen opens. Specify the server role onto which ScanMail will be installed: <Click> the Exchange Server 2000/2003 option, then <Click> [Next] to continue the installation.
Step 7: The Select Target Server(s) screen appears. The Setup program can install ScanMail to a number of single servers or to multiple servers in a domain. You must be using an account with the appropriate admin privileges to access every target server. <Click> Browse and browse the computers that are available on your network.
Step 8: Select the server where you want to install ScanMail. <Double click> on SCHOOL and then <Click> on EXSERVER2003. <Click> OK to continue.
Step 9: After the server selection window closes, verify that the server names listed in the Select Target Server(s) window are correct, and if so, <Click> [Next].
Step 10: The Log On screen opens. Log on to the target servers where you want to install ScanMail. You must log on with an account that has Domain Administrator privileges unless you have manually created the "SMEX Admin Group" and the user account for the Web management console administrator in your domain. Type domain\user_name and the password (e.g. SCHOOL\Administrator and xxxxxxxx in the VMware environment created for this class) to log on to the target server. <Click> [Next] to accept the logon credentials for the target servers and continue the installation.
Step 11: Accept the default directory path into which ScanMail will be installed on the target server. Accept the default share name shown (the specified user must have access rights to it) or keep the default temporary share, C$. The Setup program uses the share to copy temporary files during installation; it can be accessed only by administrators. <Click> [Next] to continue the installation.
Step 12: The Checking Target Server System Requirements window opens. Setup checks that the target Exchange server meets the system requirements; the minimum is Exchange 2003 SP2. Verify that the correct Exchange virtual server is displayed, then <Click> [Next>].
Step 13: The Web Server Information screen opens. <Click> the radio button to select Microsoft Internet Information Services 5.0 or 6.0. Keep the default drop down selection, Virtual Web Site and the Port Number 16372.
Step 14: The Connection Settings screen appears. By default, the proxy server is disabled. If a proxy server handles Internet traffic on your network, you must enter the proxy server information at this screen.
Step 15: Enter the Activation Code to get full ScanMail protection. Contact the COMPUSEC NCIRC Malware Protection Cell at antivirus@ncirc.nato.int for the official activation key. Copy the Activation Code and paste it into the first Activation Code input field on this screen; the Setup program parses the entire string and populates the remaining fields. <Click> [Next] to continue the installation.
Step 16: The World Virus Tracking Program screen appears. Read the statement and <Click> No, I don't want to participate, then <Click> [Next] to continue the installation.
Step 17: The End User Quarantine Setting screen opens. <Click> Integrate with Outlook Junk E-mail to send all ScanMail detected spam messages to the Junk E-mail folder in Outlook. <Click> [Next] to continue.
Step 18: The Control Manager Server Settings screen opens. Generally the Trend Micro Control Manager is not used in NATO so leave the Register ScanMail agent to Control Manager Server check box empty. <Click> [Next] to continue.
Step 19: The Web Management Console Configuration screen opens. This screen is used to create the Active Directory Domain Group and Account used to manage SMEX from web management console. For a new installation <Click> Create a new account. <Click> [Next] to continue.
Step 20: Accept the Trend Micro default user name, or change it to a simple user name. For this class use: User name: SMEXadmin, Password: xxxxxxxx. Setup creates the "SMEX Admin Group" and your SMEX administrator account in Active Directory, then adds the administrator account to the SMEX Admin Group. <Click> [Next] to continue the installation.
Step 21: The Review Settings screen opens. Read and verify the configuration settings; if you are satisfied with the choices, <Click> [Next].
Step 22: The Installation Progress Screen opens. This screen shows the installation process. <Click> [View Details] to display a list of all computers to which ScanMail is being installed and their current status.
Step 23: Progress status screen opens. <Click> [OK] to return to the Installation Progress screen.
Step 24: Return to the Installation Progress Screen. <Click> [Next] to continue installation.
Step 25: The Installation Complete screen appears, informing you that the installation was successful. <Click> the View the Readme file check box so that the readme opens when Setup finishes, then <Click> [Finish] to exit the Setup program. Read the Readme file, especially the Known Issues section.
Step 26: Verify the installation. Check for the following services using Microsoft's Services console (Start > All Programs > Administrative Tools > Services):
- ScanMail for Microsoft Exchange Master Service
- ScanMail for Microsoft Exchange Remote Configuration Server
- ScanMail for Microsoft Exchange System Watcher
Verify that ScanMail added the following keys and values to the registry (<ServerName> is the Exchange virtual server name and <MDB-GUID> the GUID of each mailbox or public folder store):
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ScanMail for Exchange
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Private-<MDB-GUID>\VirusScanEnabled
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Private-<MDB-GUID>\VirusScanBackgroundScanning
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Public-<MDB-GUID>\VirusScanEnabled
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Public-<MDB-GUID>\VirusScanBackgroundScanning
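The PowerShell script below is an added example and is not part of the NCIRC course material. It performs the Step 26 checks from the command line so they can be repeated on every ScanMail server after installation and after each patch, instead of clicking through the Services console and Registry Editor. The service display names and registry paths are those listed above. The default value of -ServerName (the computer name; the Exchange virtual server name may differ on clustered servers), the treatment of a VirusScanEnabled or VirusScanBackgroundScanning value other than 1 as a warning rather than a failure, and the exit-code convention are assumptions of this example. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example, not from the course material: automates the Step 26 checks.
# Service display names and registry paths are as listed above. The
# -ServerName default, the warning on VirusScan* values that are not 1, and
# the exit codes are assumptions of this example.
param(
    [string]$ServerName = $env:COMPUTERNAME   # Exchange virtual server name
)

$failures = @()
$warnings = @()

# 1. Services created by SMEX Setup (display names from Step 26).
$expectedServices = @(
    'ScanMail for Microsoft Exchange Master Service',
    'ScanMail for Microsoft Exchange Remote Configuration Server',
    'ScanMail for Microsoft Exchange System Watcher'
)
foreach ($name in $expectedServices) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $failures += "Service missing: $name"
    } elseif ($svc.Status -ne 'Running') {
        $failures += "Service not running: $name (state: $($svc.Status))"
    }
}

# 2. Product key written by Setup.
$smexKey = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange'
if (-not (Test-Path $smexKey)) { $failures += "Registry key missing: $smexKey" }

# 3. VSAPI hook registered with the Exchange Information Store.
$isKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
if (-not (Test-Path "$isKey\VirusScan")) { $failures += "Registry key missing: $isKey\VirusScan" }

# 4. Per-store VSAPI values. The Private-<GUID> and Public-<GUID> keys are
#    enumerated rather than typed in, so the script works on any server.
$storeKeys = @(Get-ChildItem "$isKey\$ServerName" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Private-*' -or $_.PSChildName -like 'Public-*' })
if ($storeKeys.Count -eq 0) {
    $failures += "No Private-/Public- store keys found under $isKey\$ServerName"
}
foreach ($store in $storeKeys) {
    $props = Get-ItemProperty -Path $store.PSPath
    foreach ($valueName in 'VirusScanEnabled', 'VirusScanBackgroundScanning') {
        $value = $props.$valueName
        if ($null -eq $value) {
            $failures += "$($store.PSChildName): value $valueName missing"
        } elseif ($value -ne 1) {
            # Present but not 1: Setup normally enables VSAPI scanning (assumption).
            $warnings += "$($store.PSChildName): $valueName = $value"
        }
    }
}

$warnings | ForEach-Object { Write-Warning $_ }
if ($failures.Count -eq 0) {
    Write-Host "SMEX post-install check PASSED on $ServerName ($($storeKeys.Count) store(s) checked)"
    exit 0
}
$failures | ForEach-Object { Write-Host "FAIL: $_" }
Write-Host "SMEX post-install check FAILED with $($failures.Count) problem(s)"
exit 1
```

A non-zero exit code makes the script usable from a scheduled task or a remote loop over all Exchange servers in the domain; a server that passes the service check but reports a store with no VirusScanEnabled value is one on which the store was mounted after ScanMail was installed and therefore is not being scanned by VSAPI.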
Step 27: Install the latest SMEX software update patch. The latest SMEX patch can be found on the NCIRC NS web portal at http://www.ncirc.nato.int/software/antimalware.htm. On the website, <Click> the [Mail Server Solutions] tab, then go to the Patches Trend Micro ScanMail v.8.0 section. Patches are normally cumulative; at the time of writing the latest patch is SMEX 8.0 Patch 2. Download and unzip the file into a temp folder on every server that needs to be patched, then run the patch installer.
Step 28: The ScanMail for Microsoft Exchange 8.0 Patch window opens (the title shows the number of the patch you are installing) and displays the Trend Micro License Agreement. <Click> the I accept the terms of the legal agreement radio button, then <Click> [Next] to continue the installation.
Step 29: The ScanMail for Microsoft Exchange Patch Installation -Welcome window opens. You could scroll down within this install screen to read the installation notes. <Click> [Install] to continue patch installation.
Step 30: The Trend Micro Install package window opens. Do not close any command window that may appear during installation. <Click> [Yes] to continue.
Step 31: The ScanMail for Microsoft Exchange Patch Installation - Welcome opens. This window shows the installation progress. NOTE: Please do not close any command prompt during patch installation.
Step 32: Using the Microsoft Services console, verify that the ScanMail services are running again after the patch.
Overview
Demonstration 2 provides the basic steps required to configure Trend Micro ScanMail for Microsoft Exchange Server. A Web management console is used to access, configure and control ScanMail. The console allows multiple Microsoft Exchange servers and remote servers to be managed from any computer on the network. The management console is password protected, ensuring that only the ScanMail administrator can modify ScanMail settings. A Java-enabled web browser that supports frames, such as Internet Explorer 5.5 with SP3 or above, is required to access and manage the Web management console. Make sure the Java virtual machine is installed on your computer before you start the ScanMail Web Management Console. The settings ticked in this demonstration are those recommended by NATO NCIRC.
Step 1: <Click> [Start > Programs > Trend Micro ScanMail for Microsoft Exchange > ScanMail Management Console] to open the Web management console, or use Internet Explorer to access http://<ScanMail servername>:<portnumber>/smex, e.g. http://localhost:16372/smex (16372 is the HTTP port number accepted in installation Step 13).
Step 2: Log on with the SMEX administrator account created during installation.
Step 3: The ScanMail Summary page is displayed once you have logged on successfully.
Step 4: Both SMTP and VSAPI (mail store) scanning are enabled by default. Scanning in both SMTP and VSAPI modes may result in some files being scanned twice, but with SMTP scanning enabled SMEX can perform the Delete entire message and Quarantine entire message actions. This functionality is more important than the small performance gain from disabling SMTP scanning.
If SMTP scanning is disabled the icon is RED; enable SMTP scanning by <Clicking> the icon so that it turns GREEN.
Step 5: <Click> Virus Scan on the sidebar and then <Click> Enable real-time virus scan. Configure the Target tab:
- Default scan section: <Click> All attachment files
- IntelliTrap section: deselect the Enable IntelliTrap check box
- Additional Threat Scan section: deselect all check boxes
- Advanced Options section: set the Scan Restriction Criteria as follows
Message body size exceeds: 30 MB
Attachment size exceeds: 30 MB
Decompressed file count exceeds: 9999
Size of decompressed file exceeds: 100 MB
Number of layers of compression exceeds: 5
Size of decompressed file is x times the size of compressed file: 1000
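The four archive-related criteria above (file count, decompressed file size, layers of compression, expansion ratio) are the server's defence against decompression bombs: an archive that trips one of them is not expanded further. The PowerShell function below is an added example, not part of the course material, that reports which of these criteria a given ZIP attachment would exceed, which is useful when deciding whether a quarantined or blocked attachment was a genuine bomb or merely a large legitimate archive. It walks nested ZIP files to count compression layers and refuses to inflate anything whose declared size already exceeds the limit, so the check itself cannot be used to exhaust memory. It needs .NET 4.5 or later (System.IO.Compression), so run it on an administrator workstation rather than on the Exchange 2003 server. The threshold defaults are the course values; the function name, the output object and the example path in the usage comment are this example's own. The message body and attachment size limits are not archive properties and are not evaluated here.

```powershell
# Added example, not from the course material: reports which of the SMEX Scan
# Restriction Criteria above a ZIP attachment would exceed. Requires .NET 4.5+.
# Threshold defaults are the course values; function and output names are
# this example's own.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SmexArchiveRestrictions {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int] $MaxFileCount        = 9999,    # Decompressed file count exceeds
        [long]$MaxDecompressedSize = 100MB,   # Size of decompressed file exceeds
        [int] $MaxLayers           = 5,       # Number of layers of compression exceeds
        [int] $MaxRatio            = 1000     # Decompressed size is x times compressed size
    )

    # Totals gathered across all layers; a hashtable is passed by reference.
    $acc = @{ FileCount = 0; LargestFile = 0L; MaxRatio = 0L; Layers = 0; Note = $null }

    function Walk([System.IO.Stream]$stream, [int]$layer) {
        if ($layer -gt $acc.Layers) { $acc.Layers = $layer }
        # Do not expand beyond the allowed depth: nesting is the bomb pattern itself.
        if ($layer -gt $MaxLayers) { $acc.Note = 'stopped at layer limit'; return }
        $zip = New-Object System.IO.Compression.ZipArchive($stream, [System.IO.Compression.ZipArchiveMode]::Read)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.FullName.EndsWith('/')) { continue }    # directory entry
                $acc.FileCount++
                if ($entry.Length -gt $acc.LargestFile) { $acc.LargestFile = $entry.Length }
                if ($entry.CompressedLength -gt 0) {
                    # Per-file expansion ratio, from the central directory; no inflation needed.
                    $r = [long][math]::Floor($entry.Length / $entry.CompressedLength)
                    if ($r -gt $acc.MaxRatio) { $acc.MaxRatio = $r }
                }
                # Descend into nested archives only when the declared size is within
                # the limit; otherwise this check would inflate the bomb itself.
                if ($entry.FullName -match '\.zip$' -and $entry.Length -le $MaxDecompressedSize) {
                    $ms = New-Object System.IO.MemoryStream
                    $es = $entry.Open()
                    try { $es.CopyTo($ms) } finally { $es.Dispose() }
                    $ms.Position = 0
                    try { Walk $ms ($layer + 1) } finally { $ms.Dispose() }
                }
            }
        } finally { $zip.Dispose() }
    }

    $fs = [System.IO.File]::OpenRead($Path)
    try { Walk $fs 1 } finally { $fs.Dispose() }

    $violations = @()
    if ($acc.FileCount   -gt $MaxFileCount)        { $violations += "file count $($acc.FileCount) > $MaxFileCount" }
    if ($acc.LargestFile -gt $MaxDecompressedSize) { $violations += "decompressed file $($acc.LargestFile) bytes > $MaxDecompressedSize" }
    if ($acc.Layers      -gt $MaxLayers)           { $violations += "compression layers $($acc.Layers) > $MaxLayers" }
    if ($acc.MaxRatio    -gt $MaxRatio)            { $violations += "expansion ratio $($acc.MaxRatio)x > ${MaxRatio}x" }

    [pscustomobject]@{
        Path              = $Path
        FileCount         = $acc.FileCount
        LargestFile       = $acc.LargestFile
        Layers            = $acc.Layers
        MaxRatio          = $acc.MaxRatio
        Note              = $acc.Note
        Violations        = $violations
        WouldBeRestricted = ($violations.Count -gt 0)
    }
}

# Usage (path is an assumption): Test-SmexArchiveRestrictions -Path C:\temp\suspect.zip | Format-List
```

The ratio is taken from each entry's central-directory sizes rather than by inflating the data, which is why the function can report a 1000x-plus bomb without ever allocating its decompressed size. What SMEX itself does with an attachment that exceeds a restriction is governed by the Action tab configured in the next step.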
Step 7: Continue with the Virus Scan > Action tab configuration, Advanced Options section.
In the Macros section, <Select> the option Enable advanced macro scanning, then <Select> the Heuristic Levels option and, in the drop-down box, set it to 2 - Default filtering.
In the Backup and Quarantine settings section, view the default settings and ensure they are set as follows:
- Backup Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\backup
- Quarantine Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\quarantine
In the Replacement Settings section, review to ensure the default settings are configured as follows:
- Replacement file name: VIRUS_DETECTED_AND_REMOVED.TXT
- Replacement text: ScanMail detected and removed a virus from the original mail entity. You can safely save or delete this replacement attachment.
Next, <Click> to select the option Block attachment types or names with zip files.
Go to the Settings section and <Click> to select the option Send consolidated notification every, keeping the default value of 2 hours. Go to the Advanced Notification subsection, then <Click> to select Write to Windows event log.
Step 12: <Click> Content Filtering on the side bar, then make sure that the option Enable real-time content filtering is NOT selected. See figure below. <Click> the Save button.
Step 13: On the left side bar, <Click> Anti-Spam. Ensure that the option Anti-Spam is disabled. See figure below. <Click> the Save button.
Step 14: Configure Scheduled Scan <Click> Scheduled Scan on the sidebar and then select the Add tab to add a new scan task.
Step 16: When saved, make sure the scheduled scan is enabled as shown in the screenshot below.
Step 17: Configure the updates for the scan engine and virus pattern.
On the sidebar <Click> Updates to expand the Updates drop-down menu, then <Click> Scheduled. In this section, <Click> to select Enable scheduled updates. In the Components Update section, <Click> the check boxes to select Virus pattern, Additional threat pattern and Scan engine. In the Update Schedule section, Update every subsection, <Click> the radio button to select Hour(s) and set it to 4 so that updates are attempted every 4 hours. Adjust the update frequency to match local requirements.
Step 19: For the demonstration purposes, updates are downloaded locally from EXSERVER2003 server. See the screenshot below for settings used in the demonstration. The updates were downloaded from NCIRC website.
Step 20: Test your server's connectivity with the anti-virus repository by initiating a manual update.
On the sidebar, from the previously expanded Updates drop-down menu, <Click> Manual. Ensure that at least the options Virus pattern, Additional threat pattern and Scan engine are selected; if any of them is NOT selected, <Click> its check box to select it.
Step 21: Monitor the manual updates screen to view the progress of the update and make sure it was able to connect to the update location.
On the sidebar <Click> Logs to expand the Logs side bar drop down menu. <Click> to select Maintenance, then the [Automatic] tab. <Click> the check box to select Enable Automatic Maintenance. In the subsection Target, <Click> the radio button to select All logs. Go to subsection Action; for the option Delete logs older than, enter the value 90 days.
Step 27: Configure Administration > Proxy (if you use a proxy on your network). If your environment uses a proxy server to access websites, from the Administration drop-down menu <Click> Proxy. In the Proxy configuration window, <Click> the check box to select Use a proxy server for update and product license notification. In the Settings subsection, fill in the Address field with the HTTP address of the proxy server and the Port field with the port number (e.g. 8080). In the Proxy Password subsection, fill in the user credentials required for SMEX to use the proxy to reach the anti-virus update website.
To save the changes, <Click> the Save button. Email notifications should be tested; coordinate the verification with local administrators, NCIRC TC and the other intended recipients. The NCIRC TC watch keepers can be reached at:
NCN: 254-6666 / 6670
Civil: +32 (0)65 44-6666 / 6670
NS/NU email: NCIRCTC@ncirc.nato.int
From the Administration drop-down menu, <Click> World Virus Tracking. Make sure the radio button No, I don't want to participate is selected in response to the request to participate in the World Virus Tracking program.
Step 34: The following features are viewable from the Server management console: Pattern and engine version, Scanning result, Scanning status, Last replication.
The Server Management Console can be used to replicate any or all SMEX configuration settings from one ScanMail server to other ScanMail servers. Replicating configuration settings in this way is much faster and easier than configuring each server separately, and it ensures that the SMEX configuration is consistent across all ScanMail servers, or groups of servers, that provide the same kind of protection. NOTE: Replicate SMEX settings ONLY with the prior knowledge and approval of all Exchange server system administrators within your domain.
Download the latest McAfee NATO installation file from www.ncirc.nato.int. The file is located via Security & Software tab under Server and Workstation Solutions.
Unzip and open
Unzip the downloaded file (in this case it is called VSE710LEN) to a folder on the desktop, then open the folder.
Start installation
Run Setup from the unzipped folder to start the installation.
Progress bar
A progress bar appears while the system is being prepared for installation.
README text
The McAfee VirusScan Enterprise Setup dialog appears; click Next to proceed.
License to agree
A license agreement dialog box appears. In the Country list box select All Other Countries, for the expiry type select Perpetual, then select the I accept the terms in the license agreement radio button and click OK to proceed.
A Setup Type dialog box appears; select the Typical radio button and click Next.
Finishing preparation
A Ready to Install dialog box appears; click Install to proceed with the installation.
Start scan
Once installation is complete, a dialog box confirms the successful install and offers two options. The first, Update Now, may only be used if the host machine is connected to the Internet; it invokes an automatic check at the McAfee web site for the latest virus definition files. Leave this option unchecked. The second option invokes an immediate scan; select it to confirm that the software is running correctly. Click Finish to start the scan.
Accept or update
Depending on how old the virus definitions are, a warning that the virus definition files are out of date may appear. Click OK to acknowledge the notification and allow the scan to run (the virus definitions are updated in the following steps). Alternatively, an update can be forced by clicking Update.
Watch progress
Download signatures
Download the latest signature file from http://www.mcafee.com/apps/downloads/security_updates/ or obtain it from the local network administrator. Start the update by double-clicking the file (in this case 5087xdat).
Start update
A progress dialog box appears whilst the system is prepared for update.
Complete update
On completion, a dialog box confirms the correct installation of the update. Click Finish; there is no requirement to restart the computer, as the update is activated immediately.
From the system tray in the lower right-hand corner, right-click the McAfee VirusScan icon (a small shield) and select On-Access Scan Properties from the menu.
A properties dialog box appears, opened at the General tab. Ensure that the following configuration options are applied.
In the Scan box:
- Boot sectors: selected
- Floppy during shutdown: selected
In the General box:
- Enable on-access scanning at system startup: selected
- Quarantine folder: set to \quarantine\
In the Scan time box:
- Maximum archive scan time (seconds): set to 60
- Enforce a maximum scanning time for all files: selected
- Maximum scan time (seconds): set to 61
After these settings have been configured, click Apply.
In the same dialog box, under the ScriptScan tab, ensure that the Enable ScriptScan tick box is selected. After this setting has been configured, click Apply.
In the same dialog box, under the Blocking tab, apply the following configuration:
- Send a message: clear
- Block the connection: selected
- Unblock connections after (minutes): 10
- Block if an unwanted program is detected: selected
After these settings have been configured, click Apply.
In the same dialog box, under the Messages tab, apply the following configuration.
In the Messages box:
- Show the messages dialog when a virus is detected: selected
- Text to display in message: Alert!! Call <ADP Co-ordinator> on Helpdesk Ext <local Helpdesk extension number>
- Remove messages from the list: selected
- Clean infected files: selected
- Delete files: selected
- Move infected files to the quarantine folder: selected
Click Apply after making the configuration changes.
In the same dialog box, under the Reports tab, apply the following configuration.
In the Log file box:
- Log to file: selected (retain the existing default of %VSEDEFLOGDIR%\OnAccessScanLog.txt)
- Limit size of log file to: selected, amended to 2 megabytes
- Format: Unicode (UTF8)
In the What to log in addition to virus activity box:
- Session settings: selected
- Session summary: selected
- Failure to scan encrypted files: selected
- User name: selected
Click Apply after making the configuration changes.
On the left-hand side of the dialog box, click All Processes. The Processes tab opens by default; select the option Use the settings on these tabs for all processes, then click Apply.
Open the Detection tab.
In the Scan files box:
- When writing to disk: select
- When reading from disk: select
- On network drives: deselect
In the What to scan box:
- All files: select
- Default + additional file types: deselect
- Specified file types: deselect
Click Apply after making the configuration changes.
Open the Advanced tab.
In the Heuristics box:
- Find unknown program viruses: select
- Find unknown macro viruses: select
In the Compressed files box:
- Scan inside archives (e.g. ZIP): deselect
- Decode MIME encoded files: deselect
Click Apply after making the configuration changes.
Open the Actions tab.
- When a virus is found: select Clean infected files automatically
- If the above action fails: select Move infected files to a folder
Click Apply after making the configuration changes.
Open the Unwanted Programs tab.
- Detect unwanted programs: select
When an unwanted program is found:
- Primary action: Clean files automatically
- Secondary action: Move files to a folder
Click Apply after making the configuration changes.
1. Open the VirusScan Console and right click on the On-Delivery E-mail Scanner item, select Properties from the sub menu.
Open the Detection tab.
In the Scanning of e-mail box, Attachments to scan:
- All file types: select
- Default + additional file types [0]: deselect
- Specified file types [0]: deselect
Click Apply after making the configuration changes.
Open the Advanced tab.
In the Heuristics box:
- Find unknown program viruses: select
- Find unknown macro viruses: select
- Find attachments with multiple extensions: select
In the Compressed files box:
- Scan inside archives (e.g. ZIP): select
- Decode MIME encoded files: select
In the E-mail message body box:
- Scan e-mail message body: select
Click Apply after making the configuration changes.
Open the Actions tab.
When an infected attachment is found:
- Primary action (when a virus is found): select Clean infected attachments
- Secondary action (if the first action fails): select Move infected attachments to a folder; Move to folder: Quarantine
Allowed actions in prompt dialog box:
- Clean attachment: selected
- Delete attachment: selected
- Move attachment: selected
Click Apply after making the configuration changes.
Open the Alerts tab. In the E-mail alert box select Send alert to mail user then click Configure.
Open the Unwanted Programs tab.
- Detect unwanted programs: selected
When an unwanted attachment is found:
- Primary action: Clean attachments
- Secondary action: Move attachments to a folder
Click Apply after making the configuration changes.
Open the Reports tab.
In the Log file box:
- Log to file: select (leave the default file location of %VSEDEFLOGDIR%\EmailOnDeliveryLog.txt)
- Limit size of log file to: select and set the size to 2 megabytes
- Format: Unicode (UTF8)
In the What to log in addition to virus activity box:
- Session settings: select
- Session summary: select
- Failure to scan encrypted files: select
- User name: select
Click Apply after making the configuration changes.
In the VirusScan Console open the menu item Tools and select User Interface Options from the sub menu.
Open the Display Options tab.
In the System tray icon box:
- Show the system tray icon with all menu options: deselect
- Show the system tray icon with minimal menu options: select
- Do not show the system tray icon: deselect
- Allow this system to make remote console connections to other systems: select
Click Apply after making the configuration changes.
Open the Password Options tab and select No password. Click Apply after making the configuration change.
Access Protection
Open the VirusScan Console and right click on the Access protection item, select Properties from the sub menu.
In the Access Protection Properties dialog box, select the Port Blocking tab.
- Report access attempts in the log file and/or by generating Alert Manager and ePO events. Specify ...: select
- Minimum time interval between reports (minutes): 1
Under the Ports to block heading, tick the following rules:
- Prevent mass mailing worms from sending mail
- Prevent IRC communication
- Prevent FTP inbound (stops viruses such as Nimda spreading)
Click Apply after making the configuration changes.
In the Access Protection Properties dialog box, select the File, Share and Folder Protection tab.
- Leave shares with existing access rights: select
Set the files and folders to block by ticking the following rules:
- Prevent Internet Explorer from launching anything from the Temp folder
- Prevent Internet Explorer from launching files from the Downloaded Program folder (.exe)
- Prevent Outlook from launching anything from the Temp folder
- Prevent Outlook Express from launching anything from the Temp folder
- Prevent Packager from launching anything from the Temp folder
- Prevent MSN from launching anything from the Temp folder
- Prevent WinZip32 from launching anything from the Temp folder
- Prevent WinRAR from launching anything from the Temp folder
- Prevent execution of scripts from the Temp folder
- Prevent access to suspicious startup items (.exe)
- Prevent access to suspicious startup items (.scr)
- Prevent access to suspicious startup items (.hta)
- Prevent access to suspicious startup items (.pif)
- Prevent access to suspicious startup items (.com)
- Prevent remote modification of files (.exe)
- Prevent remote modification of files (.scr)
- Prevent remote modification of files (.ocx)
- Prevent remote modification of files (.dll)
- Prevent remote creation/modification/deletion of anything in the Windows folders and subfolders
- Prevent remote creation/modification/deletion of files in the Windows folders and subfolders (.ini)
- Prevent remote creation/modification/deletion of anything in the system root
- Prevent remote creation/modification/deletion of files (.pif)
- Prevent remote creation of autorun.inf files
Click Apply after making the configuration changes.
In the Access Protection Properties dialog box select the Reports tab.
Log to file - Select
Ensure the log location is set to %VSEDEFLOGDIR%\AccessProtectionLog.txt
Limit size of log file - Select
Set Maximum log file size (MB): 2
Set Format: Unicode (UTF8)
Click Apply after making configuration changes.
Open the VirusScan Console and right click on the Buffer Overflow Protection item, select Properties from the sub menu.
In the Buffer Overflow Protection Properties dialog box select the Buffer Overflow Protection tab.
Enable buffer overflow protection - Select
Protection mode - Select
Show the message dialog box when a buffer overflow is detected - Select
Click Apply after making configuration changes.
In the Buffer Overflow Protection Properties dialog box select the Reports tab.
Log to file - Select
Ensure the log location is set to %VSEDEFLOGDIR%\BufferOverflowProtectionLog.txt
Limit size of log file - Select
Set Maximum log file size (MB): 1
Set Format: Unicode (UTF8)
Click Apply after making configuration changes.
Open the VirusScan Console and right click on the Unwanted Programs Policy item, select Properties from the sub menu.
In the Unwanted Programs Policies Properties dialog box select the Detection tab.
Select the categories of detections that are in the DATs:
Spyware - tick
Adware - tick
Remote Administration Tools - tick
Dialers - tick
Password Crackers - tick
Jokes - tick
Other Potentially Unwanted Programs - tick
Click Apply after making configuration changes.
Finished.
McAfee Enterprise AV configuration is now complete.
Module 09 ePO 3.6 Demo v1
Demonstration Overview
Section One:
ePO Server and Console Installation
Section Two:
ePO Configuration
Section One
ePO Server and Console Installation
You must log on to the server with an account that has domain admin rights for the installation to succeed.
Locate the setup.exe file in the temp folder where EPO350NML.ZIP was extracted.
License Agreement
Choose All Other Countries and Perpetual on the license agreement page. Select I accept the terms in the license agreement and click OK.
Installation Options
Select Install Server and Console and click Next.
If you see a message box stating that your server does not have a static IP address, stop the installation. Define a static IP address and then restart the installation.
Enter the password you would like to use for the ePO server. You cannot leave this blank.
In the Account Information area, enter or select your domain, then enter the user name and password to be used by the ePO server service. Note: if the account you specified is not an administrator account, you will see a warning that you cannot use ePO to deploy agents. If you want the ePO server service to have rights to deploy agents, click OK, then Back, and type a user account and password with the appropriate administrator rights.
Selecting the Install a server on this computer and use it option installs the free MSDE database included with ePolicy Orchestrator.
On the Database Server Account dialog box, deselect Use the same account as the Server service, then select This is SQL Server account. Type in and verify a secure password. This is the SA account that your ePO server service uses to access the MSDE database. Note down this password, as it will be needed for maintenance. Click Next to save the database account information.
HTTP Configuration
Change the HTTP ports to those defined in the document epo361_ports.pdf available on the NCIRC site. Click Next.
Change the HTTP port for Agent communication to 8090 and the HTTP port for Console communication to 8091. Change all the ports in the range 8090 to 8096 accordingly, as shown in the screen capture above. Click Next to save the port information.
Type the e-mail address to which the default notification rules send messages once they are enabled. This address is: epo-alert@ncirc.nato.int. This e-mail address is used by the ePO Notifications feature.
Installation Completion
On the Ready to Install dialog box, click Install to begin the installation. The installation takes approximately 25 minutes to complete and may prompt you to reboot the computer during the installation. During the installation some Digital Signature not found messages will come up; answer Yes to all of them. Click OK when prompted to reboot, and be sure to log back in with the same account used at the beginning of the installation so that the installation can continue. When the installation is finished, click Finish. Reboot if requested.
Section Two
ePO Server Configuration
Configuration Highlights
Master Repository Setup
Populating the ePO Server with Servers and Computers
Importing of VirusScan and ePO Agent policies
Deploying the ePO Agent
Module 10 WAC Demo v1
Overview
Section One:
Demonstration of Protector installation
Section Two:
Implementation of the Approved Profiles with Demonstration
Section Three:
Procedure for changing templates
Section One
Demonstration of Protector installation
Exercise architecture
Windows 2003 Domain Controller (W2003DC1)
Windows 2003 Member Server 1 (W2003MS1)
Ensure that all four VMware guest operating systems are on the Baseline Security Settings Template.
MSDE is a lightweight version of MS SQL. This exercise is based on a full SQL install.
The full version of Microsoft SQL requires a valid licence and must be installed and configured before installation of the Protector server. MSDE is a stripped-down version of SQL 2000 that vendors bundle with products so that customers do not have to pay for an additional SQL licence. MSDE is selected automatically during a standard install if no existing SQL server is found on the system.
Note that the normal installation procedure begins by inserting the Pointsec Protector Installation CD-ROM into the CD drive. The CD should autorun; if it does not, double click AutoRun.exe located in the root of the CD. This displays a menu screen. Select the Software menu and then Install Reflex Pointsec Protector Enterprise Server for Windows NT/2000/2003/XP from the list of options. The setup program launches and this splash screen is displayed. From this point on the installation procedures are identical.
Like all other software that we use on a daily basis, you must accept the licence agreement before you may continue with the installation. Selecting I do not accept the agreement and pressing Next cancels the installation. Selecting the I accept the agreement radio button and then clicking Next takes you to the Setup Type dialog box.
Licence Information
Enter the licence details on the Information screen.
The Registration screen requires a User Name, Company Name and Serial Number. The serial number is generated from the Company Name, so it is vital that the Company Name is entered exactly as it is written in the licence file. Note that all 0s are the number zero; Pointsec will never release a serial number that contains the letter O. It is also possible to load the licence directly from a text file delivered by Pointsec. Pressing Next takes you to the Setup Type dialog box.
Setup Type
Select a Custom Install
Options: Complete or Custom
The possible types of installation are detailed on this screen. Complete installs all modules. Custom allows the selection of specific Protector components. The option to install a Server Administration Console allows a management console to be installed on a system other than the one running the Pointsec Protector server. Selecting Complete and pressing Next displays the Select Program Folder dialog box.
Select Features
Deselect Microsoft SQL Database Engine.
If the installer does not detect an existing SQL Server installation on the local machine, it automatically selects the MSDE installation unless prevented from doing so.
DATABASE1
This screen allows you to change the location in which the software installs its shortcuts. Pressing Next displays the SMTP Setup dialog box.
The SMTP Setup screen allows us to set the information that lets DiskNet send e-mail alerts automatically. Reflex Disknet Pro Server Port Number - this is the TCP/IP port number that the server uses to communicate with the client. SMTP Server - if you wish to use the e-mail alert feature of Reflex Disknet Pro you need to enter the name of the SMTP server and provide a logon name and password for an account that can access this SMTP server (if required). Pressing Next takes you to the Select Service Account dialog box.
This is the account that the Protector service will run as; protector_service should be selected from the users on the local machine (not from the School domain). Note that the protector_service account was created prior to the install and added to both the local Administrators and LG_ServiceLogonRight groups. LG_ServiceLogonRight is added to the domain-wide Logon as a Service group by the application of the NATO security settings. Note that the installation of the Protector client also adds this protector_service account to the domain-wide Logon as a Service group, but the subsequent reapplication of the security settings later removes it again. The use of local groups in this way allows administrators to assign local rights without the need for domain-wide administrative privileges.
Summary Screen
This is the last chance to go back and make changes.
This dialog displays a summary of the installation options you have selected. Check that this information is correct and click Next to continue. The installation now copies all files required to complete the installation and displays the Finish dialog when complete.
The Disknet Pro Server uses a Microsoft SQL database to store the profile and user information and installs the Microsoft SQL Database Engine during setup. During this automatic install these two windows will pop up:
Instructions for options 1 to 3 can be found on the WAC Portal on the NCIRC NS site.
WAC SecOps
Instructions for using the deployment server, Active Directory Group Policy, creating a Windows image (baseline) or manually installing the client are provided on the NCIRC WAC Portal on the NATO Secret WAN. Note that manual installation, the deployment server and disk image installs can be used interchangeably. For Group Policy, however, if the client is installed using Group Policy it must also be upgraded or removed using Group Policy.
Splash Screen
Double click the client install setup.exe.
Welcome Screen
Click Next to proceed.
Setup Type
Select Complete and click Next.
Select the name of the Protector server (or alternatively type in its IP address, 10.10.10.11). Leave the port at its default (9738) and press Next to continue.
Setup Status
Section Two
Implementation of the Approved DNP Profiles with Demonstration
Introduction to Profiles
This window shows the current standard set of NATO profiles. Only a brief description is given here, as more detail is given on the important profiles later in the presentation.
Admin: Allows an administrator to optionally disable each of the Protector protection modules and thus bypass the protection mechanisms.
Authorise: Allows a user to authorise media using the Removable Media Manager.
Baseline: This is the profile used for all non-privileged users. It takes the Default profile and adds CD/DVD ROM read access and turns on auditing for most unauthorised device access events.
CDRW: Adds the CD/DVD ROM write privilege.
Default: The Default profile is the basis on which all other profiles are built; it is also the profile of any user not explicitly added to any particular group.
Encrypt Profile: Allows a user to create encrypted USB mass storage devices.
Fixed Disk: Allows access to external hard drives.
Floppy: Allows read/write access to floppy disk drives.
STI Device: Allows access to still image devices such as digital cameras and scanners.
USB: Allows user access to encrypted USB mass storage devices.
Each of the profiles is linked to a group with a similar-sounding name. A user is simply added to the appropriate group in order to acquire the corresponding rights. The profiles are designed so that they can be nested, i.e. a user added to both the CDRW Access and the Floppy Device Access groups gets both rights. The synchronisation order determines how to handle the situation when different groups define different settings: the lower the number, the higher the priority.
To add a user to a group simply right click on the appropriate group and select Add users to group from the menu. Type the name of the user in the Enter object names to select field and press Check Names. If the correct user is displayed in the window press OK to apply.
The Default profile is used here as an introduction to the three most important modules in the Protector security architecture.
Device Manager provides the ability to control the many different types of device that can be used on a client workstation. Device Manager can be considered the first line of protection, managing the use of these devices and/or ports. DM can also be used to apply audit rules, allow write access (where appropriate) and enforce encryption. It can also control whether or not files can be run directly from external media. This Default profile allows only CD-ROM read-only access and enables locally connected printers.
Removable Media Manager (RMM) takes the control and management of removable media devices a step further. Using RMM you can authorise individual media such as floppy disks, USB removable disks etc. for use on the Protector-enabled workstations on your network. Once removable media has been authorised it can be used anywhere within the Protector network environment. The current setting does not allow removable media authorisation. Authorisation is performed at the client workstation. This part of the authorisation process can be made to enforce a virus scan of the media to ensure the contents are virus free before allowing it onto the network. There is also an additional check that can be performed to reject any media that contains executable and other unwanted or active code file types (EXEs, DLLs, MP3s etc.).
The Encryption tab controls all aspects of encrypting removable media; the Default profile disables all access to encrypted media.
The CD (and DVD) Access group is used here to show the relationship between a group and a profile. The group properties window on the left indicates that two profile templates are applied: the Default and the CDRW profile. The CDRW Access group only defines settings for the Device Manager. A view of the Device Manager properties for this profile shows that access has been granted to DVD/CD-ROM drives. Note that because the R/O (Read Only) box is not selected for DVD/CD-ROM devices, read/write access is granted. This slide also introduces the concept of the Define column, which indicates whether or not a particular access right is defined in this profile. A closed blue padlock indicates that the property is inherited from a previously applied profile, in this case the Default. An open green padlock indicates that the particular right is defined in this profile.
Authorise Profile
The Authorise profile defines settings only for the Removable Media Manager (RMM). A member of the Authorise Users group is allowed to authorise removable media for use within the Protector-enabled network. Authorisation involves two automated scans of the files on the removable media. The first uses a standard third-party virus checker, in this case McAfee, to check for malicious code. The second, Reflex Datascan, compares the file types against a user-defined list of prohibited file types. Members of this group have the option to select which scanners to use (if more than one virus checker is installed); they also have the right to delete any rejected files during the authorisation procedure, thus allowing authorisation to complete successfully. Authorisation in this context involves creating a digital signature made up of information about the files on the media and a Media Key that is unique to this particular installation. Each time the media is removed the signature is recalculated and written back to the device. When the device is next plugged into a Protector-protected system the signature is calculated and compared with the stored value; if they are equal the device can be accessed. If they differ, something has changed in one or more files on the device and so the device must be re-authorised as described earlier.
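The authorisation mechanism described above, as an added example that is not Reflex/Pointsec code: a DataScan-style check of file types against a prohibited list (the same idea as the CheckDat.xml list mentioned later), followed by a keyed signature over the file inventory using a per-installation Media Key, re-signed on removal and verified on insertion. The prohibited-type list, the signature file name and the use of HMAC-SHA256 are assumptions for illustration; the real product's file format and algorithm are not described on the page. The external virus scan is not modelled.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for the DataScan prohibited file-type list (assumption).
PROHIBITED_TYPES = {".exe", ".dll", ".mp3"}
# Assumed name of the file that holds the media signature on the device.
SIGNATURE_FILE = ".protector_sig"


def datascan(root: Path) -> list[Path]:
    """Return every file on the media whose type is on the prohibited list."""
    return [
        p for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != SIGNATURE_FILE
        and p.suffix.lower() in PROHIBITED_TYPES
    ]


def media_digest(root: Path) -> bytes:
    """Digest over relative path, size and content hash of each file, in a fixed order."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.name == SIGNATURE_FILE:
            continue
        rel = p.relative_to(root).as_posix().encode()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(p.stat().st_size.to_bytes(8, "big"))
        h.update(hashlib.sha256(p.read_bytes()).digest())
    return h.digest()


def sign(root: Path, media_key: bytes) -> bytes:
    """Keyed signature: only hosts holding this installation's Media Key can produce it."""
    return hmac.new(media_key, media_digest(root), hashlib.sha256).digest()


def authorise(root: Path, media_key: bytes, delete_rejected: bool = False) -> bool:
    """Run the DataScan check; optionally delete rejected files (Authorise group right); then sign."""
    rejected = datascan(root)
    if rejected:
        if not delete_rejected:
            return False
        for p in rejected:
            p.unlink()
    (root / SIGNATURE_FILE).write_bytes(sign(root, media_key))
    return True


def on_remove(root: Path, media_key: bytes) -> None:
    """A Protector host re-signs the media each time it is removed."""
    (root / SIGNATURE_FILE).write_bytes(sign(root, media_key))


def check_on_insert(root: Path, media_key: bytes) -> bool:
    """On insertion, recompute the signature and compare it in constant time with the stored one."""
    sig_path = root / SIGNATURE_FILE
    if not sig_path.exists():
        return False
    return hmac.compare_digest(sig_path.read_bytes(), sign(root, media_key))


def demo() -> dict:
    """Walk through authorise / use / tamper / re-authorise on a constructed temporary 'device'."""
    media_key = b"constructed-media-key-unique-to-this-installation"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"quarterly figures")
        (root / "tools").mkdir()
        (root / "tools" / "helper.exe").write_bytes(b"MZ constructed sample")
        results["first_authorise"] = authorise(root, media_key)   # .exe present: rejected
        results["second_authorise"] = authorise(root, media_key, delete_rejected=True)
        results["check_after_authorise"] = check_on_insert(root, media_key)
        # File edited on a machine without the Protector client: no re-sign on removal.
        (root / "report.docx").write_bytes(b"quarterly figures, edited elsewhere")
        results["check_after_tamper"] = check_on_insert(root, media_key)
        # The same edit on a Protector host is followed by a re-sign on removal.
        on_remove(root, media_key)
        results["check_after_resign"] = check_on_insert(root, media_key)
        # A device signed under another installation's Media Key is not accepted here.
        results["check_with_other_key"] = check_on_insert(root, b"another-site-media-key")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The signature binds the file inventory to the Media Key, so a change made outside the Protector environment (or a device signed at another site) fails the insertion check and forces re-authorisation, which is exactly the behaviour the profile description relies on.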
Encrypt Profile
The Encrypt profile defines settings for the Encryption tab and applies to members of the Encrypt Users group. The Encrypt check box has to be selected on the Removable Media Devices tab. The most important setting here is that a member of this group can create an encrypted removable media device for other users. Members of this group would normally be an Infosec Officer or a worker in the Registry, depending on the local policy for issuing authorised USB mass storage devices.
USB Profile
The USB profile should only be used temporarily to access USB tokens that have originated outside the Protector-protected environment. The devices are mounted in read-only mode so that they can only be used to import data into the protected environment.
Testuser1 has been made a member of two groups, which in turn has led to the application of two profiles in addition to the Default. This combination of group memberships enhances the Baseline with read/write access to floppy drives. The Resulting Profile window on the right is the result of pressing the View/Edit button.
This is the same view as the previous slide, but testuser1 has also been added to the CDRW group. Pressing View/Edit now shows that the Device Manager settings have been extended to include write access to CD/DVD ROMs (i.e. the R/O check mark has been removed).
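How the resulting profile for testuser1 comes about, as an added example that is not Protector's own code: profiles are merged starting from Default, each group's profile contributes only the settings it defines (the open green padlock entries), and where two profiles define the same setting the one with the lower synchronisation order wins, as the earlier slides on nesting and the Define column describe. The setting names, group names and synchronisation numbers are constructed assumptions; the merge rule is the one the page states.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    sync_order: int   # lower number = higher priority when two profiles define the same setting
    defined: dict     # only the settings this profile defines (the "open green padlock" entries)


# Constructed profiles; setting names and synchronisation orders are assumptions, not Protector's own.
DEFAULT = Profile("Default", 100, {
    "dvd_cdrom_access": True, "dvd_cdrom_read_only": True,
    "floppy_access": False, "floppy_read_only": True,
    "usb_storage_access": False,
    "local_printer": True,
    "audit_unauthorised_device_access": False,
})
BASELINE = Profile("Baseline", 90, {"audit_unauthorised_device_access": True})
FLOPPY = Profile("Floppy", 60, {"floppy_access": True, "floppy_read_only": False})
CDRW = Profile("CDRW", 50, {"dvd_cdrom_read_only": False})
USB = Profile("USB", 40, {"usb_storage_access": True, "usb_storage_read_only": True})

# Constructed group-to-profile links (assumption: one profile per group).
GROUP_PROFILES = {
    "Baseline Users": BASELINE,
    "Floppy Device Access": FLOPPY,
    "CDRW Access": CDRW,
    "USB Users": USB,
}


def resulting_profile(user_groups: list[str]) -> dict[str, tuple[object, str]]:
    """Return {setting: (value, defining_profile)} for a user with the given group memberships.

    Default is always applied. Profiles are applied from lowest priority (highest sync number)
    to highest priority, so the lowest sync number is written last and wins a conflict. The
    recorded defining profile is the padlock: 'Default' means inherited, anything else means
    defined by that profile.
    """
    profiles = [DEFAULT] + [GROUP_PROFILES[g] for g in user_groups]
    merged: dict[str, tuple[object, str]] = {}
    for prof in sorted(profiles, key=lambda p: p.sync_order, reverse=True):
        for setting, value in prof.defined.items():
            merged[setting] = (value, prof.name)
    return merged


def effective(user_groups: list[str], setting: str):
    """Convenience accessor: the value the client would enforce for one setting."""
    return resulting_profile(user_groups)[setting][0]


def describe(user_groups: list[str]) -> list[str]:
    """Render the resulting profile as the console would, with an inherited/defined marker."""
    lines = []
    for setting, (value, origin) in sorted(resulting_profile(user_groups).items()):
        marker = "inherited" if origin == "Default" else f"defined in {origin}"
        lines.append(f"{setting:36} {str(value):5} ({marker})")
    return lines


if __name__ == "__main__":
    print("testuser1 in Baseline + Floppy:")
    print("\n".join(describe(["Baseline Users", "Floppy Device Access"])))
    print("\ntestuser1 also in CDRW:")
    print("\n".join(describe(["Baseline Users", "Floppy Device Access", "CDRW Access"])))
```

With Baseline and Floppy the resulting profile keeps DVD/CD-ROM read-only from Default while floppy access becomes read/write; adding the CDRW group flips dvd_cdrom_read_only to False, defined by CDRW, which is the change the View/Edit window shows.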
The above settings for user testuser1 for Program Security Guard (PSG) are defined in the Default profile; they therefore apply to all other profiles. PSG is used to block the introduction or modification of any file type specified in the box on the right. This can be any executable file (EXE, DLL, SYS etc.), media and audio files (AVI, MP3, WMA etc.), or can be customised to include any other file type that you would like to control. All file types protected by PSG are blocked from being introduced to the system from any location, i.e. not just from removable media devices. Note that these settings also apply to files downloaded by a web browser from the Internet.
Note that this list is different from the list of unsafe file types used by the DataScan process during the USB media authorisation procedure. The DataScan list can be found in an XML file, CheckDat.xml, located with the Protector client executable files.
The picture in the bottom right shows what happens on the client workstation when PSG is triggered. A dialog appears telling the user that an unauthorised file operation has occurred. The dialog shows the user which process caused the alert and which file the process tried to operate on. In the above example VMWareUser.exe.exe was the blocked process attempting to copy the file setup.cmd.
The User Interface, i.e. what the user of the client workstation sees, can also be controlled by the use of profiles. Users can also be given the right to disable individual modules if required. In the standard NCIRC profiles these rights are only available in the Administrators profile.
Audit Properties
Protector has extensive auditing capabilities which are controlled by the use of profiles. The standard NCIRC audit policy is defined in the Default profile, which in turn is inherited by all other profiles. There is an option to either ignore or log each of the standard events. Logging is further divided into immediate or register. Registered events are transferred to the database at pre-programmed regular intervals, whereas immediate events are transferred, as the name implies, immediately.
Log Archive
The audit policy generates a lot of events; ensure periodic archiving of the logs.
The WAC Portal contains a document that describes how to clear the log if the database file gets too large for the normal log archival mechanism to function correctly. The title of the document is
Computer Groups
A Computer Group is created in much the same way as a User Group, and profiles can then be linked to computer groups in the same way as to user groups. Workstation policies are of minimal use in a classified environment where the security policy requires individual accountability; as a result the NCIRC default templates do not currently define any workstation groups. To assign a computer to a group, a simple drag and drop method is used. Computer Groups allow any user to log into a computer and use the facilities that have been made available in the Computer Profile. If the computer profile states that the machine can access and write to a CD, then regardless of who logs in the user will have access to record their own media.
Section Three
Procedure for changing Protector templates
How do we make a change to Protector? It's a long process, but a simple one. The people who make the decisions are the Compusec/Infosec officers for the headquarters in question and NITC. The Compusec officer is involved in the chain because it is up to the Compusec officer to allow or deny the end user's request. They are the people who say "Yes, you can have access to your USB ports" or "No, you can't". However, the Compusec/Infosec person is not the only person in the chain. NITC are the controllers of the template/profile. They determine whether changes to the profile need to be made NATO-wide or whether the change can be made locally. It is vital that they are kept up to date on any changes that users wish to have made to the system.
If the change is local to the headquarters, an e-mail is sent to the system administration team authorising them to change the profile locally. This e-mail must be printed off and stored with their change management documentation for later audit purposes. If it is a change that would be best implemented NATO-wide, a change is made to the templates/profiles on the NCIRC website (http://nww.ncirc.nato.int). The script file can then be downloaded and run on the Protector server. The templates/profiles then have to be resent to the workstations (either by the users logging off and on again, or via the automatic method through the administrative console).
This is a simple scenario because everyone will be affected by the change that is coming in. Upgrading to a desktop VTC capability puts a web cam on everyone's desk. If everyone is supposed to be able to use the camera, then a change to the Baseline profile is needed.
In this case, as part of the upgrade procedure that the Compusec officer has already agreed to, he/she will need to send a request to NITC outlining the approved change that is being made to the network in the office.
NITC is responsible for the testing and approval of all software and software updates/patches. Their website contains things like the approved software listing, antivirus signature files and patch notices. With respect to DiskNet they have documentation, scripts and software updates listed on the website.
Once the change has been approved and tested, NITC sends an e-mail back to the requestor. This note either authorises the site to make the change or states that the change has been approved and that the site needs to download the script file again and run it on their DiskNet server.
The script file is located by going to the website http://nww.ncirc.nato.int on an NS machine. In the left-hand bar on the site is a section labelled Software, and within that box is a link to Workstation Access Control. Click that link and the Workstation Access Control documents, policies, profiles and settings appear in the main window.
The person in charge of the profiles may be the Compusec officer or a System Administrator. This is a policy decision made by the individual headquarters in conjunction with their NCSA representatives.