
Sanctuary Setup Guide V4.3


Contents

1. Decentralized encryption; File type filtering (233). Installation Checklist. Table J-3 Defining permissions, Computer Level (the rotated device-class column headers of this table did not survive extraction). Permission type / Description: Permissions (R, R/W or None); Online permissions; Offline permissions; Scheduled permissions; Temporary permissions; Copy Limit; Event notification; Decentralized encryption; File type filtering. 234 Sanctuary Application & Device Control v4.3.2 Sanctuary Setup Guide
2. Index (U-W): 79, 93; 79, 263; Upgrade 169, 170; Using the Key Pair Generator 29; V ado 25; Virtual IP 25, 42; Well-known Security Identifiers 263; Windows 2003 SP1 175; Windows Authentication 35; Windows Installer 261; Windows XP Embedded 243 (Client components 245; Installing 245; Shells 244; Thin clients 243; 243); Windows XP SP2 175; WINS 263; lui mm 264; WSUS 85, 264, 270.
Lumension Security, 15880 North Greenway-Hayden Loop, Suite 100, Scottsdale, AZ 85260. www.lumension.com, phone 480-970-1025, fax 480-970-6323. Lumension Security, Inc. 1997-2008. ALL RIGHTS RESERVED. U.S. Patent No. 6,990,660. 02 102
3. Contents (continued): 97; Using the Sanctuary Client Deployment Tool to Install the Sanctuary Client 106; Using the Command Line to Install Clients 117; Using Windows Group Policy to Install Clients 118; Querying the Client Status 124; Sanctuary Client Deployment Tool Menus 124; Packages 124; Computers Menu 126; Help 128; Context Menus 128; The Options Screen 130.
Chapter 9: Using the SXDomain Command Line Tool 133; Introduction 133; The SXDomain Parameters 133; Sca 134; Scheduling Domain Synchronizations 135.
Chapter 10: Registering your Sanctuary Product 141; Licensing 141; Obtaining a License 141; Evaluation License 141; Full License 142; License File Location 142; License File Format i
4. Index (I-M): 177; Installing a Certificate Authority 203; Mop MM 25; Novell 187, 261; 187; FAQ 190; K: Interface 188; Key 29, 30, 31, 224; Synchronization script 187; 29; NTP 261; 103; NTLM 178; Known issues 256. L: Open last log 109, 127; LICENSE 39, 130 (File format 142; Installation Transform 97). O: Organizational Unit 119; 156; Overview 1; Log insertion process 154. P: Lumension Security Package 95, 97, 99, 106, 111, 116, 122, xiv, xvi, 124, 125; Colors 106. M: Warning 106; Maximum number of nodes 25; Packages 34, 148, 175, 261; 99; Microsoft Certificate Authority 150; Packages 124; Minimum requirements 256; policies.dat 63, 101; 25; 175; MSDE
5. 15; Recovery Console 15; Safe 15; Service Packs and Hot Fixes 15; Firewalls 16; Password policies 16; Access Policy 16; Private and Public Key Generation 16.
Chapter 2: Installing the Sanctuary Database 17; Choosing a SQL Engine 17; Before you Install 18; Stage 1: Install the SQL Database Engine 19; Stage 2: To Install the Sanctuary Database 20; Database Clustering 24; What is Database Clustering 24; Terminology 25; Requirements 25; To Implement a Database Cluster 26; Items Created During the Sanctuary Database Setup 28; Chap
6. 79; Uninstalling the Sanctuary Client 79; Load Balancing Methods 81; What is Load Balancing 81; How Does Round Robin DNS Work 81; Advantages of DNS Round Robin 81; Items Created During the Sanctuary Client Setup 83.
Chapter 7: The Sanctuary Authorization Service Tool 85; What is the Sanctuary Authorization Service Tool 85; To Install the Sanctuary Authorization Service 86; Configuring WSUS 91.
Chapter 8: Unattended Client Installation 93; What is an MSI File 95; Creating a Transform File (MST) for an Existing MSI File 95; Prerequisites for Creating a Sanctuary Client Deployment Tool Package 95; To Install the Sanctuary Client Deployment Tool 96; To Install Packages 97; To Install the Sanctuary Client MST File Generation
7. Index of registry keys: 155; 165; EventLog 165; EventMessageFile 162; 165; 163, 166, 268; HardeningMode 164; HardeningStatus 164; 164; HistoryPeriodSecs 164, 165; ImportDir 164; IpaqDetectDelay 164; LastSeenComputerName 164; LastSxLogUploadTime 164; 165; Log file name 155, 164; Log to console 155, 164; Log to dbwin 155, 164; Log to 155, 164; LogMonitorDlls 155; LogMonitorPeriod 156; LogMonitorResetOptions 156; LogMonitorThreshold 156; 158; OnLineMonitorPeriod 157; OnLineStateExpiry 157; 158; Products 157; ReportGenerationTimeout 162; ReportMaxRecords 162; ReportStoragePath 163; ReportThreads 162; RpcProtectionLevel 158, 164; Secure 159, 165; Servers 164; ServersOverride 164; Sha
8. Figure 4-15: Sanctuary Application Server installation - Valid certificate, new clients (39).
Dialog text (Sanctuary Application Server - Wise Solutions Wizard, Server communication protocol): "Setup could not find a valid certificate to be used for encrypted communications. Certificate was not acquired. If you continue, encryption will be disabled but integrity of system policy will be ensured. To retry certificate setup, select the Back button."
Figure 4-16: Sanctuary Application Server installation - Could not retrieve or generate a valid certificate.
Installing the Sanctuary Application Server
Dialog text (Server communication protocol): "Please specify port(s) for communication. Encrypted Communication Port: 65229. Non-Encrypted Communication Port: 65129." < Back / Next > / Cancel.
Figure 4-17: Sanctuary Application Server installation - Communication port configuration.
Note: You should only configure the Communication Port fields when the proposed ones are used by another software application or blocked for security reasons.
Note: The parameters selected in the previous dialogs should also be used if you are installing more than one Sanctuary Application Server. See "Using TLS for the Inter-Sanctuary Application Server Communication" on page 10 for more information.
Note: For a detailed manual tun
9. Table J-3 Defining permissions, Device Group level (the rotated device-class column headers did not survive extraction). Permission type / Description: Permissions (R, R/W or None); Online permissions; Offline permissions; Scheduled permissions; Temporary permissions; Copy Limit; Event notification; Decentralized encryption; File type filtering.
Table J-3 Defining permissions, Device Level. Device classes: Serial ports; DVD/CD drives; Floppy disk drives; Imaging devices; LPT/Parallel ports; Modems; Secondary network access devices; Palm handheld devices; Printers; USB; PS/2 Ports; Removable storage devices; RIM BlackBerry handhelds; Smart Card readers; Tape drives; Wireless NICs (network interface controllers); Windows CE handheld devices; User-defined devices. Permission types: Permissions (R, R/W or None); Online permissions; Offline permissions; Scheduled permissions; Temporary permissions; Shadow; Copy Limit; Event notification
10. Note: Only User, Group, OU and Organization objects are synchronized. If ZENworks is installed, Workstation objects are also synchronized.
Using the Synchronization Script for Novell - Script Examples
In this section we give some typical usage examples. Remember that you can always run the script through the Windows Task Scheduler.
1. cscript.exe NDSSync.vbs "Novell server tree"
In this example we are trying to synchronize objects from the Novell tree called "Novell server tree" and place them on the local database (SQL server). You will need to run it directly from the SQL server machine, so you need Novell's client, the synchronization script (NDAP) and the database on the same physical machine. You can find these components on Novell's Web site or on your Sanctuary CD.
2. In the next example the script is not run locally from the SQL server machine. Besides the Novell server, you need to specify the location of the database server:
cscript.exe NDSSync.vbs "Novell Server tree" "DB server"
3. The next example explicitly sets the user and password used to access the table in the database, since they are not the same as the logged-on user who runs the script:
cscript.exe NDSSync.vbs "Novell Server tree" "DB server" "Authorized user" "User's Password"
4. If you want to save the results in a log file, you can use redirection characters:
cscript.exe NDSSync.vbs "Novell Server tree" > log.txt
Note: Remember that you require Novel
11. Dialog text (Sanctuary Application Server - Wise Solutions Wizard, Server communication protocol): "Setup could not find a valid certificate which can be used for encrypted communications. Setup did not find a valid certificate. Would you like to acquire a certificate to enable encrypted communications?" Options: No, continue without encryption but ensure integrity of system; Yes, automatically request a certificate; Yes, manually generate a certificate. < Back / Next > / Cancel.
Figure 4-13: Sanctuary Application Server installation - No certificate.
Dialog text (Server communication protocol): "Setup found a valid certificate which can be used for encrypted communications. Do you want to implement encrypted communications between the client and the server?" Options: No, but ensure integrity of system policy; Yes, but allow unencrypted communications as well. < Back / Next > / Cancel.
Figure 4-14: Sanctuary Application Server installation - Valid certificate, old clients.
Dialog text (Server communication protocol): "Setup generated a valid certificate to be used for encrypted communications. A certificate was successfully acquired. Encrypted communications will be enabled. Require encrypted communications? Yes / No."
12. Figure 8-27: Using the Group Policy Management Console to install Sanctuary Client (screenshot residue: Client deployment 2K3EENTFSP1; deployment state Assigned; source Client\SanctuaryClient.msi under Computer Configuration > Software Settings > Software installation; Windows Settings; Administrative Templates; User Configuration; 4 Group Policy object(s)).
Note: As with all major changes to Group Policy, it is recommended that any new Policy or changes to existing ones are tested on a development Organizational Unit first, before implementing in a production environment.
Note: You should define the group policy package with the "Run logon script synchronously" option activated. This will force a reboot. Beware that the client installation requires an extra reboot.
1. Create a Deployment package.
Unattended Client Installation
2. Copy the whole Deployment package folder to a local directory on the server (referred to as Deploy) from which the client is to be deployed. This directory should normally contain at least one file with the .msi extension, one file with the .mst extension, one .sx public key file, one or several files with a .cab extension and some other files.
3. Select the Programs > Administrative Tools menu to display the Active Directory Users and Computers dialog.
4. Active D
13. Identifying Information: Enter information to identify this CA. Common name for this CA: tadca. Distinguished name suffix: DC=lu,DC=Secure. Preview of distinguished name: CN=tadca,DC=lu,DC=Secure. Validity period: 5 Years. Expiration date: 5/10/2011 1:50 PM.
Figure H-4: The Windows components wizard, 2nd page.
Installing a Certificate Authority for Encryption and TLS Communication
8. Choose an appropriate location for the Certificate Database Settings and click Next.
Windows Components Wizard - Certificate Database Settings: "Enter locations for the certificate database, database log and configuration information." Certificate database; Certificate database log: C:\WINDOWS\system32\CertLog; Store configuration information in a shared folder; Shared folder (Browse); Preserve existing certificate database.
Figure H-5: The Windows components wizard, 3rd page.
Windows proceeds with the certificate services installation.
Windows Components Wizard - Configuring Components: "Setup is making the configuration changes you requested. Please wait while Setup configures the components. This may take several minutes depending on the components selected." Status: Copying files.
Figure H-6: The Windows compon
14. Purge Online Table; Offline Update; Offline Update Reports. Legend: v = Supported, X = Not Supported, N/A = Not Applicable.
Table L-1: Functionalities supported by Sanctuary Client on Windows XP Embedded (columns: Functionality; Windows XP SP3; Windows XP Embedded; the per-row support marks did not survive extraction). View reports. Sanctuary Device Control: Default Options (Device Control Status Window; Shadow Files Upload Delay or Time; Shadow Directory; Sanctuary Application Server Address; Encrypted Media Key Export; Encrypted Media Export Password; Certification generation; Centralized Device Control Logging; Suppress recurring log events); Device Explorer (Default Settings; Manage Devices; Assigning Permissions; Assigning Schedule Permissions; Assigning Temporary Permissions; Assigning Online and Offline Permissions; Shadow Copy Limit; Computer Group; File Filtering); Media Authorizer (Media Authorizer); Shadow Files Explorer (View Shadowed Files). Legend: v = Supported, X = Not Supported, N/A = Not Applicable.
Installing Sanctuary in Windows XP Embedded. Table L-1 (continued): Encrypted communications (TLS protocol): Sanctuary Client - Sanctuary Application Server (SXS) and intra-SXS (SXS enc
15. The Sanctuary Application Server (SXS) has to be up and running when your client boots, so that it can retrieve the initial permissions. You will also need to start the client machine with the Enhanced Write Filter (EWF) disabled, so that the default permissions are kept. You can enable EWF once the client machine has started.
Glossary
ACE (Access Control Entries): An entry in the Access Control List (ACL) that contains a set of access rights and a security identifier (SID) identifying a trustee.
ACL (Access Control List): A list of security protections that apply to an object (file, process, event, or anything else having a security descriptor).
ADC (Advanced Data Connector): See RDC.
ADSI: Acronym for Active Directory Service Interface. Previously known as OLE Directory Services. ADSI makes it easy to create directory management applications using high-level tools such as Java or C/C++, without having to worry about the underlying differences between the dissimilar namespaces.
AES (Advanced Encryption Standard): A symmetric-key encryption technique that is replacing the commonly used DES standard. It is the result of a worldwide call for submissions of encryption algorithms issued by NIST in 1997 and completed in 2000.
CAB: File extension for cabinet files, which are mul
16. Figure 4-12: Sanctuary Application Server installation - Protocol selection flowchart (text recovered from the flowchart): New installation: does a computer certificate exist? Choose among generating a certificate (Manual certificate generation, or Automatic certificate generation, in which Setup attempts to request a certificate from the CA) and selecting whether all client - Application Server (SXS) and intra-SXS communications will be encrypted or not; integrity is still assured by signing messages; optionally, depending on the client driver installation parameters (Encrypted is not available if you choose an older client version). Failure: Setup could not acquire the certificate. You can continue with the installation, but encryption will be disabled; nevertheless, integrity is assured by signing messages with a private key. Manual certificate: you now select a valid existing certificate from the store or a file to continue the installation. A certificate was successfully selected or acquired: encrypted communications will be enabled. Configure ports for Encrypted Communication and Non-Encrypted Communication depending on the previous choices. Continue setup.
Installing the Sanctuary Application Server
The following screens may appear, depending on the options selected, as stated in the flowchart depicted in Figure 4-12.
17. All communication between servers is encrypted when using TLS communication. Domain Controller & Certificate Authority. Figure 1-5: Sanctuary Application Server - Using the TLS protocol for intra-Sanctuary Application Server communication.
Sanctuary Application Server machines may have multiple DNS names and multiple certificates. The certificate selected by Sanctuary Application Server must match the DNS name used by the Sanctuary Client and other Sanctuary Application Servers when they communicate over secure TLS.
Installing Sanctuary's Components
ports. These values can be manually overridden by modifying a registry key; see "Chapter B: Sanctuary Application Server registry keys - Security registry keys" on page 157 for more information. The value in ServerName can be used to specify a fully qualified DNS name that Sanctuary Application Servers register in the servers table and communicate to clients in callbacks. The value ServerCertSerial is used to specify the serial number of the certificate that Sanctuary Application Server should use for TLS communication. The format of this value is exactly the same as the one that Sanctuary Application Server displays when a certificate is loaded, for example 3738DCAE0003000001C0. The MMC Certificates snap-in uses almost the same format, except that it has blanks after every two digits. These blanks must NOT be specified for the Sanctuary Application Server value. Se
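The two checks a practitioner wants before touching ServerCertSerial are that a certificate whose subject matches the server's DNS name actually exists in the machine store, and that the serial is written without the blanks the MMC snap-in inserts. The following PowerShell is an added example, not code from the Sanctuary guide or from Lumension: it lists candidate certificates in the LocalMachine\My store (the store location, the $Fqdn parameter and the private-key/expiry filters are this example's assumptions) and prints the serial in the blank-free form the text describes.

```powershell
# Added example (not from the Sanctuary guide). Lists machine certificates whose
# subject CN matches the FQDN that clients and peer SXS servers use for TLS, and
# emits the serial number in the blank-free form the guide says ServerCertSerial
# expects. Store path, $Fqdn default and the filters are assumptions of this example.
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$store = Get-ChildItem -Path Cert:\LocalMachine\My

# Keep only certificates that can actually serve TLS for this name: matching CN,
# private key present, not yet expired.
$candidates = $store | Where-Object {
    $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date)
}

if (-not $candidates) {
    Write-Warning "No unexpired certificate with a private key has CN=$Fqdn; SXS setup would fall back to signed-only (unencrypted) traffic."
    return
}

foreach ($cert in $candidates) {
    # X509Certificate2.SerialNumber is already upper-case hex with no separators.
    # The -replace is a guard for serials pasted from the MMC snap-in, which shows
    # a blank after every two digits that must not reach the registry value.
    $serial = ($cert.SerialNumber -replace '\s', '').ToUpper()
    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        ServerCertSerial = $serial
    }
}
```

Run it on the Sanctuary Application Server with the FQDN that appears in ServerName (for example `.\Find-SxsCert.ps1 -Fqdn secsrv.secure.com`, a hypothetical script name). If more than one row comes back, the server has multiple certificates for that name, which is exactly the situation in which the guide says ServerCertSerial must pin the one to use.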
18. Figure H-1: Verifying the DNS zone (screenshot residue: DNS > SECSRV > Forward Lookup Zones > _msdcs.lu.Lumension > dc > _tcp, 2 record(s): Service Location (SRV) [0][100][88] secsrv.lu...; Service Location (SRV) [0][100][389] secsrv.lu...; sites; domains; lu.Lumension; Reverse Lookup Zones).
Please refer to Microsoft's Web site to get more information about how to check the configuration of your DNS servers.
Installing the Certificate Services
If there are no certificate services installed on your network, you should follow this step-by-step procedure for the installation of the Microsoft Certificate Services:
1. Log on to one of the Active Directory Domain Controllers as a domain administrator.
2. Go to the Start > Settings > Control Panel menu.
3. Click on the ADD OR REMOVE PROGRAMS icon.
4. Select ADD/REMOVE WINDOWS COMPONENTS, located on the left part of the screen.
5. Select the Certificate Services entry in the list of components and click Next.
(Screenshot residue: Add or Remove Programs - Add a program from CD-ROM or floppy disk; Windows Components Wizard - Windows Components: "You can add or remove componen
19. In the Connect dialog of the Sanctuary Management Console, specify the fixed port to use to communicate with the server, such as secsrv.secure.com:1234.
Connecting Using the Endpoint Mapper
If you do not want to specify the fixed port in the Connect dialog of the Sanctuary Management Console, it is possible to instruct the Console to retrieve the port in use directly from the Endpoint Mapper on the Sanctuary Application Server.
In Windows XP, 2003 or Vista, by default, the RPC Endpoint Mapper interface (port 135) is not accessible anonymously. This is a significant security improvement, but it changes the task of resolving an endpoint. Currently, an RPC client that attempts to make a call using a dynamic endpoint first queries the RPC Endpoint Mapper on the server to determine to which endpoint it should connect. This query is performed anonymously, even if the RPC client call is itself done using RPC security. Anonymous calls to the RPC Endpoint Mapper interface fail by default on Windows XP, Windows 2003 or Windows Vista because of the default value of the RestrictRemoteClients key. This makes it necessary to modify the RPC client runtime to perform an authenticated query to the Endpoint Mapper. If the EnableAuthEpResolution key is set on the client, the RPC client runtime uses NTLM to authenticate to the Endpoint Mapper.
Installing Sanctuary Components on Windows XP/2003/Vista
Setting the EnableAuthEpResol
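Before changing anything on a Console machine it helps to see what the RPC client runtime is currently configured to do. The PowerShell below is an added example, not code from the Sanctuary guide: it reads the two policy values the passage names and reports whether an authenticated Endpoint Mapper query is enabled, so the administrator can decide between setting EnableAuthEpResolution and using the fixed port in the Connect dialog. The registry path is the standard Windows RPC policy location and the level names are those of the corresponding Group Policy setting; neither is taken from this page.

```powershell
# Added example (not from the Sanctuary guide). Reports the RPC client policy that
# decides whether a Console can resolve a dynamic SXS endpoint through port 135.
# Assumption of this example: the values live under the Windows RPC policy key
# shown below (the standard location), and an absent value means the OS default.
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

function Get-RpcPolicyValue {
    param([string]$Name)
    if (-not (Test-Path $RpcPolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $RpcPolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: OS default applies
    return [int]$item.$Name
}

function Test-RpcEpmClientAuth {
    $restrict = Get-RpcPolicyValue -Name 'RestrictRemoteClients'
    $authEp   = Get-RpcPolicyValue -Name 'EnableAuthEpResolution'

    # Level names as shown by the "Restrictions for Unauthenticated RPC clients" policy.
    $restrictText = switch ($restrict) {
        0       { 'None (anonymous RPC calls accepted)' }
        1       { 'Authenticated' }
        2       { 'Authenticated without exceptions' }
        default { 'not set (OS default; authenticated on XP SP2, 2003 SP1 and Vista)' }
    }

    $authEnabled = ($authEp -eq 1)
    $advice = if ($authEnabled) {
        'RPC client runtime will authenticate (NTLM) to the Endpoint Mapper; the Console can resolve the SXS port dynamically.'
    } else {
        'Anonymous Endpoint Mapper queries fail against a default XP/2003/Vista server: either enable EnableAuthEpResolution on this machine or enter a fixed port in the Connect dialog.'
    }

    [pscustomobject]@{
        RestrictRemoteClients  = $restrictText
        EnableAuthEpResolution = if ($authEnabled) { 'enabled' } else { 'not enabled' }
        Recommendation         = $advice
    }
}

Test-RpcEpmClientAuth
```

The function only reads; it deliberately does not write the value, because on a domain-joined machine the setting is normally delivered by Group Policy ("Enable RPC Endpoint Mapper Client Authentication") and a local edit would be overwritten at the next refresh.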
20. Security Identifier: This is a unique alphanumeric character string. It identifies each operating system and user in a network.
SMC: See Sanctuary Management Console.
SQL Server: The industry-standard database server supported by Sanctuary. Either MSSQL 2000 SP4, MSSQL 2005 SP2 or SQL Server 2005 Express Edition SP2 can be used with Sanctuary.
SK: The Sanctuary Kernel Driver, the client component that runs as a kernel driver.
SUS: Software Update Services is a tool provided by Microsoft to assist Windows administrators with the distribution of security fixes and critical update releases.
SXS: See Sanctuary Application Server.
TCP/IP (Transmission Control Protocol/Internet Protocol): The protocol used by the client computers to communicate with the Sanctuary Application Server.
TLS (Transport Layer Security): The protocol, based on SSL (Secure Socket Layers), that addresses security issues related to message interception during communication between hosts.
UAC (User Account Control): A new security component used in Windows Vista that enables users to perform common tasks as non-administrators (called standard users) and as administrators without having to switch users, log off, or use the Run As command.
UNC (Universal/Uniform Naming Convention): A path convention that uses a \\server\volume\directory\file convention instead of arbitrary mapped
21. Using Novell Shares for your DataFileDirectory
The information in this appendix is relevant to all Sanctuary products. If you are using Sanctuary Application Control Server Edition, be aware that this client cannot be installed on Windows XP, Windows 2000 Pro or Windows Vista; you will be limited to an installation on Windows Server 2003.
DataFileDirectory Access to a Novell Share
When installing the Sanctuary Application Server, the setup asks for a data file directory where all log files are stored. All servers can optionally write to the same shared directory, or you can opt for having different ones for each server (see Figure 1-1 on page 2). It is possible to define such a directory on a Novell server in the same way as it is done for a Windows server. To do this, the Sanctuary Application Servers must meet two conditions:
- They must have create, read, write and erase access on the Novell share.
- They should have transparent authentication access to the Novell server.
In this appendix we explain how to create this shared directory for transparent use in a Novell environment.
Transparent Sanctuary Application Server authentication for Novell eDirectory
Due to the interaction between Novell eDirectory and Microsoft Windows (an Active Directory or domain environment is not required in this case), it is possible to have a transparent aut
22. Figure 6-10: Sanctuary Client - Test failed.
11. Choose the target directory for the installation and click on NEXT to continue.
Dialog text (Sanctuary Client - Wise Solutions Wizard, Destination Folder): "Click Next to install to this folder, or click Change to install to a different folder. Install Sanctuary Client to: C:\Program Files\Sanctuary."
Figure 6-11: Sanctuary Client - Change the target directory.
Installing the Sanctuary Client on Your Endpoint Computers
12. Choose how the uninstall process is controlled. You can select the first option so that the program is not listed in the Windows Add/Remove Programs dialog, or select the second one to show the program in the list but not provide a REMOVE button.
Dialog text (Sanctuary Client - Wise Solutions Wizard, Add or Remove Programs list): "Configure if and how the product will be displayed in the Add or Remove Programs list. By default, the product will be listed with a Remove button. Select the 'Don't display this product' option if you don't want the product to be listed; select the 'Don't display a Remove button for this product' option if you want to suppress the Remove button only." Options: Don't display this product; Don't display a Remove button for this product.
Figure 6-12: Sanctuary Client - How the program will appear in the Windows Add/Remove Programs dialog.
23. Unattended Client Installation
During deployment, the dialog displays the status for each computer. The progress of the deployment is shown on the status bar, and the color of the progress bar indicates different conditions of the task, as explained in the following table.
Table 8-1: Task progress color code (the color column did not survive extraction; the text below identifies turquoise as the completed state)
- Task completed successfully
- Task in progress with no warning
- Task in progress or completed with warnings
- Task in progress or stopped with an error
The status column gives you information about the deployment progress for every machine. It reports the error or the warning message when the deployment did not succeed. If the error message reported does not allow you to find the cause of the problem (unknown error, hexadecimal error code, often 0x00000643), highlight the computer in the list and select Open Last Log from the Computers menu or from the context menu. The MSI verbose setup log file displayed should contain information about why the setup was aborted and rolled back. You can contact Lumension's Technical Support Department for further help in analyzing the log file.
The dialog also displays a progress bar for the package being deployed. This progress bar has a mix of green, turquoise, yellow and red, indicating the clients at the various stages of deployment. The progress bar color changes to turquoise when all tasks are completed successfully. The dialog eventually has all progress bars fil
24. - Verifies the signature and integrity of the message for the packages that have been accepted.
When a client receives a valid Sanctuary Application Server command, it begins sending back the requested data through a TLS connection, if configured. This data can comprise:
- Scan results
- Log files
- Shadow files
- Permission updates
- Ping information
Figure 1-3: Sanctuary Client - Using the TLS protocol for client - Sanctuary Application Server communication (text recovered from the diagram): The public key resides on the client computer and is used to verify the signed communication. The private and public key reside on the server(s). All communication between the server(s) and the client is always signed and encrypted. Ports: 65129 (TCP/IP), 65229 (TLS channel), 33115. All communication between client and server is encrypted when using TLS communication. If the SXS server initiates the communication, it uses port 33115 and expects the client to respond using the same port. If the client initiates the communication, it uses port 65129, or 65229 if TLS is used. Domain Controller & Certificate Authority.
Installing Sanctuary's Components
If the program does not auto-generate the required certificate by attempting to obtain it fro
25. Index (S-U): 262; Scheduling domain Synchronizations 135; Select computers 111, 114; Serverless mode 101; 262; Standard File Definitions 262, 269; SHA 261; 259, 262; SK 263; 264; 262; SQL Server 17, 18, 34, 154, 261, 263; Support: contacting Lumension Support xvi; Supported functionalities 248; SUS 85, 263; SX 20, 133; SXS 262, 263; Synchronize Domain Members 156; System 61; System Shutdown dialog 117; System Requirements 147, 153, 167, 175, 181, 187, 195, 203, 215, 221, 243. T: 175; 34, 263; 175; Terminal Services 151; 151, 9, 33, 133, 141; The RunAs command limitation 152; Tickets 80, 242; 6, 10, 252, 263; Transform files 95; Transport Layer Security 263; Troubleshooting 147. U: UAC 64, 263
26. Index (A-C): Administration tools 1; ADO 175; ADSI 259; Advanced Encryption Standard 259; AES 259; Anonymous 176; Architecture 1, 85; Automatic Load Balancing 102. B: Basic Security Rules 13 (Access policy 15, 16; Administrative rights 14; BIOS password 14; Boot 13; Firewalls 16; Hot fixes 15; NTFS partition 15; Password policies 16; Power 15; Private and public key generation 16; Recovery console 15; Safe 15; Seal, chassis intrusion protection 14, 265; Service 15). C: CA 259; 259; CD/DVD 13; Certificate authority 259; Certificate revocation list 259; Certificate 259; Certificates 7, 210, 211, 212, 213, 214 (Installing 204; Requirements 203; Services 204; Verifying 210, 214); Checklist, see installation ch
27. For example, files containing scans or shadow data. You can define several data file directories (DFD) spread over your network if needed. Each server can use its own. This improves performance in multi-server installations, as the directory can be in a location that is physically closer or reachable through a high-speed network connection. It also helps spread disk load. If you plan to share this directory with more than one Sanctuary Application Server, then you must use a network share (e.g. \\myserver\datafiledirectory), as all servers use this same location. Store data files in: C:\DataFileDirectory (Change). < Back / Next > / Cancel.
Figure 4-8: Sanctuary Application Server installation - Data file directory.
spread over your network, to be used by the Sanctuary Application Server(s). Each server can use its own. This improves performance in multi-server installations, as each server can be configured to store its data files in a location that is physically closer or reachable through a high-speed network connection. It also helps spread disk load, as each defined directory only contains part of the files. Note that it is still possible for more than one server to use the same DFD. All servers can still access all data files; it does not matter if one or multiple directories are used. When a server does not find a file in i
28. Installing the Sanctuary Client on Your Endpoint Computers using Sanctuary Device Control. Install Microsoft Enterprise Certificate Authority, optionally on a Domain Controller. See the Sanctuary Device Control User Guide and Microsoft's Web site.
Are you using TLS for your clients or intra-Sanctuary Application Server communications? Install Microsoft Enterprise Certificate Authority on a Domain Controller. See the Sanctuary Device Control User Guide and Microsoft's Web site.
Install a single client machine for testing purposes. Better to do this on a test machine that you can fully control. See the Sanctuary Quick Setup Guide.
Installation Checklist
Table J-2: Installation checklist (columns: Description; Done; Resolved; Comments; Reference)
Test your installation: Test device/application denial when accessing a device (e.g. CD drive). Define simple permissions for a device/application (e.g. CD drive or Calculator). Re-test for the permission defined in the previous step. Check different permissions and options to understand how the program works. Reference: Consult the Sanctuary Quick Setup Guide.
Deploy clients: Create MSI installation packages using the public key generated in step 7. Reference: To Install Packages on page 97.
Do you already have permission definitions from a subsidiary pre
29. Network Connections from the Start menu. 5. Delete the value referencing sxd-vdd.dll in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. 6. Remove the rtnotify entry from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (note the path, to add it back when deploying the Ghost image). 7. Reboot the computer. The driver is installed but does not run. 8. Proceed to create the Ghost image from this standard computer. When deploying the Ghost image: 1. Change the SID (which uniquely identifies the computer) and the name of the computer. This can be done using Ghostwalker or the freeware SIDchanger tool available from the Sysinternals website (http://technet.microsoft.com/en-us/sysinternals/default.aspx). 2. Change the starting mode of each driver back to its original state. To do this, use Regedit to modify the following values found in HKLM\System\CurrentControlSet\Services: scomc\Start (REG_DWORD) = 2; sk\Start (REG_DWORD) = 0; sk-ndis\Start (REG_DWORD) = 3. 3. Add to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers the following value: %SYSTEMROOT%\System32\sxd-vdd.dll. 4. Add back the rtnotify entry to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. 5. Reboot
30. To generate the final certificate signed by a certificate located in your store, use the Generate certificate signed by certificate located in store button. If no appropriate certificate is present in your store, you can first import an appropriate certificate into your store using the Import into store button, and then generate the final certificate using the Generate certificate signed by certificate located in store button. To generate the final certificate signed by a certificate located in a file, use the Generate certificate signed with certificate located in file button. [Setup dialog buttons: Generate certificate signed by certificate located in store; Import into store; Generate certificate signed by certificate located in file; Certificate parameters.] Figure 4.18: Sanctuary Application Server installation, server authentication certificate location. Setup is now ready to install the Sanctuary Application Server component. [Wizard page: Ready to Install the Program. The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.] Figure 4.19: Sanctuary Application Server installa
31. [Figure residue: screenshot of the Windows XP Embedded component designer listing system components (Motherboard resources, Netlogon, NT Loader, NTFS Format, PCI bus, Plug and Play Software Device Enumerator, etc.) alongside the Sanctuary Client component settings: up to three Sanctuary Application Server name or IP address fields (ServerNameOrIPAddress, Port 65129); an Encrypted Communication option to select whether your Sanctuary Application Server uses an encrypted protocol for communication with the Sanctuary Client; a note that the public key will not be copied automatically and will have to be placed manually on the target image; and an option for the authentication certificate to be automatically retrieved from a Certificate Authority.]
32. ...or modify the Manage Sanctuary Settings control rights in the Active Directory. It allows Active Directory administrators to delegate Sanctuary management for computers, users, groups and organizational units without entrusting them with any other tasks (which is required by default). This script may also be used to show the other control rights defined in the Active Directory forest. You can find Ctrlacx.vbs in the installation folder, usually under the SCRIPTS directory. You can also locate it on your installation CD. When Ctrlacx.vbs runs, it creates a special entry in the permissions list of the organizational unit, called Manage Sanctuary Settings. This entry only affects Sanctuary Device Control software administrator users and the devices they control. If you assign this setting to a specific user who is also a Sanctuary Administrator (as defined on the User Access Manager dialog of the console), he would only be able to manage the designated users, groups and computers for which he has rights directly from the Sanctuary Management Console. You must synchronize with the domain after running Ctrlacx.vbs before these rights are activated. To do this, use the Synchronize Domain Members item of the Tools menu or from the Control Panel. Note: This tool does not modify the Active Directory Schema. Only those users assigned as Enterprise Administrators are allowed to create, set or view. Note: You can only use this tool to create authorizations
33. 14. Click on Open. 15. Click on OK. A new computer-based policy that installs the Sanctuary Client with the configuration settings chosen as described above is applied to all computers at boot-up time, prior to client logon. A reboot is required after installation before the software becomes fully effective. Querying the Client Status. Once you have installed the Sanctuary Client on some client computers, it is necessary to keep track of where and which packages are installed. [Figure 8.33: Manage/deploy, Query. The Sanctuary Client Deployment window (menus Packages, Computers, Help) lists Packages (Name, Key, Progress, Product, Version) and Computers (Name, Domain/Workgroup, Progress, Status; e.g. LUMENSION1, Lumension, Windows XP Service Pack 2, Hardening active; LUMENSION2, Lumension), with buttons New Package, Add Computer, Install, Uninstall.] When you click on the QUERY button, the Sanctuary Client Deployment Tool reports which version of the MSI package is installed on each computer selected in the list. It also checks whether all clients are still in place and running, and reports the client operating system and version, whether it is using the TLS protocol or not, client hardening status, etc. Note: This allows you to detect, for instance, whether or not a user has the client installed on their machine but has di
34. ...2048. Validity (months): 12. Signature: SHA1 (160 bits), OID 1.3.14.3.2.26. Figure 6.5: Sanctuary Client Certificate's parameters. If you select Import into store, the Windows Certification Wizard opens to allow you to retrieve the computer certificate. All other options require a valid certificate to exist in a store (a special location where the Certificate Authority saves valid certificates) or directly in a file that is imported into the local certificate store. An administrator can generate a valid one using the MMC console (Start > Run > mmc.exe). [Select Certificate dialog: Select the certificate you want to use to sign the prototype certificate. Columns: Issued to, Issued by, Intended purposes, Friendly name, Expiration, Location.] Figure 6.6: Sanctuary Client Certificate's parameters. 7. Enter the Server name of at least one Sanctuary Application Server on your network. You can enter up to three server names during the setup, and more afterwards in the client registry (see Appendix B, Registry Keys, on page 153 for details). The dialog accepts fully qualified domain names (FQDNs) or IP addresses. If you are using the TLS protocol, you MUST specify fully qualified DNS
35. ...79 for more details. You can push these modifications to all clients using Group Policies with ADM templates. Note: The client setup package is available for 32-bit and 64-bit operating systems. If you create an installation package that includes the 32-bit client and try to install it on a machine with a 64-bit OS, the installation will fail and roll back. The same is true the other way around. If you are working in a mixed environment containing both 32-bit and 64-bit machines, you should create two distinct installation packages, one for each type of OS. Even though you can use other deployment packages to install the Sanctuary Client, our specialized silent (unattended) installation deployment tool offers you the advantage of doing, among other things: port unblocking; policy import; standalone client installation and licensing; import of client communication layer parameters; installation of the generated public key; removal of obsolete data files; client hardening detection and, if required, deactivation; registration of the client communication layer's Windows Management Instrumentation (WMI) interface; installation of WMI redistributable components. The installation process is carried out in five stages: 1. The original client setup MSI file is used as the base for a client deployment. This file is copied to whatever directory you choose when you first start the Sanctuary Client Deployment Tool. After dec
36. [Figure 8.37: Sanctuary Client Deployment Tool menus, log example. An MSI installer log excerpt showing entries such as Resetting cached policy, Machine policy value, RunEngine, Grabbed execution mutex, Cloaking enabled, Incrementing counter, End dialog not enabled, original package, APPCOMPAT: MSCOREE not loaded.] Help Menu. The Help menu has the following items: Help: displays the online help. About Deploy: displays a dialog giving copyright and version information about the Sanctuary Client Deployment Tool. Context Menus. You have two context menus, displayed depending on which panel you right-click. In the Packages panel the available options are those of the Packages menu. In the Computers panel the available options are those found in the Computers menu. Figure 8.38: Package panel context menu (New, Delete, Rename, Import public key, Set License, Set Policies, Install, Uninstall, Opti
37. Table J.3: Defining permissions. Columns: Permission type; Description; Computer/Group level; Permissions (R, R/W or None). Rows, device classes: Biometric devices; Serial ports; DVD/CD drives; Floppy disk drives; Imaging devices; LPT/Parallel ports; Modems; Secondary network access devices; Palm handheld devices; Printers; USB/PS/2 ports; Removable storage devices; RIM BlackBerry handhelds; Smart Card readers; Tape drives; Wireless NICs (network interface controllers); Windows CE handheld devices; User-defined devices. Rows, permission options: Online permissions; Offline permissions; Scheduled permissions; Temporary permissions; Shadow; Copy Limit; Event notification; Decentralized encryption; File type filtering. (The table continues on the following page with the same column headers.)
38. ...IP addresses, such as 10.0.0.1; subnet descriptions, such as 10.2.3.0/24; the string localsubnet. [Group Policy setting dialog: Supported on at least Microsoft Windows XP Professional with SP2.] Figure E.4: Open firewall ports, enable the required ports. 6. Choose Enabled and then enter Localsubnet in the Allow unsolicited incoming messages from field. 7. To save these settings, click on APPLY and then on OK. Enabling File and Printer Sharing access opens TCP ports 139 and 445 and UDP ports 137 and 138, making them available to other machines on the same local IP subnet. These machines appear completely blocked to systems outside of the local subnet. To Improve Security: To further enhance security, you can replace localsubnet in step 6 of the preceding procedure with the specific IP address or addresses (comma separated) of the computers allowed to deploy the client. Using the Synchronization Script for Novell. The information in this appendix is relevant to all Sanctuary products. When using Sanctuary Application Control Server Edition, be aware that the client cannot be installed on Windows XP, Windows 2000 Pro or Windows Vista computers; you will be limited to an installation on Windows Server 2003. Introduction. Novell has always been an active part of the network community. Its roots go back to
39. SQL Server. DbLossLatency: The graceful DB loss period, in seconds, during which the server accepts client and console connections after DB loss has been detected (3600 is one hour). DbPingPeriod: The periodicity, in seconds, of DB pinging when the server has stopped accepting client and console connections (60 is one minute). Log Insertion Process Registry Keys. The following table shows all registry keys that can be modified to fine-tune the endpoint data reception facility that controls logs and shadow files received from the Sanctuary Client. The endpoint data reception facility places all incoming data in a staging queue, from which endpoint data batches are generated and dispatched in a regular fashion without stressing the database. Advanced configuration parameters are available to fine-tune batching and dispatching of endpoint data; statistical information is available in the Windows Application Event Log to help examine and fine-tune the configuration. Table B.2: Sanctuary Application Server registry keys, log insertion process (columns: Key, Description, Default). edrBatMaxDuration: Maximum batching time per batch, in seconds. If a batch has not reached the minimum number of entries but has exceeded this duration being batched, it will be put into the queue. edrBatMinEntries: Minimum entries per batch. A batch will be put into the queue as soon as it has at least this number of entries or it has been being batched longer than the max batch d
40. Sanctuary Device Control 168; Sanctuary Server Edition 169; Upgrading Server-side Components 169; Upgrading from a Previous Sanctuary Application Server Version 170; Upgrading Guidelines 173; Appendix D: Installing Sanctuary Components on Windows XP/2003/Vista 175; Connection Between Sanctuary Application Server and the Sanctuary Database 175; Connection Between the Sanctuary Management Console and the Sanctuary Application Server 176; Stage 1: Configuring a Fixed Port on the Server 176; Stage 2: Opening the Port on the Server Firewall 177; Connecting to the Server Using the Fixed Port 177; Connecting Using the Endpoint Mapper 177; Summary 179; Connection between the Sanctuary Client and the Sanctuary Application Server 179; Configuring the Firewall 179; Appendix E: Opening Firewall Ports for Client Deployment 181; To Manually Open the Ports on a Computer-by-Computer Basis 181; To Open the Ports on a Computer-by-Computer Basis with a .bat File 182; To Open the Firewall Ports via an Active Directory Group Po
41. Server IP or name. The two grayed-out options are only valid if you are installing older versions of our client: Do not validate name or IP before installing: used to give a server address or name that is not currently available but will be accessible afterwards. Enable wireless LAN protection: an option available in older clients (v2.8 and before) that has now been superseded by permission rules. On the other hand, the Specify the policy import timeout (in minutes) option is only available for client version 3.2 or later (value between 20 and 100 minutes). Warning: Although the Client Deployment Tool supports installing an older version of our client on Windows NT4, the tool itself does not work with this operating system. 8. Click on Import public key. 9. Select the sx-public.key file located in the %SYSTEMROOT%\SXSData folder of the Sanctuary Application Server machine. Warning: If you do not find a sx-public.key file in the %SYSTEMROOT%\SYSTEM32 or the %SYSTEMROOT%\SXSData (recommended location) folders of the Sanctuary Application Server, this means that your installation currently uses the default keys. You should not deploy clients in a production environment without having generated your own set of keys. See Chapter 3, Using the Key Pair Generator, on page 29 for more details. Bear in mind, if you are using Sanctuary Device Control, that r
42. [Scheduled Task Wizard: Enter the name and password of a user. The task will run as if it were started by that user. Enter the user name: LU\administrator. Enter the password; confirm password. If a password is not entered, scheduled tasks might not run.] Figure 9.6: Scheduled task, select account. 6. Click on FINISH to end the Wizard. [Scheduled Task Wizard: You have successfully scheduled the following task: sxsynch.bat. Windows will perform this task at 3:21 PM every day, starting 10/22/2007. Open advanced properties for this task when I click Finish. Click Finish to add this task to your Windows schedule.] Figure 9.7: Scheduled task, ending the wizard. Warning: It is important to synchronize domains in order to have fresh information available. If you do not do this on a regular basis, you could have bad surprises when some users, machines or domains do not appear in your database. Registering your Sanctuary Product. This chapter explains what happens when you register your Sanctuary product. It provides examples of information contained in a typica
43. Thin Clients: Flash Memory, minimum 256 MB; RAM, minimum 256 MB; Additional Free Space, minimum 10 MB. Component required: Microsoft Software Installer. Known Issues. The following issues have been encountered when installing Sanctuary in Windows Embedded: The user notification is only displayed in the Explorer Shell. The RTNotify icon is only displayed in the Explorer Shell. The RTNotify icon is displayed only when the Show notification in Taskbar setting is selected within the user interface core component. Any changes to the default settings of the client install would require disabling EWF. If the Sanctuary Application Server (SXS) is unavailable, the permissions acquired on initial installation of the client are applied. As XP Embedded is used for building custom operating systems, even if the Microsoft Installer Service is available as part of the run-time images, other components may not be present for the Sanctuary Client to run correctly. For this reason Lumension also provides a componentized application. You cannot deploy the Sanctuary Client on XP Embedded Thin Clients using deploy.exe. Importing the public key file (sx-public.key) is currently not possible using the componentized application. This deployment has to be done manually into the %SystemRoot%\sxdata directory. This can be done by copying this file into your run-time image before deploying it
44. ...certificate issued by your Certificate Authority, installed and configured as explained in Appendix H, Installing a Certificate Authority for Encryption and TLS Communication. Warning: The decision whether or not to use encrypted communications (TLS protocol) should not be taken lightly. Once you decide to use TLS for your Sanctuary Client to Sanctuary Application Server and/or intra Sanctuary Application Server communications and install Sanctuary in this mode, it is very difficult to roll this back: you must completely uninstall all Sanctuary components and modify registry keys. Client Computer Requirements. Make sure that the computer meets the minimum hardware and software requirements. See Appendix A, Detailed System Requirements and Limitations, on page 147 for details. Warning: If the target computers have been installed using prepared hard drive images (for example using Symantec Ghost, PowerQuest DriveImage, etc.), please make sure that every machine has received a different SID (Security Identifier) and a different name before starting the deployment. You can use GhostWalker.exe, SidChanger.exe, etc. to do this. Note: Although the installation dialog only lets you input three Sanctuary Application Servers, you can easily add more if needed. You can also change how the Sanctuary Application Server(s) is selected
45. ...changes concerning the TCP/IP communication protocol, RPC, firewall and other points since Windows XP SP2. Please refer to Microsoft's Web site for more information. Stage 1: Configuring a Fixed Port on the Server. By default, the Sanctuary Application Server uses dynamic ports for the RPC communication with the Console. The ports change every time the Sanctuary Application Server is started, making it impossible to configure the firewall. In order to be able to configure the firewall, it is mandatory to instruct the Sanctuary Application Server to use a fixed port. To do this, open RegEdit and set the following entry: Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sxs\parameters; Name: Protocols; Type: REG_SZ; Value: ncacn_ip_tcp:1234, where 1234 represents the fixed TCP port number that you want to use for the communication between the Consoles and the Sanctuary Application Server. You should restart the Sanctuary Application Server for the setting to take effect, using the commands net stop sxs and net start sxs. Stage 2: Opening the Port on the Server Firewall. On the computer where the console is installed, open the chosen ports on the firewall. If you have the console installed on Windows XP/2003/Vista, see Configuring the Firewall on page 179 for more details. Connecting to the Server Using the Fixed Port
46. ...copied to your hard disk. The installed tools are: the Sanctuary Application Server; the SXDomain Tool. Warning: Although you can use Windows XP, 2000 Pro or Vista (x86) for the database and/or console, you cannot use it for the Sanctuary Application Server or client component in the case of Sanctuary Application Control Server Edition. If you are planning to spread Sanctuary components among several machines, one of them running an XP operating system (database and/or management console), you should read carefully Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, on page 175 before proceeding. Before you Install. Before you begin installing the Sanctuary Application Server, you must do the following: Make sure that the computer meets the minimum requirements (see on page for details). Have the database already installed on the computer that is to hold your information (see Chapter 2, Installing the Sanctuary Database, on page 17 for details). Make sure that Microsoft Data Access Components (MDAC) version 2.6 SP1 or later is installed. Generate the Key Pair (see Chapter 3, Using the Key Pair Generator, on page 29 for details). Note: If the server setup cannot find the MDAC component on your computer, it prompts you to download it from Microsoft's web site. You must restart the setup after installing MDAC. MDAC en
47. ...for these requirements. License-Related Sanctuary Application Server Actions at Start-Up. On start-up, the Sanctuary Application Server immediately verifies the license file. If any of the following conditions is true, the Sanctuary Application Server quits directly: The license is invalid, has been tampered with or is missing. The project name is invalid. The product expiry date has ended. The number of licensed servers has been exceeded. No other license-related conditions cause the Sanctuary Application Server to refuse to start. License-Related Sanctuary Application Server Actions While Running. Once every hour or thereabouts, the Sanctuary Application Server verifies the license file. This means that an upgrade to a license is done by simply copying the new license file over the old one. The Sanctuary Application Server terminates if the license file is missing or has been tampered with, the project name is invalid, or the expiry date is exceeded. If any of the following license-related conditions are true, the Sanctuary Application Server logs a message when running interactively: The expiry date has ended. The LicensedCPUs value is less than the number of processors installed in the computer. The IPAddress key does not list at least one IP address belonging to the computer. The LicensedClients value has been exceeded. The LicensedSessions value has b
48. ...however, if it is placed on a share, you must change the security of the share directory so that computer accounts are able to access it. If you have already installed the client using the client hardening feature and want to uninstall, modify or repair it, you must first issue an Endpoint Maintenance Ticket and copy it to the required directory. See the relevant User's Guide for more information. To Install the Sanctuary Client Deployment Tool. The Sanctuary Client Deployment Tool is installed, among other tools, when setting up the Sanctuary Management Console. See Chapter 5, Installing the Sanctuary Management Console, on page 53 for more information. When choosing the computer on which you install the Sanctuary Client Deployment Tool and from which you start the deployment, consider the following: The deployment of the Sanctuary Client on a long list of computers may take some time. You cannot log off the computer during that period. The tool makes significant use of the network resources of the computer on which it is installed. You must NEVER interrupt an ongoing deployment. Note: If you wish to administer many machines at once with the deployment tool, use a server operating system like Windows 2000 Server or Windows Server 2003. To Install Packages. The installation process is carried out in the followin
49. ...in the database table. I get the message "DBComplete failed. Several SQL statements failed to execute": Check that you have the proper rights to insert, delete and update in the database table. There is no synchronization when running the NDSSync.vbs script: If you installed SQL Server 2005 Express Edition with our installation wizard, or manually using the Windows Authentication mode, you cannot connect to the Sanctuary Database machine using credentials different from those of the system administrator provided as the script's parameters. Log in as administrator of the Database Server machine or enable SQL Authentication for your SQL Server 2005 Express Edition installation. I get the message "ActiveX component can't create object: NWDirLink.NWDDirCtrl.1": Check that NDAP is installed on the machine from where you are running the script. If it is already installed, run Regocx.bat (found on your installation CD or on Novell's Web site) on the Novell client machine which is used to synchronize with the Sanctuary Application Server. Installing your Synchronization Script. Please follow these steps to quickly get your synchronization script installation up and running (your Novell server must be ready before proceeding): 1. Install the database server. This is the first component to install, since the Sanctuary solution uses this database to store diverse information. The database is stored in a SQL server (full-blown version or SQL Server 2005 Expr
50. ...is local to the machine, as local\SQLExpress. Example: c:\> cscript.exe \path to folder\NDSSync.vbs Novell_Server Tree local\SQLExpress. How to use Novell's Synchronization Script. Once all the Sanctuary components are installed (the Sanctuary Database, Sanctuary Application Server and Sanctuary Management Console), make sure that the console can communicate with the Sanctuary Application Server and that the administrators can define or modify Sanctuary policies. Once this is done, follow these simple steps: 1. Configure initial policies using the well-known accounts (Everyone, LocalSystem, etc.). 2. Deploy the Sanctuary Client. 3. The Sanctuary Clients must be able to communicate with the Sanctuary Application Server and they must adhere to the policies that apply to the well-known accounts. 4. Run the synchronization script, either manually or automatically. 5. Once the script finishes, the account selection dialogs in the console should display the user accounts, groups and OUs. Make the changes you want to the Sanctuary policies. Update the clients and check whether they follow the new policies. Note: Although any user can start the synchronization process, just as in the Active Directory case, some eDirectory objects may require additional permissions. This depends on the organization's structure and policy. The user must be the database owner or have insert, delete and update permissions to do the synchronization
51. ...letters to describe the actual location of a file or directory. Well-Known Security Identifiers: A security identifier (SID) is a unique value used to identify a security principal or security group. The values of certain SIDs remain constant across all installations of Windows systems and for this reason are termed well-known SIDs. Everybody, Local Guest, Domain Guest, etc. are some examples of such SIDs. WINS: Windows Internet Naming Service, formerly known as WBEM. A system that determines the IP address associated with a particular network computer (called name resolution). WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP addresses assigned to them. WMI: Windows Management Instrumentation. WMI is a set of extensions that provide an operating system management technology allowing scripts to monitor and control managed resources throughout the network. WSUS: Windows Server Update Services, previously SUS v2.0, is a new version of Software Update Services (SUS). .sld file: File extension for an object definition file. Applies to Windows Embedded. Index. Symbols: 17. A: Active Directory 203, 204, 209, 214; Active Directory Service Interface 259
52. ...menu. The SQL Server Client Network Utility dialog is displayed. 3. Choose the Alias tab. 4. Click on ADD. The Add Network Library Configuration dialog opens. 5. Type in a name in the Server Alias field. If you are using Network Libraries, select the TCP/IP option. 6. Type in the Server name and change the port in the lower field (Pipe name), located on the right panel of the dialog (Connection parameters). 7. Click on OK to close the dialog and accept the new Alias. During the setup process you must then provide this Alias instead of the SQL server name. You can find more details in the Microsoft knowledge base article How Windows XP Service Pack 2 (SP2) Affects SQL Server and MSDE 2000, available on Microsoft's Web site. Connection Between the Sanctuary Management Console and the Sanctuary Application Server. A number of changes have been made in the Remote Procedure Call (RPC) service for Windows XP/2003/Vista that help make RPC interfaces secure by default and reduce the attack surface on these operating systems. The most significant change is the addition of the RestrictRemoteClients registry key. This key modifies the behavior of all RPC interfaces on the system and, by default, eliminates remote anonymous access to RPC interfaces, with some exceptions. The Sanctuary Management Console uses the RPC protocol to connect to the Sanctuary Application Server. Please note that there have been several important
...names for the servers. You can also proceed without providing a server address.

[Figure 6.7: Sanctuary Client setup, "Sanctuary Application Servers" page. The page asks for the names or IP addresses of the Sanctuary Application Servers in your organization (three Server name / Port fields, port 65229 shown), offers the option "Select a server at random to spread the load", notes that as the client uses TLS you must specify fully qualified DNS names and TLS ports for the server address, and provides Test, Back, Next and Cancel buttons.]

8. Click on the TEST button to check that the Sanctuary Client can establish a connection with the Sanctuary Application Server(s) listed. A test is considered successful if the computer is online, a Sanctuary Application Server could be contacted and the key pair match is correct. The ports are different depending on whether you are using TLS (65229) or not (65129). If using TLS, there is a REQUEST CERTIFICATE button that is used to contact the Certificate Authority and ask for a valid computer certificate. There are three different cases:
• You specify a correct address for the Sanctuary Application Server. This address is validated and if c
Installation Checklist

...of the client should at least meet the following:
• Memory: 256 MB (512 MB recommended)
• CPU: Pentium 3 or 4 processor, or equivalent AMD processor
• HD: SCSI or IDE; 10 MB to install the client, and several GB of free space if you are planning to activate the full shadow feature when installing Sanctuary Device Control
• NIC: 100 Mbit/s

Network Configuration
• Select the corresponding DNS server.
• Configure the NIC to receive its IP address from the DHCP service.

Additional Settings
• If you are using the Sanctuary Client in a Novell eDirectory, install the Novell client and optionally the ZENworks client.
• Change the Event Viewer settings to 1024 KB in size and choose to overwrite events as needed.

Firewall Configuration
Unblock firewall ports as needed to communicate with the Sanctuary Application Server. This is particularly important if you are using Windows XP SP3 or Windows Vista.

License
Each Sanctuary Application Server has a license file that specifies whether you have a valid copy of one or several of our Sanctuary programs (for example Sanctuary Application Control Server Edition, Sanctuary Device Control, and so on). There are two types of license available: an evaluation license and a full license. When you receive the license file, copy it to the %SYSTEMROOT%\SYSTEM32 folder of each computer that runs the Sanctuary Application Server. It is not required on cl
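The firewall item in the checklist is the one most often missed, and the wizard's TEST button only tells you "failed". The following added example, not code from the Sanctuary Setup Guide, checks the TCP path from an endpoint to the Sanctuary Application Server on the port the guide specifies (65129 without TLS, 65229 with TLS) and shows the matching inbound firewall rule. The server name is a placeholder.

```powershell
# Added example, not code from the Sanctuary Setup Guide. The server name is a
# placeholder; the port numbers are the ones the guide gives for the Sanctuary
# Application Server (65129 without TLS, 65229 with TLS).

function Get-SanctuaryServerPort {
    param([bool] $UseTls = $true)
    if ($UseTls) { return 65229 }
    return 65129
}

# Plain TCP connect with a timeout. $true means the path through any firewall
# is open; it says nothing about the key pair or certificate, which only the
# TEST button in setup verifies.
function Test-SanctuaryServerPort {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerName,
        [bool] $UseTls = $true,
        [int] $TimeoutMs = 5000
    )
    $port   = Get-SanctuaryServerPort -UseTls $UseTls
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ServerName, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer in time: filtered, or host down
        }
        $client.EndConnect($async) # throws when the port is closed (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Inbound allow rule on the host that must accept the connection (the
# Sanctuary Application Server listens on the port). Uses netsh advfirewall,
# available on Windows Vista / Server 2008 and later; on Windows XP use
# "netsh firewall add portopening TCP <port> <name>" instead.
function Add-SanctuaryPortRule {
    param([bool] $UseTls = $true)
    $port = Get-SanctuaryServerPort -UseTls $UseTls
    & netsh.exe advfirewall firewall add rule name=SanctuarySAS_TCP_$port `
        dir=in action=allow protocol=TCP localport=$port
}

# Example call (placeholder host):
# Test-SanctuaryServerPort -ServerName 'sxs.example.com' -UseTls $true
```

Open only the one port that matches your TLS decision; leaving both 65129 and 65229 open keeps the unencrypted, signed-only listener reachable on a server you meant to run TLS-only.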
1. Log on to the computer on which you want to install the SQL database engine. You must use an account with administrative rights.
2. Close all programs running on the computer.
3. Insert the Sanctuary CD in your DVD/CD drive and execute run.vbs, located in the SERVER\SQL2005 folder of the installation CD. The setup starts.

Note: You must have Microsoft Installer v3.1 or later installed on your system. The setup prompts you to install this if you do not have it.

Note: If you do not have Microsoft .NET Framework v2.0 or later installed on your computer, the following dialog is displayed. Click on OK and follow the instructions to install .NET Framework v2.0 or later.

[Figure 2.1: Installing SQL Server 2005 Express Edition, .NET not available. Dialog text: "The Microsoft .NET Framework 2.0 must be present before Microsoft SQL 2005 Express Edition can be installed. Click OK to install the .NET Framework."]

4. If you accept the terms of the license agreement, select the "I accept the terms in the license agreement" option and click on Next.
5. Click INSTALL to continue the installation.

Installing the Sanctuary Database

Note: Make sure that the TCP/IP protocol is enabled for your SQL database. You can use the SQL Server Configuration Manager tool, in the Start > Programs > Microsoft SQL Server 2005 menu, to check or manage protocols.

Stag
...per forest, not per domain, and control rights.

Requirements
You must have the Windows Script Host (WSH), which includes the wscript.exe and cscript.exe interpreters, installed on your system before you can run any VBScript. Some antivirus programs reject the execution of these types of scripts.

Controlling Administrative Rights for Sanctuary's Administrators

Usage
To use ctrlacx.vbs, either:
• Open a command screen (Start > Run > Command) to run the script, or
• Execute the script directly from the Run dialog.
In both cases use the following syntax:

    cscript Ctrlacx.vbs <parameter list> > file.txt

where the parameters are explained in the following list. The previous syntax sends the output directly to a text file, specified in this case by file.txt. If you want to use it interactively, use the following syntax:

    ctrlacx.vbs <parameter list>

or

    wscript Ctrlacx.vbs <parameter list>

You can use the following parameters for the Ctrlacx script:
• (help parameter) Displays a brief description of each possible parameter. You must run this script in interactive mode or from the command line in order to see the text.
• e: Enumerate all control access rights (condensed output).
• v: Enumerate all control access rights (detailed output, verbose).
• q cn: Display a control right by its canonical name (cn).
• s: Display Lumension's "Manage Sanctuary Settings" rights.
• create: Creates or updates Lumension's "Manage Sanctuary Set
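Control access rights are forest-wide objects of class controlAccessRight stored under CN=Extended-Rights in the configuration partition, which is why the guide says they are per forest, not per domain. The following added example, not code from the Sanctuary Setup Guide and not a replacement for ctrlacx.vbs, enumerates them with ADSI the way the script's "e" and "q cn" parameters do, so you can see what the script created or look one up by name. It assumes a domain-joined machine and PowerShell 2.0 or later.

```powershell
# Added example, not code from the Sanctuary Setup Guide (not ctrlacx.vbs).
# Assumes a domain-joined machine that can reach a domain controller.

function Get-ControlAccessRight {
    param([string] $DisplayNameFilter = '*')   # wildcard, e.g. 'Manage Sanctuary*'
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Extended rights are forest-wide: they live in the configuration partition.
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $searcher.Filter     = '(objectClass=controlAccessRight)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn','displayName','rightsGuid','validAccesses','appliesTo'))
    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties
        $name = [string]$p['displayname'][0]
        if ($name -notlike $DisplayNameFilter) { continue }
        New-Object PSObject -Property @{
            CN          = [string]$p['cn'][0]
            DisplayName = $name
            # The GUID that appears as ObjectType in ACEs granting this right.
            RightsGuid  = [string]$p['rightsguid'][0]
            # 0x100 = extended right; 0x8 = validated write; 0x10/0x20 = property set.
            ValidAccesses = [int]$p['validaccesses'][0]
            # schemaIDGUIDs of the object classes the right can be set on.
            AppliesTo   = @($p['appliesto'] | ForEach-Object { [string]$_ })
        }
    }
}

# Equivalent of the script's "q cn": one right by canonical name.
function Get-ControlAccessRightByCn {
    param([Parameter(Mandatory=$true)] [string] $Cn)
    Get-ControlAccessRight | Where-Object { $_.CN -eq $Cn }
}

# Example: Get-ControlAccessRight -DisplayNameFilter 'Manage Sanctuary*'
```

Reading the container requires no special rights; creating or updating a right (the script's "create") does, which is why the guide has you run that part as a forest-level administrator.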
...provide your Sanctuary Application Server machine with a valid certificate if you are planning to use the TLS (Transport Layer Security) protocol to communicate between Sanctuary Application Servers (if you are planning to install more than one) and/or for Sanctuary Application Server to client communications. See "Transport Layer Security" on page 6 and Appendix H, "Installing a Certificate Authority for Encryption and TLS Communication", for more information.

Warning: The decision whether or not to use TLS should not be taken lightly. Once you decide to use TLS for your client to Sanctuary Application Server and/or intra-Sanctuary Application Server communications and install Sanctuary in this mode, it is very difficult to roll this back: you will need to completely uninstall all Sanctuary components and modify registry keys.

To Install the Sanctuary Application Server
The Sanctuary Application Server handles client logons and is the only component that connects to the database.
1. Log on to the computer that is going to hold the Sanctuary Application Server component. The account you use must have:
   • Administrative rights
   • Access to SQL Server
2. Close all programs running on the computer.
3. Insert the Sanctuary CD in your DVD/CD drive and run setup.exe, located in the SERVER\sxs folder.

The Welcome dialog is displayed.

[Figure: Sanctuary Application Server setup, Welcome dialog.]
...provided fields. Please refer to the previous figure and section.

Installing Sanctuary in Windows XP Embedded

Encrypted Communications
Communications between the Sanctuary Client and the Sanctuary Application Server (SXS) can be fully encrypted if desired. To do this you will need a valid Certificate Authority installed to issue and manage certificates. If no certificate authority is found, the certificate cannot be issued, or you do not select encrypted communications, the communication channel is still assured by signing messages with a private key. The Sanctuary Client installation can be done in three distinct modes:
• Server is using unencrypted protocol (no TLS). Communication between the Sanctuary Application Server(s) and the Sanctuary Client is not encrypted, but is still signed using the private key. This is essentially a legacy communication protocol and is not recommended for high-security installations.
• Authentication certificate will be copied manually (manual mode using TLS communication). The certificate will have to be placed manually on the target image. The administrator generates and provides the machine certificate used in all communications. All communication between the Sanctuary Client and the Sanctuary Application Server(s) is encrypted. This mode is used when there is no Certification Authority installed in the network, or it cannot be reached when doing the client installation.
• T
Table of Contents

License File Format
License-Related Sanctuary Application Server Actions at Start-Up
License-Related Sanctuary Application Server Actions While Running
License-Related Client Actions
Appendix A: Detailed System Requirements and Limitations
  System Requirements
  Sanctuary Device Control
  Terminal Services Limitations
  The RunAs Command Limitations
Appendix B: Registry Keys
  Sanctuary Application Server Registry Keys
  Database Connection Loss Registry Keys
  Log Insertion Process Registry Keys
  Debugging Registry Keys
  General Registry Keys
  Security Registry Keys
  Sanctuary Client Registry Keys
  Sanctuary Management Console
Appendix C: Upgrading from Old Versions
...related to DNS round-robin. You must apply the latest patches, which solve them.

Items Created During the Sanctuary Client Setup
When doing a Sanctuary Client installation, the setup creates the following items.

Table 6.2: Items created by a Sanctuary Client installation
• Directory %INSTALLDIR%\Client: Contains the Sanctuary Client and all required components. Restricted access granted to Administrators and LocalSystem; read/execute access granted to Everyone. The security settings are propagated to child objects.
• Directory %INSTALLDIR%\Import: Used for a special file that is used to import permissions. This file is created by exporting permissions using the Sanctuary Management Console and has a two-week validity. Read/write access granted to Everyone.
• Directory %INSTALLDIR%\Ticket: Where the endpoint maintenance ticket has to be copied in order to relax client hardening. Read/write access granted to Everyone.
• Directory %SYSTEMROOT%\SXData: Contains several files that are required for the program to work. Restricted access granted to Administrators and LocalSystem. The security settings are propagated to child objects.
• Directory %SYSTEMROOT%\SXData\shadow: Contains the write/read shadow data, if necessary and defined by Sanctuary's Administrator. Inherits i
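The ACLs in Table 6.2 are what keep a local user from replacing client binaries or planting files in SXData, so they are worth verifying after deployment and after any imaging or permission-inheritance change on the volume. The following is an added example, not code from the Sanctuary Setup Guide: it reports, for each directory the table lists, whether Everyone can write to it and whether that matches the table. The install directory is an assumed placeholder for %INSTALLDIR%; run it as an administrator on an installed endpoint.

```powershell
# Added example, not code from the Sanctuary Setup Guide.
# $InstallDir is an assumed placeholder for %INSTALLDIR%.

$script:EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Rights that let a principal tamper with a directory's contents or its ACL.
$script:TamperRights = [int](
    [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# $true when any Allow ACE for Everyone (S-1-1-0) carries a tamper right.
function Test-EveryoneCanWrite {
    param([System.Security.AccessControl.DirectorySecurity] $Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable identity: not Everyone
        if ($sid -eq $script:EveryoneSid -and
            (([int]$ace.FileSystemRights -band $script:TamperRights) -ne 0)) { return $true }
    }
    return $false
}

function Test-SanctuaryClientAcl {
    param([string] $InstallDir = 'C:\Program Files\Lumension\Sanctuary')   # placeholder
    # Expected shape from Table 6.2: Import and Ticket are world-writable by
    # design; Client and SXData must not be.
    $expected = @(
        @{ Path = (Join-Path $InstallDir 'Client');     EveryoneMayWrite = $false },
        @{ Path = (Join-Path $InstallDir 'Import');     EveryoneMayWrite = $true  },
        @{ Path = (Join-Path $InstallDir 'Ticket');     EveryoneMayWrite = $true  },
        @{ Path = (Join-Path $env:SystemRoot 'SXData'); EveryoneMayWrite = $false }
    )
    foreach ($e in $expected) {
        if (-not (Test-Path -Path $e.Path)) {
            New-Object PSObject -Property @{ Path = $e.Path; Expected = $e.EveryoneMayWrite; Actual = $null; Ok = $false }
            continue
        }
        $actual = Test-EveryoneCanWrite -Acl (Get-Acl -Path $e.Path)
        New-Object PSObject -Property @{ Path = $e.Path; Expected = $e.EveryoneMayWrite; Actual = $actual; Ok = ($actual -eq $e.EveryoneMayWrite) }
    }
}

# Test-SanctuaryClientAcl | Format-Table Path, Expected, Actual, Ok -AutoSize
```

A Client or SXData row with Actual = True means a non-administrative user can modify what the driver loads or reads; treat it as a finding rather than a convenience.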
...the early 1980s, when it offered a product to share files and printers in a small LAN structure based on PCs. Still going strong today, Novell networks have the same security and data control problems as all other LAN and WAN products on the market. Many modern WANs and LANs run different network operating systems in a heterogeneous environment that often includes Novell as a solution. In this appendix we analyze the extra component offered by Sanctuary to synchronize eDirectory objects (OU, group, user and workstations) so that an administrator can manage them and deny/allow access to I/O devices in a Novell setting.

Note: You should activate the "File and Print Sharing for Microsoft Networks" service and "Client for Microsoft Networks" on all your machines. These services are used for the endpoint driver deployment, eDirectory synchronization and, if you are planning to install it, SQL Server 2005 Express Edition SP2.

What Components are Required
There are four distinct components necessary for the implementation of Sanctuary on Novell systems:
• Novell server version 6.5 or later (version 5.x requires Lumension approval).
• A SQL server that holds the Sanctuary Database. It does not need to have a Novell client, but it may if you are trying to run the synchronization script directly from the server, so that you do not need to specify the SQL address, user name and password.
• A Sanctuary script file written in VB
...to confirm your settings. The server address is verified, but you can still continue if it is invalid or unspecified. See details in the Sanctuary Setup Guide.
12. In the next step you are prompted for the target directory. You will normally accept the proposed one. Click the Next button to continue.
13. You can now select the way the uninstall process is controlled in the Windows Add or Remove Programs dialog.
After the final screen, where the actual installation process begins, the Sanctuary Client setup prompts you to reboot one final time.

Installing Sanctuary Application Control Terminal Services Edition

Once installation is complete, if you do not want to reboot, run "change user /execute" in the command prompt window you used at the beginning of the installation.

Uninstalling the Sanctuary Client
At any time after installing the Sanctuary Client you can uninstall it from your MetaFrame server. To do this you must log on to the computer using an account with administrative rights. Since you are now in a highly secure environment, changes to the client (when using the Client Hardening mode) and its components have to be done in an orderly fashion. Even if you are an administrator, the services, registry entries and special directories of the client cannot be modified before taking some measures to certify that you have the right to do so. To uninstall the client you should either:
• Deactivate the Hardenin
...to the limitation described in this section.

Note: Writing a DVD/CD requires a proxy and is subject to the RunAs limitation, whereas reading a DVD/CD is not.

Example 2: Bill has no access to the floppy; John has Read/Write access to the floppy. If Bill uses a RunAs command to run Windows Explorer under the credentials of John, he will be able to read and write to the floppy. Indeed, access to the floppy is done without a proxy, so the limitation described in this section does not apply to this device.

Appendix B: Registry Keys
The information in this appendix applies to all Sanctuary software suite products.

Sanctuary Application Server Registry Keys
The following table contains details of each registry key entry used for the Sanctuary Application Server. All Sanctuary Application Server entries are of type REG_SZ (string value). The entries in the following table are found within the following key:

    HKLM\SYSTEM\CurrentControlSet\Services\sxs\Parameters

Warning: Keys whose names are marked with an asterisk (*) should not be modified except under the supervision of Lumension Support personnel.

Database Connection Loss Registry Keys
The Sanctuary Application Server continues to run even if it has an intermittent database connection. It ignores database connection problems for a certain period of time, retrying connections to the Sanctuary Dat
...to use this mode, then you should turn to the manual mode.

Note: The semi-automatic mode is not available when installing the Sanctuary Client on Windows Embedded machines.

How to Update Policies
If policies are not defined beforehand, or for example when doing an update or installing another component or software, you will need to update permissions. Permissions and policies are defined using the Sanctuary Management Console and are sent in two modalities:
1. Online, when all machines are connected through a network or using the Internet.
2. Offline, when the clients are not connected to each other and work as independent units.
Remember that the Sanctuary Client only communicates with the Sanctuary Application Server; permissions and rules are stored in the Sanctuary Database. When doing an online update, policies are defined using the Sanctuary Management Console and then sent to all clients using one of three available methods:
• Push: the administrator forces the update using the SEND UPDATES TO command of the management console.
• Manual pull: the client explicitly asks for the updates using the UPDATE command of the right-click menu.
• Auto pull: the client automatically asks for new permissions when the user logs in, after a reboot, when the update time defined in the console options is up, etc.
...to use this mode, then you should use the semi-automatic mode if you are using our Client Deployment Tool (see Chapter 8, "Unattended Client Installation", on page 93) and the manual mode in all other cases.

Although you can select the default port values, you can always change them if desired, to fine-tune the communication protocol, by modifying the corresponding registry entries. See Appendix B, "Registry Keys", for more information.

Remember that you require a valid certificate on both machines (the one with the Sanctuary Application Server and the one with the Sanctuary Client) in order to use a TLS channel that encrypts all communication. Even if you are not using TLS, all data transfer is signed with the private key generated before installing the Sanctuary Application Server. See Chapter 3, "Using the Key Pair Generator", on page 29 for more information about how to create these keys.

Installing the Sanctuary Client on Your Endpoint Computers

If selecting the second option, you should already have a valid machine certificate, i.e. not one that is revoked or has expired. The following screen is displayed:

[Figure: Sanctuary Client setup, "Client Authentication" page. Text: "Generate a certificate that will be used to authenticate the client machine when communicating with the Sanctuary Application Server. Setup generates a prototype certificate which has to be signed by a CA certificate and will then automatically be sto
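"Valid machine certificate" covers more than the dates: the certificate must carry a private key, chain to a CA the other side trusts, not be revoked, and name the host by the fully qualified DNS name that the TLS server address uses. The following added example, not code from the Sanctuary Setup Guide, applies those checks to every certificate in the machine's personal store so you can confirm one qualifies before choosing the manual TLS mode here or in the XP Embedded section. It assumes PowerShell 2.0 or later and an online CRL/OCSP path to the CA; the FQDN is supplied by you.

```powershell
# Added example, not code from the Sanctuary Setup Guide.
# $Fqdn: the name you entered as the server address (you supply it).

function Get-ValidMachineCertificate {
    param([Parameter(Mandatory=$true)] [string] $Fqdn)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $problems = @()
        if (-not $cert.HasPrivateKey)  { $problems += 'no private key' }
        if ($cert.NotBefore -gt $now)  { $problems += 'not yet valid' }
        if ($cert.NotAfter  -le $now)  { $problems += 'expired' }

        # Build the chain with online revocation checking across the whole chain,
        # which is what "not revoked" means in practice.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($cert)) {
            $problems += (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }

        # First DNS name from the SAN (or CN if no SAN); must be the FQDN used as
        # the server address, since TLS mode requires fully qualified names.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $Fqdn) { $problems += "name '$dnsName' is not '$Fqdn'" }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Valid      = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Get-ValidMachineCertificate -Fqdn 'endpoint01.example.com' | Where-Object { $_.Valid }
```

A certificate that fails only the revocation step usually means the CRL distribution point is unreachable from this host; fix that before installing, because the client-server handshake will hit the same problem.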
...tools are included with Windows XP Embedded as part of Windows Embedded Studio:
• Target Designer provides a development environment to create a bootable run-time image for a target device.
• The Component Designer is the development tool that enables you to turn your unique application, service or driver into a component definition that can then be incorporated in the run-time image.
• The Database Manager facilitates easy management of the component database and the repositories which are used by the Component Designer and the Target Designer tools.
• The Target Analyzer probe utility enables automated analysis of the target device, eliminating the need to collect device-specific details manually.
Once you have the image, the next step consists of mounting it on the target device. This can be done in one of several ways, the most common being using the First Boot Agent to complete the installation when first booting the device. You can learn more about how to componentize, design run-time images and create your final image on Microsoft's Web site.

To install Sanctuary in Windows XP Embedded you currently have two options:
1. Microsoft Software Installer (MSI). The Sanctuary Client is installed the same way as any program on Windows XP Professional. The Windows Installer Service component is available as part of the XP Embedded OS. See also "Enh
...un-partitioned disk space. This EWF volume stores configuration information about all EWF-protected volumes on the device. There are three different modes of EWF, based on the different configurations for the EWF overlay and the EWF volume:
• Disk (on disk): used to maintain the state of the system between reboots. The EWF volume is created on disk in un-partitioned space.
• RAM (in RAM): used to discard any write information after reboot, or to delay writing the overlay to the media. The EWF volume is created on disk in un-partitioned space.
• RAM Reg (in RAM): similar to the EWF RAM type, RAM Reg overlays store information in RAM. However, the configuration information about EWF is not stored in a separate EWF volume but within the registry.

Sanctuary Client & EWF
The Enhanced Write Filter needs to be disabled prior to installing the Sanctuary Client and re-enabled afterwards. If you fail to do this, no changes will be written to the disk volume and the disk volume will be reverted back to its previous state after rebooting the machine. The client running with EWF enabled is able to pick up all permissions from the server after a reboot, including managed devices and temporary permissions. You can activate/deactivate the Enhanced Write Filter from within the Control Panel.

Minimum Requirements
The following list specifies the minimum system requirements needed for a Microsoft Software Installer installation of the Sanctuary Client on XP Embedded:
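The failure mode above is silent: setup reports success, the overlay absorbs every write, and the client is gone after the next reboot. The following added example, not code from the Sanctuary Setup Guide, wraps ewfmgr.exe (the command-line counterpart of the Control Panel switch) and refuses to start the client setup while the overlay is active. The sample ewfmgr output is constructed to show what the parser expects; the setup path is a placeholder. If the image has no PowerShell, the same ewfmgr calls can be put in a batch file.

```powershell
# Added example, not code from the Sanctuary Setup Guide. Wraps ewfmgr.exe.
# The setup path is a placeholder; the sample output below is constructed.

function ConvertFrom-EwfStatus {
    param([string[]] $Lines)
    $state = $null
    $boot  = $null
    foreach ($line in $Lines) {
        # "ewfmgr <vol>" prints, among other lines:
        #   "  State           ENABLED"   and   "  Boot Command    NO_CMD"
        if ($line -match '^\s*State\s+(\S+)')        { $state = $matches[1] }
        if ($line -match '^\s*Boot Command\s+(\S+)') { $boot  = $matches[1] }
    }
    New-Object PSObject -Property @{ State = $state; BootCommand = $boot }
}

function Get-EwfStatus {
    param([string] $Volume = 'C:')
    ConvertFrom-EwfStatus -Lines @(& ewfmgr.exe $Volume 2>&1 | ForEach-Object { [string]$_ })
}

# Safe only when the overlay is off and no boot command is queued that would
# switch it back on before the installation reaches the real volume.
function Test-EwfSafeToInstall {
    param([string] $Volume = 'C:')
    $s = Get-EwfStatus -Volume $Volume
    return ($s.State -eq 'DISABLED') -and ($s.BootCommand -eq 'NO_CMD')
}

function Install-SanctuaryClientOnEwf {
    param(
        [string] $Volume    = 'C:',
        [string] $SetupPath = 'D:\CLIENT\setup.exe'   # placeholder
    )
    if (-not (Test-EwfSafeToInstall -Volume $Volume)) {
        # -disable is a boot command: it takes effect at the next restart.
        & ewfmgr.exe $Volume -disable | Out-Null
        throw "EWF is still protecting $Volume; disable queued. Reboot, then run again."
    }
    $proc = Start-Process -FilePath $SetupPath -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "Sanctuary Client setup exited with $($proc.ExitCode)" }
    # Re-enable protection; also a boot command, so the final reboot that setup
    # asks for brings the overlay back with the client already on the volume.
    & ewfmgr.exe $Volume -enable | Out-Null
}

# Parser check on constructed output (State is "ENABLED", BootCommand "NO_CMD"):
$SampleEwfOutput = @(
    'Protected Volume Configuration',
    '  Type            RAM (REG)',
    '  State           ENABLED',
    '  Boot Command    NO_CMD'
)
ConvertFrom-EwfStatus -Lines $SampleEwfOutput
```

Because both -disable and -enable are boot commands, the procedure always takes two reboots: one to drop the overlay, one after the install to restore it.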
...using boot disks with other operating systems), encrypting the machine's disk(s) with third-party software. This also adds another security layer in the event that a machine containing legally protected data is lost or stolen.

The Seal / Chassis Intrusion Protector
Protect the hardware with a seal and/or chassis intrusion protection hardware. Otherwise an intruder could obtain administrator-level access to the system using an external boot device to bypass workstation security software.

Password-Protect the BIOS
Although this is important, its effectiveness is greatly reduced without chassis intrusion security (see previous point), since someone just needs to locate the CMOS reset jumper to gain access to data on the local hard drive.

Note: Some workstations have an intrusion trigger which is stored in the BIOS and displayed when the machine cover has been removed.

Administrative Rights
Even though Sanctuary can enforce policies for local administrators and limit their ability to change or remove the Sanctuary Client through client hardening, users should NEVER be members of the local group called Administrators. If a user is the administrator of his own computer, then he has complete, unrestricted access to this computer. There are many ways to uninstall, disable or change the configuration of programs and services and time settings when you are a local administrator. For example, one could delete files or registry keys, uninstall the pr
...for which the license is valid.
• ExpiryDate: Validity of the license file.
• LicensedClients: Number of clients that can be registered in the Sanctuary Database. This corresponds to the sum of the number of computers where the Sanctuary Client is used.
• LicensedSessions: This limits the number of sessions that the Sanctuary Application Server allows. Exceeding this limit only causes warnings to be displayed. A session in this context refers to a logon session. Such a logon session is created for every interactive logon of a user on a Sanctuary-protected computer. Logon sessions are also created for services that run under a real user account (as opposed to LocalSystem) and, under certain circumstances, by some server programs (mail, web, FTP servers and so on).
• LicensedServers: Number of instances of the Sanctuary Application Server that may be run at the same time. The Sanctuary Application Server refuses to start if it detects a number of already running Sanctuary Application Server instances exceeding this limit.
• ProductName: The full name of the product for which the license was created.
• ClientName: The name of the customer to whom the product was licensed.
• GeneratedOn: The date on which the license was created. This is useful if you are unsure when to renew your maintenance contract.
• Serial: The serial number of this license.
• LicensedTo: The na
Table B.10: Client registry keys (2/2)
• Enum (subkey): Contains the device list. Default: n/a.
• Limits (subkey): Copy limit settings (UpdateTime, CachedSize and so on).
• EventLog (REG_DWORD): Internal use.
• FileLog (REG_DWORD): Internal use.
• Classes (REG_DWORD): Contains device names and permissions.
• HistoryPeriodSecs (REG_DWORD): Internal use.
• ShadowDirHistory (REG_BINARY): Internal use. Default: n/a.
• Debug (REG_DWORD): Used for debugging purposes (reboot to activate). Default: 3.
• Security (subkey): Internal use. Default: n/a.
• ComputerName (REG_SZ): Internal use; do not modify.

Sanctuary Management Console
The following table contains details of the registry key entry that controls various aspects of how the management console interface works. The key is located in:

    HKEY_CURRENT_USER\Software\Lumension Security\Sanctuary

Table B.11: Console registry keys
• ForceLCID: Defines the console's interface language. Default: 1033 (1033 = English, 1031 = German).

Appendix C: Upgrading from Old Versions
The information in this appendix is product-specific. If you are upgrading from a previous version of Sanctuary, you should be aware that the upgrade process should always be done in the following order:
1. If you are using any
...2000 Server SP4 or later; Windows Server 2003 SP1 or later. Operating systems are 32-bit unless noted otherwise.
• Disk space: 8 MB free disk space for program files; 15 MB for the installation. With shadowing enabled (when using Sanctuary Device Control), disk space requirements can grow to several GB. Use an NTFS disk partition.
• Memory: 256 MB (512 MB recommended).
• Others: Novell client v4.91 SP1 or later if connected to a Novell environment. A Certificate Authority installed and configured if the TLS protocol is chosen for client to Sanctuary Application Server communication.

Detailed System Requirements and Limitations

Table A.5: Sanctuary common requirements
• If using central encryption or the TLS communication protocol: A valid Certificate Authority installed to issue and manage certificates, if you want encrypted client to Sanctuary Application Server and intra-Sanctuary Application Server TLS communications. This authority is also needed if you plan to centrally encrypt removable devices (if using Sanctuary Device Control). If no Certificate Authority is found, you can still encrypt devices, with some limitations, and the communication channel is assured by signing messages with a private key.
• If using Novell: On the computer used to synchronize Novell's objects, we recommend installing all these components on the same machine as the one used to host the databas
...SQL Server 2005 Express Edition requires Microsoft .NET Framework 2.0; MDAC v2.6 SP1 if using Windows 2000. All operating systems are 32-bit unless noted otherwise.

Table A.3: Sanctuary Administration Tools system requirements
• Operating system: Microsoft Windows 2000 Server SP4 or later; Windows 2000 Professional; Windows XP Professional SP2 or later; Windows Server 2003 SP1 or later; Windows Vista (consult us before installing the Sanctuary Management Console on this system). Operating systems are 32-bit unless noted otherwise.
• Disk space: 150 MB free disk space for program files; 15 MB for the installation. Use an NTFS disk partition.
• Memory: 256 MB (512 MB recommended).
• Display: 1024x768.

Table A.4: Sanctuary Client system requirements
• Sanctuary Device Control or Sanctuary Application Control: Microsoft Windows 2000 Professional SP4 or later; Windows XP Professional SP2 or later (32- and 64-bit); Windows XP Tablet PC Edition SP2; Windows Vista SP0 or later (32- and 64-bit); Windows 2003 SP1 or later (32- and 64-bit).
• Sanctuary Embedded Devices: Microsoft Windows Embedded for Point of Service (WEPOS); Windows XPe SP2 or later.
• Sanctuary Application Control Server Edition or Sanctuary Application Control Terminal Services Edition: Microsoft Windows 200
...2. The database server you choose depends on the size of your implementation and which, if any, of these Microsoft SQL Server databases you are currently using within your organization. SQL Server 2005 Express Edition is certainly sufficient for installations of up to 200 connected Sanctuary clients when you are using Sanctuary Device Control, or 50 Sanctuary clients when you are using the Sanctuary Application Control Suite. Please note that there are inherent limits when using SQL Server 2005 Express Edition, including:
• 4 GB database size limit
• No parallel processing of index operations
• Only uses up to 1 GB of RAM
• Only one CPU; no workload governor
• No Query Analyzer
SQL Server 2005 Express Edition may be an attractive option for sites that do not already use SQL Server. It is available free of charge, eliminating the expense of purchasing SQL Server.

We recommend using a full-blown SQL Server at sites in which it is already installed. SQL Server should always be used for sites serving 200 or more connected Sanctuary clients. See our online knowledge base at www.lumension.com for advice about which Microsoft SQL Server database you should choose. The Sanctuary Setup CD includes an installation of SQL Server 2005 Express Edition.

Note: You can start using SQL Server 2005 Express Edition and migrate to SQL Server later, should this be necessary. You cannot create a clu
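Of the limits listed, the 4 GB database cap is the one that turns into an outage: once the data files are full, the Sanctuary Application Server can no longer insert logs or shadow metadata. The following added example, not code from the Sanctuary Setup Guide, measures the database's data files against that cap so you know when the migration the note mentions is due. Instance name, database name and the 80 % warning threshold are placeholders; the connection uses Windows authentication.

```powershell
# Added example, not code from the Sanctuary Setup Guide.
# Placeholders: instance '.\SQLEXPRESS', database 'sx', 80 % warning threshold.

# Pure decision rule so it can be reasoned about without a server.
function Get-DbCapacityStatus {
    param([string] $Edition, [double] $DataMB, [double] $LimitMB = 4096, [double] $WarnFraction = 0.8)
    if ($Edition -notmatch 'Express') { return 'not-express' }   # cap does not apply
    if ($DataMB -ge $LimitMB)                 { return 'full' }
    if ($DataMB -ge $LimitMB * $WarnFraction) { return 'warn' }
    return 'ok'
}

function Get-SanctuaryDbSize {
    param([string] $ServerInstance = '.\SQLEXPRESS', [string] $Database = 'sx')
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI;Connect Timeout=15")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Express counts data files (type ROWS) toward the limit, not the log;
        # size is in 8 KB pages.
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) AS Edition,
       SUM(CAST(size AS bigint)) * 8.0 / 1024 AS DataMB
FROM sys.database_files
WHERE type_desc = 'ROWS'
"@
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        $edition = $rdr.GetString(0)
        $dataMb  = [double]$rdr.GetValue(1)
        $rdr.Close()
        New-Object PSObject -Property @{
            Edition = $edition
            DataMB  = [math]::Round($dataMb, 1)
            Status  = (Get-DbCapacityStatus -Edition $edition -DataMB $dataMb)
        }
    } finally {
        $conn.Close()
    }
}

# Get-SanctuaryDbSize -ServerInstance 'sqlhost\SQLEXPRESS' -Database 'sx'
```

Schedule this alongside backups; a 'warn' result is the point at which to plan the move to a full SQL Server, since the migration itself needs a working database.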
...29; sxs.example.com:65130. Default: those defined during the client installation.
• ServersOverride: Internal use; do not modify.
• ShadowDirHistory (optional): Internal use; do not modify.
• TicketDir: Directory where the endpoint maintenance ticket has to be copied in order to relax client hardening.

Table B.9: Client registry keys (1/2)
• UseTLS: "yes" when TLS is used (all communication is encrypted); "no" when TLS is not used (all communication is signed). Default: defined during client installation.
• TcpConnTimeout: Defines the default connection timeout the client uses when importing policies and permissions from a file. Value in milliseconds. If not present, 3 minutes is used. If an incorrect value, or a value less than 30,000 milliseconds (30 seconds), is provided, then 30 seconds is used. When used for exporting settings from the management console you should define the same registry key, but in SOFTWARE\Lumension Security\smcV

Note: This registry key does not control client hardening itself; it is for information purposes only.

The following table contains details of the major registry key entries for the Sanctuary Client Kernel. The Parameters subentry is used to save different program options. Its keys are located in:

    HKLM\SYSTEM\CurrentControlSet\Services\sk\Parameters

Table B.1
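The TcpConnTimeout rule has three branches (absent, unparsable, too small) and is easy to get wrong when auditing a fleet by reading raw registry values. The following added example, not code from the Sanctuary Setup Guide, reads the client kernel parameters named above from the key the guide gives and returns the effective values the client will use, applying the guide's rule as stated. It changes nothing in the registry.

```powershell
# Added example, not code from the Sanctuary Setup Guide. Read-only.

$script:SkParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sk\Parameters'

# Guide rule: absent -> 3 minutes; not a number, or below 30 000 ms -> 30 seconds.
function Resolve-TcpConnTimeout {
    param($RawValue)
    if ($null -eq $RawValue) { return 180000 }
    $parsed = 0
    if (-not [int]::TryParse([string]$RawValue, [ref]$parsed)) { return 30000 }
    if ($parsed -lt 30000) { return 30000 }
    return $parsed
}

# "yes" -> TLS, all traffic encrypted; anything else -> signed only.
function Resolve-UseTls {
    param($RawValue)
    return (([string]$RawValue).Trim().ToLower() -eq 'yes')
}

function Get-SanctuaryClientConfig {
    $p = Get-ItemProperty -Path $script:SkParametersKey -ErrorAction Stop
    $ticketDir = $p.TicketDir
    New-Object PSObject -Property @{
        UseTLS             = (Resolve-UseTls $p.UseTLS)
        TcpConnTimeoutMs   = (Resolve-TcpConnTimeout $p.TcpConnTimeout)
        TicketDir          = $ticketDir
        # An endpoint maintenance ticket can only relax hardening if this
        # directory exists; a missing one means no supported way to relax it.
        TicketDirExists    = (($null -ne $ticketDir) -and (Test-Path -Path $ticketDir))
    }
}

# Worked values of the rule, for checking by hand:
#   Resolve-TcpConnTimeout $null     -> 180000
#   Resolve-TcpConnTimeout 'abc'     -> 30000
#   Resolve-TcpConnTimeout 1000      -> 30000
#   Resolve-TcpConnTimeout 45000     -> 45000
```

Run it on a hardened endpoint with Get-ItemProperty only; with client hardening active, writes to this key are blocked by design, and the result tells you whether the ticket directory is in place before you attempt a maintenance change.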
[Figure 5.1: Sanctuary Management Console installation, first step.]

The next dialog displays the License Agreement.

[Figure 5.2: Sanctuary Management Console installation, License Agreement. The dialog reads: "Please read the following license agreement carefully. TERMS AND CONDITIONS OF INSTALLATION. Your access to and installation of this software product is subject to the terms and conditions contained on the Lumension Security, Inc. (Lumension) website. For your convenience the links are provided below. By clicking on Acceptance you agree that you have read, understand and agree to be bound by the terms and conditions contained on the link below." It links to the Terms and Conditions of Use, the Omnibus End User License Agreement (EULA) / Product Use Rights and Maintenance / Product Support, and offers the options "I accept the terms in the license agreement" and "I do not accept the terms in the license agreement".]

4. If you accept the terms of the license agreement, select the "I accept the terms in the license agreement" option and click on Next. You can also click on any of the three available buttons to read the license agreements.

Note: The license agreement text
77. ...Application Control Terminal Services Edition CD-ROM. Click the Import button to start the process. Once the file definitions import finishes, you should select the User Explorer module from the same console and assign the newly created File Groups to users as follows:
- Everyone: Windows Common, Logon Files
- LocalSystem: Boot Files
- LOCAL SERVICE: Boot Files
- NETWORK SERVICE: Boot Files
- Administrators: all
These assignments represent the minimum that we recommend. Additionally, you may want to assign Entertainment, Communication, Accessories, Control Panel, DOS Applications and 16bit Applications to users or groups as required. Other files can be authorized either by means of the execution logs (Log Explorer module) or by scanning the target computer (Scan Explorer module). Please refer to the Sanctuary Application Control Suite User Guide for further details.

Installing the Sanctuary Client

The Installation Procedure
To install the Sanctuary Client on your MetaFrame Presentation Servers, follow the steps below:
1. Log on to the MetaFrame Presentation Server with administrative rights.
2. Start a command line prompt and type "change user /install", which will change your session from execution to installation mode.
3. Select the Client folder on the Sanctuary Application Control Terminal Services Edition CD-ROM, or navigate to the network share where the Sanctuary Client setup files are located. Run Setup
78. [Figure 9.2: Scheduled task, First step]
2. Click on Next.
3. In the following screen, click on Browse and select the sxsynch.bat file.
[Figure 9.3: Scheduled task, Select program]
4. In the next two screens, choose how often you want the task to be performed (daily, weekly, monthly, one time only, when my computer starts, when I log on), then the start time and start date.
[Figure 9.4: Scheduled task, Select period (1/2)]
[Figure 9.5: Scheduled task, Select period (2/2)]
5. Specify an account that has rights to use the Sanctuary Management Console. This is the account that runs the sxdomain command.
Scheduled
79. Firewall Configuration
If you are using Windows XP SP2 or later, Windows 2003 Server SP1 or later, or Windows Vista for the database, the firewall may be active and blocking certain ports needed to communicate with the Sanctuary Application Server.

The Sanctuary Application Server
The Sanctuary Application Server handles client logons and is the only component that connects to the database.
Software:
- Windows 2000/2003 Server with latest service packs
- Install Microsoft Enterprise Certificate Authority (root) for central encryption
- A PDF viewer to read the documents
- MDAC v2.6 with SP1 or later if you are using Windows 2000 Server
Hardware: The hardware specifications of the Sanctuary Application Server should be the following as a minimum, depending on your enterprise size and number of clients:
- Memory: 256 MB (512 recommended)
- CPU: Pentium 3 or 4 processor, or equivalent AMD processor
- HD: 3 GB SCSI or IDE; bigger if you plan to use shadowing when installing Sanctuary Device Control and if the Data File Directory (see Data file directory on page 224) is defined on this machine
- NIC: 100 MBits/s

The Sanctuary Management Console
The Sanctuary Management Console is the application that you use to administer your Sanctuary suite. You can install it on as many computers as you want.
Note: You must install t
80. ...INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES.

Trademarks
Lumension Corporation, Sanctuary, Sanctuary Application Control Suite, Sanctuary Application Control Custom Edition, "securing the enterprise", Sanctuary Application Control Server Edition, Sanctuary for Embedded Devices, Sanctuary Application Control Terminal Services Edition and their associated logos are registered trademarks or trademarks of Lumension Corporation. RSA Secured is a registered trademark of RSA Security Inc. Apache is a trademark of the Apache Software Foundation. In addition, other companies' names and products mentioned in this document, if any, may be either registered trademarks or trademarks of their respective owners.

Feedback
Your feedback lets us know if we are meeting your documentation needs. E-mail the Lumension Technical Publications department at techpubs@lumension.com to tell us what you like best, what you like least, and to report any inaccuracies.

Table of Contents
About This Guide xi
Document Conventions xiii
Contacting Lumension Security xiv
Lumension Security Corporate Offices
81. ... 223
Network Configuration 223
Additional Settings 224
Firewall Configuration 224
Licenses 224
Private and Public Keys 224
Data file directory 224
... 225
Certificate 225
Implementation 225
Installation Checklist 227
Defining Permissions in Sanctuary Device Control 231
Appendix K: Installing Sanctuary Application Control Terminal Services Edition 237
Introducing Sanctuary Application Control Terminal Services Edition 237
Installing the Server Side Components 237
Installing the Sanctuary Client 238
The Installation Procedure 238
Uninstalling the Sanctuary Client 242
Appendix L: Installing Sanctuary in Windows XP Embedded 243
What is Windows XP Embedded 243
82. [Figure 6.2: Sanctuary Client, License agreement. The dialog shows the Terms and Conditions of Installation, links to the Terms and Conditions of Use, the Omnibus End User License Agreement (EULA), Product Use Rights and Maintenance/Product Support, and the options "I accept the terms in the license agreement" and "I do not accept the terms in the license agreement".]
5. If you accept the terms of the license agreement, select the "I accept the terms in the license agreement" option and click on Next. You can also click on any of the three available buttons to read the license agreements.
6. Specify whether or not you want the Sanctuary Client to use the TLS protocol to communicate with the Sanctuary Application Server (see Transport Layer Security on page 33).
[Figure: Sanctuary Client Wise Solutions Wizard, Encrypted communication. The dialog reads: "Select if your Sanctuary Application Server is using an encrypted protocol for communication with the Sanctu
83. ...SQL 2005 Express Edition SP2.
Install Sanctuary Database and grant owner rights to the Sanctuary Application Server service account: The Database Management System used by Sanctuary is either a Microsoft SQL Server 2000 SP4, 2005 SP2, 2005 64-bit, or Microsoft SQL 2005 Express Edition SP2, depending on the number of clients to be controlled. The Sanctuary Database is installed and you grant owner rights to the Sanctuary Application Server service account before starting the installation of the first Sanctuary Application Server.
Create a share (DataFileDirectory) for the Sanctuary Application Server on a file server (required in configurations with multiple Sanctuary Application Servers): If the sizing analysis has determined that more than one Sanctuary Application Server should be used, you must create a network share (DataFileDirectory), a common repository to all Sanctuary Application Servers, before installing the first Sanctuary Application Server. If you are going to use only one Sanctuary Application Server, this can be local to the machine where the Sanctuary Application Server is going to be installed.
Generate a new key pair to secure the communication between the Sanctuary Application Server and the clients: Before the first Sanctuary Application Server is installed, create your own key pair and implement this key pair where the first Sanctuary Application Server will be installed (copy both keys to the SystemR
84. Sanctuary Application Server Setup
During the Sanctuary Application Server installation, the setup creates the following items.

Table 4.2: Items created by the Sanctuary Application Server installation
Directory C:\DataFileDirectory: Directory where the Sanctuary Application Server logs and shadow files are stored. Full control for Administrators.
Directory %INSTALLDIR%\SXTools: Folder where the FileTool, KeyGen and SXDomain auxiliary tools are placed. You can find a full description of these tools in the corresponding administrator's guide and in this setup guide. Full control for Administrators; Read/Execute for authenticated users.
Directory %INSTALLDIR%\SSF: Contains all Sanctuary Application Server support files and tools. Full control for Administrators; Read/Execute for authenticated users.
Registry keys HKLM\SYSTEM\CurrentControlSet\Services\sxs\Parameters: See Appendix B, Registry Keys, for a complete description. Permissions: n/a.

You can block the use of the RegEdit.exe program for all users by using our Sanctuary Application Control Suite.
Note: The %INSTALLDIR% directory points to the folder where the program was installed. It is usually C:\Program Files\Lumension Security\Sanctuary but can refer to another folder.

Installing the Sanctuary Management Console
This chapt
85. Sanctuary Setup Guide
Sanctuary Application & Device Control v4.3.2
Lumension Security
02_102_4 3 2 55
Lumension Security, 15880 North Greenway Hayden Loop, Suite 100, Scottsdale, AZ 85260. Phone: 480 970 1025. Fax: 480 970 6323. www.lumension.com
Copyright 1997-2008 Lumension Security, Inc. ALL RIGHTS RESERVED. U.S. Patent No. 6,990,660. Other Patents Pending.
This manual, as well as the software described in it, is furnished under license. No part of this manual may be reproduced, stored in a retrieval system, or transmitted in any form (electronic, mechanical, recording or otherwise) except as permitted by such license.
LIMIT OF LIABILITY / DISCLAIMER OF WARRANTY: LUMENSION CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES IN REGARDS TO THE ACCURACY OR COMPLETENESS OF THE INFORMATION PROVIDED IN THIS MANUAL. LUMENSION CORPORATION RESERVES THE RIGHT TO MAKE CHANGES TO THE INFORMATION DESCRIBED IN THIS MANUAL AT ANY TIME WITHOUT NOTICE AND WITHOUT OBLIGATION TO NOTIFY ANY PERSON OF SUCH CHANGES. THE INFORMATION PROVIDED IN THE MANUAL IS NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULT, AND THE ADVICE AND STRATEGIES CONTAINED MAY NOT BE SUITABLE FOR EVERY ORGANIZATION. NO WARRANTY MAY BE CREATED OR EXTENDED WITH RESPECT TO THIS MANUAL BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. LUMENSION CORPORATION SHALL NOT BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER DAMAGES ARISING FROM THE USE OF THIS MANUAL,
86. ...script provided on the installation CD under the scripts directory. A Windows machine with a Novell client on which the synchronization script is executed. This machine must already have Novell's NDAP ActiveX objects installed. You can find these components on Novell's Web site or on your Sanctuary installation CD.

How does the Novell Interface Work?
Once Sanctuary is installed and configured completely (including the Sanctuary Application Server, Sanctuary Database and Sanctuary Client), Novell's eDirectory trees are synchronized using an external script and appear in the Sanctuary Management Console structure, so that permissions and rules can be assigned to explicit objects. This VBScript translates and synchronizes the Globally Unique Identifiers (GUIDs) of eDirectory objects into the Security Identifiers (SIDs) used internally by Sanctuary. The administrator can still use the Synchronize Domain command of the Tools menu, or from the Control Panel, to synchronize individual machines or Windows domains.
The administrator must run the synchronization script on a regular basis to synchronize all eDirectory objects. This can either be done manually or with a scheduled execution:
- In the manual execution, the administrator starts the VBScript by running it directly from the Windows Run menu or a command window.
- For a scheduled execution, the administrator uses th
87. Setup Guide

Preface
This guide explains in detail how to install all components of your Sanctuary solution. For a quick introduction on how to test and understand the way Sanctuary works and protects your organization, consult the Sanctuary Quick Setup Guide.

About This Guide
This guide contains the following chapters and appendices:
Chapter 1, Installing Sanctuary's Components, shows you the basic Sanctuary architecture and security tips, and guides you through the process of installing the Sanctuary components.
Chapter 2, Installing the Sanctuary Database, explains how to set up the database needed by Sanctuary.
Chapter 4, Installing the Sanctuary Application Server, explains how to set up the component that serves as a link between the Sanctuary Client and the database, and/or the management console and the database.
Chapter 5, Installing the Sanctuary Management Console, explains how to set up the console used to administer Sanctuary.
Chapter 3, Using the Key Pair Generator, explains how to generate public and private keys before you deploy the Sanctuary Client to the machines you want to protect.
Chapter 6, Installing the Sanctuary Client on Your Endpoint Computers, guides you on how to set up the Sanctuary Client on the computers that will be protected by Sanctuary.
Chapter 7, The Sanctuary Authorization Service Tool, explains the setup procedures for the SUS/WSUS (Software Update Services & Windows Server Update S
88. ...Srv.exe is done through a setup wizard. To install the tool, follow these steps:
1. Locate and run the installation wizard on the Sanctuary CD (server\AuthSrv\Setup.exe). The welcome screen is shown.
[Figure 7.1: Sanctuary Authorization Service Tool installation, Welcome screen]
2. Click on NEXT. The License Agreement is shown.
3. Read the license agreement carefully and, providing you agree with its conditions, select the accept option and click on NEXT. If you do not agree with its stipulations, click on the CANCEL button to exit without installing the Sanctuary Authorization Service Tool.
4. Enter the user's name and password, the Sanctuary Application Server IP or name, and click on NEXT to continue.
[Figure: Sanctuary Authorization Service Wise Solutions Wizard, Sanctuary Application Server. The dialog reads: "Please enter information on your Sanctuary Application Server. Please enter information on the user account that has administrative access to your Sanctuary Application Server."]
Sanctuar
89. [Figure 4.1: Sanctuary Application Server installation, First step. The welcome screen reads: "The Wise Solutions Wizard will install Sanctuary Application Server on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties."]
4. Click on the NEXT button to continue.
Warning: The Setup does not generate a log file if it is launched by running the sanctuaryserver.msi file instead of the setup.exe file. The log file may be important in case of troubleshooting and when contacting Lumension.
The next dialog displays the License Agreement.
[Figure: Application Server Wise Solutions Wizard, License Agreement. The dialog shows the Terms and Conditions of Installation and links to the Terms and Conditions of Use, Product Use Rights and Mai
90. ...database until it succeeds. If the problems persist, the Sanctuary Application Server stops accepting client and console connections until it detects that database connectivity has been restored. You can configure the following parameters to determine the exact behavior of the Sanctuary Application Servers if they lose connection to the Sanctuary Database.

Table B.1: Sanctuary Application Server registry keys (database related)
DbConnectionCount: The number of database connections in the connection pool.
DbConnectionMaxCount: The maximum number of DB connections. If it is less than DbConnectionCount, it will be assumed equal to it.
DbConnectionPoolTimeout: The timeout in seconds for connection acquisition from the DB pool. If no connection can be acquired within the timeout, an attempt to grow the pool will be made. Note that if the pool has reached the maximum number of connections, no new connections will be created and the wait will be repeated.
DbConnectionString: Driver, server, database and either a trusted connection or username and password. Default: see description. The default value is Provider=sqloledb;Data Source=<server>;Initial Catalog=sx;Trusted_Connection=yes
DbInitializationDelay: Number of seconds that the Sanctuary Application Server waits before contacting the
91. ...enables computers to connect to SQL Server databases. As MDAC is language dependent, it is mandatory that you install the correct language version for your operating system.
Note: If you experience database connectivity problems when installing the Sanctuary Application Server, re-install MDAC on the computer hosting it.
- Ensure that the TCP/IP protocol is installed. This is required so that the Sanctuary Client running on the client computer can communicate with the Sanctuary Application Server. The setup program does not check this prerequisite.
- Ensure that the computer on which you want to install the Sanctuary Application Server has a fixed IP address. This is recommended, as the Sanctuary Client uses this address to connect to the Sanctuary Application Server. You need at least one valid IP address. DHCP (Dynamic Host Configuration Protocol) and server names can be used, provided that DNS (Domain Name System) is set up correctly.
Note: We recommend using NAT (Network Address Translation) if you are running the Sanctuary Application Server under VMware.
- Ensure the Sanctuary Application Server can do a fully qualified domain name resolution of the clients it is going to manage. You have to set up the mechanism to translate client names into IP addresses.
- Create or use an existing account to be used by the Sanctuary Application Server service. Setup automatically grants this account the right to log on as a servic
92. ...installation for testing purposes. Remember that it is not secure to communicate in a working environment with the default key. You should always generate a key pair when you install Sanctuary on a production machine. See Chapter 3, Using the Key Pair Generator, on page 29 for more information.
[Figure 8.20: Sanctuary Client Deployment Tool, Missing public key during client deployment (1/2). The dialog reads: "The package you want to install is not associated to a public key. Do you want to install the package with the default public key?"]
You can choose not to associate a public key pair with your client deployment (not recommended, see previous paragraph). If you click on TEST CONNECTION in the Set Package Policies dialog and you have not yet generated a public/private key pair, the following warning is displayed:
"Could not find a public key, using the default public key. The key is required for secure communication with SXS. To use a custom public key, please place the sx public key file in the same directory with the MSI file. pinging secsrv on port 65229 > Failed to connect to server"
[Figure 8.21: Sanctuary Client Deployment Tool, Missing public key during client deployment (2/2)]
You can also choose to import the public key (you should already have generated the key pair at th
93. ...Installing the Sanctuary Client on Your Endpoint Computers
- Ensure that the Sanctuary Database, Sanctuary Application Server and Sanctuary Management Console are already installed on their respective computers.
- Ensure that the domain information stored in the database is up to date. If necessary, update it using the Tools > Synchronize Domain Members menu in the Sanctuary Management Console.
- Define the appropriate, or at least minimum, policies that are to be used by the clients. Failing to do so WILL result in users being denied access to their executable files (even the operating system blocking the user from his machine) and/or devices connected to their computers. If you are using Sanctuary Application Control Server Edition or Sanctuary Application Control, confirm that the Blocking Mode option is set to Non-Blocking Mode in the Default Options dialog of the console.
- If you have already installed the client using the Client Hardening mode and want to uninstall, modify or repair it, issue an Endpoint Maintenance Ticket using the management console and copy it to the required directory. Please consult your corresponding User's Guide and Sanctuary Client Registry Keys on page 163 for more information. If you are using our client deployment tool, you only need to specify a valid Sanctuary Application Server address from where the ticket is obtained.
- If you are planning to use the TLS protocol for your client, have a valid
94. ...an executable is explicitly authorized, its execution is denied. Using Sanctuary Application Control Terminal Services Edition ensures that:
- Your users cannot execute programs such as hacking tools, games or unlicensed software.
- You eliminate the threats posed by Trojans, worms and executable viruses, both known and unknown.
Sanctuary Application Control Terminal Services Edition works exactly the opposite way to most security and anti-virus products on the market. Rather than creating a black list of files that are not allowed to run, Sanctuary Application Control Terminal Services Edition uses a white list of executable files that are allowed to run. This is done by identifying these allowed files and creating their digital digest (hash), which is then stored in the central database. These hashes are associated with File Groups that are in turn associated with the users/user groups that are allowed to run them. This innovative approach offers several significant benefits:
- Greater protection. It does not matter that new Trojans and viruses are written since you purchased Sanctuary Application Control Terminal Services Edition: any unknown or unauthorized executable, regardless of its origin, simply will not run.
- There is no requirement for regular updates for every new virus, as there is no black list to maintain.
- Requests for execution are intercepted before an executable file is allowed to run, preventing execution a
95. ...Enhanced Write Filter (EWF) on page 255.
[Figure L.1: Install using MSI (Microsoft Installation file): XPe Device setup, Secure XPe Device]
2. Componentized Application
Componentizing an application is the process of creating one or more custom components that contain the application binaries, resources and dependencies required by the component, and that can be included in or excluded from a run-time image.
[Figure L.2: Install using SLD (Microsoft Component Definition file): Build, Install, Secure XPe Device]

Componentizing the Sanctuary Client
The componentized Sanctuary Client created by Lumension is a modular application where the driver functionality is expressed as a set of properties, optional script and resources such as files, registry entries and dependency information. As embedded devices run one or more custom applications and/or additional device drivers, you must truly integrate these applications into a device, creating components for those applications and including them in your configuration and run-time image.

Installing Sanctuary in Windows XP Embedded
Components are individually selectable pieces of functionality that can be included in or excluded from a run-time image. A component is comprised of properties and resources such as fi
96. ...the Sanctuary Application Server service account has the right to access the database. If the database and Sanctuary Application Server are installed on the same computer, there will be no need to create such access, as it will be granted by our Setup. However, when the Sanctuary Database and Sanctuary Application Server run on two different computers, you must grant the service account the rights to connect to and use the database. You can use the Microsoft SQL Server Enterprise Manager to grant domain users the right to log in and use the database (available with SQL Server only). If running SQL Server 2005 Express Edition, you will have to use the grantdb.exe command line application for every service account you will use. This can be found in the BIN\TOOLS folder of your Lumension CD.
Note: The Sanctuary Application Server uses Windows Authentication mode to connect to the database.
Start the Enterprise Manager or Management Studio provided with your SQL Server, select your database server, expand this branch of the tree and check the Security node. This holds the Login definitions. By default, BUILTIN\Administrators have access. If the Sanctuary Database and the Sanctuary Application Server are on the same machine, the account under which the Sanctuary Application Server runs is granted access to the database during setup. If the Sanctuary Database and the Sanctuary Application Server are on different machines, you must use grantdb.exe to allow
97. ...Sanctuary Device Control
Sanctuary installation routines can upgrade from Sanctuary Device Control version 3.0 and above. If you are running an older version, you should first uninstall the program completely before deploying the new server and client components.
Note: Since the permissions structure has changed radically from previous versions, you risk not transmitting them properly to older clients. You should consider an immediate client update in these cases.
Note: You may have to manually re-classify some devices in other classes. This is especially true if the class they belong to has been reclassified or has disappeared. Please check the Sanctuary Device Control User Guide and the readme file for more info.

Sanctuary Server Edition
Sanctuary installation routines support upgrading from version 3.x. If you have a previous version, you should first uninstall it completely before deploying the new server and client components.

Upgrading Server-side Components
1. If you have installed the Sanctuary Application Server on a different computer than the database, it is important that you stop the Sanctuary Application Server service on that computer before upgrading: net stop sxs
2. Run the setup.exe file located in the SERVER\db folder on the computer where you installed the Sanctuary Database.
Warning: You should do a database bac
98. [Figure E.2: Open firewall ports, Edit the Default Domain Policy. The Group Policy Management window shows the Default Domain Policy with no WMI filter linked.]
This opens a Group Policy window for the selected domain.
[Figure: Group Policy window for the Default Domain Policy, Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile. All settings (Protect all network connections; Do not allow exceptions; Define program exceptions; Allow local program exceptions; Allow remote administration exception; Allow file and printer sharing exception; Allow ICMP exceptions; Allow Remote Desktop exception; Allow UPnP framework exception; Prohibit notifications) are shown as Not configured.]
99. ... 243
Available Shells 244
What Windows XP Embedded does not Include 244
Installing Sanctuary in Windows XP Embedded 245
What Server Side Components you Need 245
What Client Components you Need 245
Componentizing the Sanctuary Client 247
Functionalities and Devices Supported by Sanctuary in Windows XP Embedded 248
How to Configure the Client 251
Sanctuary Application Server (SXS) 251
Encrypted Communications 252
How to Update Policies 253
Enhanced Write Filter (EWF) 255
Sanctuary Client's EWF 256
Minimum Requirements 256
... 256
Appendix M: Glossary 259
Index 265
...apter 9: Using the SXDomain Command Line Tool on page 133.

You can find a detailed explanation of the functions carried out by the various Sanctuary administration components in the Sanctuary Application Control Suite User Guide and/or the Sanctuary Device Control User Guide. We recommend that you read these thoroughly before starting to implement Sanctuary products.

At any time after installing the Sanctuary Database, Sanctuary Application Server, Sanctuary Management Console or the Sanctuary Client, you can modify or uninstall the components by running their respective setup.exe files.

If any setup routine stops (e.g. if a severe error is encountered or if it is canceled by user request), the routine attempts to clean up and roll back any modifications it made to your computer. It also produces log files containing the reason why the setup failed. These are placed in the directory of the user account doing the installation and are named sxdbi.log, setupcltsu.log, setupsmc.log, setupdb.log and setupsxs.log. If your setup fails and you make a support call to Lumension, you will be asked to send these files to help diagnose the problem.

Warning: You should resolve all hardware conflicts before installing Sanctuary solutions. You can use Windows Device Manager to troubleshoot and fix software-configurable devices. All hardware devices that use jumper pins or DIP switches must be configured manually.
...ar component, including information about component script resources, files, registry keys and dependencies. The definition is saved in an .sld file so it can be imported into the component database. (Applies to Windows Embedded.)

Delegation: The act of assigning responsibilities for management and administration of a portion of the resources or items used in a shared computing environment to another user, group or organization.

Dependencies: Additional executable files (.exe, .dll or others) required by executable files to run properly. Dependencies are split into two categories: static dependencies, which are files declared explicitly in the executable file as being required, and dynamic dependencies, which are additional files an executable may require at runtime.

Direct cable connection (DCC): A RAS networking connection between two computers, or between a computer and a Windows CE/PPC-based device, which uses a serial or parallel cable directly connected between the systems instead of a modem and a phone line.

DN (Distinguished Name): A name that uniquely identifies an object in the Directory Information Tree.

DNS (Domain Name System, also Service or Server): A service that translates computer names into IP addresses.

Embedded: Software code or commands built into a device, as opposed to software that is added. In a narrower sense, code that is typically stored in ROM and dedicated to either controlling a device or providing a spe...
...ary Client

If your Sanctuary Application Server is using an encrypted protocol, the client machine needs a certificate for authentication. (Dialog text: In case of encrypted communication, please choose how this certificate will be generated: Server is using unencrypted protocol; Authentication certificate will be generated by setup; Authentication certificate will be retrieved from a ... Buttons: < Back, Next >, Cancel.)

Figure 6.3: Sanctuary Client: Communication protocol

You can install the Sanctuary Client in one of three modes:

• Server is using unencrypted protocol (no TLS). All communication between the Sanctuary Client and Sanctuary Application Server(s) is not encrypted, but is signed using the private key. This is essentially a legacy communication protocol and is not recommended for high-security installations.

• Authentication certificate will be generated by setup (manual mode, using TLS communication). The administrator generates and provides the machine certificate that is used in all communications. All communication between the Sanctuary Client and Sanctuary Application Server(s) is encrypted. This mode is used when there is no Certification Authority installed in the network, or the CA cannot be reached when doing the client installation. The machine certificate has to be created by a user (usually the administrator) who already possesses a certificate that can be used for issuing and who is trusted as a root or intermediate Ce...
...ary Client

The Sanctuary Application Server and kernel clients contain a default embedded key pair that is suitable for evaluation purposes only.

Warning: In a production environment you must create your own key pair BEFORE installing the Sanctuary Application Server. This is done using the Key Pair Generation utility.

If you are using Sanctuary Device Control:

Warning: Never change the key pair after adding encrypted removable media in the Media Explorer. Doing so means that your users will no longer be able to recover a lost password of an encrypted medium.

Warning: Never change the key pair during a Sanctuary upgrade when client hardening is switched on, otherwise your upgrade will fail.

Note: These keys are used to protect the communication between the Sanctuary Application Server and the client computers. They also play a role in the media encryption process, but they are not media encryption keys.

Using the Key Pair Generator

Note: We recommend that you install and publish a Microsoft CA on your Active Directory structure before trying to encrypt a removable device.

Starting the Key Pair Generator

1. Navigate to the bin\tools directory found on your installation CD.

2. Run the keygen.exe tool. The Key Pair Generator dialog is displayed.

(Key Pair Generator dialog: Warning: Before continuing, please read the following remarks. Sanctuary relies on metho...)
...ary Client on a production network.

CD/DVD Burning

Windows' own CD/DVD recording capability is controlled by a service called Image Mastering Applications Programming Interface (IMAPI), run by LocalSystem. You should not give R/W access to LocalSystem for the DVD/CD Drive class or music CDs. If you do so and the service is running, the user can create CD/DVD copies, using Windows Media Player, Windows Explorer or any other program that uses this service, of any file from the hard disk, including private data, proprietary information, music, etc. See details in the Sanctuary Device Control User Guide. Some third-party burning software does not need the IMAPI service, which can then be disabled.

The Boot Sequence

Change the boot sequence so that the machine boots from the hard disk drive first. If the floppy or the DVD/CD-ROM is the first boot device, someone can use a bootable medium that can directly access the hard disk drive and quickly reset the administrator password.

Note: This does not apply to SCSI setups, since you can simply change the boot ID or LUN boot and bypass any boot sequence. Adaptec PCI BIOS is not password protected, but recent PC BIOS versions give you the extra choice to boot from a SCSI DEVICE, overriding SCSI controller settings.

Hard Disk Encryption

You can prevent unauthorized user access to a computer hard disk by using off-line techniques such as...
Warning: It is critical to determine the Policy Definition that is best for your organization. This is where you define which users get access to which devices and/or executables. This step must be done before any clients are installed or rolled out. If you install clients without a good policy definition, this will result in a loss of efficiency, or it could prevent users from accessing their devices. Define policies BEFORE installing any clients.

Ghost Image Deployment

A common problem that administrators face is how to deploy a standard computer to a new user, or when upgrading to new hardware. They normally do this by installing all necessary software on a fresh computer and then using Ghost software to create an image of it. The administrator then imprints this image on all new computers. The Sanctuary Client can be included in the ghost image. You can do this using the following steps:

1. Install the Sanctuary Client on the machine to be ghosted, as you would do on any other client computer.

2. Disable the Client Hardening mode if active (see your User's Manual).

3. Change all drivers to start in on-demand mode. To do this, use Regedit to modify the following values found in HKLM\System\CurrentControlSet\Services:
   scomc\Start   REG_DWORD   4
   sk\Start      REG_DWORD   4
   skndis\Start  REG_DWORD   4

4. Disable the SKNDIS filter from the TCP/IP properties...
...be accessible to the installation program. Be aware that if you place it in a network share (only valid for Active Directory environments), the computer account must have access to it. See the "To export and import permission settings" section of the relevant User's Guide for more information about how to export your settings to a file. The policies.dat import file is particularly useful when doing client installations on machines that are not actually connected to the network or that cannot communicate with the Sanctuary Application Server.

Note: The policies.dat file has a validity period of 14 days (default value), after which the setup refuses to use it.

In the next step you must specify whether or not you are using the TLS protocol for Sanctuary Client to Sanctuary Application Server communications. If using TLS, all transmissions are fully encrypted. If TLS is not selected, all communications are signed using the key pair previously generated. See Chapter 3: Using the Key Pair Generator on page 29 for more information about how to create these keys.

To install the Sanctuary Client on your client computers, follow these steps on each client computer:

1. Log on to the client computer using an account that has administrative rights.

2. Close all programs running on the computer.

3. Select the Client folder on the Sanctuary CD, or navigate to the n...
...bled

HardeningStatus: Displays whether the Hardening Mode is taken into consideration or not. Default: inactive.

HID: Internal use, do not modify. Default: n/a.

HistoryPeriodSecs (optional): Internal use, do not modify. Default: n/a.

ImportDir: The directory used to import the policies file. Default: C:\Program Files\Lumension Security\Sanctuary\Import.

LastSeenComputerName: Internal use, do not modify. Default: n/a.

LastShadowUploadTime: Indicates the last time the shadow update was done. The update consists of copying the file data or name (depending on the shadowing rule) from the client computers.

LastSxLogUploadTime: Indicates the last time logs were transmitted. Default: n/a.

Log file name: Gives the name of the log file written if "Log to file" is yes. Default: scomc.log.

Log to console: If yes (or 1), sends debug messages to the console, if any. Default: no.

Log to dbwin: If yes (or 1), sends debug messages to Dbwin32. Default: no.

Log to file: If yes (or 1), sends debug messages to the log file (see "Log file name"). Default: no.

Salt: An internally generated 15-byte random value used for protection purposes. It is calculated when the client starts. Default: n/a.

Servers: A list of Sanctuary Application Server names (FQDN) or IP addresses, separated by spaces. A port number may be specified for any server by appending a colon and the port number to the name/address of the server, e.g. 10.34.22.16:651...
...cess. Instead, a proxy that normally has privileged access to the system (a service or a driver) carries them out. DVD/CD writing is one example; there are a few other ones: modems, scanners, smart card readers, printers (either USB or connected to the LPT port) and unknown devices. When the Sanctuary Client Driver detects such proxy access, it tries to determine the identity of the user who initiated the access. This is done successfully when there is only one interactive user.

When there is one interactive user and one remote user on the same computer (i.e. when there is more than one logon session with different session IDs), the client cannot reliably determine the identity of the user that initiated the access. In such conditions, and only for the DVD/CD burning, modems, scanners, smart card readers, printers (USB or LPT) and unknown devices classes, Sanctuary Device Control will deny all proxy access. This means, for example, that users will not be able to write DVDs/CDs when somebody accesses their machine remotely, even if both the interactive user and the remote user have Read/Write access to the DVD/CD drive. The user accessing the machine remotely will not be able to write DVDs/CDs either.

The RunAs Command Limitations

There is a situation similar to the Terminal Services issue when using the RunAs command (or equivalent). This type of command is often used in l...
...cific functionality.

Enhanced Write Filter (EWF): Tool that protects underlying media or partitions from write operations, thus rendering the media read-only. Write operations to the media are diverted to a secondary storage location. (Applies to Windows Embedded.)

Executable Program: A computer program that is ready to run. The term usually applies to a compiled program translated into computer code in a format that can be loaded in memory and executed by a computer's processor.

Exploit: A piece of software that takes advantage of a bug, glitch or vulnerability, leading to privilege escalation (exploiting a bug) or denial of service (loss of the user's services) on a computer system.

FAT (File Allocation Table): This defines a reserved zone on a magnetic medium containing the list of clusters it occupies.

File Group: Organizational groups used to cluster authorized executable files. Files must be assigned to File Groups before users can be granted permission to use them. You can choose to assign files to File Groups using several Sanctuary Management Console modules: Database Explorer, Exe Explorer, Log Explorer and Scan Explorer.

Hash: A complex digital signature calculated by the Sanctuary Application Control Suite components to uniquely identify each executable file, script or macro that can be run. The hash is calculated using the SHA-1 algorit...
...ck Password Restrictions, located in the right panel of this window, and activate the "Require a password" option.

Figure G.3: Password restrictions window for the Novell user

4. Click on CHANGE PASSWORD and enter the same password and name as for its Windows counterpart. (Change Password dialog: Old password, New password, Retype new password; OK, Cancel, Help.) The password change is effective when OK is clicked and cannot be undone from the main dialog.

Figure G.4: Change the password for the Novell user

5. Click on RIGHTS TO FILES AND DIRECTORIES, located in the right panel of the properties window, click on FIND and select the TEST context. (Dialog: Begin search in context; Search entire subtree.)

Figure G.5: Selecting the context for the user's rights

You should now see a window similar to the following one.

Figure G.6: User rights for DataFileDirectory (screenshot: User sxs; BOOGIE MYDATA TEST)

6. Click on the ADD button and traverse the tree, starting from the context TEST, until you reach the location of the data file directory object, as shown in the next two screenshots.

Figure G.7: Selecting the data file d...
...ck on OK to continue. Here are some Sanctuary Client Deployment messages:

Sanctuary Client Deployment: "pinging secure.com on port 65229 > Failed to resolve server name"
Figure 8.6: Message when the connection test fails

Sanctuary Client Deployment: "secure:65129 > 127.0.0.1:65129 connection failed, public and private key mismatch. Do you want to continue?"
Figure 8.7: Message when the connection test fails (key related)

Sanctuary Client Deployment: "Lumension.com:65129 > Kernel DNS resolution failed, please use a fixed IP address (192.168.1.15)"
Figure 8.8: Message when the Kernel DNS resolution fails

Sanctuary Client Deployment: "lumension:65129 > 127.0.0.1:65129 OK"
Figure 8.9: Message when the connection test succeeds

14. Select the options that control how the client is shown in the Add or Remove Programs Windows dialog (Programs and Features in Windows Vista), and the policy file timeout. The following options can be chosen:

Suppress preventive actions: Since the client software depends on the licenses you own, it is possible to completely block a computer if you do not export the policies correctly (Serverless installation) or define them beforehand. This is especially true when installing our Sanctuary Application Control Suite and not authorizing those files belonging to the operating system. To avoid this, the program first verifi...
...client

Opening Firewall Ports for Client Deployment

The information in this appendix is relevant to all Sanctuary software suites except for Sanctuary Application Control Server Edition, as the client cannot be installed on Windows XP, Windows 2000 Pro or Windows Vista computers.

Microsoft Windows XP SP2 and Vista enable the Windows Firewall by default. While this firewall configuration helps secure your system, it can also prevent legitimate software from interacting with the computer. Many NetBIOS and DirectHost services, such as our deployment tool, rely upon a combination of TCP and UDP network ports, specifically TCP 139, TCP 445, UDP 137 and UDP 138. These services are installed by default on Windows NT 4.0 and Windows 2000 systems, as well as domain-joined Windows XP systems. With the advent of Windows XP SP2 and Vista, these services are by default no longer available to remote systems: the firewall denies access to these services and prevents connections to all network ports. The default settings prevent our installation tool from connecting to the remote computers.

With the methods described in this appendix, you can preserve system security while deploying our software in your organization. You can apply these necessary firewall settings on a computer-by-computer basis or via an Active Directory domain group policy, as explained in the fo...
...container only".

Figure I.3: Manage Sanctuary Settings object

Three important objects exist in the "Apply onto" field of this dialog that are relevant to the Sanctuary settings: Computer objects, Group objects and User objects. Figure I.3 shows only one of them, Computer objects. The script narrows the Active Directory rights by creating a special entry, Manage Sanctuary Settings, in each of the above-mentioned objects. If you assign this permission to a user, he/she can only manage the designated users/groups/computers in the Sanctuary Management Console.

Note the special check box option in the permissions entry: "Apply these permissions to objects and/or containers within this container only". If activated, you will see only the real objects (users or computers) from this OU in the console, and nothing from the child OUs beneath.

The new delegated administrator can now manage the objects (users, computers, groups) explicitly assigned to him.

Appendix J: Installation Checklist

Requirements

Before starting to install any Sanctuary products, make sure to have the following:

If you are Using Windows

• Active Directory installed and configured within a domain. Configure DNS as AD integrated and create a reverse lookup zone.

• A workgrou...
...cted to listen. If absent or zero, 33115 is used. Minimum 1, maximum 65534.

SxdConnectTimeoutMSec: The time in milliseconds that the Sanctuary Application Server waits for the Sanctuary Client to accept a TCP connection. It is useful to keep this time as low as possible, but not so low as to impede connectivity. In a lightly loaded LAN, one second (1000 ms) should be quite ample. The value should be between 500 and 120,000 ms; if it is out of these limits, the default value (5,000 ms) is used instead.

SxdPort: The TCP port on which the Sanctuary Client built-in server is expected to listen. If absent or zero, 33115 is used. Minimum 1, maximum 65,534.

TLSMaxSockets: The maximum number of TCP connections that are allowed at any one time when using the TLS protocol. See the description of MaxSockets. Minimum 0, maximum 50000 (arbitrary). See Port, TLSPort and MaxSockets. See also Table B.6 and Table B.7.

TLSPort: The TLS port on which the socket-based Sanctuary Application Server machine listens for new connections. Minimum 1, maximum 65534. This affects only clients. Transmissions using the TLS protocol are always encrypted. See Port, TLSMaxSockets and MaxSockets. See the note in the next section.

Registry Keys

The next table describes the configuration rules that follow the TLSMaxSockets and MaxSockets parameters as described in the previous table (see al...
...ctuary Database installation: Destination folder

8. Choose the folder in which you want to create the Sanctuary Database and click on NEXT. By default the database is installed in the C:\Program Files\Lumension Security\Sanctuary folder. To choose another location, click on CHANGE and browse to the folder you want.

If you already have several instances of the database engine on your computer, you are asked to select the one you want to use. You should use the servername\instancename format.

(Sanctuary Database Wise Solutions Wizard, Named Instance: Choose the SQL Server instance in which you want to create the database. Several instances of MSDE or SQL Server have been detected on this computer. If you want to create the sx database in a named instance of SQL Server, enter the name below. Leave the field blank to create the database in the default instance.)

Figure 2.5: Sanctuary Database installation: Select SQL instance

The setup wizard is ready to start the installation.

(Sanctuary Database Wise Solutions Wizard, Ready to Install the Program: The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.)

Figure 2.6: Sanctuary Database installation: Final step
The new package appears in the Sanctuary Client Deployment Tool packages list.

Figure 8.10: Sanctuary Client Deployment Tool: New package (screenshot: Packages list with columns Name, Key, Progress, Product, showing SanctuaryClient / yes / Sanctuary Client; Computers list with columns Domain/Workgroup, Progress, Status; buttons New Package and Add Computer)

A small file called Sanctuary Client.MST is created in the Deployment package folder (C:\Deploy in our example). Select Options from the Packages menu to check the location of the Deployment package folder on your installation. The specified directory contains subdirectories corresponding to the packages you have just created. You can see the options of each generated package in the main window.

Figure 8.11: Sanctuary Client Deployment Tool: Package options (screenshot: columns Name, Key, Progress, Product, Version, Server(s), Last deployment, License, Policies, TLS; example row: Client, yes, Client, 192.168.1.1:65129, no, yes, yes)

...without servers are not included in the package, they are displayed as shown above with an orange background as a warning. If there is no orange background, the key, policies file and license (if applicable) are present and the package is ready to be deployed. We recommend you do not deploy packages without a public key or license i...
...d above should be typed all on one line.

Note: Replace SanctuaryClient.msi with SanctuaryClient64.msi in the above line for 64-bit installations.

Using Windows Group Policy to Install Clients

You can implement a computer-based Group Policy for all computers in the secure.com domain. Group Policies can be applied to Sites, Domains or Organizational Units, depending on your requirements and the types of computers they contain.

The following example is used for demonstration purposes only, and where it is applied (domain, Organizational Unit or site) differs according to individual requirements. The Group Policy Management Console (GPMC) has superseded the Active Directory Users and Computers dialog for Windows XP (see the following image).

(Screenshot: Group Policy Management console, Forest secure.com, Domains, Group Policy Objects: Default Domain Policy; Client deployment, Enabled, no WMI filter; Default Domain Controllers Policy, Enabled, no WMI filter.)
...d already have a valid computer certificate. Only used for migration purposes (updates) and not recommended for a new installation.

The entries in the table below are found within the following key: HKLM\System\CurrentControlSet\Services\EventLog\Application\sxs

Table B.8: Sanctuary Application Server registry keys

EventMessageFile: Path and file name of SXS.EXE.

ReportMaxRecords: Maximum number of records a report will contain.

ReportGenerationTimeout: Cancel the generation of a report if it is not possible to generate it within a specific time. The timeout is in milliseconds.

ReportThreads: Number of threads to use. A default of 0 implies two threads per processor.

ReportStoragePath: A path the Sanctuary Application Server will use for temporary storage. Default: sxsdata.

TypesSupported: Supported message types for the event log. The value is of type REG_DWORD: 0x00 Success, 0x01 Error, 0x02 Warning, 0x04 Information, 0x08 Success (AUDIT_SUCCESS) and 0x10 Failure (AUDIT_FAILURE). You can combine the values by hexadecimal addition. The default value 0x1F stands for "Register all types of messages". Default: 0x1F.

Sanctuary Client Registry Keys

The changes t...
...dalone Installation: No server found, a valid policies file is present. Deploy succeeds, importing the policies file.

Serverless Installation

When proceeding without specifying any servers, you get the following warning message:

Sanctuary Client Deployment: "No servers have been specified, the setup will install the client software in a serverless mode. License and policy files should be attached to that package before deployment. Continue?"
Figure 8.5: Message when installing in Serverless mode

11. Choose whether to select the Automatic Load Balancing checkbox. If you select this option, the Sanctuary Client attempts to contact one of the servers listed in a random manner. Alternatively, if you leave Automatic Load Balancing unchecked, the Sanctuary Client attempts to contact the Sanctuary Application Servers in the order in which they are listed.

12. Choose whether or not the client uses the TLS protocol to communicate with the Sanctuary Application Server. See Transport Layer Security on page 6 for more information.

13. Click on Test Connection to verify the fully qualified domain names or IP addresses you have entered. A confirmation or failure dialog box is displayed.

In the case of failure, check the error message for further details about the possible cause of failure (e.g. key pair mismatch, DNS resolution and cli...
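As an added example (not code from the Sanctuary product or this guide), the following Python parses a Servers value in the space-separated "host[:port]" format described for the client registry keys and derives the contact order implied by the Automatic Load Balancing choice above. The default ports assigned to entries that carry none, and the sample server list, are assumptions made for the example.

```python
"""Parse a Sanctuary-style 'Servers' value and compute the client contact order.

Added example, not part of the Sanctuary documentation or product. The value
format (FQDNs or IP addresses separated by spaces, optional ':port' suffix)
and the two contact strategies (Automatic Load Balancing = random order,
otherwise the listed order) follow the guide; the port defaults are assumed.
"""
import ipaddress
import random
from dataclasses import dataclass

# Assumption: the guide shows the Sanctuary Application Server listening on
# 33115 and names 65229 as the TLS port; treat these as the defaults applied
# when an entry carries no explicit port (not a documented mapping).
DEFAULT_PORT = 33115
DEFAULT_TLS_PORT = 65229


@dataclass(frozen=True)
class ServerEntry:
    host: str
    port: int
    is_ip: bool  # True for an IP literal; False means the entry needs DNS


def parse_servers(value: str, use_tls: bool = False) -> list:
    """Split a Servers value into ServerEntry objects, validating each port."""
    entries = []
    for token in value.split():
        host, sep, port_text = token.rpartition(":")
        if sep and port_text.isdigit():
            port = int(port_text)
        else:
            # No ':port' suffix: fall back to the assumed default port.
            host, port = token, (DEFAULT_TLS_PORT if use_tls else DEFAULT_PORT)
        if not host:
            raise ValueError(f"entry {token!r} has no host part")
        if not 1 <= port <= 65534:
            raise ValueError(f"port out of range (1-65534) in entry {token!r}")
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        entries.append(ServerEntry(host, port, is_ip))
    if not entries:
        # An empty list is exactly the serverless case the deployment tool warns about.
        raise ValueError("empty Servers value: the client would run in serverless mode")
    return entries


def hosts_needing_dns(entries: list) -> list:
    """Names the kernel driver must resolve; the guide's figure 8.8 shows this
    can fail, in which case a fixed IP address is the documented remedy."""
    return [e.host for e in entries if not e.is_ip]


def contact_order(entries: list, load_balancing: bool) -> list:
    """Random order when Automatic Load Balancing is on, listed order otherwise."""
    order = list(entries)
    if load_balancing:
        random.shuffle(order)
    return order


if __name__ == "__main__":
    # Constructed sample value, not taken from a real installation.
    sample = "sxs1.secure.com 10.34.22.16:65129 sxs2.secure.com:33116"
    parsed = parse_servers(sample)
    for entry in contact_order(parsed, load_balancing=False):
        print(f"{entry.host}:{entry.port}  needs DNS: {not entry.is_ip}")
    print("hosts needing DNS:", hosts_needing_dns(parsed))
```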
...de: Protocol selection dialog

6. Choose to upgrade or keep your old log templates.

7. The setup program now has all the necessary elements to begin the installation or upgrade process.

(SecureWave Application Server Wise Solutions Wizard, Ready to Upgrade the Program: The wizard is ready to begin installation. Click Upgrade to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.)

Figure C.3: Sanctuary Application Server upgrade: Protocol selection dialog

8. Click Upgrade to begin the process.

9. The program verifies your license and RPC protocol.

Upgrading Guideline

You can use the following flowchart as a general guideline when updating your Sanctuary product. Nevertheless, you should ALWAYS refer to the appropriate section before attempting an upgrade.

(Flowchart: Stop the Sanctuary Application Server service; Backup the Sanctuary Database; Upgrade the Sanctuary Database (SX Database); Upgrade the Sanctuary Application Server; Explorer templates ... done during the upgrade: import new ones and/or incorporate modified ones as needed; Upgrade the Sanctuary Management Console; Verify permissions and settings using the console; You may lose the added security advantages ... Dep...)
...dify the default installation location, click on CHANGE and select a local path to install the components and documentation. By default the files are copied to the ProgramFiles\Lumension\Sanctuary\Console directory.

(Sanctuary Management Console Wise Solutions Wizard, Change Current Destination Folder: Browse to the destination folder. Look in: Sanctuary. Folder name: C:\Program Files\Sanctuary. OK, Cancel.)

Figure 5.4: Sanctuary Management Console installation: Modify destination folder

7. Click on OK to continue the installation. Now Setup is ready to install the files.

(Sanctuary Management Console Wise Solutions Wizard, Ready to Install the Program: The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.)

Figure 5.5: Sanctuary Management Console installation: Ready to install

8. Click on INSTALL to start the installation process. This takes approximately 2 minutes, depending on the components selected and the hardware used.

9. If the computer is running Windows XP SP2 or Windows 2003 SP1 or later, click on YES to continue. In this case, Setup needs to adapt the Windows settings to allow RPC communication between the Sanctuary Management Co...
...does not provide scalability. It does not focus on performance or on distributing the traffic to different servers.

Terminology

Cluster: A group of computers configured to work together to serve clients in a similar fashion.

Node: Each server participating in a cluster is called a node.

Maximum number of nodes in a cluster: The maximum number of servers that can form a cluster. This is eight in Windows 2003 Enterprise, with at most 16 SQL instances.

Heartbeat: The nodes in a cluster remain in constant communication through the exchange of periodic messages called heartbeats.

Virtual IP (VIP): The client system communicates with the DB server using a virtual IP address. MSCS (Microsoft Cluster Service) takes care of redirecting the client request to the active server, and hence the client does not have to worry about which server in a cluster is active.

MSCS (Microsoft Cluster Service): A Windows component which, once installed through the Control Panel, guides you through the steps needed to create a cluster service (cluadmin.exe).

Quorum: Physical disk where all configuration parameters are stored. Without quorum the cluster cannot work; it must be backed up.

Failover: Capability to switch automatically or manually to a standby computer in a cluster. In normal situations one primary (or active) computer provides the service while a second one (fail...
125. ...ShadowDirHistory 164, 165; Sh dPott 159; SxdConnectTimeoutMSec 159; SXQIPOFrt 159; TicketDir 164; TLSMaxSockets 159; TypesSupported 163; 165; VerboseSyncLogging 156
Registry 153; REMOVE 126; RestrictRemoteClients 176; 175, 262; RAS 152
Sanctuary: Common requirements 150; Supported devices 248
Sanctuary Administration Tools: System requirements 148
Sanctuary Application Server 1, 33, 262; Registry 153
Sanctuary Authorization Service Tool 85
Sanctuary Client xi, 1; Deployment 106; Installation 238; Installing 61; Registry keys 163; System requirements 149; Uninstall 242
Sanctuary Client Deployment Tool 106
Sanctuary Database 1, 17; System requirements 148
Sanctuary Management Console 3, 262
Sanctuary Command Control
126. ...Windows 2003 SP1 or later. Here is a procedure to open a TCP port on the firewall:
1. Click on Start and then click Run.
2. In the Run dialog box, type Firewall.cpl and then click OK. On Windows Vista, click Change Settings first.
3. On the Exceptions tab, click Add Port.
4. In the Port number box, type the number of the port to open (33115, and also 65129 and 65229 if using TLS protocol) and then click TCP.
5. In the Name box, type a name for the port and then click OK. The new service is displayed on the Exceptions tab.
6. To enable the port, select the check box next to your new service and then click OK.
Note: The Installation Wizard proposes to open these ports for you during the setup phase, even if they are already opened.
Another way of configuring your firewall is by using the Windows netsh command. To open a port using this command:
1. Click Start and then click Run.
2. In the Run dialog box, type netsh firewall set portopening TCP 33115 Lumension_33115 ENABLE and then click OK.
In this example we use port 33115 and the name Lumension_33115. You will also need to open ports 65129 and 65229 if using TLS protocol.
[Figure D.1: Communication ports between the Sanctuary Application Server (SXS) and the Client Driver (SK): TCP 33115, plus 65129 and/or 65229 if using TLS protocol.]
127. [Figure E.3 residue: Group Policy editor, Computer Configuration > Administrative Templates, listing Windows Firewall policies "Allow logging", "Prohibit unicast response to multicast requests", "Define port exceptions", "Allow local port exceptions", all Not configured; User Configuration tree with Software Settings, Windows Settings, Administrative Templates.]
Figure E.3: Open firewall ports: Modify file and printer sharing exceptions
4. Expand the Computer Configuration tree and navigate to the Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile folder, as illustrated in the previous figure. The simplest way to enable the ports used by our deployment tool is to enable the policy "Windows Firewall: Allow file and printer sharing exception".
Opening Firewall Ports for Client Deployment
5. Right click on "Windows Firewall: Allow file and printer sharing exception" and select Properties. The following dialog appears:
[Dialog "Windows Firewall: Allow file and printer sharing exception", tabs Setting / Explain; options Not Configured, Enabled, Disabled; field "Allow unsolicited incoming messages from:"; syntax: type "*" to allow messages from any network, or else type a comma-separated list that contains any number or combination of these
128. ...ds to prevent tampering with the permissions that are sent across the network to client computers. Generally the server will use one key (the private key, sx-private.key) to sign the data it wishes to send, and clients will use a matching key (the public key, sx-public.key) to verify the server's signature. In practice the Server (SXS) requires not only the private key but also a copy of the public key to run.
For media encrypted prior to changing the keys, it is important to note that all information will be lost. It will not be possible to recover any information from the encrypted media.
If the public keys used by clients do not match the private key used by the server, the clients will summarily reject commands from the server; in the case of Sanctuary Application Control this includes permission lists. In this situation a Sanctuary Application Control client may well prevent all executables from running, including those used during log on.
Changing the keys used by Sanctuary must therefore be planned beforehand: do not indiscriminately generate and distribute keys. In particular, when running KeyGen, do not select the directory containing SXS as the target directory, as the new keys would take effect there.
[Figure 3.1: Key pair generation: First step. Dialog fields: Directory (temp), Seed, Key length (bits); buttons Create keys, Exit.]
Generating a Key Pair
1. Select the temporary directory in which you want to save the private a
129. ...ducts. Internal use. Do not modify.
Security Registry Keys
These registry keys are related to security configuration and parameters.
Table B.5: Sanctuary Application Server registry keys: security registry keys
Key: CertificateQueryPeriod (optional). Description: controls the periodicity with which the Sanctuary Application Server checks users' certificates published in AD. Default: 180.
Key: CommVer. Description: the Sanctuary Application Server uses this key to determine which communication protocol version it should use. 0 (zero) indicates that there are still clients of a version prior to v3.1 in use; 1 is used when the installation only has clients v3.1 or 3.2; 2 indicates client version 4.0; 3 is used for version 4.1 or greater when using TLS. Default: 3 (only when using TLS).
Registry Keys
Table B.5 (continued): Sanctuary Application Server registry keys: security registry keys
Key: MaxSockets. Description: the maximum number of TCP connections that are allowed at any one time. The length of the listen queue (backlog) imposes an additional constraint: this queue holds connection requests that cannot be accepted because the Sanctuary Application Server is momentarily busy or because it has reached the limit imposed by MaxSockets. The Sanctuary Application Server always sets the length of the listen queue (backlog) to the maximum: 5 on Home/Professional editions of Windows, 200 or more on the Server editions.
Note
130. ...e Novell and optionally ZENworks client v4.91 SP1 or later; NDAP (for workstation object synchronization); the synchronization script; access to Sanctuary's database.
Notes: Synchronizing environments running versions of NetWare earlier than 6.5 is not supported.
Note: You can find the NDAP components required for Novell synchronization on the installation CD or on Novell's Web site.
Warning: You should resolve all hardware conflicts before installing Sanctuary solutions. You can use Windows Device Manager to troubleshoot and fix software-configurable devices. All hardware devices that use jumper pins or DIP switches must be configured manually.
Note: If you plan to use encrypted devices when installing Sanctuary Device Control, you will need Active Directory and DNS installed and properly configured. The Microsoft Certificate Authority must be installed, properly configured and published. You will also need this Certificate Authority when using encrypted communications between Sanctuary Application Servers (SXS to SXS) or between SXS and the Sanctuary Client Driver.
Warning: For the Sanctuary Database installation we strongly recommend that you install the latest Service Packs. You should not bring a database into use without installing at least SQL 2000 SP4. Otherwise your database is not protected against the Slammer worm.
Wa
131. ...e You MUST use an account with local administration rights if you plan to use TLS protocol for Sanctuary Client to Sanctuary Application Server or intra Sanctuary Application Server communications. See on page for more information.
Note: The service account must have the relevant permissions to read domain information (if any) from the Windows SAM (Security Account Manager) database. One solution is to make the Sanctuary Application Server service account a member of the Domain Users group.
1. We will refer to this account as the Service Account.
2. User rights: "Act as part of the operating system" and "Impersonate a client after authentication".
Note: If you are installing the program on a computer that is a member of a workgroup (wired to other computers but not a member of a domain), you may need to use an account with Administrative privileges to connect to the database. Using a non-privileged account requires that the Setup process adds Access Control Entries (ACEs) for the user to several directories, as well as granting the account the rights to connect to and use the database.
Note: Setup verifies the specified account password before proceeding. Setup continues if it fails to verify the password, but will be interrupted and rolled back if the password cannot be validated when creating the server service. Make sure that the S
132. ...e Sanctuary Application Server can connect via the Sanctuary Management Console. You should define who can manage and define policies by selecting User Access from the Tools menu of the Sanctuary Management Console. See the relevant Administrator's Guide for further information.
Note: If you are installing Sanctuary Device Control, we strongly recommend that you also install the Sanctuary Client on all computers having the Sanctuary Management Console. If you do not install it on the administrator's computer, it is not possible to use media encryption or to authorize multi-session DVDs/CDs with the Media Authorizer. See Chapter 6, Installing the Sanctuary Client on Your Endpoint Computers, on page 61 for more details.
Installing the Sanctuary Management Console
Items Created During Sanctuary Management Console Setup
During the Sanctuary Management Console installation the setup creates the following items:
Table 5.1: Items created by the Sanctuary Management Console installation
Directory %INSTALLDIR%\Console. Purpose: contains all Sanctuary Management Console EXE and DLL files. Permissions: Full control for Administrators; Read & Execute for authenticated users.
Directory %SYSTEMROOT%\Help. Purpose: Sanctuary Management Console help files. Permissions: Full control for Administrators; Read & Execute for authenticated users.
Shortcuts: all Windows Start > Programs menu shortcuts. Permissions: n/a.
You can bl
133. ...e based on Simple Network Time Protocol (SNTP) to maintain date and time synchronization.
Unattended Client Installation
If you are running the deployment tool on Windows XP SP2, check Microsoft Knowledge Base article 884020 (http://support.microsoft.com/default.aspx?scid=kb;en-us;884020, "Programs that connect to IP addresses that are in the loopback address range") and, if necessary, install the provided patch.
The deployment tool does not work under Windows NT4. None of Sanctuary's components are designed to work on this operating system.
If there is a firewall between the Sanctuary Client Deployment Tool and the computer where you want to deploy the Sanctuary Client, open the following incoming ports on the client computers (see Appendix E, Opening Firewall Ports for Client Deployment, on page 181):
- TCP 33115
- TCP 139, 445 (NetBIOS)
- UDP 137, 138 (Browsing)
You must generate the key pair and have the public key available for the client. You also need the license file if you want to do a standalone installation when using Sanctuary Device Control. If you plan to install on a client that does not have access to the Sanctuary Application Server, you also need to export the policies to a special file (policies.dat) and place it in the same client installation package.
Note: Installing a client using exported policies works well when policies.dat is placed locally in the same directory as setup.exe
134. ...e, or the virtual server name in the case of a cluster server. If the database does not reside on a default instance, you should suffix the server name with a backslash and the SQL Server instance name where you installed the Sanctuary Database.
[Figure 4.7: Sanctuary Application Server installation: Sanctuary Database server location. Wise Solutions Wizard dialog "Database Server: Enter the name of your database server. The Sanctuary Application Server will have to connect to a database server. The account selected for the Sanctuary Application Server must have been granted access to the sx database (the name under which the Sanctuary Database is created in SQL Server) on this server. This can be done easily using the grantdb.exe tool located in the Bin folder of the CD-ROM. Please enter the name of the computer where the sx database can be found. If the database resides on a named instance, use the syntax SERVER\INSTANCE. You can leave the field blank to connect to the default instance on the local computer. If the database has been installed on a cluster, type the name of the virtual server to connect to the default instance, or VIRTUALSERVER\INSTANCE to connect to a named instance." Example value shown: SERVER01\INSTANCE02; buttons Back, Next, Cancel.]
11. Click on NEXT to continue.
Installing the Sanctuary Application Server
The syntax used to enter the name of your database server depends on
135. ...e 2. To Install the Sanctuary Database
The Sanctuary Database component requires a Microsoft SQL Server database. This can be SQL Server 2000 SP4, SQL Server 2005 SP2 or SQL Server 2005 Express Edition. If a database server is found, the setup adds a single database called sx.
1. Log on to the computer on which SQL Server is running. The account you use must have administrative rights and access to SQL Server.
2. Close all programs running on the computer.
3. Insert the Sanctuary CD in your DVD/CD drive and run SETUP.EXE located in the SERVER\DB folder.
4. The Welcome dialog is displayed.
[Figure 2.2: Sanctuary Database installation: First step. Wise Solutions Wizard dialog: "Welcome to the Wise Solutions Wizard for Sanctuary Database. The Wise Solutions (R) Wizard will install Sanctuary Database on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties."]
5. Click on NEXT to continue.
Warning: The setup will not generate a log file if it is launched by running the db.msi file instead of the setup.exe file. The log file may be important in case of troubleshooting and when contacting Lumension.
6. The next dialog displays the License Agreement.
[Sanctuary Database: Wise Solutions Wizard: License Agreement. Plea
136. ...e Offices
Global Headquarters: 15880 North Greenway-Hayden Loop, Suite 100, Scottsdale, AZ 85260, United States of America. Phone +1 480 970 1025. Fax +1 480 970 6323. E-mail info@lumension.com
Florida Office: 2290 West Eau Gallie, Suite 212, Melbourne, FL 32935. Fax +1 321 751 6454
United Kingdom Office: Unit C1 Windsor Place, Faraday Road, Crawley, West Sussex RH10 9TF, United Kingdom. Phone +44 (0)1293 558 880. Fax +44 (0)1293 558 881. E-mail patchlink.emea@lumension.com
European Headquarters: Atrium Business Park, Z.A. Bourmicht, 23 rue du Puits Romain, L-8070 Bertrange, Luxembourg. Phone +352 265 364 11. Fax +352 265 364 12
Hong Kong Office: 18/F One International Finance Centre, 1 Harbour View Street, Central, Hong Kong. Phone +852 2166 8145. Fax +852 2166 8999. E-mail patchlink.apac@lumension.com
Australia Office: Level 20, Tower II, Darling Park, 201 Sussex Street, Sydney NSW 2000, Australia. Phone +61 2 9006 1654. Fax +61 2 9006 1010. E-mail patchlink.apac@lumension.com
Spain Office: Paseo de la Castellana 141, pl. 20, ed. Cuzco IV, 28046 Madrid, Spain. Phone +34 91 749 80 40. Fax +34 91 570 71 99. E-mail patchlink.emea@lumension.com
Singapore Office: Level 27 Prudential Tower, 30 Cecil Street, Singapore 049712. Phone +65 6725 6415. Fax +65 6725 6363. E-mail patchlink
137. ...e Ox qu 17, 18, 261; Power 15; MSI files 95, 97, 99, 261; pricing 117; product; MST 105; Private Key 262; MST 95, 97; Product pricing; Progress details 127; Public key 106, 125, 262; 267
Index
RAS 262; 262, 113, 117, 127; Registering Sanctuary 141
Registry: AdoVersion 156; CertGeneration 163; CertificateQueryPeriod 157; 165; CommVer 157; ComputerName 165; 156; Data File Directory 157; DbConnectionCount 153; DbConnectionMaxCount 153; DbConnectionPoolTimeout 153; DbConnectionString 154; DbLossLatency 154; DbPingPeriod 154; Debug 155, 163, 165; edrBatMaxDuration 154; edrBatMinEntries 154; 154; edrDspRetryCount 155; edrDspThreads 155; edrQueLength 155; edrStaPeriod 155; edrTmpTimeout
138. ...e Windows Task Scheduler Service (AT or WINAT). Please see Scheduling Domain Synchronizations on page 135 for an example.
Synchronization Script Parameters
The script asks for four parameters, only one of which is mandatory.
Table F.1: Novell script's parameters
Parameter: Novell server tree name. Used for: the Novell server's tree name to be synchronized. Compulsory.
Parameter: SQL server address or name. Used for: the address or name of the SQL server hosting the Sanctuary Database. Optional: if none is specified, local is used. This only works when Novell's client, the synchronization script, NDAP and the database are on the same physical machine.
Parameter: User's name. Used for: the user's name used to log into the SQL database. Optional: if none is specified, a blank user is used.
Parameter: User's password. Used for: the user's password used to log the user into the SQL database. Optional: if none is specified, a blank password is used.
The user's name and password used to connect to the Novell server are those of the logged-on user. Take into account that if you do not log on as administrator you will not have access to some objects of the eDirectory tree. If the SQL credentials are not specified, the current ones are used instead.
Note: If you are using Microsoft SQL 2005 SP2, you should specify the SQL server, and optionally the user name and password, even if it
139. ...e end of the client installation to avoid interference with the users. However, the client installation requires a reboot: even though the client is installed, it only delivers complete functionality after a reboot. The client uninstallation also requires a reboot: the client remains active until the computer is rebooted.
Note: If the endpoint maintenance ticket cannot be retrieved from a server, you must copy it manually to each machine. You cannot modify, change or delete the client components (including directories and registry keys) if this maintenance ticket is not present, unless you deactivate the client hardening options (see your corresponding User's Guide for more information). The client is installed using the Disabled option for Client hardening.
10. Click on OK. The Sanctuary Client Deployment Tool dialog is displayed, indicating the progress of each client installation.
[Figure 8.24: Sanctuary Client Deployment Tool: Installation progress. Packages / Computers panes; rows Marketing (luSecure): "4.2.2.0 is already installed"; Sales (luSecure): "Checking the operating system"; Client01 (luSecure): "Checking the operating system"; buttons New Package, Add Computer, Query, Install, Uninstall.]
140. ...e options are set.
Warning: Although you can use Windows XP/2000 Pro/Vista for the database and/or the console, you should not use it for the Sanctuary Application Server, nor for the Sanctuary Client in the case of Sanctuary Application Control Server Edition.
Connection Between Sanctuary Application Server and the Sanctuary Database
The Sanctuary Application Server uses MDAC (Microsoft Data Access Components) to connect to the Sanctuary Database. ADO (Microsoft ActiveX Data Objects), the technology used by the Sanctuary Application Server, relies on a protocol called Tabular Data Stream (TDS). By default TDS uses port 1433 for incoming database traffic. When the Sanctuary Database is installed on a Windows XP/2003/Vista computer, make sure that TCP port 1433 is opened. Please refer to Configuring the Firewall on page 179 for information about how to configure Windows XP/2003.
Installing Sanctuary Components on Windows XP/2003/Vista
You can preset the TDS port to another one during SQL Server setup when you select the Select Network Protocols option. After you have installed SQL Server you must rerun the setup program and select the Change Network Support option to change the TDS port. If you want to use another port instead of the standard one (1433), you need to create an Alias. To do this, follow these steps:
1. Use the Client Network Utility command found in Start > Programs > Microsoft SQL Server
141. ...e runs with system privileges, it has all the rights necessary to perform the installation. Depending on the local security policy, normal users can be granted the right to make the installer service install certain packages, or even any package the user wants. That last setting (the Windows Installer "Always install with elevated privileges" policy) lets any user run code of their choosing as SYSTEM, so it should not be enabled to ease client deployment.
Creating a Transform File (MST) for an Existing MSI File
Transform files are similar to MSI files but with a different file extension. They alter the installation process in order to encapsulate a set of required customizations. The contents of both MSI and MST files are merged together during the installation. You can create MST files using a third-party tool or directly with our Sanctuary Client Deployment Tool. Since there are so many variables to control in the client MSI file, we strongly recommend using the Sanctuary Client Deployment Tool. In addition to the original MSI installation package, you then have an MST file with all necessary options to install on all your machines.
Prerequisites for Creating a Sanctuary Client Deployment Tool Package
Before you create and install a deployment package you must meet the following conditions:
- The administrator running the Sanctuary Client Deployment Tool must be in the Local Administrators group on all targeted computers. You can also use the command net use \\<computer> to log on as an administrator.
- You must synchronize the clocks of the different computers. You can use the Windows Time Service (W32Tim
142. ...e to store all the deployment packages. You can modify this setting by using the Options entry of the Packages menu at a later point in time. Do not change other settings.
Unattended Client Installation
Warning: Do not specify the root directory of the system drive or any other directory where existing files already reside or might be created by other applications. For a description of the other parameters see The Options Screen on page 130.
Note: If the deployment tool is installed on different machines, you may want to specify a shared directory where all instances of the deployment tool can access the company packages.
3. Click on OK. The following dialog appears:
[Figure 8.2: Sanctuary Client Deployment Tool: Packages and computers. Empty Packages list (columns Name, Key, Progress, Product) and empty Computers list (columns Name, Domain/Workgroup, Progress, Status); buttons New Package, Add Computer.]
4. From the Packages menu select New, or click on NEW PACKAGE located in the lower part of the window. The following dialog is displayed:
[Figure 8.3: Sanctuary Client Deployment Tool: New package. Source MSI File: C:\client\Client.msi; Package Name: Client; Directory: S:\deploy\Client; OK, Cancel.]
5. Click on t
143. ...ecklist; Client 245; Configuration 251, 253; Client computer 32, 113, 117, 124, 259; Cluster 25, 42; Clustering 24: Definition 24, Implementation 26, Majority node set 26, 25, Single node server 26, Single 26, 25, 117; Components 22, 260; Component definition 260; Componentized the Sanctuary Client 247
Index
Computers 126; CRL 259; CtrlACX VDS 215: Configuration steps 217, 216, Requirements 215, 216
D
Data File Directory 1, 42; data 154; Database 3, 17, 18, 33, 133, 142: Choosing 17, Engine 17, 19; DataFileDirectory 42, 260; Deploy Software 122; Deployment package 95, 125; 1, 42; Direct cable connection 260; 260; DNS 203
144. ...ection with the Sanctuary Application Servers. Click Next to continue. Click Cancel to exit setup.
[Figure K.3: Sanctuary Components. Three entries "Server name: ServerNameOrIPAddress, Port: 65229"; option "Select a server at random to spread the load"; note "As the client uses TLS, please specify fully qualified DNS names and TLS ports for the server address"; buttons Test, Next, Cancel.]
8. Click on Test to check that the Sanctuary Client can establish a connection with the Sanctuary Application Server(s) listed. A test is considered successful if the computer is online and a Sanctuary Application Server could be contacted.
9. By default the driver will randomly choose the available server with which it will work. This setting allows sharing the load between the available Sanctuary Application Servers. If a server is unavailable, the driver will pick another one from the list and try to connect to it.
10. You can also choose to contact the servers sequentially, in the order you enter them. This setting is particularly adapted to configurations that have a primary Sanctuary Application Server and a backup one. The driver will connect preferably to the primary Sanctuary Application Server (the first one in the list). If it is not available, the driver will try to connect to the next server in the list.
11. Click Next
145. ...ed direct or indirect ability to bypass or tamper with standard Windows-based system policies. Non-trusted users should never be members of the Power Users group unless you secure the execution environment by using the Sanctuary Application Control Suite.
Access Policy
In general you should have a network and file access policy as restrictive as possible, including using only NTFS partitions. By default you should deny all access and then give access only when and if necessary.
NTFS Partition Mandatory to Install our Product
NTFS (New Technology File System) is an update of the FAT32 (File Allocation Table; FAT12 was the initial version of FAT), FAT16 and VFAT systems, which in turn are also updates of the old MS-DOS FAT system. NTFS offers several security and performance enhancements and advantages over older file systems. Among them we can quote a superior architecture, support for larger files, enhanced reliability, automatic encryption and decryption, disk quota tracking and limiting, change journals, disk defragmenter, sparse file support, and improved security and permissions when managing files.
Recovery Console
The Recovery Console, which is available on the Windows DVD/CD-ROM or via an MSDN subscription, allows the user to disable any driver related to Sanctuary. However, this requires the local administrator password. This is one of the reasons why you should change the boot sequence as previously described. If you fail to do this, th
146. ...een exceeded. The LicensedServers value has been exceeded.
License Related Client Actions
The client applies licensed Sanctuary policies immediately, even if they have not been correctly configured or defined. For example, if no proper application permissions have been set in Sanctuary Application Control Server Edition, the client blocks all attempts to execute programs on the machine, even the logon program, with fatal consequences. Not configuring device permissions for Sanctuary Device Control applies the most restrictive policy: no access to external devices. An upgrade may surprise your clients when you install a license for several products but only one is active: the client shows unused options.
Likewise, the client ceases to apply Sanctuary policies if not licensed. This only affects customers violating the license, but it can also be the result of incorrect license management and can represent a security risk for your organization.
Registering your Sanctuary Product
Detailed System Requirements and Limitations
The information in this appendix applies to all Sanctuary software suite products unless otherwise specified. This appendix specifies the minimum system requirements for the different components u
147. ...eme xiv; Product Pricing xv; Lumension Security Sales and Support xvi
Chapter 1: Installing Sanctuary's Components 1
Sanctuary Architecture 1; To Install Sanctuary Products 3; Ghost Image Deployment 5; Transport Layer Security 6; Using TLS for Client-Sanctuary Application Server Communication 7; Using TLS for the Inter-Sanctuary Application Server Communication 10; What is a Digital Certificate 12; What is a Certificate Authority 13; Basic Security Rules 13; CD/DVD Burning 13; The Boot Sequence 13; Hard Disk Encryption 14; The Seal (Chassis Intrusion) 14; Password Protect the BIOS 14; Administrative Rights 14; 15; 15; NTFS Partition Mandatory to Install our Product
148. ...en a user may be able to boot the system using a different operating system, bypassing system security. The user can for example boot from a CD with a Linux OS and manipulate the NTFS partitions to gain access to the stored data.
Safe Mode
Safe mode boot causes no threat to Sanctuary drivers, which continue to run even when you boot in this mode.
Service Packs and Hot Fixes
In general you should always install the latest service packs and hot fixes for the operating system and the different applications you use.
Installing Sanctuary's Components
Firewalls
Traditional perimeter-based security systems like firewalls are complementary to the endpoint protection provided by Sanctuary software.
Password Policies
You should have a strong security policy, in particular regarding the choice of passwords. You should refuse blank, short and simple passwords, enforcing long and complex character sequences.
Access Policy
In general you should have an access policy as restrictive as possible, using NTFS permissions etc. By default deny all access and then just give access if and when necessary.
Private and Public Key Generation
You should deploy Sanctuary software in a production environment using a securely generated key pair. Use the KEYGEN.EXE tool that is included on your installation CD to create your own unique private and public key. The private key (sx-private.key) is literally the key to the secu
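The trust relation described under Generating a Key Pair (the server signs what it sends with the private key, clients verify with their copy of the public key, and a client whose public key does not match rejects every permission list, possibly blocking logon itself) and the Private and Public Key Generation rule above can be exercised with the following added example. It is not Lumension's KeyGen or client driver code: the product's key file format and signature scheme are not documented in this guide, so a textbook RSA signature over a SHA-256 digest (no padding, demonstration only) stands in for them, the "permission list" is a constructed byte string, and the 512-bit key size is chosen only to keep the demo fast.

```python
"""Added example (not Lumension code): why a client with a stale public key
rejects everything the server sends.

Assumptions: textbook RSA over a SHA-256 digest, without padding, stands in
for the product's undocumented signature scheme; the permission list below is
constructed for the demo.  Not a production signature."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_key_pair(bits=1024, seed=None):
    """Return (private_key, public_key) as ((n, d), (n, e)).

    `seed` only makes the demo reproducible; a real key must come from a
    CSPRNG (SystemRandom here), which is why KeyGen asks for a seed of its own."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    return (n, pow(e, -1, phi)), (n, e)


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_permissions(private_key, permissions):
    """Server side (SXS holds sx-private.key): signature = H(perms)^d mod n."""
    n, d = private_key
    return pow(_digest(permissions), d, n)


def verify_permissions(public_key, permissions, signature):
    """Client side (holds sx-public.key): accept iff signature^e mod n == H(perms)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(permissions)


class SanctuaryClientModel:
    """Minimal model of the driver's decision: a permission list that does not
    verify under the client's public key is summarily rejected, so the client
    keeps its previous list (None here: no permissions, everything blocked)."""

    def __init__(self, public_key):
        self.public_key = public_key
        self.permissions = None

    def receive(self, permissions, signature):
        if not verify_permissions(self.public_key, permissions, signature):
            return False
        self.permissions = permissions
        return True


if __name__ == "__main__":
    server_private, server_public = generate_key_pair(bits=512, seed=1)
    _, stale_public = generate_key_pair(bits=512, seed=2)  # an earlier KeyGen run
    perms = b"allow C:\\Windows\\explorer.exe;allow C:\\Windows\\System32\\winlogon.exe"
    sig = sign_permissions(server_private, perms)
    print("client with matching key accepts:", SanctuaryClientModel(server_public).receive(perms, sig))
    print("client with stale key accepts:", SanctuaryClientModel(stale_public).receive(perms, sig))
```

The second print is the situation the guide warns about: the server is healthy and signing correctly, but a client that still carries the public key from a previous KeyGen run has nothing it will accept, which is why new keys must reach every client before SXS starts using them.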
149. ...ends on factors such as your environment, the total number of permissions required, whether you want to use shadowing or not, and so on. Unfortunately it is impossible to know beforehand how large the performance loss will be for your particular organization.
- A TLS environment requires maintenance: the system administrator must configure the system and manage certificates.
You should consider carefully whether your organization needs this extra security, i.e. whether your company either uses sensitive data or has to meet certain security regulations.
Using TLS for Client-Sanctuary Application Server Communication
There are two ways in which a Sanctuary Client can communicate with a Sanctuary Application Server. It can use:
- A Pull operation, in which the client establishes a connection with the server to: obtain the most recent permission updates; upload its log files; upload its shadow files. If using TLS protocol, the authentication and confidentiality of the data exchanged is always guaranteed.
- A Push operation:
  - In a first case, the Sanctuary Application Server establishes a connection with the client to request it to: perform a scan; upload its log file; upload its shadow files; contact the server to receive the latest permission updates.
  - In a second case, the Sanctuary Application Server pings the client to update its client list or to begin another communication or process.
Push messages are very li
150. ent and valid. The settings are taken from the policies.dat file until a server can be contacted and the permissions updated. The policies.dat file has a validity period of 14 days after generation (default value).
By default, the driver randomly chooses an available server to work with. This setting allows the load to be shared between the available Sanctuary Application Servers. If a server is unavailable, the driver picks another one from the list and tries to connect to it. You can also choose to contact the servers sequentially, in the order you enter them. This setting is particularly adapted to configurations that have a primary Sanctuary Application Server and a backup one: the driver connects to the primary Sanctuary Application Server, that is, the first one on the list, unless it is not available, in which case the driver tries to connect to the next one on the list.
Warning: If you are installing Sanctuary Device Control and there is no Sanctuary Application Server to contact or exported policies to use, the most restrictive policies apply. The client has no permissions at all, even when some devices have predefined restricted permissions (for example, read/write permissions for the PS/2 port). See the Sanctuary Device Control User Guide for a list of the predefined permissions when first installing the program.
151. Figure 8.13: Sanctuary Client Deployment Tool: Select computer dialog (Sample a)
Figure 8.14: Sanctuary Client Deployment Tool: Select computer dialog (Sample b)
Figure 8.15: Sanctuary Client Deployment Tool: Advanced select computer dialog
Note: You can also drag and drop from the external Microsoft Windows Network (My Network Places icon) selection dialog.
3. Select the domain you want to search and highlight or enter the names of the computers you want to add to the list. You can type in multiple names, using a semicolon character to separate computer names.
Sanctuary Application & Device Control v4.3.2 Sanctuary Setup Guide
4. Once you have selected the c
152. ents wizard final page
Note: After installation of the Sanctuary Client on the user's machine, the user must log on at least once in order to be able to access any encrypted media for which he was granted access rights. During this first logon, the user certificate is issued by the Certificate Authority. This certificate is used by the Sanctuary Application Server to deliver per-media rights for users. The certificate is stored locally on the user's machine and additionally published to the Active Directory.
Note: Depending on your Active Directory configuration and the replication setting between domain controllers, it may take some time to issue a certificate during the first user logon and publish it to the Active Directory. During that period the user is not authorized to access the media.
Note: You must install a root enterprise-level CA. There are two types of enterprise-level Certificate Authority: root and subordinate. In this case, root and subordinate are just Microsoft terms that identify hierarchy, thus a subordinate cannot exist without a root. Since we use Active Directory (AD) integration, the CA must be able to publish and issue certificates using AD. Only an enterprise-level CA is integrated with AD. The CA software of other vendors that support AD integration can also be used.
Checking Certificates are Correctly Iss
153. eplacing an existing set of keys, or implementing customized keys in an environment where encrypted media are already in use, prevents recovering the password of these media.
Note: Although not recommended, it is possible to deploy the clients on test environments without a customized set of keys. If you do not want to generate custom keys, simply skip this step.
Note: The Sanctuary Client can be deployed without specifying a server address(es) that can immediately be validated. The server at the provided address(es) is contacted during the actual setup to make sure that the client can communicate with it. If this communication is not achieved, the installation is aborted unless the Serverless Mode option is selected. See the following step for more information.
10. Enter the fully qualified domain names or IP addresses of the Sanctuary Application Server(s) to which these clients attempt to connect, using the Name or IP fields. If alternative port numbers are required for these connections, then also type in the modified port numbers. If you do not specify a fully qualified domain name or address, the installation is done in Serverless mode. While using this mode, the installation routine does not abort if it cannot reach a Sanctuary Application Server. Alternatively, if these fields are not empty, at least one Sanctuary Application Server must be contactable for the installation to continue (the install will roll back if all connecti
154. er explains how to install the Sanctuary Management Console, used to configure permissions for all the devices and/or executables that your organization uses. It is also used to carry out day-to-day administrative tasks and procedures. The information in this chapter is relevant to all Sanctuary software suite products.
Warning: You should read Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, on page 175 carefully before installing this component on a computer with this operating system and service pack.
When installing the Sanctuary Management Console, you also install some or all of the following, depending on the type of license you have purchased:
- Client Deployment Tool (see Chapter 8, Unattended Client Installation, on page 93) to deploy clients silently.
- The Svolbro.exe program (see the description in the Sanctuary Device Control User Guide), needed for one of our USB key encryption methods.
- The Authorization Wizard (see the description in the Sanctuary Application Control Suite User Guide) to search for executable files, create their hashes and include them in the database.
- The Versatile File Processor Tool (see the description in the Sanctuary Device Control User Guide) to scan files.
- The Standard File Definitions (SFD): the set of all the hashes (digital signatures) of the various operating system files supported by Sanctuary.
Note: If you are using Sanctuary Application Control Suite you shou
155. Figure L.3: Configuring the Sanctuary Application Server address or name (Windows Embedded Studio component list and build output; the listed component is SecureWave Sanctuary Client Version 4.1.0.196)
Sanctuary Application Server (SXS)
The Sanctuary Application Server (SXS), used to communicate between the Sanctuary Database and the protected clients, should already be installed. To configure a Sanctuary Client, you must provide its IP address or fully qualified domain name in the
156. ervices update partner tool used for our Sanctuary Application Control Suite programs (Sanctuary Application Control, Sanctuary Application Control Server Edition or Sanctuary Application Control Terminal Services Edition).
Chapter 8, Unattended Client Installation, shows you how to deploy clients silently.
Chapter 9, Using the SXDomain Command Line Tool, explains how to synchronize information between the Sanctuary Database and the domain controller.
Chapter 10, Registering your Sanctuary Product, explains the Sanctuary licensing model.
Appendix A, Detailed System Requirements and Limitations, details the hardware and software you need for optimum operation of the software.
Appendix B, Registry Keys, provides detailed information about registry key settings for servers and clients.
Appendix C, Upgrading from Old Versions, explains how to upgrade from a previous version of Sanctuary Device Control and Sanctuary Application Control Suite.
Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, explains how to configure this system to work with Sanctuary programs.
Appendix E, Opening Firewall Ports for Client Deployment, covers how to open the required ports needed for the client deployment technique described in Chapter 8, Unattended Client Installation.
Appendix F, Using the Synchronization Script for Novell, provides a quick setup guide for synchronizing Novel
157. es
1. Decide whether or not you are going to use an extra encryption layer for Sanctuary Client / Sanctuary Application Server and intra-Sanctuary Application Server communications. If you decide to use it, you need to install a Certificate Authority. This is also needed if you want to centrally encrypt removable media using Sanctuary Device Control. See Transport Layer Security on page 6, Appendix H, Installing a Certificate Authority for Encryption and TLS Communication, on page 203, and the Sanctuary Device Control User Guide.
2. Install the Sanctuary Database on the computer that is to hold authorization information for devices and/or executables, scripts and macros. You can find a detailed explanation of the installation procedure in Chapter 2, Installing the Sanctuary Database, on page 17.
3. Generate the key pair that is used to sign/encrypt messages/media. See Chapter 3, Using the Key Pair Generator, on page 29.
4. Install the Sanctuary Application Server on the computer or computers that serve as intermediates between the Sanctuary Client and the Sanctuary Database, distributing the list of device/software permissions for each client computer and/or user group. See Chapter 4, Installing the Sanctuary Application Server, on page 33.
5. Install the Sanctuary Management Console on the computer(s) you are going to use to configure Sanctuary and subsequently carry out your day-to-day administrative tasks and procedures. See Chapter 5, Installing the Sanctua
158. es
- Windows Update: Windows XP Embedded does not use the Windows Update Web site to detect and patch software components.
- System files that support upgrade scenarios.
- Obsolete Windows Image Acquisition files.
- Microsoft Java Virtual Machine.
Features that are specific to Windows 2000 Server and Windows Server 2003 are also not included in Windows XP Embedded. If an application runs on a Windows Server operating system but does not run on Windows XP Professional, that application will not run on Windows XP Embedded.
Installing Sanctuary in Windows XP Embedded
What Server-Side Components you Need
Before you use the Sanctuary Client in a device, you must first install and configure all the other components required to control the Sanctuary Client, notably the Sanctuary Database, the Sanctuary Application Server and the administrative tools. Without the first two basic components you cannot use Sanctuary. Please consult the other chapters of this guide to learn how to install and configure these components.
What Client Components you Need
In order to install an embedded client, you need to:
1. Create an image.
2. Install this image in the device.
The first step is done using the Windows Embedded Studio, available from Microsoft's Web site. Using this tool you can generate an image that will then be installed on the target device. The following
159. es whether there is an update from Sanctuary Device Control to Sanctuary Application Control Suite and that this action does not block the machine. If this is the case, the installation will not proceed and rolls back. Use this option if you do not want this check done and you are sure that you have correctly defined the policies.
- List the program with a Remove button: the program is listed in the Add or Remove Programs (Programs and Features in Windows Vista) Windows dialog in the standard way, and it will include a Remove button.
- List the program but suppress the Remove button: the program is listed in the Add or Remove Programs (Programs and Features in Windows Vista) Windows dialog, but will not include a Remove button.
- Do not list the program: the program will not appear in the Add or Remove Programs (Programs and Features in Windows Vista) Windows dialog.
- Specify the policy import timeout in minutes (only available for client version 3.2 or later): set how many minutes should elapse before the program considers the policy file out of date. Type any value between 20 and 600 minutes (10 hours). You can use a value of less than 20 minutes by using the MSI installation file directly from the command line, through the parameter policy_import_timeout=<value_in_milliseconds>.
15. Click on the OK button to close the dialog.
160. ess Edition SP2, depending on your company's size. To install the database, see Chapter 2, Installing the Sanctuary Database, on page 17.
2. Install the Sanctuary Application Server. This provides the interface between the database and the client component, and between the console (used to define, modify, delete and create permissions and rules) and the database. You need to install at least one Sanctuary Application Server. This can be on the same computer as the database. To install the Sanctuary Application Server, see Chapter 4, Installing the Sanctuary Application Server, on page 33.
3. Install the Sanctuary Management Console to manage the definition, modification, deletion and creation of permissions and rules. You can install the console on the same machine as the database and Sanctuary Application Server or on a different one. To install the console, see Chapter 5, Installing the Sanctuary Management Console, on page 53.
4. Install a Novell client and our synchronization script on one of your Windows client machines. This machine must already have Novell's NDAP ActiveX objects installed (available on Novell's Web site or on your installation CD). You can find the necessary synchronization script (NDSSync.vbs) in the Scripts directory.
Note: Windows Gateway Services for Netware (GSNW) is not sufficient to run the NDSSync.vbs synchronization script.
Define si
161. ests until the number of active requests drops below the maximum amount. Both parameters are combined to allow you to fine-tune the application's performance. The relation that links both parameters is explained in the following figure.
Figure 8.41: Sanctuary Client Deployment Tool menus: Number of threads vs number of computers (axes: Number of Threads, Computers)
Using the SXDomain Command Line Tool
This chapter explains how you can synchronize domain information with that contained in the Sanctuary Database. The information in this chapter is relevant to all Sanctuary products.
Introduction
The SXDomain command line tool is an alternative to the Add Domain / Synchronize Domain items in the Tools menu of the Sanctuary Management Console. You can use it to:
- Add new domains to the list of those managed by Sanctuary
- Add and update information about users, groups and computers in a domain already managed by Sanctuary
- Add/synchronize local users and groups
- Add/synchronize computers that are part of a workgroup
SXDomain.exe can be found in the C:\Program Files\Lumension Security\Sanctuary\SXTools directory, assuming that you installed the Sanctuary software under C:\Program Files. Use the comma
162. etup did not detect any Certification Authority. Please note that without a Certification Authority the encryption feature of Sanctuary Device Control will not work properly (see the user guide for details).
Figure 4.10: Sanctuary Application Server installation: No Certification Authority found
14. Specify the protocol that the Sanctuary Application Server should use. You can either choose the standard one, used to communicate with older clients, or the improved protocol, which includes the optional TLS protocol that only works with the latest client version. Select from the list the type of client you already have installed. If this is a new installation, select the latest version.
Figure 4.11: Sanctuary Application Server installation: Protocol selection dialog (Client versions supported: specify the minimum client version deployed in your environment. The server is backward compatible with previous versions of the client. It is recommended that you only enable support for versions that are deployed in your environment. Client versions: Version 4.1 or higher)
15. For the rest of the installation, follow the flowchart below, especially if you choose the latest version of the client.
Communication protocol: Select Protocol Version. Use 3 if this is
163. etwork shared drive where the Sanctuary Client setup files are located and run the setup.exe file.
Warning: If you are installing or uninstalling the Sanctuary Client on a Vista machine with Vista's UAC (User Account Control) functionality turned on, you must use setup.exe, not Control Panel > Add/Remove Programs, otherwise the operation will fail.
The Setup program shows the Welcome dialog.
Figure 6.1: Sanctuary Client: First step (Welcome to the Wise Solutions Wizard for Sanctuary Client)
4. Click on NEXT to continue.
Warning: You cannot carry out maintenance while the Client Hardening option is active unless you first issue an Endpoint Maintenance Ticket or relax the client security settings using the management console. See Uninstalling the Sanctuary Client on page 79 for more information.
The next dialog displays the License Agreement (Sanctuary Client Wise Solutions Wizard: License Agreement and Maintenance Contract, when applicable. Please read the following agreement carefully). TERMS AND CONDITIONS OF INSTAL
164. every single packet.
5: Like 4, with added cryptographic signing of every packet to defend against tampering.
6: Like 5, but also encrypts data in both directions.
The recommended setting is 5 or more. Note that any setting except 0 requires the client to be in the same domain as the server, or in a domain that is trusted by the server's domain.
Table B.5: Sanctuary Application Server registry keys (security registry keys)
SecureInterSxs
Description: If set to yes, all inter-Sanctuary Application Server traffic is done using the TLS protocol. Note that Sanctuary Application Servers register the fully qualified DNS name in the servers table (for compatibility with older versions) and, depending on the communication mode selected, the TLS or the non-TLS port. Servers with different inter-Sanctuary Application Server modes will not be able to communicate with each other; they should all have either the yes or the no value set for this parameter. When this value is set to no, communication is done using non-TLS ports. When setting this value to yes, you should also set the number of non-TLS sockets (MaxSockets, see Table B.6 & Table B.7) to zero and CommVer to 3 (clients v4.1 or later) to obtain the maximum level of security.
Default:
The TCP port on which the Sanctuary Client is expe
165. ewall set portopening protocol=UDP port=138 name="Sanctuary UDP 138" mode=ENABLE profile=All
netsh firewall set portopening protocol=TCP port=139 name="Sanctuary TCP 139" mode=ENABLE profile=All
netsh firewall set portopening protocol=TCP port=445 name="Sanctuary TCP 445" mode=ENABLE profile=All
Save and run on each machine.
To open the Firewall Ports via an Active Directory Group Policy
While it is possible to open ports manually in a small network, this can also be achieved on a larger scale by centrally configuring the Windows firewall using Group Policy. When the XP SP2 (or later) or Vista machines log on to the network, they inherit the customized Group Policies, thus opening the Windows Firewall ports required for remote deployment. This is the Microsoft recommended method to centrally manage Windows Firewall settings. In the following steps we modify a domain group policy to open the needed ports.
Note: To avoid compatibility problems, ensure that the machine has the latest patches and service packs.
If you are using a Windows Server 2003 with Service Pack 1 (or later) computer joined to the domain:
1. Log on as domain administrator.
2. Download and install the .NET framework (required for the next step).
3. Download and install the Microsoft Group Policy Management Console (GPMC) from Microsoft's Web site.
166. exe. The Setup program launches the MSI installer. When this is complete, the Welcome dialog is displayed. Click on NEXT to continue.
Figure K.1: Welcome screen (Sanctuary Client Wise Solutions Wizard: Welcome to the Wise Solutions Wizard for Sanctuary Client)
4. The License Agreement is displayed in the next dialog. If you accept the terms of the license agreement, select "I accept the terms in the license agreement" and click Next to continue.
5. Click Cancel to exit without installing your Sanctuary Client.
(Sanctuary Client Wise Solutions Wizard: License Agreement and Maintenance Contract, when applicable. Please read the following agreement carefully.) TERMS AND CONDITIONS OF INSTALLATION: Your access to and installation of this software product is subject to the terms and conditions contained on the Lumension Security, Inc. (Lumension) website. For your convenience the links are provided below. By clicking on Acceptance you agree that you have read, understand and agree to be bound by the terms and conditions co
167. g option using the management console.
- Generate an Endpoint Maintenance Ticket that overrules the hardening option. Please consult the Sanctuary Application Control Suite User Guide or the help file for a complete description of how to create an Endpoint Maintenance Ticket.
Select Add/Remove Programs from the Windows Control Panel and choose Sanctuary Client from the list of installed programs. The Setup program launches and uninstalls the Sanctuary Client. On completion of the uninstall process you must reboot the server.
Installing Sanctuary in Windows XP Embedded
What is Windows XP Embedded?
Windows XP Embedded is a componentized version of Windows XP Professional that contains all of the features, functionality and familiarity of Windows XP Professional. Based on the same binary files as Windows XP Professional, Windows XP Embedded ships with the same set of drivers as the desktop version of Windows XP Professional, that is, over 9,000 drivers available as individual components for Windows XP Embedded. The Windows XP Embedded minimum build size is approximately 5 MB; this is a kernel-only build. An average image size for Windows XP Embedded would be around 40 MB or more. This, of course, is a lot smaller than a typical installation of Windows XP Professional on a desktop. When building the operating system image you can pick and choose which ha
168. g two stages:
1. Create package(s). The deployment tool allows you to select client installations from the CD-ROM, LAN or local drives. It makes a local copy of the client installation and displays the Options (Lumension Installation Transform) dialog so that you can create an installation transform (MST) linked to the MSI file.
Note: An installation transform is a customization of the installation which predefines settings for the installed application. Having an installation transform allows the system administrator to apply identical settings to a group of client computers.
2. Install/Uninstall package. To do this, select the package and the target computer(s) to begin the (un)installation, and set the reboot and configuration options. After this, the deployment starts.
The following sections describe the installation process.
To Install the Sanctuary Client: MST File Generation
1. On the administrator's machine, select Sanctuary Client Deployment Tool from the Start > Programs > Sanctuary menu. The following dialog appears on first use.
Figure 8.1: Sanctuary Client Deployment Tool: First start-up (Options dialog: Directory where deployment copies are stored: C:\deploy; Maximum number of working threads (default 128): 128; The maximum number of working threads is reached when the number of computers is equal to or above (default 5000): 5000)
2. Choose the folder in which you would lik
169. gn limitations or errors in their configuration, do not do a completely silent installation and sometimes fail since they are waiting for user input.
Warning: If you are using encrypted communications with the automatic certificate generation mode, the client deployment task cannot be successfully completed unless you guarantee that the machine certificate file's properties (located at %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys) are Full Control for Administrators and LocalSystem (the usual setting).
Note: If you are installing Sanctuary Device Control or Sanctuary Application Control on Windows XP SP3 or Vista machines, you need to open certain blocked ports to be able to do an unattended client installation. See Appendix E, Opening Firewall Ports for Client Deployment, on page 181 for more details.
Note: You cannot install the Sanctuary Application Control Server Edition client on Windows XP, 2000 Pro or Vista machines.
Note: Although the installation dialog only lets you input three Sanctuary Application Servers, you can easily add more if needed. You can also change how the Sanctuary Application Server(s) is selected (round robin vs random pick); this is done by modifying certain registry keys. See Sanctuary Client Registry Keys on page 163 and Uninstalling the Sanctuary Client on page
170. grade will fail.
Note: If you update from older versions of Sanctuary but keep the old clients, device/application permissions are NOT sent to them. You should consider updating these older clients as soon as possible. You also lose the added security that the new Sanctuary Client offers against deleting, modifying or altering its components.
Note: You must stop the Sanctuary Application Server(s) (using net stop SXS from the command line prompt) before updating the database.
Note: If you are planning to keep old client versions, do not forget to choose the correct communication protocol supported by your Sanctuary Client when updating your Sanctuary Application Server(s).
Note: You must have a Certificate Authority if you want to take advantage of an encrypted channel for Sanctuary Client / Sanctuary Application Server and intra-Sanctuary Application Server communications.
To summarize, the upgrade is done in two broad stages:
- First, upgrade all server-side components; during this first stage the new server-side components have to work with the old client versions.
- Second, deploy the new client upgrade packages; the client deployment stage may be organized in batches and may take several days to complete.
The server-side components have not been designed to communicate with old clients older than version 3.x. You should also update them. S
171. gure 8.35: Sanctuary Client Deployment Tool menus: Set policies
Computers Menu
The Computers menu has the following items:
- Add: Displays a dialog allowing you to add one or more computers to the list of computers. This is the same dialog that appears when you click on the ADD COMPUTER button.
- Remove: Removes the selected computer from the list.
- Import: Allows you to import a list of computers from an external ASCII or Unicode text file. The file must be a flat text file with one machine per line. The machine name is optionally followed by the domain name, separated from it only by a | sign. Every line looks like this: ComputerName|DomainName
- Export: Allows you to export the list of computers selected in the computer list to a text file. The file produced is a flat text file with one machine per line. The machine name is followed by the domain name, separated from it only by a | sign. Every line looks like this: ComputerName|DomainName
- Change TLS mode: When using this menu item you can control some options governing client installation. See the description of Figure 8.17.
- Reboot: Forces a reboot of the selected computers in the list of computers. You can also select here the server from which the Endpoint Maintenance Ticket will be retrieved.
- Query: Performs the same function as clicking on QUERY (see Quer
172. he machine has not been rebooted since. You must reboot the client machines after uninstalling. When the deployment to a client computer is complete, it displays a System Shutdown dialog (if configured) as shown below. The message displayed is the one you typed in the Install/Uninstall/Reboot Options dialog.
Figure 8.26: Sanctuary Client Deployment Tool: Shutdown dialog on client computers (System Shutdown: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by SECURE\Administrator. Time before shutdown: 00:02:36. Message: A new driver has been installed/updated. Your computer needs to be rebooted.)
Using the Command Line to Install Clients
If you already own a software deployment tool that you want to use instead of our visual interface, follow these steps:
1. Create a Deployment package.
2. Copy the whole Deployment package folder to a local directory on the server (referred to as Deploy) from which the client is to be deployed. This directory should include the .msi installation file and the public key file (sx-public.key).
4. Install the Sanctuary Client on a list of computers by using your chosen software deployment tool to run this command line:
msiexec /i SanctuaryClient.msi /qn TRANSFORMS=SanctuaryClient.mst /L*v %TMP%\setupcltsu.log
Note: The comman
173. he Sanctuary Application Server, the Sanctuary Management Console and the firewall (table, garbled in extraction: Sanctuary Application Server MyComputer.MyDomain.com; ncacn_ip_tcp 1234; MyComputer, ports 1234 & 135; ncacn_ip_tcp 1234)
Note: Replace 1234 with the actual port you want to use for the communication between the Sanctuary Management Console and the Sanctuary Application Server.
Connection between the Sanctuary Client and the Sanctuary Application Server
If you install the Sanctuary Application Server and the client(s) on different machines and you have a firewall between them (including the Windows XP firewall, if applicable), the communication between them may be blocked. The default ports used for the communication between the drivers and the Sanctuary Application Server are the following:
- The Sanctuary Application Server listens on port TCP 65129 (65229 if using the TLS protocol).
- The Sanctuary Clients listen on port TCP 33115.
See the next section, Configuring the Firewall, for information about how to configure Windows XP/2003/Vista.
Note: You can also manually configure the ports used for the communication between the client and the Sanctuary Application Server. See Sanctuary Application Server Registry Keys on page 153 and Sanctuary Client Registry Keys on page 163.
Configuring the Firewall
Since Windows XP SP2 and Vista SP0, the integrated firewall is enabled by default. You can also activate it on Win
174. the client on the Sanctuary Management Console machine if you are planning to encrypt and/or authorize removable media.

Firewall Configuration

If you are using Windows XP SP2 or later, Windows 2003 Server SP1 or later, or Windows Vista for the console, the firewall may be active and blocking certain ports needed to communicate with the Sanctuary Application Server.

Sanctuary Client

The Sanctuary Client is the software used to manage the devices or authorize software execution on the client's computer. You can install it individually on each machine to be protected or, in large organizations or when you cannot visit each client computer/server individually, using our unattended client installation software. You can also use any other software that supports MSI packages to install Sanctuary Clients.

Software

If you are using Sanctuary Device Control or Sanctuary Application Control, the client requires a Windows XP SP2 (32-bit or 64-bit), Windows 2000 SP4, Windows Vista (32-bit or 64-bit) or Windows 2003 SP1 (32-bit or 64-bit) machine. We recommend distributing Windows updates from Windows Server Update Services (WSUS) if you are installing the Sanctuary Application Control Suite. If you are using Sanctuary Application Control Server Edition or Sanctuary Application Control Terminal Services Edition, you should only use Windows 2000 Server SP4 or later, or Windows Server 2003 SP1 or later.

Hardware

The hardware specifications
175. the ellipsis button to select an MSI file, typically from the Client folder of the CD-ROM.

6. Enter the name you want to give to the package. Do not use numbers in the form ###.###.###.###, as they are interpreted as an IP address. Make a note of the directory, which we refer to as the Deployment package folder (C:\Deploy in this example).

7. Click on OK.

The installation files are copied to a subfolder of the destination directory defined in step 1 (C:\DEPLOY in our example). The Options (Sanctuary Installation Transform) dialog is displayed.

[Figure 8.4 shows the Sanctuary Installation Transform options dialog. It contains: up to three Sanctuary Application Server entries ("Name or IP" and "Port", default 65229) with Automatic Load Balancing, TLS (checked) and Test Connection controls; an "Import public key" button; the checkbox "Suppress preventive actions related to the Application Control feature"; the Add or Remove Programs list options (list the program with a Remove button; list the program but suppress the Remove button; do not list the program); and the policy import timeout in minutes (default 20).]

Figure 8.4: Sanctuary Client Deployment Tool, Sanctuary Application
176. the machine certificate has to be created by a user (usually the administrator) who already possesses a certificate good for issuance and trusted as a root or intermediate Certificate Authority by the Sanctuary Application Server. This authorized user has to be physically present at the machine to create this certificate.

Authentication certificate will be retrieved from a CA (automatic mode, using TLS communication): The program requests the certificate from one of the selected Certificate Authorities. This certificate must be good for issuance and trusted as a root or intermediate Certificate Authority by the Sanctuary Application Server. All communication between the Sanctuary Client and the Sanctuary Application Server(s) is encrypted. You do not need a Certificate Authority at this point, but it will be required when first starting the client(s), since the program requests a machine certificate. The user who has the rights to create machine certificates does not have to be physically present at the machine to do the installation if this mode is selected.

You should ALWAYS use automatic mode when your organization has already deployed a Certificate Authority infrastructure and the Sanctuary servers and clients are part of it. In this case deployment of the Sanctuary Client using TLS is completely transparent and requires no additional action. Always prefer the automatic mode for issuing valid certificates over all other methods. If it is not possible
177. Authentication for the Sanctuary Application Server

Windows user credentials (name and password) are by default passed to Novell. If the same username with the same password exists in Novell, this authentication process is transparent. If this is not the case, Novell rejects the user for all non-interactive processes; if the process is an interactive one, Novell asks for a new authentication through the Novell Client for Windows. In essence, the process consists of setting up an account in Novell's eDirectory structure with the same name and password as the Windows (local or domain) user. This account is going to be used by the Sanctuary Application Server service.

We make these assumptions in the following procedure, which of course differs from your actual Novell installation:

• The Novell Server is called BOOGIE.
• The Novell Tree is called Lumension.
• The Novell Context is called TEST.
• The Novell shared directory which will be used as DataFileDirectory for Sanctuary is BOOGIE MYDATA TEST DataFileDir, i.e. it is located on server BOOGIE, context TEST, hosting a shared directory MYDATA which contains a subdirectory named DataFileDir.
• The Sanctuary Application Server account used in Windows is called sxs.

The shared folder and the sxs account should already exist in the Novell eDirectory. Please refer to your No
178. algorithm that takes into account the entire contents of the file.

IOCP: I/O Completion Port.

MDAC: Microsoft Data Access Components. Required by Windows computers to connect to SQL Server and MSDE databases.

MSI: Microsoft's Windows Installer engine. Sanctuary supports MSI version 3.1. It is also the extension of the file used by this component. An MSI file is basically a database with relationally linked tables and a set of files, either inside or accompanying the MSI file. This database contains information about what has to be done to the target machine in order to install the application.

NAT: Network Address Translation. A technique of passing network traffic through a router and rewriting the source and/or destination IP addresses as the packets pass through. This is done so that multiple hosts on private networks can share a single public IP address.

NTFS: New Technology File System. Offers several enhancements and advantages over older FAT systems, including an improved architecture, support for larger files, enhanced reliability, automatic encryption/decryption, change journals, disk defragmenter, sparse file support, improved security and permissions, etc.

Private Key: One of two keys used in public key encryption. The user keeps the private key secret and uses it to create digital signatures and to decrypt received messages.

Public Key: One of two keys in public key encryption. The use
179. ...ices, RIM BlackBerry handhelds, Smart Card readers, User defined devices, COM/Serial ports, DVD/CD drives, Floppy disk drives, Imaging devices, Tape drives.

[Table J.3, Defining permissions (Installation Checklist): a matrix of device classes against permission settings. The device-class column headers, printed rotated in the original, include Wireless NICs (network interface controllers), Windows CE handheld devices, User defined devices, Tape drives, Smart Card readers, RIM/Palm handhelds, PS/2 ports, USB, Secondary network access devices, LPT/Parallel ports, COM/Serial ports and Biometric devices. Rows: Root level: Permissions (R, R/W or None), Event notification. Device Class level: Permissions (R, R/W or None), Online permissions, Offline permissions, Scheduled permissions, Temporary permissions, Shadow, Copy Limit, Event notification, Decentralized encryption, File type filtering.]
180. deciding on a name for your installation package, a new folder is created using this name. For example, if you want your installation packages to be located in a directory named Deploy and the installation package name is Marketing, the program places the client MSI file in C:\Deploy\Marketing.
2. After modifying the installation options, a new transform file (MST) is created in the installation package folder.
3. The license, policies (optionally) and public key files are copied/exported to the same folder where the MSI and MST files reside.
4. The computer(s) on which the package will be installed are defined.
5. The deployment process is started.

What is an MSI File?

An MSI file is a database with relationally linked tables and a set of files, either inside or accompanying it. This database contains information about what has to be done to the target machine in order to install the application. The installation process itself is controlled by a list of Actions. Several such lists are predefined in the MSI standard. These can be adjusted by Custom Actions performing special tasks not covered by the normal MSI behavior. Custom actions can even launch scripts and executables to perform special installation tasks. The actual installation process is performed by a special MSI installer service running on the computer. Because this servic
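Because the transform carries the settings the client will actually run with (server list, port, TLS, visibility in Add or Remove Programs), it is worth reading what the MST changes before pushing the package. The script below is an added example, not part of the Sanctuary guide or product: it opens the MSI read-only through the WindowsInstaller.Installer COM automation interface that ships with Windows Installer, applies the MST in memory, and diffs the Property table before and after. The package path under C:\Deploy\Marketing is an assumption; the property names printed are whatever the package itself defines.

```powershell
# Added example, not from the Sanctuary guide: show which Property-table
# entries an MST adds, changes or removes in a client MSI. Read-only; the
# files on disk are never modified.
param(
    [string]$Msi = "C:\Deploy\Marketing\SanctuaryClient.msi",   # assumed package location
    [string]$Mst = "C:\Deploy\Marketing\SanctuaryClient.mst"
)

$installer = New-Object -ComObject WindowsInstaller.Installer

# The Installer object is late-bound only, so every call goes through InvokeMember.
function Invoke-ComMethod($obj, [string]$name, [object[]]$arguments) {
    return $obj.GetType().InvokeMember($name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $obj, $arguments)
}
function Get-ComProperty($obj, [string]$name, [object[]]$arguments) {
    return $obj.GetType().InvokeMember($name, [System.Reflection.BindingFlags]::GetProperty, $null, $obj, $arguments)
}

# Returns the Property table as a hashtable, optionally after applying a transform.
# OpenDatabase mode 0 = msiOpenDatabaseModeReadOnly: the transform lives in memory only.
function Read-MsiProperties([string]$msiPath, [string]$transformPath) {
    $db = Invoke-ComMethod $installer "OpenDatabase" @($msiPath, 0)
    if ($transformPath) {
        # Error-condition mask 0: refuse a transform that does not match this MSI
        # instead of silently skipping the mismatching rows.
        Invoke-ComMethod $db "ApplyTransform" @($transformPath, 0) | Out-Null
    }
    $view = Invoke-ComMethod $db "OpenView" @('SELECT `Property`, `Value` FROM `Property`')
    Invoke-ComMethod $view "Execute" $null | Out-Null
    $props = @{}
    while ($true) {
        $rec = Invoke-ComMethod $view "Fetch" $null
        if ($null -eq $rec) { break }
        $props[(Get-ComProperty $rec "StringData" @(1))] = Get-ComProperty $rec "StringData" @(2)
    }
    Invoke-ComMethod $view "Close" $null | Out-Null
    return $props
}

$plain   = Read-MsiProperties $Msi $null
$withMst = Read-MsiProperties $Msi $Mst

# Everything below is what the deployed client will be configured with; review
# it against your intended server names, ports and TLS setting before deploying.
Write-Host "Properties set or changed by $Mst :"
foreach ($name in ($withMst.Keys | Sort-Object)) {
    if (-not $plain.ContainsKey($name)) {
        Write-Host ("  + {0} = {1}" -f $name, $withMst[$name])
    } elseif ($plain[$name] -ne $withMst[$name]) {
        Write-Host ("  ~ {0} : '{1}' -> '{2}'" -f $name, $plain[$name], $withMst[$name])
    }
}
foreach ($name in ($plain.Keys | Sort-Object)) {
    if (-not $withMst.ContainsKey($name)) { Write-Host ("  - {0} (removed)" -f $name) }
}
```

The same technique (replace the SQL with any other table name) shows whether a transform adds Custom Actions, which is the part of a third-party or re-packaged MSI that deserves the closest look.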
181. client machines.

Private and Public Keys

Sanctuary provides a utility that you can use to create a key pair that is used to assure communication integrity between the Sanctuary Application Server and the client. In a production environment you must create your own key pair before installing the Sanctuary Application Server and deploying the first Sanctuary Client.

Data file directory

When installing the Sanctuary Application Server, the setup asks for at least one data file directory where all shadow and log information is stored. We call it DataFileDirectory or DFD. A permanent network share should be used when planning to use more than one Sanctuary Application Server, as all servers need to write to the same shared directory (several can be defined). On the other hand, for evaluation purposes a local directory is better. It is possible to define such a directory on a Novell server in the same way as on a Windows server. If your DFD is defined on a Novell server, you should use an account with the same name and password to access this shared directory. You should take the hard disk drive size into consideration when defining log options.

SXS Account

The Sanctuary Application Server service requires a user account to run. Use a domain account (any domain user; an administrative account is not required) if you plan to u
182. ...ies of the client cannot be modified before taking some measures to certify that you have the right to do so.

[Figure 6.20 shows the Client Hardening Deactivation page of the Sanctuary Client setup: "Setup detected that the client hardening feature is active. Client hardening has to be deactivated before setup can continue. You can either specify an explicit maintenance ticket to be used in order to deactivate client hardening, or you can make setup contact the Sanctuary Application Servers of this client in order to retrieve a maintenance ticket. Setup will then use the maintenance ticket to automatically deactivate client hardening." Options: "specify an explicit maintenance ticket" or "contact the servers of this client"; a field for the explicitly specified ticket.]

Figure 6.20: Defining where the Sanctuary Client gets its maintenance ticket from.

To uninstall the client you should either:
• Deactivate the client hardening option using the management console, or
• Generate an Endpoint Maintenance Ticket that overrules the client hardening option.

If you chose to create and save an endpoint maintenance ticket, the client will search for it:
• In the same directory where the .msi package resides (default maintenance ticket, called ticket.smt).
• In the ticket directory, which is created by the setup during the client installation (explicit maintenance ticket). Request it from a Sanct
183. applies only to the Sanctuary Application Control Suite: Sanctuary Application Control, Sanctuary Application Control Server Edition or Sanctuary Application Control Terminal Services Edition.

What is the Sanctuary Authorization Service Tool?

You can use the Sanctuary Authorization Service Tool (AuthSrv.exe) to monitor changes to the files approved and synchronized by SUS or WSUS, and to process them when needed using our Versatile File Processor Tool (FileTool.exe); see the Sanctuary Application Control User Guide for more information. The aim of this process is to require zero administration effort: all Microsoft-authorized updates and fixes are automatically approved, their hashes created and the database updated. See the configuration details in the Sanctuary Application Control User Guide.

Note: We do not support either Outlook Express or Internet Information Server (IIS) as clients for sending email messages. If there is already an account in one of these types of clients, the SMTP IP address is transferred directly to the AuthSrv configuration. Furthermore, the LoadConfiguration registry key parameter is always set to 3 (see the Sanctuary Application Control User Guide).

Note: SUS does not support Windows Vista.

The Sanctuary Authorization Service Tool

To Install the Sanctuary Authorization Service Tool

The installation of the Sanctuary Authorization Service Tool (Auth
184. in Windows XP Embedded. The following image shows how this update is done.

[Figure L.4: Policy update, online context (through the network). Policies are defined using the Sanctuary Management Console and reach the secure XPe devices by Push, Manual Pull or Auto Pull. Additional features: ad hoc policy changes, temporary permissions, remote domain.]

When doing an offline update, once policies (new or updated ones) are defined, they are exported to a special file (policies.dat) and integrated in the installation build to be deployed.

[Figure L.5: Policy update, offline context. Policies are defined using the Sanctuary Management Console, then Build, Install and Integrate onto the secure XPe devices.]

Enhanced Write Filter (EWF)

The Enhanced Write Filter (EWF) is used to protect one or more disk volumes by intercepting write requests and redirecting them to an overlay volume (RAM or another disk). EWF provides the following functionality:
• Write-protects one or more partitions on your system.
• Enables read-only media, such as CD-ROM or flash, to boot and run.

There are two major components for EWF:
• EWF Overlay: EWF protects the contents of a volume by redirecting all write operations to an alternative storage location.
• EWF Volume: An EWF volume is created on the media in
185. ...ing, see Table B.6 on page 160 and Table B.7 on page 161.

When the Automatic request certificate option is selected, the program attempts to obtain a valid certificate by requesting it from the Certificate Authority. If this fails, the installation can continue, but the communication's encryption is deactivated. Nevertheless, integrity is assured by signing the messages with a private key (see Chapter 3, Using the Key Pair Generator).

If you select the manual option, a new dialog opens where you are invited to select the location where a valid machine certificate can be found (you must already have a Certificate Authority installed or the required certificate at hand). See Appendix H, Installing a Certificate Authority for Encryption and TLS Communication, for more details. The available options are the same ones described for the client installation, found in Install Sanctuary Clients on page 63.

[Figure: Sanctuary Application Server setup, Server Authentication page. "Generate a certificate that will be used to authenticate the server machine when communicating with the clients." Option 1: Setup generates a prototype certificate which has to be signed by a CA certificate and will then automatically be stored into the local machine store. You need to generate this final certificate and specify which certificate is to be used to sign
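The fallback described above is silent from the user's point of view: the install succeeds, but the channel is only signed, not encrypted. The script below is an added example, not from the Sanctuary guide or product. It lists the certificates in the LocalMachine\My store that could serve the TLS channel: present with a private key, valid now, carrying a Client or Server Authentication EKU (or no EKU at all, which allows any use), and chaining to a trusted root. Which certificate Sanctuary actually selects is not stated on this page, so the EKU filter is an assumption; the script exits non-zero when no candidate exists, so it can run as a post-install check on clients and servers.

```powershell
# Added example, not from the Sanctuary guide: find machine certificates usable
# for TLS authentication and explain why the others are unusable.
param(
    # Assumed: Sanctuary accepts a Client Authentication or Server Authentication EKU.
    [string[]]$RequiredEku = @("1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"),
    [switch]$CheckRevocation     # online revocation check; off by default for isolated machines
)

# Enhanced Key Usage OIDs of a certificate; empty means "any purpose" (RFC 5280).
function Get-Eku($cert) {
    $oids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($o in $ext.EnhancedKeyUsages) { $oids += $o.Value }
        }
    }
    return $oids
}

# Builds the chain with the machine's trust store and reports the outcome and the root.
function Test-ChainTrusted($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($CheckRevocation) {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    } else {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    }
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    $root = ""
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    return @{ Trusted = $ok; Status = $status; Root = $root }
}

$now    = Get-Date
$usable = @()
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $eku   = Get-Eku $cert
    $ekuOk = ($eku.Count -eq 0)              # no EKU extension: any purpose allowed
    foreach ($r in $RequiredEku) { if ($eku -contains $r) { $ekuOk = $true } }
    $chain = Test-ChainTrusted $cert

    $reasons = @()
    if (-not $cert.HasPrivateKey)                                   { $reasons += "no private key" }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now)       { $reasons += "not valid now" }
    if (-not $ekuOk)                                                { $reasons += "EKU does not allow TLS authentication" }
    if (-not $chain.Trusted)                                        { $reasons += "untrusted chain: $($chain.Status)" }

    if ($reasons.Count -eq 0) {
        $usable += $cert
        Write-Host ("USABLE   {0}  thumbprint {1}  expires {2:yyyy-MM-dd}  root '{3}'" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $chain.Root)
    } else {
        Write-Host ("skipped  {0}: {1}" -f $cert.Subject, ($reasons -join "; "))
    }
}

if ($usable.Count -eq 0) {
    Write-Warning "No machine certificate suitable for TLS found: this Sanctuary component is most likely running with encryption deactivated (integrity only)."
    exit 1
}
exit 0
```

Run it with administrative rights (reading private-key presence in the machine store requires them) shortly after the first client start, which is when the guide says the certificate is requested.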
186. planning to centrally encrypt removable devices.

Requirements

You must install, publish and properly set up a Microsoft Windows Certificate Authority in order to configure centrally managed (encrypted) removable media. The use of encryption to control and manage this feature fully protects against the intentional or unintentional loss of sensitive data. This section lists all mandatory requirements to install the CA needed to implement this specific product feature.

Note: If you are planning to install a Certificate Authority on a stand-alone server that is going to be integrated into your network later, you need to be connected to at least one computer so that Windows can recognize your network interface card (NIC).

The Windows Certificate Authority is tightly integrated with Windows Active Directory. In order to use encryption of removable storage devices, your domain must be configured to use Active Directory.

Integrating DNS with Active Directory

Although it is not a requirement to have DNS integrated with Active Directory, it is important that the DNS server be properly configured. To check if your Microsoft DNS is properly configured and integrated with Active Directory, open the DNS Management Console and check that the DNS zone contains the _msdcs records. The following screenshot shows how to check the DNS zone (dnsmgmt
187. install the program.

8. Click on NEXT, BACK to change options, or CANCEL to stop the setup. You will see the progress window and the final screen.

9. Click on the FINISH button to close the setup window. If you did not activate the "Do not automatically start the Sanctuary Authorization Service Tool when Setup is finished" option, the program starts once the installation ends.

The tool waits until:
• A change is made in the default update folder by WSUS.
• The administrator approves the updates on the SUS console.
• Each hour.

Once installed and loaded, you get a screen similar to that of Figure 7.6 when choosing "Microsoft Update Files" in the File Group field of the Database Explorer module of the console (assuming you have some update files ready to authorize).

[Figure 7.6: Sanctuary Authorization Service Tool, initial scan. The Database Explorer lists files such as agentsvr.exe and ctfmon.exe (type EXE) in the File Group "Microsoft Update files", with original paths under <SFD for Windows XP family>.]

Configuring WSUS

Once the Sanctuary Authorization Service Tool has been installed, yo
188. ...ion to view and/or control applications. The Command shell component provides support for the command shell. This component configures the system to execute programs, batch files and scripts, displaying their output on the screen. This shell uses the Microsoft Windows XP command interpreter (cmd.exe) as the base application.

What Windows XP Embedded Does Not Include

Even though Windows XP Embedded is built from the same binary files that Windows XP Professional uses, they do not share all features. The following Windows XP Professional features are not included in Windows XP Embedded:
• Windows File Protection (WFP), used to prevent system files from being overwritten unless Microsoft digitally signs the files that are being installed. Windows XP Embedded does not enforce system file protection, because embedded device users do not typically install software. It is therefore critical for run-time images to be built with the correct versions of system files.
• Windows XP Tour, an interactive animated tour of the operating system.
• Windows Setup: Windows XP Embedded does not include certain user interface and infrastructure elements.
• Online product activation: Windows XP Embedded-based run-time images are activated by using a run-time product key in the Microsoft Windows Embedded Studio tools.
• Out Of Box Experience (OOBE): welcome screens and wizards to help new users set up Internet connections and other operating system featur
189. ...irectory Users and Computers.

[Figure 8.28: Deployment package using group policies, selecting the Active Directory container. The Active Directory Users and Computers console shows the domain secure.com with its default containers (Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, Infrastructure) and their descriptions.]

4. Right-click on the Domain or Organizational Unit and select Properties.

5. Select the GROUP POLICY tab.

[Figure 8.29: Deployment package using group policies, selecting the group policy (secure.com Properties dialog, Group Policy tab).]

6. Click on NEW to create a new Group Policy and click on EDIT.

7. Expand the Software Settings folder.

[Figure: Group Policy editor for the policy "Deployment of SecureNT client": Computer Configuration > Software Settings > Software installation; Windows Settings; Administrative Templates; Device Policies; User Configuration > Software Se
190. ...irectory location on the Novell file server (1/2).

[Figure G.8: Selecting the data file directory location on the Novell file server (2/2).]

Once this directory is selected, give the user the following rights to it:
• READ: needed by the Sanctuary Application Server for opening shadow files and logs.
• WRITE: required by the Sanctuary Application Server to write to log files.
• CREATE: needed by the Sanctuary Application Server to save fetched shadow files and create new logs.
• ERASE: required by the Sanctuary Application Server when performing database maintenance.
• MODIFY: needed by the Sanctuary Application Server when temporary Sanctuary Application Server files are converted into log files.
• FILE SCAN: required at startup of the Sanctuary Application Server to enumerate the present shadow files and logs.

Installing a Certificate Authority for Encryption and TLS Communication

This appendix explains how to install and set up a Windows Certificate Authority (CA). You need a Certificate Authority to grant certificates for your clients and Sanctuary Application Server if you are going to use the TLS protocol for encrypted message communication. You will also need a CA if you are plann
191. is installed with the program. If you want to review it later, select License agreement from the Start > Programs > Sanctuary menu.

Installing the Sanctuary Management Console

5. Choose the destination directory and other features, making a complete or custom installation.

[Figure 5.3: Sanctuary Management Console installation, Custom Setup. "Select the program features you want installed. Click on an icon in the list below to change how a feature is installed." Features shown: Authorization Wizard, Standard File Definitions. Feature description in the example: "This feature requires 44MB on your hard drive. It has 4 of 4 subfeatures selected. The subfeatures require 97MB on your hard drive." Install to: C:\Program Files\Sanctuary\.]

Note: The Sanctuary Management Console allows you to configure, manage and monitor permissions to devices/executables. You use the Client Deployment tool to deploy clients silently on a group of computers. The Authorization Wizard allows administrators to quickly identify and authorize executables. File Definitions let you rapidly populate your database with signatures of all the files needed for running your operating systems.

6. If you decide to mo
192. is point. In this case you should choose the file using the Windows Open dialog. Remember that you can always choose to keep this file on an external device for added security.

9. If the installation requires rebooting the client computers, the Install/Uninstall Reboot Options dialog is displayed. If this is the case, select the appropriate options and click on OK. These options correspond to those already selected when creating the package.

[Figure 8.22: Sanctuary Client Deployment Tool, Reboot options. The Install/Uninstall Reboot Options dialog contains: "When a reboot is needed at the end of deployment: Reboot after 20 second(s); Force reboot even if some applications are open"; Apply to: Selection; Message; "Generate Endpoint Maintenance from SXS Server"; Certificate generation mode: Use TLS (checked); No certificate generation / Automatic certificate generation (selected) / Semi-automatic certificate generation.]

You can choose to require a reboot of the client computers after a defined period. You can also enter a text to be displayed to your users.

[Figure: System Shutdown dialog on the client: "This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by LU\Administrator. Time before shutdown: 00:00:27. Message: Since we did a critical update on your system we must force a reboot."]

Figure 8.23: Sanctua
193. Active Directory objects synchronization.

Examples

For the following examples: Sanctuary Application Server = SXS; Sanctuary Database = SX; SXS_SERVER is the name of the computer running the Sanctuary Application Server; CLIENT is the name of the computer running the Sanctuary Client.

To refresh the domain information for a domain (DOMAIN), use the following command:

   SXDOMAIN -s SXS_SERVER DOMAIN

To refresh details of the local users of the computer CLIENT (which can be a domain controller), in case it does not show up after its domain was added:

   SXDOMAIN -s SXS_SERVER CLIENT

To refresh details of the local users of the computer CLIENT where CLIENT is part of a workgroup rather than a domain, the username and password of the computer's local administrator should be used:

   SXDOMAIN -s SXS_SERVER -u username -p password CLIENT

Warning: Windows XP has the Simple File Sharing option set by default. This option essentially turns the computer into anonymous-access only, preventing the Sanctuary Application Server from retrieving its local users. If it is set, turn it off using the Tools > Folder Options dialog of Windows Explorer.

To synchronize a number of domains, you can enter the names into a text file (one name per line) and supply it as input to the utility, as shown below:

   SXDOMAIN
194. ...ize resources on a server for administrative convenience.

Single quorum: This is the traditional cluster model. It maintains the cluster configuration data on a single cluster storage device connected to all nodes. For n-node clusters, the cluster stays active as long as at least one node is working. Data is stored on a single cluster storage device (SCSI, etc.). Data synchronization is not required. We recommend that you use a RAID solution for the cluster storage devices.

Majority node set: Each node maintains its own copy of the cluster configuration data (quorum). More than half the nodes in a cluster must be running to keep the cluster working. This configuration is useful if you need to host applications that can fail over but where there is another, application-specific way to replicate or mirror data between nodes.

Note that in the Single Quorum model there is only one copy of the database, stored on a special hardware disk, and hence issues like data synchronization never occur.

A typical cluster implementation is shown in the following image.

[Figure 2.8: Sanctuary Database installation, Clustering. Two Database Servers, one active (the one that serves the clients' requests) and one passive, share a storage device (SCSI shared disk array or SAN) and are published to the clients as a virtual server.]

Every resource group is published in a virtual
195. ...k: businessdevelopment@lumension.com

Professional Services: Phone +1 480 663 8702; E-mail: patchlink professionalservices lumension com

1. Installing Sanctuary's Components

The information in this chapter is relevant to all Sanctuary products. This chapter guides you through the procedure for installing the various Sanctuary components. You can find a complete description of the Sanctuary products in the corresponding User Guide.

Sanctuary Architecture

A Sanctuary solution includes the following four main components (for a full description see your User Guide):
• One Sanctuary Database. This serves as the central repository of authorization information (devices, applications).
• One or more Sanctuary Application Servers, with one or (optionally) more Data File Directories (DFD). This is used to communicate between the Sanctuary Database and the protected clients.
• The Sanctuary Client, installed on each computer you want to protect. You will also need to install the Sanctuary Client on the same computer where the Sanctuary Management Console is installed if you want to encrypt removable devices or authorize DVDs/CDs (see next point).
• Administrative tools, including the Sanctuary Management Console. This provides the administrative interface to the Sanctuary Application Server. This interface, which can be installed on one or more com
196. ...k on a computer name and select CHANGE TLS MODE, or select it from the Computers menu.

When selecting the Semi-automatic certificate generation, you have the same options as those described for the client installation (Install Sanctuary Clients on page 63):
• Import, to place the machine certificate in the computer's store.
• Select, to choose a certificate from the computer's store.
• Advanced, to set the certificate's cryptographic signature and parameters.

You must already have a Certificate Authority installed or the required computer certificate at hand. See Appendix H, Installing a Certificate Authority for Encryption and TLS Communication, on page 203 for more details. Remember that you also need an Endpoint Maintenance Ticket if you are updating clients that require this type of permission to be modified or updated. See your corresponding User's Guide for a full description.

7. Select a package to install from the Packages list. Optionally select a subset of machines where the package will be installed from the Computers list.

8. Click on INSTALL to start the deployment.

Sanctuary's administrator can decide to use a policy file (policies.dat) to export permissions to clients that are not connected or cannot contact a server during the installation. See the To export and import permission settings section of
197. keys.

The Sanctuary Application Server service can be started and stopped through the Windows Services panel or from the command line with net stop sxs and net start sxs.

Note: If the key pair is not in the %SYSTEMROOT%\SXSDATA directory, physical access to the servers running the Sanctuary Application Server should be strictly controlled, because a rogue administrator could substitute a different key pair by inserting removable media carrying one.

If the Sanctuary Application Server starts and cannot find the key, it writes an event to the event log and uses the default key pair provided by Lumension. This message does not correspond to a system malfunction; it indicates that all components work with default keys. This is not recommended, for obvious security reasons.

[Figure 3.3: Application event log entry, Source SxS, Type Information, Event ID 20. Description: "SXS was unable to find a valid pair of matching private and public keys. It is currently using a pair of default keys. You should, at your earliest convenience, generate and deploy a new key pair as described in the manual. For your reference, here is the list of directories that SXS searched unsuccessfully: C:\WINDOWS\system32, C:\WINDOWS\sxsdata".]

Figure 3.3: Sanctuary Application Server did
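A server that silently fell back to the vendor's default key pair is exactly the condition the event above reports, and it is easy to miss on a fleet. The script below is an added example, not from the Sanctuary guide or product. For each server it looks for Event ID 20 from source SxS in the Application log, compares the most recent one with the start time of the running sxs service process (so an event that predates the last restart is reported as "likely fixed"), checks that the %SYSTEMROOT%\sxsdata directory exists and is not empty, and lists who has write access to it (the rogue-administrator scenario in the note above). The server names are assumptions; the key pair's file names are not stated on this page, so the script does not validate the files themselves.

```powershell
# Added example, not from the Sanctuary guide: detect Application Servers
# running on the default key pair and review who can replace the key files.
param(
    [string[]]$Servers = @("sxs01", "sxs02"),   # assumed SXS host names
    [int]$LookBackDays = 30
)

$since = (Get-Date).AddDays(-$LookBackDays)

foreach ($server in $Servers) {
    Write-Host "== $server =="

    # Start time of the running service instance, so an old Event 20 that was
    # fixed by a key deployment and restart is not reported as current.
    $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='sxs'"
    $startedAt = $null
    if ($null -ne $svc -and $svc.State -eq "Running" -and $svc.ProcessId -gt 0) {
        $proc = Get-WmiObject Win32_Process -ComputerName $server -Filter ("ProcessId=" + $svc.ProcessId)
        if ($null -ne $proc) { $startedAt = $proc.ConvertToDateTime($proc.CreationDate) }
    } else {
        Write-Warning "  sxs service not running (or not installed) on $server"
    }

    # Event ID 20, source SxS: "unable to find a valid pair of matching private
    # and public keys ... currently using a pair of default keys".
    $ev20 = @(Get-EventLog -LogName Application -ComputerName $server -Source "SxS" -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 20 } | Sort-Object TimeGenerated -Descending)
    if ($ev20.Count -eq 0) {
        Write-Host "  no default-key events (ID 20) in the last $LookBackDays days"
    } else {
        $last = $ev20[0]
        if ($null -ne $startedAt -and $last.TimeGenerated -lt $startedAt) {
            Write-Host ("  last default-key event {0:u} predates the current service start {1:u}; likely fixed" -f $last.TimeGenerated, $startedAt)
        } else {
            Write-Warning ("  RUNNING ON DEFAULT KEYS since {0:u}: generate and deploy your own key pair, then restart sxs" -f $last.TimeGenerated)
        }
    }

    # The key pair normally lives in %SYSTEMROOT%\sxsdata; admin$ maps to %SYSTEMROOT%.
    $keyDir = "\\$server\admin`$\sxsdata"
    if (-not (Test-Path -LiteralPath $keyDir)) {
        Write-Warning "  $keyDir does not exist; the service falls back to the default key pair at next start"
        continue
    }
    $files = @(Get-ChildItem -LiteralPath $keyDir -Force | Where-Object { -not $_.PSIsContainer })
    Write-Host ("  {0} file(s) in {1}" -f $files.Count, $keyDir)

    # Anyone who can write here can swap the key pair without touching the hardware.
    $writers = (Get-Acl -LiteralPath $keyDir).Access |
               Where-Object { $_.AccessControlType -eq "Allow" -and ($_.FileSystemRights.ToString() -match "Write|Modify|FullControl") } |
               ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    Write-Host ("  write access to key directory: {0}" -f ($writers -join ", "))
}
```

Scheduling this as a daily job and alerting on the warning lines turns the guide's "at your earliest convenience" into a measurable control; the write-access list should contain nothing beyond the server's administrators and the account the service runs under.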
...kup before proceeding with an update.

3. Run the setup.exe file located in the SERVER\SXS folder on the computer(s) where you installed the Sanctuary Application Server.

Run the setup.exe file located in the SERVER\SMC folder on the computer(s) where you installed the Sanctuary Management Console.

...Application Server(s) and finally the Management tools. Furthermore, always upgrade...

Note: It is very important that you upgrade the database first, then the Sanctuary server-side components, before upgrading the clients.

Upgrading from a Previous Sanctuary Application Server Version

If you are upgrading the Sanctuary Application Server instead of making a clean installation, the dialogs and steps differ from those found in the Sanctuary Application Server installation chapter, as shown in the following steps:

1. Log on to the computer where the Sanctuary Application Server component is installed.
2. Close all programs running on the computer and stop the Sanctuary Application Server service (Net Stop SXS).
3. Insert the Sanctuary CD in your DVD/CD drive and run SERVER\sxs\setup.exe. The Welcome dialog is displayed, informing you that a previous version of the server is already installed and that there is an upgrade.

[Dialog: Sanctuary Application Server, Wise Solutions Wizard: "Welcome to the Wise Solutions Wizard for Sanctuary Application Server" ... existing i...]
...l eDirectory objects to define device and application permissions.

Appendix G, "Using Novell Shares for your DataFileDirectory", explains how to set the data file directory (DataFileDirectory, or DFD) on your Novell server.

Appendix H, "Installing a Certificate Authority for Encryption and TLS Communication", describes how to install a Microsoft Certificate Authority, which is needed for client to Sanctuary Application Server and intra Sanctuary Application Server TLS communication. This authority is also needed if you plan to centrally encrypt removable devices when using Sanctuary Device Control.

Appendix I, "Controlling Administrative Rights for Sanctuary's Administrators", describes a file script used to set and control the rights to administer Organizational Units, Users, Computers and Groups in Active Directory.

Appendix J, "Installation Checklist", contains several tables to guide you through the initial setup process.

Appendix K, "Installing Sanctuary Application Control Terminal Services Edition", introduces Sanctuary for Terminal Services.

Appendix L, "Installing Sanctuary in Windows XP Embedded", discusses how to configure and install Sanctuary on Windows Embedded systems.

The Glossary provides definitions of standard terms used throughout the guide.

The Index provides quick access to information items or topics.

Some of these chapters are only relevant for some programs of our product suite; they corres...
...l license file. The information in this chapter is relevant to all Sanctuary products.

Licensing

Each Sanctuary Application Server has a license file that specifies whether you have a valid copy of one or several of our Sanctuary programs (Sanctuary Application Control Server Edition, Sanctuary Device Control, etc.). Depending on the type of license, your client computers either show or do not show the options appropriate to each of the installed programs. The following image was taken in a network that has Sanctuary Device Control and Sanctuary Application Control installed.

[Figure 10.1: Client's options when several Sanctuary products are installed. The client menu shows: Status, Deny all applications, Deny all modules, Deny all scripts, Refresh settings, Import settings, Request temporary access offline, Create an Encrypted CD/DVD, Endpoint maintenance, About.]

If the license information changes, for example when a new Sanctuary product is added, the client is informed and its options change accordingly.

Obtaining a License

Evaluation License

You can obtain an evaluation license by registering on Lumension's website, www.lumension.com. From there, select the product page for the Sanctuary product you want and then select Evaluation Request. Fill out the Evaluation License Request form. Once your request is approved you will receive a copy of the license file; save it into the %SYSTEMROOT%\SYSTEM32 directory. An evaluati...
...l's client, the synchronization script and NDAP on a Windows machine.

What Can Go Wrong and How Do I Fix It

In this section you can find general guidelines for some common errors found when running the script. We do not include the obvious ones, such as not finding the script or running it directly instead of through cscript.exe.

The script is not working, or it is missing some objects in the eDirectory structure: Check that you have the correct permissions for the Novell server you are specifying. If you do not have administration rights, the script will fail to synchronize all or part of the eDirectory structure.

I get the message "DB connect failed": Check that you are specifying the correct SQL server address, user name and password. Ensure the SQL server is up and running. Check that there is a valid connection between your machine and the SQL server (try troubleshooting using the PING command). Check that the database table "sx" has been correctly installed.

I get the message "DBStart failed": Check that you have the correct database rights. You must be a user (or specify the correct one as a parameter) that has insert, delete and update permissions for the database in order to do the synchronization.

I get the message "DBFeedDomain failed": Several SQL statements failed to execute. Ensure you have the proper rights to insert, delete and update...
Table F.2: Novell quick guide installation steps (continued)

Description | Purpose | Reference
...l the database | Store permissions, rules and settings | Chapter 2, Installing the Sanctuary Database
2. Install the Sanctuary Application Server | Interface between database, clients and console | Chapter 4, Installing the Sanctuary Application Server
3. Install the console | Manage permissions, options and rules | Chapter 5, Installing the Sanctuary Management Console
Install the Sanctuary Synchronization script, a Novell client and NDAP on a Windows machine | Setup required to run the Sanctuary Synchronization script | Help file, User's Guides, Script Examples and Novell's guides
Define basic permissions | Be sure that everything is working correctly by defining some permissions for well-known groups | Help file, Quick Setup Guide and the User's Guides
Install clients | Begin the protection process | Chapter 6, Installing the Sanctuary Client on Your Endpoint Computers, and Chapter 8, Unattended Client Installation
Run the Sanctuary Synchronization script | Convey all eDirectory information to the database | Script Examples on page 190
Define new permissions for a Novell user in the console | Test | Help file and User's Guides
Proceed to define all of your company's policies | Protect and enforce the company's policies |
...The program is now ready to be installed.

[Figure 6.13: Sanctuary Client, the installation process is ready to start. Wise Solutions Wizard dialog "Ready to install the program": "The wizard is ready to begin installation. Click Install to begin the installation. Click Cancel to exit the wizard."]

13. Click on INSTALL to proceed. The setup takes about 2 minutes, depending on the hardware in use.

[Figure 6.14: Sanctuary Client, the installation progress. Wise Solutions Wizard dialog "Installing Sanctuary Client": "The program features you selected are being installed. Please wait while the Wise Solutions Wizard installs Sanctuary Client. This may take several minutes."]

Note: You may also see an error message if you are using Windows XP SP2 or later and the TCP port that the firewall blocks cannot be unblocked by the installation program.

14. Click on FINISH to close the dialog and complete the procedure.

[Figure 6.15: Sanctuary Client, finishing the installation process. Wise Solutions Wizard dialog "Wise Solutions Wizard Completed": "The Wise Solutions Wizard has successfully installed Sanctuary Client. Click Finish to exit the wizard."]

15. Reboot your computer when promp...
...ld also consider installing the Authorization Service (see the Sanctuary Application Control Suite User Guide) to monitor changes and create updates using Microsoft's SUS or WSUS.

Before you Install

Before you begin the installation of the Sanctuary Management Console you must:

- Ensure that the computer(s) meet the minimum requirements. See Appendix A, "Detailed System Requirements and Limitations", on page 147 for details.
- Ensure that the Sanctuary Database and Sanctuary Application Server have been installed, either on this computer or on other computers within your network. Refer to the previous chapters.

To Install the Sanctuary Management Console

To install the Sanctuary Management Console, follow these steps:

1. Log on with an account that has administrative privileges on the computer on which you are installing the Sanctuary Management Console.
2. Close all programs running on the computer.
3. Insert the Sanctuary CD in your DVD/CD drive and run setup.exe, located in the Server\smc folder.

[Dialog: Sanctuary Management Console, Wise Solutions Wizard: "Welcome to the Wise Solutions Wizard for Sanctuary Management Console. The Wise Solutions Wizard will install Sanctuary Management Console on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties." Buttons: Next, Cancel.]

Figure...
...led with diverse colors depending on the result of the different tasks. You can also right-click on the machine name and use the PROGRESS menu item to view information about the progress of the deployment.

[Figure 8.25: Sanctuary Client Deployment Tool, installation progress dialog. The Report window for computer WORKSTAT1 (status: 1 warning, progress 100%) lists the steps performed: checking the operating system (Windows XP Service Pack 2 detected), checking whether the product is already installed (4.3.0.0 is installed, uninstallation starts), checking client hardening (hardening disabled), creating a working directory under \\WORKSTAT1\ADMIN$\TEMP, copying files and the executable file.]

Here are some common mistakes to avoid:

- Trying to deploy a client package with an sx-public.key file that does not correspond to the key on the Sanctuary Application Server ("Unspecified error").
- Trying to deploy a package while the Sanctuary Application Server is offline or cannot be contacted (firewall, wrong IP address, or ...) and you did not export permissions in policies.dat, except when you are trying to do a Serverless installation.
- Trying to deploy a package on a machine where the client has just been removed and t...
...les, registry entries and dependency information. The behavior of the component is defined by the component script and component DHTML.

A dependency is an additional component required by another one to function properly. Dependencies can either cause the inclusion or exclusion of other components, or control the relative order in which components are included during the run-time image build process. This allows a component to be as small as possible while ensuring that it has all of the resources required to run correctly. A dependency can be expressed upon a single component or upon a group of components, known as a dependency group. For example, if component A requires that component B be built before it and also requires the presence of component C, the definition of component A must contain a build-order dependency upon component B and an include dependency upon component C. This data is contained within a SLD file.

SLD: File extension for an object definition file.

Functionalities and Devices Supported by Sanctuary in Windows XP Embedded

The next two tables show all functionalities and devices supported when using Sanctuary in Windows XP Embedded.

Table L.1: Functionalities supported by Sanctuary Client (Windows XP Embedded). Columns: Functionality, Windows XP SP3. Rows: Sanctuary Client Setup; RTNotify; Sanctuary Management Console Tools menu: Synchronize Domain, Send Updates to All Computers, Send Updates to...
...licy 182
To Create the Group Policy 183
To Improve Security 186
Appendix F: Using the Synchronization Script for Novell 187
What Components are Required 187
How does the Novell Interface Work 188
Synchronization Script Parameters 188
How to use Novell's Synchronization Script 189
Script Examples 190
What Can go Wrong and How do I Fix It 190
Installing your Synchronization 191
Appendix G: Using Novell Shares for your DataFileDirectory 195
DataFileDirectory Access to a Novell Share 195
Transparent Sanctuary Application Server authentication for Novell eDirectory 195
Appendix H: Installing a Certificate Authority for Encryption and TLS Communication 203
Requirements 203
Integrating DNS with Active Directory 203
Installing the Certificate Services 204
Checking Certifi...
...llowing sections.

Note: You should activate the File and Print Sharing for Microsoft Networks and Client for Microsoft Networks services on all your machines. These services are used for the Sanctuary Client deployment, eDirectory synchronization and, if you are planning to install it, SQL Server 2005 Express Edition SP2.

To Manually Open the Ports on a Computer-by-Computer Basis

1. Start > Settings > Control Panel > Windows Firewall (or click on SECURITY CENTER and then WINDOWS FIREWALL) and go to the Exceptions tab. On this tab you can choose to enable the File and Print Sharing services as well as other listed services. By enabling the File and Printer Sharing services (TCP ports 139 and 445, and UDP ports 137 and 138) you can install our client remotely using our deployment tool while all other non-selected services remain blocked. If the computer resides on a remote IP subnet, you will need to edit the service and choose Subnet as the Scope.
2. Click on OK to close the Windows Firewall control panel.
3. Restart the computer to enable these choices.

To Open the Ports on a Computer-by-Computer Basis with a .bat File

Open Notepad or your favorite text editor and type, or copy and paste, the following lines:

netsh firewall set portopening protocol=UDP port=137 name="Sanctuary UDP 137" mode=ENABLE profile=ALL
netsh fir...
...lorer, Command and Task Manager. The developer can also create a custom shell that offers a specific look for the user interface of the target device, which provides access to the applications and services required for the device and restricts access to those that are not necessary.

A custom shell is whatever application you want to appear when the Microsoft Windows XP Embedded device starts up. Using a custom shell replaces the standard Explorer Shell, Task Manager Shell or Command Shell. By using your main application as your shell, you can take the user directly to the features you want them to use and prevent them from switching to nonessential applications or accessing the control panel or file system. For example, if you are creating a retail point-of-sale (RPOS) device, you can boot directly into the RPOS application that you or a third-party vendor have created. If you are creating an Internet kiosk, you might boot directly into Internet Explorer by creating and configuring a custom component based on the existing Windows Embedded component for Internet Explorer.

Available Shells

The Explorer shell component provides support for Windows Explorer. This component configures the operating system to use the Explorer.exe application as the shell application. The Task Manager Shell component configures the operating system to use the Windows Task Manager as the shell applicat...
...loy new clients.

Figure C.4: Upgrade flowchart

D. Installing Sanctuary Components on Windows XP/2003/Vista

The information in this appendix is relevant to all Sanctuary software suite products.

Throughout this chapter we refer to Windows XP, Windows 2003 and Windows Vista. When we refer to these operating systems we are explicitly, unless otherwise noted, referring to their latest service packs:

- Windows XP SP2 or later
- Windows 2003 SP1 or later
- Windows Vista SP0 or later

By default, Windows Firewall is enabled on computers that are running Windows XP, Windows 2003 or Windows Vista. Windows Firewall closes ports such as 33115, 65129 and 65229 (if using the TLS protocol) that are used by the Sanctuary Client and the Sanctuary Application Server to communicate over TCP. Sanctuary Clients that are trying to connect to the Sanctuary Application Server will not be able to connect until an exception is set in Windows Firewall.

With these service packs, a number of changes have been made in the Remote Procedure Call (RPC) service that help make RPC interfaces secure by default and reduce the attack surface of Windows XP/2003/Vista. A Sanctuary Management Console installed on Windows XP/2003 trying to connect to the Sanctuary Application Server will not be able to do so unless the appropriat...
...ltogether.

- You do not need to know precisely which software is installed on every MetaFrame Presentation Server on your LAN or WAN.
- It does not matter how the unauthorized application entered the MetaFrame Presentation Server (through email, Internet or network share): Sanctuary Application Control Terminal Services Edition will stop it from being executed.

Installing the Server-Side Components

Given Sanctuary Application Control Terminal Services Edition's three-tier architecture, you first need to install Sanctuary's server-side components. The exact procedure has already been described in the first chapters of this guide.

The server and administrative components should be installed onto another server, not the one you wish to control. For evaluation purposes, any workstation or server will do as long as Terminal Services or MetaFrame Presentation Server is not installed on it.

Once installed, you can take advantage of the Standard File Definitions (SFD) to populate the Sanctuary Database with file signatures for your operating system. If this was not done during the installation, you can proceed to the Sanctuary Management Console and select Tools > Import Standard File Definitions from the menu. In the dialog that is displayed, begin by selecting the lists to be imported: click the Add button (you will find them in the SFD folder on the Sanctuary...
...m the Certificate Authority, you can either try to import it or generate it with the Wizard. You must ensure that it is signed by a private key, as shown in the following image.

[Figure 1.4: Signed certificate. The Certificate dialog (General tab) shows: "This certificate is intended for the following purpose(s): Allows data on disk to be encrypted; Protects e-mail messages; Proves your identity to a remote computer. Issued to: Administrator. Issued by: LU. Valid from 4/2/2007 to 4/1/2008. You have a private key that corresponds to this certificate."]

Using TLS for the Inter Sanctuary Application Server Communication

If your Sanctuary implementation contains several Sanctuary Application Servers and uses distributed Data File Directories (DFD), then, since confidential information is exchanged between them, it is a good idea to choose to use the TLS protocol when installing them. For example, if you plan to define read/write shadow rules (see the Sanctuary Device Control User Guide for a complete explanation), there could be a constant flow of shadowed files circulating between them. Using the TLS protocol option ensures that this data is encrypted.

[Diagram: two SXS servers, each with its Data File Directory (DFD), communicating over TCP/IP on port 65129, with an optional TLS channel on port 65229.]
...me and/or email address of the person to whom the license was issued.

- LicensedCPUs: Number of CPUs for which this license was created.
- IPAddress: The IP address assigned to the Sanctuary Application Server.

Warning: The Sanctuary Application Server refuses to start if you modify the license file, even just by changing or adding a comment or blank line.

Every computer protected by Sanctuary Client registers itself in the online table of the Sanctuary Application Server during the boot sequence of the client. Counting these entries gives the number of clients. This licensing mode is ideal for corporate environments where there is essentially one user per computer.

In ASP and Terminal Services environments, one computer may support hundreds of users. In these situations the license is expressed in terms of sessions, a session being created when a user logs on and removed when a user logs off. Inaccuracies are created by services (programs that run unattended in the background) if the administrator has configured them to run with the identity of a regular user instead of LocalSystem, and by server software that verifies the identity of its users by simulating a logon (an example would be IIS with password-protected pages). In addition to that, users may create additional sessions using secondary logon services (the runas command in Windows 2000/XP/2003/Vista). In either case, Lumension adjusts the actual license limits to account...
...mited and basic, and therefore do not use TLS. The Sanctuary Application Server sends a short message informing the client to call back with an ID number, nothing else. This message, although not encrypted, is signed. The Sanctuary Client then opens a connection channel with the Sanctuary Application Server, either using TLS or not as defined when installed, and sends back the ID number. The Sanctuary Application Server(s) verify that there is a pending request for this communication and instruct the client what to do next.

The callback message (see also Chapter 1, "Using TLS for the Inter Sanctuary Application Server Communication", on page 10) is authenticated using the private/public key pair, which must be generated before installing the Sanctuary Application Server. Messages are always signed with the server's private key, and clients use the corresponding public key to guarantee that the messages come from genuine servers.

Since the messages exchanged with the server do not contain confidential data, there is no need to encrypt them; i.e. using TLS for push messages would not provide any significant benefit.

When the communication mode used is TLS, the Sanctuary Client:

- Checks that the size of the package received is at least big enough to hold the server signature, rejecting any packages smaller than this minimum size.
- Rejects packages that are bigger than the maximum allowed size.
Table J.2: Installation checklist (continued). Each row has Done and Resolved check boxes.

Description | Comments | Reference
Install MDAC 2.6 SP1 (already installed with SQL 2000 SP4) | | Microsoft's Web site
If doing central encryption or using TLS for your clients, install a Certification Authority | | See Sanctuary Device Control User Guide
Install Sanctuary Application Server | Are you going to have a single Sanctuary Application Server? Define a fixed IP for this machine; configure DHCP/DNS correctly | Windows manuals or help file; see "Before you Install" on page 18
If installing on a different machine from that of the database, check that the Sanctuary Application Server has the proper rights to use the database | | See "Before you Install" on page 18
Check license file | | See "Before you Install" on page 18
Generate key pair to encrypt communication between server(s) and clients (only once) | | Chapter 3, Using the Key Pair Generator
Install the Sanctuary Management Console | Are you going to have a single Sanctuary Management Console? | Chapter 5, Installing the Sanctuary Management Console
Synchronize domain members to fill up the database | | Chapter 9, Using the SXDomain Command Line Tool
Install client on Console machine | Are you planning to centrally encrypt media? if... | Chapter 6
...mple permissions rules for the well-known accounts (Everyone, LocalSystem, etc.) using the Console installed in step 3. See the Quick Setup Guide.

Install or deploy the clients through your network to start the protection process. To install a single client, run setup.exe located in the CLIENT folder of your installation CD; to deploy several of them, consult Chapter 6, "Installing the Sanctuary Client on Your Endpoint Computers", on page 61 and Chapter 8, "Unattended Client Installation", on page 93.

Note: If you are installing or uninstalling the Sanctuary Client on a Vista machine with Vista's UAC functionality turned on, you must use setup.exe, not Control Panel > Add/Remove Programs; otherwise the operation will fail.

Ensure that the clients are communicating with the Sanctuary Application Server and that the policies defined in step 5 are enforced.

Run the script

c:\> cscript.exe path_to_folder\NDSSync.vbs <Novell Server> <Tree>

as Administrator on the client machine installed in step 6. You can optionally add the SQL server parameters to the script:

c:\> cscript.exe path_to_folder\NDSSync.vbs <Novell Server> <Tree> <SQL Server> <SQL User Name> <SQL Password>

You can run this script manually from time to time if there are not too many changes in your eDirectory structure, or automatically using a scheduler software application. See an example in Chapter 9, "Scheduling Domain Synchronizations", on page 135.

Note: If you are usi...
...n a production network. The license file is only required when doing a Serverless installation.

Note: If any of the public key, policies file or license (in the case of an installation...

Using the Sanctuary Client Deployment Tool to Install the Sanctuary Client

The Sanctuary Client Deployment Tool is designed to allow you to silently deploy the Sanctuary Client on a list of machines. Once the deployment package has been created, you can start the deployment using the following procedure:

1. Select Sanctuary Client Deployment Tool from the Start > Programs > Sanctuary menu. The Sanctuary Client Deployment Tool dialog is displayed.

[Figure 8.12: Sanctuary Client Deployment Tool, first screen. The window has a Packages list (columns Name, Key, Progress, Product; e.g. SanctuaryClient and a "Special package", both Sanctuary Client 4.x) and a Computers list (columns Domain/Workgroup, Progress, Status), with New Package and Add Computer buttons.]

2. Click on Add Computer, located in the lower part of the window, or select Computer > Add from the menu bar. One of the following dialogs is displayed, depending on your operating system.

[Select Computers dialog showing the secure.com domain tree: SECSRV.secure.com under Domain Controllers, CLIENT.secure.com under the SALES OU, and further entries under Computers ... Cli...]
...name. For a local account: User Account: Domain\user_name; Password.

[Figure 4.6: Sanctuary Application Server installation, Service account dialog. Buttons: Back, Next, Cancel.]

Domain accounts should be entered as DOMAIN\User, while local accounts should be prefixed by the computer name, e.g. COMPUTER\User. The domain specified here will be the one that gets synchronized by default at the end of the setup.

Note: Setup checks the validity of the password. You must precede the user name with the domain or workstation name and a backslash. The account you enter must have full access to the database and to the computer containing the DataFileDirectory, where the Sanctuary Application Server log, shadow and history files are stored.

Warning: Before attempting to connect to a remote server, you must grant the service account the rights to connect to and use the database. You must therefore log on to the computer where the SQL Server or Client is running and grant the user the necessary rights, either by means of the SQL Server Enterprise Manager or using the grantdb.exe utility located in the BIN\TOOLS folder of the Lumension CD. Local users should be mirrored (same user name and password) on both servers.

10. Specify the SQL Server instance that the Sanctuary Application Server should connect to. To do this, enter the name of the machin...
...nd pushes the option, and then issues another event log message informing whether the set/push was successful. The purpose of this message is to notify the administrator that there was a spread-check action.

VerboseSyncLogging: If set to yes, the Sanctuary Application Server will log all the important attributes of the objects that it retrieves during a domain synchronization. In order to see the results in the Sanctuary Application Server log file, the "Log to file" value must be set to yes. If the "Log to file" value is already set to yes, you do not need to restart the Sanctuary Application Server service for the VerboseSyncLogging value to be taken into account. You should not set this option to yes permanently, for performance reasons. You should specify a R/W path, accessible by the Sanctuary Application Server service account, for this log file.

General Registry Keys

These registry keys are the general ones.

Table B.4: Sanctuary Application Server registry keys, general keys

Key | Description | Default
AdoVersion | A string representing the version of ADO objects to use. For Windows 2000 try .2.5. Note that the leading dot must be present unless an empty string is given. | (see description)
Concurrency | How many running threads are allowed by the IOCP. 0 (zero) means auto and is equivalent to one thread per CPU. Minimum 0, maximum MaxThreads. | (not legible in the source)
...nd prompt to run the file from this directory.

The SXDomain Parameters

The SXDomain command line should be entered as follows:

SXDomain s servername domain1 domain2 ...

The parameters in this command line are defined below:

s servername: The fully qualified domain name or IP address of the computer on which the Sanctuary Application Server is running.
i: Instructs the utility to read the domain names to add or synchronize from a standard input stream (interactive mode).
(flag not legible in the source): Instructs the utility to write the domain names that could be neither added nor synchronized to the standard error stream.
u username: The user name used to authenticate on the remote computer. Do not include the domain prefix, only the user name.
p password: Password. SXDomain prompts you for one if it is not supplied.
q: Do not prompt for the user's name or password if they cannot be authenticated.
domain: The name of the domain(s), computer(s) or IP address that you want to add or refresh. If you do not use the i parameter, you must at least specify a list of domains to work with.

[Figure 9.1 (diagram): SXS queries the directory using LDAP (Windows AD). Once synchronized, all users, user groups and computers are available in the Sanctuary Management Console for permission definition. You can also force an update using the sxdomain.exe utility.]

Figure 9.1: Act...
...nd public key files.

2. Enter any random text into the Seed edit field. This is used to initiate the random number generator.
3. Click on Generate. The key pair is generated. A dialog similar to the following one is displayed.

[Figure 3.2: Key pair generation, final message. Key Pair Generator dialog: "Your key pair has been saved to the files C:\temp\sx-public.key and C:\temp\sx-private.key. Please make sure that your private key is not exposed to unauthorized persons."]

4. Click on OK.

Deploying the Key Pair

The key pair can now be distributed. To do this, copy the private key file (sx-private.key) and the public key file (sx-public.key) to the computer(s) where you will be installing the Sanctuary Application Server. On startup, the Sanctuary Application Server checks for the key pair in the following locations:

1. The directory where the Sanctuary Application Server executable is installed, usually %SYSTEMROOT%\SYSTEM32.
2. The Sanctuary Application Server's private directory, whose recommended location is %SYSTEMROOT%\SXSDATA.
3. All removable drives and DVDs/CDs, in alphabetical order.

The search stops at the first valid key pair.

Note: When a new key pair is generated to replace an existing one, you must restart the Sanctuary Application Server service in order to start using the newly generated...
needed/wanted in order to assign permissions. If you have planned to assign permissions for specific models or uniquely identified media (CD/DVD or removable devices), add them to the database.

Assign permissions and options based on the company policy and the Devices/Applications inventory, and define the Sanctuary Administrators: Assign the permissions for the devices, media and software to the domain groups. Also define the Sanctuary Administrators.

Install a Sanctuary Client on a test workstation: Install the client software on a test workstation and connect it to the server components.

Validate the test client installation and permissions: Test your installation for functionality and validate the permissions defined in the previous step. If necessary, adapt the permissions and update the Company Policy.

Prepare and test the Sanctuary Client Deployment Tool package: Prepare the deployment package of the Sanctuary Client software based on the instructions of this Sanctuary Setup Guide and your existing internal procedures. Check the public key file, the policies exportation data and the MST (Installer Transform) file.

Deploy the client software: Deploy Sanctuary Client to all client computers. Read the notes regarding policy exportation.

Installation checklist

The following table guides you through the steps needed to install the Sanctuary solution from A to Z.

Installation Checklist De
ng Microsoft SQL 2005 SP1, you should specify the SQL server (and optionally the user name and password) even if it is local to the machine, as local\SQLExpress:

c:\> cscript.exe "\\path to folder\NDSSync.vbs" Novell_Server Tree local\SQLExpress

9. When the script finishes, open the Sanctuary Management Console. You can now select the user accounts, groups, workstations and OUs when defining permissions. Create a simple permissions rule for a device/application. Send the updates to the client machines.

10. Test the enforcement of the new permissions rule defined in the previous step.

Note: If you use the NDSSync.vbs script to connect to the Sanctuary Database from a remote computer, SQL Authentication is used. This is also the case when the database and console are installed on the same machine and you log in as a different user. If you installed SQL 2005 Server Express Edition with our installation wizard, or manually using the Windows Authentication mode, the login options of the script cannot be used. In this case it is impossible to synchronize Novell's eDirectory using, as NDSSync.vbs script parameters, user credentials different from those of the system administrator of the Database Server machine.

The following table summarizes the previous steps.

Table F.2 Novell quick guide installation steps
Reference | Description | Purpose
1 Instal
not find the public/private key pair.

ONLY the public key file (sx-public.key) should be deployed to all client computers by means of the Sanctuary Client setup. You should copy the Client folder from the product media to a network share and copy sx-public.key into this folder. Setup will detect that a new public key is present and will copy it to the target computer.

Note: For machines that already have Sanctuary Client installed, copy the public key file (NOT the private key file) to the %SYSTEMROOT%\SXDATA directory of the client computer (typically C:\WINDOWS\SXDATA). You must reboot the machines to receive the new settings signed with the matching key pair.

4 Installing the Sanctuary Application Server

This chapter explains how to install the Sanctuary Application Server on the computers that are going to be servers for the application. Whereas Chapter 1, Installing Sanctuary's Components, provides an overview of the entire setup, this chapter focuses exclusively on the Sanctuary Application Server. The information in this chapter is relevant to all Sanctuary software suite products.

Note: Be sure to generate a key pair before proceeding to install the Sanctuary Application Server(s). See Chapter 3, Using the Key Pair Generator, on page 29 for more information.

When you install the Sanctuary Application Server, a number of tools are
nsole and the Sanctuary Application Server. See Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, on page 175.

Figure 5.6 Sanctuary Management Console installation: Remote Procedure Calls warning (Setup dialog: "Microsoft introduced important security changes concerning Remote Procedure Calls with Windows XP SP2 and Windows Server 2003 SP1. If you installed your Sanctuary Application Server on this operating system or a later one which is subject to the same security restrictions, the management tools will not be able to communicate with the server unless Setup sets the EnableAuthEpResolution registry value. Details about this registry value are provided on the Microsoft web site. Do you want setup to set this registry value? Yes / No")

The final dialog indicates that the installation has been completed successfully.

Figure 5.7 Sanctuary Management Console installation: Finishing the installation (Wise Solutions Wizard: "Setup has finished installing Sanctuary Management Console. Click Finish to exit the wizard.")

10. Click on the FINISH button to close the dialog and end the procedure.

By default, only users that are members of the Administrators group of the computer running th
nstallation of Sanctuary Application Server has been detected on this computer and is going to be upgraded. WARNING: This program is protected by copyright law and international treaties. Upgrade / Cancel")

Figure C.1 Sanctuary Application Server upgrade: First step

4. Click Next to continue. You are now asked what kind of communication protocol the Sanctuary Application Server should use. You can choose among:
v3.1 or older
v4.0 or older
v4.1 or newer

5. Choose your option from the list. You can always change this setting later by modifying the CommVer registry key; see Table B.8 on page 162 for more information.

(Wise Solutions Wizard, Server communication protocol: "Specify the version of the communication protocol supported by the Sanctuary Application Server. This edition of Sanctuary uses a superior communication protocol between the Server and the Client. If this Server will only be used to communicate with these enhanced clients, it is recommended to disable the support of older protocols by the Server. Specify an older communication protocol version only if older client versions will connect to this server. Server communication protocol version: Version 4.1 or higher")

Figure C.2 Sanctuary Application Server upgra
ntact or exported policies to use and you are installing Sanctuary Application Control Suite, applications are NOT blocked until the first contact has been established.

After finishing the installation you now have all the required components copied in the selected installation folder, several directories created and all the required registry keys generated on the client machine.

(Screenshot: Sanctuary Client status window listing the device classes, with a Windows Security Warning dialog: "You are about to install a certificate from a certification authority (CA) claiming to represent: Sanctuary. Windows cannot validate that the certificate is actually from Sanctuary. You should confirm its origin by contacting Sanctuary. The following number will assist you in this process: Thumbprint (sha1): 8B77F3A6 3E0DD995 3562B0D4 EE61DFA2 2DEA312C. Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click Yes you acknowledge this risk. Do you want to install this certificate?")
ntained on the link below: Terms and Conditions of Use. If you do not agree to these Terms and Conditions of Use ... (Omnibus End User License Agreement (EULA), Product Use Rights, Maintenance, Product Support; "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement"; Back / Cancel)

Figure K.2 License agreement

6. In the next step you must decide whether or not the Sanctuary Client uses the TLS protocol to communicate with the Sanctuary Application Server (SXS). We recommend selecting the TLS protocol (encrypted); you must already have a valid certificate for the machine. You can use the first option (non-encrypted communication, but still signed with the private key) for testing purposes. Click Next.

7. Enter the server name of at least one Sanctuary Application Server on your network. You can enter up to three server names. The dialog accepts fully qualified domain names (FQDN) or IP addresses. You can also proceed without providing a server address. Do not use IP addresses if you are going to use the TLS protocol for communication encryption.

(Sanctuary Client Wise Solutions Wizard, Sanctuary Application Servers: "Enter the names or IP addresses of the Sanctuary Application Servers in your organization. Click Test to check the conn
ntenance, Product Support; "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement")

Figure 4.2 Sanctuary Application Server installation: License agreement

5. If you accept the terms of the license agreement, select the "I accept the terms in the license agreement" option and click on Next. You can also click on any of the three available buttons to read the license agreements.

6. If you are using an operating system subject to the security changes concerning the RPC (Remote Procedure Call) protocol (Windows XP SP2 or Windows Server 2003 SP1 or SP2), the registry key EnableAuthEpResolution must be changed.

Figure 4.3 Sanctuary Application Server installation: RPC warning (Setup dialog: "Setup has detected that it is running on an operating system that is subject to the security changes concerning Remote Procedure Calls that Microsoft introduced with Windows XP SP2 and Windows Server 2003 SP1. In order to continue, Setup has to make RPC calls to the SecureWave Application Server; this means that a registry value named EnableAuthEpResolution has to be set before continuing. Details about this registry value are provided on the Microsoft web site. Do you want Setup to set the EnableAuthEpResolution registry value now? Yes / No")

See Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, for more information.
o communicate through the configured Proxy, if available.

Figure 1.1 Sanctuary's architecture

Note: We do not describe the installation of Microsoft SQL Server in replication mode in this guide.

Note: We assume that the TCP/IP protocol is configured properly (network card working, protocol installed, IP address and mask defined, DNS and Gateway configured, machine in the domain and with the correct name; consult the Windows help file) and that the proper ports are opened prior to the installation: 65129 on the server side and 33115 on the computer used as a client, as shown in the following image.

Figure 1.2 Sanctuary's TCP/IP configuration (diagram: Application Server, port 65129 TCP/IP and TLS port 65229 if used; computer to protect, port 33115. If the Application Server initiates the communication, the information goes through port 33115 and the server expects that the client responds using the same port. If the client initiates the communication, the information goes through port 65129, or 65229 if TLS is used. Communication can also be done using the proxy server configured for IE, port 443, only if using TLS.)

To Install Sanctuary Products

Although Sanctuary Software is an extremely powerful security solution, its setup is straightforward. The installation routine can be broken down into the following stag
o the registry values are only effective after a reboot of the client computer.

Sanctuary Command & Control (SCC) is in charge of all communication between the server, the client(s) and the CA server. Its keys are located in HKLM\SYSTEM\CurrentControlSet\Services\scomc\parameters. The following table contains details of each registry key entry for SCC; all these entries are of type REG_SZ (string value).

Table B.9 Client registry keys (1/2)

CertGeneration. Description: "yes" means that the client is in automatic mode and requests the needed certificate; "no" means that the client is in manual mode (the certificate has to be generated manually). Default: defined during client installation.

Debug (optional). Description: Use for debugging purposes; you must reboot in order to make it work.

FirstServer (optional). Description: If this is greater than or equal to the number of IP addresses in the list located in the Servers key, Sanctuary Client will use this value as a zero-based index into the list. If a server cannot be contacted, the next one is used in a round-robin fashion. If the key is missing or has a -1 value, existing servers are randomly chosen.

Table B.9 Client registry keys (1/2), continued

HardeningMode. Description: Displays the level of permissibility allowed to modify, repair or remove the client registry keys or special directories: disabled, basic or extended. Default: disa
ock the use of the RegEdit.exe program for all users by using our Sanctuary Application Control Suite component.

Note: The %INSTALLDIR% directory points to the folder where the program was installed. It is usually C:\Program Files\Lumension Security\Sanctuary, but can refer to another folder. %SYSTEMROOT% is usually C:\Windows.

Installing the Sanctuary Client on Your Endpoint Computers

The Sanctuary Client is the software used to manage the devices and/or applications on the endpoint computers/servers. This chapter explains how to install the client on the endpoints you want to manage when you only have a few computers in your system, or for testing purposes. To deploy our client in large organizations, or when you cannot visit each computer individually, we recommend using our specialized software tool described in Chapter 8, Unattended Client Installation.

The Sanctuary Client communicates with the Sanctuary Application Server(s) to retrieve application/device control policies. This is done using a TCP/IP connection with signed (always) or encrypted communication, depending on the installation options. If this connection cannot be established using the Fully Qualified Domain Names (FQDN) or IP addresses, the driver tries to use the Proxy configured for Internet Explorer (if available) to locate a valid Sanctuary Application Ser
oduct, delete the driver entries and use the recovery console. In addition to this, viruses will execute using administrative privileges unless you are using a component of our Sanctuary Application Control Suite (Sanctuary Application Control, Sanctuary Application Control Server Edition or Sanctuary Application Control Terminal Services Edition). Consequently, it is not a good practice to grant users administrative rights to their computers. It is impossible to control/manage a desktop when the user has local administrative rights (hence a higher TCO). Nevertheless, some special programs require administrative rights to run properly. You can easily find tools that allow users to run programs with administrative rights only when needed; RunAs Professional is one of them.

Note: Sanctuary's Client Hardening feature will protect Sanctuary's clients from possible tampering even if the user is an administrator. See any of the User's Guides for more information.

Power Users

Users who are members of the built-in Power Users group are a special case which requires careful consideration. Power Users have elevated permissions and privileges on their local machines (depending on the operating system version) and can generally install and run applications, change permissions, customize settings, modify and create accounts, etc. This may give them an unwant
of the programs that form our Sanctuary Application Control Suite, you have to ensure that the computer and user group Blocking Mode option is set to the appropriate unblocking value. If this is not done, the setup cannot proceed, as it would be classified as an unknown executable that needs authorization.

2. Stop the Sanctuary Application Server service. This service can be started and stopped through the Windows Services Panel or using the command line (net stop sxs and net start sxs). The setup Wizard stops, updates and starts the service automatically without your intervention only if the Sanctuary Application Server resides on the same machine as the Sanctuary Database. If you are using several Sanctuary Application Servers, please stop their respective services manually before proceeding.

Note: We strongly recommend backing up your database before updating Sanctuary.

3. Update the Sanctuary Database in your SQL server (SQL Server 2000 SP4, 2005 SP2 or SQL Server 2005 Express Edition SP2).
4. Update all existing Sanctuary Application Servers.
5. Update the Sanctuary Management Console.
6. Finally, update the Sanctuary Client(s).

Warning: Old Sanctuary Management Consoles simply refuse to communicate with a more recent Sanctuary Application Server.

Warning: A Sanctuary Client update requires a reboot.

Warning: Never change the key pair during a Sanctuary upgrade where client hardening is switched on; otherwise your up
oft Corporation. Description: The Certificates snap-in allows you to browse the contents of the certificate stores for yourself, a service or a computer.)

Figure H.7 The certificate snap-in

7. In the Certificates Snap-in dialog, choose "My user account" and click Finish, Close and OK.

Figure H.8 The certificate snap-in: User account

8. Open the Personal node of Certificates - Current User. You should see at least one entry with the "Encrypting File System, Secure Email, Client Authentication" setting in the Intended Purposes column.

(MMC console, Console Root\Certificates - Current User\Personal\Certificates: one certificate, expiration 5/10/2007, Intended Purposes: Encrypting File System, Secure Email, Client Authentication. Personal store contains 1 cer
og.

9. Click on the OK button to open the Permissions entry dialog.

(Active Directory Users and Computers, domain lu: Properties > Security > Advanced Security Settings > Permission Entry for lu, Object tab. Name: Administrator (LU\Administrator); Apply onto: Computer objects; permissions listed include Create Printer Objects, Delete Printer Objects, Create Shared Folder Objects, Delete Shared Folder Objects, Allowed to Authenticate, Change Password, Manage Sanctuary Settings, Receive As, Reset Password, Send As, Validated write to DNS host name, Validated write to service principal name; "Apply these permissions to objects and/or containers within this
ogon scripts.

Certain kinds of device access are not performed in the context of the user who initiated the access. Instead, a proxy that normally has privileged access to the system (a service or a driver) carries them out. DVD/CD writing is one example; there are a few other ones: modems, scanners, smart card readers, printers (either USB or connected to the LPT port) and unknown devices. When the Sanctuary Client Driver detects such proxy access, it tries to determine the identity of the user who initiated the access. This is done successfully when there is only one interactive user. The user cannot be determined when there are active RunAs logon sessions. When the Sanctuary Client Driver detects RunAs logon sessions, and only for the DVD/CD burning, modems, scanners, smart card readers, printers (USB or LPT) and unknown devices classes, the RunAs logon sessions are mapped to the interactive logon session with the same session ID. Thus, all RunAs processes will have exactly the same access as the interactive user who launched them. Using the RunAs command to change the level of access to these devices is not possible.

Example 1: Bill has no access to DVD/CD. John has Read/Write access to DVD/CD. If Bill uses a RunAs command to run the DVD/CD burning software under the credentials of John, he will not be able to create new CDs. Bill will have to log off and log on as John to create new DVDs/CDs. Since writing a DVD/CD requires a proxy, it is subject
omputers.

Warning: If there is no Sanctuary Application Server to contact or exported policies to use and you are installing Sanctuary Application Control Suite, applications are NOT blocked until the first contact has been established.

9. Choose between spreading the load through all selected servers (random load balancing) and selecting them in the order provided in the fields. To do this, activate or deactivate the "Select a server at random to spread the load" option.

10. Click on NEXT to proceed. The server address is validated, but you can still continue if it is invalid or unspecified.

Figure 6.8 Sanctuary Client: No address specified (Setup dialog: "Please enter at least one valid address or computer name")

Figure 6.9 Sanctuary Client: No valid address specified or cannot contact server (Setup dialog: "Could not connect to server secsrv1:65129. Info: using default public key. Failed to resolve server name. No import file is provided. If you continue, the client will start with its default but restrictive policies. Click Yes if you want to continue because the servers will become available later. Click No if you would like to correct the server addresses or provide an import file." Yes / No)

(Error dialog: "Could not connect to server lux secure:65228. Info: using default public key. Failed to resolve server name a
omputers you want to add to the list, click on OK. The selected computers are now listed in the Sanctuary Client Deployment Tool dialog, as shown below.

Figure 8.16 Sanctuary Client Deployment Tool: Selected computer(s) (Computers panel listing Marketing, Sales and Client in the lu Secure domain/workgroup, with Progress and Status columns)

Note: If the current or a newer version of the client is already installed on a machine you select, it cannot be re-installed again.

5. Choose whether or not the client will be communicating with the Sanctuary Application Server(s) using the TLS protocol (see Transport Layer Security on page 6) and select the reboot options.

Figure 8.17 Sanctuary Client Deployment Tool: Selecting the TLS protocol (Install/Uninstall Reboot Options dialog: "When a reboot is needed at the end of a deployment: Reboot after 20 second(s); Force reboot even if some applications are opened; Generate Endpoint Maintenance from SXS Server"; Certificate generation mode: Use TLS; No certificate generation / Automatic certificate generation / Semi-automatic certificate generation; OK / Cancel)

To select the TLS protocol, right-clic
To Create the Group Policy (GPO)

1. Open the Group Policy Management console (Start > Run > gpmc.msc).

Figure E.1 Open firewall ports: Select domain and forest (Group Policy Management console showing Forest: secure.com > Domains > secure.com, with Sites, Group Policy Modeling and Group Policy Results)

2. Select the Forest and the Domain for which you want to create a Windows Firewall Policy.

3. Right-click on the entry for Default Domain Policy and select EDIT.

(Group Policy Management console, Forest: secure.com > Domains > secure.com > Default Domain Policy, with Domain Controllers, Group Policy Objects, WMI Filters and Sites; Default Domain Policy, Scope tab: "Display links in this location: secure.com. The following sites, domains and OUs are linked to this GPO: Location secure.com, Enforced No, Link Enabled Yes, Path secure.com. Security Filtering: The settings in this GPO can only apply to the following groups, users
on attempts fail. When installing in Serverless mode you can also control policies by first exporting them to a special file (policies.dat), and you must include the license file. See To Install Sanctuary Clients on page 63 for details.

If you are planning to do client maintenance, it is important that the server address(es) are reachable, since they are also used to retrieve the Endpoint Maintenance Ticket needed to manage the clients (if installed in Client Hardening mode) and their associated directories and registry keys. Please consult your corresponding User's Guide and Uninstalling the Sanctuary Client on page 79 for more information.

The following list shows all the possibilities:

Valid server, no policies file present: Deploy succeeds using the server information.
Valid server, a valid policies file is present: Deploy succeeds importing the policies file.
Invalid server, no policies file present: Deploy fails.
Invalid server, a valid policies file is present: Deploy succeeds importing the policies file; as soon as a server becomes available, it is used as the permissions/authorization source.
No server found, no policies file present: Deploy succeeds, enforcing Sanctuary Device Control and/or Sanctuary Application Control permissions starting with the built-in restrictive policies (a valid Sanctuary license file has to be placed along with the msi package).

> Stan
on license provides you with the full functionality of Sanctuary software, but with the following limitations:

It only lasts one month.
No more than 10 Sanctuary Application Servers can be installed in parallel.
No more than 100 client computers can be administered.

Full License

When you purchase one of our Sanctuary products, a new license key is sent to you by e-mail. This license key is specifically configured for the license you have purchased. You do not need to uninstall the software when switching from an evaluation license to a full license. The Sanctuary Application Server uses the new license file within an hour. If you want the Sanctuary Application Server to use the new license file immediately, restart the Sanctuary Application Server service on every Sanctuary Application Server machine where the new license file was copied.

License File Location

When you receive the license file, copy it to the %SYSTEMROOT%\SYSTEM32 folder of each computer that runs Sanctuary Application Server. It is not required to be present on client machines.

Warning: If you are using more than one Sanctuary Application Server, the same license file must be used on all the servers.

License File Format

A Sanctuary license file comprises a series of name and value pairs, one per line. It includes the following important information:

ProjectName: Identifies the software product for
ons: Add, Remove, Import, Export, Change TLS mode, Reboot, Query, Progress details, Open last log.

Figure 8.39 Computers panel context menu

The Options Screen

If you select the Options item in the Packages menu, the following dialog appears, allowing you to modify the Sanctuary Client Deployment Tool options.

Figure 8.40 Sanctuary Client Deployment Tool menus: Options screen (Options dialog: "Directory where deployment's copies are stored: C:\deploy"; "Maximum number of working threads (default 128): 128"; "The maximum number of working threads is reached when the number of computers is equal or above (default 5000): 5000"; OK / Cancel)

The first field lets you choose the folder where you would like to store all the deployment packages.

Warning: Do not specify the root directory of the system drive or any other directory where existing files reside or might be created by other applications.

Note: If the deployment tool is installed on different machines, you might want to specify a shared directory where all instances of the deployment tool can access the company packages.

The value of the maximum number of working threads defines the highest number of deployment tasks that the program can perform in parallel. Choosing a lower value reduces the impact on the computer and network performance. Choosing a higher value allows faster depl
oot\SxsData folder.

Install the first Sanctuary Application Server: Install the first Sanctuary Application Server taking into account the following: use the Sanctuary Application Server service account; connect to the DBMS that hosts the Sanctuary Database; use the defined Network Share for the DataFileDirectory.

Install additional Sanctuary Application Servers and licenses: If more Sanctuary Application Servers are needed, you can proceed to install them following the same steps as for the first Sanctuary Application Server. You need a license for each installation. After each installation, copy your own key pair so that all Sanctuary Application Servers are using the same one.

Table J.1 Implementation actions (continued)
Description

Install the Sanctuary Management Console: Install the console on the selected machines. Also install the client on the same machine(s) if you are using Sanctuary Device Control and you are planning to centrally encrypt devices and authorize media.

Schedule Domain and Novell's objects synchronization: Schedule a task with the command line tool sxdomain.exe that will synchronize all relevant objects from your domain into the Sanctuary Database. Create another task if you are working in a Novell environment (NDSSync.vbs).

Add devices and media from your inventory into the Sanctuary Database if
orrect, the setup continues. All permissions for the client are retrieved from the server(s) specified in this dialog.

You specify a momentarily unavailable address, an invalid address or no address at all: The setup continues after warning you. You can use this mode to deploy the Sanctuary Client on machines that are not currently connected to a Sanctuary Application Server but where you want or need to apply predefined permissions (devices and/or executables) that should be immediately activated after the setup ends. In this latter case you also need to generate the policies.dat file (see your corresponding Administrator's Guide). If this file is not available, the default built-in restrictive settings are applied.

There is a valid server and the policies.dat file exists: Policies are imported from this file.

Table 6.1 Server address and import file relationship
Sanctuary Application Server address | Import file (policies.dat) | Resulting action
Valid and reachable | Not present | The settings are taken from the server.
Valid and reachable | Present and valid | The settings are taken from policies.dat.
Valid but not reachable (no address provided, invalid address) | Not present | The settings are the predefined ones (most restrictive; see notes and warning below) until a server can be contacted and the permissions updated.
Valid but not reachable (no | Pres
over is present to run the services if the primary fails.
Failback: Operation in which a cluster is back up and running after a failover. Control passes back to the active (primary) computer of the cluster.

Note: The same operating system must be installed on all nodes of a cluster database server.

Requirements

Database clustering requires:
- At least two servers, up to the maximum that the operating system used in the cluster supports.
- Two network adapters per server: one to communicate with clients, the other to communicate between the nodes that form the cluster (heartbeat). If only two computers are used, you can join them with a simple crossover cable.
- A shared disk array (SAN or SCSI device) to host the database.
- Microsoft Cluster Service (MSCS) to form the cluster. This is provided with the Windows operating systems.
- One instance of SQL Server 2000 SP4 or 2005 SP2, including the SQL Server, SQL Server Agent and Full-Text Search services.

To Implement a Database Cluster

1. Define the cluster using Microsoft Cluster Service (MSCS). To do this you need to name the cluster, add nodes to it, configure the network interfaces to define which are public and which are private (heartbeat), and finally test the cluster configuration. MSCS provides three cluster models:
   - Single node server cluster: does not provide failover. This model is mainly used to organ
oyments if there are enough computer and network resources available.

The maximum number of working threads (simultaneous requests) specifies the number of simultaneous transactions that the tool can handle. The default value is 128. Changing this value throttles the installation, minimizing latency for the transactions that are performed. Reaching the maximum number of configured threads is not necessarily undesirable: it means that the tool needed this many threads at peak load, and as long as it is able to serve them in a timely manner it is adequately tuned. At that point, however, new connections are queued, and the queue can overflow during large installations. If you monitor your server's performance regularly and notice that it is lagging, consider increasing the thread limit.

The third parameter defines the number-of-computers threshold at which the maximum number of threads is used. This parameter specifies how the threads (previous parameter) are divided among the possible computer installations. To compute the number of simultaneous requests, the tool counts the active requests, adding one when a new request arrives and subtracting one when a request finishes. The tool then checks whether it is already processing the maximum number of requests; if it has reached the limit, it defers processing new requ
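The following Python model is added here as an illustration; it is not Lumension code and not the Client Deployment Tool's implementation. It simulates the admission control described above: a counter that goes up when a request arrives and down when one finishes, with new requests deferred once the configured maximum is reached. The class and function names, the deferred queue, and the rule by which the computer threshold scales the thread budget below the threshold are assumptions; the default of 128 threads is the guide's own figure.

```python
# Added example: a model of the Client Deployment Tool's thread throttling
# as the guide describes it. Not Lumension code; names and the threshold
# scaling rule are assumptions for illustration.
from collections import deque
import math


class DeploymentThrottle:
    """Admission control for deployment requests.

    active   - number of requests currently being served
    deferred - requests that arrived while the limit was reached
    peak     - highest number of concurrent requests observed
    """

    def __init__(self, max_threads=128, computer_threshold=128):
        if max_threads < 1 or computer_threshold < 1:
            raise ValueError("limits must be positive")
        self.max_threads = max_threads
        self.computer_threshold = computer_threshold
        self.active = 0
        self.deferred = deque()
        self.peak = 0

    def thread_budget(self, target_computers):
        """Threads allowed for a run against target_computers machines.

        ASSUMPTION: at or above the threshold the full maximum is used;
        below it the budget scales with the number of targets."""
        if target_computers >= self.computer_threshold:
            return self.max_threads
        return max(1, math.ceil(self.max_threads * target_computers
                                / self.computer_threshold))

    def submit(self, host, budget):
        """Count a new request; start it, or defer it if the limit is reached."""
        if self.active < budget:
            self.active += 1
            self.peak = max(self.peak, self.active)
            return "started"
        self.deferred.append(host)
        return "deferred"

    def finish(self, budget):
        """Count a completed request and start one deferred request, if any."""
        if self.active == 0:
            raise RuntimeError("finish() without an active request")
        self.active -= 1
        if self.deferred and self.active < budget:
            host = self.deferred.popleft()
            self.active += 1
            self.peak = max(self.peak, self.active)
            return host
        return None


def simulate(hosts, max_threads, computer_threshold):
    """Push every host through the throttle at once, then drain the queue.

    Returns (budget, peak concurrency, longest deferred queue)."""
    throttle = DeploymentThrottle(max_threads, computer_threshold)
    budget = throttle.thread_budget(len(hosts))
    for host in hosts:
        throttle.submit(host, budget)
    longest_queue = len(throttle.deferred)   # queue is longest before draining
    while throttle.active:
        throttle.finish(budget)
    return budget, throttle.peak, longest_queue


if __name__ == "__main__":
    # Constructed sample: 300 machines against the default of 128 threads.
    targets = [f"pc{i:03d}" for i in range(300)]
    print(simulate(targets, 128, 128))   # (128, 128, 172)
```

The longest-queue figure is what the paragraph above warns about: with 300 targets and the default limit, 172 requests wait behind the 128 running ones, and that backlog, not the thread count itself, is what can overflow on a large rollout.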
p network properly configured.

If you are using Novell:
- NDAP installed on the machine you are going to use to synchronize your eDirectory structure. We recommend installing it on the same machine as the database server.
- ZENworks client, optionally installed on the client computer.

The Sanctuary Database

The database holds permissions, logs, available online machines, users, devices, etc. There is only one database per organization, but you can use SQL clustering for disaster-recovery purposes.

Software
The Database component requires a Microsoft SQL Server database. This can be Microsoft SQL Server 2000 SP4, 2005 SP2, 2005 SP2 64-bit, or Microsoft SQL Server 2005 Express Edition SP2. If you do not have a SQL server, you can install Microsoft SQL Server 2005 Express Edition directly from the Sanctuary CD.

Hardware
The hardware specifications of the database server should be the following as a minimum, depending on your enterprise size and number of clients:
- Memory: 512 MB (2 GB recommended)
- CPU: Pentium 3 or 4 processor, or equivalent AMD processor
- HDD: 3 GB, SCSI or IDE
- NIC: 100 Mbit/s

Installation Checklist

Network Configuration
- Configure your DNS server.
- DHCP server started.

Additional Settings
- Change the Event Viewer settings to 1024 KB in size and choose to overwrite events as needed.
- Change the Performance settings to prioritize background applications.
pond.

Note: Each chapter has an introduction paragraph explaining to which part of our suite it applies.

Tip: Lumension documentation is updated on a regular basis. To acquire the latest version of this document, please refer to the Lumension Support Documentation web site: www.lumension.com/support/documentation.html

Document Conventions

The following conventions are used throughout Lumension documentation to help you identify various information types:
- bold: Command names, database names, options, wizard names, window and screen objects (e.g. "Click the OK button").
- italics: New terms, variables, and window and page names.
- UPPERCASE: SQL commands and keyboard keys.
- monospace: File names, path names, programs, executables, command syntax and property names.

The icons used throughout Lumension documentation identify the following types of information:
- Note: Identifies paragraphs that contain notes or recommendations.
- Tip: Identifies paragraphs that contain tips, shortcuts or other helpful product information.
- Warning: Identifies paragraphs that contain vital instructions, cautions or critical information.

Preface: Contacting Lumension Security

Lumension Security Corporat
puters, is used to configure the solution and perform a range of day-to-day administrative tasks. You can install the console on one of the servers you are using for the Sanctuary Database or the Sanctuary Application Server, or on any computer that has access to the Sanctuary Application Server.

An implementation can have more than one Sanctuary Application Server connected over a wide area network to one Sanctuary Database. This means that Sanctuary can provide a resilient and scalable solution to your security issues.

Installing Sanctuary's Components

The relationship between the Sanctuary components is represented in the following figure.

[Figure: Sanctuary component relationships. Windows AD and Novell (via the NDSSync.vbs synchronization script) are synchronized into the Sanctuary Database; one or more Sanctuary Application Servers (SXS) talk to the database over DCOM/RPC, and to the administration tools and the Sanctuary Client Drivers over TCP/IP, with TLS as an option. Several SXSs can share the same Data File Directory (DFD); the Audit File Directory (AFD) is shared by all SXSs. Client drivers, installed on servers, desktops, laptops or thin clients depending on the Sanctuary application used, can optionally connect to any application server.]

The client driver can als
r can cause problems if you are working over a remote connection or doing other remote tasks.

You can use the Client Deployment Tool to do an unattended install/uninstall of the client package. See "Using the Sanctuary Client Deployment Tool to Install the Sanctuary Client" on page 106.

If the client was installed manually, select Add/Remove Programs from the Windows Control Panel and choose Sanctuary Client from the list of installed programs. The Setup program launches and uninstalls the Sanctuary Client. You must reboot the computer once it has finished. Remember that this option may or may not be present, depending on the choices you made during the setup process.

Tip: If a network shared disk was used during the initial installation and this disk is no longer available during uninstall, the MSI program may ask specifically for the original setup file location before it can continue. A workaround is to copy the original MSI setup file to the local hard drive and then point the MSI uninstaller at this file. You can remove the MSI setup file from the local hard drive once the client is deleted.

Since you are now in a highly secure environment and client hardening is enabled, changes to the client and its components have to be done in an orderly fashion. Even if you are an administrator, the services, registry entries and special director
r releases this key to the public, who can use it to encrypt messages to be sent to the user and to verify the user's digital signature.

RAS (Remote Access Services): A Windows program that allows most of the available network facilities to be accessed over a modem link.

RDC (Remote Data Connector): Formerly known as Advanced Data Connector. Technology used in conjunction with ActiveX Data Objects (ADO) to retrieve a set of data from a database server.

RPC (Remote Procedure Call): Protocol that allows a computer program running on one host to run a subroutine located on another. RPC is used to implement the client/server model of distributed computing.

Sanctuary Application Server (SXS): The Sanctuary component that serves as the link between the Sanctuary Client and the Sanctuary Database.

Sanctuary Management Console (SMC): The console used to define the device permissions and default options. Its functions are described in the corresponding User Guide.

SCC (Sanctuary Command & Control): The Sanctuary component in charge of all communication between the server and the client(s). It also communicates with the CA (Certificate Authority) server.

SFD (Standard File Definitions): Lumension provides a number of pre-computed file hashes for most versions of the Windows operating systems, in several languages and for all available Service Packs. These are typically installed during setup, but you can also import new ones.

SID
rdware and software components are needed in your platform. E.g. if you do not need Windows Media Player, DCOM/RPC or Microsoft Internet Explorer, you do not put them in your image. XP Embedded is marketed towards developers for OEMs, ISVs and IHVs that want the full Win32 API support of Windows without the overhead of a full Professional installation. XP Embedded runs existing Windows applications and device drivers on devices with Compact Flash and RAM.

XP Embedded is not related to Windows CE. They target different devices, and each has its pros and cons, which make them attractive to different OEMs for different types of devices. Some of the devices where you can use this system include thin clients, retail point-of-sale (POS), Windows-based terminals, connected clients, set-top boxes, gateways, kiosks, ATMs, industrial controls, office automation and gaming systems. You can learn more about Windows XP Embedded at http://msdn.microsoft.com/embedded

Thin Clients

A typical thin client configuration will boot and connect directly to a Citrix server; this is all configured during the creation of the run-time image. Typical users never access the thin client the way they would a normal XP Professional desktop. This is only possible by holding down the SHIFT key at boot, which displays the logon screen. Windows XP Embedded provides several default shells: Exp
red into the local machine store. You need to generate this final certificate and specify which certificate is to be used to sign it.
- To generate the final certificate signed by a certificate located in your store, use the "Generate certificate signed by certificate located in store" button. If no appropriate certificate is present in your store, you can first import one using the "Import into store" button and then generate the final certificate with the "Generate certificate signed by certificate located in store" button.
- To generate the final certificate signed by a certificate located in a file, use the "Generate certificate signed by certificate located in file" button.

[Figure 6.4 Sanctuary Client: certificate generation dialog, with the buttons "Generate certificate signed by certificate located in store", "Import into store" and "Generate certificate signed by certificate located in file", a "Certificate parameters" button, and Back / Next / Cancel.]

Communication protocol

The TLS protocol uses a certificate to authenticate the endpoint and to establish the keys that encrypt the messages sent over the channel. In this dialog you can select the machine certificate's location and its parameters. When selecting the computer certificate's parameters, you can choose the cryptographic service provider, key length, validity and signature, as shown below.

[Advanced parameters dialog. Cryptographic service provider: Microsoft Strong Cryptographic Provider. Certificate parameters: Key length
ribed in step 7 of "Using the Sanctuary Client Deployment Tool to Install the Sanctuary Client" on page 106.
Uninstall: Uninstalls the selected package from all machines in the list.
Open last report: Displays a report describing the last install or uninstall, indicating which machines were modified and their status (e.g. whether the install was successful or not).
Options: Allows you to change the root directory where the packages and the Sanctuary Application Server are stored.

[Figure 8.34 Sanctuary Client Deployment Tool menus: Import public key. A standard Windows file-open dialog positioned in the system32 folder, with File name: sx-public.key and Files of type: Public key.]

Set Package Policies
Enter the name or IP addresses of the Sanctuary Application Server(s) (SXS) in your organization.
Name or IP: ________   Port: 65229
Connection: ________
OK / Cancel

Fi
rity that is provided by Sanctuary solutions. As with all private keys, extra diligence should be used to ensure its confidentiality.

2 Installing the Sanctuary Database

This chapter explains how to install the SQL engine and the Sanctuary Database. Whereas Chapter 1, "Installing Sanctuary's Components", provides an overview of the entire setup, this chapter focuses exclusively on the database requirements.

The information in this chapter is relevant to all Sanctuary software suite products.

Warning: Although you can use Windows XP, 2000 Pro or Vista (x86) for the database and/or console, you cannot use it for the Sanctuary Application Server or, in the case of Sanctuary Application Control Server Edition, for the client component. If you are planning to spread Sanctuary components among several machines, one of them running the database and/or management console on XP, read Appendix D, "Installing Sanctuary Components on Windows XP/2003/Vista", on page 175 carefully before proceeding.

Warning: If you are updating from a previous version of our software or already have one of our products installed, always make a backup of your database before proceeding.

Choosing a SQL Engine

The database used by Sanctuary software requires a Microsoft SQL Server database. This can be SQL Server 2000 SP4, 2005 SP2, or SQL Server 2005 Express Edition SP
rning: The Sanctuary Application Server cannot be installed on Windows XP, Windows 2000 Pro or Windows Vista.

Warning: Memory requirements may vary based on your system, operating system and the software already installed on the platform where you will be installing Sanctuary. Large installations and some operating systems require significant extra memory, especially where the machine is already close to its memory limits. The same applies to the client installation, where more memory may be required if other memory-intensive software is already installed.

Sanctuary Device Control Terminal Services Limitations

The Terminal Services administration mode and the Remote Desktop functionality allow computers to be accessed remotely. This section details how the Sanctuary Client Driver enforces security when devices are accessed remotely.

Sanctuary Device Control normally applies the permissions of the user accessing the device, be it a remote user or the user working interactively with the computer. This is the case for the device classes for which device access is performed in the context of the user who initiated the access:
- BlackBerry (USB)
- DVD/CD (read access)
- COM/LPT (not when used for printing)
- Palm OS handheld devices (USB)
- Removable
- Tape
- Unauthorized encrypted media
- Windows CE devices (USB)

Certain kinds of device access are not performed in the context of the user who initiated the ac
round robin vs. random pick); this is done by modifying certain registry keys. See "Sanctuary Client Registry Keys" on page 163 and "Uninstalling the Sanctuary Client" on page 79 for more details. You can push these modifications to all clients using Group Policies with ADM templates.

Note: The setup also lets you retrieve a Maintenance ticket from the Sanctuary Application Server (see the relevant Administrator's Guide). This is only done if communication between them exists. If client hardening is enabled, the uninstall process lets you choose how to deactivate it.

To Install Sanctuary Clients

The first step in this procedure is to decide whether or not you want to import the company's permissions and policies as an independent file during the installation process. If you want to import them during the client installation, you first need to export them. This export is done to a special file called policies.dat, which should be located in the same directory as the MSI installation package.

The files needed to install the client are located in the client folder of your installation CD. You can copy them to a convenient location on your hard disk. You should also include the public key (not the private one) in this directory. Proceed with the installation steps described below, reading step 7, "Providing the Sanctuary Application Server address", carefully.

Note: The policies.dat file should
rs defined in the DNS table; on the fourth request the first IP address is returned once more.

Using the above DNS round-robin scheme, all requests sent to the Sanctuary Application Servers are evenly distributed among the machines in the cluster. All nodes in the cluster are exposed to the clients.

Advantages of DNS Round Robin

Although very easy to implement, round-robin DNS has some drawbacks, such as inconsistencies in the DNS tables when remote servers become unavailable unpredictably: the alias keeps handing out the address of a server that is down, and the clients that receive it first have to fall through to the next address. However, this technique, together with other load-balancing and clustering methods, can produce good solutions in many situations.

The main advantages of DNS round robin are:
- Inexpensive and easy to set up. The system administrator only needs to make a few changes in the DNS server to support round robin. Clients are not even aware of the load-balancing scheme they are using.
- Simplicity. You can add or remove servers as you go. All clients are identically installed, using only one DNS alias as the Sanctuary Application Server address. When servers are added or removed, you only need to edit one DNS table, not modify registry settings.

[Figure 6.21 Round Robin DNS schema: clients send their SXS requests to the round-robin DNS server, which answers with SXS server 192.168.1.1, 192.168.1.2, 192.168.1.3, etc. in turn.]

Note: Windows 2000 has some bugs
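The following Python model is added as an illustration of the behaviour described above and in Figure 6.21; it is not Lumension code. A toy resolver rotates the A records of one alias on every query, as the round-robin DNS server does, and a client walks the returned list until it reaches a server that answers. The alias name, the "reachable" set standing in for a real connection attempt, and the reading of the "random pick" registry option as a shuffle of the answer are assumptions; the three addresses are the ones in the figure.

```python
# Added example: client behaviour behind a DNS round-robin alias as in
# Figure 6.21. Not Lumension code; the resolver, the alias name and the
# "reachable" set are constructed for illustration.
from collections import Counter
import random


class RoundRobinDns:
    """Toy DNS server: rotates the A records of one alias on every query."""

    def __init__(self, alias, addresses):
        if not addresses:
            raise ValueError("an alias needs at least one address")
        self.alias = alias.lower()
        self._addresses = list(addresses)
        self._offset = 0

    def resolve(self, name):
        if name.lower() != self.alias:
            raise KeyError(name)
        n = len(self._addresses)
        answer = [self._addresses[(self._offset + i) % n] for i in range(n)]
        self._offset = (self._offset + 1) % n   # next query starts one further on
        return answer


def pick_server(dns, alias, reachable, strategy="round_robin", rng=None):
    """Return the first reachable SXS address for this client, or None.

    strategy="random" models the registry option the guide mentions by
    shuffling the answer before walking it (ASSUMPTION about its semantics)."""
    answer = dns.resolve(alias)
    if strategy == "random":
        (rng or random).shuffle(answer)
    for addr in answer:
        if addr in reachable:     # stands in for a real connection attempt
            return addr
    return None                   # every address in the answer is down


def load_distribution(dns, alias, reachable, clients):
    """How many of `clients` consecutive clients end up on each server."""
    counts = Counter()
    for _ in range(clients):
        counts[pick_server(dns, alias, reachable)] += 1
    return counts


if __name__ == "__main__":
    servers = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]   # from Figure 6.21
    dns = RoundRobinDns("sxs.example.local", servers)           # alias is an assumption
    # All three up: an even split.
    print(load_distribution(dns, "sxs.example.local", set(servers), 30))
    # 192.168.1.1 down but still in the table: its share lands on the server
    # that follows it in the rotation, so the load is no longer even.
    dns = RoundRobinDns("sxs.example.local", servers)
    print(load_distribution(dns, "sxs.example.local", set(servers[1:]), 30))
```

The second run is the drawback mentioned above made concrete: with one of three servers down and no change to the DNS table, every third client is first pointed at the dead address and falls through to the next one, so one surviving server takes twice the load of the other until the record is removed.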
rtificate Authority by the Sanctuary Application Server. This authorized user has to be physically present at the machine to create the required certificate.

Authentication certificate will be retrieved from a CA (automatic mode using TLS communication)

The program attempts to obtain a valid computer certificate by requesting one from one of the selected Certificate Authorities. It must be possible to issue this certificate, and the CA must be trusted as a root or intermediate Certificate Authority by the Sanctuary Application Server. Communication between the Sanctuary Client and the Sanctuary Application Server(s) is encrypted. You do not need a Certificate Authority at installation time, but one is required when you first start the client(s), since the program then requests a machine certificate. The user who has the rights to create machine certificates does not have to be physically present at the machine to do the installation if this mode is selected.

You should ALWAYS use automatic mode when your organization has already deployed a Certificate Authority infrastructure and the Sanctuary Application Server and clients are part of it. In this case, deployment of the Sanctuary Client using TLS is completely transparent and requires no additional action. We recommend the automatic mode in preference to all other methods for issuing valid certificates. If it is not possible
rver callback messages (see also Chapter 1, "Using TLS for Client-Sanctuary Application Server Communication", on page 7) include the server's DNS name and port number(s). This ensures that the client only answers the particular Sanctuary Application Server contacting it, even if the client has no prior information about that server. The message also includes a timestamp, which prevents the client from replying to old (replayed) requests.

What is a Digital Certificate?

A digital certificate is an electronic presentation card that establishes your identity and credentials when doing transactions over a channel. Certificates are issued by a Certification Authority. They contain, among other things:
- A digital signature indicating which certificate-issuing authority generated them. This lets the recipient verify that the certificate is genuine.
- A public key to be used for encrypting messages and verifying digital signatures. All messages encrypted using the public key can be decrypted using the corresponding private key of the pair (see a complete description in any of the Sanctuary user's guides).

Most certificates used today are based on the X.509 v3 certificate standard. Typically, certificates also contain the following information:
- Certificate version and serial number
- Signature algorithm
- Validi
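The following Python code is added to show the two checks a client applies to a server callback of the kind described above, namely that the message names the contacting server (DNS name and port) and carries a fresh timestamp. It is illustrative only and not Lumension code: Sanctuary's wire format is not documented on this page, so the message layout, the keyed MAC that stands in for the channel's integrity protection, the nonce cache and the 30-second window are assumptions. Port 65229 is the one shown in the deployment tool dialog.

```python
# Added example: the checks a client can apply to a server callback of the
# kind described above (server DNS name and port, plus a timestamp).
# Not Lumension code; the message layout, the keyed MAC, the nonce cache and
# the 30-second window are assumptions for illustration.
import hashlib
import hmac
import json

WINDOW_SECONDS = 30   # ASSUMPTION: how far a callback's timestamp may drift


def build_callback(server, port, key, now, nonce):
    """Server side: serialise the callback and authenticate it with a keyed MAC.

    The MAC stands in for whatever integrity protection the real channel
    provides (TLS, the key pair); without one, a name and a timestamp are
    trivially forged."""
    body = {"server": server, "port": port, "ts": int(now), "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


class CallbackVerifier:
    """Client side: accept a callback only from the expected server, only if
    it is fresh, and only once."""

    def __init__(self, expected_server, expected_port, key, window=WINDOW_SECONDS):
        self.expected = (expected_server.lower(), int(expected_port))
        self.key = key
        self.window = window
        self.seen_nonces = set()    # nonces accepted inside the current window

    def verify(self, payload, tag, now):
        expected_tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, tag):
            return "bad_signature"          # tampered or unauthenticated
        body = json.loads(payload)
        if (body["server"].lower(), int(body["port"])) != self.expected:
            return "wrong_server"           # names another SXS: ignore it
        if abs(now - body["ts"]) > self.window:
            return "stale"                  # old request, possibly replayed
        if body["nonce"] in self.seen_nonces:
            return "replay"                 # same message again inside the window
        self.seen_nonces.add(body["nonce"])
        return "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    payload, tag = build_callback("sxs1.example.local", 65229, key, 1_000, "n-1")
    client = CallbackVerifier("SXS1.example.local", 65229, key)
    print(client.verify(payload, tag, 1_010))   # ok
    print(client.verify(payload, tag, 1_010))   # replay
    print(client.verify(payload, tag, 1_100))   # stale
```

The timestamp alone only rejects requests older than the window; a message captured and resent inside the window would still pass, which is why the nonce cache is there. In a long-running client the cache should drop nonces whose timestamp has left the window, since the "stale" check already rejects them.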
ry Client Deployment Tool: forced reboot message.]

If a subset of machines was selected from the Computers list, the "Apply to" options let you choose whether to target only the selected set of computers (Selection) or the complete list.

The "Test connection with Sanctuary Application Server" option lets you verify that the Sanctuary Application Server defined in the package is up and running before proceeding with the deployment to the client computers. It is a safe precaution to check this option, unless you want to do an installation with no servers. See "To Install Sanctuary Clients" on page 63 for more information.

Specify the server name from which the Endpoint Maintenance Ticket can be retrieved. If left empty, you must copy this ticket manually to the required directory (normally C:\Program Files\Lumension Security\Ticket) before you can add, modify or delete any client component, including directories and registry keys. See "Uninstalling the Sanctuary Client" on page 79 and your corresponding User's Guide for more information.

Warning: If the clients are installed while the Sanctuary Application Server(s) is unavailable, they will not be able to obtain the permissions unless these are included in policies.dat, and access to applications and devices is refused.

Note: By default, client computers are not rebooted at th
ry Management Console" on page 53.

6. Install a Sanctuary Client and test the predefined permissions for devices and/or executables, scripts or macros. You can install the client on the same machine that you are using for the Sanctuary Database, Sanctuary Application Server and Sanctuary Management Console (some limitations apply). See Chapter 6, "Installing the Sanctuary Client on Your Endpoint Computers", on page 61.
7. Define some test permissions for devices and/or executable files using the console installed in step 3, and test these on the client machine. See the Quick Setup Guide.
8. Define the company's policies: permissions, rules and settings. Determine and define which users get access to which devices and/or executables, scripts and macros. This step is done before installing or rolling out any clients; installing Sanctuary Clients without a good policy definition results in a loss of productivity. Consult the Sanctuary Application Control Suite User Guide and/or the Sanctuary Device Control User Guide for more information.
9. Plan the client installation strategy and deploy your clients on production machines to begin enjoying the benefits of being protected by Sanctuary immediately. See Chapter 8, "Unattended Client Installation", on page 93.
10. Define a synchronization scheme to be used for your Microsoft domains or Novell eDirectory structure. See Ch
rypted communications

Legend: v Supported; X Not supported; N/A Not applicable.

The following table lists the device groups supported by the Sanctuary Client running on Windows XP Embedded.

Table L.2 Device groups supported by Sanctuary (columns: Device Group, Windows XP SP3, Windows XP Embedded)
- Biometric Devices
- COM/Serial Ports
- DVD/CD Drives
- Floppy Disk Drives
- Imaging Devices
- LPT/Parallel Ports
- Modem/Secondary Network Access Devices
- Palm Handheld Devices
- Printers (USB)
- PS/2 Ports
- Removable Storage Devices
- RIM BlackBerry Handhelds
- Smart Card Readers
- Tape Drives
- User Defined Devices
- Windows CE Handheld Devices
- Wireless NICs

Legend: Y Supported; X Not supported; ND No drivers installed; N/A Not applicable.

How to Configure the Client

While using the Target Designer component of Windows Embedded Studio, you must provide the Sanctuary Application Server IP address or fully qualified domain name, as shown in the following image.

[Figure: Target Designer component tree showing the Sanctuary component next to the Logical Disk Manager, Lumension MCI Support, Microsoft ACPI Compliant System, Audio Compression Manager (MME Core), Microsoft Foundation Library (MFC) and Microsoft Line Services components.]
s, Smart Card readers, Tape drives, User-defined devices, Windows CE handheld devices, Wireless NICs (network interface controllers).

Group Settings: Online permissions, Offline permissions, Scheduled permissions, Temporary permissions, Shadow, Copy Limit, Event notification.

Specific Settings: Permissions (R, R/W or None), Online permissions, Offline permissions, Scheduled permissions, Temporary permissions, Shadow, Copy Limit, Event notification.

K Installing Sanctuary Application Control Terminal Services Edition

Introducing Sanctuary Application Control Terminal Services Edition

Sanctuary Application Control Terminal Services Edition is a proactive software security solution that gives you the ability to exercise total control over application execution on your Citrix MetaFrame Presentation Servers. Sanctuary Application Control Terminal Services Edition works on the basis that unless
s Options: Languages

[Figure 7.7 WSUS configuration: the Languages option page. "If you are storing update files locally, you can limit the updates downloaded to your Windows Server Update Services server by language." Options: Download only those updates that match the locale of this server (English); Download updates in all languages, including new languages; Download updates only in the selected languages (Arabic, Traditional, Danish, Dutch, English, Finnish, ...).]

8 Unattended Client Installation

Once you have installed and tested your Sanctuary configuration on a few computers and are satisfied that you can administer it effectively, the next step is to deploy it on all or most of the computers on your network. If you have a large number of computers to manage, this is made much simpler with an unattended installation. This is also the easiest way of ensuring that all computers have the correct package. In addition, you can use our tool to obtain a list of all machines that already have the client deployed.

This chapter explains how to install the Sanctuary Client using MSI technology and, optionally, Windows 2000/2003 Group Policy.

The information in this chapter is relevant to all Sanctuary software suite products.

Warning: If you prefer to use a different deployment tool, you should be aware that some of them, by desi
s: Read / Write / Disabled. Computer: LU\Lumension1. User: LU\administrator.]

[Figure 6.18 Sanctuary Client: certificate generation and installation.]

[Figure 6.19 Sanctuary Client: Certificate Authority issued certificates. The Certification Authority MMC snap-in with the Issued Certificates folder selected (alongside Revoked Certificates, Pending Requests, Failed Requests and Certificate Templates), showing the columns Request ID, Requester Name and Binary Certificate.]

Unattended Installation of the Sanctuary Client

Once you have installed and tested your Sanctuary software configuration on a few computers, you will want to deploy it on all or most of the computers on your network. See Chapter 8, "Unattended Client Installation", on page 93 for information about how to do this without having to physically visit each client computer and run the Setup program.

Uninstalling the Sanctuary Client

At any time after installing the Sanctuary Client, you can uninstall it from the client computer. If you used Group Policy to do an unattended installation, you can also use Group Policy to uninstall the client(s).

Note: Uninstalling the Sanctuary Client briefly disconnects the computer from the network. This behavio
-s SXS_SERVER -i <mydomains.txt

You can also redirect the names of any domains that failed to synchronize to a file by means of the standard error stream:

    SXDOMAIN -s SXS_SERVER -i -e <mydomains.txt >error_list.txt

If you prefer, you can synchronize domains interactively:

    SXDOMAIN -i

Type in the name of each domain followed by the ENTER key. Once you are finished, use Ctrl+C to end the interactive mode and return to the operating system.

Scheduling Domain Synchronizations

You can schedule domain synchronizations with your favorite task scheduler. Here is a procedure using the Windows Task Scheduler.

In the C:\Program Files\Lumension Security\Sanctuary\SXTools directory, create a batch file, sxsynch.bat, containing the following line:

    CMD /C SXDOMAIN -s SXS_SERVER -i -e <mydomains.txt >error_list.txt

The mydomains.txt file holds the names of the domains to synchronize, one name per line. The list of domains that failed to synchronize is redirected to the error_list.txt file. Review error_list.txt after each scheduled run: a domain listed there has not been synchronized, and its users and groups in the Sanctuary Database are only as current as the last successful run.

1. Go to the Control Panel, choose Scheduled Tasks and then Add Scheduled Task. The Scheduled Task Wizard is displayed: "This wizard helps you schedule a task for Windows to perform. You select the program you want Windows to run and then schedule it for a convenient time. Click Next to continue." Click Next.
sabled the drivers.

Sanctuary Client Deployment Tool Menus

Packages Menu

The Packages menu has the following items:

New: Allows the user to create a new deployment package using the process in "To Install Packages" on page 97.
Delete: Deletes the selected deployment package.
Rename: Renames the selected deployment package.
Import public key: Allows the user to choose a public key to be included in the selected deployment package. The dialog shown in Figure 8.34 is displayed, allowing you to select the public key to be added.
Set Licenses: Opens a dialog where you can import a license to include in the package when it is installed in Serverless mode. This is done so that the correct options are installed with the client.
Set Policies: Opens a dialog where you can specify a server from which to retrieve the policies. The policies are exported from this server and placed in a special file, policies.dat, which is included in the package. See Figure 8.35.
Test Connection: Allows you to verify that the Sanctuary Application Server(s) defined in the package are up and running before proceeding with the deployment to the client computers. It is not available if you choose the Serverless Mode option.
Install: Installs the selected package on all computers in the list. This performs the same function as the INSTALL button, as desc
scription.

Table J.2: Installation checklist (columns: Action, Description, Done, Resolved, Comments, Reference)

- Verify the minimum requirements for each component. Reference: Appendix A, Detailed System Requirements and Limitations.
- Are you using a firewall, or are you installing the Console on Windows XP SP3 or Windows Vista with the firewall activated? Open the needed ports. Reference: Appendix E, Opening Firewall Ports for Client Deployment.
- Do all basic protection steps for all your computers: seal chassis intrusion protector, password-protected BIOS, NTFS partition, etc.
- Decide between using a full-blown SQL Server or the light version: install SQL Server 2005 Express Edition or use your SQL Server. Reference: Choosing a SQL Engine on page 17.
- Are you installing the Sanctuary Database, Sanctuary Application Server and Sanctuary Management Console on the same physical machine? Only recommended when testing the product; see the Sanctuary Quick Setup Guide.
- Install MDAC 2.6 SP1 (already installed with SQL 2000 SP4). Reference: Stage 1, To Install the SQL Database Engine on page 19.
- Create the sx database. This is done automatically by installing the database (see next step).
- Install the Sanctuary Database. Reference: Stage 2, Install the Sanctuary Database on page 20.
se read the following license agreement carefully.

Figure 2.3: Sanctuary Database installation. License agreement. (Screenshot: Terms and Conditions of Installation. Your access to and installation of this software product is subject to the terms and conditions contained on the Lumension Security, Inc. (Lumension) website; links are provided to the Terms and Conditions of Use, the Omnibus End User License Agreement (EULA), Product Use Rights and Maintenance/Product Support. Options: "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement".)

7. If you accept the terms of the license agreement, select the "I accept the terms in the license agreement" option and click on NEXT. You can also click on any of the three available buttons to read the license agreements.

(Screenshot: Sanctuary Database, Wise Solutions Wizard. Destination Folder. Click Next to install to this folder, or click Change to install to a different folder. Install Sanctuary Database to C:\Program Files\Lumension Security\Sanctuary\. Buttons: Change, Back, Next, Cancel.)

Figure 2.4: San
se your Sanctuary software in a domain environment. Use a local account if you plan to administer computers in a workgroup.

Certificate Authority: You must have a Certificate Authority installed and configured if you plan to use the TLS protocol when installing the clients and/or central encryption (if installing Sanctuary Device Control). Microsoft's Certificate Authority installation is described in Appendix H, Installing a Certificate Authority for Encryption and TLS Communication, on page 203.

Implementation Actions

To help you to implement Sanctuary, the following table explains the actions required.

Table J.1: Implementation actions (columns: Action, Description)

- Create devices, media and software inventory. We provide a special software tool for your device inventory (the Sanctuary Device Scanner Tool) on our Web site. Description: The inventory lists all devices and media that you want to control, depending on which Sanctuary products you bought.
- Write a company policy that defines the permissions, shadowing options, encrypted devices, Sanctuary administrators' roles, and so on. Description: The document of the company's policies lists all the settings that are used to control Sanctuary's installation. It includes permissions and to whom they will be assigned, users that will become Sanctuary Administrators, etc.
- Add Domain Global Groups for Sanctuary permissions and Sanctuary administrators (optional).
- Plan the architecture of the installation based on the
sed in a Sanctuary implementation, and details the limitations of installing the Sanctuary Client on Terminal Servers and Citrix environments for some products of our suite.

System Requirements

Table A.1: Sanctuary Application Server system requirements

- Operating System: Microsoft Windows 2000 Server SP4 or later; Windows Server 2003 SP1 or later. All operating systems are 32-bit unless noted otherwise.
- Disk space: 4 MB free disk space for program files, 15 MB for the installation. Using an NTFS disk partition.
- Memory: 256 MB (512 MB recommended).
- Others: MDAC v2.6 SP1 or later if you are using Windows 2000 Server. A Certificate Authority installed and configured if the TLS protocol is chosen for intra-Sanctuary Application Server communication.

Table A.2: Sanctuary Database system requirements

- Operating System: Microsoft Windows 2000 Server SP4 or later; Windows 2000 Professional; Windows XP Professional SP2 or later; Windows Server 2003 SP1 or later; Windows Vista SP0 or later.
- Disk space: 1 MB free disk space for program files, 40 MB for the installation. From 10 MB up to several GB for data, depending on the number of users. Using an NTFS disk partition.
- Memory: 512 MB (2 GB recommended).
- Others: Microsoft SQL Server 2000 SP4; Microsoft SQL 2005 SP2 or later; Microsoft SQL 2005 64-bit SP2 or later; SQL Server 2
server, which is accessible to external clients via a unique IP address and name.
2. Install SQL Server, add this to the cluster to provide failback services, deploy SQL Server to all nodes and finally test your installation.

Items Created During the Sanctuary Database Setup

During the Sanctuary Database installation, the following items are created:

Table 2.1: Items created by the Sanctuary Database installation

- Directory %INSTALLDIR%\DB: Contains all SQL scripts needed by Sanctuary's database setup. Full control for Administrators.

Note: The INSTALLDIR directory points to the folder where the program was installed. It is usually C:\Program Files\Lumension Security\Sanctuary, but it can refer to any other folder.

3 Using the Key Pair Generator

To accompany the Sanctuary Management Console, Lumension provides the Key Pair Generator. This utility is used to create a key pair to assure the integrity of the communication between the Sanctuary Application Server and the Sanctuary Client. The information in this chapter is relevant to all Sanctuary products.

Introduction

The Key Pair Generator is used to create a public and private key pair. The Sanctuary Application Server uses an asymmetric encryption system to communicate with the Sanctu
sizing considerations. The resulting document can be a network diagram that reflects the architecture together with the servers' hostnames and IP addresses.
- Create a Sanctuary Application Server service account in your Domain. Description: The Sanctuary Application Server is a standard Windows service that runs under a regular account. It is good practice to create a new dedicated domain account for this purpose and set its options to "User cannot change password" and "Password never expires". This account MUST have local administration rights if you plan to use TLS for client-Sanctuary Application Server or intra-Sanctuary Application Server communications.

Table J.1: Implementation actions (continued; columns: Action, Description)

- Install a Microsoft Enterprise Certificate Authority for Encryption, or for the TLS protocol for client-Sanctuary Application Server or intra-Sanctuary Application Server communications. Description: In case you want to encrypt removable devices such as pen drives, memory sticks and so on, we recommend you install a Microsoft Enterprise Certificate Authority. You also need this component if you plan to use the TLS protocol for Sanctuary Client-Sanctuary Application Server or intra-Sanctuary Application Server communications (all messages are encrypted). If you do not use the TLS protocol, all messages are signed using the private key.
- Install DBMS: MSSQL 2000 SP4, 2005 SP2, 2005 SP2 64 bits or MSS
so Table B.7.

Table B.6: Configuring MaxSockets and TLSMaxSockets (columns: TLSMaxSockets and MaxSockets values, Description)

- TLSMaxSockets > 0 AND MaxSockets = 0: Only TLS connections are available for Sanctuary Application Server-Sanctuary Client communication, using the port specified in TLSPort.
- TLSMaxSockets = 0 AND MaxSockets > 0: Only non-TLS connections are available for Sanctuary Application Server-Sanctuary Client communication, using the port specified in Port.
- TLSMaxSockets > 0 AND MaxSockets > 0: Both TLS and non-TLS connections are available for Sanctuary Application Server-Sanctuary Client communication, using the ports specified in Port and TLSPort.

Several registry keys (SecureInterSxs, CommVer, TLSMaxSockets, MaxSockets, Port and TLSPort) interact together, and some combinations are not valid, as shown in the following table.

Table B.7: Configuring SecureInterSxs, CommVer, TLSMaxSockets, MaxSockets, Port and TLSPort (columns: SecureInterSxs, ..., Result)

- You must set the Non-TLS Clients Max Concurrence field to a value > 0 when selecting an older client protocol. Sanctuary Application Server-Client and intra-Sanctuary Application Server communication will be done using a non-TLS channel. This is only recommended when you already have an older installation and you are updating it. You m
stalling the Sanctuary Database

9. Click on the INSTALL button to perform the setup. The SQL scripts run and the database is created. This process normally takes less than 2 minutes, depending on your hardware. Once completed, the final screen is displayed.

Figure 2.7: Sanctuary Database installation. Ending the installation wizard. (Screenshot: Wise Solutions Wizard Completed. The Wise Solutions Wizard has successfully installed Sanctuary Database. Click Finish to exit the wizard.)

10. Click on FINISH to close the wizard.

Database Clustering

The Sanctuary Database is the repository where all permissions and hashes, which define whether an application or device can be used or not, are stored. As an alternative to installing it on a single machine, you can choose to install the Sanctuary Database on a clustered server to provide a fault-tolerant system, as described below. Once you have at least two servers in a cluster with SQL working, you can proceed to install the database as described in the previous procedure.

What is Database Clustering?

A cluster is a group of computers, or nodes, which functions as a single system to provide high availability and fault tolerance. Database clustering is a failover technology. It ensures that the execution environment and services move to another computer in the cluster in case of a node failure, maximizing the database availability. Database clustering
ster using SQL Server 2005 Express Edition.

Note: To successfully install SQL Server 2005 Express Edition, you must already have Microsoft's .NET Framework 2.0 and Windows Installer 3.1 or later installed on your machine.

Warning: We strongly recommend downloading and applying the latest SQL Server service packs from www.microsoft.com before putting the system in production. Make sure you download the appropriate file. For example, service packs for Microsoft SQL Server cannot be applied to a SQL Server 2005 Express Edition database.

Before you Install

Before you start installing your database engine of choice, you must first check that the computer meets the minimum requirements. See Appendix A, Detailed System Requirements and Limitations, on page 147 for details.

Note: You must activate the Server service (File and Print Sharing for Microsoft Networks) before attempting to install SQL Server on your machine. This is particularly important for Novell users, who do not necessarily already have this service running on their machines.

Stage 1: To Install the SQL Database Engine

Note: This procedure explains how to install SQL Server 2005 Express Edition. You can skip this stage if you already have SQL Server 2000 SP4 or 2005 SP2 running on the machine that you want to host the Sanctuary Database.

1. Log on to the computer
tabase is installed in the C:\Program Files\Lumension Security\Sanctuary folder. To choose another location, click on CHANGE and browse to the folder you want. Some components are always installed in the %SystemRoot%\system32 directory, and a %SystemRoot%\sxsdata directory is always created.

Figure 4.5: Sanctuary Application Server installation. Destination folder. (Screenshot: Sanctuary Application Server, Wise Solutions Wizard. Destination Folder. Click Next to install to this folder, or click Change to install to a different folder. Install Sanctuary Application Server to C:\Program Files\Lumension\Sanctuary. Buttons: Back, Next, Cancel.)

9. Specify the user account you want to use to run the Sanctuary Application Server. Use a domain account (any domain user; an administrative account is not required) if you plan to use Sanctuary in a domain environment. Use a local account if you plan to manage several computers in a workgroup or a Novell environment.

(Screenshot: Sanctuary Application Server, Wise Solutions Wizard. Service account. Enter the Sanctuary Application Server credentials. The Sanctuary Application Server requires a user account to run as a service. The account you specify should have appropriate permissions to request information from the domains and computers protected by Sanctuary. Use Domain\user name syntax for a domain account, Workstation\user
ted to do so by the Sanctuary Client setup program. To do this, click on YES to restart the computer.

Figure 6.16: Sanctuary Client. Restarting the computer. (Screenshot: Sanctuary Client Installer Information. You must restart your system for the configuration changes made to Sanctuary Client to take effect. Click Yes to restart now or No if you plan to restart later.)

Note: It is not recommended to delay rebooting and continue working. Doing this may result in network or application instability.

The following dialog is displayed if the policies file could not be retrieved or initialized. If you choose to ignore this situation, you risk blocking your machine, since the most restrictive of all policies applies, i.e. no device access at all.

Figure 6.17: Sanctuary Client. No import file and no server address specified. (Screenshot: Setup. The Sanctuary Client failed to retrieve the current policies. This may have been caused by a failure to communicate with the Sanctuary Application Server or to read from the policy import file. If you would like to retry, please click the Retry button. If you would like to skip the policy retrieval and continue the setup, please click the Ignore button. If you would like to abort the setup, please click the Abort button. Buttons: Abort, Retry, Ignore.)

Warning: If there is no Sanctuary Application Server to co
ter 3 Using the Key Pair Generator 29
Introduction 29
Starting the Key Pair Generator 30
Generating a Key Pair 30
Deploying the Key Pair 31
Chapter 4 Installing the Sanctuary Application Server 33
Before you Install 33
To Install the Sanctuary Application Control 36
Items Created During Sanctuary Application Server Setup 52
Chapter 5 Installing the Sanctuary Management Console 53
Before You Install 53
To Install the Sanctuary Management Console 54
Items Created During Sanctuary Management Console Setup 60
Chapter 6 Installing the Sanctuary Client on Your Endpoint Computers 61
System Requirements 61
Overall System Requirements 61
Client Computer Requirements 62
To Install Sanctuary Clients 63
Unattended Installation of the Sanctuary Client
that this entry does not control connections to the RPC server in Sanctuary Application Server; see MaxRpcCalls for that. Minimum 0, maximum 50000 (arbitrary). See Port, TLSPort and TLSMaxSockets. See also Table B.6 and Table B.7.

- Port: The TCP port on which the socket-based Sanctuary Application Server listens for new connections. Minimum 1, maximum 65534. This affects only clients; the port used by the RPC server for administration clients is controlled by the Protocols setting. Transmissions that do not use the TLS protocol are always signed. See TLSPort, TLSMaxSockets and MaxSockets.

- RpcProtectionLevel: Determines whether the RPC (Remote Procedure Call) server will require RPC clients to identify/authenticate. Valid levels are:
  0: Instructs the OS to pick a protection level. At the time of this writing, this is equivalent to 2.
  1: No protection. Should not be used except for testing.
  2: The client's identity is verified when connecting to Sanctuary Application Server. RPC messages are vulnerable to tampering and man-in-the-middle attacks.
  3: For connection-oriented protocols (TCP, for instance), same as 4. For connectionless protocols (UDP), this level ensures that a client's connection cannot be hijacked at the request level.
  4: Examines client credentials not only once per request, like 3, but with
the new computer. Activate the SKNDIS filter from the TCP/IP properties (Network Connections from the Start menu).

Transport Layer Security

The Transport Layer Security (TLS) protocol, based on SSL (Secure Socket Layers), addresses security issues related to message interception during communication between hosts. The deployment of TLS (client and server side) is the primary defense against compromised clients or mixed networks where it is possible to intercept transmitted messages. TLS has specific advantages when addressing message security issues:

- The identities of peers can be authenticated using asymmetric (or public key) cryptography, allowing the safe exchange of encrypted information, coupled with a Certificate Authority (see Appendix H, Installing a Certificate Authority for Encryption and TLS Communication).
- Clients can verify that the IP address and name are consistent with the DNS records, inhibiting man-in-the-middle and DNS spoofing exploits.
- Messages' contents cannot be modified while en route between two TLS-negotiated hosts.
- Either party has the ability to detect TLS protocol violations.

However, there are also some disadvantages to using the TLS protocol:

- Cryptography, specifically when it involves public key operations, is CPU intensive, and using TLS may result in a performance loss. The level of performance loss dep
the account to access the database.

- Get a license for your Sanctuary product. The license information is stored in a file called Sanctuary.lic. Your Sanctuary Application Server installation will fail without it. The file contains details of the licenses you have purchased, for example the number of server and client copies. If you have purchased one of our Sanctuary products, this file is sent to you by email. If you are evaluating a Sanctuary product, then you can obtain an evaluation license by registering on the Lumension website (www.lumension.com), selecting the appropriate product page and completing an Evaluation License Request form. Once you have a copy of the license file, save it into the %SYSTEMROOT%\SYSTEM32 directory. If your license has expired, the Sanctuary Application Server services do not start and a warning message is displayed.

Warning: If you are using more than one Sanctuary Application Server, the same license file must be used on all the servers. Never place this license file on any client.

- Optional: Check that the computer(s) running Sanctuary Application Server also have a system clock synchronization mechanism to match that of the computer running the database. You can use the Windows Time Service (W32Time), based on the Simple Network Time Protocol (SNTP), to maintain date and time synchronization.
- Have a Certificate Authority installed and ready to
the corresponding fields and click on NEXT.

The program creates a test e-mail. If the send action is successfully finished, you get a message informing you that the test has been sent and everything is working correctly.

Figure 7.4: Sanctuary Authorization Service Tool installation. E-mail configuration screen. (Screenshot: Sanctuary Authorization Service, Wise Solutions Wizard. E-mail configuration; please enter your information. Fields: Sender's mail address (Secure Authorization Service); Recipient's mail address; SMTP server name or IP; SMTP server port (25); Authentication Level (1); User name; Password; Use SSL communication between mail client and SMTP server; Send test mail.)

7. Accept or change the installation directory the program proposes (C:\Program Files\Lumension Security\Sanctuary) and click on NEXT.

Figure 7.5: Sanctuary Authorization Service Tool installation. Choose installation directory. (Screenshot: Destination Folder. Click Next to install to this folder, or click Change to install to a different folder. Install Sanctuary Authorization Service to C:\Program Files\Lumension Security\Sanctuary\. Buttons: Change, Back, Next, Cancel.)

The final summary screen is shown. You are now ready to
the relevant User's Guide for more information about how to export your settings to a file.

Note: If the installation detects an older version of the client, it will update it automatically.

Note: Installing a client using exported policies works well when policies.dat is placed locally in the same directory as setup.exe; however, if it is placed on a share, you must change the security of the share directory so that computer accounts are able to access it.

If the exported policy file was created more than a week ago, you get the following message:

Figure 8.18: Sanctuary Client Deployment Tool. Refreshing old policies file. (Dialog: Sanctuary Client Deployment. Package's policies are older than a week. Do you want to refresh them?)

Note: The policies file is valid for only two weeks (default value).

You can choose to either refresh the file or deny this request. If you choose to update these policies, you need to provide a valid Sanctuary Application Server address or name.

Figure 8.19: Sanctuary Client Deployment Tool. Refreshing policies file. (Dialog: Set Package Policies. Enter the name or IP addresses of the Sanctuary Application Server(s) in your organization. Fields: Name or IP; Port 65229. Buttons: Test Connection, Import public key, OK, Cancel.)

A similar scenario happens when you are not using a public key but are using the default one provided with the inst
tificate.

Figure H.9: The console. Certificate intended purposes.

9. Check that the same certificate entry is present under the Certificates - Current User node of the Active Directory User Object.

Figure H.10: Verifying the user's certificate. (Screenshot: Console Root > Certificates - Current User > Active Directory User Object > Certificates. Intended Purposes: Encrypting File System, Secure Email, Client Authentication. Active Directory User Object store contains 1 certificate.)

If the certificates are correctly issued and present on the user's machine as described above, this user will be able to access any authorized media for which he has received appropriate permissions.

Sanctuary Application Server by the client following any of these events:

- The user inserts and accesses an encrypted media.
- The user inserts the encr
tings users. Container: Default container for ... Description: Enables/disables advanced features and objects.)

Figure I.1: Advanced feature option of the MMC.

4. Right-click on the desired Organizational Unit (OU) and select Properties from the pop-up menu.
5. Go to the Security tab and click on ADVANCED to open the Advanced Security Settings dialog.
6. Go to the Permissions tab and click on ADD or EDIT.
7. Select the user or group to which you want to delegate rights, as shown in the following image.

Figure I.2: Select user, computer or group to which to delegate. (Screenshot: Active Directory Users and Computers, Security tab. Group or user names. Permissions: Full Control, Read, Write, Create All Child Objects, Delete All Child Objects, Add GUID. For special permissions, click Advanced. Permission entries: to view more information about special permissions, select a permission entry and then click Edit. Select User, Computer or Group dialog: Select this object type (User, Group or Built-in security principal); From this location; Enter the object name to select (examples: Administrator).)

8. Click on OBJECT TYPES, select Computers and click on OK to close the dial
tings rights.
- delete: Deletes Lumension's Manage Sanctuary Settings rights.

Examples

To list all control access rights in condensed mode, redirecting the output to the MyFile.txt file:

cscript Ctrlacx.vbs -e > MyFile.txt

To show the Manage Sanctuary Settings rights interactively:

ctrlacx.vbs -s -au

What to do After Running the Script

Once you run the script on a domain machine, you have to assign the delegation rights you just created for Sanctuary. To do this, follow these steps:

1. Run the script with the create parameter to generate or update Lumension's rights in the Active Directory.
2. Open the Microsoft Management Console (MMC) window.
3. Activate the Advanced Features option from the View menu.

(Screenshot: Active Directory Users and Computers, View menu: Add/Remove Columns; Large Icons; Small Icons; List; Detail; Users, Groups and Computers as containers; Advanced Features; Filter Options; Customize. The tree shows the domain's Saved Queries, Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, NTDS Quotas, Program Data, System and Users containers with their descriptions, e.g. Program Data: Default location for storage of application data; System: Builtin system se
tion. Final stage.

16. Click on INSTALL to proceed. A warning message is displayed if you are not using a fixed IP address.

Setup gathers information about the domain structure. It retrieves the names of the domain users, groups and machines from the domain controller. This may take several minutes (up to half an hour), depending on the size of the domain and the connection speed.

Figure 4.20: Sanctuary Application Server installation. Installation. (Screenshot: Installing Sanctuary Application Server. The program features you selected are being installed. Please wait while the Wise Solutions Wizard installs Sanctuary Application Server. This may take several minutes. Status.)

The final dialog indicates when the installation has been successfully completed.

Figure 4.21: Sanctuary Application Server installation. Finishing the installation. (Screenshot: Wise Solutions Wizard Completed. The Wise Solutions Wizard has successfully installed Sanctuary Application Server. Click Finish to exit the wizard.)

17. Click on FINISH to close the wizard. You now have a working Sanctuary Application Server connected to the Sanctuary Database.

Items Created During
tiple files LZX-compressed into a single file and extractable with the extract.exe utility. Such files are frequently found in Microsoft software distribution packages.

Certificate Authority (CA): Authority charged with issuing user or computer certificates, among other tasks.

Certificate store: The storage location where Windows locally saves certificates requested by a computer or device. This store can hold several certificates, possibly issued by various CAs. If you have the user rights to do so, you can import or export certificates from any folder or file to the certificate store.

Certificate revocation list: A list containing the compromised, revoked or superseded certificates. The CRL is used during the digital signature verification process to check the certificate's validity using the public key extracted from the same certificate.

Client Computer: The computers on your network that Sanctuary Application Control Suite and Sanctuary Device Control protect and control.

Glossary

Component: Smallest individually selectable piece of functionality that can be included in or excluded from a run-time image. A component is comprised of properties and resources such as files, registry entries and dependency information. The behavior of the component is defined by component script and component DHTML. Applies to Windows Embedded.

Component definition: The Component Definition forms the data that constitutes a particul
ts defined directory, it requests a copy from a server having access to it.

Note: You can have several data file directories (DFD, see Figure 1.1) defined and

Warning: You should pay special attention to the network share security (ACL) and directory NTFS permissions. Limit access to the server service account and, optionally, to some administrators. You will also need to consider the members of the Power Users group.

13. If you want to change the directory location, or if you are installing more than one Sanctuary Application Server, select a shared network folder. To do this, click on CHANGE and locate the path you want to use for the DataFileDirectory.

Figure 4.9: Sanctuary Application Server installation. Change destination folder. (Screenshot: Sanctuary Application Server, Wise Solutions Wizard. Select datafile directory. To select a network folder that is not mapped to a local drive, enter its UNC path, like \\server\share, directly in the Folder name field. Look in: DataFileDirectory. Folder name: C:\DataFileDirectory.)

Note: Always use a Universal (Uniform) Naming Convention (UNC) path name, for example \\server\volume\directory. Do NOT use a mapped drive.

If you are installing Sanctuary Device Control and do not have a Certification Authority installed, the following warning message is displayed:

Setup S
ts of Windows / Windows Update / Add New Programs. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details. Components: Accessories and Utilities; Application Server; Certificate Services; E-mail Services (1.1 MB); Fax Services (7.9 MB). Description: Installs a certification authority (CA) to issue certificates for use with public key security programs. Total disk space required: 6.2 MB. Space available on disk: 140944.3 MB.)

Figure H.2: Adding certificate services.

6. Select the Enterprise root CA and click Next.

(Screenshot: Windows Components Wizard. CA Type. Select the type of CA you want to set up: Enterprise root CA; Enterprise subordinate CA; Stand-alone root CA; Stand-alone subordinate CA. Description of CA type: The most trusted CA in an enterprise. Should be installed before any other CA. Option: Use custom settings to generate the key pair and CA certificate.)

Figure H.3: The Windows components wizard, 1st page.

7. Choose a Common name and Distinguished name suffix that will identify this CA and click Next.

Windows Components Wizard
ts security settings from %SYSTEMROOT%\SXData.
- Registry keys HKLM\System\CurrentControlSet\Services\scomc\parameters and HKLM\System\CurrentControlSet\Services\sk\parameters: See Appendix B, Registry Keys. Permissions: n/a. You can block the use of the RegEdit.exe program for all users by using our Sanctuary Application Control Suite component.

Note: The INSTALLDIR directory points to the folder where the program was installed. It is usually C:\Program Files\Lumension Security\Sanctuary, but can refer to another folder. %SYSTEMROOT% is usually C:\Windows.

7 The Sanctuary Authorization Service Tool

Software Update Services (SUS) assists Microsoft Windows administrators with the distribution of security fixes and critical update releases provided by Microsoft. It distributes official updates to Microsoft Windows 2000, XP and 2003 computers, including servers and desktops. Using SUS is equivalent to running the Windows Update service within your own network. Windows Server Update Services (WSUS), previously SUS v2.0, is a new version of Software Update Services (SUS). WSUS supports updating Windows operating systems as well as all Microsoft corporate software, like Office and SQL. The information in this chapter appl
295. ttings & Windows Settings, Administrative Templates. (Figure 8.30: Deployment package using group policies, Software installation) 8. Right-click on SOFTWARE INSTALLATION and select New > Package. 9. Browse to Deploy, select Sanctuary Client.msi and click on OPEN. 10. In the Deploy Software dialog box, select Advanced published or assigned and click on OK. (Figure 8.31: Deployment package using group policies, Deployment type) 11. Accept the default name of Sanctuary Client, click on the Deployment tab and ensure that Assigned is selected. (Figure 8.32: Deployment package using group policies, Deployment options; the Sanctuary Client Properties dialog shows the Deployment type, Deployment options and Installation user interface options.) 12. Display the Modifications tab and click on Add. 13. Browse to Deploy, Sanctuary Client.mst
296. ty (not before, not after); Authority and subject's ID; Digital signature of the issuer, testifying the validity of the binding between the subject's public key and the subject's identifier information. What is a Certificate Authority? A Certificate Authority (CA) is an entity that issues and manages certificates in a network. As part of a public key infrastructure, a CA checks with a registration authority (RA) to verify the information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate stating that the public key contained in it belongs to the person, computer or entity noted in the same certificate. The idea behind this security process is that the user trusts the CA, can verify its signature, and can also corroborate that a certain public key belongs to whoever is identified in the certificate. You either trust a CA or not. If you trust a CA, this means that you have confidence that it has proper policies in place when evaluating certificate requests. In addition, you also trust that the CA will revoke certificates that should no longer be considered valid, publishing an up-to-date CRL (Certificate Revocation List). Basic Security Rules. This section lists a series of basic security rules that are highly recommended prior to deploying the Sanctu
297. u must configure the WSUS system, since this tool does not support express (.msp) installation files. To do this: 1. Open Internet Explorer with your WSUS server active: http://<server name>/WSUSAdmin. 2. On the WSUS console toolbar, click on OPTIONS and then select SYNCHRONIZATION OPTIONS. 3. Under the UPDATE FILES AND LANGUAGES section, click on ADVANCED and accept the warning message by clicking on OK. Deselect the Download express installation files checkbox. If you want to reactivate them, follow the same procedure and click on the Download express installation files option. (Screenshot: the WSUS Advanced Synchronization Options web page dialog, Update Files section, with the options to download update files to this server only when updates are approved, to download express installation files, and to not store updates locally so that clients install from Microsoft Update.) puter
298. uary Application Server; the user must have valid credentials to do this if you are using our client deployment tool. Please consult your corresponding Administrator's Guide or help file for a complete description of how to create an Endpoint Maintenance Ticket. Load Balancing Methods. What is Load Balancing? When you have two or more Sanctuary Application Servers in your network, it is necessary to distribute the processing activity evenly so that the Sanctuary Application Servers work in a more or less balanced state and no single server is overwhelmed. Load balancing is especially important when it is difficult to predict the number of requests that will be issued to a server. One approach is to use a load balancing technique called round robin, which works on a rotating basis, i.e. in a loop. How Does Round Robin DNS Work? When a DNS server that is configured in a round robin fashion receives a request, it resolves the name to one of the available IP addresses stored in its table, in rotated order. This redirects the request to one of the Sanctuary Application Servers in the group. As an example, and using Figure 6.21 on page 82 as reference, when the first request arrives at the DNS server it returns IP address 192.168.1.1 (the first machine); on the second request, IP address 192.168.1.2; and so on. Assuming that we only have three serve
299. The installation program checks for the presence of a valid license file. If the setup program cannot find one, or the file was altered in any way (e.g. due to an email filter introducing linefeed characters or translating foreign characters), an error message is displayed. (Figure 4.4: Sanctuary Application Server installation, No license found; the License file verification dialog states that Setup could not find a valid license file, that you should copy the license file to your system32 directory, and that you should contact Lumension Security if you do not have a license file.) 7. If you have a license file and see an error message, check the name of the Sanctuary.lic file and copy it to the %SYSTEMROOT%\SYSTEM32 folder. If this does not resolve the problem, check your email client settings, verify that your license file does not have a .txt extension (which may be hidden in Windows Explorer), or contact Lumension's technical support team to obtain a new license file. Note: The setup will refuse to install Sanctuary Application Server if it cannot find a valid license. Warning: If you are using more than one Sanctuary Application Server, the same license file must be used on all your servers. 8. Choose the folder in which you want to install the Sanctuary Application Server and click on NEXT. By default the da
300. ued to the Users. If a user is denied access to an encrypted medium for which he/she has received proper rights, verify that the Certificate Authority has correctly issued the certificates for this user. The following is a step-by-step procedure to check that a user certificate has been correctly issued: 1. Log on to the user's machine. 2. Go to the Start > Run menu. 3. Enter mmc.exe in the Open field and click OK. 4. In the Microsoft Management Console, open the File menu and select Add/Remove Snap-in (or press Ctrl+M). 5. Click on ADD. 6. In the Add Standalone Snap-in dialog, choose Certificates and click Add. (Screenshot: the Add Standalone Snap-in dialog listing the available standalone snap-ins, including Certificates, Certificate Templates and Certification Authority.)
301. ugger and attach it to itself. Log file name: gives the name of the log file written if Log to file is true. Default: sxs.log. Log to console: if yes or 1, sends debug messages to the console (if any). Log to dbwin: if yes or 1, sends debug messages to Dbwin32. Log to file: if yes or 1, sends debug messages to the log file (see the Log file name entry). LogMonitorDlls: not used for Sanctuary Device Control. Key used by Spread Check. If configured, it would also monitor the spread of DLLs that have been authorized implicitly in the DLL don't care mode. If not configured, only applications and explicitly authorized DLLs are monitored. See the Sanctuary Application Control Suite User Guide for more details. Table B.3: Sanctuary Application Server registry keys, debugging purpose (columns: key, Description, Default). LogMonitorPeriod: not used for Sanctuary Device Control. Period in seconds between two checks. LogMonitorResetOptions: not used for Sanctuary Device Control. Number of distinct users that must execute the same locally authorized executable for an alert to be issued. LogMonitorThreshold: not used for Sanctuary Device Control. Controls whether the global user option is set to blocking mode when the alert is generated: if no, Sanctuary Application Server only issues a message in the event log; if yes, it issues the same message, sets a
302. uration, see next. edrBatThreads: the number of batching threads. edrDspPause: successful dispatch mean sleep time in seconds; zero by default. Once a dispatcher submits a batch to the DB successfully, it will sleep that long. Table B.2: Sanctuary Application Server registry keys, log insertion process (columns: key, Description, Default). edrDspPauseFail: initial unsuccessful dispatch mean sleep time in seconds. edrDspRetryCount: max number of retries for unsuccessful dispatches. edrDspThreads: the number of dispatching threads. edrQueLength: the length of the batch queue. edrStaPeriod: the periodicity of statistical output in seconds; zero disables statistical output (43200 is 12 hours). edrTmpTimeout: max file slot allocation time in seconds. When clients upload data, temporary files are allocated. The temporary directory can contain a limited number of files; if the directory becomes congested and no more temp files are available, the server will wait up to this duration for a free temp file slot. Debugging Registry Keys. The following registry keys are used to debug Sanctuary Application Server. Table B.3: Sanctuary Application Server registry keys, debugging purpose. Debug: if yes or 1, and if Sanctuary Application Server runs as a service, it attempts to launch a deb
303. ust set the Non-TLS client Max Concurrence field to a value > 0, since you did not select the Secure Inter-Sanctuary Application Server option. You should already have a valid computer certificate. Only used for migration purposes (updates) and not recommended for a new installation. The selected protocol is 3; TLS is a requirement. The selected protocol is 3; TLS is a requirement. You must first select the Secure Inter-Sanctuary Application Server option. You should already have a valid computer certificate. Only used for migration purposes (updates) and not recommended for a new installation. Registry Keys. Table B.7: Combining SecureInterSxs, CommVer, TLSMaxSockets, MaxSockets, Port and TLSPort. SecureInterSXS: You cannot select the Secure Inter-Sanctuary Application Server option when the TLS Clients Max Concurrence field is set to a value 0. You cannot select the Secure Inter-Sanctuary Application Server option when the TLS Clients Max Concurrence field is set to a value 0. You should already have a valid computer certificate. You should already have a valid computer certificate. Only used for migration purposes (updates) and not recommended for a new installation. The selected protocol is 3; TLS is a requirement. The selected protocol is 3; TLS is a requirement. You should already have a valid computer certificate. You shoul
304. ution registry key instructs the Sanctuary Management Console to use NTLM to authenticate to the Endpoint Mapper and obtain which endpoint it should connect to on the Sanctuary Application Server. You may also experience some authentication problems when running the Sanctuary Management Console on a computer with Windows XP, 2003 or Vista: the console displays an access denied popup message even when the correct credentials are specified. To fix this, the following key must be set on the Windows XP, 2003 or Vista machine(s) running the Sanctuary Management Console. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC. Name: EnableAuthEpResolution, Type: REG_DWORD, Value: 0x00000001; and Name: RestrictRemoteClients, Type: REG_DWORD, Value: 0x00000000. See http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx for more information about these settings. Note: The Sanctuary Management Console setup prompts you to create this key if it does not exist. Note: Operating systems prior to Windows XP SP2 / 2003 SP1 do not support the EnableAuthEpResolution key. Summary. The following table summarizes the communication ports and registry keys used in Sanctuary. Table D.1: Communication ports in Windows XP (columns: Protocols registry key; Port to open on the; Connection string to use in t
305. Table B.4: Sanctuary Application Server registry keys, general keys (columns: key, Description, Default). DataFileDirectory: the base directory under which the Sanctuary Application Server stores data files (log files, for instance). Default: c:\datafile. If multiple Sanctuary Application Servers are in use, their DataFileDirectory entries may all resolve to the same directory on disk. This is the directory created during the Sanctuary Application Control setup process. All servers can optionally write to the same shared directory, or you can opt for having different ones for each server (see Figure 1.1 on page 2). OnLineMonitorPeriod: a value in minutes stating the period after which a maintenance clean cycle is started. This cycle purges all offline machines from the active computer table kept by the Sanctuary Application Server. This table is used, among other things, to generate the Online Machines report. This avoids freezing the console while doing an update when your organization has a large number of machines to monitor. This parameter is used in combination with the following one. OnLineStateExpiry: a value in minutes defining the period after which, if a client has not communicated with the Sanctuary Application Server, it is dropped from its table of active ones without further notification until another communication is established. This parameter is used in combination with the previous one. Pro
306. vell documentation for further information about how to create shares and users in Novell. The sxs account on the Novell eDirectory should have, by default, no rights to any files or directories. Using Novell v5.0 or later, follow these steps to enable this transparent authentication: 1. Run the NetWare Administrator tool (nwadmn32.exe, located at BOOGIE\SYS\PUBLIC\WIN32) on the Novell server. This must be run from a Windows machine with a Novell Client for Windows installed on it, logged on as a Novell administrator. Now search for the user account sxs in the root of the context TEST. This account is used by Sanctuary Application Server to access the Novell share, as shown below. (Figure G.1: Searching the account that Sanctuary Application Server is going to use; the NetWare Administrator window shows the SECUREWAVE tree with the BOOGIE server objects and the TEST context.) 2. Open the properties window for user sxs. To do this, right-click on the user and select Details. (Figure G.2: Properties of the Novell account used for the Sanctuary Application Server service) 3. Cli
307. ver. See the architecture section of any of the administrator's guides for more information on how to configure this proxy connection. Warning: Please read Appendix D, Installing Sanctuary Components on Windows XP/2003/Vista, on page 175 carefully before installing this component on computers that use this operating system and service pack. Although you can use Windows XP for the database and console, you cannot install the Sanctuary Application Control Server Edition client on it. We do not support Windows XP, 2000 Pro or Vista for the Sanctuary Application Control Server Edition client component. Warning: Please disable the Windows System Restore feature (Windows XP or Vista) before installing the client. If you try to roll back to a previous state after installing the Sanctuary Client, the system becomes unstable. This is a System Restore design limitation, since it will not reinstate all files completely. Be aware that System Restore is not a substitute for uninstalling a program. Since this is a specific Windows feature, you must search your Windows help file to find out how to disable your System Restore points before proceeding (using the Control Panel or Policies). System Requirements. The system requirements can be divided into what is needed for the overall system and what is needed for each client computer. Overall System Requirements. Before you install the Sanctuary Client on a client computer, you must
308. vious Sanctuary installation. Optionally create policies.dat: consult the User's Guides. Assign computers to the installation package(s): Chapter 8, Unattended Client Installation. Automatically: Chapter 8, Unattended Client Installation. Command line: Using the Command Line to Install Clients, on page 117. Windows group policy: Using Windows Group Policy to Install Clients, on page 118. Schedule the domain synchronization process: Scheduling Domain Synchronizations, on page 135. Are you using Novell machines? Synchronize eDirectory objects: Appendix F, Using the Synchronization Script for Novell. Define permissions, rules and options according to corporate policies: consult the User's Guides; see also the next table. Defining Permissions in Sanctuary Device Control. Use the following table as a guideline when setting permissions. It defines which ones can be set depending on the group where you are working. Table J.3: Defining permissions (columns: Permission type, Description). Rows: Modems / Secondary network access devices; Wireless NICs (network interface controllers); Palm handheld devices; Printers (USB); PS/2 Ports; Windows CE handheld devices; LPT / Parallel ports; Removable storage dev
309. where you installed the Sanctuary Database. Here is a summary of the different cases. Table 4.1: Database server name syntax (columns: Sanctuary Database server; the Sanctuary Database is created in the default instance; the Sanctuary Database is created in a named instance). The database is on the local computer: ServerName, or leave the field blank; \InstanceName. The database is on another server: ServerName; ServerName\InstanceName. The database is on a cluster (local or remote): VirtualServerName; VirtualServerName\InstanceName. 12. Choose the folder where the Sanctuary Application Server log, shadow and/or scan files are to be stored. Setup will suggest a directory named DataFileDirectory (DFD) under the system's drive root. You should use a permanent network share, or a dedicated file server, if you are planning to install more than one Sanctuary Application Server. All servers can optionally write to the same shared directory, or you can opt for having different ones for each server (see Figure 1.1). For evaluation purposes, use a single DFD in a local directory. (Screenshot: Sanctuary Application Server Wise Solutions Wizard, Datafile directory page. Enter the path to the directory where the Sanctuary Application Server is to store its data files. To keep database performance optimal, the Sanctuary Application Server will store data that is likely to take up some space in a disk directory. This data includes
310. y Authorization Service will run under this account. Use Domain\user name syntax for a domain account, Workstation\user name for a local account. (Figure 7.2: Sanctuary Authorization Service Tool installation, Configuration screen: User name and Password fields, plus the name or IP address of the machine on which your Sanctuary Application Server is installed; Server name or IP address defaults to localhost.) The Sanctuary Authorization Service Tool. 5. Configure the SUS and Sanctuary Authorization Service Tool to suit your requirements and click on NEXT. (Figure 7.3: Sanctuary Authorization Service Tool installation, Option screen. Setup could not detect any Windows Update Services on this machine; specify the version you are using (Microsoft Software Update Services (SUS) version 1.0 or Microsoft Windows Server Update Services (WSUS) version 2.0), the content directory and the history directory. Sanctuary Authorization Service options: provide information on each scan by e-mail; use verbose report mode; do not automatically start Sanctuary Authorization Service when Setup is finished.) 6. If you selected the e-mail option in the previous step, configure this by completing
311. ying the Client Status, on page 124. The program queries the client versions and driver status for every machine in the list. It also reports the operating system version and service pack. Progress details: displays an additional window providing details of the install/uninstall/query operation on the selected computers. An example of the progress window is shown in Figure 8.36. Open last log: opens the log of the last installation. An example log file is shown in Figure 8.37. (Figure 8.36: Sanctuary Client Deployment Tool menus, Progress detail; the report lists each computer with its status and progress, for example "Checking the operating system", "Cannot determine the version of the operating system", "The network path was not found".) Unattended Client Installation. (Figure 8.37: setup.log opened in Notepad, an MSI verbose log.)
312. ypted media and then logs on. It is mandatory that the Sanctuary Application Server be online and accessible upon these events. The received rights and disk encryption keys are cached locally in a protected area of the hard drive, so that the user will be able to access the encrypted media when his computer is disconnected from the network. Note: The access permissions to encrypted removable media are retrieved from the Checking Certificates are Correctly Issued to Endpoint Machines. If you choose to use TLS for Sanctuary Client to Sanctuary Application Server or intra-Sanctuary Application Server communications, there should exist issued certificates for each machine that uses this mode. You can verify if they were correctly emitted by using the procedure described in Checking Certificates are Correctly Issued to the Users, on page 210. Note that you should select Computer Account instead of My user account in step 7. Controlling Administrative Rights for Sanctuary's Administrators. When installing your Lumension solution, several Visual Basic Script file tools are provided. These include Ctrlacx.vbs, which narrows the administrative rights to control organizational units, users, computers and groups for special users designated as Sanctuary's administrators. Ctrlacx.vbs. Ctrlacx.vbs is a Visual Basic Script file that can be used to set, view
