PGP Endpoint Device Control 4.3 User guide

Brand: PGP

Model: Endpoint Device Control 4.3

Type: User guide

PGP Endpoint Device Control

Version 4.3.0

User’s Guide

Version Information

PGP Endpoint Device Control User's Guide. PGP Endpoint Version 4.3.0. Released: June 2008.

02_103_4.3.0.55

any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP

Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries.

IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a

registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are

trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or

registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines

Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are

trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of

Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective

owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128

encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-

commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number

10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-

blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is

licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you

would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support

(http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in

this software or its documentation; the furnishing of this software or documentation does not give you any license to these

patents.

Acknowledgments

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-

ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome

project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html.

Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by

the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source,

databinding framework for moving data from XML to Java programming language objects and from Java to databases, is

released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an

open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language

and the XPath XML query language, is released under the Apache Software License, version 1.1, available at

http://xml.apache.org/xalan-j/#license1.1. • Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol")

used for communications between various PGP products is provided under the Apache license found at

http://www.apache.org/licenses/LICENSE-2.0.txt. • mx4j, an open-source implementation of the Java Management Extensions

(JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version

6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) • libxslt the XSLT C library developed for

the GNOME project and used for XML transformations is distributed under the MIT License

http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler, copyrighted and

Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems

version 4.2 developed by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access

Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the

at http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version 4.2.1 developed by OpenBSD

project is released by the OpenBSD Project under a BSD-style license, available at

http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a

specification for SmartCard integration is released under the BSD license. • Postfix, an open source mail transfer agent (MTA),

is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free

software object-relational database management system, is released under a BSD-style license, available at

http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL

released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. • PostgreSQL Regular Expression

Library, a free software object-relational database management system, is released under a BSD-style license, available at

http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified

facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library

ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication

at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is

available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. • libcURL, a library for downloading files via common network

services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html.

Ts'o. • libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License

development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed

under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html. • Windows Template Library

(WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at

http://opensource.org/licenses/cpl1.0.php. • The Perl Kit provides several independent utilities used to automate a variety of

maintenance functions and is provided under the Perl Artistic License, found at

http://www.perl.com/pub/a/language/misc/Artistic.html.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time

to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export

of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User

License Agreement provided with the software. The information in this document is subject to change without notice. PGP

Corporation does not warrant that the information meets your requirements or that the information is free of errors. The

information may include technical inaccuracies or typographical errors. Changes may be made to the information and

incorporated in new editions of this document, if and when made available by PGP Corporation

PGP Endpoint Device Control User Guide 4.3.0 1

Contents

About this guide ......................................................................................................... 7

Introduction ..................................................................................................................................... 7

Complete security .............................................................................................................................. 8

What’s in this guide ........................................................................................................................... 8

Conventions ..................................................................................................................................... 9

Notational conventions .................................................................................................................. 9

Typographic conventions ................................................................................................................ 9

Keyboard conventions ................................................................................................................... 9

Getting Assistance ............................................................................................................................. 9

Getting product information ........................................................................................................... 9

Contacting Technical Support ......................................................................................................... 10

Chapter 1: Introducing PGP Endpoint Device Control .......................................................... 13

Welcome to PGP Endpoint Device Control................................................................................................ 13

What is PGP Endpoint Device Control ..................................................................................................... 13

What can you do with PGP Endpoint Device Control .................................................................................. 14

Benefits of using PGP Endpoint Device Control ......................................................................................... 14

Major features of PGP Endpoint............................................................................................................ 15

What is new on this version ................................................................................................................ 17

Device types supported ...................................................................................................................... 17

Conclusions ..................................................................................................................................... 20

Chapter 2: Using the PGP Endpoint Console ..................................................................... 21

Starting the PGP Endpoint Management Console ...................................................................................... 21

Connecting to the Server ............................................................................................................... 22

Log in as a different user............................................................................................................... 22

The PGP Endpoint Management Console screen ........................................................................................ 23

Customizing your workspace .......................................................................................................... 24

The PGP Endpoint Device Control modules .............................................................................................. 26

The PGP Endpoint Management Console menus and tools .......................................................................... 28

File menu .................................................................................................................................. 28

View menu ................................................................................................................................ 28

Tools menu ................................................................................................................................ 28

Endpoint Maintenance ................................................................................................................. 29

Reports menu ............................................................................................................................. 31

Explorer menu ............................................................................................................................ 32

Window menu ............................................................................................................................ 32

Help menu ................................................................................................................................. 32

Other administrative functions ............................................................................................................ 33

Setting and changing default options .............................................................................................. 33

Synchronizing domain members ..................................................................................................... 33

Synchronizing with Novell eDirectory ............................................................................................... 33

Adding workgroup computers......................................................................................................... 34

Performing database maintenance .................................................................................................. 34

Defining PGP Endpoint administrators .............................................................................................. 35

Sending updated permissions to client computers............................................................................... 37

Everyday work .................................................................................................................................38

Identifying and organizing users and user groups ...............................................................................38

Identifying the devices to be managed .............................................................................................38

Working with the PGP Endpoint system’s pre-defined device classes ....................................................... 39

Adding your own, user-defined devices to the system ........................................................................ 40

Identifying specific, unique, removable devices ................................................................................ 40

Organizing devices into logical groups .............................................................................................. 41

Identifying specific computers to be managed ................................................................................... 42

Defining different types or permissions ............................................................................................ 42

Encrypting removable media & authorizing specific DVDs/CDs................................................................. 43

Forcing users to encrypt removable media ....................................................................................... 44

Practical setup examples ................................................................................................................... 44

DVD/CD burner permissions assignments .......................................................................................... 44

Removable permissions assignments .............................................................................................. 45

Contents

2 PGP Endpoint Device Control User Guide 4.3.0

Assigning permissions to groups instead of users ................................................................................ 45

Shadowing notes ........................................................................................................................ 45

Chapter 3: Using the Device Explorer ............................................................................. 49

How does the Device Explorer work ...................................................................................................... 50

Restricted and unrestricted devices ...................................................................................................... 51

Optimizing the way you use the Device Explorer ...................................................................................... 52

Context menu and drag & drop ...................................................................................................... 52

Keyboard shortcuts ...................................................................................................................... 52

Adding comments to an entry ........................................................................................................ 53

Computer groups ........................................................................................................................ 53

Renaming Computer Groups/Device Groups/Devices ............................................................................. 53

Event notification ....................................................................................................................... 54

Device Groups ............................................................................................................................ 57

Supported devices types .................................................................................................................... 58

Managing permissions ....................................................................................................................... 58

Chapter 4: Managing permissions/rules ......................................................................... 59

Using the Permissions dialog .............................................................................................................. 59

Special case: Working with Removable Storage Devices ........................................................................ 61

Using file filters ............................................................................................................................... 63

To remove File Filtering settings from a permission ............................................................................. 65

File Filtering examples ................................................................................................................. 66

Adding a user or group when defining permissions .................................................................................. 68

To assign default permissions ............................................................................................................. 69

Root-level permissions ................................................................................................................. 69

To assign default permissions to users and groups .............................................................................. 69

Priority of default permissions ........................................................................................................ 71

Read/Write permissions ................................................................................................................ 72

To assign computer-specific permissions to users and groups ..................................................................... 73

To modify permissions.................................................................................................................. 74

To remove permissions ................................................................................................................. 75

To assign scheduled permissions to users and groups ............................................................................... 75

To modify scheduled permissions.................................................................................................... 76

To remove scheduled permissions ....................................................................................................77

To assign temporary permissions to users ...............................................................................................77

To remove temporary permissions ................................................................................................... 78

To assign temporary permissions to offline users ..................................................................................... 78

To assign online and offline permissions ............................................................................................... 82

To remove offline or online permissions ........................................................................................... 83

To export and import permission settings .............................................................................................. 84

To manually export or import permissions settings ............................................................................. 84

Shadowing devices ........................................................................................................................... 85

To shadow a device ..................................................................................................................... 85

To remove the shadow rule ........................................................................................................... 87

To view a ‘shadowed’ file ............................................................................................................. 87

Copy limit ....................................................................................................................................... 87

To add a copy limit ......................................................................................................................88

To remove a copy limit ................................................................................................................. 89

Applying multiple permissions to the same user ...................................................................................... 89

Forcing users to encrypt removable storage devices .................................................................................. 90

Setting permissions to force users to encrypt removable storage devices .................................................. 91

Managing devices ............................................................................................................................ 95

To add a new device .................................................................................................................... 95

To remove a device ...................................................................................................................... 97

Specific, unique, removable devices ................................................................................................ 97

Changing permissions mode .......................................................................................................... 97

Priority options when defining permissions ...................................................................................... 98

Informing client computers of permission changes .................................................................................. 99

Chapter 5: Using the Log Explorer ................................................................................ 101

Introduction .................................................................................................................................. 101

Monitoring user input/output device actions .................................................................................... 101

Monitoring administrator actions ................................................................................................... 103

Accessing the Log Explorer ................................................................................................................. 103

Log Explorer templates ..................................................................................................................... 104

To use an existing template .......................................................................................................... 105

Predefined templates .................................................................................................................. 105

To create and use a new template ................................................................................................. 107

Backing-up your templates .......................................................................................................... 108

Log Explorer window........................................................................................................................ 108

Navigation/Control bar ................................................................................................................ 109

Column headers ......................................................................................................................... 109

Results panel / custom report contents ............................................................................................ 114

Contents

PGP Endpoint Device Control User Guide 4.3.0 3

Criteria/Properties panel .............................................................................................................. 116

Control button panel ................................................................................................................... 116

Select and edit templates window ....................................................................................................... 117

Template settings window ................................................................................................................. 119

General tab ............................................................................................................................... 120

Query & Output tab ..................................................................................................................... 120

Criteria ..................................................................................................................................... 121

The advanced view ..................................................................................................................... 123

Schedule tab ............................................................................................................................. 127

Viewing access attempts to devices ...................................................................................................... 130

Viewing client error reports ................................................................................................................ 131

Viewing shadow files ........................................................................................................................ 132

When the Data File Directory is not available .................................................................................... 133

Shadowing file names only ................................................................................................................ 134

DVD/CD Shadowing ........................................................................................................................... 134

Forcing the latest log files to upload .................................................................................................... 134

To manage devices using the Log Explorer module .................................................................................. 135

Viewing administrator activity ............................................................................................................ 136

Audit events .............................................................................................................................. 136

Chapter 6: Using the Media Authorizer ......................................................................... 139

Introduction ................................................................................................................................... 139

Creating a DVD/CD hash .................................................................................................................... 140

What happens when a user wants access to the DVD/CD...................................................................... 140

Accessing the Media Authorizer ........................................................................................................... 141

Authorizing users to use specific DVDs/CDs ............................................................................................. 141

Pre-requisites ........................................................................................................................... 141

To authorize the use of a specific DVD/CD .......................................................................................... 141

Encrypting removable storage devices .................................................................................................. 142

Pre-requisites ........................................................................................................................... 143

Decentralized encryption..............................................................................................................144

Limitations ...............................................................................................................................144

To encrypt a specific removable storage device ..................................................................................144

Removable device encryption methods comparison ........................................................................... 146

Problems encrypting a device ....................................................................................................... 146

Authorizing access. ......................................................................................................................... 148

Selecting users for a device. ......................................................................................................... 149

Selecting devices for a user .......................................................................................................... 150

Removing media from the database .................................................................................................... 151

To remove a DVD/CD .................................................................................................................... 151

To remove an encrypted removable storage device ............................................................................. 152

To remove lost or damaged media from the database ......................................................................... 152

Other Media Authorizer utilities .......................................................................................................... 153

To rename a DVD, CD, or removable storage device ............................................................................. 153

Exporting encryption keys ............................................................................................................ 153

Ejecting a CD or DVD ....................................................................................................................154

Recovering a password for decentralized encryption when connected ....................................................154

Permissions Priority ......................................................................................................................... 157

Encrypting devices without a Certificate Authority .................................................................................. 159

To encrypt a removable media without installing a Certificate Authority ................................................. 159

Chapter 7: Accessing encrypted media outside of your organization ................................... 161

Exporting encryption keys ................................................................................................................. 161

Exporting encryption keys centrally ................................................................................................ 161

Exporting encryption keys locally ................................................................................................... 161

To export the encryption key to a file .............................................................................................. 162

To export the encryption key to the device itself ................................................................................ 163

Accessing encrypted media outside your organization ............................................................................. 164

Accessing media on a machine with PGP Endpoint Client Driver installed ............................................... 164

Accessing media without using PGP Endpoint Client Driver .................................................................. 169

Using encryption inside and outside your organization ....................................................................... 174

Decentralized encryption ................................................................................................................... 175

How to configure PGP Endpoint so that users can encrypt their own devices ............................................ 175

Recovering a decentralized encryption password without PGP Endpoint Client .......................................... 175

Chapter 8: Setting and changing options ...................................................................... 181

Default options ............................................................................................................................... 181

Computer-specific options ................................................................................................................. 182

To change an option setting ............................................................................................................... 182

Sending updates to client computers .............................................................................................. 183

Individual option settings ................................................................................................................. 183

Certificate generation .................................................................................................................. 183

Contents

4 PGP Endpoint Device Control User Guide 4.3.0

Client hardening ........................................................................................................................ 183

Device log ................................................................................................................................ 184

Device log throttling ................................................................................................................... 184

eDirectory translation ................................................................................................................. 184

Encrypted media password ........................................................................................................... 185

Endpoint status ......................................................................................................................... 185

Log upload interval .................................................................................................................... 185

Log upload threshold .................................................................................................................. 185

Log upload time ........................................................................................................................ 186

Log upload delay ....................................................................................................................... 186

Online state definition ................................................................................................................ 186

Server address ........................................................................................................................... 187

Shadow directory ....................................................................................................................... 187

Update notification .................................................................................................................... 187

USB Keylogger ........................................................................................................................... 188

Checking settings on a client machine.................................................................................................. 188

Chapter 9: Generating PGP Endpoint Reports................................................................. 189

User Permissions report .................................................................................................................... 191

Device Permissions report ................................................................................................................. 192

Computer Permissions report ............................................................................................................. 193

Media by User report ........................................................................................................................ 194

Users by Medium report .................................................................................................................... 195

Shadowing by Device report .............................................................................................................. 196

Shadowing by User report ................................................................................................................. 197

Online Machines report .................................................................................................................... 198

Machine Options report .................................................................................................................... 199

Server Settings Report ..................................................................................................................... 200

Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data .................. 201

How it works .................................................................................................................................. 201

Limitations and supported media ....................................................................................................... 201

Pre-requisites ................................................................................................................................ 202

Encrypting a CD/DVD ......................................................................................................................... 202

To assign a user permission to encrypt a DVD/CD ................................................................................ 203

To assign a user permission to read an already encrypted DVD/CD ......................................................... 204

To encrypt a DVD/CD ................................................................................................................... 204

Using an already encrypted CD/DVD ..................................................................................................... 208

To use an already encrypted CD/DVD on a machine protected by PGP Endpoint ........................................ 208

To use an already encrypted CD/DVD on a machine not protected by PGP Endpoint ................................... 208

If you forget the CD/DVD password ...................................................................................................... 208

DVD/CD icons ................................................................................................................................. 208

Chapter 11: Using PGP-Encrypted Removable Devices ........................................................ 211

Introduction ................................................................................................................................... 211

Defining Permission Using the PGP Endpoint Management Console ............................................................. 212

To Allow Users to Encrypt a Device Using PGP WDE .............................................................................. 213

To Allow User to Use a PGP WDE Encrypted Removable Device ............................................................... 213

To Check the Client Status .................................................................................................................. 214

To Decrypt or Re-encrypt a Removable Device Using PGP’s Desktop ............................................................. 214

Shadow ........................................................................................................................................ 215

Reports ......................................................................................................................................... 215

Using the Log Explorer ...................................................................................................................... 215

Auditing Logs ................................................................................................................................. 216

Appendix A: DVD/CD Shadowing .................................................................................. 219

Introduction .................................................................................................................................. 219

Operation of the PGP Endpoint Client Driver ..................................................................................... 219

Disk space requirements .............................................................................................................. 219

Supported formats when shadowing ................................................................................................... 220

Handling of unsupported shadowing formats ........................................................................................ 220

CD image analysis ............................................................................................................................ 221

Files ........................................................................................................................................ 221

Logs ........................................................................................................................................ 221

Saved image ............................................................................................................................. 221

Sample analysis log ......................................................................................................................... 221

Supported and unsupported CD formats ............................................................................................... 223

Summary ................................................................................................................................. 223

Supported data block formats and recording modes ........................................................................... 223

Supported and unsupported file system features ............................................................................... 223

Supported DVD/CD burning software ............................................................................................... 225

Contents

PGP Endpoint Device Control User Guide 4.3.0 5

Appendix B: Important notes ..................................................................................... 227

Appendix C: PGP Endpoint Device Control encryption ...................................................... 231

Introduction ................................................................................................................................... 231

PGP Endpoint Device Control encryption ................................................................................................ 231

Centralized encryption using the Full Encryption Method .......................................................................... 231

Centralized encryption using Easy Exchange ........................................................................................... 232

Decentralized encryption ................................................................................................................... 232

How is the medium assigned to a user/user group ..................................................................................233

Centralized versus decentralized encryption ...........................................................................................233

Full Encryption vs. Easy Exchange ....................................................................................................... 235

Other available encryption methods ................................................................................................... 236

Access to encrypted data using the PGP Endpoint Client Driver ................................................................... 237

If a MS Enterprise Certificate Authority (CA) is installed ........................................................................ 237

If no MS Enterprise Certificate Authority (CA) installed ........................................................................ 238

Access to encrypted data outside the network ....................................................................................... 239

Accessing encrypted data outside the network when using Full Encryption ............................................. 239

PGP Endpoint Stand-Alone Decryption Tool, SADEC ............................................................................ 239

Accessing encrypted data outside the network when using Easy Exchange .............................................. 240

Encryption scenarios ....................................................................................................................... 243

Simple examples ....................................................................................................................... 243

Complex examples ..................................................................................................................... 244

Understanding Cryptography ..............................................................................................................247

Defining cryptography .................................................................................................................247

How do we achieve privacy? ............................................................................................................. 248

Signing communications ............................................................................................................. 249

The security principles of SDC encryption explained ................................................................................ 249

The AES algorithm ...................................................................................................................... 249

Public/private key based communication between SDC tiers ................................................................ 250

The Key Pair Generator ............................................................................................................... 250

Symmetric AES key public/private key based encryption ...................................................................... 250

Digital Signatures ...................................................................................................................... 250

Digital Signatures & Certificate Authorities (CA) .................................................................................. 251

The AES Algorithm ........................................................................................................................... 252

What is AES? ............................................................................................................................. 252

How does AES work? ................................................................................................................... 252

AES and PGP Endpoint Device Control ............................................................................................. 253

Why is AES so secure? ................................................................................................................. 253

Other useful info ............................................................................................................................ 254

What is considered as a removable media? ..................................................................................... 254

What happens if I have forgotten my password? ............................................................................... 254

Recovering a password when using decentralized encryption .............................................................. 254

What happens to my unencrypted data when I encrypt the device it is on?............................................. 254

How do I decrypt a device? .......................................................................................................... 254

Appendix D: PGP Endpoint’s Architecture ...................................................................... 257

The whitelist approach ..................................................................................................................... 257

Concepts .................................................................................................................................. 257

Advantages/disadvantages of using a white list ................................................................................. 257

Whitelist and blacklist examples ................................................................................................... 258

A complete security solutions portfolio ................................................................................................ 258

PGP Endpoint Application Control Suite ........................................................................................... 259

PGP Endpoint Device Control ........................................................................................................ 259

PGP Endpoint for Embedded Devices .............................................................................................. 259

PGP Endpoint components ................................................................................................................ 259

The PGP Endpoint Database ......................................................................................................... 260

The PGP Endpoint Administration Server .......................................................................................... 261

PGP Endpoint Client Driver ........................................................................................................... 262

Protocol and ports ..................................................................................................................... 264

Operation overview .................................................................................................................... 265

Key usage ................................................................................................................................ 266

If the PGP Endpoint Administration Server is not reachable ................................................................. 266

The PGP Endpoint Management Console.......................................................................................... 270

Administration Tools ................................................................................................................... 271

Network communications ............................................................................................................. 272

PGP Endpoint Client Driver communications ...................................................................................... 272

PGP Endpoint Administration Server communications ......................................................................... 272

How PGP Endpoint works .................................................................................................................. 272

PGP Endpoint Application Control Suite ............................................................................................ 272

PGP Endpoint Device Control .........................................................................................................274

Contents

6 PGP Endpoint Device Control User Guide 4.3.0

Glossary................................................................................................................. 279

Index of Figures ...................................................................................................... 285

Index of Tables ....................................................................................................... 291

Index .................................................................................................................... 293

PGP Endpoint Device Control User Guide 4.3.0 7

About this guide

Introduction

PGP Endpoint provides policy-based control for all devices and applications that can be used on enterprise

endpoints. Using a whitelist approach (see a detailed explanation in Appendix D: PGP Endpoint’s

Architecture) , PGP Endpoint enables the development, enforcement, and auditing for application and device

use in order to maintain IT security, reduce the effort and cost associated with supporting endpoint

technologies, and ensure compliance with regulations. By using a whitelist approach, administrator can

concentrate in approving a list of a few selected device/application accesses instead of banning

devices/applications and maintaining endless blacklist subscriptions.

PGP Endpoint links application and device policies to eDirectory- and Active Directory-based identities,

dramatically simplifying the management of endpoint application and device resources.

As a security officer or network administrator, you are not only aware but also concerned of the potential

damage a typical user can cause on your network. It has been proven that most attacks and damage come

from within the bound of the internal firewall performed by employees — intentionally or unintentionally. If the

typical end user can be limited in its ability, then it scope of damage can also be restricted and, most

probably, stopped. This is what the “Least Privilege Principle” advocates: give users only the access and

privileges needed to complete the task at hand.

PGP Endpoint Device Control controls access to devices by applying permission rules to each device type.

Based on the Least Privilege Principle, access to any device is prohibited by default for all users. To grant

access, the administrator associates users or user groups with the devices — or complete device classes —

for which they should have read and/or write privileges. In this way, PGP Endpoint Device Control extends

the standard Windows security model to control input/output (I/O) devices.

The PGP Endpoint Device Control approach contrasts traditional security solutions that use ‘black lists’ to

specify devices that cannot be used. With PGP Endpoint Device Control, your IT infrastructure is protected

from unauthorized devices until you decide to include them in the whitelist and, thus, authorize them.

About this guide

8 PGP Endpoint Device Control User Guide 4.3.0

Complete security

PGP offers a portfolio of security solutions for regulating your organization’s applications and devices.

> Our PGP Endpoint Application Control Suite, which includes any of the following programs depending

on your needs:

> PGP Endpoint Application Control Terminal Services Edition extends application control to

Citrix or Microsoft Terminal Services environments, which share applications among multiple users.

> PGP Endpoint Application Control Server Edition delivers application control to protect your

organization’s servers, such as its Web server, email server, and database server.

> PGP Endpoint Device Control prevents unauthorized transfer of applications and data by controlling

access to input/output devices, such as memory sticks, modems, and PDAs.

> PGP Endpoint for Embedded Devices moves beyond the traditional desktop and laptop endpoints and

onto a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network area

storage devices and the myriad of other systems running Windows XP Embedded.

What’s in this guide

This guide explains how to use PGP Endpoint Device Control to control end user access to I/O devices,

including floppy disk drives, DVDs/CDs drives, serial and parallel ports, USB devices, hot swappable and

internal hard drives as well as other devices.

We have divided this manual in three sections:

Part I contains a general introduction to the PGP Endpoint Device Control program. It is strongly

recommended that you review this section:

> Chapter 1: Introducing PGP Endpoint Device Control provides a high-level overview of PGP Endpoint

Device Control, how it works and how it benefits your organization.

> Chapter 2: Using the PGP Endpoint Console describes the basic principles of how to use PGP Endpoint

Device Control.

Part II contains reference material. It provides information about how to use each of the PGP Endpoint

Device Control modules. The functionality of each module is explained in detail.

> Chapter 3: Using the Device Explorer explains how to set the Access Control List permissions on I/O

devices.

> Chapter 4: Managing permissions/rules shows you how to create, delete, modify, organize, combine

permissions and rules, and how to force a user to encrypt removable storage devices.

> Chapter 5: Using the Log Explorer provides information on both how to view a copy of traced files, errors,

access attempts on client computers, and how to display administrative logs and copies of files (known

as “shadow files”) users have been written to or read from specific devices.

> Chapter 6: Using the Media Authorizer illustrates how to create a database of known DVD/CDs and

encrypted media and how to assign their rights to individual users and groups.

> Chapter 7: Accessing encrypted media outside of your organization explains how to use encrypted media

outside the company.

> Chapter 8: Setting and changing options describes how to customize default and computer-specific

options for your organization.

> Chapter 9: Generating PGP Endpoint Reports explains how to obtain the HTML reports generated by

PGP Endpoint Device Control.

> Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data demonstrates how to

encrypt DVDs/CDs and use then outside your organization in a secure way.

> Chapter 11: Using PGP-Encrypted Removable Devices show you how to define permissions to use

removable devices encrypted with PGP in a PGP Endpoint-protected environment.

About this guide

PGP Endpoint Device Control User Guide 4.3.0 9

Part III contains additional information to help you in day-to-day operations.

> Appendix A: DVD/CD Shadowing describes how to copy the contents of files written/read to/from

DVD/CD (shadowing), the DVD/CD disk and file formats supported by the shadowing operations, and

how to interpret the files written to the Log Explorer module.

> Appendix B: Important notes shows some key comments you should take into account when using PGP

Endpoint Device Control.

> Appendix C: PGP Endpoint Device Control encryption describes complete behind the scene comparison

between the different encryption methods available in PGP Endpoint Device Control and an explanation

of how this encryption is achieved.

> Appendix D: PGP Endpoint’s Architecture provides you with an overview of PGP Endpoint solution

architecture.

> The Glossary provides definitions of standard acronyms and terms used throughout the guide.

> The several indexes (Index of Figures, Index of Tables, and Index) provide quick access to specific

figures, tables, information, items, or topics.

Conventions

Notational conventions

The following symbols are used throughout this guide to emphasize important points about the information

you are reading:

 Take note. You can find here more information about the topic in question. These may

relate to other parts of the system or points that need particular attention.

 Shortcut. Here is a tip that may save you time.

 Caution. This symbol means that proceeding with a course of action introduces a risk —

data loss or potential problem with the operation of your system, for example.

Typographic conventions

The following typefaces are used throughout this guide:

> Italic — Represents fields, menu commands, and cross-references.

> Fixed width — Shows messages or commands typed at a command prompt.

> SMALL CAPS — Represents buttons you click.

Keyboard conventions

A plus sign between two keyboard keys means that you must press those keys at the same time. For

example, ALT+R means that you hold down the ALT key while you press R.

A comma between two or more keys signifies that you must press each of them consecutively. For example

‘Alt, R, U’ means that you press each key in sequence.

Getting Assistance

For additional resources, see these sections.

Getting product information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed

with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also

available, which may have last-minute information not found in the product documentation.

About this guide

10 PGP Endpoint Device Control User Guide 4.3.0

Once PGP Endpoint is released, additional information regarding the product is entered into the online

Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).

Contacting Technical Support

> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP

Corporation Support Home Page (http://www.pgp.com/support).

> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP

Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP

Support Knowledge Base without a support agreement; however, you must have a valid support

agreement to request Technical Support.

> For any other contacts at PGP Corporation, please visit the PGP Contacts Page

(http://www.pgp.com/company/contact/index.html).

> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).

> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are

user community support forums hosted by PGP Corporation.

PGP Endpoint Device Control User Guide 4.3.0 11

Part I: Administration

PGP Endpoint Device Control User Guide 4.3.0 13

Chapter 1: Introducing PGP Endpoint Device

Control

This chapter introduces PGP Endpoint Device Control, and explains how it benefits your organization,

protects your data, and improves your productivity. It also contains an overview of the entire PGP Endpoint

system and an explanation of the how the program works.

Welcome to PGP Endpoint Device Control

PGP Endpoint Device Control eliminates many of the dangers associated with the abuse of network

resources and mission critical information from within your organization. PGP Endpoint Device Control

enhances security by controlling end user access to I/O devices, including:

> Floppy disk drives

> DVDs/CDs drives

> Serial and parallel ports

> USB devices

> Hot swappable and internal hard drives

> and other devices

This is a very effective way of preventing data leakage and theft of electronic intellectual property and

proprietary information.

PGP Endpoint Device Control also prevents the upload and installation of malicious code, unlicensed

software, and other counterproductive applications on your system preventing inappropriate use of corporate

resources, which can incur unnecessary expenses.

PGP Endpoint Device Control allows you to increase employee productivity and lower corporate legal

liabilities while protecting your organization’s reputation, image, and assets.

What is PGP Endpoint Device Control

PGP Endpoint Device Control controls access to I/O devices by applying an Access Control List (ACL) to

each device type. By default, access to any device is prohibited for all users. Designated administrators can

assign access and permissions to specific users or groups of users for the devices that they require in their

day-to-day tasks. These permissions can be temporary, online or offline, scheduled, copy limit, shadow (a

copy of transferred data), read, read/write, and so on.

The PGP Endpoint Device Control approach works in contrast to traditional security solutions that utilize a list

of specific devices that cannot be used which have administrators scrambling to update systems whenever

some new class of device is introduced. With PGP Endpoint Device Control, your IT infrastructure is

protected from any kind of device until you sanction it use.

Chapter 1: Introducing PGP Endpoint Device Control

14 PGP Endpoint Device Control User Guide 4.3.0

What can you do with PGP Endpoint Device Control

As previously stated, using PGP Endpoint Device Control you can boost your IT security levels by:

> Controlling and managing I/O devices through any port including USB, firewire, WiFi, Bluetooth, etc.

> Preventing data theft and data leakage

> Preventing malware introduction via removable media usage

> Auditing I/O device usage

> Blocking USB keyloggers (hardware artifacts that captures and save all keystrokes)

> Encrypting removable media

> Enabling regulatory compliance

And many other features that we will be enumerated in this introductory chapter.

With PGP Endpoint Device Control, you can add or change access rights quickly and without the need to

reboot the computer while controlling and monitoring all activities from a central location.

This solution is network friendly and uses a three-tiered architecture that minimizes policy-checking traffic.

Actual control is performed within the client computer itself and is transparent to the user. Because the

implementation of the control feature is also local, the power of PGP Endpoint Device Control extends to

employees using disconnected laptops delivering the same security regardless of their physical location.

PGP Endpoint Device Control allows you to do the following:

> Define user and group-based permissions on all or specific machines.

> Prevent unknown devices from being installed on your networks.

> Authorize particular device types within a class.

> Uniquely identify individual devices.

> Schedule I/O access for a predefined time or day of the week.

> Create a temporary device access (same day or planned for future timeframe).

> Restrict the amount of data copied to a device.

> Assign administrator’s roles.

> Create shadow files (i.e. copies of transferred data) of all data written or read, to or from external devices

or specific ports.

> Encrypt media with the powerful AES algorithm.

> Block some media (DVDs/CDs) while permitting other specific ones to be used.

> Enforce specific users and user groups to encrypt their removable devices.

You can find a full list of characteristics in the Major features section on page 15.

Benefits of using PGP Endpoint Device Control

The advantages of using PGP Endpoint Device Control include the following:

> Strict user policy enforcement: With no more data leakage, you are in control of the four w’s — who,

where, what, and when.

> Specific device permission rules: Permissions enforce a specific organization-approved model.

> Administrators’ actions logging: A complete report of what your administrators are doing.

Chapter 1: Introducing PGP Endpoint Device Control

PGP Endpoint Device Control User Guide 4.3.0 15

> Comprehensive reporting: Useful information to keep everything under the strictest control. For example

you can create a daily or weekly scheduled report of all user attempts to access an unauthorized device.

> Data scrutiny: You can optionally enable a copy (shadow) of all data written/read to/from certain devices.

> Copied data restrictions: You have the choice of establishing a daily limit on, or simply stopping, data

being written to external devices.

> Media restrictions: Define in advance which DVDs/CDs can be used in your company.

> Data encryption: Encrypt data as it is being written to a device.

Major features of PGP Endpoint

PGP Endpoint Device Control is designed for large organizations with complex needs. It offers many powerful

features such as:

Centralized device access management

PGP Endpoint Device Control's core functionality is its ability to centrally define and manage user, user

groups, computers and computer groups access to devices on the computer.

Intuitive user interface

Access to devices is controlled using a native Access Control List, arranged in the same way as navigating

through files and folders in Windows Explorer. You can apply permissions at different levels: users, user

groups, all machines, machine groups, specific machines, groups of devices, or even specific devices.

Novell support

PGP Endpoint Device Control fully supports Novell’s eDirectory/NDS structure. The Novell’s eDirectory trees

are synchronized using an external script. These objects appear on the Device Explorer structure and

permissions and rules can be assigned to them explicitly. Administrators can schedule the synchronization

script using Windows’s scheduler task manager (see PGP Endpoint Setup Guide).

Support for a wide variety of device types and buses

You can grant or deny access permissions for a wide variety of devices using USB, FireWire, ATA/IDE, SCSI,

PCMCIA (or Cardbus), Bluetooth and IrDA buses. See Device types supported on page 17 for a list of the

supported device types.

Read-only access

PGP Endpoint Device Control lets you define a particular device as read-only. You can set read-only

permissions for all file-system based devices, for example, a floppy drive, DVD/CD writer, PCMCIA hard

drive, and so on. Other device permissions you can set restrict writing, encrypting, decrypting, exporting data

to file/media and importing data.

Copy limit

You can limit the quantity of data users can write to floppy disks and removable storage devices on a daily

basis so they cannot abuse their writing permissions.

Temporary access

PGP Endpoint Device Control lets you grant users temporary access to their devices. This means that you

can switch access on without having to remember to switch it off again later. You can also use it to grant

access “in the future” for a limited period.

Scheduled device access

PGP Endpoint Device Control lets you grant or deny permissions to use a device during a specific period.

This lets you develop sophisticated security policies where certain devices can only be used from, for

example, 9 A.M. to 5 P.M., Monday to Friday.

Chapter 1: Introducing PGP Endpoint Device Control

16 PGP Endpoint Device Control User Guide 4.3.0

Context-sensitive permissions

You can apply different permissions depending on their context while others are valid regardless of the

connection status. However, you can create others that are only relevant when the machine either is or is not

connected to the network. For example, this allows you to disable the WiFi cards when laptops are connected

to the company network and enable them when the machine does not have a wired connection to the system.

File shadowing

PGP Endpoint Device Control's shadow technology enables full auditing of all data written and/or read to/from

file-system based devices such as Recordable DVD/CD, removable storage devices, floppy disks, Zip and

PCMCIA drives, as well as to serial and parallel ports (only written data). This feature is available on a per

user basis. Some of these devices only support a partial shadowing — only the file’s name and not the

complete content.

User-defined devices

PGP Endpoint Device Control gives you the ability to manage other kind of devices in addition to those

supported by default. You can add any device that is not managed by the default installation to the database

as a user-defined device and apply permissions in the usual way.

Offline updates

You can update the permissions of remote machines that cannot establish a network connection toyou’re

your corporate network. New permissions can be exported to a file that is later imported onto the client

computer.

Per-device permissions

Sometimes a device type is too general for you to control access to sensitive data effectively. Therefore, you

may want to implement greater control at a lower level — a device model or even for a specific device within

a model. For instance, rather than grant permissions to use any type of removable media, you can restrict

access to a specific device of a company-approved model.

Unique, serial identified, removable devices

Administrators can control devices by defining permissions at a class level (for example, all DVD/CD

devices), classify devices in logical entities called device groups, or include a device model. When working

with removable devices, administrators can go up to a fourth level by defining permissions for a unique, serial

identified removable device.

Per-device encryption

Restricting access for a specific device to a particular user also incorporates an encryption process to ensure

that sensitive data is not inadvertently exposed to those without authorized access.

Centralized and/or decentralized encryption

Using PGP Endpoint Device Control you, as an administrator, can not only grant user(s)/group(s) access to a

removable storage device (defined at the class, group, model, or uniquely identified device level) but can also

force users to encrypt their devices locally. This decentralized encryption schema is a work-around for those

organizations that do not want (or need) to manage device encryption centrally while ensuring that the

company’s data is not inadvertently exposed.

DVD/CD recorder shadowing

Shadowing, a copy of the file’s data, can be used in the following writable media formats: CD-R, CD-RW,

DVD-R, DVD+R, DVD-RW, DVD+RW and DVD-RAM. Shadowing means that data written/read to/from these

media is intercepted and made available to the administrators. By default, PGP Endpoint Device Control

disables writing to such media and, when writing must be enabled, you can optionally select to shadow the

data.

 DVD/CD Recorder shadowing is supported on Windows 2000 (Service Pack 4 or later) and

later only. Windows NT4 is no longer supported by PGP Endpoint Device Control.

Page is loading ...

PGP Endpoint Device Control 4.3 User guide

PGP Endpoint Device Control 4.3 User guide

PGP Endpoint Device Control 4.3 User guide

Related papers

Other documents