
Dlp 900 Install Epo45 en-us

Date post: 07-Apr-2018
  • 8/3/2019 Dlp 900 Install Epo45 en-us


McAfee Host Data Loss Prevention 9.0 Installation Guide for ePolicy Orchestrator 4.5


    COPYRIGHT

    Copyright 2010 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    Refer to the product Release Notes.


Contents

Introduction .... 5
  Components and their relationships .... 5
  Getting started .... 8
Pre-Installation .... 11
  System requirements .... 11
  Configuring the server .... 12
  Installing ePolicy Orchestrator 4.5 .... 13
  WCF installation .... 14
    Installing the DLP WCF service .... 15
  Troubleshooting the DLP WCF service .... 19
Installing or Upgrading McAfee Host Data Loss Prevention .... 20
  First-time installation issues .... 20
    Creating and configuring repository folders .... 21
  Installing the McAfee Host Data Loss Prevention extension .... 22
  Upgrading issues .... 23
    Upgrading McAfee Host Data Loss Prevention software .... 24
Post-Installation .... 25
  Initializing the Host DLP Policy Manager .... 25
  Upgrading the license .... 27
  Applying the policy .... 27
  Initializing the Host DLP Monitor .... 28
  Checking in the DLP Agent package to ePolicy Orchestrator .... 29
  Deploying the DLP Agent .... 30
    Defining a default rule .... 30
    Deploying the DLP Agent in ePolicy Orchestrator .... 31
    Verifying the installation .... 31
Appendix I Deploying McAfee Host Data Loss Prevention with SMS .... 32
  Creating an installation package .... 32
  Creating the advertisement .... 33
  Creating the SMS uninstall package .... 33
Appendix II Users and permission sets .... 35
  Creating and defining DLP administrators .... 35
  Creating and defining permission sets .... 36
  DLP permission set options .... 36

Introduction

This guide provides the necessary information for installing McAfee Host Data Loss Prevention software version 9.0. It provides detailed steps and verification of the installation process. This guide demonstrates how to configure the recommended architecture, and when completed the user will have a fully functional McAfee Host Data Loss Prevention implementation that is properly configured.

McAfee recognizes that many configuration possibilities exist and that McAfee Host Data Loss Prevention is very flexible in meeting a variety of implementation architectures. The recommended architecture represents only one path.

Contents

Components and their relationships

Getting started

Components and their relationships

McAfee Host Data Loss Prevention software version 9.0 is more tightly integrated with ePolicy Orchestrator than version 2.x. As a result, the recommended installation is now on a single server, and is in compliance with the FIPS 140-2 standard.


The DLP WCF Service can be installed on a separate server from the ePO database.

Figure 1: McAfee Host Data Loss Prevention components and relationships

Figure 1 depicts the elements that comprise McAfee Host Data Loss Prevention and the communication patterns among the elements.

The recommended architecture includes:

ePO server: Hosts the embedded user interfaces (Host DLP Monitor and Host DLP Policy Manager) and communicates with the McAfee Agents.

ePO Reports: A list of Host DLP Events within the ePolicy Orchestrator reporting service replaces DLP Reports.

DLP WCF (Windows Communication Foundation) Service: Communicates between ePolicy Orchestrator and the Host DLP Policy Manager to distribute policies, and with the Host DLP Monitor to display events.

ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.

DLP Event Parser: Collects Host DLP events from the ePO Event Parser and stores them in DLP tables in the SQL database.

ePO database: Communicates with the ePO Policy Distributor to distribute policies, and with the DLP Event Parser to collect events and evidence.

Administrator workstation: Accesses ePolicy Orchestrator, the Host DLP Monitor, and Host DLP Policy Manager in a browser through the DLP WCF Service.

Client workstation: Applies the security policies using the following software:

DLP Agent: Provides the DLP processes. In McAfee Host Data Loss Prevention software version 9.0 the DLP Agent communicates exclusively with the ePO Agent.

McAfee Agent: Provides the communication channel between the ePolicy Orchestrator server and the DLP Agent.

    Backward compatible installation

To allow an orderly upgrade in large enterprises that have deployed previous versions of the DLP Agent in their production environment, an option exists to deploy backward compatible policies to computers still running the older agents. DLP Agent 2.2 Patch 2 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to DLP Agent 2.2 Patch 2 or later before upgrading to DLP Agent 9.x.

McAfee Host Data Loss Prevention software version 9.0 utilizes a standardized XML policy format. The new format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents now has two levels: DLP Agent 3.0 or later, and DLP 2.2 Patch 2 or later.

Compatibility with version 3.0 DLP Agents uses the standard installation. The agent compatibility option is selected during the policy manager initialization.

For enterprises upgrading from DLP 2.2 Patch 2, old events in the Host DLP database are converted to tables in the ePO database. The installation for backward compatibility contains elements of both version 2.x and version 3.x. In particular, the DLP Event Collector is installed to collect events from the version 2.x DLP Agents. This means that the two-server system recommended in McAfee Host Data Loss Prevention version 2.x is maintained during the transition phase. The backward-compatible architecture is as follows:

    Figure 2: McAfee Host Data Loss Prevention components with backward compatibility

    Getting started

Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Host Data Loss Prevention software. While guidelines and best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is unique for each installation.

For this reason, McAfee recommends initial deployment to a sample group of 15 to 20 users for a trial period of about a month.

During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The monitoring data helps the security officers make good decisions about where and how to classify corporate data. The policies created from this information should be tested on a larger test group (or, in the case of very large companies, on a series of successively larger groups) before being deployed to the entire enterprise.

    McAfee Device Control vs McAfee Host Data Loss Prevention

McAfee Device Control prevents unauthorized use of removable media devices. McAfee Host Data Loss Prevention gives you a fuller set of tools to inspect enterprise users' actions concerning sensitive content anywhere on their computers. The following table compares the features.

Feature | McAfee Device Control | McAfee Host Data Loss Prevention

Applications
Enterprise Applications List | Yes | Yes

Database Administration
Database Administration | Yes | Yes
Database Statistics | Yes | Yes

Content Based Definitions
Dictionaries | Yes | Yes
Registered Documents Repositories | Yes | Yes
Text Patterns | Yes | Yes

Definitions
Application Definitions | Yes | Yes
Document Properties | Yes | Yes
Email Destinations | No | Yes
File Extension Definitions | Yes | Yes
File Server Definitions | No | Yes
Network Definitions | No | Yes
Printer Definitions | No | Yes
Tags and Categories | Yes (content categories and groups only) | Yes (content categories, tags, and groups)
Web Destinations | No | Yes
Whitelist Repository | Yes | Yes

Device Management
Device Classes | Yes | Yes
Device Definitions | Yes | Yes
Device Rules | Yes | Yes
Whitelisted Applications | Yes | Yes

Policy Assignment
User Assignment Groups | Yes | Yes
Privileged Users | Yes | Yes

RM and Encryption
RM Servers | No | Yes
RM Policies | No | Yes
Encryption Keys | Yes | Yes

Rules
Classification Rules | Yes | Yes
Discovery Rules | No | Yes
Protection Rules | Yes (Removable Storage Protection only) | Yes: Application File Access Protection, Clipboard Protection, Email Destinations Protection, File System Protection, Network Communication Protection, PDF/Imagewriter Protection, Printing Protection, Removable Storage Protection, Screen Capture Protection, Web Post Protection
Tagging Rules | No | Yes


    Pre-Installation

This section contains information on required Microsoft system components, and ePolicy Orchestrator installation requirements. Review this section completely before installing McAfee Host Data Loss Prevention software version 9.0.

    Contents

    System requirements

    Configuring the server

    Installing ePolicy Orchestrator 4.5

    WCF installation

    System requirements

    Hardware requirements

The following hardware is recommended for running McAfee Host Data Loss Prevention software version 9.0.

Servers
  CPU: Intel Pentium IV 2.8 GHz or higher.
  RAM: 512 MB minimum for McAfee Device Control only (1 GB recommended). 1 GB minimum for full McAfee Host Data Loss Prevention (2 GB recommended).
  Hard Disk: 80 GB minimum.

Agent workstations
  CPU: Pentium III 1 GHz or higher.
  RAM: 256 MB minimum for McAfee Device Control (1 GB recommended). 512 MB minimum for full McAfee Host Data Loss Prevention (1 GB recommended).
  Hard Disk: 200 MB minimum free disk space.

Network
  100 Mbit LAN serving all workstations and the ePO server.
  Agents must be able to access port 8731 on the server running the WCF Service.
  Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF Service.

The following operating system software is supported:


Servers
  Microsoft Windows 2003 Server Standard (SE) SP1 or later
  Microsoft Windows 2003 Enterprise (EE) SP1 or later
  Microsoft Windows 2008 Server Standard
  NOTE: For installation in ePolicy Orchestrator 4.5, SP2 or later and Microsoft Internet Explorer 7 or later are required. These are requirements for ePolicy Orchestrator, not McAfee Host Data Loss Prevention.

Agent workstations
  Microsoft Windows 2000 SP4 or later
  Microsoft Windows XP Professional SP1 or later (32-bit only)
  Microsoft Windows Vista SP1 or later (32-bit only)
  Microsoft Windows 7 (32-bit only)

The user installing McAfee Host Data Loss Prevention software version 9.0 on the servers must be a member of the local administrator group.

Because McAfee Host Data Loss Prevention software version 9.0 requires .NET 3.5, Windows 2000 server is no longer supported.

    Server software requirements

The following software is required on the server running Host DLP Policy Manager and Monitor:

Software | Version
McAfee ePolicy Orchestrator | 4.5
McAfee Agent | 4.0 Patch 1 or later
McAfee ePolicy Orchestrator Help System | Download the HDLP 9.0 Help extension.
Microsoft .NET | 3.5 (Patch 1 recommended). NOTE: All agent handlers on remote servers require the .NET Framework.
Microsoft SQL Server | 2005 compatibility mode 90 or later

    The McAfee Host Data Loss Prevention software version 9.0 package includes the following:

    DLP Agent

    DLP Windows Communication Foundation (DLPWCF)

    DLP Migration Tool (used to import events from the version 2.2 database to the 9.0 database)

    DLP Extension (contains the components installed through ePolicy Orchestrator)

Configuring the server

Use this task for the basic configuration of the server.

    Before you begin

    Verify that the server meets the minimum system requirements.


    Task

1 Install Microsoft Windows 2003 SE SP1 with the role of file server (configured on the Server Role page of the Configure Your Server wizard).

2 Install Windows Installer 3.0 and restart the system. Install the Microsoft Windows 2003 service packs.

3 Run Windows Update and install all updates.

4 Disable Microsoft Internet Explorer's Enhanced Security Configuration Windows Component using the Windows Control Panel Add/Remove Windows Components option.

NOTE: This Microsoft product can hinder proper installation of Host DLP components. Disable it before installation, then reconfigure it after installation if it is required.

5 Install Microsoft .NET Framework 3.5 SP1.

6 Set the server to a static IP address.

NOTE: McAfee recommends using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.

Installing ePolicy Orchestrator 4.5

Use this task to install ePolicy Orchestrator 4.5.

    Before you begin

Read the ePolicy Orchestrator 4.5 Installation Guide and Release Notes to familiarize yourself with all installation issues.

CAUTION: Some of the installation scripts require the NETWORK SERVICE account to have write permission for the C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must temporarily change the permissions for this folder. Otherwise, the installation fails. McAfee recommends completing all software installations before resetting the permissions.
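As an added example that is not part of the McAfee guide, the following PowerShell script reports on the server prerequisites stated in this section before the ePolicy Orchestrator and Host DLP installers are run: local administrator membership of the installing user, presence of .NET Framework 3.5, a direct NETWORK SERVICE write ACE on C:\Windows\Temp, and a static IP address. It assumes Windows PowerShell 3.0 or later run from an elevated session; it only reports and changes nothing.

```powershell
# Added pre-installation readiness check for Host DLP 9.0 / ePO 4.5 (example code,
# not from the McAfee guide). Assumes Windows PowerShell 3.0 or later, elevated session.
$TempPath = 'C:\Windows\Temp'   # folder the installer scripts write to (guide CAUTION)

$results = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    # Collect one row per check; the list object is mutated, so no scope juggling is needed.
    [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. The installing user must be a member of the local Administrators group.
#    Under UAC the role is only reported for an elevated (Run as administrator) session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Result 'Installing user is a local administrator' $isAdmin $identity.Name

# 2. .NET Framework 3.5 must be installed (SP1 per the server configuration task).
#    The NDP\v3.5 key carries Install=1 when present and SP with the service pack level.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
                        -ErrorAction SilentlyContinue
$hasNet35 = ($ndp -ne $null) -and ($ndp.Install -eq 1)
$spLevel  = if ($hasNet35 -and $ndp.SP -ne $null) { "SP$($ndp.SP)" } else { 'not installed' }
Add-Result '.NET Framework 3.5 installed' $hasNet35 $spLevel

# 3. NETWORK SERVICE needs write permission on C:\Windows\Temp during installation.
#    Only a direct Allow ACE for the account is evaluated; access it may inherit through
#    group membership (Users, Authenticated Users) is not resolved here.
$acl       = Get-Acl -Path $TempPath
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
$netSvcAllow = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeBits) -eq $writeBits)
})
Add-Result "NETWORK SERVICE has a direct write ACE on $TempPath" ($netSvcAllow.Count -gt 0) `
           "$($netSvcAllow.Count) matching Allow ACE(s)"

# 4. The server should use a static IP address (DHCP disabled on at least one enabled adapter).
$nics   = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$static = @($nics | Where-Object { -not $_.DHCPEnabled })
$nicDetail = ($nics | ForEach-Object { "$($_.Description): DHCP=$($_.DHCPEnabled)" }) -join '; '
Add-Result 'At least one IP-enabled adapter uses a static address' ($static.Count -gt 0) $nicDetail

# Report; any failed row should be resolved before running the installers.
$results | Format-Table -Property Check, Passed, Detail -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'One or more prerequisites are not met; resolve them before installing.'
}
```

If check 3 fails on a locked-down server, grant the write permission temporarily as the guide describes and re-run the script after the installations to confirm the permission has been reset.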

Pay attention to the following points when installing ePolicy Orchestrator:

1 In the ePolicy Orchestrator installation wizard, use the following settings:

Installation wizard screen | Setting

Installation Options | Select Install Server and Console.

Setup Requirements | Install SQL Server 2005 Express. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 server and select it. CAUTION: After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.

Database Server Account | McAfee recommends using a SQL Server account. If preferred, an NT account can also be used.

HTTP Configuration | Do not use the default setting for the Agent-to-Server communication port. Instead, set the port to 1080.


2 During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.

WCF installation

There are two basic options for installing the Windows Communication Foundation (WCF) service: on the same server as the ePO (SQL) database (local installation) or on a separate server (remote installation). Where ePolicy Orchestrator is installed, together with its database or on a separate server, is not relevant to this discussion; only the relative locations of WCF and the database matter.

    Figure 3: WCF installation options

Web access authorized groups

When installing the WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). McAfee recommends setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database.

When the HDLP Policy Manager attempts to connect to WCF, it impersonates the logged on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG before connecting to the database.


Option 1: Installing WCF locally

When installing WCF on the same server as the ePO database, you can use Windows authentication or SQL authentication. The option is selected in the WCF service installation wizard. The selected authentication applies only to the connection between WCF and the database. The connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking.

The user must be defined in the SQL database. See Adding a user in SQL Server.

Option 2: Installing WCF remotely

When installing WCF on a separate server from the ePO database, you can now use Windows authentication or SQL authentication. The former limitation to only SQL authentication has been eliminated. The description of the connection details is the same as for the local installation.

    Installing the DLP WCF service

Use these tasks to prepare the SQL database for WCF and to install the DLP WCF service. Both of these tasks are required and should be performed in the order given.

    Tasks

    Adding a user in SQL Server

    Running the DLP WCF installer

    Adding a user in SQL Server

To use either Windows or SQL authentication with WCF and the ePO database, an authorized user must be defined in the SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this task to create such an account.

    Before you begin

To perform this task, you must have Microsoft SQL Server Management Studio installed. If you are using SQL Server Express, you should install the Express version of Management Studio. The administrator performing the task should have system administrator rights on the server(s) involved.

    Task

1 Open Microsoft SQL Server Management Studio (Express) and connect to the EPOSERVER instance.

2 In the Object Explorer, right-click the database name and select Properties.

3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use.

4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.


5 On the General page of the Login Properties dialog box, select SQL Server authentication or Windows authentication and type a login name. Set the default database to ePO4_SERVER. Enforcing a password policy is optional.

6 On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section, select ePO4_SERVER and verify that the new login user is listed under User. Click OK.

7 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the login user name.

8 On the Securables page, click Add. Select Specific objects, and click OK.

9 In the Select Objects dialog box, click Object Types and select Databases. Click OK.

10 Click Browse. Select [ePO4_SERVER] and click OK twice.


    11 Click Effective Permissions, and verify the following permissions:

    Figure 4: Setting database user permissions

    12 Click OK.

    Running the DLP WCF installer

Use this task to install and configure the Windows Communication Foundation (WCF) service.

McAfee Host Data Loss Prevention software version 2.x used the DLP Web Service, which ran under IIS, to communicate between components. In response to client requests for a non-IIS dependent communication service, McAfee Host Data Loss Prevention implemented a self-hosted WCF service with version 3.0. The new service is faster, lighter, and more secure than the IIS-based service.

Before you begin

Add the login user to the SQL database as a Windows or SQL user, according to which form of authorization you plan to use. Log out of ePolicy Orchestrator.

    Task

1 Browse to and run the DLPWCFServiceInstaller.msi installer.

2 In step 4 of the installation wizard (WCF Service Settings), do the following:

a You should not change the WCF Server Port value without first consulting your McAfee representative.

b McAfee recommends setting up a group or groups in Windows Active Directory with the names of users authorized to log in to the database. You must change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in WCF installation options.

c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.

3 In step 5 of the installation wizard (SQL Database) do the following:

a Review the defaults for Database Server and Database Name. Type other values if necessary.

b Select Windows Authentication or SQL Authentication and fill in the associated fields.

This change in the installer fixes the problem of installing the DLP WCF Service on a remote server using Windows authentication. You can now use either form of authentication for local or remote installations. Named users must be defined in the SQL database.

4 Click Finish to complete the installation.

Troubleshooting the DLP WCF service

To troubleshoot the DLP WCF service, use the browser page http://localhost:8731/DLPWCF/Admin/Testing.

    Figure 5: The DLP WCF service testing page
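As an added example that is not part of the McAfee guide, this PowerShell script performs the same three checks an administrator would otherwise do by hand when the WCF service does not respond: TCP reachability of port 8731, an authenticated request to the testing page above, and whether the current user's token contains one of the Web Access Authorized Groups that WCF checks after impersonation. It assumes Windows PowerShell 3.0 or later on the administrator workstation; $WcfServer and the group name CORP\DLP-WebAccess are placeholders for your own values.

```powershell
# Added post-installation check for the DLP WCF service (example code, not from the McAfee
# guide). Assumes Windows PowerShell 3.0 or later, run as the user who will use the Host DLP
# Policy Manager. $WcfServer and $WebAccessAuthorizedGroups are placeholders.
$WcfServer      = 'localhost'
$WcfPort        = 8731                                   # port from the guide's network requirements
$TestingPageUrl = "http://${WcfServer}:${WcfPort}/DLPWCF/Admin/Testing"
$WebAccessAuthorizedGroups = @('CORP\DLP-WebAccess')     # WAAG entered in step 4 of the WCF installer

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout: what agents and administrator browsers must be able to do.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-TestingPageStatus([string]$Url) {
    # The workstation-to-WCF connection always uses Windows authentication, so send the
    # caller's default credentials. Returns the HTTP status code, or -1 if no response at all.
    try {
        $request = [System.Net.HttpWebRequest]::Create($Url)
        $request.UseDefaultCredentials = $true
        $request.Timeout = 10000
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return $status
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

function Get-CurrentUserGroups {
    # Resolve the group SIDs in the current logon token to DOMAIN\Group names.
    # SIDs that cannot be translated (for example from a removed group) are returned as SIDs.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

# 1. Is the WCF port reachable from this workstation?
$portOpen = Test-TcpPort $WcfServer $WcfPort
"TCP ${WcfServer}:$WcfPort reachable: $portOpen"

# 2. Does the testing page answer? A 200 means the self-hosted service is up and serving.
if ($portOpen) {
    $status = Get-TestingPageStatus $TestingPageUrl
    "Testing page $TestingPageUrl returned HTTP status $status"
}

# 3. Mirror the authorization check WCF performs after impersonating the logged-on user.
if ($WebAccessAuthorizedGroups -contains 'Everyone') {
    Write-Warning 'WAAG still contains the installer default Everyone; restrict it to an authorized group.'
}
$userName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$tokenGroups = @(Get-CurrentUserGroups)
$matched = @($WebAccessAuthorizedGroups | Where-Object { $tokenGroups -contains $_ })
if ($matched.Count -gt 0) {
    "$userName is a member of WAAG group(s): $($matched -join ', ')"
} else {
    Write-Warning "$userName is not in any configured WAAG group; WCF will not connect this user to the database."
}
```

Group membership is read from the logon token, so a user added to the WAAG group after logging on must log off and on again before the third check (and WCF itself) sees the new membership.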


Installing or Upgrading McAfee Host Data Loss Prevention

This section covers a clean installation and upgrading from an earlier version. In both cases, the default installation is a 90-day license for McAfee Device Control. If you purchased a license for full McAfee Host Data Loss Prevention, you must upgrade the license after you complete the installation.

    Contents

First-time installation issues

Installing the McAfee Host Data Loss Prevention extension

    Upgrading issues

First-time installation issues

The McAfee Host Data Loss Prevention installation wizard requires certain inputs for proper completion. To assure an uninterrupted installation, do the following before installing.

    Evidence and whitelist folder

Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the Host DLP/Database server, but it is usually convenient to put them there.

McAfee suggests the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.

    c:\dlp_resources\

    c:\dlp_resources\evidence

    c:\dlp_resources\whitelist

    Evidence folder

Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence folder.

    Whitelist folder

Text fingerprints to be ignored by the DLP Agent are placed in a whitelist repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee Host Data Loss Prevention saves time by skipping these chunks of text that are known to not include sensitive content.


    Roles and permissions

    Consider the administrator roles you need to manage the system, and create the necessary

    user profiles. Roles such as Host DLP administrators, policy makers, monitor viewers, manual

    taggers, and others may be necessary, depending on the size of the system and how centralized

    you want control to be. The system can be modified at any time, so the list does not have to

    be comprehensive.

    Creating and configuring repository folders

    Use these tasks to configure the repository folders.

    Tasks

    Configuring the evidence folder

    Configuring the whitelist folder

    Configuring the evidence folder

    Use this task to configure the evidence folder with its specific security settings.

    Before you begin

    Create the evidence folder, as described in First-time installation issues.

    Task

    1 Right-click the evidence folder icon and select Sharing and Security.

    2 In the dialog box that appears, select Share this folder, then modify Share name to

    evidence$.

    NOTE: The $ ensures that the share is hidden.

    3 Click Permissions. With the default user name Everyone selected, allow Full Control,

    then click OK.

    4 Click the Security tab, then click Advanced.

    5 On the Permissions tab of the Advanced Security Settings for evidence dialog box,

    deselect Allow inheritable permissions. A confirmation box explains the effect this

    change will have on the folder.

    6 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows

    all permissions eliminated except administrators.

    NOTE: As a security precaution, you can set the permissions to only those administrators

    who deploy policies.

    7 Double-click the Administrators entry to open the Permission Entry dialog box. Change

    the Apply onto option to This folder, subfolders and files. Click OK.

    8 Click Add to select an object type.

    9 In the Enter the object name to select text box, type Domain Computers, then click OK

    to display the Permission Entry dialog box.

    10 In the Allow column, select Create Files/Write Data and Create Folders/Append

    Data. Verify that the Apply onto option says This folder, subfolders and files, then

    click OK. The Advanced Security Settings dialog box now includes Domain Computers.


    11 Click OK twice to close the dialog box.


    Configuring the whitelist folder

    Use this task to configure the whitelist folder with its specific security settings.

    Before you begin

    Create the whitelist folder, as described in First-time installation issues.

    Task

    1 Right-click the whitelist folder icon and select Sharing and Security.

    2 In the dialog box that appears, select Share this folder, then modify Share name to

    whitelist$.

    NOTE: The $ ensures that the share is hidden.

    3 Click the Security tab, then click Advanced.

    4 On the Permissions tab of the Advanced Security Settings for whitelist dialog box,

    deselect Allow inheritable permissions. A confirmation box explains the effect this

    change will have on the folder.

    5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows

    all permissions eliminated except administrators.

    NOTE: As a security precaution, you can set the permissions to only those administrators

    who deploy policies.

    6 Double-click the Administrators entry to open the Permission Entry dialog box. Change

    the Apply onto option to This folder, subfolders and files. Click OK.

    7 Click Add to select an object type.

    8 In the Enter the object name to select text box, type Domain Computers, then click OK

    to display the Permission Entry dialog box.

    9 In the Allow column, select List Folder/Read Data. Verify that the Apply onto option

    says This folder, subfolders and files, then click OK. The Advanced Security Settings

    dialog box now includes Domain Computers.

    10 Click OK twice to close the dialog box.
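    The two click-through procedures above (Configuring the evidence folder and Configuring the whitelist folder) are easy to get subtly wrong, and the resulting ACLs are hard to audit from a dialog box. The following script, added here as an example and not code from the McAfee guide, produces the same result from an elevated PowerShell session on the file server: inheritance removed, Administrators with Full Control on the whole tree, Domain Computers with write-only rights (Create Files/Write Data, Create Folders/Append Data) on the evidence folder and read-only rights (List Folder/Read Data) on the whitelist folder, and each folder exposed as the hidden share evidence$ or whitelist$. The folder paths and share names are the guide's suggested defaults; the function names, the default Domain Computers identity built from the server's own domain, and the share-level permission on the whitelist share (the guide specifies it only for the evidence share) are assumptions of this example. net share /GRANT needs Windows Server 2008 or later; the ACL calls work on PowerShell 2.0.

```powershell
# Added example, not part of the McAfee Host DLP guide.
# Scripted equivalent of "Configuring the evidence folder" and
# "Configuring the whitelist folder". Run elevated on the file server.

function Set-DlpRepositoryAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)]
        [System.Security.AccessControl.FileSystemRights]$ComputerRights,
        # Assumption: the server is joined to the domain whose computers run the agent.
        [string]$DomainComputers = "$env:USERDOMAIN\Domain Computers"
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -Path $Path

    # Guide steps 4-6: stop inheriting and discard the inherited entries
    # ($false = do not convert them into explicit entries). Any explicit
    # entries already present are removed as well, so the result is exactly
    # the two ACEs added below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    # "This folder, subfolders and files"
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Guide step 7: administrators keep Full Control on the whole tree.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow)))

    # Guide steps 8-10: managed endpoints get only the rights listed for this repository.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $DomainComputers, $ComputerRights, $inherit, $prop, $allow)))

    Set-Acl -Path $Path -AclObject $acl
}

function New-DlpHiddenShare {
    param([string]$ShareName, [string]$Path)
    # The trailing '$' only hides the share from browsing; it is not an access
    # control. Share permission is left at Everyone / Full Control as in the
    # guide's evidence procedure. Effective remote access is the intersection
    # of share and NTFS rights, so the NTFS ACL set above is the real control.
    & net share "$ShareName=$Path" '/GRANT:Everyone,FULL' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $ShareName" }
}

function Show-DlpRepositoryAcl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}

$root = 'C:\dlp_resources'
if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# Evidence: endpoints may create files and subfolders but cannot read, so a
# compromised workstation cannot read evidence captured from other hosts.
# CreateFiles = "Create Files/Write Data", CreateDirectories = "Create Folders/Append Data".
Set-DlpRepositoryAcl -Path "$root\evidence"  -ComputerRights 'CreateFiles, CreateDirectories'
New-DlpHiddenShare   -ShareName 'evidence$'  -Path "$root\evidence"

# Whitelist: endpoints only need to read the fingerprint files.
# ListDirectory = "List Folder/Read Data".
Set-DlpRepositoryAcl -Path "$root\whitelist" -ComputerRights 'ListDirectory'
New-DlpHiddenShare   -ShareName 'whitelist$' -Path "$root\whitelist"

Show-DlpRepositoryAcl "$root\evidence"
Show-DlpRepositoryAcl "$root\whitelist"
```

    The final two calls print the resulting ACLs; each folder should show exactly two non-inherited entries, and IsInherited should be False for both. To apply the tighter variant the NOTE in step 6 describes, replace 'BUILTIN\Administrators' with the group of administrators who deploy policies.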


    Installing the McAfee Host Data Loss Prevention extension

    Use this task for a clean installation of the McAfee Host Data Loss Prevention software version 9.0

    extension in ePolicy Orchestrator.

    Before you begin

    Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet

    Explorer security settings.


    Task

    1 In ePolicy Orchestrator, click Menu | Software | Extensions, then click Install

    Extension.

    2 Browse to and select the policy manager zip file (..\HDLP_9_0_0_xxx.zip). Click Open,

    then OK. The installation dialog box displays the file parameters to verify that you are

    installing the correct extension.

    3 Click OK. The extension is installed.

    The following applications are installed:

    Host DLP Policy Manager (in ePolicy Orchestrator | Data Protection)

    Host DLP Event Monitor (in ePolicy Orchestrator | Data Protection)

    DLP Event Parser

    4 Click Install Extension again, browse to and select the Help zip file (...help_dlp_900.zip).

    Click Open, then OK.

    NOTE: This file contains the HDLP extension to the ePO Help system.

    5 Click OK.

    Upgrading issues

    Upgrade installation is similar to first-time installation, but the following points must be

    considered.

    Backward compatibility

    The Host DLP Policy Manager version 9.0 initialization has a backward compatibility option that,

    when selected, allows communication with both old and new agents. Backward compatibility

    can be set to Version 3.0 and later or Version 2.2 Patch 2 and later.

    Unsupported items

    If the policy contains any of the following when backward compatibility mode is selected, the

    policy will fail to be applied to ePolicy Orchestrator.

    Items unsupported in McAfee Host Data Loss Prevention 3.0 and above backward compatibility

    mode:

    An application file access, email, file system, removable storage, or web post protection rule

    contains a document property definition.

    A discovery rule contains a document property definition with unsupported properties. Version

    3.0 only supports the Date Created and Date Modified properties.

    An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.

    A discovery rule contains an Apply RM Policy action.

    Removable storage file access rules are enabled.

    Hit-highlighting is selected on the Evidence tab in the Agent Configuration .


    Queries and computer assignments

    Queries and Dashboards are saved when you upgrade McAfee Host Data Loss Prevention, as

    long as you use the recommended procedure. If you remove the existing Data Loss Prevention

    extension before installing the new one, all queries and Dashboards are lost.

    To customize a sample query, McAfee recommends using the Duplicate option, to rename the

    query before changing it. To use the new sample queries in My Queries in a Dashboard, use

    the Make Public option. If a public query exists with the same name, remove or rename the

    public query first.

    ePolicy Orchestrator requires all query names to be unique. The first time you install McAfee

    Host Data Loss Prevention in ePolicy Orchestrator, the sample queries are installed as Public

    Queries. To view this, go to Reporting | Queries, and scroll down the queries on the left

    side of the screen. When you upgrade Host DLP, ePolicy Orchestrator notices that the names

    of the sample queries are already used, and installs the samples in My Queries instead.

    However, to use a query in a Dashboard, it must be a public query.

    Upgrading McAfee Host Data Loss Prevention software

    Use this task to upgrade an earlier version of McAfee Host Data Loss Prevention software to

    version 9.0 in ePolicy Orchestrator.

    CAUTION: If you want to be able to view previous events in the Host DLP Monitor, do not delete

    the existing McAfee Host Data Loss Prevention extension in ePolicy Orchestrator. Removing the

    extension removes all events from the Host DLP Database.

    Before you begin

    When downloading the files from the McAfee download site for McAfee Host Data Loss

    Prevention, follow the link to the download page for ePolicy Orchestrator Help, and download

    the latest Help zip file.

    Log out of ePolicy Orchestrator and close the browser window.

    Task

    1 From the Windows Control Panel, using Add or Remove Programs, uninstall the DLP

    Management Tools.

    2 In ePolicy Orchestrator, go to Software | Extensions. Click Install Extension, then

    click Browse and select the McAfee Host Data Loss Prevention policy manager zip file

    (..\HDLP_Extension_9_0_0_xxx.zip). Click Open, then OK twice. The extension is installed,

    and appears in the extension list.

    If you are installing without removing the previous extension, you see a warning that the

    new extension will replace the existing one. Click OK.

    3 Install Extension again, Browse and select the Help zip file (..\help_dlp_900.zip). Click

    Open, then click OK. The installation dialog box warns you that you will replace the existing

    Help system. Click OK.

    NOTE: This file contains the HDLP extension to the ePO Help system.


    Post-Installation

    Several steps are needed to complete the McAfee Host Data Loss Prevention software installation.

    You must configure the Host DLP Policy Manager and Monitor, install an agent, deploy a test

    policy, and verify the installation.

    Contents

    Initializing the Host DLP Policy Manager

    Upgrading the license

    Applying the policy

    Initializing the Host DLP Monitor

    Checking in the DLP Agent package to ePolicy Orchestrator

    Deploying the DLP Agent

    Initializing the Host DLP Policy Manager

    The first time you open the Host DLP Policy Manager, a wizard runs for first-time initialization.

    NOTE: The wizard can be run at any time by selecting Initialization Wizard from the Tools

    menu in the Host DLP Policy Manager console.

    Before you begin

    The DLP Management Tools installer and policy manager initialization wizard use ActiveX

    technology. To prevent the installer from being blocked, verify that the following are enabled

    in Internet Explorer Tools | Internet Options | Security | Custom level:

    Automatic prompting for ActiveX controls

    Download signed ActiveX controls

    Task

    1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Policy.

    The DLP Management Tools installer runs and, after a brief delay, the Welcome screen

    of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.

    2 After the DLP Management Tools installation has completed, the Host DLP Policy Manager

    console begins loading. If you have an existing policy, you are prompted to convert it to

    the new standard XML format. Click Convert and skip to step 4.

    3 If no previous policy exists, the message DLP global policy is unavailable. Loading

    default policy appears. Click OK to continue.

    4 When the message, Agent configuration is unavailable. Loading a default agent.

    appears, click OK.


    5 When the Host DLP Policy Manager First Time Initialization wizard appears, complete

    the following steps:

    Step 1 of 8, Welcome: Click Next.

    Step 2 of 8, General configuration: By default, the discovery crawler places sensitive files in

    quarantine. Though McAfee does not recommend it, you can delete these files instead by selecting

    the Support discovery delete option. This option is not available until you update to full

    McAfee Host Data Loss Prevention. For troubleshooting, when you need to review an easily

    readable version of the policy, select Generate verbose policy. For most installations, McAfee

    recommends leaving these checkboxes unselected.

    In very large organizations where the roll-out of DLP Agent 9.0 is staged over time, earlier

    versions of the DLP Agent need to coexist. Select the appropriate Backward compatibility mode:

    No compatibility (all agents are version 9.0)

    DLP Agent 3.0 and later

    DLP Agent 2.2 patch 2 and later

    In very large organizations where search times could be excessive, select Restrict AD searches

    to default domain.

    Deselect Deploy policy to reporting database if you want to prevent deploying the policy to

    the DLP tables in the ePO database. This option does not require WCF to be installed on the

    server, but might result in the DLP Monitor not working as expected.

    Configure the Policy Manager WCF service path. For the standard installation, accept the default.

    Click Test Connection to verify. Click Next.

    Step 3 of 8, Configure the manual tagging authorization list: Type user names, or click Add to

    search for user names (optional). Click Next.

    NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP Manual

    Tagging Users, and using the group when configuring Access Control.

    Step 4 of 8, Configure the Agent override key password: Type a password and confirmation

    (required). If you don't want agent key generation events reported to the database, deselect

    the checkbox. See the McAfee Host Data Loss Prevention Product Guide for more information on

    Agent bypass. Click Next.

    Step 5 of 8, Whitelist configuration: Browse to the Whitelist storage share, then click Next.

    The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are

    displayed, but cannot be changed in the Initialization wizard.

    Step 6 of 8, Agent popup service configuration: Modify the default Agent notification messages

    (optional). Select each event type in turn, and type the message in the text box. Click Next.

    Step 7 of 8, Event collector and replication servers configuration: Browse to the Evidence

    storage share. The evidence storage path is required to apply the policy to ePolicy Orchestrator.

    Set the required Evidence Replication option. See the Readme: New Features for more information.

    Click Next.

    Step 8 of 8, Configuration completed: Click Finish.

    6 The Initialization Wizard dialog box appears with the message,Apply McAfee DLP initial

    configuration? If you have not skipped any required steps, you can click Yes and apply

    the initial policy. If you have skipped required steps, click No to complete the initialization.

    NOTE: A password is required to complete initialization. The other steps indicated as

    required are necessary to complete the policy. They can be skipped during initialization

    and completed at a later time. If you did not apply the policy, select File | Save to save

    the policy to a file.

    Upgrading the license

    McAfee Host Data Loss Prevention software comes in two versions, McAfee Device Control and

    McAfee Host Data Loss Prevention, with two licensing options for each: 90-day trial and unlimited.

    The default installation is McAfee Device Control with a 90-day trial license.

    If you purchased a different licensing option, use this task to change the licensing of your

    software.

    Before you begin

    Before starting this task, purchase your upgrade license and get an activation key from your

    McAfee sales representative.

    Task

    1 On the Host DLP Policy Manager menu bar, select Help | Update License. The View

    and Update License window displays the current (default) activation key and expiration

    date.

    2 Click Update.

    3 Type or paste the Activation Key in the text box and click Apply. A warning that you must

    log on again for the change to take effect appears.

    4 Click OK to close the message box, and click Close to close the Update License window,

    then log off ePolicy Orchestrator.

    5 Log on to ePolicy Orchestrator to complete the upgrade.

    6 From the Agent Configuration menu, select Edit Global Agent Configuration.

    7 Go to the File Tracking tab and select Enable file tracking.

    8 Go to the Miscellaneous tab. Only the Device Control, Agent Popup service, Replicating,

    and Reporting modules are selected. Select the remaining modules to enable them and

    click OK.

    NOTE: Do not enable modules you don't use. They increase the agent size and slow its

    operation unnecessarily.

    9 On the toolbar, click the button that applies the policy to ePolicy Orchestrator. The policy changes are applied to ePolicy Orchestrator.

    10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.

    Applying the policy

    Use this task to apply the default policy. You are automatically prompted after the initialization

    wizard closes.

    Before you begin


    If you are upgrading from a previous version of McAfee Host Data Loss Prevention, and have

    backed up the policy, open the saved policy and run the conversion wizard before applying the

    policy.

    NOTE: If the old policy is from full McAfee Host Data Loss Prevention, you must upgrade the

    default license before proceeding.

    Task

    1 Click Yes to apply the policy. The Applying to ePO window appears.

    Figure 6: Verifying the application to ePolicy Orchestrator

    2 Click Close when the task is complete.

    Initializing the Host DLP Monitor

    Use this task to initialize the Host DLP Monitor.

    Task

    1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Monitor.

    NOTE: The first time you select Host DLP Monitor, a warning window requests the WCF

    server path.

    2 Click OK.


    3 For a standard installation, accept the default. For a backward-compatible installation, type

    the WCF service address in the dialog box, then click OK. The Host DLP Monitor opens.

    Figure 7: Initializing the Host DLP Monitor

    Checking in the DLP Agent package to ePolicy Orchestrator

    Any client computer with data protected by McAfee software must have the McAfee and DLP

    Agents installed, making it a managed computer. The DLP Agent installation can be performed

    using the ePolicy Orchestrator infrastructure.

    Use this task to install the DLP Agent in ePolicy Orchestrator.

    Task

    1 On the ePolicy Orchestrator 4.5 console, click Menu | Software | Master Repository.

    2 In the Master Repository, click Actions | Check In Package.

    3 Select package type Product or Update (.ZIP), browse to

    ..\HDLPAgentPackage_9_0_0_xxx.zip, then click Next. The Check in Package page appears.

    NOTE: If you are upgrading, you are prompted that the product already exists. Click OK.

    The new agent package replaces the old one.

    4 Review the details on the screen, then click Save. The package is added to the master

    repository.


    Deploying the DLP Agent

    Use these tasks to deploy the DLP Agent to the workstations.

    Tasks

    Defining a default rule

    Deploying the DLP Agent in ePolicy Orchestrator

    Verifying the installation

    Defining a default rule

    To verify that the DLP Agent has been deployed properly, McAfee recommends defining a default

    rule before deploying the agent.

    Use this task to define a default rule. The rule described is an example of a simple rule that

    can be used to test the system.

    Task

    1 Create a classification rule:

    a In the Host DLP Policy Manager navigation bar under Content Protection, select

    Classification Rules.

    b Right-click in the Classification Rules window and select Add New | Content

    Classification Rule. Rename the rule "Email Classification Rule".

    c Double-click the rule icon to modify the rule.

    d In step 1 of the rule creation wizard, scroll down the text patterns and select Email

    Address. Click Next twice, skipping step 2.

    e In step 3 of the rule creation wizard, click Add New to create a new category. Name

    it Email Category, click OK to accept the new category, then click Finish.

    f Right-click the rule icon and select Enable.

    2 Create a protection rule:

    a In the Host DLP Policy Manager navigation bar under Content Protection, select

    Protection Rules.

    b Right-click in the Protection Rules window and select Add New | Removable

    Storage Protection Rule.

    c Double-click the rule icon to modify the rule.

    d Click through to step 2 of the rule creation wizard and add the Email Category created

    when creating the classification rule in the Included column.

    e Click through to step 6 of the rule creation wizard. Select Monitor, then click Finish.

    f Right-click the rule icon and select Enable.

    3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no

    errors.

    4 On the toolbar, click the button that applies the policy to ePolicy Orchestrator. The policy is applied to ePolicy Orchestrator.


    Deploying the DLP Agent in ePolicy Orchestrator

    Use this task to deploy the DLP Agent when working in ePolicy Orchestrator.

    Before you begin

    McAfee Agent 4.0 must be installed in ePolicy Orchestrator and deployed to the target computers

    before the DLP Agent is deployed. Consult the ePolicy Orchestrator documentation on how to

    verify this, and how to install it if necessary.

    Task

    1 In ePolicy Orchestrator 4.5, click System Tree.

    2 In the System Tree, select the level at which to deploy the DLP Agents.

    TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy

    Orchestrator.

    If you select a level under My Organization, the right-hand pane displays the available

    workstations. You can also deploy the DLP Agent to individual workstations.

    3 Click the Client Tasks tab. Under Actions, click New Task. The Client Task Builder wizard

    opens.

    4 In the Name field, type a suitable name, for example, Install DLP Agent.

    5 In the Type field, select Product Deployment (McAfee Agent). Click Next.

    6 In the Products and Components field, select Data Loss Prevention 9.0.0.x. The Action

    field automatically resets to Install.

    7 Click Next.

    8 Change the Schedule type to Run immediately. Click Next.

    9 Review the task summary. When you are satisfied that it is correct, click Save. The task

    is scheduled for the next time the McAfee Agent updates the policy. To force the installation

    to take place immediately, issue an agent wake-up call.

    10 After the DLP Agent has been deployed, restart the agent computers.

    Verifying the installation

    Use this task to verify the Host DLP Monitor installation.

    Task

    1 Click Menu | Data Protection | DLP Monitor. The Host DLP Monitor opens with a list

    of events, which should include Agent Installation Events.

    2 Verify the agent installation and apply the policy enforcement by using the cmdagent.exe /s

    command. Refer to the ePolicy Orchestrator/McAfee Agent documentation for information.
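    The verification above is interactive: cmdagent.exe /s opens the McAfee Agent monitor, from which you trigger a policy check and enforcement by hand. When many workstations are being deployed it is more useful to run the same checks from a script on the endpoint. The following function is added here as an example and is not code from the McAfee guide: it locates cmdagent.exe, runs the McAfee Agent's non-interactive switches (/c check for new policies, /e enforce policies, /p collect and send properties), and then confirms that a Data Loss Prevention product is registered with Windows Installer. The cmdagent.exe locations, the registry search pattern and the function name are assumptions of this example; run it from an elevated session on a managed workstation after the restart in step 10.

```powershell
# Added example, not part of the McAfee Host DLP guide.
# Scripted check of a deployed endpoint: McAfee Agent present, policies
# pulled and enforced, DLP Agent product registered.
function Test-DlpAgentDeployment {
    param(
        # Assumption: McAfee Agent 4.x install locations; adjust if yours differ.
        [string[]]$CmdAgentCandidates = @(
            "$env:ProgramFiles\McAfee\Common Framework\CmdAgent.exe",
            "${env:ProgramFiles(x86)}\McAfee\Common Framework\CmdAgent.exe"
        )
    )
    $result = New-Object PSObject -Property @{
        CmdAgentPath = $null; PolicyEnforced = $false; DlpProduct = $null
    }

    # 1. The McAfee Agent must be there before the DLP Agent can have been deployed.
    $cmdAgent = $CmdAgentCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $cmdAgent) {
        Write-Warning 'cmdagent.exe not found: McAfee Agent is not installed on this host'
        return $result
    }
    $result.CmdAgentPath = $cmdAgent

    # 2. Non-interactive equivalent of the Agent Monitor buttons:
    #    /c check new policies, /e enforce policies, /p send properties to ePO.
    $allOk = $true
    foreach ($switch in '/c', '/e', '/p') {
        $p = Start-Process -FilePath $cmdAgent -ArgumentList $switch -Wait -PassThru -WindowStyle Hidden
        if ($p.ExitCode -ne 0) {
            Write-Warning "cmdagent $switch exited with code $($p.ExitCode)"
            $allOk = $false
        }
    }
    $result.PolicyEnforced = $allOk

    # 3. Confirm the DLP Agent package actually installed, via the Windows
    #    Installer uninstall keys (both registry views on 64-bit hosts).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $result.DlpProduct = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Data Loss Prevention*' } |   # assumption: product name pattern
        Select-Object -First 1 DisplayName, DisplayVersion
    if (-not $result.DlpProduct) {
        Write-Warning 'No Data Loss Prevention product registered: check the ePO client task and the Agent Installation Events in the Host DLP Monitor'
    }
    return $result
}

Test-DlpAgentDeployment | Format-List
```

    A healthy endpoint returns PolicyEnforced True and a DlpProduct entry whose DisplayVersion matches the package checked in to the master repository; after the /p run, the host's properties in the ePO System Tree should show the same version.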


    Appendix I Deploying McAfee Host Data Loss Prevention with SMS

    This appendix reviews the creation of Microsoft System Management Server packages for

    deployment of the DLP Agent without using ePolicy Orchestrator.

    Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying

    and managing applications and operating systems on Windows desktops and servers. The

    following tasks assume working in the Microsoft SMS 2003 environment.

    Contents

    Creating an installation package

    Creating the advertisement

    Creating the SMS uninstall package

    Creating an installation package

    Use this task to create an installation package for deploying DLP Agents using SMS.

    Before you begin

    Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be

    downloaded from:

    http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.

    Task

    1 In the Systems Management Server console, right-click Packages and select New |

    Package.

    2 On the General tab, type the Package Name (required), and the Version, Publisher

    and Language (optional).

    3 On the Data Source tab, select This Package Contains Source Files, then click Set.

    4 In the Set Source Directory window under Source Directory Location, select the type

    of connection to the set-up files in the source directory. Type the source directory path in

    the text box and click OK.

    5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu,

    and click OK. The package appears under the Packages node of the site tree.

    6 Expand the new package under the Packages node.

    7 Right-click Distribution Points and select New | Distribution Point. Select the server

    or servers you want to be the distribution points for this package, then click Finish.

    8 Right-click Programs and select New | Program. Type the program name.


    9 In the Command Line text box, type the DLP Agent installation command line, for example:

    msiexec /i DLPAgentInstall.msi /qn /forcerestart

    NOTE: McAfee recommends restarting the managed computer after DLP Agent package

    installation. To enable this option use the /forcerestart parameter. To enable the installation

    log, use the /log parameter followed by the path of the log file.

    10 On the Environment tab select Whether or not a user is logged on from the Program

    can run drop-down menu. Click OK.

    NOTE: Verify that Run with Administrative Rights is selected. McAfee Host Data Loss

    Prevention setup requires administrative rights to complete installation successfully.

    Creating the advertisement

    SMS packages need to be "advertised." Use this task to create the SMS package advertisement.

    Task

    1 In the Systems Management Server console, right-click Advertisements and select New

    | Advertisement. Type the advertisement name.

    2 From the Package drop-down menu, select the McAfee DLP package name.

    3 From the Program drop-down menu, select the McAfee DLP program name.

    4 Click Browse and select the collection that the McAfee DLP installation package should

    apply to, then click OK.

    5 On the Schedule tab, confirm the time that the advertisement is offered, specify if the

    advertisement should expire, and when. Click OK.

    Creating the SMS uninstall package

    Use this task to create the SMS uninstall package.

    Task

    1 In the Systems Management Server console, right-click Packages and select New |

    Package.

    2 On the General tab, type the Package Name (required), and the Version, Publisher

    and Language (optional).

    3 On the Data Source tab, select This Package Contains Source Files, then click Set.

    4 In the Set Source Directory window under Source Directory Location, select the type

    of connection to the set-up files in the source directory. Type the source directory path in

    the text box and click OK.

    5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu,

    and click OK. The package appears under the Packages node of the site tree.

    6 Expand the new package under the Packages node.

    7 Right-clickDistribution Points and select New | Distribution Point. Select the server

    or servers you want to be the distribution points for this package, then click Finish.

    8 Right-clickPrograms and select New | Program. Type the program name.


    9 In the Command Line text box, type the DLP command line executable, for example:

    msiexec /x DLPAgentInstall.msi /qn /forcerestart

    10 On the Environment tab select Whether or not a user is logged on from the Program

    can run drop-down menu. Click OK.
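    Both SMS programs above hand a bare msiexec line to Windows Installer and rely on SMS to interpret the exit code. The following wrapper, added here as an example and not code from the McAfee guide, runs the same install and uninstall command lines with the log file the installation NOTE mentions and translates the Windows Installer exit code into a readable result, which is what you want to see in an SMS status message when the program runs unattended under Whether or not a user is logged on. The function name, the default log location and the exit-code table are this example's own; /i, /x, /qn, /forcerestart and /log are standard msiexec switches. Note that /qn together with /forcerestart restarts the machine without any prompt, so the -NoRestart switch is there for lab testing only.

```powershell
# Added example, not part of the McAfee Host DLP guide.
# Wraps the guide's SMS install/uninstall command lines and interprets the result.
function Invoke-DlpAgentMsi {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Install','Uninstall')][string]$Action,
        [string]$MsiPath = 'DLPAgentInstall.msi',                  # relative to the SMS package source
        [string]$LogPath = (Join-Path $env:windir "Temp\DLPAgent_$Action.log"),  # assumption
        [switch]$NoRestart                                          # omit /forcerestart (lab use)
    )
    $msi = (Resolve-Path $MsiPath).Path
    $op  = if ($Action -eq 'Install') { '/i' } else { '/x' }

    # Same as the guide's lines, plus the log the NOTE recommends.
    $msiArgs = @($op, "`"$msi`"", '/qn', '/log', "`"$LogPath`"")
    if (-not $NoRestart) { $msiArgs += '/forcerestart' }

    $proc = Start-Process -FilePath "$env:windir\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    $code = $proc.ExitCode

    # Standard Windows Installer return codes; anything else is a failure and
    # the log file is where to look.
    $meaning = switch ($code) {
        0       { 'success' }
        1641    { 'success, restart initiated by /forcerestart' }
        3010    { 'success, restart still required (run without /forcerestart)' }
        1603    { 'fatal error during installation; see log' }
        1605    { 'product not installed (nothing to uninstall)' }
        1618    { 'another installation is already in progress' }
        default { "unexpected exit code $code; see log" }
    }
    New-Object PSObject -Property @{
        Action    = $Action
        ExitCode  = $code
        Succeeded = ((0, 1641, 3010) -contains $code)
        Meaning   = $meaning
        Log       = $LogPath
    }
}

# Equivalents of the two SMS program command lines in this appendix:
#   msiexec /i DLPAgentInstall.msi /qn /forcerestart
#   msiexec /x DLPAgentInstall.msi /qn /forcerestart
Invoke-DlpAgentMsi -Action Install | Format-List
# Invoke-DlpAgentMsi -Action Uninstall | Format-List
```

    When used as the SMS program command line (for example through powershell.exe -ExecutionPolicy Bypass -File), keep the program's Run with Administrative Rights setting; the MSI needs it regardless of the wrapper, and the log path under the Windows Temp folder is writable only to administrators by default.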


    Appendix II Users and permission sets

    McAfee Host Data Loss Prevention roles and permissions are created and set in ePolicy

    Orchestrator. McAfee recommends creating specific administrator roles and permissions for the

    DLP Policy Manager and the DLP Monitor. Roles include creating and saving policies, viewing

    (but not changing) policies, generating override, uninstall, and quarantine release keys, viewing

    the DLP Monitor and revealing sensitive fields in the Monitor.

    Sensitive data redaction and the DLP Monitor permission sets

    To meet the legal demand in some markets to protect confidential information in all

    circumstances, McAfee Host Data Loss Prevention software version 9.0 offers a data redaction

    feature. Fields in the DLP Monitor containing confidential information are encrypted to prevent

    unauthorized viewing. The feature is designed with a "double key" release. This means that to

    use the feature, you must create two permission sets: one to view the monitor and another to

    view the encrypted fields. Both roles are required to use the feature.

    Contents

    Creating and defining DLP administrators

    Creating and defining permission sets

    DLP permission set options

    Creating and defining DLP administrators

    Use this task to create and define a DLP administrator in ePolicy Orchestrator.

    Task

    For option definitions, click ? in the interface.

    1 On the ePolicy Orchestrator menu, select User Management | Users.

    2 Click New User.

    3 Type a user name and specify logon status, authentication type, and permission sets.

    McAfee recommends creating user groups related to the role, for example DLP Monitor Viewer.

    NOTE: The order of creating users and permission sets is not critical. If you create users

    first, user names appear in the permission set form and you can attach them to the set. If

    you create permission sets first, the permission set names appear in the user form and

    you can attach the user to them.

    4 Click Save.


    Creating and defining permission sets

    Use this task to create and define a DLP administrator permission set in ePolicy Orchestrator.

    Task

    For option definitions, click ? in the interface.

    1 On the ePolicy Orchestrator menu, select User Management | Permission Sets.

    2 Click New Permission Set.

    3 Type a name for the set and select users.

    NOTE: The order of creating users and permission sets is not critical. If you create users

    first, user names appear in the permission set form and you can attach them to the set. If

    you create permission sets first, the permission set names appear in the user form and

    you can attach the user to them.

    4 Click Save.

    5 In the Data Loss Prevention field for the new permission set, click Edit.

    6 Select the required permissions and click Save.

    Figure 8: Editing a permission set for HDLP

    NOTE: To turn off the sensitive data redaction feature, select User can view DLP Monitor

    in the monitor section.

    DLP permission set options

    Permission set options are designed to give granular control over administrator roles. While the division of roles is generally optional, if you are using the sensitive data redaction feature, you must create separate permission sets for the monitor viewer and the administrator who can reveal the encrypted data.

    Use this page to specify permission sets for DLP administrators in ePolicy Orchestrator.

    Option definitions

    Option: User cannot view policies.
    Definition: User is not a policy administrator.

    Option: User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys.
    Definition: User administrator role is limited to override, uninstall, and release keys.

    Option: User can only view policies.
    Definition: User can review but not edit policies.

    Option: User can view and save policies.
    Definition: User has full policy administrator permissions.

    Option: User cannot view DLP Monitor
    Definition: User is not a monitor administrator.

    Option: User can partially view DLP Monitor (cannot view private fields)
    Definition: New in McAfee Host Data Loss Prevention software version 9.0; one of the required roles for sensitive data redaction.

    Option: User can reveal sensitive data but cannot view DLP Monitor. User can only reveal sensitive data in the presence of a user with view permissions.
    Definition: New in McAfee Host Data Loss Prevention software version 9.0; one of the required roles for sensitive data redaction.

    Option: User can view DLP Monitor
    Definition: User has full policy administrator permissions. Use this option if you are not using the sensitive data redaction feature.
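The monitor options above form a dual-control ("double key") release: one permission set views the monitor with private fields hidden, a separate one reveals them, and reveal only works alongside a viewer. The following Python is an added illustration, not part of this guide and not ePolicy Orchestrator's API; it models those options and audits a constructed set of users and permission sets for assignments that collapse the double key or switch redaction off. The user names, permission set names and function names are assumptions.

```python
from enum import Enum

# Monitor options as listed in the table above (strings taken from the guide).
class MonitorOption(Enum):
    NONE = "User cannot view DLP Monitor"
    PARTIAL = "User can partially view DLP Monitor (cannot view private fields)"
    REVEAL = "User can reveal sensitive data but cannot view DLP Monitor"
    FULL = "User can view DLP Monitor"

# Constructed sample: permission set name -> monitor option; user -> set names.
PERMISSION_SETS = {
    "DLP Monitor Viewer": MonitorOption.PARTIAL,
    "DLP Sensitive Data Revealer": MonitorOption.REVEAL,
    "DLP Monitor Full": MonitorOption.FULL,
}
USERS = {
    "alice": ["DLP Monitor Viewer"],
    "bob": ["DLP Sensitive Data Revealer"],
    "carol": ["DLP Monitor Viewer", "DLP Sensitive Data Revealer"],
    "dave": ["DLP Monitor Full"],
}

def effective_options(user, users, permission_sets):
    """Union of the monitor options over every permission set assigned to a user."""
    return {permission_sets[name] for name in users[user]}

def can_reveal(revealer, viewer, users, permission_sets):
    """Double-key check: the reveal role only works alongside a second,
    distinct user who holds monitor view rights (partial or full)."""
    if revealer == viewer:
        return False
    r_opts = effective_options(revealer, users, permission_sets)
    v_opts = effective_options(viewer, users, permission_sets)
    return MonitorOption.REVEAL in r_opts and bool(
        v_opts & {MonitorOption.PARTIAL, MonitorOption.FULL})

def audit_redaction(users, permission_sets):
    """Flag assignments that weaken redaction: full monitor view turns the
    feature off, and one user holding both keys collapses dual control."""
    findings = []
    for user in users:
        opts = effective_options(user, users, permission_sets)
        if MonitorOption.FULL in opts:
            findings.append(f"{user}: 'User can view DLP Monitor' disables redaction")
        if {MonitorOption.PARTIAL, MonitorOption.REVEAL} <= opts:
            findings.append(f"{user}: holds both viewer and reveal roles")
    return findings
```

Running audit_redaction(USERS, PERMISSION_SETS) on the sample reports carol (both keys in one account) and dave (redaction off); bob can reveal only with alice or dave present.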
