En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Date post: 01-Nov-2014

Transcript
Page 1: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

trusted Professional Services

Implementation Training SafeGuard Enterprise 5.50

Page 2: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

3. Environment recommendations

4. Client configuration policies

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

2

Page 3: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Implementation Training

By the end of this course you will be able to …

Install and configure the product in a customer environment.

Tell what the technical prerequisites for the product are.

Design a reliable and scalable SGN environment.

Implement the customer’s data security requirements with SGN.

3

Base Training: 1 day

Implementation Training: 2 days

Maintenance Training: 1 day

Page 4: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Learning style

This training works with four learning styles

Theoretical Power Point presentation

Step by step hands-on exercises with printed exercise scripts

Trainer led exercises

Demos presented by trainer

All to be done in VMware

4

Page 5: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment used in this training

Training environment

Virtual LAN in bridged mode

External notebook for feature demos

- Active Directory
- DHCP, DNS
- IIS
- SQL

This training environment is limited to three virtual machines, therefore IIS and SQL are running on the domain controller

5

Page 6: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Training environment *)

SERVER: Domain Controller, SGN Server, SGN SQL database. Domain Administrator password: utimaco. SQL sa user password: utimaco

XP-ADMIN: SGN Management Center, SGN Client. To be used by: John (SGN MSO), password: utimaco

XP-CLIENT: SGN Client / SGE 5.50 Client. To be used by: Marc (SGN user), Administrator (standalone user), password: utimaco

6

*) This setup is for training only and does not follow the “real life” SGN recommendations.

Page 7: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Before we start, we revert the training environment to the „base“ snapshots

Do the following steps for all virtual machines

Training environment

7

Page 8: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Training environment

8

Page 9: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

• SGN Back-end

• SGN Client

• SGE Client

3. Environment recommendations

4. Client configuration policies

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

9

Page 10: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Installation and configuration

This chapter will provide insight into:

Preparation and Installation of SafeGuard Enterprise back-end components

SafeGuard Enterprise Server

SafeGuard Enterprise Management Center

Creation of a database for SafeGuard Enterprise

Installation and configuration of SafeGuard Easy 5.50

10

Page 11: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Preconditions

SafeGuard Enterprise 5.50 requires (1/2)

For the SGN Servers

Microsoft Windows 2003 Server >= SP1

Microsoft Windows 2008 / R2 Server

Internet Information Services 6.0/7.0 incl. ASP.net >=3.1 SP1

For the SGN Database

Microsoft SQL Server which can be

MS SQL 2005 / 2008 Express Edition

MS SQL 2005 / 2008

Already prepared in virtual training environment

11

Page 12: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Preconditions

SafeGuard Enterprise 5.50 requires (2/2)

For SGN Management Center

Microsoft Windows XP >= SP2

Windows Vista

Windows 7

Microsoft .NET Framework >= 3.1 SP1

For SGN Client

Microsoft Windows XP >= SP2

Windows Vista

Windows 7

Already prepared in virtual training environment

12

Page 13: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise installation

(Component diagram; labels as on the slide) Microsoft SQL Server; Active Directory; Microsoft IIS; Microsoft Windows XP or Windows Vista or Windows 7; Microsoft Windows XP or Windows Vista or Windows 7; (optional)

13

64 bit OS versions are supported

Page 14: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise installation

1. Prepare SQL Server

2. Install SGN Management Center

3. Establish connection to SQL Server

4. Create initial Master Security Officer

5. Create Company Certificate

6. Set up database

7. Install SGN Servers

8. Create and install SGN Server Config. Contains: DB credentials, DNS name of DB Server, Company Certificate

9. Setup SSL

10. Establish connection to AD

11. Import objects from AD

12. Install SGN Client

13. Create and install SGN Client Config. Contains: DNS name(s) of SGN server(s), Company Certificate

14

Page 15: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Single dedicated machines in a „real“ environment

SafeGuard Enterprise installation in training

SERVER

XP-Admin XP-Client

15

Page 16: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Management Center

SafeGuard Enterprise components at work

SGN Server(s)

SGN Client with SGN User

Active Directory

SGN Database

SGN Security Officer Policies enable e.g.: Authentication, Encryption, Configuration Protection, Logging

16

Page 17: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Communication matrix – ports & protocols

SGN Management Center – SGN database: SGN MSO/SO access to database; data exchange/direct database access using SGN management center via ADO.net; tcp#1433/1434

SGN Server(s) – SGN database: database server exchanges SGN config data with IIS; data exchange via ADO.net; tcp#1433/1434

SGN Clients – SGN Server(s): SGN Clients loading SGN settings from IIS and reporting back; data exchange via SOAP; tcp#80 default (443 for SSL)

SGN Management Center – Active Directory: SGN MSO/SO imports users and computers from AD; objects import via SGN management center using LDAP; tcp#389 (636*)

*) If SSL login to AD is used

17
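To verify the paths in the communication matrix above before a roll-out, here is an added PowerShell script; it is not a Sophos tool and not part of the original slides. It encodes each edge of the matrix and probes the TCP ports from the machine it runs on, reporting which hop is blocked (a timeout usually means a filtering firewall, a refusal means the service is not listening). The host names, the `Role` parameter and the two SSL switches are assumptions for this example; in the training environment every back-end role runs on SERVER.

```powershell
# Added example, not a Sophos tool: probes each TCP path of the communication
# matrix from the machine it runs on, so a blocked firewall port is found before
# the roll-out. Host names are placeholders (in the training environment every
# back-end role runs on SERVER); replace them with the customer's servers.
$SqlServer      = 'SERVER'   # SGN database (placeholder)
$SgnServer      = 'SERVER'   # IIS with the SGN Server application (placeholder)
$DomainCtrl     = 'SERVER'   # Active Directory (placeholder)
$UseSslToServer = $false     # $true once client/server SSL is configured (port 443)
$UseSslToAd     = $false     # $true if SSL login to AD is used (port 636)

# One entry per edge of the matrix: who connects to whom, on which ports, and why
$Matrix = @(
    @{ From = 'Management Center'; To = $SqlServer;  Ports = 1433, 1434
       Purpose = 'MSO/SO database access via ADO.net' }
    @{ From = 'SGN Server';        To = $SqlServer;  Ports = 1433, 1434
       Purpose = 'IIS exchanges SGN config data with the database via ADO.net' }
    @{ From = 'SGN Client';        To = $SgnServer;  Ports = @(if ($UseSslToServer) { 443 } else { 80 })
       Purpose = 'Clients load settings from IIS and report back via SOAP' }
    @{ From = 'Management Center'; To = $DomainCtrl; Ports = @(if ($UseSslToAd) { 636 } else { 389 })
       Purpose = 'Import of users and computers via LDAP' }
)

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on any Windows with .NET, no extra module
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: typically a filtering firewall in between
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the connection is refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SgnCommunicationMatrix {
    # $Role is the 'From' side this machine plays, e.g. 'SGN Client'
    param([string]$Role)
    foreach ($row in ($Matrix | Where-Object { $_.From -eq $Role })) {
        foreach ($port in $row.Ports) {
            [pscustomobject]@{
                From      = $row.From
                To        = $row.To
                Port      = $port
                Reachable = Test-TcpPort -ComputerName $row.To -Port $port
                Purpose   = $row.Purpose
            }
        }
    }
}

# Run on the machine that will host the Management Center
Test-SgnCommunicationMatrix -Role 'Management Center' | Format-Table -AutoSize
```

Run it once per role (on the Management Center machine, on the IIS server and on a pilot client) so every edge of the matrix is tested from the side that actually opens the connection; a check from the wrong side says nothing about the firewall rules in the real direction.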

Page 18: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise installation

Side note: Setup help is available

Installation Best Practice Guide: www.sophos.com/support/knowledgebase/article/110259.html

Installation Advisor on the product CD

Installation videos on the product CD

18

Page 19: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

The SafeGuard Enterprise Database stores (amongst others) …

objects

encryption keys and certificates

configuration policies

Security Officers

SGN events for auditing

It is accessed by …

SafeGuard Enterprise Management Center used by Security Officers

SafeGuard Enterprise Servers

19

Page 20: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

SafeGuard Enterprise objects can be

Imported from an Active Directory

Autoregistered

Manually generated

Objects are

Users

Computers

Active Directory Domains

Organizational Units (OUs)

Workgroups

Manually generated groups

20

Page 21: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Two ways to create the SGN database:

Using the Management Center configuration wizard, done by the initial Master Security Officer

Using a SQL script, by a SQL server operator

Authentication methods to the database:

Windows authentication (recommended method)

Preferred method in productive customer environments

Refer to the SGN Best Practice Guide in the Sophos knowledge database

SQL user authentication

Preferred method for customer demos and test installations

Quick and easy setup

Usually not used in productive customer environments

21

Page 22: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Exercise IT1 - Setting up accounts for SGN on a Microsoft SQL Server

22

Page 23: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Server

SGN Servers are basically interfaces between the SGN Database and the SGN Clients.

SGN Servers

provide on request settings to the SGN clients

run as an application on a Web Server

Microsoft's Internet Information Services (IIS) with ASP.net installed

have access to the SGN database

23

Page 24: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Management Center

The SafeGuard Management Center is the central management tool

To be used by Security Officers

It's used for management of

policies

keys

certificates

tokens

objects

24

Page 25: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Installation

Exercise IT2 - Implementation of SGN Server and SGN Management Center

Exercise IT3 – Setting up the SGN Server

25

Page 26: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client Server communication with SSL

SGN supports two encryption modes for secure client server communication:

Integrated Sophos encryption (default mode)

Certificate based SSL encryption (recommended method)

SSL is generally recommended.

SSL is approximately 40% faster

SSL furthermore supports parallel connections to multiple threads and CPUs

But the initial setup is slightly more complex

26

Page 27: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client Server communication with SSL

Next is to set up SSL for Client Server communication

There is a knowledge base article in the support area on www.sophos.com

Take this article from your training binder and do the described steps for the IIS 6.0 on the Windows 2003 Server

We do the exercise with a self-signed certificate

27

Page 28: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client Server communication with SSL

Exercise: Implementing SSL for Client Server Communication

28

Page 29: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Database creation script

As mentioned already:

SGN needs a database to store the objects (machines, users, policies…)

The database can be generated by the installation wizard provided by the SGN Management Center.

Therefore a user with (temporary) „dbcreator“ rights is necessary on the SQL Server

Some customers do not want to give users „dbcreator“ rights on the SQL Server

To solve this issue, SGN provides a database creation script

29

Page 30: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT4 – Creation of the SGN Database by the SQL Administrator

Database creation script

30

Page 31: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Objects imported from the Active Directory

SGN can work with objects imported from the Active Directory

Importable objects are basically:

Users

Computers

Objects are imported including their membership belonging to:

Domains

Organizational Units (OUs)

User groups

Whenever something has changed in the AD, a re-import can be done

Manually

Via synchronization script on a SO machine

Via synchronization script on an SGN Server

31

Page 32: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Manually created objects

Instead of AD import, SGN objects can also be created

in the Management Center

by using a script

Objects which can be created are

User groups

Workgroups

Domains

Suitable for:

Customers who have no AD

Customers with mixed environments

32

Page 33: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Objects import from the Active Directory

Side note:

Before customers do their first Active Directory import, they should consider whether or not they want SGN to auto-generate encryption keys for every manageable object in the AD.

Doing so will give them much freedom in creating encryption policies for any organizational unit or group

This may result in a long list of inherited keys in the user key-rings in larger environments.

Alternatively customers may choose to turn off auto generation of keys and manually create those few group keys they actually intend to use in their organization.

33

Page 34: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT5 - Importing objects from the Active Directory

Objects import from the Active Directory

34

Page 35: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Installation Advisor

Side note: We have an SGN Installation Advisor

It is a graphical user interface (GUI) program

Designed to help customers to install and configure a new SafeGuard Enterprise environment

It provides Step-by-Step instructions for a new Installation

It can also install necessary support programs

It’s on the product CD

35

Page 36: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Security Officer Management

SO Management

SOs can have sub SOs and manage them

SOs can delegate a subset of their rights to sub-officers

SOs can now be grouped

Includes easy handling with drag and drop

SO permissions are now more fine-grained

Large numbers of SOs can now be managed more easily

SO menus have been modified

SO properties setup has been reworked

SO role creation menu has been simplified

36

Page 37: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Security Officer Management

Hierarchical Security Officer management

MSO logged in: All SOs visible and configurable

SO logged in: Only sub SOs visible and configurable

37

Page 38: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Security Officer Management

SO properties setup

38

Page 39: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Security Officer Management

Simple SO role creation

39

Page 40: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT6 - Working with SGN Security Officers

SGN Security Officers

40

Page 41: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

• SGN Back-end

• SGN Client

• SGE Client

3. Environment recommendations

4. Client configuration policies

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

41

Page 42: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Installation and configuration

This chapter will provide insight into:

Preparation of user machines for SGN

Installation of SafeGuard Enterprise clients

User Machine Assignment (UMA)

SGN Service Accounts

42

Page 43: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Client

The SafeGuard Enterprise Client

prevents unauthorized machine boots with its POA

allows only assigned users to authenticate, with:

Token

User ID and password

puts SafeGuard Policies into operation, e.g. for

Authentication

PIN and password rules

Volume based or file based encryption

File based encryption

Configuration Protection

Data Exchange

… and many more …

43

Page 44: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT7 - Deployment of SGN client

SafeGuard Enterprise Client

44

Page 45: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

User - machine – assignment (UMA)

After initial client installation POA is in autologon mode

The first user who logs on to Windows on an SGN protected machine becomes assigned as the owner and POA gets activated

It's possible to assign additional users by several methods

45

Page 46: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

User - machine – assignment (UMA)

Users can also be assigned by the SGN Client owner

Possible by default

Just “passthrough to Windows” has to be disabled in POA by the SGN Client owner

Security Officers can assign users to machines

Precondition is that the user has a certificate and the respective machine is up and running in Windows and can synchronize with the SGN back end

46

Page 47: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Service Accounts

SGN 5.50 introduces Service Accounts

All users in the SG database can be flagged to be a Service Account (SA)

SA users are ignored for the User Machine Assignment (UMA)

Main purpose: Software roll out

SA users do not activate POA

SA users do not take ownership on an SGN machine where they log into Windows

47

Page 48: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Service Accounts

Service Accounts to be added manually in the policy section

Wildcards can be used, such as:

admin* for the user, * for the domain

john* for the user, utimaco* for the domain

Service Accounts to be assigned to SGN machines via Authentication Policy

Page 49: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Systray icon

The "SGN user state" message shows the possible states:

Pending: The replication of the user in the POA is pending

SGN user (owner): The user logged on is the SGN owner.

SGN user: The user logged on is an SGN user, but not the owner.

SGN guest: The user logged on is an SGN guest user.

SGN guest (service account): The user logged on is an SGN guest user who has logged on using a service account.

Unknown: Indicates the user state cannot be determined.

49
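As an added illustration, not SafeGuard code and not from the original slides, the following PowerShell model reproduces the UMA and service-account rules of the last slides: the first Windows logon takes ownership and activates POA, users matched by a service-account wildcard pattern are ignored by UMA, and each logon returns the systray "SGN user state" it would show. The function names (Test-SgnServiceAccount, New-SgnClient, Invoke-SgnWindowsLogon, Add-SgnAssignedUser), the pattern list, the user names and the logon sequence are all constructed for the example; PowerShell's `-like` operator is used because its wildcard syntax matches the `admin*` / `utimaco*` notation of the slide.

```powershell
# Added example, not SafeGuard code: a small model of the User-Machine Assignment
# (UMA) rules and the service-account wildcards described on the slides.
# The service-account list, the user names and the logon sequence are constructed.

# Service Account patterns as on the slide: a user pattern plus a domain pattern
$ServiceAccounts = @(
    @{ User = 'admin*'; Domain = '*' }         # admin* for the user, * for the domain
    @{ User = 'john*';  Domain = 'utimaco*' }  # john* for the user, utimaco* for the domain
)

function Test-SgnServiceAccount {
    param([string]$User, [string]$Domain)
    foreach ($sa in $ServiceAccounts) {
        # -like is PowerShell's wildcard match (case-insensitive), so 'admin*'
        # matches ADMIN01 as well as admin
        if ($User -like $sa.User -and $Domain -like $sa.Domain) { return $true }
    }
    return $false
}

function New-SgnClient {
    # Freshly installed client: POA is still in autologon mode, nobody owns it yet
    return @{ Owner = $null; PoaActive = $false; Users = @() }
}

function Invoke-SgnWindowsLogon {
    # Returns the systray "SGN user state" this Windows logon would show
    param([hashtable]$Client, [string]$User, [string]$Domain)
    $account = "$Domain\$User"
    if (Test-SgnServiceAccount -User $User -Domain $Domain) {
        # SA users are ignored by UMA: no ownership, POA is not activated
        return 'SGN guest (service account)'
    }
    if (-not $Client.PoaActive) {
        # First non-SA Windows logon: the user becomes owner and POA gets activated
        $Client.Owner     = $account
        $Client.PoaActive = $true
        $Client.Users    += $account
        return 'SGN user (owner)'
    }
    if ($Client.Owner -eq $account)          { return 'SGN user (owner)' }
    if ($Client.Users -contains $account)    { return 'SGN user' }
    return 'SGN guest'
}

function Add-SgnAssignedUser {
    # Additional user assigned later, by the owner or by a Security Officer
    param([hashtable]$Client, [string]$User, [string]$Domain)
    $Client.Users += "$Domain\$User"
}

# Constructed roll-out sequence on one client
$xpClient = New-SgnClient
Invoke-SgnWindowsLogon $xpClient 'admin01' 'utimaco'   # roll-out account, matches admin* / *
Invoke-SgnWindowsLogon $xpClient 'john'    'utimaco'   # matches john* / utimaco*
Invoke-SgnWindowsLogon $xpClient 'marc'    'utimaco'   # first ordinary user on this client
Invoke-SgnWindowsLogon $xpClient 'kate'    'utimaco'   # ordinary user, not assigned
Add-SgnAssignedUser    $xpClient 'kate'    'utimaco'   # assigned afterwards
Invoke-SgnWindowsLogon $xpClient 'kate'    'utimaco'
Invoke-SgnWindowsLogon $xpClient 'john'    'sophos'    # john* but domain does not match utimaco*
```

The last call is the case worth checking in a real policy: a pattern such as `john*` with domain `utimaco*` does not make `john` in another domain a service account, so that logon would take ownership of a fresh machine. When defining the wildcards, check each pattern against the domains that will actually roll out software.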

Page 50: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT8 - SGN Service Accounts and User Machine Assignment (UMA)

SafeGuard Enterprise Client

50

Page 51: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

• SGN Back-end

• SGN Client

• SGE Client

3. Environment recommendations

4. Client configuration policies

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

51

Page 52: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50

SGN also exists in an “unmanaged” version, called SafeGuard Easy 5.50, formerly known as “SGN Standalone”

No server backend

No automatic key deployment and key exchange

No automatic policy deployment

Policy Editor instead of SGN Management Center

Just “install and forget”

For small/medium customer environments

There are limitations, but the most important features are included

Power On Authentication

Encryption

52

Page 53: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50

(Diagram) „classical“ SGN environment: SGN Management Center, SGN Server(s), SGN Clients, Active Directory, SGN Database

(Diagram) SGE 5.50: policy delivered from the SGN Policy Editor

Option 1:

Policies are generated with the Policy Editor

Option 2:

Policies are generated with the Management Center (e.g. for remote clients in small branch offices)

53

Page 54: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50

What to consider when working with SafeGuard Easy 5.50

Policies can be generated with:

Policy Editor

Management Center

Policies are deployed:

via client configuration MSI file

Client backs up key file e.g. on network share

Migration of SGE 5.50 to „classical/managed“ SGN environment possible

But backend and frontend have to be migrated at the same time

Moving a single unmanaged client to a normal SGN environment is not possible.

54

Page 55: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN 5.50 – SGE 5.50 comparison chart

Installation package: SGN 5.50: SGNClient.msi; SGE 5.50 (former „standalone“): SGNClient.msi

Available modules: SGN 5.50: Device Encryption, Data Exchange, Configuration Protection; SGE 5.50: Device Encryption, Data Exchange

Management: SGN 5.50: Management Center; SGE 5.50: Policy Editor

Settings deployment: SGN 5.50: Automatically via SGN Server; SGE 5.50: Manually via configuration MSI files

Support features: SGN 5.50: Challenge/Response, Local Self Help, Virtual Client; SGE 5.50: Challenge/Response, Local Self Help, Virtual Client

55

Page 56: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50 - POA Users

SafeGuard Easy 5.50 provides so called “POA” users

POA users have to be generated manually

They can be grouped to POA user groups

They have to be assigned within an SG Easy configuration file

Challenge/Response is possible for POA users

56

Page 57: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50 - POA Users

POA users are SGE users only, not Windows related

They are maintenance users and can always log on to POA

They have to be created manually

They are delivered to SGE clients within a configuration package

Once delivered to a new client they do not activate POA

So UMA must already have been passed before a POA user can log on

57

Page 58: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50 - POA Users

POA user workflow

1. Security Officer creates POA User with their password and POA user group

• POA User might be a helpdesk guy or the like

2. Security Officer assigns POA User to POA user group

3. Security Officer adds POA User group to SG Easy configuration package

4. Administrator installs SG Easy 5.50 + configuration package on Windows computer

5. Windows user logs on to Windows which starts UMA

6. From now on POA User and Windows user can log on to POA

58

Page 59: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Easy 5.50 - POA Users

Note the different log on modes in the domain selection field

POA user logs on

“Normal” user logs on

either local machine or domain

59

Page 60: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT9 - SG Easy 5.50 / SGN Standalone client

SafeGuard Easy 5.50

60

Page 61: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

3. Environment recommendations

4. Client configuration policies

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

61

Page 62: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

This chapter will provide insight into:

Hardware and software requirements

POA hardware compatibility

Necessary preparations prior to SGN client installation

Limitations and restrictions in SGN

Update / Migration options

62

Page 63: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

SGN Server Hardware:

Intel or AMD x86 CPU

>= 512 MB RAM

1 GB free hard disk space

>= 100 Mbit/s NIC

SGN Server Operating System:

Microsoft Windows 2003 >= SP 1

Microsoft Windows 2008

See release notes for more detailed information

63

Page 64: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Client Hardware:

Intel or AMD x86 CPU

>= 512 MB RAM

>= 5 GB free hard disk space

Client Operating System:

Microsoft Windows XP >= SP 2

Microsoft Windows Vista Enterprise, Business or Ultimate Edition >= SP1

Microsoft Windows 7

See release notes for more detailed information

64

Page 65: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

SGN Client limitations (frequently asked)

RAID is not tested and therefore not supported

Machines with dynamic disks are not supported

GPT disks are not supported

Imaging tools for encrypted volumes are not tested and therefore not supported

3rd party boot managers are not tested and therefore not supported

See release notes for more detailed information

65

Page 66: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Preparations prior to SGN client installation

Backup your data

Run check disk (chkdsk) for the system drive with parameters /L /V /X /F

Remove 3rd party boot managers

Re-write the MBR with Microsoft tools when the data on the hard disk was restored from an imaging/cloning tool

Reboot the system after converting the boot volume from FAT to NTFS

Deactivate 3rd party virus scanners and anti-spyware tools temporarily during installation

66

Page 67: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Hardware compatibility *)

Customers may experience hardware related issues at Power On Authentication (POA) level on SGN Clients

Issues can be solved with POA hotkeys

During installation SGN compares several hardware conditions against the list of tested devices, such as

BIOS version

Model

Built-in hardware

… and others

The installer can determine if your system requires non-default POA settings.

*) More to be covered in the Maintenance Training

Page 68: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Hardware compatibility *)

Each SGN release has a built in list of tested devices

Monthly updated hardware compatibility list is also available

Accessible for customers via the SOPHOS knowledge base: www.sophos.com/support/knowledgebase/article/65700.html

Can be applied for any roll out

There is also a tool to gather hardware information for POA

Accessible for customers via the SOPHOS knowledge base www.sophos.com/support/knowledgebase/article/110285.html

Results to be sent back to [email protected].

The results will be added to the next edition of the HW compatibility list.

*) More to be covered in the Maintenance Training

Page 69: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Supported Smartcard readers (vendor: reader, interface, comment):

Gemalto: GemPC Express, ExpressCard; GemPC Twin, USB-CCID; GemPC Key, USB-CCID SIM size; Reflex USB v3, USB-CCID

HP: SC Terminal (KUS0133), USB-CCID keyboard; PC-Card SCR 243 OEM

Kobil: KAAN Base, USB-CCID; KAAN Advanced, USB-CCID, PIN pad for secure PIN entry is not supported

Lenovo: Integrated Smart Card Reader, integrated (USB) reader, might be replaced by another type depending on market situation

o2micro: Oz776, integrated-CCID

Omnikey: CardMan 3021 / 3121, USB-CCID; CardMan 4040, PC-Card; CardMan 4321, ExpressCard; CardMan 5125 / 5321, USB-CCID, contactless interface is not supported; CardMan 6121, USB-CCID SIM size

SCM: SCR 331, USB-CCID, requires firmware version 5.18 or higher!; SCR 335 / SCR 3310 / SCR 3311, USB-CCID; SCR 3320, USB-CCID SIM size; SCR 3340, ExpressCard; SDI 010, USB-CCID, contactless interface is not supported; SPR 532, USB-CCID, PIN pad for secure PIN entry is not supported, requires firmware version 5.10 and updated Windows drivers

Supported Smartcards (Vendor: Card; Versions; Card Type; Data Format):

ActivIdentity: Smart Card 64K; v2 (Oberthur), v2c (Axalto), GND (G&D); Java Card; ActivIdentity

AET: Aspects OS755; 2.8; Java Card; PKCS#15

Atmel: ATOP36; Java Card; PKCS#15

Axalto: eGate; Java Card; PKCS#15

Axalto: Cyberflex; Developer, 64K v1, 64K v2, Palmera; Java Card; PKCS#15

Belgium eID card

G&D: Sm@rtCafe; Expert 2.0, Expert 3.0, Expert 3.1 64K; Java Card; PKCS#15

G&D: STARCOS SPK; 2.3, 2.4, 2.5, DI 3.0; ISO 7816; PKCS#15

Gemplus: GemXpresso; 211PK, Pro R3, Pro R4; Java Card; PKCS#15

Gemplus: GemXplore 3G; PKCS#15

IBM: JCOP; 20, 21id, 21, 30, 31, 31bio[1], 41 72K; Java Card; PKCS#15

KEBT: KONA21T; Java Card; PKCS#15

KeyCorp: MultOS; V4.2 48K, V4.2 64K; MultOS; PKCS#15

MartSoft: Java Card; Java Card; PKCS#15

Oberthur: CosmopolIC V4; Java Card; PKCS#15

Oberthur: IDone Cosmo; 32, 64; Java Card; PKCS#15

AET (continued)

ORGA: JCOP; 20, 21, 30; Java Card; PKCS#15

Sagem Orga: J-IDMark 64; Java Card; PKCS#15

Charismathics: Siemens CardOS M4.3b; ISO 7816; CSSID

Siemens: Siemens CardOS M4.3b; ISO 7816; PKCS#15

RSA: Java Card; RSA

Supported tokens (Vendor: USB Token; Middleware Supplier; Comment):

ActivIdentity: ActivKey SIM; ActivIdentity

ActivIdentity; OTP function not supported

Aladdin (CardOS): eToken Pro, eToken NG-Flash; Aladdin

Aladdin (CardOS): eToken NG-OTP; Aladdin; OTP function is not supported

Charismathics: OTP Sign; Charismathics; OTP function is not supported

Charismathics: plug’n’crypt ID; Charismathics

Eutronsec: CryptoIdentity ITSEC; AET, Charismathics

Charismathics; OTP function is not supported

MARX: CrypToken; AET

Vasco: DigiPass 860; Charismathics; OTP function is not supported

RSA: RSA; OTP

See release notes for more detailed information and a list of supported devices

69

Page 70: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Operating Systems supported in SGN 5.50

70

SGN – Microsoft Windows Platform Support, SGN 5.50 (table; module columns on the slide: DE, DE BitLocker, DX, CP, SGN Server, MC; the per-module support marks did not survive the transcript, only the platform rows below)

XP Professional Edition; SP2, SP3; 32 Bit; .NET 2.0; .NET 3.01

Vista Home Premium, Business, Enterprise, Ultimate; SP1, SP2; 32 Bit; --; .NET 3.01

Vista Home Premium, Business, Enterprise, Ultimate; SP1, SP2; 64 Bit; --; .NET 3.01

7 Home Premium, Professional, Enterprise, Ultimate; 32 Bit; --; .NET 3.01

7 Home Premium, Professional, Enterprise, Ultimate; 64 Bit; --; .NET 3.01

Server 2003 / R2; SP1, SP2; 32 Bit, 64 Bit; .NET 3.0; IIS 6

Server 2008, Server 2008 R2; SP1; 64 Bit, 64 Bit; .NET 3.0; IIS 7.0, IIS 7.5

Page 71: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Database systems supported by SGN 5.50

Note that some SQL Server versions are not supported anymore by version 5.50

Customers who update from an older SGN version have to update their SQL server too

Migration scripts are available

71

SGN Server - Database Server Support (table with columns SGN 5.40 and SGN 5.50; the support marks did not survive the transcript)

Microsoft SQL Server 2005 SP1

Microsoft SQL Server 2005 Express SP1

Microsoft SQL Server 2005 SP2

Microsoft SQL Server 2005 Express SP2

Microsoft SQL Server 2005 SP3

Microsoft SQL Server 2005 Express SP3

Microsoft SQL Server 2008 SP1

Microsoft SQL Server 2008 Express SP1

Page 72: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Environment recommendations

Which client can communicate with which server?

72

SGN - Client/Server Matrix (table; the compatibility marks did not survive the transcript)

SGN Clients (columns): 5.2x, 5.30, 5.35, 5.40, 5.50

SGN Server (rows): SGN 5.50, SGN 5.40.x, SGN 5.35.x, SGN 5.35 GA, SGN 5.30.2, SGN 5.30.2, SGN 5.30.1, SGN 5.30 GA, SGN 5.21, SGN 5.20

Page 73: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGE to SGN migration matrix

Not all versions of SGE can be updated to SGN

For supported versions it depends on...

...the used algorithm

... the SGE installation mode

Sophos SafeGuard Disk Encryption (SDE) 4.60 can also be migrated to SGN 5.50

73

SGE - SGN Migration Matrix (table; the marks did not survive the transcript)

Algorithms (columns): IDEA, DES, 3DES, AES128, AES256, Blowfish, Stealth, XOR

SGE versions (rows): SGE 4.50, SGE 4.40, SGE 4.30, SGE 4.20, SGE 4.1x, SGE 3.x

Page 74: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Update matrix

74

SGN Update Matrix (table with axes "Update from" and "Update To"; only the SGN 5.30.3 row kept its marks in the transcript)

Version list 1: SGN 5.20, SGN 5.20.1, SGN 5.20.2, SGN 5.20.3, SGN 5.20.4, SGN 5.20.5, SGN 5.21, SGN 5.21.1, SGN 5.30 RC1, SGN 5.30 GA, SGN 5.30.1, SGN 5.30.2, SGN 5.30.3, SGN 5.35 GA, SGN 5.35.x, SGN 5.40.x, SGN 5.50

Version list 2: SGN 5.40.x, SGN 5.35.x, SGN 5.35 GA, SGN 5.30.3 (1 1 1 1 1 1 1 1), SGN 5.30.2, SGN 5.30.1, SGN 5.30 GA, SGN 5.30 RC 1, SGN 5.21.1 (Patch), SGN 5.21, SGN 5.20.5 (Patch), SGN 5.20.4 (Patch), SGN 5.20.3 (Patch), SGN 5.20.2 (Patch), SGN 5.20.1 (Lenovo), SGN 5.20

Page 75: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Update process

• Steps to update an older SGN version to SGN 5.50 (1/2)

1. Take all SGN Servers (IIS) offline* and close all SGN Management Centers.

2. Create a backup of the SafeGuard database - strongly recommended.

3. Put the database in SINGLE_USER mode.

4. Run the update script, e.g. "UpdateSGN540_SGN550.sql".

5. Put the database in MULTI_USER mode again.

6. Update one SafeGuard Management Center machine including the underlying SGN client.

• If not done, Windows logon might fail.

75

Page 76: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Update process

• Steps to update an older SGN version to SGN 5.50 (2/2)

7. Start the updated SafeGuard Management Center.

• Database consistency will be checked.

• Select repair to recalculate the checksums for those tables that were modified.

8. Update the SafeGuard Enterprise Server(s).

9. Update the remaining Management Centers.

10. Create a new client configuration package for future installations.

76
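Steps 2 to 5 of the update procedure above are the ones that can leave the database unusable when something goes wrong half way, so here is an added PowerShell function (not a Sophos script and not from the slides) that runs them in order and always returns the database to MULTI_USER mode, even when the update script fails. It assumes the SqlServer PowerShell module with Invoke-Sqlcmd, Windows authentication to the instance, and that step 1 was done by hand (all SGN Servers offline, all Management Centers closed); a pre-flight query refuses to continue while other sessions are still connected. The instance name, database name and backup path are placeholders, and the function name Invoke-SgnDatabaseUpdate is an assumption of this example.

```powershell
# Added example, not a Sophos script: update steps 2 to 5 (backup, SINGLE_USER,
# update script, MULTI_USER) in one function. Assumes the SqlServer module
# (Invoke-Sqlcmd) and Windows authentication. Instance, database and backup path
# are placeholders; only the update script name comes from the slides.
function Invoke-SgnDatabaseUpdate {
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,   # e.g. 'SERVER\SQLEXPRESS' (placeholder)
        [Parameter(Mandatory)] [string]$Database,         # e.g. 'SafeGuard' (placeholder)
        [Parameter(Mandatory)] [string]$UpdateScript,     # e.g. '.\UpdateSGN540_SGN550.sql'
        [Parameter(Mandatory)] [string]$BackupFile,       # e.g. 'D:\Backup\SafeGuard_pre550.bak'
        [switch]$DryRun                                   # only print the statements, run nothing
    )
    $db = "[$Database]"

    function Invoke-Step([string]$Label, [string]$Query, [string]$InputFile) {
        $shown = if ($Query) { $Query } else { "run script $InputFile" }
        Write-Host "$Label : $shown"
        if ($DryRun) { return }
        if ($Query) {
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $Query -ErrorAction Stop
        } else {
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -InputFile $InputFile -ErrorAction Stop
        }
    }

    # Pre-flight for step 1: refuse to continue while other sessions still use the
    # database. sys.sysprocesses is used because it also exists on SQL Server 2005/2008.
    if (-not $DryRun) {
        $q = "SELECT COUNT(*) AS n FROM master.sys.sysprocesses WHERE dbid = DB_ID(N'$Database') AND spid <> @@SPID"
        $busy = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $q -ErrorAction Stop
        if ($busy.n -gt 0) {
            throw "$($busy.n) session(s) still connected to $Database; take IIS offline and close all Management Centers first"
        }
    }

    Invoke-Step '2. Backup'      "BACKUP DATABASE $db TO DISK = N'$BackupFile' WITH INIT, CHECKSUM"
    Invoke-Step '3. SINGLE_USER' "ALTER DATABASE $db SET SINGLE_USER WITH ROLLBACK IMMEDIATE"
    try {
        Invoke-Step '4. Update script' -InputFile $UpdateScript
    } finally {
        # Runs whether the script succeeded or not, so the database is never left
        # in SINGLE_USER mode; after a failure restore from the step-2 backup.
        Invoke-Step '5. MULTI_USER'  "ALTER DATABASE $db SET MULTI_USER"
    }
}

# Dry run: shows the statements without touching any server
Invoke-SgnDatabaseUpdate -ServerInstance 'SERVER\SQLEXPRESS' -Database 'SafeGuard' `
    -UpdateScript '.\UpdateSGN540_SGN550.sql' -BackupFile 'D:\Backup\SafeGuard_pre550.bak' -DryRun
```

Run it first with -DryRun to read the exact statements, then without. The backup is taken before the database is switched to SINGLE_USER, so a failed update script can be undone by restoring that file; the finally block only restores the access mode, not the content.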

Page 77: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN Update

Useful update hints for SGN Management Center

If the SGN client is installed together with the Management Center, it must be updated too.

Windows logon might fail after the reboot if this is not done.

Page 78: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Installation and configuration

3. Environment recommendations

4. Client configuration policies
• Power On Authentication
• Volume based and file based encryption
• Configuration protection

5. Dealing with installation issues

6. Working with the scripting API

7. Product implementation in practice

8. Online exam

Page 79: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

This chapter will provide insight into:

How to work with policies

What the best practice is for several policies

How to use the RSOP

How to set up useful auditing

Page 80: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Policies can be set for, e.g.:

Authentication, e.g.
• With user ID and password
• With token
• Fingerprint
• Kerberos

Device protection rules, e.g.
• Hard disk encryption
• File based encryption
• Port and file protection/restriction

Machine specific settings, e.g.
• CSP to be used (e.g. for Aladdin eToken)

Logging

Page 81: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SGN policy concept

Policies

are inherited

are additive

can be assigned to
• Root
• Domain
• OU
• SGN container like "autoregistered machines"

But not to single...
• ...machines
• ...users

Page 82: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when working with policies?

Policies cannot be assigned to single objects like
• Users
• Machines

Use a recognizable policy name for policies:
• according to function, e.g. "Authentication Policy"
• according to function + assigned object, e.g. "Memory Stick Encryption Board"

Policies can also be used to exclude settings

"Resultant Set Of Policies" (RSOP) tool available

Page 83: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

SGN client triggers policy update → Client requests SGN Server for policy update → SGN Server sends query to SGN database (diagram: request and reply between client, server and database)

Policies are loaded
• after the machine and the SGN service have started
• during user logon
• at the update interval (default 90 min.)
• manually, initiated by the SGN systray tool
• by command (sgmcmdintn.exe -s)

Page 84: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Let's set up the VMware machines with SGN policies for these features:

Power On Authentication with user ID and password, or optionally token

Volume based hard disk encryption for the boot volumes

File based encryption on memory sticks

Configuration Protection

Client logging for security auditing

Page 85: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 86: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Exercise policy 1 – SGN authentication

User authentication in the POA with user ID and password

Setting up LSH for user logon recovery

Booting from other media than the internal hard disk is possible

Page 87: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when configuring the POA?

It should always be activated

It can be customized

It can be deactivated if necessary
• Temporarily while deploying software unattended
• Temporarily while a machine is being maintained

Logon mode can be
• User name and password
• Token and smartcard
• Fingerprint on selected models
• Kerberos

In case users forget their password they can get help by
• Challenge/Response
• Local Self Help

Page 88: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Client

Side note: SGN supports a wide range of tokens and smart cards

See release notes and KBA 107804. The product term "token" is also used for smart cards.

Tokens and smart cards can be used for
• User authentication in the POA
• User authentication in Windows
• SO authentication in the Management Center

Tokens and smart cards achieve a "two-factor authentication" which is based on:
• Possession (your token / smart card)
• Knowledge (your PIN)

2-factor Authentication

Page 89: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Local Self Help on managed clients

If SGN users forget their password they can recover it with Local Self Help (LSH)

Users have to pre-answer questions and re-answer them in the POA, in order to identify themselves once they have forgotten their password.

At least 10 questions

Different themes are available

Page 90: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Local Self Help theme set

LSH themes are predefined in 6 different languages

Spanish, English, German and French are present in the Management Center

Japanese and Italian can be imported from the SGN program folder


Page 91: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Local Self Help customer themes

Customers may provide their own themes

Themes do not have to be a language, they could also be organized by departments
• HR theme – asking specific human resources questions
• Development theme – asking programming questions

Page 92: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT10 – Authentication and LSH Policy

Client configuration policies

Page 93: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 94: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Exercise policy 2 – SGN volume based encryption (VBE)

Volume based hard disk encryption of the boot volume

Auditing for volume based encryption

Page 95: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when encrypting the boot volume?

It encrypts all data areas of the volume
• Including the sectors which keep OS files, page file, hibernation file etc.

Booting the OS is from now on only possible after authentication

Regular Windows PE based recovery CDs will not work anymore for an encrypted boot volume
• A Windows PE based recovery CD with the SGN protected mode driver implemented will be necessary
• Tool CDs which boot in real mode might still work for an encrypted boot volume
• The Maintenance Training will deal with this topic

Compression becomes impossible

CBC mode is used for encryption to avoid data patterns

Page 96: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT11 – Boot volume encryption Policy

Client configuration policies

Page 97: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Exercise policy 3 – SGN file based encryption (FBE)

Encryption of files
• On all removable media
• Initially and transparently for the user

Page 98: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when working with file based encryption?

It cannot be used for boot volumes, because
• FBE works in user context
• FBE would not encrypt the page file and hibernation file

It is recommended for removable media
• Because a mixture of encrypted and plain files is possible
• Because SafeGuard Portable can be used

In case encrypted files should only be used inside one user group, dedicated FBE policies are necessary
• It might be advisable to force a key

Be careful in using the settings
• All keys in user key ring
• All keys in user key ring except user key

Page 99: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT12 – File based encryption Policy

Client configuration policies

Page 100: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 101: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Exercise policy 4 – Configuration Protection

USB restriction
• Only company devices allowed
• File access restricted

Page 102: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when working with Configuration Protection?

Port Control works "top-down"
• E.g.: USB → storage devices → removable storage devices → distinct storage devices

Port Control should be used "firewall-like"
• Restrict/block everything you don't want
• Allow everything you need in a whitelist

The Port Auditor simplifies Port Control handling
• All computers can be scanned: SGN computers and non-SGN computers
• Scan first, then work with a whitelist in your policies
• Admin rights are necessary to trigger the remote computer's WMI service

Page 103: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT13 – Configuration Protection

Client configuration policies

Page 104: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

Exercise policy 5 – Logging

Logging of SGN events

Logging of SO actions

Page 105: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Client configuration policies

What to consider when working with the logging?

Using the SGN Database is more secure than logging to the SGN client's event log
• Because the database logging is tamper resistant
• Only SGN Security Officers can manage it
• All the logging tables are hashed with a MAC key, so manipulations will always be reported

But logging tables are not encrypted
• SQL SELECT operations for logging entries are possible
• So further processing with tools like Microsoft System Center Operations Manager (SCOM) is possible

Try to set up moderate logging
• As extended logging "blows up" the database too much
• Create and assign extended logging to an OU when necessary
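The tamper-evident but still queryable logging table described above, as an added Python illustration that is not SafeGuard Enterprise code: the page only states that the logging tables are hashed with a MAC key and are not encrypted, so the EVENT table layout, the HMAC chaining and the demo key below are assumptions.

```python
"""Tamper-evident, unencrypted event log table (added illustration).

Not SafeGuard Enterprise code: the page only says that SGN's logging tables
are hashed with a MAC key (manipulation is reported) and are not encrypted
(plain SQL SELECTs and SCOM-style processing still work). The EVENT table
layout, the hash chaining and the key are constructed assumptions."""
import hashlib
import hmac
import sqlite3

# Constructed demo key. In a real deployment the MAC key is a protected
# secret held by the product, never a literal in code.
DEMO_MAC_KEY = b"constructed-demo-mac-key"


def row_mac(key: bytes, prev_mac: str, event_id: int, machine: str, event: str) -> str:
    """HMAC-SHA256 over the row content plus the previous row's MAC. Chaining
    means a deleted or reordered row breaks verification of its successor,
    so more than a changed cell is detected."""
    msg = f"{prev_mac}|{event_id}|{machine}|{event}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_event_table(conn: sqlite3.Connection) -> None:
    # Plaintext columns plus one MAC column: nothing is encrypted, so SELECT works.
    conn.execute(
        "CREATE TABLE EVENT (id INTEGER PRIMARY KEY, machine TEXT, "
        "event TEXT, mac TEXT)"
    )


def append_event(conn: sqlite3.Connection, key: bytes, machine: str, event: str) -> int:
    """Insert one event row whose MAC is chained to the current last row."""
    last = conn.execute("SELECT id, mac FROM EVENT ORDER BY id DESC LIMIT 1").fetchone()
    event_id, prev_mac = (last[0] + 1, last[1]) if last else (1, "")
    mac = row_mac(key, prev_mac, event_id, machine, event)
    conn.execute("INSERT INTO EVENT VALUES (?, ?, ?, ?)", (event_id, machine, event, mac))
    conn.commit()
    return event_id


def verify_event_table(conn: sqlite3.Connection, key: bytes) -> list:
    """Recompute the chain and return the ids of rows that fail verification.
    A row removed from the middle shows up as a failure of the row after it.
    Caveat: removing the newest rows is not caught by the chain alone; the
    expected last id/MAC must be kept separately for that."""
    bad, prev_mac = [], ""
    rows = conn.execute("SELECT id, machine, event, mac FROM EVENT ORDER BY id")
    for event_id, machine, event, mac in rows:
        expected = row_mac(key, prev_mac, event_id, machine, event)
        if not hmac.compare_digest(expected, mac):
            bad.append(event_id)
        prev_mac = mac  # continue from the stored value so one bad row is reported once
    return bad


def demo() -> dict:
    """Constructed run: three events, a plain SELECT, then two manipulations."""
    conn = sqlite3.connect(":memory:")
    create_event_table(conn)
    for machine, event in [("WKS-001", "POA logon successful"),
                           ("WKS-001", "Policy received"),
                           ("WKS-002", "Boot volume encryption started")]:
        append_event(conn, DEMO_MAC_KEY, machine, event)
    result = {"clean": verify_event_table(conn, DEMO_MAC_KEY)}
    # Further processing is possible because the table is not encrypted.
    result["per_machine"] = dict(
        conn.execute("SELECT machine, COUNT(*) FROM EVENT GROUP BY machine"))
    # Direct SQL manipulation of an existing entry is reported for that row.
    conn.execute("UPDATE EVENT SET event = 'POA logon failed' WHERE id = 2")
    result["after_update"] = verify_event_table(conn, DEMO_MAC_KEY)
    # Deleting the row breaks the chain at its successor instead.
    conn.execute("DELETE FROM EVENT WHERE id = 2")
    result["after_delete"] = verify_event_table(conn, DEMO_MAC_KEY)
    return result


if __name__ == "__main__":
    print(demo())
```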

Page 106: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT14 – Auditing of SafeGuard Enterprise events

Client configuration policies

Page 107: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Resultant set of policies (RSOP)

The RSOP feature can be used to calculate the effective result for combinations of
• Different assigned machine policies
• Assigned user and machine policies

The tool calculates
• The result of all policies which are assigned to a machine
• The result of all policies which are assigned to a user when they log on to a machine which comes with policies (and vice versa)
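A small RSOP calculator for the policy model of the "SGN policy concept" slide and this one, added here as an illustration and not SafeGuard code: containers, inheritance, additive merging, exclusion and the user/machine combination. The conflict rule (the policy on the nearer container wins), the representation of an exclusion as a set of setting names, and the user_wins parameter are assumptions the page does not state.

```python
"""Resultant set of policies (RSOP) for the SGN policy model on the page:
policies are assigned to Root, Domain, OU or SGN containers (never to single
users or machines), are inherited down the tree, are additive, and can also
be used to exclude settings; RSOP then combines machine and user policies.
Added example, not SafeGuard code. Assumptions: on a conflict the policy on
the nearer container wins, an exclusion is a set of setting names a policy
removes, and user/machine precedence is a parameter (RSOP shows both)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)  # setting name -> value
    excludes: set = field(default_factory=set)    # settings this policy removes


@dataclass
class Container:
    """Root, Domain, OU or an SGN container such as 'autoregistered machines'."""
    name: str
    parent: Optional["Container"] = None
    policies: list = field(default_factory=list)

    def path_from_root(self) -> list:
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]


def resolve(container: Container) -> dict:
    """Effective settings for every user or machine located in `container`:
    walk Root -> ... -> container, merging additively; nearer wins (assumption)."""
    effective = {}
    for node in container.path_from_root():
        for policy in node.policies:
            effective.update(policy.settings)
            for key in policy.excludes:
                effective.pop(key, None)  # an excluded setting is dropped for this subtree
    return effective


def rsop(machine_container: Container, user_container: Container,
         user_wins: bool = True) -> dict:
    """User logging on to a machine: machine policies combined with user
    policies. The page shows both 'user to machine' and 'machine to user';
    the direction is chosen by `user_wins` (assumption)."""
    machine, user = resolve(machine_container), resolve(user_container)
    return {**machine, **user} if user_wins else {**user, **machine}


def demo() -> dict:
    """Constructed tree using the policy names the page suggests."""
    root = Container("Root", policies=[
        Policy("Authentication Policy", {"poa": "on", "logon_mode": "user_id_password"}),
        Policy("Moderate Logging", {"logging": "moderate"})])
    domain = Container("corp.example", root, policies=[
        Policy("Boot Volume Encryption", {"volume_encryption": "boot_volume"})])
    board = Container("Board", domain, policies=[
        Policy("Memory Stick Encryption Board", {"fbe_removable": "all_keys"})])
    laptops = Container("Laptops", domain, policies=[
        Policy("Extended Logging Laptops", {"logging": "extended"})])
    # SGN container for fresh clients: the POA setting is excluded during an
    # unattended rollout (constructed use of the exclusion feature).
    autoreg = Container("autoregistered machines", root, policies=[
        Policy("Rollout Exclusion", excludes={"poa"})])
    return {
        "laptop_machine": resolve(laptops),
        "board_user_on_laptop": rsop(laptops, board),
        "laptop_policy_on_board_user": rsop(laptops, board, user_wins=False),
        "autoregistered": resolve(autoreg),
    }


if __name__ == "__main__":
    for name, settings in demo().items():
        print(name, settings)
```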

Page 108: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Resultant set of policies (RSOP)

RSOP example

User to machine

Machine to user

Page 109: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Demo: Resultant set of policies (RSOP)

Page 110: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 111: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with installation issues

This chapter will provide insight into:

How to solve possible misconfigurations in 3rd party tools

What possible SGN client installation issues are

How to work with SafeGuard Knowledge Items

Page 112: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

IIS / SGN Server Issues

Top IIS / SGN Server issues during installation

Wrong or no ASP.net

Wrong or no server configuration

Wrong or no credential on the SQL Server

Wrong or no IIS service account


Page 113: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT15 – Troubleshooting of an SGN Server

Dealing with installation issues

Page 114: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with failed Active Directory import

SGN can work with objects imported from the Active Directory

AD users with read rights can read and import objects from the AD

Under some circumstances the import can fail

Page 115: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT16 – Failed AD Import

Dealing with failed Active Directory import

Page 116: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA user logon issues

Revision: User machine assignment (UMA):

After initial client installation the POA is in autologon mode

The first user who logs on to Windows on an SGN protected machine becomes assigned as the owner and the POA gets activated

Under some circumstances the UMA fails and the POA stays in autologon mode

Page 117: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA logon issues – UMA failed

Reasons for POA autologon might be:

On SGN client:
• No SGN client configuration package installed on the client
• SGN client has no connection to the SGN Server
• Transport encryption mode misconfigured
• Wrong SGN Server entries in the client configuration package
• Wrong/invalid company certificate

On SGN Server:
• No SGN Server configuration package installed on the IIS server
• SGN Server has no connection to the SGN clients
• SGN Server cannot reach and log on to the SGN database

Page 118: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT17 – POA in autologon mode – failed User Machine Assignment

POA user logon issues

Page 119: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with 3rd party GINA issues (Windows XP)

GINA

Stands for Graphical Identification and Authentication

It performs all identification and authentication user interactions for Windows

Examples of 3rd party GINA providers: Checkpoint, Imprivata, Lenovo…

SGN comes with its own GINA named SGGINA

Page 120: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with 3rd party GINA issues (Windows XP)

SGGINA on an SGN client deals with
• POA to Windows logon passthrough
• Windows to POA password synchronization
• User Machine Assignment
• Local Cache tamper protection
• User key ring access during Windows logon
• User token issuing during Windows logon

SGGINA "knows" well known 3rd party GINAs and cooperates with them

GINAs are different in general

For "exotic" 3rd party GINAs a compatibility test might be necessary

Page 121: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with 3rd party GINA issues (Windows XP)

A 3rd party GINA on an SGN machine might cause trouble
• GINA loop
• Logon issues – logon not possible
• Forcing the MS GINA
• No user Single Sign On (POA Windows passthrough)
• Token Single Sign On
• The 3rd party software malfunctions
• BSOD during user logon
• No user desktop

Page 122: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Dealing with 3rd party GINA issues (Windows XP)

Correct GINA order, SGN and Windows only:
1. SGGINA calls
2. MSGINA

Correct GINA order, SGN, Windows and 3rd party GINA:
1. SGGINA calls
2. 3rd party GINA calls
3. MSGINA

Page 123: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT18 – Troubleshooting SGN Client – conflict with 3rd party GINA

Dealing with 3rd party GINA issues

Page 124: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Troubleshooting – POA hardware settings

At the beginning of a project customers might experience issues with some hardware in the POA state:
• POA hangs
• POA reports "no init"
• External USB keyboards fail
• ...

Hotkeys are available in the POA

Page 125: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA hot keys

Side note: Hotkeys in POA to be pressed once the machine has issues at boot time

Shift F3 = switch USB Legacy support (Off/On)

Shift F4 = toggle from VESA to VGA graphics mode (Off/On)

Shift F5 = switch USB support (Off/On)

Shift F6 = switch from ATA to Int13 (Off/On)

Shift F7 = switch USB 2.0 support (Off/On)

Shift F9 = switch ACPI/APIC (Off/On)

Default settings are in red

All keys have to be pressed when SGN is in this mode:


Page 126: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA hot keys

Hardware setting (POA flags) can be verified in POA

F5 = show hardware settings

Settings cannot be changed on the fly here

Settings are just displayed


Page 127: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA hardware settings

SGN "knows" already several hardware platforms and applies the necessary hardware settings from a database to the POA

Hardware is detected based on "conditions"

Example:

Vendor     Model            Command
Dell Inc   OptiPlex 740     USBLEGACY OFF,VESA ON,USB OFF,ATA ON,USB20 ON,ACPIAPIC OFF
Dell Inc.  Precision M6300  USBLEGACY OFF,VESA OFF,USB OFF,ATA ON
Dell Inc.  Precision M4300  USBLEGACY OFF,VESA OFF,USB ON,ATA ON,USB20 ON

Page 128: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA hardware settings

If a specific hardware configuration (e.g. specific graphic card on specific machines) is found which is defined in the database, a corresponding command string is built to set the kernel flags in the base encryption kernel automatically.

Example:

USBLEGACY OFF,VESA ON,USB ON,ATA ON,USB20 OFF


Page 129: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

POA hardware settings

For unknown hardware the Hardware Information Tool can be used to
• Pre-set necessary hardware settings
• Show warnings during installation (e.g. special BIOS settings required, …)
• Abort installation on "blacklisted" devices

Pre-settings can then be used for installation with the help of a POACFG file
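The condition lookup and command-string construction of the POA hardware database from the previous slides, together with the warn/abort actions of the Hardware Information Tool, as an added Python example that is not Sophos code: the POACFG.XML schema is not on the page, so the database is an in-memory list with exact vendor/model conditions, and the two "Example Corp" entries are constructed; the three Dell rows come from the page.

```python
"""POA hardware settings lookup (added example, not SafeGuard code).

The page describes a database that maps detected hardware (matched by
"conditions") to a command string such as
"USBLEGACY OFF,VESA ON,USB OFF,ATA ON,USB20 ON,ACPIAPIC OFF" that sets the
kernel flags, and a Hardware Information Tool that can add warnings and
"blacklist" aborts. The real POACFG.XML schema is not on the page: the
database here is a list, conditions are exact vendor/model matches, and the
WARN/ABORT entries are constructed. The three Dell rows are from the page."""
import re

# Flag names from the POA hotkey list, in the order the command strings use.
FLAGS = ("USBLEGACY", "VESA", "USB", "ATA", "USB20", "ACPIAPIC")


def parse_command(command: str) -> dict:
    """'USBLEGACY OFF,VESA ON' -> {'USBLEGACY': False, 'VESA': True}.
    Unknown flags or states are rejected rather than silently passed on."""
    flags = {}
    for part in command.split(","):
        name, _, state = part.strip().partition(" ")
        name, state = name.upper(), state.strip().upper()
        if name not in FLAGS or state not in ("ON", "OFF"):
            raise ValueError(f"invalid POA flag setting: {part.strip()!r}")
        flags[name] = state == "ON"
    return flags


def build_command(flags: dict) -> str:
    """Inverse of parse_command, emitting the flags in canonical order."""
    return ",".join(f"{n} {'ON' if flags[n] else 'OFF'}" for n in FLAGS if n in flags)


def _norm(value: str) -> str:
    # The page spells the vendor both "Dell Inc" and "Dell Inc."; compare loosely.
    return re.sub(r"[.\s]+", " ", value).strip().lower()


# Rows from the page (action APPLY) plus two constructed rows.
POACFG_DB = [
    {"conditions": {"vendor": "Dell Inc", "model": "OptiPlex 740"}, "action": "APPLY",
     "command": "USBLEGACY OFF,VESA ON,USB OFF,ATA ON,USB20 ON,ACPIAPIC OFF"},
    {"conditions": {"vendor": "Dell Inc.", "model": "Precision M6300"}, "action": "APPLY",
     "command": "USBLEGACY OFF,VESA OFF,USB OFF,ATA ON"},
    {"conditions": {"vendor": "Dell Inc.", "model": "Precision M4300"}, "action": "APPLY",
     "command": "USBLEGACY OFF,VESA OFF,USB ON,ATA ON,USB20 ON"},
    # Constructed: a model that needs a BIOS change; installation continues with a warning.
    {"conditions": {"vendor": "Example Corp", "model": "Notebook W1"}, "action": "WARN",
     "command": "USB OFF,USB20 OFF", "message": "Enable legacy USB in BIOS setup"},
    # Constructed: a "blacklisted" device; installation is aborted.
    {"conditions": {"vendor": "Example Corp", "model": "Tablet B9"}, "action": "ABORT",
     "message": "Tablet B9 is not supported by the POA"},
]


def lookup(db: list, detected: dict) -> dict:
    """First entry whose conditions all match the detected hardware values."""
    for entry in db:
        if all(_norm(detected.get(k, "")) == _norm(v)
               for k, v in entry["conditions"].items()):
            return entry
    return {"action": "UNKNOWN"}


def poa_setup(db: list, detected: dict) -> dict:
    """Decide what the installer does for this hardware and which command
    string (validated and re-serialised) goes to the base encryption kernel."""
    entry = lookup(db, detected)
    result = {"action": entry["action"]}
    if "command" in entry:
        result["command"] = build_command(parse_command(entry["command"]))
    if "message" in entry:
        result["message"] = entry["message"]
    if entry["action"] == "UNKNOWN":
        # Nothing pre-set: collect data with SGNHWInfo.exe for a custom POACFG file.
        result["message"] = "hardware not in database, collect data with SGNHWInfo.exe"
    return result


if __name__ == "__main__":
    print(poa_setup(POACFG_DB, {"vendor": "Dell Inc.", "model": "OptiPlex 740"}))
```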

Page 130: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Customized POA hardware settings

The default configuration database file (POACFG.XML) is part of the client installation package and can be found in the Utimaco\SafeGuard Enterprise\BaseEncryption folder.

Individual configuration database files can be customized

Customized files can be used
• With an MSI file property or command line parameter such as
  MSIEXEC /i <client.msi> POACFG=<path of the POACFG file>
• Within an MST file

If a customized POACFG file is defined, only this file will be used.

If no custom file is defined or found then the default database file is applied.

Page 131: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Customized POA hardware settings

POA hardware settings can now also be changed afterwards within Windows.

For this, the command line tool "BESetFlags.exe" can be used

The tool can be given to partners / customers on request

Handling of the tool: KBA107785

Example to switch off USB and VESA support:
besetflags USB OFF,VESA OFF

Page 132: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Hardware information tool

The tool can collect useful information about machines where SGN
• works out of the box
• installation caused issues
• does not work at all

Collected information can be written into an XML file

XML file to be sent to SOPHOS GES DP

Collected XMLs will enhance the configuration database (POACFG)

Page 133: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Hardware information tool

SGNHWInfo.exe collects hardware information

It's available on each SGN Client in the program directory

Settings can be defined...

...and be written to XML files

Hardware "blacklists" can be created

Abort / Warning messages can be defined

Page 134: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Demo: Working with POA hardware settings

POA Hardware settings

Page 135: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 136: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Working with the Scripting API

Useful for administrative tasks
• Can be performed unattended
• Can be triggered automatically e.g. by a customer's provisioning system

Batch jobs can be created
• Issuing many tokens at once
• Automatically importing objects from the AD

Administrative tasks can be scheduled
• E.g. cleaning the EVENT table every month

Page 137: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Working with the Scripting API

Very simple interface

Works with the most common scripting engines (VB, Perl,…)

Using the API in the wrong way can destroy data
• Script programmers must know what they are doing!
• Programming skills are necessary
• Handle it with care - "What you code is what you get"
• Wrong entries in a script can destroy data!

Page 138: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Exercise IT19 – Scripting of SGN tasks

Working with the Scripting API

Page 139: En_ds4 Sgn 5.50 Technical Implementation Training 3.22


Page 140: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Product implementation in practice

This chapter will provide insight into:

How to plan a SafeGuard Enterprise project at customers

Sizing of a SafeGuard Enterprise environment

Examples of SafeGuard Enterprise installations

Scalability of SafeGuard Enterprise installations


Page 141: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to plan an SGN project at customers

Components to plan:
• Database
• SGN Servers
• Helpdesk

Things to take into consideration
• Sizing
• Scalability
• Backup/Restore
• Compatibility
• Limitations
• …

(Diagram: SGN Management Center, SGN Server(s), SGN Clients, Active Directory, SGN Database)

Page 142: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to plan an SGN project at customers

A project usually starts with an initial meeting

Goal: to find out
• What are the customer's requirements?
• What is already available?
• Where might problems arise?

Therefore we provide a helpful document
• Which deals with a lot of constantly recurring questions

Page 143: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to plan an SGN project at customers


Page 144: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Questions about the database to be used:
• Can the preferred database system be used for the SGN Database?
• Which database software can be used (e.g. Microsoft SQL 2005, Express Edition, ...)?
• Do we use an existing database or do we create a new one?

Facts to consider
• What's the database's size (table space calculation)?
• How to back up the database?

Page 145: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Database sizing (1/2)

Expected table space sizes
• Microsoft SQL Server 2005 SP1
• SGN 5.20
• No logging
• Database is not shrunk and has the default configuration.

Amount of objects                          Tablespace without logging
Users   Machines   OUs     UserGroups      After import   After user registration
1       1          (0,2)   0               0,016 MB       0,058 MB
10      10         2       0               0,16 MB        0,58 MB
100     100        20      0               1,60 MB        5,80 MB
1000    1000       200     0               16 MB          58 MB
10000   10000      2000    0               160 MB         580 MB
50000   50000      10000   0               800 MB         2900 MB

Page 146: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Database sizing (2/2)

The space required for logging depends on:
• The number of installed modules
• Occurring errors
• The amount of events to be logged

The logging data will grow permanently over time.

Recommendation: 5 GB table space for the logging should be OK for most installations for approximately three years.

Plan with 10 GB table space for the whole SGN Database. That should be feasible for most environments and gives flexibility and a buffer for the long run.

Page 147: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Database

Database backup

Regular backup mechanisms can be used

SGN has no built-in database backup function

Main reasons for database backup (amongst others):
• Database contains all keys (e.g. machine keys, file encryption keys)
• Database contains the company certificate
• Database contains user/machine assignments
• … and many more …

Backup schedule suggestions:
• After initial import
• After every significant change
• Periodically (e.g. daily or weekly)

Page 148: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Server

Questions about the SGN server(s) to be used

Can the preferred web server be used? SGN supports
• IIS 6.0 / 7.0 incl. ASP.net on Windows 2003/2008
• Microsoft .NET Framework >= 3.1 + SP1 must be installed

Dedicated web server recommended because of
• Higher performance
• Other applications can harm the SGN Server
• Other applications might need a different ASP.net version
  • Different ASP.net versions on one IIS might cause problems

Page 149: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Server

Facts to consider

Amount of servers
• How many servers for how many clients?
• Server load balancing necessary?

Server locations
• Where to place the SGN Server(s)?
• Network traffic from SGN Server to clients and database?

Page 150: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Network traffic tests

Network traffic results (in KByte)

Test Case                                     Client ↔ Server   Server ↔ DB
Client registration & User registration       117,63            ~ 5 times more
Start machine incl. Log on & Tick (50:50)     61,76             ~ 4 times more
Tick                                          28,92             ~ 5 times more

These values might have an influence on the decision where to place the SGN Server(s)…

…in terms of the network traffic which can be expected

…especially in distributed environments

Page 151: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Server

SGN Server locations

A good connection to the database is necessary

Consider the fact that the SGN Server ↔ SGN Database connection generates up to five times more traffic than the SGN Client ↔ SGN Server connection

How do the SGN Clients find the right server?
• By different configuration MSI packages
• With the help of intelligent DNS systems (e.g. 3DNS) which resolve the name according to the region where the client is located.

Page 152: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Server

Server Load Balancing

SGN Servers can be load balanced with 3rd party services such as
• Windows Network Load Balancer
• BIG-IP® Load Balancer

Setting up load balancing is a difficult task and should be done by people who are trained in the load balancer solution

The SGN Server load is at its highest during the rollout, because the user certificates will be generated by the SGN Server when a new user is registered.

But in fact this is also relative to the amount of clients which are being rolled out at the same time. So in practice it should not be a big issue.

Page 153: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Management Center

Questions about the Management Center usage

Which connection to Active Directory is available/necessary?

How can the connection to the SGN Database be ensured?

What are the main tasks for using SGN MC?


Page 154: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

SafeGuard Enterprise Management Center

Who needs to have a Management Center installed? Depends on the defined tasks, such as
• Helpdesk Officer (e.g. password reset, account management)
• Recovery Officer (password reset)
• Master Security Officer (e.g. manage SGN environment, create Security Officers, set permissions)
• Security Officer (e.g. manual synchronisation, smartcard issuing, key management)
• Auditor (e.g. report analysis, verify inventory, check security breaches)
• "Synchronisation Host" (scheduled synchronisation via SGN API)

Page 155: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Active Directory

Example (diagram): three regions, America (1000 clients), Europe (5000 clients) and Asia (4000 clients), each with a Domain Controller, a Helpdesk and its Clients

Page 156: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Active Directory

Example (diagram): America (1000 clients), Europe (5000 clients) and Asia (4000 clients), each with Domain Controller, Helpdesk, Clients and an SGN MC; one central Database and one SGN MC/Script for AD Sync

Page 157: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Active Directory

Example (diagram): America (1000 clients), Europe (5000 clients) and Asia (4000 clients), each with Domain Controller, Helpdesk, Clients and an SGN MC; Server1 and Server2 in front of one Database, plus an SGN MC/Script for AD Sync. Not recommended!

Page 158: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Active Directory

Example (diagram): America (1000 clients), Europe (5000 clients) and Asia (4000 clients), each with Domain Controller, Helpdesk, Clients and an SGN MC; Server1 and Server2 in front of one Database, plus an SGN MC/Script for AD Sync

Page 159: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Active Directory

Example (diagram): America (1000 clients), Europe (5000 clients) and Asia (4000 clients), each with Domain Controller, Helpdesk, Clients and an SGN MC; an SGN MC/Script for AD Sync; Server1 and Server2 behind a Network Loadbalancer in front of one Database

Page 160: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Penetration test

Test environment (main components)

SGN Server environment: 2 IIS Servers (Network Load Balanced)
• Primergy R450 w/ 4-way Xeon 1,90 GHz
• 4 GB RAM
• Windows 2003 Enterprise R2 SP2 (IIS 6.0)
• Microsoft .NET 3.5

SGN DB: 1 Database Server
• Proliant DL380 G5 w/ 1-way Xeon (quad core) 3.0 GHz
• 8 GB RAM
• Windows 2003 Enterprise R2 SP2 x64
• Microsoft SQL Server 2005 x64

Directory structure: 50000 users, 50000 computers, 380 OUs, 2000 groups, 50000 group memberships

Test tool: Microsoft Visual Studio 2008 Team Edition for Software Testers

Tested with SGN 5.21

Page 161: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Workload in the different phases (1/2)

Workload from rollout until day-by-day usage

(Chart: workload over rolled-out clients; rollout phase until all 5000 clients are rolled out, then day-by-day usage)

During Rollout:
- User Certificate generation
- Policy update (new & existing Clients)

Maintenance:
- User Certificate generation
- Policy update (existing Clients)

Summary: During the rollout, the work load of the IIS is higher than afterwards (relative to the Database workload).

Page 162: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Workload in the different phases (2/2)

The SGN Server load is at its highest during the rollout, because the user certificates will be generated by the SGN Server when a new user is registered.

But in fact this is also relative to the amount of clients which are being rolled out at the same time. So in practice it should not be a big issue.

Page 163: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Test adaption

The test has been made with fixed parameters such as:
• Hardware
• Structure size
• Network load
• SGN configuration (e.g. logging)

For customer projects, this means (amongst others):
• Better hardware gives better results (and vice versa)
• The AD structure has no influence on the SGN Server/Database performance.
• Place the SGN Server close to the SGN database
• Intensive logging generates high traffic and work load. Set up a moderate logging policy!

There were additional tests done, but they all came to the same conclusion.

Page 164: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to detect performance problems?

Major performance counters

CPU problems (e.g. CPU often above 80 %)

Memory problems (e.g. more than 80 % of memory permanently in use, swapping)

Hard disk problems (e.g. slow disk, high disk workload)

Network problems (e.g. slow network connection, bandwidth exhausted)
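The following script is an added example, not part of the Sophos training material. It samples the four counter families listed above on an SGN Server (or the database server) with Get-Counter and reports how often each counter exceeded its limit during the observation window. The 80 % limits for CPU and memory are the ones from the slide; the disk and network limits, the one-minute observation window and the use of `\Web Service(_Total)\Current Connections` as an IIS indicator are assumptions and should be adjusted to the hardware (e.g. 1 Gbit/s NICs). It requires PowerShell 2.0 or later and Performance Monitor Users (or administrator) rights on the target.

```powershell
# Added example (not from the Sophos training material). Samples the counter families
# named above on an SGN Server or the database server and reports how often each was
# over its limit. CPU/memory limits (80 %) are from the slide; disk and network limits
# are assumptions. Requires PowerShell 2.0+ (Get-Counter) and counter read rights.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Samples = 12,            # 12 samples x 5 s = one minute of observation
    [int]$IntervalSeconds = 5
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\% Committed Bytes In Use',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',
    '\Network Interface(*)\Bytes Total/sec'
)
# IIS counter only where the Web Service object exists (SGN Server, not the SQL Server)
if (Get-Counter -ListSet 'Web Service' -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
    $counters += '\Web Service(_Total)\Current Connections'
}

# Rule table: substring of the counter path -> limit and the problem it indicates
$rules = @(
    @{ Pattern = '% processor time';         Limit = 80;     Text = 'CPU often above 80 %' },
    @{ Pattern = '% committed bytes in use'; Limit = 80;     Text = 'more than 80 % of memory in use' },
    @{ Pattern = 'pages/sec';                Limit = 1000;   Text = 'heavy paging / swapping (assumed limit)' },
    @{ Pattern = 'avg. disk queue length';   Limit = 2;      Text = 'disk queue building up (assumed limit)' },
    @{ Pattern = 'avg. disk sec/transfer';   Limit = 0.02;   Text = 'slow disk, over 20 ms per I/O (assumed limit)' },
    @{ Pattern = 'bytes total/sec';          Limit = 12.5MB; Text = 'NIC near 100 Mbit/s saturation (assumed limit)' }
)

$sets = Get-Counter -ComputerName $ComputerName -Counter $counters `
                    -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Group all samples by counter path and compare every sample with its limit
$report = $sets | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
    $path    = $_.Name
    $values  = @($_.Group | ForEach-Object { $_.CookedValue })
    $rule    = $rules | Where-Object { $path.ToLower().Contains($_.Pattern) } | Select-Object -First 1
    $over    = 0
    $verdict = ''
    if ($rule) {
        $over = @($values | Where-Object { $_ -gt $rule.Limit }).Count
        # "often" = over the limit in more than half of the samples
        if ($over * 2 -gt $values.Count) { $verdict = $rule.Text }
    }
    New-Object PSObject -Property @{
        Counter   = $path
        Average   = [math]::Round(($values | Measure-Object -Average).Average, 2)
        OverLimit = "$over / $($values.Count)"
        Verdict   = $verdict
    }
}
$report | Sort-Object Counter | Format-Table Counter, Average, OverLimit, Verdict -AutoSize
```

Run it during the "9:00 am peak" described later in this section rather than at a quiet time; a server that is fine at noon can still be saturated when all clients log on. A counter that is over its limit in most samples of the window is the one to act on with the measures below (additional SGN Server, longer connection interval, more worker processes).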

Page 165: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

What can be done if an SGN Server limit is reached?
1. Add an additional SGN Server
   with a Network Load Balancer, or
   X clients per server (passive), or
   new clients contact Server 1, already rolled-out clients contact Server 2
2. Set the policy setting "Connection interval to Server" to a higher value
3. Change the IIS performance setting "Maximum number of worker processes"

Page 166: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

Network Load Balancing (NLB)

Balances the requests between all SGN Servers in the NLB system.

NLB systems in use with SGN at customer sites:
Microsoft Windows Network Load Balancing service (included e.g. in Windows 2003 Enterprise Server)
BIG-IP® (vendor: F5)

Page 167: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

Configuring SGN config packages for an NLB system
1. Register the "real" SGN Servers as usual.
2. Create an additional server entry with the virtual IP/server name of the NLB system (e.g. "NLB for Server"); any certificate can be chosen.
3. The server packages are created as usual.
4. For the client configuration packages, choose the NLB entry (e.g. "NLB for Server") as SGN Server.

Page 168: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

X clients per server

A specific number of clients contacts one dedicated SGN Server.

Which client contacts which server is defined by the "Primary Server" entry of the SGN client config package.

The challenge is to determine how many clients one SGN Server can handle.

Page 169: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

New clients contact "Server 1", already rolled-out clients contact "Server 2"

New clients contacting the SGN Server for the first time contact "Server 1".

Clients which have already passed the UMA (user-machine assignment) switch to "Server 2".

Server main functions:
Server 1: machine registration, user certificate generation
Server 2: policy update, user changes

[Diagram: client config package 1 sets primary server = Server 1 and takes the client through status 1 (SGN client installed), status 2 (SGN client registered) and status 3 (SGN user registered); client config package 2 then sets primary server = Server 2.]

Page 170: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

Extend the policy setting "Connection interval to Server"

Defines the interval at which clients contact the SGN Server.

Default value: 90 minutes

If one policy update per day is acceptable, set the value to e.g. 480.

The server is contacted at machine start (e.g. 09:00 am).

Machines that run overnight contact the server every 480 minutes (8 hours).

Clients therefore contact the server at least once a day.

However, the highest workload is to be expected in the morning, when everybody starts and logs on to their machines. A longer interval does not reduce this morning peak, and the calculation "how many clients per server" is based on it (the "9:00 am peak").

Page 171: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the SGN Server performance

IIS performance setting "Maximum number of worker processes"

This is the maximum number of worker processes per application pool (metabase property MaxProcesses).

Default value: 1

For an application such as the SGN Server, which conducts numerous database requests, increasing it can improve performance.

The effect differs between environments. Note that an application pool with more than one worker process is a "web garden": state kept in memory by one worker process is not visible to the others, so verify the application behaves correctly before raising the value on a production server.
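The following is an added example, not code from the training material or from the product. It shows the current "Maximum number of worker processes" value of every application pool on an IIS 6.0 server and raises it for one pool through the IIS ADSI provider, which is installed together with IIS on Windows Server 2003. The pool name `DefaultAppPool` is a placeholder assumption for the pool that hosts the SGN Server web service; run the listing step first to find the right one. The script must run as administrator on the SGN Server.

```powershell
# Added example (not from the Sophos training material). Reads and changes the IIS 6
# metabase property MaxProcesses ("Maximum number of worker processes" in IIS Manager)
# via the IIS ADSI provider. Assumptions: Windows Server 2003 / IIS 6.0, run as
# administrator on the SGN Server; the pool name is a placeholder for the pool that
# hosts the SGN Server web service.
param(
    [string]$PoolName = 'DefaultAppPool',   # assumption: the pool hosting the SGN Server
    [int]$MaxProcesses = 2                  # IIS default is 1; raise in small steps and measure
)

# 1. List all application pools with their current setting to identify the right pool
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
foreach ($p in $pools.psbase.Children) {
    '{0,-30} MaxProcesses = {1}' -f $p.psbase.Name, $p.Get('MaxProcesses')
}

# 2. Change the value on the chosen pool and write it back to the metabase
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
'Before: MaxProcesses = {0}' -f $pool.Get('MaxProcesses')
$pool.Put('MaxProcesses', $MaxProcesses)
$pool.SetInfo()

# 3. Recycle the pool so the additional worker processes are actually started
$pool.Recycle()

# 4. Read the value back from a fresh object to confirm the change was persisted
$check = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
'After:  MaxProcesses = {0}' -f $check.Get('MaxProcesses')
```

Recycling the pool briefly interrupts client requests, so change the value outside the morning peak. After the change, compare the CPU and "Current Connections" counters of the SGN Server before and after; if the database server becomes the bottleneck instead, additional worker processes will not help.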

Page 172: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the Database performance

Observe the Microsoft recommendations, such as:
Physical memory (should be larger than the size of the database)
Disk space (NTFS recommendation: at least 20 % of the disk array should be free)
RAID level 10 or RAID 0+1 combination (RAID 5 not recommended)
tempdb system database (recommended to keep tempdb on a separate array)
Transaction log file (should be written to its own separate array)
Partitioning of tables or indexes (e.g. SAFE_GUARD_DIR)
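The following script is an added example, not part of the training material, that checks an SGN database server against three of the recommendations above: physical memory larger than the database, tempdb on its own array, and the transaction log on its own array, plus the 20 % free-space rule. It queries `sys.master_files` (SQL Server 2005 or later) over Windows authentication and uses the drive letter of each file as a stand-in for "separate array"; on a real server map drive letters to the underlying RAID sets, since two drive letters can share one array. The database name `SafeGuard` is an assumption; use the name chosen during the SGN installation. RAID level and table partitioning are not checked here.

```powershell
# Added example (not from the Sophos training material). Checks file placement, RAM vs.
# database size and free disk space of the SGN database server. Assumptions: SQL Server
# 2005+, Windows authentication with rights to read sys.master_files, run on the database
# server itself (for the RAM and disk queries), SGN database name as given below.
param(
    [string]$SqlInstance = 'localhost',     # assumption: script runs on the database server
    [string]$SgnDatabase = 'SafeGuard'      # assumption: name chosen at SGN installation
)

$query = @"
SELECT DB_NAME(database_id) AS db, type_desc, physical_name,
       CAST(size AS bigint) * 8 / 1024 AS size_mb      -- size is stored in 8 KB pages
FROM sys.master_files
WHERE database_id IN (DB_ID('tempdb'), DB_ID(@sgn))
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$cmd.Parameters.AddWithValue('@sgn', $SgnDatabase) | Out-Null
$conn.Open()
$files = @()
$rdr = $cmd.ExecuteReader()
while ($rdr.Read()) {
    $path = [string]$rdr['physical_name']
    $files += New-Object PSObject -Property @{
        Db = [string]$rdr['db']; Type = [string]$rdr['type_desc']
        Path = $path; SizeMB = [int64]$rdr['size_mb']
        Drive = $path.Substring(0, 1).ToUpper()
    }
}
$rdr.Close(); $conn.Close()
$files | Format-Table Db, Type, Drive, SizeMB, Path -AutoSize

$sgnFiles = @($files | Where-Object { $_.Db -eq $SgnDatabase })
if ($sgnFiles.Count -eq 0) { throw "Database '$SgnDatabase' not found on $SqlInstance" }

# 1. Physical memory should be larger than the database (data + log)
$ramMB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$dbMB  = ($sgnFiles | Measure-Object -Property SizeMB -Sum).Sum
if ($ramMB -lt $dbMB) { Write-Warning "RAM ($ramMB MB) is smaller than the SGN database ($dbMB MB)" }

# 2. Transaction log and tempdb should not share an array with the data files
$dataDrives = @($sgnFiles | Where-Object { $_.Type -eq 'ROWS' } | ForEach-Object { $_.Drive })
$logDrives  = @($sgnFiles | Where-Object { $_.Type -eq 'LOG'  } | ForEach-Object { $_.Drive })
$tempDrives = @($files | Where-Object { $_.Db -eq 'tempdb' } | ForEach-Object { $_.Drive })
foreach ($d in $logDrives) {
    if ($dataDrives -contains $d) { Write-Warning "Transaction log shares drive $d with the data files" }
}
foreach ($d in $tempDrives) {
    if ($dataDrives -contains $d -or $logDrives -contains $d) {
        Write-Warning "tempdb shares drive $d with the SGN database"
    }
}

# 3. At least 20 % of every array in use should be free
$files | ForEach-Object { $_.Drive } | Sort-Object -Unique | ForEach-Object {
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($_):'"
    $pct = [math]::Round(100 * $vol.FreeSpace / $vol.Size)
    if ($pct -lt 20) { Write-Warning "Drive $($_): only $pct % free" }
}
```

The warnings map one-to-one onto the recommendations above, so the script can be re-run after each change (moving the log file, adding RAM) to confirm the server now meets them.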

Page 173: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

How to improve the Database performance

Not recommended: database replica (second database server)

Replication types:
Snapshot replication: not supported
Transactional replication: not supported
Merge replication: supported

SGN database merge replication should be your LAST CHOICE for performance improvement:
Not completely tested
Advanced knowledge of Microsoft SQL Server is necessary
Replication conflicts can occur

Conflicts can occur during update, insert (uniqueness) and delete operations when the same object is changed in parallel on both sides (merge replication). The probability of conflicts grows rapidly the longer the period between replication runs.

Page 174: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Example for a growing SGN environment

[Chart: an environment that grows in steps of 2,000, 5,000 and 10,000 clients, each step adding server workload, up to a total of 22,000 SGN clients.]

How to balance the server workload? Place a Network Load Balancer.

Page 175: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Agenda

1. Introduction

2. Helpdesk Scenarios

3. SafeGuard Enterprise Client Engine

4. Backup / Restore Scenarios

5. Trouble Shooting

6. Online Exam


Page 176: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

Online exam

Go to gpp.partners.sophos.com for the assessment


Page 177: En_ds4 Sgn 5.50 Technical Implementation Training 3.22

trusted Professional Services

Implementation Training SafeGuard Enterprise 5.50

