COMPUSEC COURSE No 279
Demonstrations
NCSA NATO CIS Services Agency
To remain at NCISS. Please do not take away.
NATO UNCLASSIFIED
Table of Contents
Module 07 TrendMicro ScanMail Install Demo v1 - page 1
Module 07 TrendMicro ScanMail Config Demo v1 - page 19
Module 08 McAfee AV Install and Update Demo v1 - page 37
Module 08 McAfee AV Config V8.0 Demo v1 - page 56
Module 09 ePO 3_6 Demo v1 - page 88
Module 10 WAC Demo v1 - page 105
Trend Micro Scan Mail Module 7
Installation
Overview
• This demonstration describes, step by step, all actions required to install Trend Micro ScanMail for Microsoft Exchange Server.
NATO UNCLASSIFIED Page 1
Requirements for ScanMail 8.0
• Operating system and service packs: Microsoft Windows Server 2003 with Service Pack 1 (32-bit); Microsoft Windows Server 2003 R2 (32-bit); Microsoft Windows Server 2003 with Service Pack 2 (32-bit)
• Microsoft Exchange Server 2003: Microsoft Exchange Server 2003 with Service Pack 2 or above
• Applications: the latest approved version of the Java Runtime Environment (Jre-1_5_0_10 or above)
Preparations
The following installation files are to be downloaded from the NCIRC web site (you can also request the product CD issued by NITC NCIRC TC):
• “SMEXV8.0-b1.zip” - contains the installation files for ScanMail V8.0.
• “smex_80_win_en_patch2.exe” - contains the installation files for ScanMail V8.0 Patch 2.
It is recommended to download and unzip the files into a separate temporary folder on the server before commencing the installation.
Step 1: Verify that your system meets the requirements:
• Windows Server 2003 with Service Pack 2 or above
• Exchange Server 2003 with Service Pack 2 or above
• Java Runtime Environment 1_5_0_10 or above
Step 2: Locate the SMEX v8 application on the hard drive and <Double Click> Setup.exe to start the installation.
Step 3: The Welcome to Trend Micro ScanMail Setup screen opens. <Click> [Next] to continue the installation.
Step 4: The License Agreement window opens. To continue the installation, <Click> the “I accept the terms in the license agreement” radio button, then <Click> [Next].
Step 5: The Select an Action screen appears. To perform a fresh installation or an upgrade, <Click> the “Install/Upgrade” option, then <Click> [Next] to continue with the installation.
Step 6: The Server Role Selection screen opens. Specify the server role onto which ScanMail will be installed: <Click> the “Exchange Server 2000/2003” option, and then <Click> [Next] to continue with the installation.
Step 7: The Select Target Server(s) screen appears. The Setup program can install ScanMail on a number of single servers or on multiple servers in a domain. You must be using an account with the appropriate admin privileges to access every target server. <Click> [Browse] to browse the computers that are available on your network.
Step 8: Select the server where you want to install ScanMail. <Double click> on SCHOOL and then <Click> on EXSERVER2003. <Click> [OK] to continue.
Step 9: After the server selection window closes, verify that the server names listed in the Select Target Server(s) window are correct, and if so, <Click> [Next].
Step 10: The Log On screen opens. Log on to the target servers where you want to install ScanMail. You must log on using an account with Domain Administrator privileges unless you have manually created the "SMEX Admin group" and the user account for the Web management console administrator in your domain. Type domain\user_name and the password (e.g. “SCHOOL\Administrator” and “xxxxxxxx” in the VMware environment created for this class) to log on to the target server and install ScanMail. <Click> [Next] to accept the logon credentials for the target servers and continue the installation.
Step 11: Accept the default directory path where ScanMail will be installed on the target server. Also accept the default share name shown, to which the specified user has access rights, or keep the default temporary share directory, C$. The Setup program uses the share directory to copy temporary files during installation; it can be accessed only by the administrator. <Click> [Next] to continue the installation.
Step 12: The Checking Target Server System Requirements window opens. SMEX checks that your Exchange server meets the system requirements; Exchange 2003 SP2 is the minimum. Verify that the correct Exchange virtual server is displayed, then <Click> [Next>].
Step 13: The Web Server Information screen opens. <Click> the radio button to select “Microsoft Internet Information Services 5.0 or 6.0”. Keep the default drop-down selection, “Virtual Web Site”, and the port number 16372.
Step 14: The Connection Settings screen appears. By default, the proxy server is disabled. If a proxy server handles Internet traffic on your network, you must enter the proxy server information on this screen.
Step 15: Activate the product
Enter the Activation Code to get full ScanMail protection. You can contact the COMPUSEC NCIRC Malware Protection Cell at [email protected] for the official Activation Code. You can copy the Activation Code and paste it into the first input field of the Activation Code on this screen; the Setup program parses the entire string and populates the remaining fields. <Click> [Next] to continue the installation.
Step 16: The World Virus Tracking Program screen appears. Read the statement and <Click> “No, I don’t want to participate”. <Click> [Next] to continue the installation.
Step 17: The End User Quarantine Setting screen opens. <Click> “Integrate with Outlook Junk E-mail” to send all spam messages detected by ScanMail to the Junk E-mail folder in Outlook. <Click> [Next] to continue.
Step 18: The Control Manager Server Settings screen opens. Generally the Trend Micro Control Manager is not used in NATO, so leave the “Register ScanMail agent to Control Manager Server” check box empty. <Click> [Next] to continue.
Step 19: The Web Management Console Configuration screen opens. This screen is used to create the Active Directory domain group and account used to manage SMEX from the Web management console. For a new installation, <Click> “Create a new account”. <Click> [Next] to continue.
Step 20: Create the administrator account for ScanMail
Accept the Trend Micro default user name, or change it to a simple user name. For this class use:
• User name: “SMEXadmin”
• Password: “xxxxxxxx”
Setup creates the "SMEX Admin Group" and your SMEX administrator account in Active Directory; your SMEX administrator account is then added to the SMEX Admin Group. <Click> [Next] to continue the installation.
Step 21: The Review Settings screen opens. Read and verify the configuration settings; if you are happy with the choices, <Click> [Next].
Step 22: The Installation Progress screen opens. This screen shows the installation progress. <Click> [View Details] to display a list of all computers on which ScanMail is being installed and their current status.
Step 23: The Progress Status screen opens. <Click> [OK] to return to the Installation Progress screen.
Step 24: Return to the Installation Progress screen. <Click> [Next] to continue the installation.
Step 25: The Installation Complete screen appears. This screen informs you that the installation was successful. When the installation is completed, <Click> the “View the Readme file” check box to open the readme file when finished. Please read the file, especially the “Known Issues” section. <Click> [Finish] to exit the Setup program.
Step 26: Verify a successful installation
• Check that ScanMail is installed in the following directory: C:\Program Files\Trend Micro\SMEX\
• Check for the following services using Microsoft’s Services component (click Start\All Programs\Administrative Tools\Services):
  ScanMail for Microsoft Exchange Master Service
  ScanMail for Microsoft Exchange Remote Configuration Server
  ScanMail for Microsoft Exchange System Watcher
• Verify that ScanMail added the following keys to the registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ScanMail for Exchange
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Private-<MDB-GUID>\VirusScanEnabled
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Private-<MDB-GUID>\VirusScanBackgroundScanning
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Public-<MDB-GUID>\VirusScanEnabled
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server-Name>\Public-<MDB-GUID>\VirusScanBackgroundScanning
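The checks of Step 26 (and the "services running" check of Step 32 below) can be scripted so they are repeated identically on every server. The following script is an added example written for this course text, not Trend Micro's or NCIRC's code; it assumes PowerShell 3.0 or later, an elevated prompt on the Exchange server itself, and that the MSExchangeIS store key is named after the local computer. The course lists VirusScanEnabled and VirusScanBackgroundScanning as keys, so the script accepts either a subkey or a value of that name.

```powershell
# Added example for the Step 26 / Step 32 verification; not part of ScanMail.
# Assumptions: PowerShell 3.0+, run elevated on the Exchange server itself,
# and the MSExchangeIS server key is named after the local computer.

$installDir = 'C:\Program Files\Trend Micro\SMEX'

# Service display names as listed in Step 26.
$serviceNames = @(
    'ScanMail for Microsoft Exchange Master Service',
    'ScanMail for Microsoft Exchange Remote Configuration Server',
    'ScanMail for Microsoft Exchange System Watcher'
)

# Fixed registry keys from Step 26.
$fixedKeys = @(
    'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
)

# Entries that must exist under each Private-<MDB-GUID> / Public-<MDB-GUID> key.
$storeEntries = @('VirusScanEnabled', 'VirusScanBackgroundScanning')

function New-Result([string]$Check, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok }
}

function Test-SmexInstall {
    $results = @()

    # 1. Installation directory.
    $results += New-Result "Directory $installDir exists" (Test-Path -LiteralPath $installDir)

    # 2. Services installed and running (Step 32 requires Running, not just present).
    foreach ($name in $serviceNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $results += New-Result "Service '$name' installed" ($null -ne $svc)
        $results += New-Result "Service '$name' running" (($null -ne $svc) -and ($svc.Status -eq 'Running'))
    }

    # 3. Fixed registry keys.
    foreach ($key in $fixedKeys) {
        $results += New-Result "Registry key $key" (Test-Path -LiteralPath $key)
    }

    # 4. Per-database keys: MSExchangeIS\<Server-Name>\Private-<MDB-GUID> and Public-<MDB-GUID>.
    $serverKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$env:COMPUTERNAME"
    if (-not (Test-Path -LiteralPath $serverKey)) {
        $results += New-Result "Exchange store key $serverKey" $false
        return $results
    }
    $stores = @(Get-ChildItem -LiteralPath $serverKey |
        Where-Object { $_.PSChildName -match '^(Private|Public)-' })
    $results += New-Result "At least one Private-/Public-<MDB-GUID> store key found" ($stores.Count -gt 0)

    foreach ($store in $stores) {
        foreach ($entry in $storeEntries) {
            # The course lists these as keys; accept either a subkey or a value of that name.
            $asKey   = Test-Path -LiteralPath (Join-Path $store.PSPath $entry)
            $asValue = $null -ne (Get-ItemProperty -LiteralPath $store.PSPath -Name $entry -ErrorAction SilentlyContinue)
            $results += New-Result "$($store.PSChildName)\$entry" ($asKey -or $asValue)
        }
    }
    return $results
}

$report = Test-SmexInstall
$report | Select-Object Ok, Check | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -eq 0) {
    Write-Host 'All Step 26 / Step 32 checks passed.'
} else {
    Write-Warning "$($failed.Count) check(s) failed; review the table above before applying the patch (Step 27)."
}
```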
Step 27: Install the latest SMEX software update patch. The latest SMEX patch can be found on the NCIRC NS web portal at the following URL: http://www.ncirc.nato.int/software/antimalware.htm. On the website, <Click> the [Mail Server Solutions] tab, then go to the Patches Trend Micro ScanMail v.8.0 section. Patches are normally cumulative; currently the latest patch is SMEX 8.0 Patch 2. Download and unzip the file into a temp folder on all the servers that need to be patched.
Step 28: A ScanMail for Microsoft Exchange 8.0 Patch 1 window opens. This window shows the Trend Micro License Agreement. <Click> the “I accept the terms of the legal agreement” radio button, then <Click> [Next] to continue the installation.
Step 29: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens. You can scroll down within this install screen to read the installation notes. <Click> [Install] to continue the patch installation.
Step 30: The Trend Micro Install package window opens. Do not close any command window that may appear during the installation. <Click> [Yes] to continue.
Step 31: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens. This window shows the installation progress. NOTE: Please do not close any command prompt during the patch installation.
Step 32: Using the Microsoft Services Manager, verify that the ScanMail services are running.
Trend Micro Scan Mail Module 7
Configuration
Overview
• Demonstration 2 provides the basic steps required to configure Trend Micro ScanMail for Microsoft Exchange Server.
• A Web management console is used to access, configure and control ScanMail. The console allows you to manage multiple MS Exchange servers and remote servers from any computer on the network. The management console is password protected, ensuring that only the ScanMail administrator can modify ScanMail settings.
• A Java-enabled web browser that supports frames, such as Internet Explorer 5.5 with SP3 or above, is required to access and manage the Web management console.
• Make sure the Java virtual machine is installed on your computer before you start the ScanMail Web Management Console.
• The settings as ticked in this demonstration are recommended by NATO NCIRC.
Step 1: View the Web management console:
<Click> [Start > Programs > Trend Micro ScanMail for Microsoft Exchange > ScanMail Management Console] to view the Web management console,
or
use Internet Explorer to access the following site: http://<ScanMail server name>:<port number>/smex, e.g. http://localhost:16382/smex (by default the HTTP port number is 16382).
Step 2: Enter your SMEX User name and Password
Step 3: The ScanMail “Summary” page is displayed once you have logged on successfully.
Step 4: Verify that SMTP scanning is activated.
Both SMTP and VSAPI (mail store) scanning are enabled by default. Scanning in both SMTP and VSAPI modes may result in some files being scanned twice, but with SMTP scanning enabled SMEX is able to perform the “Delete entire message” and “Quarantine entire message” actions. This functionality is more important than the possible small performance gain from disabling SMTP scanning.
If SMTP scanning is disabled the icon is RED; enable SMTP scanning by <Clicking> the icon so that it turns GREEN.
Step 5: <Click> Virus Scan on the sidebar and then <Click> Enable real-time virus scan. Configure the Target tab:
Default scan section: <Click> the “All attachment files” option.
IntelliTrap section: deselect the “Enable IntelliTrap” check box.
Additional Threat Scan section: deselect all check boxes.
Advanced Options section: set the Scan Restriction Criteria as follows:
• Message body size exceeds: 30 MB
• Attachment size exceeds: 30 MB
• Decompressed file count exceeds: 9999
• Size of decompressed file exceeds: 100 MB
• Number of layers of compression exceeds: 5
• Size of decompressed file is “x” times the size of compressed file: 1000
To save all changes, <Click> the Save button.
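The Scan Restriction Criteria above exist to stop the scanner exhausting CPU, memory or disk on a hostile archive (a small ZIP that inflates to gigabytes, or one nested many layers deep). The following script is an added example written for this course text, not Trend Micro's scan engine: it applies the Step 5 limits to one ZIP attachment, counting the bytes actually produced and stopping as soon as a limit is passed rather than trusting the size declared in the archive. It assumes PowerShell 3.0 or later with .NET 4.5 (System.IO.Compression); the function names and the $Limits table are my own.

```powershell
# Added example, not Trend Micro code: checks one archive against the Step 5
# Scan Restriction Criteria. Assumes PowerShell 3.0+ and .NET 4.5 or later.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Step 5 limits (sizes in bytes). "Message body size" does not apply to a file on disk.
$Limits = @{
    AttachmentBytes   = 30MB    # Attachment size exceeds: 30 MB
    DecompressedCount = 9999    # Decompressed file count exceeds: 9999
    DecompressedBytes = 100MB   # Size of decompressed file exceeds: 100 MB
    CompressionLayers = 5       # Number of layers of compression exceeds: 5
    ExpansionRatio    = 1000    # Decompressed size is "x" times the compressed size: 1000
}

# Reads an entry stream and returns the number of bytes actually produced, giving up
# as soon as the limit is passed so a decompression bomb is never fully inflated.
function Measure-EntryBytes([System.IO.Stream]$Stream, [long]$Limit) {
    $buffer = New-Object byte[] 65536
    [long]$total = 0
    while (($read = $Stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
        $total += $read
        if ($total -gt $Limit) { break }
    }
    return $total
}

function Walk-Archive([System.IO.Stream]$Stream, [int]$Layer, [hashtable]$State) {
    if ($Layer -gt $Limits.CompressionLayers) {
        $State.Violations.Add("nesting deeper than $($Limits.CompressionLayers) layers of compression")
        return
    }
    # ZipArchive copies a non-seekable (nested) stream into memory, which is why the
    # loop below only descends into entries whose declared size is within the limit.
    $zip = New-Object System.IO.Compression.ZipArchive -ArgumentList $Stream, ([System.IO.Compression.ZipArchiveMode]::Read)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }          # directory entry
            $State.Files++
            if ($State.Files -gt $Limits.DecompressedCount) {
                $State.Violations.Add("more than $($Limits.DecompressedCount) decompressed files")
                return
            }
            $isNested = $entry.FullName -match '\.zip$'
            if ($isNested -and $entry.Length -le $Limits.DecompressedBytes) {
                $inner = $entry.Open()
                try { Walk-Archive $inner ($Layer + 1) $State } finally { $inner.Dispose() }
                continue
            }
            # Count real bytes rather than trusting the Length declared in the central directory.
            $s = $entry.Open()
            try { $actual = Measure-EntryBytes $s $Limits.DecompressedBytes } finally { $s.Dispose() }
            if ($actual -gt $Limits.DecompressedBytes) {
                $State.Violations.Add("$($entry.FullName): decompressed size exceeds $($Limits.DecompressedBytes) bytes")
            }
            if ($entry.CompressedLength -gt 0 -and ($actual / $entry.CompressedLength) -gt $Limits.ExpansionRatio) {
                $State.Violations.Add("$($entry.FullName): expansion ratio above $($Limits.ExpansionRatio):1")
            }
        }
    } finally { $zip.Dispose() }
}

function Test-ScanRestrictions([string]$Path) {
    $state = @{ Files = 0; Violations = New-Object System.Collections.Generic.List[string] }
    $size = (Get-Item -LiteralPath $Path).Length
    if ($size -gt $Limits.AttachmentBytes) {
        $state.Violations.Add("attachment size $size bytes exceeds $($Limits.AttachmentBytes) bytes")
    }
    $fs = [System.IO.File]::OpenRead($Path)
    try { Walk-Archive $fs 1 $state } finally { $fs.Dispose() }
    # Any violation is a file that would exceed ScanMail's scan restrictions.
    New-Object PSObject -Property @{
        Path       = $Path
        Files      = $state.Files
        Violations = $state.Violations
        Allowed    = ($state.Violations.Count -eq 0)
    }
}

# Usage (constructed path): Test-ScanRestrictions -Path 'C:\temp\attachment.zip' | Format-List
```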
Step 6: Configure the Virus Scan > Action tab.
<Click> the “Customized action for detected threats” radio button. <Click> the check box “Enable action on mass-mailing behaviour” (this overrides all other actions); in the drop-down boxes, <Select> “Quarantine entire message” as the action and “Notify” for the notification.
In the Detected Threats subsection, <Select> “Specify action per detected threat”. For each case <Specify>:
• “Quarantine entire message” as the action
• “Notify” for the notification
For the option “Uncleanable files”, choose “Quarantine entire message” from the drop-down box. <Click> the check box to select the option “Do not clean infected compressed files to improve performance”.
Step 7: Continue the Virus Scan > Action tab configuration: Advanced Options section
In the “Macros” section, <Select> the option “Enable advanced macro scanning”. Then <Select> the “Heuristic Levels” option and, in the drop-down box, set the level to “2 - Default filtering”.
In the “Backup and Quarantine settings” section, view the default settings and ensure they are set as follows:
• Backup Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\backup
• Quarantine Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\quarantine
In the “Replacement Settings” section, review to ensure the default settings are configured as follows:
• Replacement File name: VIRUS_DETECTED_AND_REMOVED.TXT
• Replacement text: ScanMail detected and removed a virus from the original mail entity. You can safely save or delete this replacement attachment.
To save all the changes, <Click> the Save button.
Step 8: Configure the “Virus Scan > Notification” tab
<Expand> the “Notify Administrator” view, <Select> the “To” radio button and add:
• the NCIRC e-mail address, i.e. [email protected] (in the demonstration it is mapped to “Testuser1”)
• all local notification e-mail addresses (use the semicolon sign without spaces to separate e-mail addresses).
In the “Subject” field add meaningful information that identifies your organization and site. An example of a subject field entry is “Virus Scanning Notification from NATO School”. In the “Advanced Notification” section, <Select> “Write to Windows event log”. <Click> the Save icon to save all your changes.
Step 9: Configure Attachment Blocking – Target tab
Enable real-time attachment blocking.
Go to the subsection “Block these attachments”. <Click> to select the option “Specified Attachments”. Then <Click> to select the option “Specified file extensions to block”. The default specified file extensions being blocked are: “ADE; ADP; ASX; BAS; BAT; BIN; CHM; CMD; COM; CPL; CRT; DLL; EML; EXE; HIV; HLP; HTA; INF; INS; ISP; JS; JSE; JTD; MSC; MSI; MSP; MST; OCX; OFT; OVL; PCD; PIF; PL; PLX; SCR; SCT; SH; SHB; SHS; SYS; VB; VBE; VBS; VSS; VST; VXD; WSC; WSF; WSH”. Remember to use a semicolon [;] to separate the file extensions.
Next, <Click> to select the option “Block attachment types or names with zip files”.
To save your changes, <Click> the Save button.
Step 10: Go to the Attachment Blocking > [Action] tab.
Go to the subsection Select an action and <Click> to select Replace attachment with text/file. The default text currently states “ScanMail detected and removed a file that violated policy from the original mail entity. You can safely save or delete this replacement attachment.”. Go to the subsection AND, then <Click> the radio button to select the Notify option. To save your changes, <Click> the Save button.
Step 11: Go to the Attachment Blocking > [Notification] tab
Go to the subsection People to notify. <Click> the check box to select the Notify Administrator option. Expand Notify Administrator to show all the configuration options.
• In the To field, add the local system notification e-mail addresses and the NCIRC-TC ScanMail alerts e-mail address, [email protected]. Use a semicolon [;] to separate the e-mail addresses.
• In the Subject field, include the name of your organization and site in the attachment blocking notification wording; for example: “Attachment Blocking Notification from NATO School”.
Go to the Settings section and <Click> to select the option “Send consolidated notification every”, keeping the default value of 2 hours. Go to the subsection Advanced Notification, then <Click> to select Write to Windows event log. To save changes, <Click> the Save button.
Step 12: <Click> Content Filtering on the side bar, then make sure that the option Enable real-time content filtering is NOT selected. See figure below.
<Click> the Save button.
Step 13: On the left side bar, <Click> Anti-Spam. Ensure that the option Anti-Spam is disabled. See figure below.
<Click> the Save button.
Step 14: Configure Scheduled Scan
<Click> Scheduled Scan on the sidebar and then select the Add tab to add a new scan task.
Step 15: Continue the Scheduled Scan configuration
In the [Scan task name:] field, enter a title for the scan task, for example “Daily Mailbox Scan <classification>” (e.g. “Daily Mailbox Scan NS”).
Go to the subsection Scheduling. <Click> to select the option “Daily”. In the Start Time, choose the quietest local time, for example 03 (hh) 00 (mm) (24 hr), to start the Exchange database scan.
Next, go to the “Database Selection” section. <Click> to select ALL databases on your Exchange server(s).
Next, go to the “Select scan type” section and <Click> to select the options “Virus scan” and “Attachment blocking”.
<Click> the Save button.
Step 16: When saved, make sure the scheduled scan is enabled, as shown in the screenshot below.
Step 17: Configure the updates for the scan engine and virus pattern.
On the sidebar <Click> Updates to expand the Updates side bar drop down menu.
On the sidebar, <Click> the option Scheduled from the previously expanded Updates drop down menu. In this section, <Click> to select Enable scheduled updates.
In Components Update section, from the list of options <Click> appropriate check boxes to select “Virus pattern”, “Additional threat pattern” and “Scan engine”.
In Update Schedule section, Update every: subsection, <Click> the radio button to select the option Hour(s). The option Hour(s) can be set to 4 so that updates are attempted every 4 hours. Adjust the update frequency to match local requirements.
To save changes, <Click> the Save button.
Step 18: Configure the Download Source
On the sidebar, from the previously expanded Updates drop-down menu, <Click> the option Download Source. The classification of your network determines the download source address:
• NU network: <Click> the radio button to select Trend Micro’s ActiveUpdate Server.
• NS network: <Click> the radio button to select Other Update Source and enter the URL http://www.ncirc.nato.int/data/av-updates/activupdate
To save changes, <Click> the Save button.
Step 19: For demonstration purposes, updates are downloaded locally from the EXSERVER2003 server. See the screenshot below for the settings used in the demonstration. The updates were downloaded from the NCIRC website.
Step 20: Test your server’s connectivity with the anti-virus repository by initiating the Manual Update
On the sidebar, from the previously expanded Updates drop-down menu, <Click> the option Manual. Ensure that at least the options “Virus pattern”, “Additional threat pattern” and “Scan Engine” are selected. If any of these options are NOT selected, then <Click> the check box to make the selection.
Step 21: Monitor the manual updates screen to view the progress of the update and make sure it was able to connect to the update location.
Step 22: Verify successful Manual Update.
Step 23: Configure the alerts for System Events
<Click> Alerts > System Events. Ensure that the following options are selected. If not, then <Click> the relevant check boxes to select them:
• ScanMail service process did not start successfully
• ScanMail service is unavailable
• Update - each time the update was: unsuccessful
• Manual/Scheduled scan tasks were: unsuccessful
• The disk space on the local drive (volume) of the backup, quarantine, and archive directory is less than: (set this to) 1 GB
• Specify time interval to send consecutive alerts if the above problem still exists: (set this to) 1 hr(s)
• The size of the database to keep quarantine and logs exceeds: (set this to) 1 GB
• Specify time interval to send consecutive alerts if the above problem still exists: (set this to) 1 hr(s)
To save changes, <Click> the Save button.
Step 24: Configure the Outbreak Alert events
<Click> Alerts > Outbreak Alert. In the section Outbreak Alert > Conditions, <Click> the check boxes to select, and configure, the following options:
• Viruses detected exceed the following number within the shown time: 25 in 24 hr(s)
• Uncleanable viruses exceed the following number within the shown time: 25 in 24 hr(s)
• Blocked attachments exceed the following number within the shown time: 25 in 24 hr(s)
To save changes, <Click> the Save button.
Step 25: Configure Logs
On the sidebar, <Click> Logs to expand the Logs sidebar drop-down menu. <Click> to select Maintenance, then the [Automatic] tab.
• <Click> the check box to select Enable Automatic Maintenance.
• In the subsection Target, <Click> the radio button to select All logs.
• Go to the subsection Action; for the option Delete logs older than, enter the value 90 days.
To save changes, <Click> the Save button.
Step 26: Configure Quarantine
<Click> Quarantine on the sidebar to expand the sidebar menu.
<Click> to select Maintenance, then <Click> the [Automatic] tab. Ensure that the option “Enable automatic maintenance” is selected; if not <Click> the check box to select it.
In the subsection Files to delete, <Click> the radio button to select All quarantined files.
In the Subsection Action, increase the value of the option Delete selected files older than to 90 days.
To save changes <Click> the Save button.
Step 27: Configure Administration > Proxy (If you use a proxy on your network)
If your environment uses a proxy server to access websites, from the Administration sidebar drop-down menu, <Click> to select Proxy.
In the Proxy configuration window, <Click> the check box to select the option “Use a proxy server for update and product license notification”.
In the Settings subsection, fill in the Address field with the HTTP address of the proxy server and the Port field with the port number (e.g. 8080).
In the subsection Proxy Password, fill in the user credentials required for SMEX to use the proxy to access the antivirus update website.
To save changes <Click> the Save button.
Step 28: Configure the Administration Notification settings
From the left Administration sidebar drop-down menu, <Click> to select “Notification Settings”.
In the “Notification Settings” window, configure the following subsections:
• In the “Administrator Notification” subsection, fill in the “Email Address:” field with the e-mail addresses of the administrators and other mandated entities. Enter the e-mail address for NCIRC TC, [email protected], into this field. To add the e-mail addresses, <Click> the [Apply All] button. (NOTE: use a semicolon ‘;’ to separate multiple e-mail addresses.)
• In the subsection “Sender Settings”, fill in the “Sender:” field with the e-mail address of the local system administrator. This e-mail address is the reply-to address on all alerts sent from the system.
To save the changes, <Click> the Save button.
E-mail notifications should be tested. Coordinate the verification with the local administrators, NCIRC TC and the other intended recipients. The NCIRC TC watch keepers can be reached at the addresses below:
• NCN: 254-6666 / 6670
• Civil: +32 (0)65 44-6666 / 6670
• NS/NU e-mail: [email protected]
Step 29: Check your Product License
From the “Administration” sidebar drop-down menu, <Click> to select “Product License”. View the details of your license in the Product License window. If you need a license, please contact the COMPUSEC NCIRC TC to get your up-to-date license.
Step 30: Configure the World Virus Tracking
From the “Administration” sidebar drop-down menu, <Click> to select World Virus Tracking. Make sure the radio button “No, I don’t want to participate” is selected in response to the request to participate in the World Virus Tracking program.
To save changes <Click> the Save button.
Step 31: Verify monitoring with Real-time monitor
The Real-time Monitor application displays details of the SMEX server Scan Engine and Pattern versions, as well as near real-time information for all incoming and outgoing messages. It also shows the current count of detected viruses. <Click> the Real-Time Monitor link on the overhead bar to display monitoring information about your local server, or about a remotely monitored ScanMail server.
Step 32: Sample Real Time Monitor view
Step 33: View the Server Management Console
The ScanMail Server Management console enables you to view all of the ScanMail servers on a network. <Click> the Server Management link on the overhead bar to view the features of all the ScanMail servers on a network.
Step 34: The following features are viewable from the Server management console: Pattern and engine version, Scanning result, Scanning status, Last replication.
• The Server Management console can be used to replicate any or all SMEX configurations from one ScanMail server to other ScanMail servers. Replicating configuration settings to other servers in this way is much faster and easier than configuring each server separately. In addition, it ensures that the SMEX configuration is consistent across all ScanMail servers (or groups of servers) that provide the same kind of protection.
• NOTE: Replicate SMEX settings ONLY with the prior knowledge and approval of all Exchange server system administrators within your domain.
McAfee Enterprise Virus Scan
Installation
McAfee Enterprise Virus Scanner
• Part One – Installation – Version V8.0
Download from NCIRC
Download the latest McAfee NATO installation file from www.ncirc.nato.int. The file is located via the Security & Software tab, under Server and Workstation Solutions.
Unzip and open
Unzip the downloaded file (in this case it is called VSE710LEN) to a folder on the desktop. Open the folder.
Start installation Setup
Start the installation by double clicking on the Setup icon.
Progress bar
A progress bar appears whilst the system is being prepared for installation.
README text
The McAfee Virus Enterprise Setup dialog appears – click on Next to proceed.
License to agree
• Choose “All Other Countries” and “Perpetual” on the license agreement page.
• Select “I accept the terms in the license agreement” and click OK.
A license agreement dialog box appears. In the Country list box select “All Other Countries”. For the expiry type select “Perpetual”. Select the accept radio button option and click OK to proceed.
Select typical install
A Setup Type dialog box appears; select the radio button option for Typical install and click Next.
Finishing preparation
A ready to install dialog box appears, click Install to proceed with installation.
During installation a progress dialog box appears.
Start scan …
Once the installation is complete, a dialog box appears denoting the successful install and provides two options. The first, Update Now, may only be used if the host machine is connected to the Internet; it invokes an automatic check at the McAfee web site for the latest virus definition files. Leave this option unchecked. The second option invokes an immediate scan; select this option to confirm that the software is running correctly. Click Finish to start the scan.
Accept or Update …
Depending on how old the virus definitions are, a warning that the virus definition files are out of date will appear: click OK to confirm the notification and allow the scan to run (an update of the virus definitions will follow). Alternatively, an update can be enforced by clicking on “Update”.
Watch progress
During the scan a progress dialog box will appear.
McAfee Enterprise Virus Scanner
• Part Two – Updating the Signature File.
Download signatures
Download the latest signature file from http://www.mcafee.com/apps/downloads/security_updates/ or obtain from the local network administrator. Activate the update by double clicking on the file (in this case 5087xdat).
Start update
An installation dialog box will appear, click Next to continue.
A progress dialog box appears whilst the system is prepared for update.
Complete update
On completion a dialog box appears confirming correct installation of the update. Click Finish to end; there is no requirement to restart the computer as the update is activated immediately.
McAfee Enterprise V 8.0 Virus Configuration
(as per exercise)
Open McAfee Scan item
From the toolbar in the lower right hand corner, right click on the McAfee Virus Scan icon (a small shield) and select On-Access Scan Properties from the sub menu.
General settings - overview
A properties dialog box will appear, defaulting to the tab marked General. Ensure that the following configuration options are applied:
In the Scan box:
• Boot Sectors – Selected
• Floppy during shutdown – Selected
In the General box:
• Enable on access scanning at system startup – Selected
• Quarantine Folder – Set to \quarantine\
In the Scan time box:
• Maximum archive scan time (seconds) – Set to 60
• Enforce a maximum scanning time for all files – Selected
• Maximum scan time (seconds) – Set to 61
After these settings have been configured click Apply.
General settings - Scriptscan
In the same dialog box under the ScriptScan tab the following configuration items will be applied:
• Enable ScriptScan – Selected
After these settings have been configured click Apply.
General settings - Blocking
In the same dialog box under the Blocking tab the following configuration items will be applied:
• Send a message – Clear
• Block the connection – Selected
• Unblock connections after (minutes) – Set to 10
• Block if an unwanted program is detected – Selected
After these settings have been configured click Apply.
General settings - messages
In the same dialog box under the Messages tab the following configuration items will be applied:
In the Messages box:
• Show the messages dialog when a virus is detected – Selected
• Text to display in message – Set to: Alert!! Call <ADP Co-ordinator> on Helpdesk Ext <local Helpdesk extension number>
• Remove messages from the list – Selected
• Clean infected files – Selected
• Delete files – Selected
• Move infected files to the quarantine folder – Selected
Click Apply after making configuration changes.
General settings - Reports
In the same dialog box under the Reports tab:
In the Log file box:
• Log to file – Selected (retaining the existing default text of %VSEDEFLOGDIR%\OnAccessScanLog.txt)
• Limit size of log file to – Selected and amended to 2 megabytes
• Format – Unicode (UTF8)
In the What to log in addition to virus activity box:
• Session settings – Selected
• Session summary – Selected
• Failure to scan encrypted files – Selected
• User name – Selected
Click Apply after making configuration changes.
All Processes - Processes
In the left hand side of the dialog box click on All Processes. The default tab, Processes, is open. Select the option Use the settings on these tabs for all processes.
Click Apply.
All Processes - Detection
Open the Detection tab.
In the Scan files box:
• When writing to disk – Select
• When reading from disk – Select
• On network drives – Deselect
In the What to scan box:
• All files – Select
• Default + additional file types – Deselect
• Specified file types – Deselect
Click Apply after making configuration changes.
All Processes - Advanced
Open the Advanced tab.
In the Heuristics box:
• Find unknown program viruses – Select
• Find unknown macro viruses – Select
In the Compressed files box:
• Scan inside archives (e.g. ZIP) – Deselect
• Decode MIME encoded files – Deselect
Click Apply after making configuration changes.
All Processes - Actions
Open the Actions tab.
• Under When a virus is found – Select Clean infected files automatically
• Under If the above Action fails – Select Move infected files to a folder
Click Apply after making configuration changes.
All Processes – Unwanted Programs
Open the Unwanted Programs tab.
• Detect unwanted programs – Select
Under When an unwanted program is found:
• Primary Action – Clean files automatically
• Secondary action – Move files to a folder
Click Apply after making configuration changes.
On Delivery E-Mail Scanner
1. Open the VirusScan Console and right click on the On-Delivery E-mail Scanner item, select Properties from the sub menu.
E-Mail Scanner -- Detection
Open the Detection tab.
In the Scanning of e-mail box, in the Attachments to scan box:
• All file types – Select
• Default + additional file types [0] – Deselect
• Specified file types [0] – Deselect
Click Apply after making configuration changes.
E-Mail Scanner -- Advanced
Open the Advanced tab.
In the Heuristics box:
• Find unknown program viruses – Select
• Find unknown macro viruses – Select
• Find attachments with multiple extensions – Select
In the Compressed files box:
• Scan inside archives (e.g. ZIP) – Select
• Decode MIME encoded files – Select
In the E-mail message body box:
• Scan e-mail message body – Select
Click Apply after making configuration changes.
E-Mail Scanner -- Actions
Open the Actions tab.
Under When an infected attachment is found:
• Primary Action – When a virus is found: Clean infected attachments
• Secondary Action – If the first action fails: Move infected attachments to a folder
• Move To Folder – Quarantine
Under Allowed actions in prompt dialog box:
• Clean attachment – Selected
• Delete attachment – Selected
• Move attachment – Selected
Click Apply after making configuration changes.
E-Mail Scanner -- Alerts
Open the Alerts tab. In the E-mail alert box select Send alert to mail user then click Configure.
E-Mail Scanner – Unwanted Programs
Open the Unwanted Programs tab.
• Detect unwanted programs – Selected
Under When an unwanted attachment is found:
• Primary Action – Clean attachments
• Secondary Action – Move attachments to a folder
Click Apply after making configuration changes.
E-Mail Scanner -- Reports
Open the Reports tab.
In the Log file box:
• Log to file – Select (leave at the default file location of %VSEDEFLOGDIR%\EmailOnDeliveryLog.txt)
• Limit size of log file to – Select and set the size to 2 megabytes
• Format – Unicode (UTF8)
In the What to log in addition to virus activity box:
• Session settings – Select
• Session summary – Select
• Failure to scan encrypted files – Select
• User name – Select
Click Apply after making configuration changes.
User Interface Options
In the VirusScan Console open the menu item Tools and select User Interface Options from the sub menu.
User Interface Options -- Display
Open the Display Options tab.
In the System tray icon box:
• Show the system tray icon with all menu options – Deselect
• Show the system tray icon with minimal menu options – Select
• Do not show the system tray icon – Deselect
• Allow this system to make remote console connections to other systems – Select
Click Apply after making configuration changes.
User Interface Options -- Password
Open the Password options tab and make the following configuration changes:
• No password – Select
Click Apply after making configuration changes.
Access Protection
Open the VirusScan Console and right click on the Access protection item, select Properties from the sub menu.
Access Protection – Port Blocking
In the Access Protection Properties dialog box select the Port Blocking tab.
• Report access attempts in the log file and/or by generating Alert Manager and ePO events. Specify …….. – Select
• Minimum time interval between reports (minutes) – Set to 1
Under the Ports to block heading tick the following rules:
• Prevent mass mailing worms from sending mail – tick
• Prevent IRC communication – tick
• Prevent FTP inbound (stops viruses such as Nimda spreading) – tick
Click Apply after making configuration changes.
Access Protection – File/Folder Protection
In the Access Protection Properties dialog box select the File, Share and Folder Protection tab.
• Leave shares with existing access rights – Select
Set the file and folder rules to block as follows:
• Prevent Internet Explorer from launching anything from the temp folder – tick
• Prevent Internet Explorer from launching files from the downloaded program folder (.exe) – tick
• Prevent Outlook from launching anything from the Temp folder – tick
• Prevent Outlook Express from launching anything from the Temp folder – tick
• Prevent packager from launching anything from the Temp folder – tick
• Prevent MSN from launching anything from the Temp folder – tick
• Prevent WinZip32 from launching anything from the Temp folder – tick
• Prevent WinRAR from launching anything from the Temp folder – tick
• Prevent execution of scripts from the Temp folder – tick
• Prevent access to suspicious startup items (.exe) – tick
• Prevent access to suspicious startup items (.scr) – tick
• Prevent access to suspicious startup items (.hta) – tick
• Prevent access to suspicious startup items (.pif) – tick
• Prevent access to suspicious startup items (.com) – tick
• Prevent remote modification of files (.exe) – tick
• Prevent remote modification of files (.scr) – tick
• Prevent remote modification of files (.ocx) – tick
• Prevent remote modification of files (.dll) – tick
• Prevent remote creation/modification/deletion of anything in the windows folders and subfolders – tick
• Prevent remote creation/modification/deletion of files in the windows folders and subfolders (.ini) – tick
• Prevent remote creation/modification/deletion of anything in the system Root – tick
• Prevent remote creation/modification/deletion of files (.pif) – tick
• Prevent remote creation of autorun.inf files – tick
Click Apply after making configuration changes.
Access Protection – Reports
In the Access Protection Properties dialog box select the Reports tab.
• Log to file – Select
• Ensure the log location is set to “%VSEDEFLOGDIR%\AccessProtectionLog.txt”
• Limit size of log file – Select
• Maximum log file size (MB) – Set to 2
• Format – Unicode (UTF8)
Click Apply after making configuration changes.
Buffer Overflow Protection
Open the VirusScan Console and right click on the Buffer Overflow Protection item, select Properties from the sub menu.
Buffer Overflow Protection - Options
In the Buffer Overflow Protection Properties dialog box select the Buffer Overflow Protection tab.
• Enable buffer overflow protection – Select
• Protection mode – Select
• Show the message dialog box when a buffer overflow is detected – Select
Click Apply after making configuration changes.
Buffer Overflow Protection - Reports
In the Buffer Overflow Protection Properties dialog box select the Reports tab.
• Log to file – Select
• Ensure the log location is set to “%VSEDEFLOGDIR%\BufferOverflowProtectionLog.txt”
• Limit size of log file – Select
• Maximum log file size (MB) – Set to 1
• Format – Unicode (UTF8)
Click Apply after making configuration changes.
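The Reports tabs above (on-access scanner, e-mail scanner, Access Protection and Buffer Overflow Protection) all point at plain text logs under %VSEDEFLOGDIR% in Unicode (UTF8) format with a 2 MB cap (1 MB for Buffer Overflow Protection). As an added example, not McAfee code, the Python below shows what a defender would run against those files once they are collected: strict UTF-8 decoding so an encoding problem is noticed, a size check against the configured caps, and a parse-and-triage pass that separates detections the scanner already neutralised from those an operator still has to act on. The tab-separated field order assumed for a log line and the sample log itself are constructed for the illustration, not taken from the page or the product documentation.

```python
"""Added example, not McAfee code: parse and triage VirusScan Enterprise text logs.
The tab-separated field order (date, time, action, user, process, file, detection
name, detection type) is an assumption about the VSE 8.0 log layout, and the
sample log below is constructed for the illustration."""
from collections import Counter
from typing import Dict, List

# Size caps set on the Reports tabs in the procedure (MB).
LOG_SIZE_LIMITS_MB = {
    "OnAccessScanLog.txt": 2,
    "EmailOnDeliveryLog.txt": 2,
    "AccessProtectionLog.txt": 2,
    "BufferOverflowProtectionLog.txt": 1,
}

# Actions whose first word means the file was neutralised; anything else is
# a detection the operator still has to deal with (e.g. access merely denied).
RESOLVED_ACTIONS = {"Cleaned", "Deleted", "Moved"}

FIELDS = ("date", "time", "action", "user", "process", "path", "detection", "type")

# Constructed sample of an OnAccessScanLog.txt as written in Unicode (UTF8)
# format; the leading \ufeff becomes the UTF-8 byte order mark on disk.
SAMPLE_LOG = (
    "\ufeff"
    "12/03/2007\t09:15:02\tCleaned\tSCHOOL\\validuser1\t"
    "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE\t"
    "C:\\Temp\\invoice.doc\tW97M/Constructed.sample\t(Virus)\n"
    "12/03/2007\t09:16:40\tDeleted (Clean failed)\tSCHOOL\\validuser1\t"
    "C:\\WINDOWS\\explorer.exe\tC:\\Temp\\eicar.com\tEICAR test file\t(Test)\n"
    "12/03/2007\t09:20:11\tAccess denied\tNT AUTHORITY\\SYSTEM\t"
    "C:\\WINDOWS\\system32\\svchost.exe\t\\\\W2003MS1\\share\\tool.exe\t"
    "Generic.dropper.sample\t(Trojan)\n"
    "12/03/2007\t09:30:00\tSession summary: 1200 files scanned\n"
)


def load_log(raw: bytes) -> str:
    """Decode a log saved in the Unicode (UTF8) format configured above.
    Strict decoding makes a wrongly encoded or corrupted file fail loudly
    instead of being silently misread; 'utf-8-sig' drops the BOM."""
    return raw.decode("utf-8-sig")


def parse_vse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection line; session lines have fewer fields and are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Count events per action and list those that still need an operator."""
    by_action = Counter(e["action"] for e in events)
    follow_up = [e for e in events if e["action"].split(" ", 1)[0] not in RESOLVED_ACTIONS]
    return {"total": len(events), "by_action": dict(by_action), "follow_up": follow_up}


def log_within_limit(name: str, size_bytes: int) -> bool:
    """True if a log file is within the cap configured for it; unknown names fail closed."""
    limit = LOG_SIZE_LIMITS_MB.get(name)
    return limit is not None and size_bytes <= limit * 1024 * 1024


if __name__ == "__main__":
    result = triage(parse_vse_log(load_log(SAMPLE_LOG.encode("utf-8"))))
    print(result["by_action"])
    for event in result["follow_up"]:
        print("follow up:", event["path"], event["detection"])
```

With the 2 MB cap the scanner overwrites its own history fairly quickly on a busy host, which is why the triage pass belongs in a collector that runs on a schedule rather than in an ad hoc look at the file.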
Unwanted Programs Policy
Open the VirusScan Console and right click on the Unwanted Programs Policy item, select Properties from the sub menu.
Unwanted Programs Policy - Detection
In the Unwanted Programs Policies Properties dialog box select the Detection tab.
Select the categories of detections that are in the DATs:
• Spyware – tick
• Adware – tick
• Remote Administration Tools – tick
• Dialers – tick
• Password Crackers – tick
• Jokes – tick
• Other Potentially Unwanted Programs – tick
Click Apply after making configuration changes.
• McAfee Enterprise AV configuration is now completed
Finished
Enterprise Policy Orchestrator (ePO)
Module 9 Demonstration
Demonstration Overview
• Section One – ePO Server and Console Installation
• Section Two – ePO Configuration
Section One
ePO Server and Console Installation
ePO Server and Console Install
• Download the following files and extract them in separate temporary folders:
– Installation files for ePO 3.6 server, console and database: epo361LMN.zip
– ePO Patch file: ePO361P3N.zip
• Must logon to the server with an account that has domain admin rights for a successful install.
Record the two temporary folders for future reference.
Start server installation
• Run setup.exe from the directory
• During the initial stage a number of warnings will appear regarding additional files in the package – these can safely be accepted.
Locate the setup.exe file in the temp folder where EPO350NML.ZIP was extracted.
Start server installation
• Setup Screen Appears – click “Next”
License Agreement
• Choose All Other Countries and Perpetual on the license agreement page.
• Select I accept the terms in the license agreement and click “OK”.
Installation Options
• Select Install Server and Console and click “Next”.
If you see a message box stating that your server does not have a static IP address, stop the installation. Please restart with the installation after defining a static IP address.
Set Server Password
• Select Install Server and Console and click “Next”.
Enter the password you would like to use for the ePO server. You cannot leave this blank.
Server Service Account
• Deselect Use Local System Account
• Enter the Account Information.
In the Account Information area, enter a domain or select your domain, user name and password to be used by the ePO server service.
Note: If the account you specified is not an administrator account, you will see a warning that you cannot use ePO to deploy agents. If you want the ePO server service to have rights to deploy agents, click OK, then Back, and type a user account and password with appropriate administrator rights.
Select Database Server
• Select Install a server on this computer and use it, then click “Next”.
Selecting the Install a server on this computer and use it option installs the free MSDE database included with ePolicy Orchestrator.
Database Server Account
• Deselect Use the same account as the Server service, then select This is SQL Server account
• Click “Next”
On the Database Server Account dialog box, deselect Use the same account as the Server service, then select This is SQL Server account. Type in and verify a secure password. This is the SA account that your ePO server service uses to access the MSDE database. Please note down this password as it could be valuable for maintenance reasons.
Click Next to save the database account information.
HTTP Configuration
• Change the HTTP ports to those defined in the document epo361_ports.pdf available on the NCIRC site.
• Click “Next”.
Change the HTTP port for Agent communication to 8090 and the HTTP port for Console communication to 8091. Change all the ports in the range from 8090 to 8096 accordingly, as shown in the screen capture above.
Click Next to save the port information.
Set E-mail Address
• In an operational setting this address would be [email protected]
Type the e-mail address to which the default notification rules send messages once they are enabled. This address is: [email protected]. This e-mail address is used by the ePO Notifications feature.
Installation Completion
• Click “Install” to begin the installation on the Ready to Install dialog box
• During installation some “Digital Signature not found” messages will come up. Please answer Yes to all of these.
• Click “OK” when prompted to reboot. Log back in with the same account at the beginning of the installation to allow the installation to continue.
On the Ready to Install dialog box, click Install to begin the installation.
The installation takes approximately 25 minutes to complete and may prompt you to reboot the computer during the installation. During the installation some “Digital Signature not found” messages will come up. Please answer Yes to all of these.
Click OK when prompted to reboot and be sure to log back in with the same account when the computer reboots to allow the installation to continue.
When installation is finished, click Finish. Reboot if requested.
Section Two
ePO Server Configuration
Configuration Highlights
• Master Repository Setup
• Populating the ePO Server with Servers and Computers
• Importing of VirusScan and ePO Agent policies
• Deploying the ePO Agent
Refer to Exercise 1 for details of the configuration requirements.
Pointsec Protector Module 10
Overview
• Section One – Demonstration of Protector installation
• Section Two – Implementation of the Approved Profiles with Demonstration
• Section Three – Procedure for changing templates
Section One
Demonstration of Protector installation
Exercise architecture
• Windows XP Workstation 1 (CLIENT1)
• Windows 2003 Domain Controller (W2003DC1)
• Windows 2003 Member Server 1 (W2003MS1)
• Windows XP Workstation 2 (CLIENT2)
Ensure that all four VMware guest operating systems are on the “Baseline Security Settings” Template.
Protector Server Install
• Protector stores profiles and logs in a SQL database
• Two installation options:
– Existing Microsoft SQL 2000 (or later)
– Microsoft SQL Desktop Engine (MSDE)
• MSDE is a lightweight version of MS SQL
• This exercise is based on a full SQL install
Full version of Microsoft SQL requires a valid licence and must be installed and configured before installation of the Protector server.
MSDE is a stripped down version of SQL 2000 that vendors bundle with products to avoid customers having to pay for the additional SQL licence. MSDE is selected automatically during a standard install if no existing SQL server is found on the system.
Start server installation
• Run setup.exe from the server distribution directory
• The Splash Screen appears
Note that the normal installation procedure begins by inserting the Pointsec Protector Installation CD-ROM into the CD drive. The CD should autorun; if not, double click on the AutoRun.exe located on the root of the CD. This will display a menu screen. Select the ‘Software’ menu and then ‘Install Reflex Pointsec Protector Enterprise Server for Windows NT/2000/2003/XP’ from the list of options. The setup program will launch and this splash screen will display. From this point the installation procedures are identical.
To continue, click Next
Accept the agreement
Like all other software that we use on a daily basis you must accept the license agreement before you may continue with the installation. Clicking on I do not accept the agreement and pressing next will cancel the installation.
Selecting the “I accept the agreement” radio button and then clicking on Next will take you to the Setup Type dialog box.
Licence Information
• Enter Licence details on the Information Screen
The Registration screen requires a User Name, Company Name and Serial Number. The Serial number is generated using the Company Name so it is vital that when entering the Company Name it is entered exactly as it is written in the licence file.
Note that all 0’s are the number zero. A serial number will never be released from Pointsec that contains the letter O.
It is also possible to load the licence directly from a text file delivered from Pointsec.
Pressing “Next” will take you to the “Setup Type” dialogue box.
Setup Type
• Select a Custom Install
(Setup types shown: Complete, Custom)
The three possible types of installation are detailed on this screen.
“Complete” installs all modules.
“Custom” allows the selection of specific Protector components.
The option to install a “Server Administration Console” allows a management console to be installed on a system other than the one running the PointsecProtector server.
Selecting Complete and pressing Next displays the Select program Folder dialog box.
Select Features
• Deselect Microsoft SQL Database Engine
If the installer does not detect an existing SQL Server installation on the local machine it automatically selects the MSDE installation unless prevented from doing so.
Type in the SQL Server
• Protector Service Account must be a member of “Database Creators” on this server
SQL Server entered in the exercise: DATABASE1
Click Next to carry on
Select Program Folder
• Accept the default and press Next
This will allow you to change the location that the software will install its shortcuts.
Pressing Next displays the SMTP Setup dialog box.
TCP Port and SMTP Setup
• Accept the default TCP port number
• Configure appropriate SMTP settings
Values shown in the exercise: SMTP server smtp.school.nato.int, logon name validuser1, password masked.
The SMTP Setup screen allows us to set the information that will allow DiskNet to automatically send email alerts.
Reflex Disknet Pro Server Port Number – this is the TCP/IP port number that the server will use to communicate with the client.
SMTP Server – if you wish to use the email alert feature of Reflex Disknet Pro you need to enter the name of the SMTP server and provide a logon name and password for an account to access this SMTP server (if required).
Pressing Next will take you to the Select Service Account dialog box.
Select the Service Account
This is the account that the Protector will run as, protector_service should be selected from the users on the local machine (not from the “School” domain).
Note that the protector_service account was created prior to the install and added to both the Local Administrators and LG_ServiceLogonRight groups. The LG_ServiceLogonRight is added to the domain wide “Logon as a Service” group by the application of the NATO security settings. Note that the installation of the Protector client also adds this protector_service account to the domain wide “Logon as a Service” group but the subsequent re-application of the security settings later removes it again. The use of local groups in this way allows Administrators to assign local rights without the need for domain wide administrative privileges.
Summary Screen
• Last chance to go back and make changes
This dialog displays a summary of the installation options you have selected. Check this information is correct and click ‘Next’ to continue. The installation will now copy all files required to complete the installation and display the Finish dialog when complete.
Installing Microsoft SQL Desktop Engine
The Disknet Pro Server uses a Microsoft SQL database to store the profile and user information and installs the Microsoft SQL Database Engine during setup. During this automatic install these two windows will pop up:
Installation Wizard Complete
• Pointsec Protector server is installed
Click the Finish button to complete the installation
Protector Client Install
• Four main options for the client install:
1. Pointsec Deployment Server
2. Active Directory Group Policy
3. Add to Disk Image (Windows Baseline)
4. Manual Install
• Instructions for options 1 to 3 can be found on the WAC Portal on the NCIRC NS site
NCIRC WAC Web Portal
http://nww.ncirc.nato.int/
WAC SecOps
Instructions for using the deployment server, Active Directory Group Policy, creating a Windows Image (Baseline) or manually installing the client are provided on the NCIRC WAC Portal on the NATO Secret WAN.
Note that manual installation, the deployment server and disk image installs can be used interchangeably. For group policy, however, if the client is installed using group policy it must be upgraded or removed using group policy.
Splash Screen
• Double click on the client install “setup.exe”
Wait until Welcome Screen
Welcome Screen
• Click on “Next” to proceed
Wait until Welcome Screen
Accept Licence Agreement
Click Next to accept licence agreement
Setup Type
• Select “Complete” and click “Next”
Leave set to Complete and press Next to continue
Server Name and Port
• Use “Browse” then “Add” to select the server
Select the name of the Protector server (or alternatively type in its IP address, 10.10.10.11). Leave the port at the default (9738) and press Next to continue.
Start Copying Files
• Click on “Next” to proceed
Press Next to continue
Setup Status
Wait until installation is complete
Install Wizard Complete
• Click on “Finish” to restart the workstation
Press Finish to reboot and complete the Installation
Section Two
Implementation of the Approved DNP Profiles with Demonstration
Introduction to Profiles
This window shows the current standard set of NATO profiles; only a brief description is given here as more detail is given on the important profiles later in the presentation.
Admin – Allows an administrator to optionally disable each of the Protector protection modules and thus bypass the protection mechanisms.
Authorise – Allows a user to authorise media using the Removable Media Manager
Baseline – This is the profile used for all non privileged users. It basically takes the default profile and adds CD/DVD ROM read access and turns on auditing for most unauthorised device access events.
CDRW – Adds the CD/DVD ROM Write privilege
Default – The default profile is the basis on which all other profiles are built and it is also the profile of any user not explicitly added to any particular group.
Encrypt Profile – Allows a user to create encrypted USB mass storage devices
Fixed Disk – Allows access to External Hard Drives
Floppy – Allows READ/WRITE Access to floppy disk drives
STI Device – Allows access to still image devices such as digital cameras and scanners
USB – Allows user access to encrypted USB mass storage devices
NITC Standard Groups
Each of the profiles is linked to a group with a similar sounding name. A user is simply added to the appropriate group in order to acquire the appropriate rights. The profiles are designed in such a way so that they can be nested. i.e. a user added to the “CDRW Access” and the “Floppy Device access” group will get both rights.
The synchronisation order determines how to handle the situation when different groups define different settings, the lower the number the higher the priority.
Adding a user to a group
To add a user to a group simply ‘right click’ on the appropriate group and select ‘Add users to group’ from the menu. Type the name of the user in the ‘Enter object names to select’ field and press ‘Check Names’. If the correct user is displayed in the window press ‘OK’ to apply.
The Default Profile
The Default Profile is used here as an introduction to the three most important modules in the Protector security architecture.
Device Manager provides the ability to control the many different types of devices that can be used on a client workstation. Device Manager can be considered as the first line of protection by managing the use of these devices and/or ports. DM can also be used to apply audit rules, allow write access (where appropriate) and enforce encryption. It can also control whether or not files can be run directly from external media. This Default Profile allows only CD-ROM Read Only access and enables locally connected printers.
Removable Media Manager (RMM) takes the control and management of removable media devices a step further. By using RMM you will be able to authorise individual media such as floppy disks, USB removable disks etc. for use on the Protector enabled workstations on your network. Once removable media has been authorised it can be used anywhere within the Protector network environment. The current setting does not allow removable media authorisation.
Authorisation is performed at the client workstation. This part of the authorisation process can be made to enforce a virus scan of the media to ensure the contents are virus free before allowing it onto the network. There is also an additional check that can be performed to reject any media that contains executable and other unwanted or active code file types (EXE’s, DLL’s, MP3’s etc).
The Encryption tab controls all aspects of encrypting removable media, the Default Profile disables all access to encrypted media.
CDRW Access Group
The CD (and DVD) Access group is used here to show the relationship between a group and a profile. The group properties window on the left indicates that two profile templates are applied; the Default and the CDRW Profile.
The CDRW Access Group only defines settings for the Device Manager. A view of the Device Manager properties for this profile shows that Access has been granted to DVD/CD-ROM drives. Note that because the R/O (Read Only) box is not selected for DVD/CD-ROM devices, Read/Write access is granted.
This slide also gives an introduction to the concept of the define column, which indicates whether or not a particular access right is defined in this profile. A closed blue padlock indicates that the property is inherited from a previously applied profile, in this case the Default. An open green padlock indicates that the particular right is defined in this profile.
Authorise Profile
The ‘Authorise Profile’ defines settings only for the Removable Media Manager (RMM). A member of the ‘Authorise users’ group is allowed to authorise removable media for use within the Protector enabled network. Authorisation involves two automated scans of the files on the removable media. The first uses a standard third party virus checker, in this case McAfee, to check for malicious code. The second, Reflex Datascan, compares the file types to a user defined list of prohibited file types. Members of this group have the option to select which scanners to use (if more than one virus checker is installed); they also have the right to delete any rejected files during the authorisation procedure, thus allowing authorisation to complete successfully.
Authorisation in this context involves creating a digital signature made up of information about the files on the media and a “Media Key” that is unique to this particular installation. Each time the media is removed the signature is re-calculated and written back to the device. When the device is next plugged into a Protector protected system the signature is calculated again and compared with the stored value; if they are equal then the device can be accessed. If they differ then something has changed in one or more files on the device and so the device must be re-authorised as described earlier.
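The two-stage authorisation described above (Datascan file-type check, then a keyed signature over the media contents that is re-checked on every insertion) can be modelled in a few functions. The following is an added example and not Protector's own code: the page does not say what signature algorithm the product uses, so an HMAC-SHA256 over a manifest of file paths, sizes and hashes is assumed as a stand-in for the “digital signature”; the prohibited-type list, the media key, the signature file name `.protector_sig` and the sample files are all constructed for the demonstration and are not the contents of CheckDat.xml.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed stand-in for the Datascan prohibited file-type list.  The real
# list lives in CheckDat.xml on the Protector client and is not reproduced here.
PROHIBITED_TYPES = {".exe", ".dll", ".sys", ".cmd", ".bat", ".mp3"}
SIG_NAME = ".protector_sig"   # hypothetical name of the signature stored on the media


def build_manifest(media_root: Path) -> list:
    """Describe every file on the media (path, size, SHA-256), excluding the signature itself."""
    entries = []
    for p in sorted(media_root.rglob("*")):
        if p.is_file() and p.name != SIG_NAME:
            entries.append({
                "path": p.relative_to(media_root).as_posix(),
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            })
    return entries


def data_scan(manifest: list) -> list:
    """Datascan-style check: return the paths whose file type is prohibited."""
    return [e["path"] for e in manifest if Path(e["path"]).suffix.lower() in PROHIBITED_TYPES]


def sign_manifest(manifest: list, media_key: bytes) -> str:
    """Keyed signature over a canonical encoding of the manifest (assumed HMAC-SHA256)."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(media_key, canon, hashlib.sha256).hexdigest()


def write_signature(media_root: Path, media_key: bytes) -> str:
    """Re-calculate the signature and write it back, as happens when the media is removed."""
    sig = sign_manifest(build_manifest(media_root), media_key)
    (media_root / SIG_NAME).write_text(sig)
    return sig


def authorise_media(media_root: Path, media_key: bytes, delete_rejected: bool = False):
    """The client-side authorisation step: scan, optionally delete rejected files, then sign.
    Returns (authorised, list_of_rejected_paths)."""
    rejected = data_scan(build_manifest(media_root))
    if rejected and not delete_rejected:
        return False, rejected
    for rel in rejected:                      # the 'Authorise users' right to delete rejected files
        (media_root / rel).unlink()
    write_signature(media_root, media_key)
    return True, rejected


def verify_media(media_root: Path, media_key: bytes) -> bool:
    """The check performed when media is plugged into a protected system."""
    sig_file = media_root / SIG_NAME
    if not sig_file.exists():
        return False                          # never authorised in this installation
    expected = sign_manifest(build_manifest(media_root), media_key)
    return hmac.compare_digest(sig_file.read_text().strip(), expected)


def demo() -> dict:
    """Walk a constructed media image through authorisation, tampering and re-sealing."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "report.docx").write_bytes(b"quarterly report")          # constructed sample data
        (media / "tools").mkdir()
        (media / "tools" / "setup.cmd").write_bytes(b"@echo off")
        site_key = b"constructed-media-key-unique-to-this-installation"

        ok, rejected = authorise_media(media, site_key)
        results["first_attempt_ok"] = ok                 # False: setup.cmd is a prohibited type
        results["rejected"] = rejected
        ok, _ = authorise_media(media, site_key, delete_rejected=True)
        results["second_attempt_ok"] = ok
        results["verify_clean"] = verify_media(media, site_key)

        # File changed on an unprotected machine: signature no longer matches.
        (media / "report.docx").write_bytes(b"quarterly report, edited elsewhere")
        results["verify_tampered"] = verify_media(media, site_key)

        # Media removed from a protected system: signature re-calculated and written back.
        write_signature(media, site_key)
        results["verify_resigned"] = verify_media(media, site_key)

        # Another installation has a different Media Key, so its check fails.
        results["verify_other_site"] = verify_media(media, b"another-installation-key")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The manifest is signed rather than the raw bytes so the check is fast on insertion, and `hmac.compare_digest` is used for the comparison so the verifier does not leak timing information about the stored value.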
Encrypt Profile
The “Encrypt profile” defines settings for the Encryption tab and applies to members of the “Encrypt Users” group. The ‘Encrypt’ check box has to be selected on the Removable Media Devices tab.
The most important setting here is that a member of this group can create an encrypted Removable Media Device for other users. Members of this group would normally be an Infosec Officer or worker in The Registry depending on the local policy for issuing authorised USB mass storage devices.
USB Profile
The USB Profile should only be used temporarily to access USB tokens that have originated outside of the Protector protected environment.
The devices are mounted in Read Only mode so that they can only be used to import data into the protected environment.
Combining Profiles (1)
Testuser1 has been made a member of two groups, which in turn has led to the application of two profiles in addition to the Default. This combination of group memberships extends the Baseline with Read/Write access to floppy drives.
The Resulting Profile window on the right is the result of pressing the View/Edit button.
Combining Profiles (2)
This is the same view as the previous slide but testuser1 has also been added to the CDRW Group. Pressing View/Edit now shows that the Device Manager settings have been extended to include write access to CD/DVD ROMs (i.e. the R/O check mark has been removed).
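The Resulting Profile shown on the two “Combining Profiles” slides is the outcome of the rules introduced earlier: each applied profile either defines a device right (open green padlock) or leaves it undefined (closed blue padlock, inherited), and where two profiles define the same right the one with the lower synchronisation number wins, with the Default profile underneath everything. The following is an added example of that resolution logic, not Protector's own code; the profile names, synchronisation numbers, device names and group-to-profile links are constructed to mirror the slides and are assumptions.

```python
from dataclasses import dataclass, field

# An access right as shown on the Device Manager tab.  A profile that has no
# entry for a device does not define it (closed blue padlock: inherited from a
# lower-priority profile); an Access value means it is defined here (open green padlock).
@dataclass(frozen=True)
class Access:
    allowed: bool
    read_only: bool = False


@dataclass
class Profile:
    name: str
    sync_order: int                          # lower number = higher priority
    settings: dict = field(default_factory=dict)

    def defines(self, device: str) -> bool:
        return self.settings.get(device) is not None


DEVICES = ["DVD/CD-ROM", "Floppy", "USB mass storage", "Printer"]

# Constructed profiles; sync numbers and device names are assumptions.
DEFAULT = Profile("Default", 99, {
    "DVD/CD-ROM": Access(allowed=True, read_only=True),   # CD-ROM Read Only
    "Floppy": Access(allowed=False),
    "USB mass storage": Access(allowed=False),
    "Printer": Access(allowed=True),                       # locally connected printers
})
FLOPPY_RW = Profile("Floppy RW Profile", 20, {"Floppy": Access(allowed=True, read_only=False)})
CDRW = Profile("CDRW Profile", 10, {"DVD/CD-ROM": Access(allowed=True, read_only=False)})
USB_RO = Profile("USB Profile", 30, {"USB mass storage": Access(allowed=True, read_only=True)})

# Hypothetical group-to-profile links, as shown in a group's properties window.
GROUP_PROFILES = {
    "Floppy Users": FLOPPY_RW,
    "CDRW Access": CDRW,
    "USB Import": USB_RO,
}


def resolve(applied: list, default: Profile = DEFAULT) -> dict:
    """Build the Resulting Profile: for each device take the value from the
    highest-priority (lowest sync_order) profile that defines it, otherwise
    fall back to the Default.  Returns {device: (Access, defining profile name)}."""
    ordered = sorted(applied, key=lambda p: p.sync_order)
    result = {}
    for device in DEVICES:
        for profile in ordered:
            if profile.defines(device):
                result[device] = (profile.settings[device], profile.name)
                break
        else:
            result[device] = (default.settings[device], default.name)
    return result


def resolve_for_user(groups: list) -> dict:
    """Resulting Profile for a user given the groups he is a member of."""
    return resolve([GROUP_PROFILES[g] for g in groups])


def describe(resulting: dict) -> list:
    """One line per device, in the spirit of the View/Edit window."""
    lines = []
    for device, (acc, source) in resulting.items():
        padlock = "inherited" if source == DEFAULT.name else "defined"
        mode = "no access" if not acc.allowed else ("R/O" if acc.read_only else "R/W")
        lines.append(f"{device:18} {mode:9} ({padlock}, from {source})")
    return lines


if __name__ == "__main__":
    # testuser1 as on the two slides: floppy group only, then the CDRW group as well.
    for membership in (["Floppy Users"], ["Floppy Users", "CDRW Access"]):
        print("Groups:", ", ".join(membership))
        print("\n".join(describe(resolve_for_user(membership))), end="\n\n")
```

When the user is added to the CDRW group the DVD/CD-ROM line changes from the inherited Read Only value to Read/Write defined by the CDRW Profile, exactly as the R/O check mark disappearing on the slide; every right the added profiles do not mention stays as the Default defines it.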
Program Security Guard
The above settings for user testuser1 for Program Security Guard (PSG) are defined in the Default profile; they therefore apply to all other profiles.
PSG is used to block the introduction or modification of any file type specified in the box on the right. This can be any executable file (EXE, DLL, SYS etc.), media and audio files (AVI, MP3, WMA etc.) or can be customised to include any other file type that you would like to control. All file types protected by PSG will be blocked from being introduced to the system from any location, i.e. not just removable media devices. Note that these settings will also apply to files downloaded by a web browser from the Internet.
Note that this list is different from the list of unsafe file types used by the Data Scan process during the USB media authorisation procedure. The DataScan list can be found in an XML file located with the Protector client executable files, known as CheckDat.xml.
The picture in the bottom right shows what happens on the client workstation when PSG is triggered. A dialog appears telling the user that an ‘unauthorised file operation’ has occurred. The dialog shows the user which process caused the alert and which file the process tried to operate on. In the above example ‘VMWareUser.exe.exe’ was the blocked process attempting to copy the file ‘setup.cmd’.
User Interface Properties
The User Interface, i.e. what the user of the client workstation sees, can also be controlled by the use of profiles. Users can also be given the right to disable individual modules if required. In the standard NCIRC profiles these rights are only available in the Administrators profile.
Audit Properties
Protector has extensive auditing capabilities which are controlled by the use of profiles. The standard NCIRC audit policy has been defined in the Default profile, which in turn is inherited by all other profiles. For each standard event there is an option to either ignore or log it. Logging is further divided into immediate or register. Registered events are transferred to the database at pre-programmed regular intervals, whereas immediate events are transferred, as the name implies, immediately.
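The ignore/immediate/register distinction matters for what an investigator can rely on: a registered event sits on the workstation until the next transfer interval, so if the machine is switched off or disconnected in between it never reaches the database, whereas an immediate event is already there. The following is an added example of such a client-side audit policy, not Protector's own code; the event names, the policy choices and the 300 second interval are constructed for the demonstration and are not the NCIRC Default profile's actual settings.

```python
from collections import deque
from enum import Enum


class Action(Enum):
    IGNORE = "ignore"         # event is dropped on the client
    IMMEDIATE = "immediate"   # event is sent to the database as it happens
    REGISTER = "register"     # event is queued and sent at the next interval


# Constructed policy: security-relevant blocks go immediately, routine use is batched.
DEFAULT_AUDIT_POLICY = {
    "device.blocked": Action.IMMEDIATE,
    "psg.blocked": Action.IMMEDIATE,
    "media.authorised": Action.IMMEDIATE,
    "media.read": Action.REGISTER,
    "media.write": Action.REGISTER,
    "client.started": Action.REGISTER,
    "printer.used": Action.IGNORE,
}


class AuditDatabase:
    """Stand-in for the central Protector database table."""
    def __init__(self):
        self.rows = []

    def store(self, events):
        self.rows.extend(events)


class AuditClient:
    """Client-side audit logic driven by the profile's audit settings."""
    def __init__(self, policy: dict, db: AuditDatabase, register_interval: float = 300.0):
        self.policy = policy
        self.db = db
        self.interval = register_interval
        self.pending = deque()        # registered events not yet transferred
        self.last_flush = 0.0

    def record(self, now: float, event_type: str, **details) -> Action:
        # An event type the profile does not mention is logged, but only lazily.
        action = self.policy.get(event_type, Action.REGISTER)
        if action is Action.IGNORE:
            return action
        event = {"time": now, "type": event_type, **details}
        if action is Action.IMMEDIATE:
            self.db.store([event])
        else:
            self.pending.append(event)
        self.maybe_flush(now)
        return action

    def maybe_flush(self, now: float) -> bool:
        """Transfer registered events once the interval has elapsed."""
        if self.pending and now - self.last_flush >= self.interval:
            self.db.store(list(self.pending))
            self.pending.clear()
            self.last_flush = now
            return True
        return False


def demo() -> dict:
    """Replay a few constructed events with a simulated clock (seconds)."""
    db = AuditDatabase()
    client = AuditClient(DEFAULT_AUDIT_POLICY, db, register_interval=300.0)
    client.record(10.0, "media.read", user="testuser1", media="floppy")
    client.record(20.0, "psg.blocked", user="testuser1", process="example.exe", file="setup.cmd")
    client.record(30.0, "printer.used", user="testuser1")
    after_30s = (len(db.rows), len(client.pending))      # immediate event stored, one still queued
    client.record(310.0, "media.write", user="testuser1", media="floppy")
    after_flush = (len(db.rows), len(client.pending))    # interval elapsed: queue transferred
    return {
        "after_30s": after_30s,
        "after_flush": after_flush,
        "db_types": [row["type"] for row in db.rows],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the ordering in the database: the immediate PSG block is the first row even though the registered floppy read happened earlier, so timelines in a later investigation should be built from the event timestamps rather than from the row order.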
Log Archive
• Audit policy generates lots of events
• Ensure periodic archiving of logs
The WAC Portal contains a document that describes how to clear the log if the database file gets too large for the normal log archival mechanism to function correctly. The title of the document is
Log Archive (2)
Computer Groups
A Computer Group is created in much the same way as a User Group, and profiles can then be linked to computer groups in the same way as to user groups. Workstation policies are of minimal use in a classified environment where the security policy requires individual accountability. As a result the NCIRC default templates do not currently define any workstation groups.
To assign a computer to a Group, a simple Drag & Drop method is used. Computer Groups allow any user to log into a computer and use the facilities that have been made available in the Computer Profile. If the computer profile states that the machine can access and write to a CD then, regardless of who logs in, the user will have access to record their own media.
Section Three
Procedure for changing Protector templates
Steps in making a change
• A change request is made to the local Compusec officer
• The Compusec officer forwards the request to NITC
• NITC assesses the change and determines if the change will impact everyone or only the local headquarters
How do we make a change to Protector? It’s a long process, but a simple one. The people who make the decisions are Compusec/Infosec officers for the headquarters in question and NITC. The Compusec officer is involved in the chain because it is up to the Compusec officer to allow or deny the end user’s request. They are the people who say “Yes you can have access to your USB ports” or “No, you can’t”.
However, the Compusec/Infosec person is not the only person in the chain. NITC are the controllers of the template/profile. They will determine if changes to the profile need to be made NATO wide or if the change can be made locally. It is vital that they be kept up to date on any changes that users wish to have made to the system.
Steps in making a change (continued)
• Authorisation for the change will occur via email to the system administration team
• The change will be input into the system
• The profile that has changed will be resent to all of the machines in the network
If the change is local to the headquarters an email will be sent to the system administration team authorising them to change the profile locally. This email will need to be printed off and stored with their change management documentation for later audit purposes.
If it is a change that would be best to implement NATO wide a change will be made to the templates/profiles that are on the NCIRC website (http://nww.ncirc.nato.int). The script file can then be downloaded and run on the Protector server.
The templates/profiles will then have to be resent to the workstations (either by the users logging off and logging on or via the automatic method through the administrative console).
Step by step through a simple request
Scenario
• The site has decided to upgrade its infrastructure to allow for desktop VTC to all of the users on the network
This is a simple scenario because “everyone” will be impacted by the change that is coming in. Upgrading to a desktop VTC capacity puts a web cam on everyone’s desk. If everyone is supposed to be able to use the camera then a change to the “baseline” profile is needed.
Step one – Compusec
• Compusec will receive a request to alter the user’s rights and privileges with respect to the webcam.
• Compusec will approve or deny the request.
• Compusec will forward that request to NITC, once it is approved, to have them determine what should be done.
In this case, as part of the upgrade procedure that the Compusec officer has already agreed to, he/she will need to send a request to NITC outlining the approved change that is being made to the network in the office.
Step two - NITC
• Once NITC receives the request they will assess the change by testing it in their testbed to ensure that the change can be made without giving the end user too many rights.
• Once the change has been tested NITC will then assess whether the change should be made to NATO as a whole, or only to the individual headquarters.
NITC is responsible for the testing and approval of all software and software updates/patches. Their website contains things like the approved software listing, antivirus signature files and patch notices. With respect to DiskNet they have documentation, scripts and software updates listed on the website.
Step two – NITC (cont’d)
• If it is determined that the change would benefit all of NATO then NITC will alter their script and republish it on the website.
• If it is determined that the change would only benefit the individual headquarters then NITC will send an email authorising the alteration of the profile.
Once the change has been approved and tested NITC will send an email back to the requestor. This note will either authorise the site to make the change or will state that the change has been approved and the site needs to download the script file again and run it on their DiskNet server.
Step three – System Administration
• Once the approval notice has been received back at the site the change will need to be made inside the Administrative Console.
• The System Administrator will download the script file from the NITC website (http://nww.ncirc.nato.int) and run the executable file on the server.
The script file is located by going to the website, http://nww.ncirc.nato.int on an NS machine. Found within the left hand bar on the site is a section labelled software and within that box is a link to Workstation Access Control. Click on that link and the Workstation Access Control documents, policies, profiles and settings will appear in the main window.
Step three – System Administration (cont’d)
• In the case of a change that is only to be made at the local site, the person in charge of the profiles will need to open the console and make the approved change, and file the approval email from NITC.
The person in charge of the profiles may be the Compusec officer, or it may be a System Administrator. This is a policy decision made by the individual headquarters in conjunction with their NCSA representatives.