PGP Endpoint 4.4 User guide

Type
User guide
Administrator Guide
PGP Endpoint 4.4 SR1
02_108P 4.4 SR1 Administrator Guide
- 2 -
- 3 -
Notices
Version Information
PGP Endpoint Administrator Guide - PGP Endpoint Version 4.4 SR1 - Released: August 2009
Document Number: 02_108P_4.4 SR1_092322120
Copyright Information
Copyright© 1991-2009 by PGP Corporation. All Rights Reserved. No part of this document can be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without
the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the
US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered
trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a
trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks
of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered
trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business
Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH
and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X
are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered
trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech
AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-
free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent
rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of
California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a
Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under
the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL.
If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact
PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent
applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Acknowledgements
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with
permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2,
the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under
the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by
the Open Source Initiative. • bzip2 1.0, a freely available high-quality data compressor, is copyrighted
by Julian Seward, © 1996-2005. • Application server (http://jakarta.apache.org/), web server (http://
PGP Endpoint
- 4 -
www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a
Java-based library used to parse HTML, developed by the Apache Software Foundation. The license
is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework for
moving data from XML to Java programming language objects and from Java to databases, is released
by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the
XSLT XML transformation language and the XPath XML query language, is released under the Apache
Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is
an implementation of the SOAP (“Simple Object Access Protocol”) used for communications between
various PGP products is provided under the Apache license found at http://www.apache.org/licenses/
LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX),
is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/)
• libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version
4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006.
The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and
Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium,
Inc. (http://www.isc.org) • Free BSD implementation of daemon developed by The FreeBSD Project, ©
1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie
Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge
Broadband Ltd.© 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and
Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license
agreement for these is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed
by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol
developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of
the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation.
The license agreement is at http://www.openldap.org/software/release/license.html. • Secure shell
OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under
a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?
rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is
released under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under
the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL,
a free software object-relational database management system, is released under a BSD-style license,
available at http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program
used to connect to a PostgreSQL database using standard, database independent Java code, (c)
1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available
at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software
object-relational database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX
daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used
by permission. • JacORB, a Java object used to facilitate communication between processes written in
Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL)
available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. • TAO (The ACE
ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for
communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by
Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/
ACEcopying. html. • libcURL, a library for downloading files via common network services, is open source
Notices
- 5 -
software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html.
Copyright (c) 1996 - 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is
released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/
COPYING. Copyright (C) 1996, 1997 Theodore Ts’o. • libpopt, a library that parses command line options,
is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/
libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. • gSOAP, a development
tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is
distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.
• Windows Template Library (WRT) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. • The Perl Kit
provides several independent utilities used to automate a variety of maintenance functions and is provided
under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations
promulgated from time to time by the Bureau of Export Administration, United States Department of
Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of
the End User License Agreement provided with the software. The information in this document is subject
to change without notice. PGP Corporation does not warrant that the information meets your requirements
or that the information is free of errors. The information may include technical inaccuracies or typographical
errors. Changes may be made to the information and incorporated in new editions of this document, if and
when made available by PGP Corporation.
PGP Endpoint
- 6 -
- 7 -
Table of Contents
Preface: About This Document................................................................11
Typographical Conventions.......................................................................................... 11
Getting Assistance........................................................................................................11
Chapter 1: PGP Endpoint System Architecture..................................... 13
About Application Control and Device Control Architecture.........................................13
The Database...............................................................................................................15
The Administration Server............................................................................................15
The Management Server Console............................................................................... 16
The Client..................................................................................................................... 17
Chapter 2: Understanding Cryptography................................................21
About Encryption...........................................................................................................21
Advanced Encryption Standard....................................................................................22
RSA Encryption.............................................................................................................23
Chapter 3: Device Control Encryption Methodology............................. 25
Encrypting Removable Storage Devices......................................................................25
Easy Exchange Encryption................................................................................... 26
Encrypting Media...................................................................................................26
Centralized Encryption...........................................................................................29
Decentralized Encryption.......................................................................................29
Chapter 4: Application Control Methodology.........................................31
About File, Macro, and Script Execution Control......................................................... 32
Identifying DLL Dependencies......................................................................................32
Maintaining Application Control....................................................................................33
Operating System Updates and Patches..............................................................33
Frequently Changing Software Use......................................................................33
Software Updates..................................................................................................34
New Software Installations....................................................................................34
Table of Contents
- 8 -
Macros and Other Changing Files........................................................................34
Deleting Local Authorization Files.........................................................................35
Chapter 5: Understanding Administration Server-Client Communications37
About Administration Server-Client Communications...................................................37
Administration Server Communications................................................................ 38
Changing Licenses for the Administration Server.................................................39
Changing the SysLog Server................................................................................39
About Administration Server-Client Communication Encryption...................................40
Digital Signatures and Certificate Authorities (CA)............................................... 40
Digital Signatures...................................................................................................40
About Administration Server-Client Proxy Communications.........................................41
Configuring Administration Server-Client Proxy Communication.......................... 42
Chapter 6: Deploying the Client...............................................................45
About PGP Endpoint Client Deployment......................................................................45
Deploying the Client with a Ghost Image.....................................................................46
Deploying the Client with Windows Group Policy........................................................ 47
Deploying the Client with Other Tools..........................................................................48
Chapter 7: Controlling Administrative Rights........................................ 51
About PGP Endpoint Access Control Rights................................................................51
Defining User Access...................................................................................................52
Using the Access Control Visual Basic Script..............................................................53
Chapter 8: Using File Tools..................................................................... 57
About File Tools............................................................................................................57
Using the PGP Endpoint Authorization Service Tool................................................... 57
Using the PGP Endpoint Application Control File Tool................................................61
Using the SXDomain Tool............................................................................................64
Chapter 9: Managing Registry Keys........................................................67
Database Connection Loss Registry Key.....................................................................67
Authorization Service Registry Key..............................................................................68
Debugging Registry Key...............................................................................................69
Table of Contents
- 9 -
General Registry Keys................................................................................................ 70
Security Registry Keys................................................................................................. 71
Configure MaxSockets...........................................................................................73
Configuring MaxSockets and TLSMaxSockets..................................................... 74
Command & Control Registry Key...............................................................................74
Client Kernel Registry Key........................................................................................... 75
Software Registry Key..................................................................................................76
Administration Server Registry Key..............................................................................77
Authorization Wizard Registry Key...............................................................................77
Table of Contents
- 10 -
- 11 -
Preface
About This Document
This Administrator Guide is a resource written for all users of PGP Endpoint 4.4 SR1. This
document defines the concepts and procedures for installing, configuring, implementing, and
using PGP Endpoint 4.4 SR1.
Tip:
PGP documentation is updated on a regular basis. To acquire the latest version of this or
any other published document, please refer to the PGP Support Portal Web Site (https://
support.pgp.com).
Typographical Conventions
The following conventions are used throughout this documentation to help you identify various
information types.
Convention Usage
bold Buttons, menu items, window and screen objects.
bold italics Wizard names, window names, and page names.
italics New terms, options, and variables.
UPPERCASE SQL Commands and keyboard keys.
monospace File names, path names, programs, executables, command
syntax, and property names.
Getting Assistance
Getting Product Information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files
that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product.
Release notes are also available, which may have last-minute information not found in the
product documentation.
Preface
- 12 -
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical Support, please visit
the PGP Corporation Support Home Page (http://www.pgp.com/support).
To access the PGP Support Knowledge Base or request PGP Technical Support, please visit
PGP Support Portal Web Site (https://support.pgp.com).
Note:
You may access portions of the PGP Support Knowledge Base without a support agreement;
however, you must have a valid support agreement to request Technical Support.
For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://
www.pgp.com/company/contact/index.html).
For general information about PGP Corporation, please visit the PGP Web Site (http://
www.pgp.com).
To access the PGP Support forums, please visit PGP Support (http://
forums.pgpsupport.com). These are user community support forums hosted by PGP
Corporation.
- 13 -
Chapter
1
PGP Endpoint System Architecture
In this chapter:
About Application Control
and Device Control
Architecture
The Database
The Administration Server
The Management Server
Console
The Client
Application Control and Device Control architecture is a
3-tier structure composed of an Administration Server,
database, and one or more clients. A Management Server
Console provides the administrative interface between the
system administrator and Administration Server.
About Application Control and Device Control Architecture
PGP Endpoint architecture is a multi-tier system composed of a database, an Administration
Server, and a client.
The three primary components that form the basis of PGP Endpoint system architecture interact
as follows. The Administration Server component runs as a service that:
Keeps track of the connected clients and their status.
Coordinates data flow between the Administration Server(s) and the SQL database.
The database component serves as the central repository of the authorization and permission
policies. The client component stores file authorization and device permission policies locally,
and controls user access from the endpoint to software applications and all connected devices.
To change authorization and permission policies, an administrator uses a Management Server
Console to interface with the Administration Server(s), which then communicate with the
database and the client(s).
PGP Endpoint system architecture is scalable to meet the needs of any enterprise. You can use
multiple Administration Server(s) and clients.
PGP Endpoint
- 14 -
The Application Control and Device Control architecture components are:
The database which serves as the central repository of authorization information for devices
and applications.
One or more Administration Servers that communicate between the database, the protected
clients, and the Management Server Console.
The client (installed on each computer, endpoint or server that you want to protect).
The Management Server Console, which provides the administrative user interface for the
Administration Server.
The following figure illustrates the relationships between the components.
Figure 1: Application and Device Control Architecture
PGP Endpoint System Architecture
- 15 -
The Database
The database serves as the central repository of software and device permission data.
Administrator and user access logs are also stored in the database.
The database uses one of the following Microsoft
®
SQL
®
Server products:
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2005 Express
Microsoft SQL Server 2008 Express
For evaluations and test environments Microsoft SQL Server 2005 Express and Microsoft SQL
Server 2005 Express are sufficient. Enterprise implementation must use the Microsoft SQL
Server 2005 or 2008 edition.
The Administration Server
The Administration Server runs as a Windows
®
service that coordinates and tracks data flow
between Administration Server(s), connected clients, and the SQL
®
database.
The Administration Server service runs under any domain account capable of reading domain
users, user groups, and computer accounts from the domain controller. The Administration
Server performs the following functions:
Retrieves user access and device permission policies from the database which are stored in
the Administration Server cache.
Signs and/or encrypts the user access and/or device permission list, compresses the list,
and communicates updated user access and/or device permission lists to client servers and
computers, where the permission policies are stored locally. Permission policy updates only
communicate changes to the existing user access and device permission policies, rather
than retransmitting entire policies.
Saves a log of administrator actions and, optionally, users actions including information about
when application or device access is denied.
Each PGP Endpoint product installation requires at least one Administration Server and a
corresponding DataFileDirectory (DFD). The DFD can reside on the same computer or a shared
network resource, to store log information. All servers can write to a shared DataFileDirectory or
to a different directory for each Administration Server, depending upon the unique architecture
of your network environment.
Up to three Administration Servers can be defined during client installation. Additional servers
can be assigned by:
Changing the Server Address default option in the Management Server Console Tools
menu, as outlined in the Application Control User Guide or Device Control User Guide
(https://support.pgp.com).
Modifying the Server parameter for the Command & Control Registry Key on page 74
PGP Endpoint
- 16 -
The Administration Server sends user access and device permission changes to users when:
A user logs in.
An administrator sends updated information to all computers, specific computers, or export
changes to a file.
A user requests updated information from a client computer.
An administrator uses the Management Server Console to interact with Administration Server.
The Management Server Console
The Management Server Console is the administrative interface for the Administration Server.
This product component is used to configure Application Control and Device Control.
You can install the console on one or more computers, including the database or Administration
Server hosts.
The Management Server Console does not connect directly to the database. All communication
with the database is conducted via the Administration Server(s). The Management Server
Console and Administration Server use Remote Procedure Call (RPC) protocol authenticate
encrypted communications.
You use the console to:
Define administrator roles.
Monitor system administrator and user activity logs and options.
Define default settings for administrative tools.
Generate standard or custom reports.
When you are using Device Control, you can:
Manage access to removable storage devices.
Authorize user access to specific CD/DVD media for use with CD/DVD drives.
Encrypt removable media and devices.
View lists of files and data transferred using authorized media.
View the content of files transferred using authorized removable storage devices.
View information about user attempts to access or connect unauthorized removable storage
devices.
When you are using Application Control, you can:
Build and manage centrally authorized lists of executable files, scripts, and macros.
Organize authorized application software files into logical file groups.
Assign file groups to users and user groups.
Manage and maintain the software authorization database.
PGP Endpoint System Architecture
- 17 -
The Client
The client is installed on each client computer to enforce file authorization and device
permissions policies.
You can install the client on the same computer as the Management Server Console when
you are using Device Control. Each protected computer can maintain local authorization and
device permission files, so that routine application requests do not have to traverse the network.
Only log files and periodic differential updates are sent from client computers to the using the
Management Server Console.
When a client requests a connection to the Administration Server listed by DNS name, the
name is resolved and the first IP address returned is selected, as required by round-robin DNS
conventions for a server-client connection attempt. This behavior is controlled by the FirstServer
registry key.
If the connection attempt fails, the client selects the next server name from the list and repeats
the process. After reaching the end of the list and no server-client connection is established,
the client uses the locally cached user access and device permission list. The first connected
server receives client logs and shadow files in a compressed format that is stored in the
DataFileDirectory (DFD) defined during installation.
When you are using Device Control, the client:
Ensures that only removable storage devices and media that the user is authorized for can
be accessed. Any attempt to access unauthorized devices or media is denied, regardless of
the computer the user logs into.
When you are using Application Control, the client performs the following:
Calculates the digital signature, or hash, for files requiring authorization.
Checks the digital signature against the locally stored authorization list for a matching digital
signature.
Denies and logs any user attempts to run unauthorized files.
Allows, when expressly permitted, a user to locally authorize a denied file.
Generates log records of all application access attempts, approved and denied. The Log
Access Denied option is enabled by default.
PGP Endpoint
- 18 -
The client is composed of the following components:
Kernel driver (Sk.sys), that runs on supported operating systems to enforce defined policies
for determining which applications and/or devices users can access.
Communication service (scomc.exe), which provides communication with the Administration
Server(s). This component, PGP Endpoint Command & Control (SCC), runs as a service,
that sends log data to the Administration Server that can be viewed via the Management
Server Console.
User interface (RtNotify), which informs the user of updated policy changes completed by
the administrator (these messages can be deactivated). RtNotify is used by the client to
retrieve user certificates on demand.
Auxiliary dynamically linked library (DLL) files, which provide additional features to the
core components. These files contain support for RtNotify localization information, 16-bit
application control, and macro and script protection.
The following illustrates the relationships between the client component layers.
Figure 2: Client Component Layers
After the client is installed, RTNotify appears as an icon in the system tray. Through RTNotify
the user receives information about permission changes via pop-up messages. End-users can
interact with the client to:
Locally authorize software application files
Manage user access to removable storage devices
Update permissions changes when the client receives event notifications
.
Important: A user cannot change any Application Control or Device Control administrative
settings or permissions.
PGP Endpoint System Architecture
- 19 -
The administrator can query the client to obtain the salt value used for endpoint maintenance,
when the computer is not connected to the network and this value cannot be obtained using the
Management Server Console.
When an Administration Server is unavailable at login, the client uses the locally cached
permission list from the last successful Administration Server connection. If no permission list
exists, the client denies user access to all device and application requests. Permissions lists
can be imported to a computer, as necessary, when no server connection is available or the
computer is disconnected from the network.
A key security principle of Application Control or Device Control is that, even when the
communication service or user interface is disabled, the kernel driver always protects the
client computer. Protection remains in force and the least privilege principle applies. This
principle denies user access to applications or devices that are not expressly permitted. Client
components use client hardening functionality as described in the Application Control User
Guide (https://support.pgp.com) to protect against user tampering.
PGP Endpoint
- 20 -
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78

PGP Endpoint 4.4 User guide

Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI