
Installing SafeGuard PortProtector Client

upgrade SafeGuard PortProtector Client.

Appendix A - OPSEC™ Interoperability, describes Check Point's OPSEC™ and how it interfaces with SafeGuard PortProtector.

Appendix B - NAC Interoperability, describes Cisco's NAC and how it interfaces with SafeGuard PortProtector.

Contents

1 Installation Workflow ... 5

2 Preparing for Installation ... 8

3 Installing SafeGuard PortProtector Management Server ... 12

4 Installing SafeGuard PortProtector Management Console ... 42

5 Installing SafeGuard PortProtector Client ... 54

6 Appendix A - OPSEC™ Interoperability ... 81

7 Appendix B - NAC Interoperability ... 94

1 Installation Workflow

About This Chapter

Before installing SafeGuard PortProtector V3.3, it is important to fully understand the implementation process of the SafeGuard PortProtector solution. This chapter suggests a workflow for using the SafeGuard PortProtector solution to protect your organization's data. It contains the following section:

SafeGuard PortProtector Implementation Workflow describes the workflow for implementing and using SafeGuard PortProtector.

1.1 SafeGuard PortProtector Implementation Workflow

The following is an overview of the workflow for implementing and using SafeGuard PortProtector.

Step 1: Install the SafeGuard PortProtector Management Server and Console, as described in Chapter 2, Preparing for Installation and Chapter 3, Installing SafeGuard PortProtector Management Server.

Step 2: Install Additional Management Consoles, as described in Chapter 4, Installing SafeGuard PortProtector Management Console.

Step 3: Define General SafeGuard PortProtector Administration Settings, such as the method in which policies are published, as described in Chapter 7, Administration in SafeGuard PortProtector User help.

Step 4: Scan Computers and Detect Port/Device Usage. Use SafeGuard PortAuditor to detect the ports that have been used in your organization and the devices and WiFi networks that are or were connected to these ports, as described in SafeGuard PortAuditor User help.

Step 5: Define SafeGuard PortProtector Policies. In this stage you define the blocked, allowed and restricted ports, devices and WiFi networks according to the security and productivity requirements of your organization as described in Chapter 3, Defining Policies in SafeGuard PortProtector User help.

Step 6: Install SafeGuard PortProtector Client on Endpoints, as described in Chapter 5, Installing SafeGuard PortProtector Client.

Step 7: Distribute SafeGuard PortProtector Policies to Endpoints: in this stage, you can either associate policies with users and computers and distribute them directly to endpoints (via SSL), or use Active Directory's GPO feature or any other third-party tool to distribute SafeGuard PortProtector Policies, as described in Chapter 4, Distributing Policies in SafeGuard PortProtector User help.

Step 8: Endpoints are Protected by SafeGuard PortProtector Policies: in this stage, only approved devices and WiFi networks can be used, through permitted ports. Logs about port, device and WiFi network use and attempted use, as well as tampering attempts, are created and sent to the Management Server as described in Chapter 8, End-User Experience in SafeGuard PortProtector User help.

Step 9: Monitor Logs and Alerts: view and export the log entries generated by SafeGuard PortProtector Clients, as described in Chapter 5, Viewing Logs in SafeGuard PortProtector User help.

2 Preparing for Installation

About This Chapter

This chapter first describes the SafeGuard PortProtector architecture and the SafeGuard PortProtector installation workflow. It then specifies the system requirements and prerequisites for installing the different components of SafeGuard PortProtector, followed by instructions on how to prepare the network for installation. It contains the following sections:

System Requirements, page 9, describes the system requirements for each one of the SafeGuard PortProtector components.

Preparing your Network, page 10, describes the preparation that needs to be done on your network in order to allow the different SafeGuard PortProtector components to communicate without interruptions.

Tips on preparing your Endpoints, page 11, describes the preparation that needs to be done on your endpoints before installing SafeGuard PortProtector in order to optimize the security of your network.

2.1 System Requirements

Following are the system requirements for the various system components:

SafeGuard PortProtector

2.2 Preparing your Network

Before installing the system, be sure to enable the following communications in your network and personal firewalls.

To prepare your network:

1 In order to communicate freely between the SafeGuard PortProtector Management Server and the SafeGuard PortProtector Clients, make sure that the SSL port is open in your network firewall. Sophos typically uses port 443 (SSL standard) for this. If you have chosen otherwise, make sure to allow this port in your firewall.

2 In order for the SafeGuard PortProtector Management Console to be able to control clients (send control commands to clients to send their logs and update their policy), it needs WMI ports to be open on the personal firewalls of each endpoint. WMI uses port 135 and a series of random ports.
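The two communication paths above can be verified before installation rather than discovered as failures afterwards. The following PowerShell script is an added example and is not part of this guide or of the SafeGuard PortProtector product; it assumes Windows PowerShell 5.1 or later with Test-NetConnection and the CIM cmdlets, and the server and endpoint names in it are placeholders. The first function is meant to be run from an endpoint (can a Client reach the Server's SSL port), the second from the Management Server (can the Console reach each endpoint over WMI). A WMI query over DCOM is attempted after the TCP 135 test because WMI moves to a dynamic RPC port after the endpoint-mapper handshake, so an open port 135 alone does not prove the personal firewall is configured correctly.

```powershell
# Added pre-installation connectivity check. Not part of the SafeGuard PortProtector
# guide or product; assumes Windows PowerShell 5.1+ with Test-NetConnection and the
# CIM cmdlets. Host names and the endpoint list are constructed placeholders.

$ManagementServer = 'ppserver.example.local'                        # placeholder
$Endpoints        = @('ws01.example.local', 'ws02.example.local')   # placeholder list
$ClientSslPort    = 443   # SSL port between Clients and the Server (section 2.2, item 1)
$RpcMapperPort    = 135   # RPC endpoint mapper that WMI starts with (section 2.2, item 2)

function Test-ManagementServerPort {
    # Run on an endpoint: can a Client reach the Server's SSL port through the
    # network firewall?
    param([string]$ComputerName, [int]$Port)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $ComputerName; Port = $Port; Reachable = $r.TcpTestSucceeded }
}

function Test-EndpointWmiControl {
    # Run on the Management Server: can the Console control this endpoint over WMI?
    # TCP 135 alone is not enough, because DCOM then moves to a dynamic port, so a
    # real WMI query over DCOM (not WinRM) is attempted after the port test.
    param([string]$ComputerName)
    $tcp = (Test-NetConnection -ComputerName $ComputerName -Port $RpcMapperPort -WarningAction SilentlyContinue).TcpTestSucceeded
    $wmi = $false
    $detail = ''
    if ($tcp) {
        try {
            $opt = New-CimSessionOption -Protocol Dcom
            $s = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
            $null = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
            Remove-CimSession $s
            $wmi = $true
        } catch {
            $detail = $_.Exception.Message   # typically an RPC-unavailable or access-denied error
        }
    }
    [pscustomobject]@{ Endpoint = $ComputerName; Tcp135 = $tcp; WmiQuery = $wmi; Detail = $detail }
}

Test-ManagementServerPort -ComputerName $ManagementServer -Port $ClientSslPort | Format-Table -AutoSize
$Endpoints | ForEach-Object { Test-EndpointWmiControl -ComputerName $_ } | Format-Table -AutoSize
```

An endpoint that shows Tcp135 as True but WmiQuery as False usually means the personal firewall allows the endpoint mapper but not the follow-on RPC ports, which is exactly the case the remote administration exception in the next section is meant to cover; an access-denied detail instead points at the domain account used by the Management Server rather than at the firewall.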

2.2.1 Opening WMI ports on Windows XP (SP2) Firewall

If you are using Windows XP (SP2) firewall as the personal firewall on your endpoints, you can use the GPO mechanism to configure endpoints to accept incoming WMI communications. The following section is quoted from Microsoft documentation.

"Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment.

Windows Firewall settings are available for Computer Configuration only.

They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

Identical sets of policy settings are available for two profiles:

Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.

Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.

The relevant policy setting for WMI is:

Windows Firewall: Allow remote administration exception

This allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM.
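Where an endpoint cannot receive the GPO yet (for example a machine that is not joined to the domain), the same exception can be applied and verified locally from the command line. The following is an added example, not taken from this guide, from Sophos or from the quoted Microsoft text; it assumes the Windows XP SP2 "netsh firewall" context, and the Management Server address is a placeholder. It enables the exception for the Domain profile only and restricts it to the Management Server's address, so the endpoint does not accept remote administration from any host while on a home network or the Internet.

```powershell
# Added example (not from the guide or from Sophos): apply the "remote administration"
# exception on a single Windows XP SP2 endpoint and read the firewall state back.
# Assumes the XP-era "netsh firewall" context. The server address is a placeholder.

$ManagementServerIp = '192.0.2.10'   # placeholder: the only host that needs WMI access

# Enable the Remote Administration service exception (TCP 135 and 445, as the quoted
# Microsoft text explains) for the Domain profile only, so it is not active when the
# machine sits on a home network or the Internet (the Standard profile).
# scope=CUSTOM limits the exception to the Management Server instead of any host.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=$ManagementServerIp profile=DOMAIN

# Read back the per-profile service configuration to confirm the change took effect.
netsh firewall show service

# Equivalent for Windows Vista and later, for mixed environments (assumption: the
# "Windows Management Instrumentation (WMI)" rule group of the newer firewall):
# Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled True -Profile Domain -RemoteAddress $ManagementServerIp
```

In a domain the GPO path given above remains the preferred way to roll the setting out, because it is reapplied on every policy refresh; the command line is for exceptions and for confirming what a particular endpoint actually has in force.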

2.3 Tips on Preparing Your Endpoints

Booting via an external boot device (floppy, CD etc.) will circumvent any security software.

However, there are a few ways to either prevent this scenario from happening, or to make it impossible to read the data outside the Sophos-protected operating system:

Changing the boot sequence: Change the boot sequence so that the machine does not boot first from the floppy, then the CD\DVD-ROM, and, finally, the hard disk drive. The hard disk drive should always be the first boot device. If the floppy or the CD\DVD-ROM is the initial boot device, anyone can use a bootable medium that can directly access the hard disk drive and reset the administrator password in seconds.

Physical seal \ chassis protection: Make sure that the hardware is sealed and that the hard disk drive cannot be simply disconnected.

Setting a password to protect the BIOS: This prevents users from entering the BIOS and re-enabling the boot access through devices other than the internal hard disk drive.

Disk Encryption: Several disk encryption software packages are available in the market. These are used to encrypt the entire disk, making sure that the data can be read only when loading the operating system (which contains the decryption client). Booting from any external boot device will not prove useful since all data will be encrypted.

SafeGuard PortProtector Client has been tested to work along with the leading software products of this type, including PGP Wholedisk, Sophos SafeGuard Easy, WinMagic and Pointsec.

3 Installing SafeGuard PortProtector Management Server

About This Chapter

This chapter describes how to install SafeGuard PortProtector Management Server and contains the following sections:

Prerequisites, describes the requirements for installing the management server.

Installing Prerequisite Software, describes how to install Microsoft .NET framework and IIS.

Before Installing SafeGuard PortProtector Management Server, provides a checklist of issues you need to verify before starting the installation process.

Installing the Management Server, describes how to install the SafeGuard PortProtector Management Server for the first time and how to launch the SafeGuard PortProtector Management Console.

Restoring an Existing Management Server, describes how to restore an existing SafeGuard PortProtector Management Server in case of hardware upgrade or failure.

Upgrading the Management Server, explains how to upgrade SafeGuard PortProtector from version 3.2 to version 3.3.

Post-Installation Settings (Checklist), lists a set of critical settings to define after installation.

Uninstalling SafeGuard PortProtector Management Server, explains how to uninstall SafeGuard PortProtector Management Server.

Changing your Database, explains how to switch from using an embedded SafeGuard PortProtector database to an external MS SQL database, and vice versa.

3.1 Prerequisites

3.1.1 Operating System

Windows XP Professional (SP0-2) 32-bit

Windows 2003 Server (SP0-2) 32-bit

3.1.2 Hardware

The server hardware requirements depend on the number of installed SafeGuard PortProtector Clients. To obtain the specifications suitable for your organization, please contact your local Sophos reseller or Sophos support at [email protected].

3.1.3 Software

Microsoft .NET Framework 2.0 installed

Microsoft Internet Information Services (IIS)

3.2 Installing Prerequisite Software

3.2.1 Installing Microsoft .NET Framework 2.0

To install .NET Framework

Microsoft .NET Framework 2.0 is built in by default on Windows 2003, and can be downloaded for free from the Microsoft website for Windows XP.

Link to .NET framework 2.0 installation package:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en

3.2.2 Installing Microsoft IIS

To install Microsoft IIS:

1 In Control Panel on your computer, double-click Add or Remove Programs. The Add or Remove Programs window opens.

2 Click Add/Remove Windows Components. The Windows Components Wizard window opens.

3 If you are installing the application on a machine running Windows 2003, check the Application Server checkbox. If you are installing IIS on a machine running Windows XP, check the Internet Information Services checkbox, as shown below:

4 Click Next.

5 The Insert Disk window opens, asking for the utility disc or location that holds the relevant Microsoft Windows installation components:

7 When the wizard notifies you that the installation is complete, as shown in the following figure, click Finish to close the wizard. IIS is now installed.

3.3 Before Installing SafeGuard PortProtector Management Server

1 Verify that all system requirements and prerequisites are met.

2 Make sure that the SafeGuard PortProtector Server machine belongs to the same domain in which you intend to deploy SafeGuard PortProtector policies.

3 Make sure that a MySQL DB is not installed on the SafeGuard PortProtector Management Server machine.

3.4 Installing the Management Server

To install SafeGuard PortProtector Management Server:

1 Locate on your installation CD.

2 Double-click the file. The SafeGuard PortProtector Server Installation window appears:

3 Click Browse to select a destination folder for the extracted installation files.

Note: Make sure that the files are extracted to a local folder. The installation will not run from a network path.

4 Click Install.

5 Following extraction, you will be asked to select the SafeGuard PortProtector Server language, as shown below:

6 Select the required language and click OK. The first step of the installation wizard appears:

Click Next and read the End User License Agreement. After accepting, click Next again. The Installation Mode step opens:

Select one of the following options:

For a new installation select the New radio button and proceed to step 9 below.

For instructions regarding the Restore option, refer to Restoring an Existing Management Server on page 33.

To join a server cluster, select the Join a Cluster radio button.

A server cluster enables the installation of several SafeGuard PortProtector Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as to provide redundancy and high availability.

The following window opens:

7 Click Next. The Database window opens:

SafeGuard PortProtector can create its own internal database for storing configuration and data.

Alternatively, you can use an existing external database.

Note: SafeGuard PortProtector supports MS SQL 2000 and up.

8 In the Database window, select the required radio button. Select the first radio button if you want to use a database which resides on the same machine as the Management Server (the database is managed by SafeGuard PortProtector Management Server). Select the second option if you have an MS SQL database on another machine and you want to use it as your SafeGuard PortProtector database.

9 Click Next. If you selected to install an embedded database, skip to Step 14.

10 If you have selected to use an existing database server or to join a cluster, the following window opens:

11 In the Database Credentials window, perform the following steps:

a. In the Database Server field, enter the database server name (for a non-default instance use the format server\instance).

b. Under Database authentication mode, click the appropriate radio button to select whether to use MS SQL Security or Microsoft Windows Security.

c. Enter database authentication credentials – User Name and Password. If you selected Microsoft Windows Security you must also enter a Domain name.

12 Click Next. The installation program validates access to the database.

Note: If validation fails, re-enter the correct information, or click Cancel to exit the installation.

Note: If a valid SafeGuard PortProtector database already exists on this database server, the following window opens:

In this window, click Yes in order to overwrite the existing database. If you wish to use the existing database, click No and skip to Restoring an Existing Management Server on page 33.

13 The Destination Folder step opens:

14 Click Next to select the default installation folder: C:\Program Files\Sophos\SafeGuard PortProtector, or click Change to select a different installation folder then click Next. The Domain Credentials window opens:

15 In the Domain Credentials window, enter the domain user credentials: SafeGuard PortProtector Management Server requires a domain account from your Active Directory in order to perform tasks such as creating GPOs and for controlling clients via WMI. We recommend that you enter an account with domain administrator privileges (you may change this user after installation).

16 Click Next.

Users' access to the Management Console is restricted for security reasons. SafeGuard

PortProtector does not require its own users and computers database. Instead, credentials are checked against Active Directory and/or local user accounts on the Management Server machine. Following installation, access to the Management Console is restricted to users who have local administrative rights on the computer hosting the Server, as shown below:

17 Click Next. The Communication Port window opens.

SafeGuard PortProtector Management Server communicates with the SafeGuard PortProtector Management Consoles and Clients through SSL ports. Port definitions differ in Windows XP and Windows 2003.

Windows XP

The Management Server will use the default SSL port which is defined by the website of the host computer for communicating both with SafeGuard PortProtector Clients and with the Management Console.

Note: If no website is found on the host computer, the same window appears, with the Communication Port (SSL) text box editable. If you are not using the standard port 443, change it as required.

Windows 2003

In Windows 2003, SafeGuard PortProtector uses two different ports to communicate with SafeGuard PortProtector Clients and with the Management Console.

The default ports are 443 for Clients communications and 4443 for Management Console communications. If you wish, you may change these default ports.

18 In order for SSL to operate, a certificate is needed to authenticate the Management Server. This certificate is also used for encrypting the data sent on the communication port. If the computer that is running the Server already has an active website that allows the SSL port activation, the application will use the existing certificate. If no certificate exists, the application will create a new certificate and will notify you of this.

Note: A Sophos generated certificate is not signed by a valid Certificate Authority (CA). Although this does not affect the overall security level of the system, using this certificate will cause Internet Explorer to display security alerts.

In order to avoid these alerts you will need to replace the certificate with a signed certificate you receive from a trusted Certificate Authority.
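Whether the installer-generated certificate is still in place, or has been replaced by one from a trusted CA, can be checked from any machine that can reach the Server's SSL port. The following PowerShell function is an added example, not part of this guide or of the product; it uses the .NET SslStream and X509Chain classes, and the server name is a placeholder. It reports whether the certificate is self-signed (issuer equal to subject), whether its name matches the host name Clients and Consoles will use, its expiry, and whether it chains to a root the checking machine trusts. On Windows 2003 run it against port 4443 as well, since the Console uses a separate port there.

```powershell
# Added check (not part of the guide or product): inspect the certificate the
# Management Server presents on its SSL port. Uses .NET SslStream and X509Chain.
# The server name is a placeholder.

function Get-ServerCertificateReport {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever certificate arrives so the handshake completes; the trust
        # decision is made explicitly below with X509Chain instead.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # true only if it chains to a root this machine trusts
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server       = "$ComputerName`:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # installer-generated certificates look like this
            NameMatches  = ($dnsName -ieq $ComputerName)
            NotAfter     = $cert.NotAfter
            TrustedChain = $chainOk
            ChainStatus  = $status                            # empty when the chain is clean
        }
    } finally {
        $client.Close()
    }
}

# Placeholder server name. SelfSigned = True or TrustedChain = False means the note
# above applies and the certificate should be replaced with a CA-signed one.
Get-ServerCertificateReport -ComputerName 'ppserver.example.local' -Port 443 | Format-List
```

Run the check again after replacing the certificate: TrustedChain should become True and ChainStatus empty on a machine that trusts the issuing CA, and NameMatches should be True for the exact host name that Clients and Consoles are configured to use, otherwise the browser alerts mentioned above will persist for a different reason than the missing CA signature.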

19 Click OK to continue with the installation.

20 Click Next.

In the following window, you will be asked to backup the encryption keys that are generated by SafeGuard PortProtector.

To enhance the security of the system, encryption keys are generated during the installation.

These keys are unique to your organization and raise the tampering resistance of your system.

The keys are used to encrypt policies and logs as well as for mutual authentication between the Server and the endpoints.

One example for the use of these unique keys is in that endpoints need to be initialized upon installation with the organization's unique keys. From this point on, an endpoint will treat any information (i.e. policy) that does not correlate to the keys as an attempt to circumvent its protection.

For this reason it is highly recommended to backup the keys and store them on another machine/site in order to ensure smooth recovery in cases of server malfunction without the need to re-deploy Clients to endpoints.

In order to backup your encryption keys, you need to set a password that will be used to protect the keys:

If you do not want to backup your encryption keys during the installation, check the Do not backup encryption keys now checkbox and click Next.

To backup your encryption keys, click Browse to select a path. Enter a password and confirm it.

Note: The password should be at least 7 characters long and should contain one upper case character and one digit.

21. Click Next.

In the following window, you will be asked to configure the schedule for automatic system backup to the network, which includes the encryption keys that are generated by SafeGuard PortProtector.

You may change the default Perform backups interval (Daily, Weekly, Monthly) and the time. The backup path supplied must reside on a network share, with write permissions for the user provided in the Domain Credentials window (step 16) in the setup wizard. Click Browse to select the Network backup path. Enter a Password and Confirm it. If there is a problem with the password you choose (or share permission), the following message will be displayed.
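Both the manual key backup and the scheduled backup above fail for the same two reasons: a password that does not meet the stated rule, or a backup path the domain account cannot write to. The following PowerShell pre-flight check is an added example, not part of this guide or of the product; it validates a candidate password against the rule the guide states (at least 7 characters, one upper-case character, one digit) and confirms that the network backup path is writable. Run it while logged on as the domain account entered in the Domain Credentials window, because that is the account the scheduled backup will write with; the share path is a placeholder.

```powershell
# Added pre-flight check for the key backup steps (not part of the guide or product).
# Validates the backup password against the rule stated in the guide and confirms the
# backup share is writable by the account running the check. Share path is a placeholder.

function Test-KeyBackupPassword {
    param([string]$Password)
    $problems = @()
    if ($Password.Length -lt 7)       { $problems += 'shorter than 7 characters' }
    if ($Password -cnotmatch '[A-Z]') { $problems += 'no upper-case character' }   # -cnotmatch is case-sensitive
    if ($Password -notmatch '[0-9]')  { $problems += 'no digit' }
    [pscustomobject]@{ Acceptable = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

function Test-BackupShareWritable {
    param([string]$SharePath)
    if (-not (Test-Path -LiteralPath $SharePath -PathType Container)) {
        return [pscustomobject]@{ Path = $SharePath; Writable = $false; Reason = 'path not found or not reachable' }
    }
    # Write and remove a uniquely named probe file; a share that is readable but not
    # writable fails here with the same error the backup job would get.
    $probe = Join-Path $SharePath ('pp-backup-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        [pscustomobject]@{ Path = $SharePath; Writable = $true; Reason = '' }
    } catch {
        [pscustomobject]@{ Path = $SharePath; Writable = $false; Reason = $_.Exception.Message }
    }
}

# Read the candidate password without echoing it, validate it, then discard the plain text.
$secure = Read-Host -Prompt 'Candidate key backup password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Test-KeyBackupPassword -Password $plain | Format-List
$plain = $null

Test-BackupShareWritable -SharePath '\\fileserver.example.local\ppbackup$' | Format-List
```

A Writable = False result with an access-denied reason means the share permissions, not the wizard, need fixing before the schedule is set; the wizard's own error message for this case is shown above and does not distinguish a bad password from a permission problem.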

22. Click Next.

The Summary window opens:

21 Confirm the installation summary and click Install to perform the Server installation.

Installation begins, and the Installation Progress window opens:

22 Once installation has been completed, the following window opens:

23 The SafeGuard PortProtector Management Server has been installed. Check the checkbox at the bottom of the screen if you wish to launch the SafeGuard PortProtector Management Console, and click Finish.

Note: The installation process installs the SafeGuard PortProtector Management Console as well.

24 If you have chosen to launch the SafeGuard PortProtector Management Console, the Login window opens:

Enter your User Name, Password and Domain and click Login. The application opens, displaying the main window.

25 Take the time to define preliminary settings in the Administration and Global Policy Settings.

Please refer to Post-Installation Settings (Checklist) on page 38 for a list of settings which you may want to review and change.

3.5 Restoring an Existing Management Server

In some cases you will need to install SafeGuard PortProtector Management Server while maintaining your system's unique encryption keys, in order to work with your existing SafeGuard PortProtector Clients. This may happen when you want to migrate the Server from a low-CPU machine to a stronger one, or when recovering from hardware malfunctions.

In order to restore an existing Management Server you will need to provide the encryption keys

