CompuSec Course 279 Demonstrations V1.0

Date posted: 26-Oct-2014
Page 1: CompuSec Course 279 Demonstrations V1.0

COMPUSEC COURSE No 279

Demonstrations

NCSA NATO CIS Services Agency

To remain at NCISS. Please do not take away.

NATO UNCLASSIFIED


Table of Contents

Module 07 TrendMicro ScanMail Install Demo v1 (page 1)

Module 07 TrendMicro ScanMail Config Demo v1 (page 19)

Module 08 McAfee AV Install and Update Demo v1 (page 37)

Module 08 McAfee AV Config V8.0 Demo v1 (page 56)

Module 09 ePO 3_6 Demo v1 (page 88)

Module 10 WAC Demo v1 (page 105)


Trend Micro ScanMail Module 7: Installation

Overview

• This demonstration describes, step by step, all actions required to install Trend Micro ScanMail for Microsoft Exchange Server.


Requirements for ScanMail 8.0

• Operating system and service packs: Microsoft Windows Server 2003 with Service Pack 1 (32-bit); Microsoft Windows Server 2003 R2 (32-bit); Microsoft Windows Server 2003 with Service Pack 2 (32-bit)

• Microsoft Exchange Server 2003: Microsoft Exchange Server 2003 with Service Pack 2 or above

• Applications: the latest approved version of the Java Runtime Environment (Jre-1_5_0_10 or above)


Preparations

The following installation files are to be downloaded from the NCIRC web site (you can also request the product CD issued by NITC NCIRC TC):

• “SMEXV8.0-b1.zip” - contains the installation files for ScanMail V8.0.

• “smex_80_win_en_patch2.exe” - contains the installation files for ScanMail V8.0 Patch 2.

It is recommended to download and unzip files into a separate temporary folder on the server before commencing the installation.


Step 1: Verify that your system meets the requirements:

• Windows Server 2003 with Service Pack 2 or above

• Exchange Server 2003 with Service Pack 2 or above

• Java Runtime Environment 1_5_0_10 or above

• Step 2: Locate the SMEX v8 application on the hard drive and <Double Click> Setup.exe to start the installation.


Step 3: The Welcome to Trend Micro ScanMail Setup screen opens. <Click> Next to continue the installation.

• Step 4: The License Agreement window opens. To continue the installation, <Click> the “I accept the terms in the license agreement” radio button, then <Click> [Next].


• Step 5: The Select an Action screen appears. To perform a fresh installation or an upgrade, <Click> the “Install/Upgrade” option, then <Click> [Next] to continue with the installation.

• Step 6: The Server Role Selection screen opens. Specify the server role onto which ScanMail will be installed: <Click> the “Exchange Server 2000/2003” option, then <Click> [Next] to continue with the installation.


Step 7: The Select Target Server(s) screen appears. The Setup program can install ScanMail to a number of single servers or to multiple servers in a domain. You must be using an account with the appropriate admin privileges to access every target server. <Click> Browse and browse the computers that are available on your network.


Step 8: Select the server where you want to install ScanMail. <Double click> on SCHOOL and then <Click> on EXSERVER2003. <Click> OK to continue.


Step 9: After the server selection window closes, verify that the server names listed in the Select Target Server(s) window are correct, and if so, <Click> [Next].


Step 10: The Log On screen opens. Log on to the target servers where you want to install ScanMail. You must log on using an account with Domain Administrator privileges unless you have manually created the "SMEX Admin group" and the user account for the Web management console administrator in your domain. Type domain\user_name and password (e.g. “SCHOOL\Administrator” and “xxxxxxxx” in the VMware environment created for this class) to log on to the target server and install ScanMail. Click Next to accept the logon credentials for the target servers and continue the installation.


Step 11: Accept the default directory path where ScanMail will be installed on the target server. Also accept the default share name shown, to which the specified user has access rights, or keep the default temporary share directory, C$. The Setup program uses the share directory to copy temporary files during installation; it can be accessed only by the administrator. Click Next to accept the logon credentials for the target servers and continue the installation.

• Step 12: The Checking Target Server System Requirements window opens. SMEX checks your Exchange server and system requirements. It needs Exchange 2003 SP2 as a minimum.

• Verify that the correct Exchange Virtual server is displayed. <Click> [Next>].


• Step 13: The Web Server Information screen opens. <Click> the radio button to select “Microsoft Internet Information Services 5.0 or 6.0”. Keep the default drop down selection, “Virtual Web Site” and the Port Number 16372.


• Step 14: The Connection Settings screen appears. By default, the proxy server is disabled. If a proxy server handles Internet traffic on your network, you must enter the proxy server information on this screen.


Step 15: Activate the product

Enter the Activation Code to get full ScanMail protection. You can contact the COMPUSEC NCIRC Malware Protection Cell at [email protected] for the official activation key. Copy the Activation Code and paste it into the first input field of the Activation Code on this screen; the Setup program parses the entire string and populates the remaining fields of the Activation Code. <Click> Next to continue the installation.


• Step 16: The World Virus Tracking Program screen appears. Read the statement and <Click> “No, I don’t want to participate”. <Click> [Next] to continue installation.


• Step 17: The End User Quarantine Setting screen opens. <Click> “Integrate with Outlook Junk E-mail” to send all ScanMail detected spam messages to the Junk E-mail folder in Outlook. <Click> [Next] to continue.


• Step 18: The Control Manager Server Settings screen opens. Generally the Trend Micro Control Manager is not used in NATO so leave the “Register ScanMail agent to Control Manager Server” check box empty. <Click> [Next] to continue.


• Step 19: The Web Management Console Configuration screen opens. This screen is used to create the Active Directory domain group and account used to manage SMEX from the Web management console. For a new installation, <Click> “Create a new account”. <Click> [Next] to continue.


Step 20: Create the administrator account for ScanMail

Accept the Trend Micro default user name, or change it to a simple user name. For this class use:

• User name: “SMEXadmin”

• Password: “xxxxxxxx”

Setup creates the "SMEX Admin Group" and your SMEX administrator account in Active Directory; your SMEX administrator account is then added to the SMEX Admin Group. <Click> Next to continue the installation.


• Step 21: The Review Settings screen opens. Read and verify the configuration settings; if you are happy with the choices, <Click> [Next].


• Step 22: The Installation Progress Screen opens. This screen shows the installation process. <Click> [View Details] to display a list of all computers to which ScanMail is being installed and their current status.


• Step 23: The Progress Status screen opens. <Click> [OK] to return to the Installation Progress screen.


• Step 24: Return to the Installation Progress Screen. <Click> [Next] to continue installation.


• Step 25: The Installation Complete screen appears. This screen informs you that the installation was successful. When the installation is completed, <Click> the View the Readme file check box to open the readme file when finished. Please read the file, especially the “Known Issues” section. <Click> [Finish] to exit the Setup program.


Step 26: Verify a successful installation

• Check that ScanMail is installed in the following directory: C:\Program Files\Trend Micro\SMEX\

• Check for the following services, using Microsoft’s Services component (click Start\All Programs\Administrative Tools\Services):

ScanMail for Microsoft Exchange Master Service
ScanMail for Microsoft Exchange Remote Configuration Server
ScanMail for Microsoft Exchange System Watcher

• Verify that ScanMail added the following keys to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ScanMail for Exchange
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Private-<MDB-GUID>\VirusScanEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Private-<MDB-GUID>\VirusScanBackgroundScanning
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Public-<MDB-GUID>\VirusScanEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Public-<MDB-GUID>\VirusScanBackgroundScanning
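The Step 26 checks can be scripted so that they are repeatable on every patched server. The following PowerShell script is an added example and is not part of the course material; it assumes the installation directory, service display names and registry keys exactly as listed in Step 26, and discovers the <Server-Name> and <MDB-GUID> parts by walking the MSExchangeIS key instead of requiring them to be typed in.

```powershell
# Added example (not course material): scripted version of the Step 26 checks.
# Assumes the install path, service display names and registry keys listed in
# Step 26; run it in an elevated PowerShell session on the Exchange server.
$failures = 0

function Report {
    param([string]$Label, [bool]$Ok)
    if ($Ok) { Write-Host "[ OK ] $Label" }
    else     { Write-Host "[FAIL] $Label"; $script:failures++ }
}

# 1. Installation directory
$smexDir = 'C:\Program Files\Trend Micro\SMEX'
Report "Install directory $smexDir exists" (Test-Path -LiteralPath $smexDir)

# 2. Services, looked up by the display names shown in the Services snap-in
$serviceNames = @(
    'ScanMail for Microsoft Exchange Master Service',
    'ScanMail for Microsoft Exchange Remote Configuration Server',
    'ScanMail for Microsoft Exchange System Watcher'
)
foreach ($name in $serviceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    Report "Service '$name' installed" ($null -ne $svc)
    if ($svc) { Report "Service '$name' running" ($svc.Status -eq 'Running') }
}

# 3. Registry keys written by Setup
Report 'HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange' `
    (Test-Path -LiteralPath 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange')
$isKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
Report 'MSExchangeIS\VirusScan' (Test-Path -LiteralPath "$isKey\VirusScan")

# 4. Per-database values under <Server-Name>\Private-<MDB-GUID> and Public-<MDB-GUID>.
#    Server name and GUIDs are discovered, not hard-coded.
$mdbKeys = @(Get-ChildItem -Path $isKey -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Private-*' -or $_.PSChildName -like 'Public-*' })
Report 'At least one Private-/Public- database key found under MSExchangeIS' ($mdbKeys.Count -gt 0)
foreach ($key in $mdbKeys) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    foreach ($valueName in 'VirusScanEnabled', 'VirusScanBackgroundScanning') {
        # Value present?  (indexing the property collection works on PowerShell 2.0 too)
        $present = ($null -ne $props) -and ($null -ne $props.PSObject.Properties[$valueName])
        Report "$($key.PSChildName)\$valueName present" $present
        if ($present) { Write-Host "       $($key.PSChildName)\$valueName = $($props.$valueName)" }
    }
}

if ($failures -eq 0) { Write-Host 'All Step 26 checks passed.' }
else { Write-Host "$failures check(s) failed; review the output above before applying the patch (Step 27)." }
```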


• Step 27: Install the latest SMEX software update patch. The latest SMEX patch can be found on the NCIRC NS web portal at the following URL: http://www.ncirc.nato.int/software/antimalware.htm. On the website, <Click> on the [Mail Server Solutions] tab then go to the Patches Trend Micro ScanMail v.8.0 section. Patches are normally cumulative; currently the latest patch is SMEX 8.0 Patch 2. Download and unzip the file into a temp folder on all the servers that need to be patched.


• Step 28: A ScanMail for Microsoft Exchange 8.0 Patch 1 window opens. This window shows the Trend Micro License Agreement. <Click> the “I accept the terms of the legal agreement” radio button then <Click> [Next] to continue installation.


• Step 29: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens. You can scroll down within this install screen to read the installation notes. <Click> [Install] to continue the patch installation.


• Step 30: The Trend Micro Install package window opens. Do not close any command window that may appear during installation. <Click> [Yes] to continue.


• Step 31: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens. This window shows the installation progress. NOTE: Please do not close any command prompt during the patch installation.


• Step 32: Using the Microsoft Services Manager, verify that the ScanMail servers are running.


Trend Micro ScanMail Module 7: Configuration

Overview

• Demonstration 2 provides the basic steps required to configure Trend Micro ScanMail for Microsoft Exchange Server.

• A Web management console is used to access, configure and control ScanMail. The console allows you to manage multiple MS Exchange servers and remote servers from any computer on the network. The management console is password protected, ensuring that only the ScanMail administrator can modify ScanMail settings.

• A Java-enabled web browser that supports frames, such as Internet Explorer 5.5 with SP3 or above, is required to access and manage the Web management console.

• Make sure the Java virtual machine is installed on your computer before you start the ScanMail Web Management Console.

• The settings as ticked in this demonstration are recommended by NATO NCIRC.


Step 1: View the Web management console:

<Click> [Start > Programs > Trend Micro ScanMail for Microsoft Exchange > ScanMail Management Console] in order to view the Web management console

or

Use Internet Explorer and access the following site: http://<Scanmail servername>:<portnumber>/smex, e.g. http://localhost:16382/smex (by default the HTTP port number is 16382).


Step 2: Enter your SMEX User name and Password


Step 3: The ScanMail “Summary” page is displayed once you have logged on successfully.

Step 4: Verify that SMTP scanning is activated.

Both SMTP and VSAPI (Mailstore) scanning are enabled by default. Scanning in both SMTP and VSAPI modes may result in some files being scanned twice, but with SMTP scanning enabled SMEX is able to perform the “Delete entire message” and “Quarantine entire message” actions. This functionality is more important than the small performance gain that disabling SMTP scanning might bring.

If SMTP scanning is disabled the icon is RED; enable SMTP scanning by <Clicking> the icon so that it turns GREEN.


Step 5: <Click> Virus Scan on the sidebar and then <Click> Enable real-time virus scan. Configure the Target tab:

• Default scan section: <Click> “All attachment files”

• IntelliTrap section: deselect the “Enable IntelliTrap” checkbox

• Additional Threat Scan section: deselect all checkboxes

• Advanced Options section: set the Scan Restriction Criteria as follows:

  • Message body size exceeds: 30 MB

  • Attachment size exceeds: 30 MB

  • Decompressed file count exceeds: 9999

  • Size of decompressed file exceeds: 100 MB

  • Number of layers of compression exceeds: 5

  • Size of decompressed file is “x” times the size of compressed file: 1000

To save all changes, <Click> the Save button.


Step 6: Configure the Virus Scan > Action tab.

<Click> the radio button “Customized action for detected threats”. <Click> the check box “Enable action on mass-mailing behaviour” (this overrides all other actions). In the drop-down boxes, <Select> “Quarantine entire message” as the action and “Notify” for notification. In the Detected Threats subsection, <Select> “Specify action per detected threat”. For each case, <Specify>:

• “Quarantine entire message” as the action item, and

• “Notify” for notification.

For the option “Uncleanable files”, choose “Quarantine entire message” from the drop-down box. <Click> the check box to select the option “Do not clean infected compressed files to improve performance”.


Step 7: Continue the Virus Scan > Action tab configuration: Advanced Options section

In the “Macros” section, <Select> the option “Enable advanced macro scanning”. Then <Select> the “Heuristic Levels” option and, in the drop-down box, set the option to “2-Default filtering”.

In the “Backup and Quarantine settings” section, view the default settings and ensure they are set as follows:

• Backup Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\backup

• Quarantine Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\quarantine

In the “Replacement Settings” section, review to ensure the default settings are configured as follows:

• Replacement file name: VIRUS_DETECTED_AND_REMOVED.TXT

• Replacement text: “ScanMail detected and removed a virus from the original mail entity. You can safely save or delete this replacement attachment.”

To save all the changes, <Click> the Save button.


Step 8: Configure the “Virus Scan > Notification” tab

<Expand> the “Notify Administrator” view, <Select> the “To” radio button and add:

• the NCIRC email address, i.e. [email protected] (in the demonstration it is mapped to “Testuser1”);

• all local notification e-mail addresses (use the semicolon sign without spaces to separate e-mail addresses).

In the “Subject” field, add meaningful information that identifies your organization and site. An example of a subject field entry is “Virus Scanning Notification from NATO School”. In the “Advanced Notification” section, <Select> “Write to Windows event log”. <Click> the Save icon to save all your changes.


Step 9: Configure Attachment Blocking – Target tab

Enable real-time attachment blocking.

Go to the subsection “Block these attachments”. <Click> to select the option “Specified attachments”. Then <Click> to select the option “Specified file extensions to block”. The default file extensions blocked are: “ADE; ADP; ASX; BAS; BAT; BIN; CHM; CMD; COM; CPL; CRT; DLL; EML; EXE; HIV; HLP; HTA; INF; INS; ISP; JS; JSE; JTD; MSC; MSI; MSP; MST; OCX; OFT; OVL; PCD; PIF; PL; PLX; SCR; SCT; SH; SHB; SHS; SYS; VB; VBE; VBS; VSS; VST; VXD; WSC; WSF; WSH”. Remember to use a semicolon [;] to separate the file extensions.

Next, <Click> to select the option “Block attachment types or names with zip files”.

To save your changes, <Click> the Save button.


Step 10: Go to the Attachment Blocking > [Action] tab.

Go to the subsection “Select an action” and <Click> to select “Replace attachment with text/file”. The default text currently states “ScanMail detected and removed a file that violated policy from the original mail entity. You can safely save or delete this replacement attachment.” Go to the subsection “AND”, then <Click> the radio button to select the “Notify” option. To save your changes, <Click> the Save button.


Step 11: Go to the Attachment Blocking > [Notification] tab

Go to the subsection “People to notify”. <Click> the check box to select the “Notify Administrator” option. Expand “Notify Administrator” to show all the configuration options.

• In the To field, add the local system notification email addresses and the NCIRC-TC ScanMail alerts email address, [email protected]. Use a semicolon [;] to separate the email addresses.

• In the Subject field, include the name of your organization and site in the attachment blocking notification wording; for example: “Attachment Blocking Notification from NATO School”.

Go to the Settings section and <Click> to select the option “Send consolidated notification every” with the default value of 2 hours. Go to the subsection “Advanced Notification”, then <Click> to select “Write to Windows event log”. To save changes, <Click> the Save button.


Step 12: <Click> Content Filtering on the side bar, then make sure that the option Enable real-time content filtering is NOT selected. See figure below.

<Click> the Save button.


Step 13: On the left side bar, <Click> Anti-Spam. Ensure that the option Anti-Spam is disabled. See figure below.

<Click> the Save button.


Step 14: Configure Scheduled Scan

<Click> Scheduled Scan on the sidebar and then select the Add tab to add a new scan task.


Step 15: Continue the Scheduled Scan configuration

In the [Scan task name:] field, enter a title for the scan task, for example “Daily Mailbox Scan <classification>” (e.g. “Daily Mailbox Scan NS”). Go to the subsection Scheduling and <Click> to select the option “Daily”. In the Start Time, choose the quietest local time, for example 03 (hh) 00 (mm) (24 hr), to start the Exchange database scan. Next, go to the “Database Selection” section and <Click> to select ALL databases on your Exchange server(s). Next, go to the “Select scan type” section and <Click> to select the options “Virus scan” and “Attachment blocking”. <Click> the Save button.


• Step 16: When saved, make sure the scheduled scan is enabled as shown in the screenshot below.


Step 17: Configure the updates for the scan engine and virus pattern.

On the sidebar <Click> Updates to expand the Updates side bar drop down menu.

On the sidebar, <Click> the option Scheduled from the previously expanded Updates drop down menu. In this section, <Click> to select Enable scheduled updates.

In Components Update section, from the list of options <Click> appropriate check boxes to select “Virus pattern”, “Additional threat pattern” and “Scan engine”.

In Update Schedule section, Update every: subsection, <Click> the radio button to select the option Hour(s). The option Hour(s) can be set to 4 so that updates are attempted every 4 hours. Adjust the update frequency to match local requirements.

To save changes, <Click> the Save button.


Step 18: Configure the Download Source

On the sidebar, from the previously expanded Updates drop-down menu, <Click> the option Download Source. The classification of your network determines the download source address:

• NU network: <Click> the radio button to select Trend Micro’s ActiveUpdate Server.

• NS network: <Click> the radio button to select Other Update Source. Enter the URL http://www.ncirc.nato.int/data/av-updates/activupdate

To save changes, <Click> the Save button.


Step 19: For demonstration purposes, updates are downloaded locally from the EXSERVER2003 server. See the screenshot below for the settings used in the demonstration. The updates were downloaded from the NCIRC website.


Step 20: Test your server’s connectivity with the anti-virus repository by initiating a Manual Update

On the sidebar, from the previously expanded Updates drop-down menu, <Click> the option Manual. Ensure that at least the options “Virus pattern”, “Additional threat pattern” and “Scan Engine” are selected. If any of these options are NOT selected, then <Click> the check box to make the selection.


Step 21: Monitor the manual updates screen to view the progress of the update and make sure it was able to connect to the update location.


Step 22: Verify successful Manual Update.


Step 23: Configure the alerts for System Events

<Click> Alerts > System Events. Ensure that the following options are selected; if not, <Click> the relevant checkboxes to select them:

• ScanMail service process did not start successfully

• ScanMail service is unavailable

• Update: each time update was unsuccessful

• Manual/Scheduled scan tasks were unsuccessful

• The disk space on the local drive (volume) of the backup, quarantine, and archive directory is less than: (set this to) 1 GB

• Specify time interval to send consecutive alerts if the above problem still exists: (set this to) 1 hr(s)

• The size of the database to keep quarantine and logs exceeds: (set this to) 1 GB

• Specify time interval to send consecutive alerts if the above problem still exists: (set this to) 1 hr(s)

To save changes, <Click> the Save button.


Step 24: Configure the Outbreak Alert events

<Click> Alerts > Outbreak Alert. In the section Outbreak Alert > Conditions, <Click> the checkboxes to select, and configure, the following options:

• Viruses detected exceed the following number within the shown time: 25 in 24 hr(s)

• Uncleanable viruses exceed the following number within the shown time: 25 in 24 hr(s)

• Blocked attachments exceed the following number within the shown time: 25 in 24 hr(s)

To save changes, <Click> the Save button.
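The three Step 24 conditions are all the same rule, a count per category exceeding 25 within any 24-hour window. The PowerShell below is an added example, not course material or Trend Micro code: it re-implements that rule as a sliding-window count over a log export, so the thresholds can be sanity-checked against a site's real detection volume (how many 24-hour windows would have alerted, and when) before relying on the console alert alone. The semicolon-separated log format and the three category names are constructed for this example.

```powershell
# Added example (not course material): Step 24 outbreak conditions as a
# sliding-window count. "Exceed 25 within 24 hr(s)" is read as strictly more
# than 25 events whose timestamps all fall inside one 24 h window.
# Log format (constructed for this example): timestamp;category;detail
$Threshold   = 25
$WindowHours = 24

function Test-OutbreakCondition {
    param([string[]]$LogLines, [string]$Category, [int]$Threshold, [int]$WindowHours)
    # Timestamps of this category only, oldest first
    $times = @($LogLines | ForEach-Object {
        $f = $_ -split ';'
        if ($f.Count -ge 2 -and $f[1] -eq $Category) { [datetime]::Parse($f[0]) }
    } | Sort-Object)
    $window = [TimeSpan]::FromHours($WindowHours)
    $start = 0
    for ($end = 0; $end -lt $times.Count; $end++) {
        # Slide the window start forward until every event from $start..$end
        # lies within $WindowHours of the current event
        while (($times[$end] - $times[$start]) -ge $window) { $start++ }
        $inWindow = $end - $start + 1
        if ($inWindow -gt $Threshold) {
            return New-Object PSObject -Property @{
                Category = $Category; Triggered = $true; Count = $inWindow
                WindowStart = $times[$start]; WindowEnd = $times[$end]
            }
        }
    }
    New-Object PSObject -Property @{
        Category = $Category; Triggered = $false; Count = $times.Count
        WindowStart = $null; WindowEnd = $null
    }
}

# Constructed sample log (not real detections)
$base = [datetime]::Parse('2014-10-20T08:00:00')
$sampleLog = @()
# 30 detections at 40-minute intervals (20 h span): more than 25 inside 24 h, so this trips
for ($i = 0; $i -lt 30; $i++) { $sampleLog += '{0};Virus;EICAR test file' -f $base.AddMinutes(40 * $i).ToString('s') }
# 25 blocked attachments at 2-hour intervals (48 h span): at most 12 in any 24 h, so no alert
for ($i = 0; $i -lt 25; $i++) { $sampleLog += '{0};BlockedAttachment;invoice.exe' -f $base.AddHours(2 * $i).ToString('s') }
# 3 uncleanable detections: far below the threshold
for ($i = 0; $i -lt 3; $i++) { $sampleLog += '{0};Uncleanable;packed.zip' -f $base.AddHours($i).ToString('s') }

foreach ($cat in 'Virus', 'Uncleanable', 'BlockedAttachment') {
    Test-OutbreakCondition -LogLines $sampleLog -Category $cat -Threshold $Threshold -WindowHours $WindowHours |
        Select-Object Category, Triggered, Count, WindowStart, WindowEnd
}
```

To use it against a real export, map each detection line into the timestamp;category;detail form and feed the lines to Test-OutbreakCondition in place of $sampleLog.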


Step 25: Configure Logs

On the sidebar, <Click> Logs to expand the Logs sidebar drop-down menu. <Click> to select Maintenance, then the [Automatic] tab.

• <Click> the check box to select “Enable Automatic Maintenance”.

• In the subsection Target, <Click> the radio button to select “All logs”.

Go to the subsection Action; for the option “Delete logs older than”, enter the value 90 days.

To save changes, <Click> the Save button.


Step 26: Configure Quarantine

<Click> Quarantine on the sidebar to expand the sidebar menu.

<Click> to select Maintenance, then <Click> the [Automatic] tab. Ensure that the option “Enable automatic maintenance” is selected; if not <Click> the check box to select it.

In the subsection “Files to delete”, <Click> the radio button to select “All quarantined files”.

In the Subsection Action, increase the value of the option Delete selected files older than to 90 days.

To save changes <Click> the Save button.


Step 27: Configure Administration > Proxy (If you use a proxy on your network)

If your environment uses a proxy server to access websites, from the Administration sidebar drop-down menu, <Click> to select Proxy.

In the Proxy configuration window, <Click> the check box to select the option “Use a proxy server for update and product license notification”.

In the Settings subsection, fill in the Address field with the HTTP address of the proxy server and the Port field with the port number (e.g. 8080).

In the subsection Proxy Password, fill in the user credentials required for SMEX to use the proxy to access the antivirus update website.

To save changes <Click> the Save button.


Step 28: Configure the Administration Notification settings

From the left Administration sidebar drop-down menu, <Click> to select “Notification Settings”.

In the “Notification Settings” window, configure the following subsections:

• In the “Administrator Notification” subsection, fill in the “Email Address:” field with the email addresses of the administrators and other mandated entities. Enter the email address for NCIRC TC, [email protected], into this field. To add the email addresses, <Click> the [Apply All] button. (NOTE: use a semicolon ‘;’ to separate multiple email addresses.)

• In the subsection “Sender Settings”, fill in the “Sender:” field with the email address of the local system administrator. This email address is the reply-to address on all alerts sent from the system.

To save the changes, <Click> the Save button.

Email notifications should be tested. Coordinate the verification with local administrators, NCIRC TC and other intended recipients. The NCIRC TC watch keepers can be reached at the addresses below:

• NCN: 254-6666 / 6670

• Civil: +32 (0)65 44-6666 / 6670

• NS/NU email: [email protected]


Step 29: Check your Product License

From the “Administration” sidebar drop-down menu, <Click> to select “Product License”. View the details of your license in the Product License window. If you need a license, please contact the COMPUSEC NCIRC TC to get your up-to-date license.


Step 30: Configure the World Virus Tracking

From the “Administration” sidebar drop-down menu, <Click> to select World Virus Tracking. Make sure the radio button “No, I don’t want to participate” is selected in response to the request to participate in the World Virus Tracking program.

To save changes <Click> the Save button.


Step 31: Verify monitoring with Real-time monitor

The Real-time Monitor application displays details of the SMEX server Scan Engine and Pattern versions as well as near real-time information for all incoming and outgoing messages. It also shows the current count of detected viruses. <Click> the Real-Time Monitor link on the overhead bar to display monitoring information about your local server or a remotely monitored ScanMail server.


Step 32: Sample Real Time Monitor view


Step 33: View the Server Management Console

The ScanMail server management console enables you to view all of the ScanMail servers on a network. <Click> the Server Management link on the overhead bar to view the features of all the ScanMail servers on a network.


Step 34: The following features are viewable from the Server Management Console: pattern and engine version, scanning result, scanning status, last replication.

• The Server Management Console can be used to replicate any or all SMEX configurations from one ScanMail server to other ScanMail servers. Replicating configuration settings to other servers in this way is much faster and easier than configuring each server separately. In addition, it ensures that the SMEX configuration is consistent across all ScanMail servers, or groups of servers, that provide the same kind of protection.

• NOTE: Replicate SMEX settings ONLY with the prior knowledge and approval of all Exchange server system administrators within your domain.


McAfee Enterprise Virus Scan: Installation


McAfee Enterprise Virus Scanner

• Part One – Installation – Version V8.0


Download from NCIRC

Download the latest McAfee NATO installation file from www.ncirc.nato.int. The file is located under the Security & Software tab, under Server and Workstation Solutions.


Unzip … and open

Unzip the downloaded file (in this case it is called VSE710LEN) to a folder on the desktop. Open the folder.


Start installation Setup

Start the installation by double clicking on the Setup icon.


Progress bar

A progress bar appears whilst the system is being prepared for installation.


README text

The McAfee Virus Enterprise Setup dialog appears – click on Next to proceed.


License to agree

• Choose All Other Countries and Perpetual on the license agreement page.

• Select I accept the terms in the license agreement and click “OK”.

A license agreement dialog box appears. In the Country list box select “All Other Countries”. For the expiry type select “Perpetual”.

Select the accept radio button option and click OK to proceed.


Select typical install

A setup type dialog box appears; select the radio button for Typical install and click Next.


Finishing preparation

A Ready to Install dialog box appears; click Install to proceed with the installation.


During installation a progress dialog box appears.


Start scan …

Once installation is complete a dialog box appears denoting the successful install and offering two options. The first, Update Now, may only be used if the host machine is connected to the Internet; it invokes an automatic check at the McAfee web site for the latest virus definition files. Leave this option unchecked. The second option invokes an immediate scan; select this option to confirm the software is running correctly. Click Finish to start the scan.


Accept or Update …

Depending on how old the virus definitions are, a warning that the virus definition files are out of date will appear: click OK to confirm the notification and allow the scan to run (an update of the virus definitions will follow). Alternatively, an update can be enforced by clicking on “Update”.


Watch progress

During the scan a progress dialog box will appear.


McAfee Enterprise Virus Scanner

• Part Two – Updating the Signature File.


Download signatures

Download the latest signature file from http://www.mcafee.com/apps/downloads/security_updates/ or obtain from the local network administrator. Activate the update by double clicking on the file (in this case 5087xdat).


Start update

An installation dialog box will appear, click Next to continue.


A progress dialog box appears whilst the system is prepared for update.


Complete update

On completion a dialog box appears confirming correct installation of the update. Click Finish to end; there is no requirement to restart the computer, as the update is activated immediately.


McAfee Enterprise V 8.0 Virus

Configuration (as per exercise)


Open McAfee Scan item

From the toolbar in the lower right hand corner, right click on the McAfee Virus Scan icon (a small shield) and select On-Access Scan Properties from the sub menu.


General settings - overview

A properties dialog box will appear, defaulting to a tab marked General. Ensure that the following configuration options are applied:

In the Scan box:
• Boot Sectors – Selected
• Floppy during shutdown – Selected

In the General box:
• Enable on access scanning at system startup – Selected
• Quarantine Folder – Set to \quarantine\

In the Scan time box:
• Maximum archive scan time (seconds) – Set to 60
• Enforce a maximum scanning time for all files – Selected
• Maximum scan time (seconds) – Set to 61

After these settings have been configured click Apply.


General settings - Scriptscan

In the same dialog box under the ScriptScan tab the following configuration item will be applied: ensure that the Enable ScriptScan tick box is selected.

After these settings have been configured click Apply


General settings - Blocking

In the same dialog box under the Blocking tab the following configuration items will be applied:
• Ensure that the Send a message tick box is clear.
• Ensure that the Block the connection tick box is selected.
• Ensure that the Unblock connections after (minutes) option is set to 10 (minutes).
• Ensure that the Block if an unwanted program is detected tick box is selected.

After these settings have been configured click Apply.


General settings - messages

In the same dialog box under the Messages tab the following configuration items will be applied;

In the Messages box:
• Show the messages dialog when a virus is detected – Selected
• Text to display in message – Set to: Alert!! Call <ADP Co-ordinator> on Helpdesk Ext <local Helpdesk extension number>
• Remove messages from the list – Selected
• Clean infected files – Selected
• Delete files – Selected
• Move infected files to the quarantine folder – Selected

Click Apply after making configuration changes.


General settings - Reports

In the same dialog box under the Reports tab:

In the Log file box:
• Log to file – Select (retaining the existing default text of %VSEDEFLOGDIR%\OnAccessScanLog.txt)
• Limit size of log file to – Select and amend to 2 megabytes
• Format – Unicode (UTF8)

In the What to log in addition to virus activity box:
• Session settings – Selected
• Session summary – Selected
• Failure to scan encrypted files – Selected
• User name – Selected

Click Apply after making configuration changes.


All Processes - Processes

In the left hand side of the dialog box click on All Processes. The default tab, Processes, is open. Select the Use the settings on these tabs for all processes option.

Click Apply


All Processes - Detection

Open the Detection tab.

In the Scan files box:
• When writing to disk – Select
• When reading from disk – Select
• On network drives – Deselect

In the What to scan box:
• All files – Select
• Default + additional file types – Deselect
• Specified file types – Deselect

Click Apply after making configuration changes.


All Processes - Advanced

Open the Advanced tab.

In the Heuristics box:
• Find unknown program viruses – Select
• Find unknown macro viruses – Select

In the Compressed files box:
• Scan inside archives (e.g. ZIP) – Deselect
• Decode MIME encoded files – Deselect

Click Apply after making configuration changes.


All Processes - Actions

Open the Actions tab.
• Under When a virus is found – Select Clean infected files automatically
• Under If the above Action fails – Select Move infected files to a folder

Click Apply after making configuration changes.


All Processes – Unwanted Programs

Open the Unwanted Programs tab.
• Detect unwanted programs – Select

Under When an unwanted program is found:
• Primary Action – Clean files automatically
• Secondary Action – Move files to a folder

Click Apply after making configuration changes.


On Delivery E-Mail Scanner

1. Open the VirusScan Console and right click on the On-Delivery E-mail Scanner item, select Properties from the sub menu.


E-Mail Scanner -- Detection

Open the Detection tab.

In the Scanning of e-mail box, in the Attachments to scan box:
• All file types – Select
• Default + additional file types [0] – Deselect
• Specified file types [0] – Deselect

Click Apply after making configuration changes.


E-Mail Scanner -- Advanced

Open the Advanced tab.

In the Heuristics box:
• Find unknown program viruses – Select
• Find unknown macro viruses – Select
• Find attachments with multiple extensions – Select

In the Compressed files box:
• Scan inside archives (e.g. ZIP) – Select
• Decode MIME encoded files – Select

In the E-mail message body box:
• Scan e-mail message body – Select

Click Apply after making configuration changes.


E-Mail Scanner -- Actions

Open the Actions tab.

Under When an infected attachment is found:
• Primary Action – When a virus is found: Clean infected attachments
• Secondary Action – If the first action fails: Move infected attachments to a folder
• Move To Folder – Quarantine

Under Allowed actions in prompt dialog box:
• Clean attachment – Selected
• Delete attachment – Selected
• Move attachment – Selected

Click Apply after making configuration changes.


E-Mail Scanner -- Alerts

Open the Alerts tab. In the E-mail alert box select Send alert to mail user then click Configure.


E-Mail Scanner – Unwanted Programs

Open the Unwanted Programs tab.
• Detect unwanted programs – Selected

Under When an unwanted attachment is found:
• Primary Action – Clean attachments
• Secondary Action – Move attachments to a folder

Click Apply after making configuration changes.


E-Mail Scanner -- Reports

Open the Reports tab.

In the Log file box:
• Log to file – Select (leave at the default file location of %VSEDEFLOGDIR%\EmailOnDeliveryLog.txt)
• Limit size of log file to – Select and set the size to 2 megabytes
• Format – Unicode (UTF8)

In the What to log in addition to virus activity box:
• Session settings – Select
• Session summary – Select
• Failure to scan encrypted files – Select
• User name – Select

Click Apply after making configuration changes.


User Interface Options

In the VirusScan Console open the menu item Tools and select User Interface Options from the sub menu.


User Interface Options – Display

Open the Display Options tab.

In the System tray icon box:
• Show the system tray icon with all menu options – Deselect
• Show the system tray icon with minimal menu options – Select
• Do not show the system tray icon – Deselect
• Allow this system to make remote console connections to other systems – Select

Click Apply after making configuration changes.


User Interface Options – Password

Open the Password options tab and make the following configuration changes:

• No password – Select

Click Apply after making configuration changes.


Access Protection

Open the VirusScan Console and right click on the Access protection item, select Properties from the sub menu.


Access Protection – Port Blocking

In the Access Protection Properties dialog box select the Port Blocking tab.
• Report access attempts in the log file and/or by generating Alert Manager and ePO events. Specify …….. – Select
• Set Minimum time interval between reports (minutes) to 1

Under the Ports to block heading tick the following rules:
• Prevent mass mailing worms from sending mail – tick
• Prevent IRC communication – tick
• Prevent IRC communication – tick
• Prevent FTP inbound (stops viruses such as Nimda spreading) – tick

Click Apply after making configuration changes.


Access Protection – File/Folder Protection

In the Access Protection Properties dialog box select the File, Share and Folder Protection tab.
• Leave shares with existing access rights – Select

Set the files and folders to block (Rule) as follows:
• Prevent Internet Explorer from launching anything from the Temp folder – tick
• Prevent Internet Explorer from launching files from the downloaded program folder (.exe) – tick
• Prevent Outlook from launching anything from the Temp folder – tick
• Prevent Outlook Express from launching anything from the Temp folder – tick
• Prevent packager from launching anything from the Temp folder – tick
• Prevent MSN from launching anything from the Temp folder – tick
• Prevent WinZip32 from launching anything from the Temp folder – tick
• Prevent WinRaR from launching anything from the Temp folder – tick
• Prevent execution of scripts from the Temp folder – tick
• Prevent access to suspicious startup items (.exe) – tick
• Prevent access to suspicious startup items (.scr) – tick
• Prevent access to suspicious startup items (.hta) – tick
• Prevent access to suspicious startup items (.pif) – tick
• Prevent access to suspicious startup items (.com) – tick
• Prevent remote modification of files (.exe) – tick
• Prevent remote modification of files (.scr) – tick
• Prevent remote modification of files (.ocx) – tick
• Prevent remote modification of files (.dll) – tick
• Prevent remote creation/modification/deletion of anything in the Windows folders and subfolders – tick
• Prevent remote creation/modification/deletion of files in the Windows folders and subfolders (.ini) – tick
• Prevent remote creation/modification/deletion of anything in the system root – tick
• Prevent remote creation/modification/deletion of files (.pif) – tick
• Prevent remote creation of autorun.inf files – tick

Click Apply after making configuration changes.


Access Protection – Reports

In the Access Protection Properties dialog box select the Reports tab.
• Log to file – Select
• Ensure the log location is set to “%VSEDEFLOGDIR%\AccessProtectionLog.txt”
• Limit size of log file – Select
• Set Maximum log file size (MB): 2
• Set Format: Unicode (UTF8)

Click Apply after making configuration changes.


Buffer Overflow Protection

Open the VirusScan Console and right click on the Buffer Overflow Protection item, select Properties from the sub menu.


Buffer Overflow Protection - Options

In the Buffer Overflow Protection Properties dialog box select the Buffer Overflow Protection tab.

• Enable buffer overflow protection – Select
• Protection mode – Select
• Show the message dialog box when a buffer overflow is detected – Select

Click Apply after making configuration changes.


Buffer Overflow Protection - Reports

In the Buffer Overflow Protection Properties dialog box select the Reports tab.
• Log to file – Select
• Ensure the log location is set to “%VSEDEFLOGDIR%\BufferOverflowProtectionLog.txt”
• Limit size of log file – Select
• Set Maximum log file size (MB): to 1
• Set Format: Unicode (UTF8)

Click Apply after making configuration changes.
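The four Reports tabs configured in this exercise (On-Access Scanner, On-Delivery E-mail Scanner, Access Protection and Buffer Overflow Protection) each point a component at a log under %VSEDEFLOGDIR%, cap its size at 2 MB (1 MB for Buffer Overflow Protection) and select the Unicode (UTF8) format. The script below is an added example, not part of the course material or McAfee's software: after configuration it checks that every log exists, has not outgrown its cap and decodes as UTF-8, which is a quick way to confirm each component is actually logging. The log file contents it creates for its own demonstration run are constructed and are not real VSE output.

```python
"""Audit the VirusScan Enterprise 8.0 log settings configured in the exercise.

Added example, not part of the course material. A missing log usually means
the component never wrote anything (or the location was not saved); an
oversize log means the size cap did not take effect; a non-UTF-8 log means
the format was left at the default rather than Unicode (UTF8).
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

MB = 1024 * 1024

# File names and limits (MB) exactly as set on the four Reports tabs.
EXPECTED_LOGS: Dict[str, int] = {
    "OnAccessScanLog.txt": 2,
    "EmailOnDeliveryLog.txt": 2,
    "AccessProtectionLog.txt": 2,
    "BufferOverflowProtectionLog.txt": 1,
}


@dataclass
class LogFinding:
    name: str
    status: str          # "ok", "missing", "oversize" or "not-utf8"
    size_bytes: int = 0
    detail: str = ""


def resolve_log_dir(env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Expand %VSEDEFLOGDIR% as the Reports tabs do; None if it is not set."""
    env = dict(os.environ) if env is None else env
    return env.get("VSEDEFLOGDIR")


def check_log(log_dir: str, name: str, limit_mb: int) -> LogFinding:
    """Check one log against the configured size cap and UTF-8 format."""
    path = os.path.join(log_dir, name)
    if not os.path.isfile(path):
        return LogFinding(name, "missing", detail=path)
    size = os.path.getsize(path)
    if size > limit_mb * MB:
        return LogFinding(name, "oversize", size,
                          f"{size} bytes exceeds the {limit_mb} MB cap")
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        # utf-8-sig accepts an optional byte-order mark at the start.
        data.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        return LogFinding(name, "not-utf8", size, str(exc))
    return LogFinding(name, "ok", size)


def audit_logs(log_dir: str,
               expected: Dict[str, int] = EXPECTED_LOGS) -> List[LogFinding]:
    """Audit every configured log and return one finding per file."""
    return [check_log(log_dir, name, mb) for name, mb in expected.items()]


def make_constructed_logs() -> str:
    """Create a temporary folder of constructed logs for a demonstration run.

    The contents are invented for this example and are not real VSE output:
    one valid UTF-8 log with a BOM, one UTF-16 log (wrong format), one log
    past the 1 MB Buffer Overflow cap, and AccessProtectionLog.txt absent.
    """
    folder = tempfile.mkdtemp(prefix="vse-logs-")
    bom = b"\xef\xbb\xbf"
    with open(os.path.join(folder, "OnAccessScanLog.txt"), "wb") as fh:
        fh.write(bom + "constructed session summary line\r\n".encode("utf-8"))
    with open(os.path.join(folder, "EmailOnDeliveryLog.txt"), "wb") as fh:
        fh.write("constructed line\r\n".encode("utf-16"))
    with open(os.path.join(folder, "BufferOverflowProtectionLog.txt"), "wb") as fh:
        fh.write(b"x" * (MB + 1))
    return folder


if __name__ == "__main__":
    # On a configured host the real folder is audited; elsewhere the
    # constructed folder shows what each finding looks like.
    log_dir = resolve_log_dir() or make_constructed_logs()
    for finding in audit_logs(log_dir):
        print(f"{finding.name:34} {finding.status:9} {finding.detail}")
```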


Unwanted Programs Policy

Open the VirusScan Console and right click on the Unwanted Programs Policy item, select Properties from the sub menu.


Unwanted Programs Policy – Detection

In the Unwanted Programs Policies Properties dialog box select the Detection tab.

Select the categories of detections that are in the DATs:
• Spyware – tick
• Adware – tick
• Remote Administration Tools – tick
• Dialers – tick
• Password Crackers – tick
• Jokes – tick
• Other Potentially Unwanted Programs – tick

Click Apply after making configuration changes.


• McAfee Enterprise AV configuration is now completed

Finished


Enterprise Policy Orchestrator (ePO)

Module 9 Demonstration


Demonstration Overview

• Section One – ePO Server and Console Installation

• Section Two – ePO Configuration


Section One

ePO Server and Console Installation


ePO Server and Console Install

• Download the following files and extract them in separate temporary folders:
– Installation files for ePO 3.6 server, console and database: epo361LMN.zip
– ePO Patch file: ePO361P3N.zip

• You must log on to the server with an account that has domain admin rights for a successful install.

Record the two temporary folders for future reference.


Start server installation

• Run setup.exe from the directory

• During the initial stage a number of warnings will appear regarding additional files in the package – these can safely be accepted.

Locate the setup.exe file in the temp folder where EPO350NML.ZIP was extracted.


Start server installation

• Setup Screen Appears – click “Next”


License Agreement

• Choose All Other Countries and Perpetual on the license agreement page.

• Select I accept the terms in the license agreement and click “OK”.


Installation Options

• Select Install Server and Console and click “Next”.

If you see a message box stating that your server does not have a static IP address, stop the installation. Restart the installation after defining a static IP address.


Set Server Password

• Select Install Server and Console and click “Next”.

Enter the password you would like to use for the ePO server. You cannot leave this blank.


Server Service Account

• Deselect Use Local System Account

• Enter the Account Information.

In the Account Information area, enter a domain or select your domain, user name and password to be used by the ePO server service.

Note: If the account you specified is not an administrator account, you will see a warning that you cannot use ePO to deploy agents. If you want the ePO server service to have rights to deploy agents, click OK, then Back, and type a user account and password with appropriate administrator rights.


Select Database Server

• Select Install a server on this computer and use it, then click “Next”.

Selecting the Install a server on this computer and use it option installs the free MSDE database included with ePolicy Orchestrator.


Database Server Account

• Deselect Use the same account as the Server service, then select This is SQL Server account

• Click “Next”

On the Database Server Account dialog box, deselect Use the same account as the Server service, then select This is SQL Server account. Type in and verify a secure password. This is the SA account that your ePO server service uses to access the MSDE database. Please note down this password as it could be valuable for maintenance reasons.

Click Next to save the database account information.


HTTP Configuration

• Change the HTTP ports to those defined in the document epo361_ports.pdf available on the NCIRC site.

• Click “Next”.

Change the HTTP port for Agent communication to 8090 and the HTTP port for Console communication to 8091. Change all the ports, starting from 8090 through to 8096, as shown in the screen capture above.

Click Next to save the port information.
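The port plan above only works if nothing on the server already listens on 8090 to 8096, and the installer does not tell you clearly when that is the case. The following pre-flight check is an added example, not part of the course material or of the ePO installer: it attempts to bind each planned port and lists any that are already taken. Only the two roles the slide names (8090 agent, 8091 console) are labelled; the remaining ports are marked as coming from epo361_ports.pdf, which is not reproduced here.

```python
"""Pre-flight check for the ePO 3.6 HTTP port plan used in the exercise.

Added example, not part of the course material. Run it on the future ePO
server before setup.exe: a port that another service already holds would
otherwise surface only as a failed or silently misconfigured installation.
"""
import socket
from typing import Dict

# 8090 and 8091 are named on the slide; the roles of 8092-8096 follow the
# NCIRC document epo361_ports.pdf and are left as placeholders here.
EPO_PORT_PLAN: Dict[int, str] = {
    8090: "ePO agent-to-server HTTP",
    8091: "ePO console-to-server HTTP",
    **{p: "ePO (role per epo361_ports.pdf)" for p in range(8092, 8097)},
}


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a TCP listener can be bound to host:port.

    SO_REUSEADDR is deliberately not set: on Windows it would let the bind
    succeed even though another process is already listening on the port,
    which is exactly the conflict this check is meant to expose.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def find_conflicts(plan: Dict[int, str] = EPO_PORT_PLAN,
                   host: str = "0.0.0.0") -> Dict[int, str]:
    """Return the subset of the plan whose ports are already in use."""
    return {p: role for p, role in plan.items() if not port_is_free(p, host)}


def main() -> int:
    conflicts = find_conflicts()
    if not conflicts:
        print("ports 8090-8096 are free; safe to run the ePO setup")
        return 0
    for port, role in sorted(conflicts.items()):
        print(f"port {port} ({role}) is already in use; free it before installing")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```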


Set E-mail Address

• In an operational setting this address would be [email protected]

Type the e-mail address to which the default notification rules send messages once they are enabled. This address is: [email protected]. The e-mail address is used by the ePO Notifications feature.


Installation Completion

• Click “Install” to begin the installation on the Ready to Install dialog box

• During installation some “Digital Signature not found” messages will come up. Answer Yes to all of these.

• Click “OK” when prompted to reboot. Log back in with the same account used at the beginning of the installation to allow the installation to continue.

On the Ready to Install dialog box, click Install to begin the installation.

The installation takes approximately 25 minutes to complete and may prompt you to reboot the computer during the installation. During the installation some “Digital Signature not found” messages will come up. Answer Yes to all of these.

Click OK when prompted to reboot and be sure to log back in with the same account when the computer reboots to allow the installation to continue.

When installation is finished, click Finish. Reboot if requested.


Section Two

ePO Server Configuration


Configuration Highlights

• Master Repository Setup
• Populating the ePO Server with Servers and Computers
• Importing of VirusScan and ePO Agent policies
• Deploying the ePO Agent

Refer to Exercise 1 for details of the configuration requirements.


Pointsec Protector Module 10


Overview

• Section One – Demonstration of Protector installation

• Section Two – Implementation of the Approved Profiles with Demonstration

• Section Three – Procedure for changing templates


Section One

Demonstration of Protector installation


Exercise architecture

• Windows XP Workstation 1 (CLIENT1)
• Windows 2003 Domain Controller (W2003DC1)
• Windows 2003 Member Server 1 (W2003MS1)
• Windows XP Workstation 2 (CLIENT2)

Ensure that all four VMware guest operating systems are on the “Baseline Security Settings” Template.


Protector Server Install

• Protector stores profiles and logs in a SQL database

• Two installation options:
– Existing Microsoft SQL 2000 (or later)
– Microsoft SQL Desktop Engine (MSDE)

• MSDE is a lightweight version of MS SQL

• This exercise is based on a full SQL install

The full version of Microsoft SQL requires a valid licence and must be installed and configured before installation of the Protector server.

MSDE is a stripped down version of SQL 2000 that vendors bundle with products to avoid customers having to pay for the additional SQL licence. MSDE is selected automatically during a standard install if no existing SQL server is found on the system.


Start server installation

• Run setup.exe from the server distribution directory

• The Splash Screen appears

Note that the normal installation procedure begins by inserting the Pointsec Protector Installation CD-ROM into the CD drive. The CD should autorun; if not, double click on the AutoRun.exe located in the root of the CD. This will display a menu screen. Select the ‘Software’ menu and then ‘Install Reflex Pointsec Protector Enterprise Server for Windows NT/2000/2003/XP’ from the list of options. The setup program will launch and this splash screen will display. From this point the installation procedures are identical.


To continue, click Next


Accept the agreement

Like all other software that we use on a daily basis you must accept the license agreement before you may continue with the installation. Clicking on I do not accept the agreement and pressing next will cancel the installation.

Selecting the “I accept the agreement” radio button and then clicking on Next will take you to the Setup Type dialog box.


Licence Information

• Enter Licence details on the Information Screen

The Registration screen requires a User Name, Company Name and Serial Number. The Serial number is generated using the Company Name so it is vital that when entering the Company Name it is entered exactly as it is written in the licence file.

Note that all 0’s are the number zero. A serial number will never be released from Pointsec that contains the letter O.

It is also possible to load the licence directly from a text file delivered by Pointsec.

Pressing “Next” will take you to the “Setup Type” dialogue box.


Setup Type

• Select a Custom Install


The three possible types of installation are detailed on this screen.

“Complete” installs all modules.

“Custom” allows the selection of specific Protector components.

The option to install a “Server Administration Console” allows a management console to be installed on a system other than the one running the Pointsec Protector server.

Selecting Complete and pressing Next displays the Select program Folder dialog box.


Select Features

• Deselect Microsoft SQL Database Engine

If the installer does not detect an existing SQL Server installation on the local machine it automatically selects the MSDE installation unless prevented from doing so.


Type in the SQL Server

• The Protector Service Account must be a member of “Database Creators” on this server

SQL Server entered in the demonstration: DATABASE1

Click Next to carry on.


Select Program Folder

• Accept the default and press Next

This dialog allows you to change the location where the software installs its shortcuts.

Pressing Next displays the SMTP Setup dialog box.


TCP Port and SMTP Setup

• Accept the default TCP port number

• Configure appropriate SMTP settings

Values shown on the demonstration screen: smtp.school.nato.int, *************, [email protected], validuser1

The SMTP Setup screen allows us to set the information that will allow DiskNet to automatically send email alerts.

Reflex Disknet Pro Server Port Number – this is the TCP/IP port number that the server will use to communicate with the client.

SMTP Server – if you wish to use the email alert feature of Reflex Disknet Pro you need to enter the name of the SMTP server and provide a logon name and password for an account to access this SMTP server (if required).

Pressing Next will take you to the Select Service Account dialog box.


Select the Service Account

This is the account that the Protector will run as; protector_service should be selected from the users on the local machine (not from the “School” domain).

Note that the protector_service account was created prior to the install and added to both the Local Administrators and LG_ServiceLogonRight groups. The LG_ServiceLogonRight group is added to the domain wide “Logon as a Service” group by the application of the NATO security settings. Note that the installation of the Protector client also adds this protector_service account to the domain wide “Logon as a Service” group, but the subsequent re-application of the security settings later removes it again. The use of local groups in this way allows Administrators to assign local rights without the need for domain wide administrative privileges.


Summary Screen

• Last chance to go back and make changes

This dialog displays a summary of the installation options you have selected. Check this information is correct and click ‘Next’ to continue. The installation will now copy all files required to complete the installation and display the Finish dialog when complete.


Installing Microsoft SQL Desktop Engine

The Disknet Pro Server uses a Microsoft SQL database to store the profile and user information and installs the Microsoft SQL Database Engine during setup. During this automatic install these two windows will pop up:


Installation Wizard Complete

• Pointsec Protector server is installed

Click the Finish button to complete the installation


Protector Client Install

• Four main options for the client install

1. Pointsec Deployment Server

2. Active Directory Group Policy

3. Add to Disk Image (Windows Baseline)

4. Manual Install

• Instruction for options 1 to 3 can be found on the WAC Portal on the NCIRC NS site


NCIRC WAC Web Portal

http://nww.ncirc.nato.int/

WAC SecOps

Instructions for using the deployment server, Active Directory Group Policy, creating a Windows Image (Baseline) or manually installing the client are provided on the NCIRC WAC Portal on the NATO Secret WAN.

Note that manual installation, the deployment server and disk image installs can be used interchangeably. For group policy, however, if the client is installed using group policy it must be upgraded or removed using group policy.


Splash Screen

• Double click on the client install “setup.exe”

Wait until the Welcome Screen appears


Welcome Screen

• Click on “Next” to proceed

Wait until the Welcome Screen appears


Accept Licence Agreement

Click Next to accept licence agreement


Setup Type

• Select “Complete” and click “Next”

Leave set to Complete and press Next to continue


Server Name and Port

• Use “Browse” then “Add” to select the server

Select the name of the Protector server (or alternatively type in its IP address, 10.10.10.11). Leave the port at the default (9738) and press Next to continue.


Start Copying Files

• Click on “Next” to proceed

Press Next to continue


Setup Status

Wait until installation is complete


Install Wizard Complete

• Click on “Finish” to restart the workstation

Press Finish to reboot and complete the Installation


Section Two

Implementation of the Approved DNP Profiles with Demonstration


Introduction to Profiles

This window shows the current standard set of NATO profiles. Only a brief description is given here, as more detail is given on the important profiles later in the presentation.

Admin – Allows an administrator to optionally disable each of the Protector protection modules and thus bypass the protection mechanisms.

Authorise – Allows a user to authorise media using the Removable Media Manager

Baseline – This is the profile used for all non privileged users. It basically takes the default profile and adds CD/DVD ROM read access and turns on auditing for most unauthorised device access events.

CDRW – Adds the CD/DVD ROM Write privilege

Default – The default profile is the basis on which all other profiles are built, and it is also the profile of any user not explicitly added to any particular group.

Encrypt Profile – Allows a user to create encrypted USB mass storage devices

Fixed Disk – Allows access to External Hard Drives

Floppy – Allows READ/WRITE Access to floppy disk drives

STI Device – Allows access to still image devices such as digital cameras and scanners

USB – Allows user access to encrypted USB mass storage devices


NITC Standard Groups

Each of the profiles is linked to a group with a similar sounding name. A user is simply added to the appropriate group in order to acquire the corresponding rights. The profiles are designed so that they can be nested, i.e. a user added to both the “CDRW Access” and the “Floppy Device access” groups will get both rights.

The synchronisation order determines how to handle the situation when different groups define different settings, the lower the number the higher the priority.


Adding a user to a group

To add a user to a group simply ‘right click’ on the appropriate group and select ‘Add users to group’ from the menu. Type the name of the user in the ‘Enter object names to select’ field and press ‘Check Names’. If the correct user is displayed in the window press ‘OK’ to apply.


The Default Profile

The Default profile is used here as an introduction to the three most important modules in the Protector security architecture.

Device Manager provides the ability to control the many different types of devices that can be used on a client workstation. Device Manager can be considered the first line of protection, managing the use of these devices and/or ports. DM can also be used to apply audit rules, allow write access (where appropriate) and enforce encryption. It can also control whether or not files can be run directly from external media. This Default Profile allows only CD-ROM Read Only access and enables locally connected printers.

Removable Media Manager (RMM) takes the control and management of removable media devices a step further. By using RMM you will be able to authorise individual media such as floppy disks, USB removable disks etc. for use on the Protector enabled workstations on your network. Once removable media has been authorised it can be used anywhere within the Protector network environment. The current setting does not allow removable media authorisation.

Authorisation is performed at the client workstation. This part of the authorisation process can be made to enforce a virus scan of the media to ensure the contents are virus free before allowing it onto the network. There is also an additional check that can be performed to reject any media that contains executable and other unwanted or active code file types (EXE’s, DLL’s, MP3’s etc).

The Encryption tab controls all aspects of encrypting removable media, the Default Profile disables all access to encrypted media.


CDRW Access Group

The CD (and DVD) Access group is used here to show the relationship between a group and a profile. The group properties window on the left indicates that two profile templates are applied; the Default and the CDRW Profile.

The CDRW Access Group only defines settings for the Device Manager. A view of the Device Manager properties for this profile shows that Access has been granted to DVD/CD-ROM drives. Note that since the R/O (Read Only) box is not selected for DVD/CD-ROM devices, Read/Write access is granted.

This slide also gives an introduction to the concept of the define column, which indicates whether or not a particular access right is defined in this profile. A closed blue padlock indicates that the property is inherited from a previously applied profile, in this case the Default. An open green padlock indicates that the particular right is defined in this profile.


Authorise Profile

The ‘Authorise Profile’ defines settings only for the Removable Media Manager (RMM). A member of the ‘Authorise users’ group is allowed to authorise removable media for use within the Protector enabled network. Authorisation involves two automated scans of the files on the removable media. The first uses a standard third party virus checker, in this case McAfee, to check for malicious code. The second, Reflex Datascan, compares the file types to a user defined list of prohibited file types. Members of this group have the option to select which scanners to use (if more than one virus checker is installed); they also have the right to delete any rejected files during the authorisation procedure, thus allowing authorisation to complete successfully.

Authorisation in this context involves creating a digital signature made up of information about the files on the media and a “Media Key” that is unique to this particular installation. Each time the media is removed the signature is re-calculated and written back to the device. When the device is next plugged into a Protector protected system the signature is calculated again and compared with the stored value; if they are equal the device can be accessed. If they differ, one or more files on the device have changed and the device must be re-authorised as described earlier.
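As an added illustration, not part of the course material or of the Reflex/Pointsec product, the authorisation described in these two paragraphs modelled in Python: the Datascan file-type check, deletion of rejected files by an ‘Authorise users’ member, a keyed signature over the media contents written at removal, and the comparison made on insertion. The prohibited list, the file names, the in-memory Media model and the use of HMAC-SHA256 as the signature are assumptions; the virus scan step is omitted.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Datascan list of prohibited file types; the course only
# says the real list lives in CheckDat.xml, whose format is not reproduced here.
PROHIBITED_TYPES = {".exe", ".dll", ".mp3"}


@dataclass
class Media:
    """A removable device: relative file name -> content, plus the stored signature."""
    files: Dict[str, bytes] = field(default_factory=dict)
    signature: Optional[bytes] = None


def datascan(media: Media) -> List[str]:
    """Second authorisation scan: the files whose type is on the prohibited list."""
    return sorted(n for n in media.files
                  if os.path.splitext(n)[1].lower() in PROHIBITED_TYPES)


def media_digest(media: Media) -> bytes:
    """Digest of every file's name, size and content in a fixed, length-prefixed order."""
    h = hashlib.sha256()
    for name in sorted(media.files):
        data = media.files[name]
        h.update(len(name).to_bytes(4, "big") + name.encode())
        h.update(len(data).to_bytes(8, "big") + data)
    return h.digest()


def sign(media: Media, media_key: bytes) -> None:
    """Write the keyed signature onto the device, as happens each time it is removed."""
    media.signature = hmac.new(media_key, media_digest(media), hashlib.sha256).digest()


def authorise(media: Media, media_key: bytes, delete_rejected: bool = False) -> bool:
    """Datascan check (virus scan left out), optional deletion of rejected files, then
    signing with this installation's Media Key. Returns False if rejected files remain."""
    rejected = datascan(media)
    if rejected and not delete_rejected:
        return False
    for name in rejected:
        del media.files[name]
    sign(media, media_key)
    return True


def check_on_insert(media: Media, media_key: bytes) -> bool:
    """Recompute the signature and compare it with the stored value: any changed file,
    or a signature made under another installation's key, is rejected."""
    if media.signature is None:
        return False
    expected = hmac.new(media_key, media_digest(media), hashlib.sha256).digest()
    return hmac.compare_digest(media.signature, expected)


def demo() -> Dict[str, bool]:
    """Run the situations described in the course and report each outcome."""
    key = secrets.token_bytes(32)          # this installation's Media Key (constructed)
    stick = Media({"report.doc": b"quarterly figures", "tool.exe": b"MZ..."})
    out = {"rejected_without_delete": not authorise(stick, key)}
    out["authorised_after_delete"] = authorise(stick, key, delete_rejected=True)
    out["exe_removed"] = "tool.exe" not in stick.files
    out["accepted_on_insert"] = check_on_insert(stick, key)
    stick.files["report.doc"] = b"quarterly figures, edited off-network"
    out["rejected_after_change"] = not check_on_insert(stick, key)
    sign(stick, secrets.token_bytes(32))   # re-signed under some other site's key
    out["rejected_foreign_key"] = not check_on_insert(stick, key)
    return out
```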


Encrypt Profile

The “Encrypt profile” defines settings for the Encryption tab and applies to members of the “Encrypt Users” group. The ‘Encrypt’ check box has to be selected on the Removable Media Devices tab.

The most important setting here is that a member of this group can create an encrypted Removable Media Device for other users. Members of this group would normally be an Infosec Officer or worker in The Registry depending on the local policy for issuing authorised USB mass storage devices.


USB Profile

The USB Profile should only be used temporarily to access USB tokens that have originated outside of the Protector protected environment.

The devices are mounted in Read Only mode so that they can only be used to import data into the protected environment.


Combining Profiles (1)

Testuser1 has been made a member of two groups, which in turn has led to the application of two profiles in addition to the Default. This combination of group memberships enhances the Baseline with Read/Write access to floppy drives.

The Resulting Profile window on the right is the result of pressing the View/Edit button.


Combining Profiles (2)

This is the same view as the previous slide but testuser1 has also been added to the CDRW Group. Pressing View/Edit now shows that the Device Manager settings have been extended to include write access to CD/DVD ROMs (i.e. the R/O check mark has been removed).
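An added Python model, not from the course or the product, of how group membership, profile nesting and synchronisation order produce the Resulting Profile: it covers the nesting rule from the NITC Standard Groups slide, the define column padlocks from the CDRW Access Group slide, and the two Combining Profiles slides above. The sync-order numbers, the group names and the reduced set of settings are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Setting = Tuple[str, str]   # (device class, property), e.g. ("cdrom", "read_only")


@dataclass
class Profile:
    name: str
    sync_order: int                 # lower number = higher priority where profiles disagree
    settings: Dict[Setting, bool]   # only the rights this profile explicitly defines


@dataclass
class Resolved:
    value: bool
    defined_by: str                 # the profile that supplied the effective value


# Constructed approximation of the standard profiles described in the course; the real
# templates carry many more settings and their sync-order numbers are assumed here.
DEFAULT = Profile("Default", 100, {
    ("cdrom", "access"): True, ("cdrom", "read_only"): True,     # CD-ROM read only
    ("floppy", "access"): False, ("floppy", "read_only"): True,
    ("usb", "access"): False, ("printer", "access"): True,       # local printers enabled
    ("audit", "unauthorised_device"): False,
})
BASELINE = Profile("Baseline", 50, {("cdrom", "access"): True,
                                    ("audit", "unauthorised_device"): True})
CDRW = Profile("CDRW", 20, {("cdrom", "access"): True, ("cdrom", "read_only"): False})
FLOPPY = Profile("Floppy", 30, {("floppy", "access"): True, ("floppy", "read_only"): False})

# Each profile is linked to a group with a similar name (group names assumed).
GROUP_PROFILES = {"Baseline Users": BASELINE, "CDRW Access": CDRW,
                  "Floppy Device Access": FLOPPY}


def resolve(groups: List[str]) -> Dict[Setting, Resolved]:
    """Resulting Profile for a user: Default is always applied, each group adds its
    profile, and where two profiles define the same right the lower sync order wins."""
    applied = [DEFAULT] + [GROUP_PROFILES[g] for g in groups]
    result: Dict[Setting, Resolved] = {}
    # Apply from lowest priority (highest number) upwards so higher priority overwrites.
    for prof in sorted(applied, key=lambda p: p.sync_order, reverse=True):
        for key, value in prof.settings.items():
            result[key] = Resolved(value, prof.name)
    return result


def define_column(profile: Profile, groups: List[str]) -> Dict[Setting, str]:
    """The padlock view when editing one applied profile: 'defined' (open green padlock)
    for rights this profile sets itself, 'inherited' (closed blue padlock) for the rest."""
    return {key: "defined" if key in profile.settings else "inherited"
            for key in resolve(groups)}


def can_write(groups: List[str], device: str) -> bool:
    """Write access needs the device granted and the R/O check mark removed."""
    r = resolve(groups)
    return r[(device, "access")].value and not r[(device, "read_only")].value
```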


Program Security Guard

The above settings for user testuser1 for Program Security Guard (PSG) are defined in the Default profile, they therefore apply to all other profiles.

PSG is used to block the introduction or modification of any file type specified in the box on the right. This can be any executable file (EXE, DLL, SYS etc.), media and audio files (AVI, MP3, WMA etc.), or can be customised to include any other file type that you would like to control. All file types protected by PSG will be blocked from being introduced to the system from any location, i.e. not just removable media devices. Note that these settings will also apply to files downloaded by a web browser from the Internet.

Note that this list is different from the list of unsafe file types used by the Data Scan process during the USB media authorisation procedure. The DataScan list can be found in an XML file, CheckDat.xml, located with the Protector client executable files.

The picture in the bottom right shows what happens on the client workstation when PSG is triggered. A dialog appears telling the user that an ‘unauthorised file operation’ has occurred. The dialog shows the user which process caused the alert and which file the process tried to operate on. In the above example ‘VMWareUser.exe.exe’ was the blocked process attempting to copy the file ‘setup.cmd’.


User Interface Properties

The User Interface, or what the user of the client workstation sees, can also be controlled by the use of profiles. Users can also be given the right to disable individual modules if required. In the standard NCIRC profiles these rights are only available in the Administrators profile.


Audit Properties

Protector has extensive auditing capabilities which are controlled by the use of profiles. The standard NCIRC audit profile has been defined in the Default profile, which in turn is inherited by all other profiles. Each standard event can be either ignored or logged. Logging is further divided into immediate or register: registered events are transferred to the database at pre-programmed regular intervals, whereas immediate events are transferred, as the name implies, immediately.


Log Archive

• Audit policy generates lots of events

• Ensure periodic archiving of logs

The WAC Portal contains a document that describes how to clear the log if the database file gets too large for the normal log archival mechanism to function correctly. The title of the document is


Log Archive (2)


Computer Groups

A Computer Group is created in much the same way as a User Group; profiles can then be linked to computer groups in the same way as to user groups. Workstation policies are of minimal use in a classified environment where the security policy requires individual accountability. As a result the NCIRC default templates do not currently define any workstation groups.

In order to assign a computer to a Group, a simple Drag & Drop method is used. Computer Groups allow any user to log into a computer and use the facilities that have been made available to the user in the Computer Profile. If the computer profile states that the machine can access and write to a CD then regardless of who logs in, the user will have access to record their own media.


Section Three

Procedure for changing Protector templates


Steps in making a change

• A change request is made to the local Compusec officer

• The Compusec officer forwards the request to NITC

• NITC assesses the change and determines if the change will impact everyone or only the local headquarters

How do we make a change to Protector? It’s a long process, but a simple one. The people who make the decisions are Compusec/Infosec officers for the headquarters in question and NITC. The Compusec officer is involved in the chain because it is up to the Compusec officer to allow or deny the end user’s request. They are the people who say “Yes you can have access to your USB ports” or “No, you can’t”.

However, the Compusec/Infosec person is not the only person in the chain. NITC are the controllers of the template/profile. They will determine if changes to the profile need to be made NATO wide or if the change can be made locally. It is vital that they be kept up to date on any changes that users wish to have made to the system.


Steps in making a change (continued)

• Authorisation for the change will occur via email to the system administration team

• The change will be input into the system

• The profile that has changed will be resent to all of the machines in the network

If the change is local to the headquarters an email will be sent to the system administration team authorising them to change the profile locally. This email will need to be printed off and stored with their change management documentation for later audit purposes.

If it is a change that would be best to implement NATO wide a change will be made to the templates/profiles that are on the NCIRC website (http://nww.ncirc.nato.int). The script file can then be downloaded and run on the Protector server.

The templates/profiles will then have to be resent to the workstations (either by the users logging off and logging on or via the automatic method through the administrative console).


Step by step through a simple request

Scenario

• The site has decided to upgrade its infrastructure to allow for desktop VTC to all of the users on the network

This is a simple scenario because “everyone” will be impacted by the change that is coming in. Upgrading to a desktop VTC capacity puts a web cam on everyone’s desk. If everyone is supposed to be able to use the camera then a change to the “baseline” profile is needed.


Step one – Compusec

• Compusec will receive a request to alter the user’s rights and privileges with respect to the webcam.

• Compusec will approve or deny the request.

• Compusec will forward that request to NITC, once it is approved, to have them determine what should be done.

In this case, as part of the upgrade procedure that the Compusec officer has already agreed to, he/she will need to send a request to NITC outlining the approved change that is being made to the network in the office.


Step two - NITC

• Once NITC receives the request they will assess the change by testing in their testbed to ensure that the change can be done without giving the end user too many rights.

• Once the change has been tested NITC will then assess whether the change should be made to NATO as a whole, or only to the individual headquarters.

NITC is responsible for the testing and approval of all software and software updates/patches. Their website contains things like the approved software listing, antivirus signature files and patch notices. With respect to DiskNet they have documentation, scripts and software updates listed on the website.


Step two – NITC (cont’d)

• If it is determined that the change would benefit all of NATO then NITC will alter their script and republish it on the website.

• If it is determined that the change would only benefit the individual headquarters then NITC will send an email authorizing the alteration of the profile.

Once the change has been approved and tested NITC will send an email back to the requestor. This note will either authorise the site to make the change or will state that the change has been approved and the site needs to download the script file again and run it on their DiskNet server.


Step three – System Administration

• Once the approval notice has been received back at the site the change will need to be made inside the Administrative Console.

• The System Administrator will download the script file from the NITC website (http://nww.ncirc.nato.int) and run the executable file on the server.

The script file is located by going to the website, http://nww.ncirc.nato.int on an NS machine. Found within the left hand bar on the site is a section labelled software and within that box is a link to Workstation Access Control. Click on that link and the Workstation Access Control documents, policies, profiles and settings will appear in the main window.


Step three – System Administration (cont’d)

• In the case of a change that is only to be made at the local site, the person in charge of the profiles will need to open the console and make the approved change, and file the approval email from NITC.

The person in charge of the profiles may be the Compusec officer or a System Administrator. This is a policy decision made by the individual headquarters in conjunction with their NCSA representatives.
