Endpoint Security Media Encryption - Check Point Software


Endpoint Security Media Encryption R73 Administration Guide
23 February, 2010

More Information

The latest version of this document is available for download (SecureKnowledge ID sk10629). For additional technical information about Check Point, visit Check Point Support.

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp techpub feedback@checkpoint.com?subject Feedback on Endpoint Security Media Encryption R73 Administration Guide).

2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd party copyright.html) for a list of relevant copyrights.

Contents

Preface 5
  About This Guide 5
  Who Should Use This Guide? 5
  Conventions 5
  Contact Information 6
  Feedback 6
  More Information 6
Introduction 7
  Overview 7
    Administration Console 7
  Features 7
    Removable Media Manager 8
    Encryption Policy Manager 8
    Device Manager 8
    DataScan 8
    Program Security Guard 8
    Auditing and Alerts 9
  Licensing Model 9
  Additional Information 9
Getting Started 10
  Introducing the Administration Console 10
    Administration Console User Interface 11
  Launching the Administration Console 13
  First Steps after Installation 14
  Connecting to a Remote or Local Server 14
  Configuring Media Encryption Server 16
    Media Encryption Server Properties 16
    General Properties Tab 16
    Applications Tab 17
    Security Tab 25
    Email Configuration Tab 27
    Console Settings Tab 28
    Server Key Tab 28
  Configuring Removable Media Manager 29
    Importing and Exporting Remote Media ID 29
  Recovering EPM Passwords 30
Working with Profiles 32
  Overview 32
    The Default Profile 32
    Profile Priority and Inheritance 32
    Profile Templates 33
  Working with Profile Templates 33
    Overview 33
    Defining Profiles 33
    General Settings 34
    Device Manager Settings 35
    Removable Media Manager Settings 37
    Encryption Settings 39
    User Interface Tab 43
    Auditing Settings 44
    Removable Media Audit Rules Section 46
    Program Security Guard Settings 48
    Advanced Tab 51

    Exporting Profile Templates 53
Users and User Groups 56
  Working with Users 56
    Defining New Users 56
    Creating Custom User Profile Settings 57
  Working with User Groups 58
    Creating a User Group Using the Wizard 58
    Creating a User Group by Synchronizing with a Domain 60
    Custom Profiles for Users and Groups 61
    Adding Users to Groups 61
    Offline Users 62
    Working with Existing Group Settings 62
    Working with Group Synchronization 63
Computers and Computer Groups 66
  Working with Computers 66
    Computers View 66
    Filtering the Computer List 67
    Working with Computer Settings 68
  Working with Computer Groups 69
    Creating a New Computer Group 69
    Adding Computers to a Group 70
    Working with Computer Group Properties 71
Monitoring and Auditing 74
  Alerts 74
    Creating a New Alert 74
  Logs 75
    Log Event Tab 76
    Filtering the Log 77
    Exporting Logs 77
    Archiving Log Entries 77
  Removable Media Log 78
    Filtering RMM Log Events 79
    Viewing Individual RMM Events 80
    CD and DVD Events Log 80
    Removable Media Log Archive 80
  Reports 81
    Creating Reports 82
DataScan 85
  Introduction 85
  Using DataScan 85
    Functionality 85
    Understanding the XML Script 86
    CheckDat.XML Contains All Possible File Types 86
    DataScan installed files 90
    Command Line Parameters 90
Glossary of Terms 92
Index 97

Chapter 1
Preface

In This Chapter
  About This Guide 5
  Contact Information 6
  Feedback 6
  More Information 6

About This Guide

This guide explains, among other things, how to:
- configure Media Encryption Server and Removable Media Manager
- recover EPM passwords
- work with profile templates
- work with users, user groups and computer groups
- create alerts and reports
- view, filter, and export log information

Who Should Use This Guide?

This guide is intended for administrators using Media Encryption to manage device and port security for endpoint clients.

Note - We strongly recommend that anyone planning to install, deploy and/or administer Check Point products attend certification training first. Contact your sales representative or visit http://www.checkpoint.com/ for more information.

Conventions

This guide uses the following formatting and graphics conventions.

Convention: Description
Bold: Used for user interface elements, such as panels, tabs, files, buttons, and menu options.
Italic: Used for emphasis.
Monospace: Used for file names and paths.
The menu symbol is used to illustrate menu choices. For example, File Open means that you should choose Open from the File menu.

Page 5

Convention: Description
Tip icon: Suggests, for example, an alternative method for accomplishing tasks or procedures.
Note icon: Emphasizes related, reinforcing, or important information.
Caution icon: Indicates actions or processes that can potentially damage data or programs.

Contact Information

If you require information on Check Point's other security products or services, or if you should encounter any problems with Endpoint Security Media Encryption, please visit our web site or call us.

Table 1-1 Contact information

Telephone:
Area          | Technical Support | Sales
The Americas  | 972-444-6600      | 1-800-429-4391
International | 972-3-6115100     |

Web site: http://support.checkpoint.com (http://supportcenter.checkpoint.com)

Feedback

Check Point is engaged in a continuous effort to improve our documentation. Please help us by sending your comments to: techpub swe@checkpoint.com.

More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge database at http://support.checkpoint.com (http://supportcenter.checkpoint.com).

Page 6

Chapter 2
Introduction

This chapter provides an overview of the Media Encryption features.

In This Chapter
  Overview 7
  Features 7
  Licensing Model 9
  Additional Information 9

Overview

Endpoint Security Media Encryption prevents unauthorized copying of sensitive data by combining port and device management, content filtering and centralized auditing with robust media encryption. Based on market-leading technologies, Endpoint Security Media Encryption plugs potential leak points and logs data movement to and from any plug and play devices, providing comprehensive control of security policies.

Administration Console

Administrators use the Administration Console to manage Endpoint Security Media Encryption. A familiar Microsoft Management Console (MMC) interface provides the ability to define and manage user profiles, deploy profiles to client computers, perform real-time monitoring and auditing, and configure Media Encryption options. User profile management and product configuration data are stored in an SQL database.

Features

Media Encryption is a unique policy driven solution for securing enterprise information and ensuring data integrity. It includes the following features.

Page 7

Removable Media Manager

Media Encryption ensures that all removable media and other input/output devices are authorized before access is granted to client users. Authorization rules are defined by administrators as part of the profiles assigned to users.

Removable Media Manager (RMM) authorizes devices by means of a unique digital signature, which identifies them as authorized. Whenever contents are altered on a Media Encryption protected computer, the digital signature is automatically updated. If the contents are altered outside of the protected environment, the device will require re-authorization before it can be used in the protected environment.

Media Encryption ensures that all devices are scanned for viruses, malware and other prohibited content using the DataScan scanner and/or third-party anti-virus and anti-malware software. This prevents unauthorized transfer of sensitive data.

Encryption Policy Manager

Encryption Policy Manager (EPM) uses 256 bit AES encryption to provide unrivalled security for all types of removable storage devices in a manner that is transparent to the user. EPM grants trusted users offline access to encrypted media with password authentication. Users can also install a freely distributed EPM plug-in on non-protected computers as an alternative to password authentication.

Encryption Policy Manager includes the following features:
- Administrator-defined access (full, read-only, or blocked) to encrypted removable media devices
- Password authentication to protected media on external computers without special software
- Extraction of encrypted data to non-encrypted data on target computers
- Secure deletion of encrypted documents on target computers

Device Manager

Device Manager controls access to devices attached to endpoint computer ports, such as IrDA, COM, USB, Firewire, LPT, and network adapters. You can use Device Manager to control access to specific devices or device types, or to all devices attached to a given port type.

By applying security rules to specific device types, you can manage access to Flash drives, memory sticks, CD/DVD drives, PDAs, Blackberries, Dot4Prt printers, Bluetooth and USB hard disks. This feature prevents users from connecting unauthorized devices to the PC ports, such as modems, and provides On/Off/read-only protection.

DataScan

DataScan is a unique file-based protection feature that automatically prevents the introduction of potentially dangerous and undesirable file types on protected endpoint computers. Unlike traditional virus and malware scanners, DataScan does not scan files for known signatures or patterns. It allows or blocks access to files based on the file type as determined by its internal structure and extension.

DataScan is integrated with the Removable Media Manager and prevents authorization of removable media containing specific file types on local drives, network drives and removable media. By default this includes executables (.exe, .com, .dll), script files (.vbs, .scr, .js, etc.) and other files (.mpg, .mp3, .mov, etc.).

If DataScan is designated as a device scanner for Removable Media Manager, no media or device that contains prohibited file types can be authorized until the offending files are deleted.

Program Security Guard

Program Security Guard is a profile-based security feature that prevents users from creating, modifying or deleting specific file types on endpoint computers and network drives. Administrators create rules that specify which file extensions are prohibited as well as exceptions for trusted applications using prohibited extensions.

Page 8
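The DataScan description above turns on one point: the type of a file is decided from its internal structure, not only from its name, so renaming an executable to .pdf does not get it past the check. The following is an added example written for this guide's reader, not Check Point's DataScan code: a small classifier that reads the leading bytes of each file, compares the structural type with what the extension claims, and refuses to authorize a device while any prohibited or mismatched file remains on it. The magic-byte table, the extension map and the prohibited set are constructed for illustration.

```python
"""Added example (not Check Point's code): DataScan-style file type checking.

The type of each file is decided from its internal structure (leading magic
bytes) and compared with what the extension claims. A file is blocked when
either view says it is a prohibited type, or when the two disagree. The magic
table, extension map and prohibited set are constructed for illustration."""
from __future__ import annotations

import os

# Constructed table: leading bytes -> structural type.
MAGIC = {
    b"MZ": "executable",              # DOS/PE executables (.exe, .dll)
    b"\x7fELF": "executable",         # ELF binaries
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"ID3": "mp3",                    # MP3 with an ID3v2 header
}

# Constructed map: extension -> type the file name claims.
EXT_TYPES = {
    ".exe": "executable", ".dll": "executable", ".com": "executable",
    ".vbs": "script", ".js": "script", ".scr": "script",
    ".pdf": "pdf", ".png": "png", ".mp3": "mp3", ".txt": "text",
}

# Types that may not be present on media to be authorized (mirrors the
# guide's default list: executables, scripts and media files).
PROHIBITED = {"executable", "script", "mp3"}


def structural_type(data: bytes) -> str | None:
    """Type implied by the file's own bytes, or None if no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(name: str, data: bytes) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one file."""
    ext = os.path.splitext(name)[1].lower()
    by_content = structural_type(data)
    by_ext = EXT_TYPES.get(ext)
    if by_content in PROHIBITED:
        # Decided by structure: renaming the file does not help.
        return "block", f"content is {by_content}"
    if by_ext in PROHIBITED:
        return "block", f"extension {ext} denotes {by_ext}"
    if by_content and by_ext and by_content != by_ext:
        # Name and structure disagree: treat as disguised content.
        return "block", f"extension claims {by_ext} but content is {by_content}"
    return "allow", by_content or by_ext or "unknown"


def scan_media(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Offending files on a device, as (name, reason), sorted by name."""
    return sorted((name, reason) for name, data in files.items()
                  for verdict, reason in [classify(name, data)]
                  if verdict == "block")


def media_authorized(files: dict[str, bytes]) -> bool:
    """RMM rule from the guide: authorization only when nothing is prohibited."""
    return not scan_media(files)


if __name__ == "__main__":
    # Constructed sample device contents.
    sample = {
        "report.pdf": b"%PDF-1.4 ...",
        "invoice.pdf": b"MZ\x90\x00 renamed executable",
        "notes.txt": b"plain text",
    }
    for item in scan_media(sample):
        print(item)
    print("authorized:", media_authorized(sample))
```

The check is intentionally strict in the mismatch case: a PDF-structured file named photo.png is not on the prohibited list under either view, but the disagreement itself is a signal worth blocking on, because the only reason to carry such a file is to defeat an extension-based filter.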

Auditing and Alerts

Media Encryption provides configurable, detailed logs stored in an SQL database. Administrators create structured queries and detailed reports to extract and analyze log contents.

Media Encryption also allows administrators to centrally monitor and audit file operations on protected removable devices. Administrators can also define email alerts to be sent to designated users based on certain events.

Licensing Model

The Media Encryption server comes with a time-limited evaluation license which is used during the first installation of the server. When you have installed the server, you can add a license file in the License Manager; see General Properties Tab (on page 16) for more information on how to do this. The license file covers a fixed number of connected endpoint computers. When the number of endpoints connected to a Media Encryption server exceeds the licensed quantity, you must purchase additional licenses.

Additional Information

Media Encryption is supplied with fully indexed online help. In addition to these resources, further information is available from the Check Point web site http://www.checkpoint.com/.

The website provides a support area http://supportcenter.checkpoint.com including:
- A fully searchable support knowledge base that provides up to date information on the latest support problems and frequently asked questions
- Downloads of the latest software updates and patches for licensed customers
- The latest product documentation
- Discussion forums on Check Point products

Page 9

Chapter 3
Getting Started

This chapter describes how to get started with Media Encryption, and also how to use the Administration Console and utilities.

In This Chapter
  Introducing the Administration Console 10
  Launching the Administration Console 13
  First Steps after Installation 14
  Connecting to a Remote or Local Server 14
  Configuring Media Encryption Server 16
  Configuring Removable Media Manager 29
  Recovering EPM Passwords 30

Introducing the Administration Console

The Media Encryption Administration Console allows administrators to centrally manage multiple endpoint client computers. You use the Management Console to perform the following tasks:
- Create and manage user and group-based policy profiles governing all Media Encryption features on endpoint clients
- Perform dynamic management of Media Encryption Client workstations
- View and process audit events
- Manage automated alerts
- Manage the Media Encryption infrastructure
- Manage removable media encryption settings (EPM)

Page 10

Administration Console User Interface

The Media Encryption Administration Console provides a powerful, but user-friendly user interface based on the familiar Microsoft Management Console (MMC).

Windows

The Administration Console contains two windows by default. Each window can display different groups of settings and information. You can resize the Administration Console, open additional windows in the console and close open windows.

Each window contains a Details Pane that displays a list of detailed settings or information. The Console Tree Pane, which appears by default in the Main window and in new windows, provides convenient navigation to the various settings groups and information.

Page 11

To open a new window, right-click on a branch in the Console Tree and select New Window from Here. The new window opens on top of the others.

The Toolbar

The toolbar provides convenient access to various Administration Console functionality.

Icon: Function
- Move backward and forward between data viewed in current window
- Move up to higher level in Console Tree
- Toggle display of Console Tree in current window
- Refresh details view in current window
- Export contents of current window details view to a text file
- Display online help
- Define filter for displaying records in current window details view
- Toggle between filter and showing all records in details view

Page 12

The Console Tree

The Console Tree provides convenient access to profile definition categories and to options for viewing log entries.

If the Console Tree does not appear, click the Console Tree toggle icon on the toolbar.

Settings Category: Description
Users: Endpoint users and user-specific profile definitions
Computers: Computers and computer-specific profile definitions
Groups: User and computer groups and group-specific profiles
Profile Templates: Templates for defining individual profiles
Alerts: Custom email alert definitions
Log: View log entries
Removable Media Log: View selected removable media log entries
Reports: Define and review reports based on log entries

Launching the Administration Console

To open the Administration Console:
Select Start > Programs > Check Point Media Encryption Server > Administration Console.

Page 13

First Steps after Installation

This section describes the procedures to be followed after installing Media Encryption Server for the first time.

1. Connect to a server
   Connect to a Media Encryption server using the Administration Console.
2. Modify the predefined Default profile
   This is the global profile that is assigned to all endpoint computers and users that have not yet been assigned a profile. The default profile should provide a high security level and contain settings that are unlikely to be changed by custom policies assigned to users, computers and groups.
3. Create custom profile templates
   Define custom profiles for administrators as well as for other user and computer groups.
4. Create user and computer groups
   Groups are an efficient way to define profiles and settings for users and endpoint computers sharing common security requirements. Profile settings assigned to a group apply to all members of a group unless overridden by a customized profile specific to a particular user.
5. Define custom email alerts
   Define custom email alerts to be sent to users for various events and actions.
6. Configure Media Encryption Server Properties
   Configure the application, security, email and console settings.
7. Back up the media ID
   Back up the media ID using the Export Media ID wizard.
8. Export the default profile
   Export the default profile to the Media Encryption Client installation folder.
9. Install Media Encryption Client computers for testing
   Test your default and custom profiles by installing Media Encryption Client on several test computers. Perform various activities with removable media and devices to ensure proper operation.
10. Create and configure silent Media Encryption Client installation packages
    Use the Endpoint Security Deployment Utility to create silent installation packages to install Media Encryption Client in your production environment.
11. Assign computers to groups
    After you install Media Encryption Client on endpoint computers, they appear as computers on the Administration Console. Assign these computers to groups.

Connecting to a Remote or Local Server

The Administration Console supports local and remote server connections. You can install multiple administration consoles to manage one Media Encryption Server.

Page 14

To connect to a remote or local server:

1. In the Administration Console, right-click the Media Encryption Server branch in the Console Tree. Select Connect to from the option menu.
2. In the Server Location window, select one of the following connections:
   - Media Encryption Server on this computer: Connect to the server on this computer.
   - Remote Media Encryption Server: Connect to a server located on a remote host. Enter the server host computer name or IP address and port number (default 9738).

   Important - You must configure both the client and server firewalls to allow UDP traffic over the designated port.

3. Click Finish to complete the connection. A connection progress message appears, and the current connection status is then shown on the title bar.

Note - Access privileges must be granted in the Security Permissions tab before you can connect to a remote server.

Page 15

Configuring Media Encryption Server

Media Encryption Server Properties

This section presents procedures for configuring Media Encryption Server.

To define Media Encryption Server properties:
Right-click the Media Encryption Server server name branch and select Properties. The Media Encryption Server Properties window opens, which contains a variety of settings grouped together on several tabs.

General Properties Tab

The General tab displays the server version and build number. You can also revoke authorization for previously authorized devices and add or remove server licenses.

Page 16

To revoke authorization for previously authorized devices:

1. In the Media revocation section, click Revoke all.
2. Click Yes in the confirmation window.

Note - This process can be reversed by re-importing the media ID, provided a backup was made during installation.

To add or remove server licenses:

1. Click License Manager. The License Manager window opens, showing license type (full or evaluation), number of clients, and expiration date.
2. Perform one or more of the following steps:
   - To add a new license, click Add from license file and navigate to the license file. Alternatively, you can click Add license and manually enter the license information.
   - To remove a license, select a license from the list and then click Remove.
   - To change the license string for an existing license, click Edit.

Applications Tab

The Applications tab contains configuration options for the Program Security Manager, Device Manager and Encryption Policy Manager features.

Page 17
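The Removable Media Manager description in Chapter 2 and the Revoke all procedure above describe the same mechanism from two sides: each authorized device carries a digital signature that is refreshed when its contents change on a protected computer, breaks when they change elsewhere, and is invalidated for every device at once by Revoke all, which re-importing the backed-up media ID reverses. The following is an added model of that lifecycle, written for this guide's reader; it is not Check Point's implementation or on-media format. It assumes the signature is an HMAC over the device serial and a manifest of the device contents, keyed by the server's media ID; the class and function names are the example's own.

```python
"""Added example (not Check Point's code or on-media format): a model of
RMM-style media authorization with a signature keyed by the server media ID.

Assumptions: the signature is HMAC-SHA256 over (device serial, manifest of
file names and hashes) under the media ID; 'Revoke all' replaces the media ID;
importing a backup restores it. Names and layout are the example's own."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def content_digest(files: dict[str, bytes]) -> bytes:
    """Digest of the device contents: sorted names plus per-file hashes."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[name]).digest())
    return h.digest()


class MediaEncryptionServer:
    """Holds the media ID that keys every authorization signature."""

    def __init__(self, media_id: bytes | None = None) -> None:
        self.media_id = media_id or secrets.token_bytes(32)

    def sign(self, device_serial: str, files: dict[str, bytes]) -> bytes:
        """Signature written to the device when it is (re)authorized."""
        msg = device_serial.encode("utf-8") + b"\0" + content_digest(files)
        return hmac.new(self.media_id, msg, hashlib.sha256).digest()

    def is_authorized(self, device_serial: str, files: dict[str, bytes],
                      signature: bytes) -> bool:
        """Check performed before a protected computer grants access."""
        expected = self.sign(device_serial, files)
        return hmac.compare_digest(expected, signature)

    def export_media_id(self) -> bytes:
        """What the Export Media ID wizard backs up."""
        return self.media_id

    def import_media_id(self, backup: bytes) -> None:
        """Re-import a backup to reverse a revocation."""
        self.media_id = backup

    def revoke_all(self) -> None:
        """'Revoke all': a new ID means no earlier signature verifies."""
        self.media_id = secrets.token_bytes(32)


def authorization_lifecycle() -> list[bool]:
    """Walk one constructed device through the lifecycle; returns each check."""
    server = MediaEncryptionServer()
    backup = server.export_media_id()
    files = {"plan.docx": b"PK\x03\x04 constructed", "readme.txt": b"hello"}
    sig = server.sign("USB-0001", files)
    steps = [server.is_authorized("USB-0001", files, sig)]      # fresh: True
    files["readme.txt"] = b"edited on an unprotected PC"
    steps.append(server.is_authorized("USB-0001", files, sig))  # stale: False
    sig = server.sign("USB-0001", files)                        # re-authorized
    steps.append(server.is_authorized("USB-0001", files, sig))  # True
    server.revoke_all()
    steps.append(server.is_authorized("USB-0001", files, sig))  # revoked: False
    server.import_media_id(backup)
    steps.append(server.is_authorized("USB-0001", files, sig))  # restored: True
    return steps


if __name__ == "__main__":
    print(authorization_lifecycle())
```

Two properties of the model are worth noticing when reading the guide's procedures. Binding the device serial into the signed message means a signature copied from one authorized device to another does not transfer authorization; and because revocation is just a key change, the only thing standing between Revoke all and "all media lost" is the media ID backup, which is why step 7 of First Steps after Installation makes that export part of initial setup.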

Program Security Guard (Expreset.ini)

Program Security Guard uses a database, the expreset.ini file, that contains protected file type definitions and a list of trusted applications that are permitted to create or modify protected file types.

We recommend that you periodically back up the expreset.ini file. You can also use this backup file to transfer Program Security Guard file type definitions to other Media Encryption servers.

To back up the expreset.ini file, click Backup. Enter a file name and navigate to the desired file location.

To restore the expreset.ini file, click Restore and navigate to the backup file.

Device Manager

Device Manager includes a default list of ports and device types. You can add new device classes and specific d
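The Program Security Guard description in Chapter 2 and the expreset.ini section above together define a small policy: a set of protected extensions, the operations (create, modify, delete) they are protected against, and trusted applications exempt from the rule. The guide does not show the layout of expreset.ini, so the following added example, which is not Check Point's code, assumes an INI layout of its own (one section for protected extensions, one for trusted applications) and evaluates file operations against it; the section and key names are constructed for illustration.

```python
"""Added example (not Check Point's code): evaluating Program Security Guard
style rules from an INI file.

The layout below is an assumption standing in for expreset.ini, whose real
format the guide does not show: [ProtectedExtensions] maps an extension to the
operations it is protected against; [TrustedApplications] maps an extension
to the applications exempt from the rule."""
from __future__ import annotations

import configparser
import os

# Constructed rule file in the assumed layout.
SAMPLE_RULES = """
[ProtectedExtensions]
exe = create, modify, delete
dll = create, modify, delete
vbs = create, modify

[TrustedApplications]
exe = setup.exe, msiexec.exe
dll = msiexec.exe
"""


class ProgramSecurityGuard:
    """Rule set loaded from INI text; decide() answers one file operation."""

    def __init__(self, ini_text: str) -> None:
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        # configparser lowercases keys, so extensions compare case-insensitively.
        self.protected = {
            ext: {op.strip().lower() for op in ops.split(",")}
            for ext, ops in cfg["ProtectedExtensions"].items()
        }
        self.trusted = {}
        if cfg.has_section("TrustedApplications"):
            self.trusted = {
                ext: {app.strip().lower() for app in apps.split(",")}
                for ext, apps in cfg["TrustedApplications"].items()
            }

    def decide(self, process: str, path: str, operation: str) -> tuple[bool, str]:
        """Return (allowed, reason) for `process` doing `operation` on `path`."""
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        operation = operation.lower()
        ops = self.protected.get(ext)
        if ops is None or operation not in ops:
            return True, f".{ext or '<none>'} {operation} is not protected"
        app = os.path.basename(process).lower()
        if app in self.trusted.get(ext, set()):
            return True, f"{app} is trusted for .{ext}"
        return False, f".{ext} {operation} blocked for {app}"


def load_sample_guard() -> ProgramSecurityGuard:
    """Guard built from the constructed SAMPLE_RULES above."""
    return ProgramSecurityGuard(SAMPLE_RULES)


if __name__ == "__main__":
    guard = load_sample_guard()
    for event in [("winword.exe", "tool.exe", "create"),
                  ("C:/Windows/System32/msiexec.exe", "lib.dll", "modify"),
                  ("notepad.exe", "macro.vbs", "delete")]:
        print(event, guard.decide(*event))
```

Note the two dimensions of the lookup: an extension can be protected against some operations and not others (here .vbs may still be deleted), and trust is granted per extension, so an application trusted for .dll does not thereby gain the right to write .vbs files. Matching the trusted application by base name only, as this example does, is the weakest part of the model; a real deployment would want that list tied to something the user cannot rename.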
