PGP Endpoint 4.4 User guide

Brand: PGP

Model: Endpoint 4.4

Type: User guide

Administrator Guide

PGP Endpoint 4.4 SR1

02_108P 4.4 SR1 Administrator Guide

- 2 -

- 3 -

Notices

Version Information

PGP Endpoint Administrator Guide - PGP Endpoint Version 4.4 SR1 - Released: August 2009

Document Number: 02_108P_4.4 SR1_092322120

reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without

the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the

US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered

trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a

trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks

of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered

trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business

Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH

and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X

are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered

trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech

AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-

free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent

rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of

California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a

Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under

the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL.

If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact

PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent

applications covering subject matter in this software or its documentation; the furnishing of this software or

documentation does not give you any license to these patents.

Acknowledgements

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with

permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2,

the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under

the Open Source Initiative. • bzip2 1.0, a freely available high-quality data compressor, is copyrighted

PGP Endpoint

- 4 -

www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a

Java-based library used to parse HTML, developed by the Apache Software Foundation. The license

is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, databinding framework for

moving data from XML to Java programming language objects and from Java to databases, is released

by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.

• Xalan, an open-source software library from the Apache Software Foundation that implements the

XSLT XML transformation language and the XPath XML query language, is released under the Apache

Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is

an implementation of the SOAP (“Simple Object Access Protocol”) used for communications between

various PGP products is provided under the Apache license found at http://www.apache.org/licenses/

LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions (JMX),

is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.

• jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/)

• libxslt the XSLT C library developed for the GNOME project and used for XML transformations is

distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version

The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and

Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium,

Inc. (http://www.isc.org) • Free BSD implementation of daemon developed by The FreeBSD Project, ©

1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie

agreement for these is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed

by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol

developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of

The license agreement is at http://www.openldap.org/software/release/license.html. • Secure shell

OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under

a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?

rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is

released under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under

the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL,

a free software object-relational database management system, is released under a BSD-style license,

available at http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program

used to connect to a PostgreSQL database using standard, database independent Java code, (c)

1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available

at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression Library, a free software

object-relational database management system, is released under a BSD-style license, available at

http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX

by permission. • JacORB, a Java object used to facilitate communication between processes written in

Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL)

ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for

Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and

Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/

ACEcopying. html. • libcURL, a library for downloading files via common network services, is open source

Notices

- 5 -

software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html.

released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/

is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/

tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is

distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.

• Windows Template Library (WRT) is used for developing user interface components and is distributed

under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. • The Perl Kit

provides several independent utilities used to automate a variety of maintenance functions and is provided

under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations

promulgated from time to time by the Bureau of Export Administration, United States Department of

Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of

the End User License Agreement provided with the software. The information in this document is subject

to change without notice. PGP Corporation does not warrant that the information meets your requirements

or that the information is free of errors. The information may include technical inaccuracies or typographical

errors. Changes may be made to the information and incorporated in new editions of this document, if and

when made available by PGP Corporation.

PGP Endpoint

- 6 -

- 7 -

Table of Contents

Preface: About This Document................................................................11

Typographical Conventions.......................................................................................... 11

Getting Assistance........................................................................................................11

Chapter 1: PGP Endpoint System Architecture..................................... 13

About Application Control and Device Control Architecture.........................................13

The Database...............................................................................................................15

The Administration Server............................................................................................15

The Management Server Console............................................................................... 16

The Client..................................................................................................................... 17

Chapter 2: Understanding Cryptography................................................21

About Encryption...........................................................................................................21

Advanced Encryption Standard....................................................................................22

RSA Encryption.............................................................................................................23

Chapter 3: Device Control Encryption Methodology............................. 25

Encrypting Removable Storage Devices......................................................................25

Easy Exchange Encryption................................................................................... 26

Encrypting Media...................................................................................................26

Centralized Encryption...........................................................................................29

Decentralized Encryption.......................................................................................29

Chapter 4: Application Control Methodology.........................................31

About File, Macro, and Script Execution Control......................................................... 32

Identifying DLL Dependencies......................................................................................32

Maintaining Application Control....................................................................................33

Operating System Updates and Patches..............................................................33

Frequently Changing Software Use......................................................................33

Software Updates..................................................................................................34

New Software Installations....................................................................................34

Table of Contents

- 8 -

Macros and Other Changing Files........................................................................34

Deleting Local Authorization Files.........................................................................35

Chapter 5: Understanding Administration Server-Client Communications37

About Administration Server-Client Communications...................................................37

Administration Server Communications................................................................ 38

Changing Licenses for the Administration Server.................................................39

Changing the SysLog Server................................................................................39

About Administration Server-Client Communication Encryption...................................40

Digital Signatures and Certificate Authorities (CA)............................................... 40

Digital Signatures...................................................................................................40

About Administration Server-Client Proxy Communications.........................................41

Configuring Administration Server-Client Proxy Communication.......................... 42

Chapter 6: Deploying the Client...............................................................45

About PGP Endpoint Client Deployment......................................................................45

Deploying the Client with a Ghost Image.....................................................................46

Deploying the Client with Windows Group Policy........................................................ 47

Deploying the Client with Other Tools..........................................................................48

Chapter 7: Controlling Administrative Rights........................................ 51

About PGP Endpoint Access Control Rights................................................................51

Defining User Access...................................................................................................52

Using the Access Control Visual Basic Script..............................................................53

Chapter 8: Using File Tools..................................................................... 57

About File Tools............................................................................................................57

Using the PGP Endpoint Authorization Service Tool................................................... 57

Using the PGP Endpoint Application Control File Tool................................................61

Using the SXDomain Tool............................................................................................64

Chapter 9: Managing Registry Keys........................................................67

Database Connection Loss Registry Key.....................................................................67

Authorization Service Registry Key..............................................................................68

Debugging Registry Key...............................................................................................69

Table of Contents

- 9 -

General Registry Keys................................................................................................ 70

Security Registry Keys................................................................................................. 71

Configure MaxSockets...........................................................................................73

Configuring MaxSockets and TLSMaxSockets..................................................... 74

Command & Control Registry Key...............................................................................74

Client Kernel Registry Key........................................................................................... 75

Software Registry Key..................................................................................................76

Administration Server Registry Key..............................................................................77

Authorization Wizard Registry Key...............................................................................77

Table of Contents

- 10 -

- 11 -

Preface

About This Document

This Administrator Guide is a resource written for all users of PGP Endpoint 4.4 SR1. This

document defines the concepts and procedures for installing, configuring, implementing, and

using PGP Endpoint 4.4 SR1.

Tip:

PGP documentation is updated on a regular basis. To acquire the latest version of this or

any other published document, please refer to the PGP Support Portal Web Site (https://

support.pgp.com).

Typographical Conventions

The following conventions are used throughout this documentation to help you identify various

information types.

Convention Usage

bold Buttons, menu items, window and screen objects.

bold italics Wizard names, window names, and page names.

italics New terms, options, and variables.

UPPERCASE SQL Commands and keyboard keys.

monospace File names, path names, programs, executables, command

syntax, and property names.

Getting Assistance

Getting Product Information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files

that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product.

Release notes are also available, which may have last-minute information not found in the

product documentation.

Preface

- 12 -

Contacting Technical Support

• To learn about PGP support options and how to contact PGP Technical Support, please visit

the PGP Corporation Support Home Page (http://www.pgp.com/support).

• To access the PGP Support Knowledge Base or request PGP Technical Support, please visit

PGP Support Portal Web Site (https://support.pgp.com).

Note:

You may access portions of the PGP Support Knowledge Base without a support agreement;

however, you must have a valid support agreement to request Technical Support.

• For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://

www.pgp.com/company/contact/index.html).

• For general information about PGP Corporation, please visit the PGP Web Site (http://

www.pgp.com).

• To access the PGP Support forums, please visit PGP Support (http://

forums.pgpsupport.com). These are user community support forums hosted by PGP

Corporation.

- 13 -

Chapter

PGP Endpoint System Architecture

In this chapter:

• About Application Control

and Device Control

Architecture

• The Database

• The Administration Server

• The Management Server

Console

• The Client

Application Control and Device Control architecture is a

3-tier structure composed of an Administration Server,

database, and one or more clients. A Management Server

Console provides the administrative interface between the

system administrator and Administration Server.

About Application Control and Device Control Architecture

PGP Endpoint architecture is a multi-tier system composed of a database, an Administration

Server, and a client.

The three primary components that form the basis of PGP Endpoint system architecture interact

as follows. The Administration Server component runs as a service that:

• Keeps track of the connected clients and their status.

• Coordinates data flow between the Administration Server(s) and the SQL database.

The database component serves as the central repository of the authorization and permission

policies. The client component stores file authorization and device permission policies locally,

and controls user access from the endpoint to software applications and all connected devices.

To change authorization and permission policies, an administrator uses a Management Server

Console to interface with the Administration Server(s), which then communicate with the

database and the client(s).

PGP Endpoint system architecture is scalable to meet the needs of any enterprise. You can use

multiple Administration Server(s) and clients.

PGP Endpoint

- 14 -

The Application Control and Device Control architecture components are:

• The database which serves as the central repository of authorization information for devices

and applications.

• One or more Administration Servers that communicate between the database, the protected

clients, and the Management Server Console.

• The client (installed on each computer, endpoint or server that you want to protect).

• The Management Server Console, which provides the administrative user interface for the

Administration Server.

The following figure illustrates the relationships between the components.

Figure 1: Application and Device Control Architecture

PGP Endpoint System Architecture

- 15 -

The Database

The database serves as the central repository of software and device permission data.

Administrator and user access logs are also stored in the database.

The database uses one of the following Microsoft

SQL

Server products:

• Microsoft SQL Server 2005

• Microsoft SQL Server 2008

• Microsoft SQL Server 2005 Express

• Microsoft SQL Server 2008 Express

For evaluations and test environments Microsoft SQL Server 2005 Express and Microsoft SQL

Server 2005 Express are sufficient. Enterprise implementation must use the Microsoft SQL

Server 2005 or 2008 edition.

The Administration Server

The Administration Server runs as a Windows

service that coordinates and tracks data flow

between Administration Server(s), connected clients, and the SQL

database.

The Administration Server service runs under any domain account capable of reading domain

users, user groups, and computer accounts from the domain controller. The Administration

Server performs the following functions:

• Retrieves user access and device permission policies from the database which are stored in

the Administration Server cache.

• Signs and/or encrypts the user access and/or device permission list, compresses the list,

and communicates updated user access and/or device permission lists to client servers and

computers, where the permission policies are stored locally. Permission policy updates only

communicate changes to the existing user access and device permission policies, rather

than retransmitting entire policies.

• Saves a log of administrator actions and, optionally, users actions including information about

when application or device access is denied.

Each PGP Endpoint product installation requires at least one Administration Server and a

corresponding DataFileDirectory (DFD). The DFD can reside on the same computer or a shared

network resource, to store log information. All servers can write to a shared DataFileDirectory or

to a different directory for each Administration Server, depending upon the unique architecture

of your network environment.

Up to three Administration Servers can be defined during client installation. Additional servers

can be assigned by:

• Changing the Server Address default option in the Management Server Console Tools

menu, as outlined in the Application Control User Guide or Device Control User Guide

(https://support.pgp.com).

• Modifying the Server parameter for the Command & Control Registry Key on page 74

PGP Endpoint

- 16 -

The Administration Server sends user access and device permission changes to users when:

• A user logs in.

• An administrator sends updated information to all computers, specific computers, or export

changes to a file.

• A user requests updated information from a client computer.

An administrator uses the Management Server Console to interact with Administration Server.

The Management Server Console

The Management Server Console is the administrative interface for the Administration Server.

This product component is used to configure Application Control and Device Control.

You can install the console on one or more computers, including the database or Administration

Server hosts.

The Management Server Console does not connect directly to the database. All communication

with the database is conducted via the Administration Server(s). The Management Server

Console and Administration Server use Remote Procedure Call (RPC) protocol authenticate

encrypted communications.

You use the console to:

• Define administrator roles.

• Monitor system administrator and user activity logs and options.

• Define default settings for administrative tools.

• Generate standard or custom reports.

When you are using Device Control, you can:

• Manage access to removable storage devices.

• Authorize user access to specific CD/DVD media for use with CD/DVD drives.

• Encrypt removable media and devices.

• View lists of files and data transferred using authorized media.

• View the content of files transferred using authorized removable storage devices.

• View information about user attempts to access or connect unauthorized removable storage

devices.

When you are using Application Control, you can:

• Build and manage centrally authorized lists of executable files, scripts, and macros.

• Organize authorized application software files into logical file groups.

• Assign file groups to users and user groups.

• Manage and maintain the software authorization database.

PGP Endpoint System Architecture

- 17 -

The Client

The client is installed on each client computer to enforce file authorization and device

permissions policies.

You can install the client on the same computer as the Management Server Console when

you are using Device Control. Each protected computer can maintain local authorization and

device permission files, so that routine application requests do not have to traverse the network.

Only log files and periodic differential updates are sent from client computers to the using the

Management Server Console.

When a client requests a connection to the Administration Server listed by DNS name, the

name is resolved and the first IP address returned is selected, as required by round-robin DNS

conventions for a server-client connection attempt. This behavior is controlled by the FirstServer

registry key.

If the connection attempt fails, the client selects the next server name from the list and repeats

the process. After reaching the end of the list and no server-client connection is established,

the client uses the locally cached user access and device permission list. The first connected

server receives client logs and shadow files in a compressed format that is stored in the

DataFileDirectory (DFD) defined during installation.

When you are using Device Control, the client:

• Ensures that only removable storage devices and media that the user is authorized for can

be accessed. Any attempt to access unauthorized devices or media is denied, regardless of

the computer the user logs into.

When you are using Application Control, the client performs the following:

• Calculates the digital signature, or hash, for files requiring authorization.

• Checks the digital signature against the locally stored authorization list for a matching digital

signature.

• Denies and logs any user attempts to run unauthorized files.

• Allows, when expressly permitted, a user to locally authorize a denied file.

• Generates log records of all application access attempts, approved and denied. The Log

Access Denied option is enabled by default.

PGP Endpoint

- 18 -

The client is composed of the following components:

• Kernel driver (Sk.sys), that runs on supported operating systems to enforce defined policies

for determining which applications and/or devices users can access.

• Communication service (scomc.exe), which provides communication with the Administration

Server(s). This component, PGP Endpoint Command & Control (SCC), runs as a service,

that sends log data to the Administration Server that can be viewed via the Management

Server Console.

• User interface (RtNotify), which informs the user of updated policy changes completed by

the administrator (these messages can be deactivated). RtNotify is used by the client to

retrieve user certificates on demand.

• Auxiliary dynamically linked library (DLL) files, which provide additional features to the

core components. These files contain support for RtNotify localization information, 16-bit

application control, and macro and script protection.

The following illustrates the relationships between the client component layers.

Figure 2: Client Component Layers

After the client is installed, RTNotify appears as an icon in the system tray. Through RTNotify

the user receives information about permission changes via pop-up messages. End-users can

interact with the client to:

• Locally authorize software application files

• Manage user access to removable storage devices

• Update permissions changes when the client receives event notifications

Important: A user cannot change any Application Control or Device Control administrative

settings or permissions.

PGP Endpoint System Architecture

- 19 -

The administrator can query the client to obtain the salt value used for endpoint maintenance,

when the computer is not connected to the network and this value cannot be obtained using the

Management Server Console.

When an Administration Server is unavailable at login, the client uses the locally cached

permission list from the last successful Administration Server connection. If no permission list

exists, the client denies user access to all device and application requests. Permissions lists

can be imported to a computer, as necessary, when no server connection is available or the

computer is disconnected from the network.

A key security principle of Application Control or Device Control is that, even when the

communication service or user interface is disabled, the kernel driver always protects the

client computer. Protection remains in force and the least privilege principle applies. This

principle denies user access to applications or devices that are not expressly permitted. Client

components use client hardening functionality as described in the Application Control User

Guide (https://support.pgp.com) to protect against user tampering.

PGP Endpoint

- 20 -

Page is loading ...

PGP Endpoint 4.4 User guide

PGP Endpoint 4.4 User guide

PGP Endpoint 4.4 User guide

Related papers

Other documents