How it Works
PGP
Loading...
#
C
D
E
M
N
P
R
U
W
Loading...
Loading...
Endpoint Application Control - 4.3
Instruction Manual
183 pgs4.91 Mb0
Table of contents
Loading...

PGP Endpoint Application Control - 4.3 Instruction Manual

PGP Endpoint Application Control Version 4.3.0
Users Guide
Version Information
Copyright Information
Copyright © 19912008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non­commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide­blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info- ZIP implementation, developed by zlib (http://www.zlib.net). Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at
http://xml.apache.org/xalan-j/#license1.1. Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol")
used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt. mx4j, an open-source implementation of the Java Management Extensions
(JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) libxslt the XSLT C library developed for
the GNOME project and used for XML transformations is distributed under the MIT License
http://www.opensource.org/licenses/mit-license.html. PCRE version 4.5 Perl regular expression compiler, copyrighted and
distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd.© 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. PC/SC Lite is a free implementation of PC/SC, a
specification for SmartCard integration is released under the BSD license. Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL
database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified
programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html. Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at
http://opensource.org/licenses/cpl1.0.php. The Perl Kit provides several independent utilities used to automate a variety of
maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

Introducing PGP Endpoint Application Control Suite
A complete portfolio of security solutions 5 What can you find in this guide 5 Conventions 6
Typographical conventions 6 Symbol conventions 6 Keyboard conventions 6
Getting Assistance 7
Getting product information 7 Contacting Technical Support 7
Chapter 1: Understanding PGP Endpoint Application Control Suite
Welcome to PGP Endpoint Application Control Suite 9
Benefits of the white-list approach 9 How does the system know which files can be run? 10 Special note concerning macros and other changing files 11
What do you gain by using PGP Endpoint Application Control Suite? 11
Chapter 2: Using PGP Endpoint Application Control Suite
What is new in this version 13 Working with the PGP Endpoint Application Control Suite system 13 Starting up the PGP Endpoint Management Console 13
Connecting to a server 13 Log in as a different user 14
The PGP Endpoint Management Console 15
Controlling your workspace 16 The PGP Endpoint Application Control Suite modules 18 The PGP Endpoint Management Console menus and tools 18
File menu 18
View menu 18
Tools menu 19
Endpoint Maintenance 19
Reports menu 21
Explorer menu 21
Window menu 21
Help menu 22
5
9
13
Chapter 3: An overview of authorization strategies
Central authorization using digital signatures 23 Central authorization by file location (path) 25 Local authorization of executables, scripts, and macros 25
Local authorization of files that are not centrally authorized 25
Preventing the malicious spread of locally authorized files 26
Deleting users local authorization lists 27 Sending updated authorization information to computers 27
To push updates to all computers protected by PGP Endpoint 28
To push updates to a specific computer 28
Chapter 4: Setting up PGP Endpoint administrators
How to set up a PGP Endpoint system administrator 29
To define a system administrator with full management privileges 29
To define a system administrator with restricted access privileges 30
Administrators access privileges 30
Chapter 5: Building a white list of authorized files
Exporting and importing file authorization settings 33
Manually export or import file authorization settings 34 Importing Standard File Definitions 34
23
29
33
PGP Endpoint Application Control User Guide 4.3.0 1
Contents
Benefits of importing Standard File Definitions 35 To import Standard File Definitions 35
Selecting files to authorize using the Exe Explorer module 37
To select files using the Exe Explorer modules 38
Automatically scanning a computer to identify files 39
Using the Scan Explorer module 39
Using the Authorization Wizard 44
To authorize executable files using the Authorization Wizard 44
Chapter 6: Organizing files into File Groups
Creating and managing File Groups 47
To create a new File Group 47 To delete a File Group 48 To rename a File Group 48 To create a parent-child relationship between File Groups 48
Assigning executable, script, and macro files to File Groups 49
To assign files to File Groups 49
Changing file assignments 50
To change the File Group to which a file is assigned 51 To delete a file from a File Group 51 To delete a file from the PGP Endpoint Database 51
Viewing file assignments 51
To sort entries by any attribute, such as filename or File Group 52 To display a subset of the files in the database 52 Using the Groups tab 52
Chapter 7: Authorizing files by location (Path Rules)
Creating, changing, and deleting Path Rules 53
To create a new Path Rule that applies to everybody 53 To create a new Path Rule that applies to a specific user or user group 54 To modify an existing Path Rule 55 To delete a single Path Rule for a user or user group 55
To delete all Path Rules for a user or user group 55 Conventions for specifying paths in the rules 56 Defining and working with Trusted Owners 56
To define or delete a Trusted Owner 56
Trusted Owner and Path Rule example 57 Path Rules precedence 57
Chapter 8: Granting access using the User Explorer
Users and user groups 59
Direct, indirect, and not authorized File Groups 59 Assigning File Groups to users/user groups 61
To assign/remove File Groups to/from users 61 Assigning users/user groups to File Groups 62
To assign/remove users to/from a File Group 62
47
53
59
Chapter 9: Monitoring activities using the Log Explorer
Accessing the Log Explorer module 66 Log Explorer templates 67
To use an existing template 67
Predefined templates 67
To create and use a new template 68
Backing-up your templates 70 Log Explorer window 70
Navigation/Control bar 70
Column headers 71
Results panel / custom report contents 75
Criteria/Properties panel 78
Control button panel 78 Select and edit templates window 78 Template settings window 81
General tab 81
Query & Output tab 82
Criteria 82
The advanced view 84
Schedule tab 89 Using the Log Explorer module to authorize unknown files 91
To authorize a new executable, script, or macro from the Log Explorer module 91 Forcing the latest log files to upload 91
65
2 PGP Endpoint Application Control User Guide 4.3.0
Contents
Viewing administrator activity 92
Audit events 92
Generating reports of system status and settings 93
Chapter 10: Managing files using the Database Explorer
Viewing database records 95
Using the Database Explorer module 95 To sort entries by any attribute, such as filename or File Group 96 To expand the display to show/hide other columns 96 To save this list as a CSV file 96
Synchronizing PGP Endpoint accounts with Microsoft and/or Novell accounts 97
To synchronize domain members 97 SXDomain command-line tool 97 Novells synchronization script 97 To synchronize user/account information from a workgroup (not a domain) 97
Performing database maintenance 98
Backing up the PGP Endpoint Database 98 Removing old database records 98 To delete old database records 98
Removing obsolete computer connections records 99
Chapter 11: Generating PGP Endpoint reports
File Groups by User 102 Users by File Group 103 User Options 104 Machine Options 105 Online Machines 106 Server Settings Report 107
101
Chapter 12: Setting PGP Endpoint system options
Default options 109
To change default option settings 109
Default options for protected servers and computers 110
Client Hardening 111 eDirectory translation 111 Endpoint status 111 Execution blocking 112 Execution eventlog 112 Execution log 113 Execution notification 113 Local Authorization 113 Log upload interval 114 Log upload threshold 114 Log upload time 114 Log upload delay 114 Server address 114
Default options for users and user groups 115
Execution blocking 115 Execution eventlog 116 Execution log 116 Execution notification 116 Macro and Script protection 116 Relaxed logon 117 Relaxed logon time 117
Options that apply to specific machines or specific users 117
To override default option settings 118
Determining which option setting takes precedence 119
Precedence rules for computer options 119 Precedence rules for user and user group options 120 Precedence rules for options with both computer and user/user group values 122 Precedence rules for the Execution Blocking option 124
Informing client computers of changes 125
95
109
Chapter 13: Windows Updates and other tools
PGP Endpoint Authorization Service Tool 127
Microsoft Software Update Services and Windows Server Update Services 127 What does the PGP Endpoint Authorization Service Tool do? 127 Installing the PGP Endpoint Authorization Service Tool 129 Configuring the PGP Endpoint Authorization Service Tool 129
Versatile File Processor tool 131
127
PGP Endpoint Application Control User Guide 4.3.0 3
Contents
Command line parameters 131
Usage notes 132
Examples 134 File Import/Export Tool 134
Command line parameters 134
Usage notes 135
Examples 135
Chapter 14: Inspecting your endpoints and authorizing software
The Discover procedure 137 Exact match: High-control foundation 138
Procedure 138
Authorizing your present installation 138
Pros and cons 139 Pragmatically: Average foundation 139
Procedure 139
Authorizing your present installation 140
Pros and cons 140 Maintenance phase 140
Frequently changing programs 141
Operating system updates and patches 141
New software installations 141
Software updates 141 Changing from a test to a production environment 141 Identifying DLL dependencies 142
What are DLLs? 142
What are dependencies? 142
How are DLLs dependencies identified? 142
How to integrate dependencies with PGP Endpoint 143
Appendix A: PGP Endpoints Architecture
The whitelist approach 145
Concepts 145
Advantages/disadvantages of using a white list 145
Whitelist and blacklist examples 146 A complete security solutions portfolio 146
PGP Endpoint Application Control Suite 147
PGP Endpoint Device Control 147
PGP Endpoint for Embedded Devices 147 PGP Endpoint components 147
The PGP Endpoint Database 148
The PGP Endpoint Administration Server 148
PGP Endpoint Client Driver 150
Protocol and ports 152
Operation overview 153
Key usage 153
If the PGP Endpoint Administration Server is not reachable 154
The PGP Endpoint Management Console 157
Administration Tools 159
Network communications 160
PGP Endpoint Client Driver communications 160
PGP Endpoint Administration Server communications 160 How PGP Endpoint works 160
PGP Endpoint Application Control Suite 160
PGP Endpoint Device Control 162
145
137
Glossary Index of Figures Index of Tables Index
167
171
175
176
4 PGP Endpoint Application Control User Guide 4.3.0

Introducing PGP Endpoint Application Control Suite

The real world can be harsh: Trojans, worms, viruses, hackers, and even careless or disgruntled employees
threaten your companys data and structure. They can undermine your business with extraordinary speed, and
the cost and damage to applications, data, confidentiality, and public image, can be immense.
Your role, until now, has been to try to anticipate malicious code and actions before they occur and to react to
them when they do in a never-ending expenditure of time, money, and energy.
PGP Endpoint solutions stop that futile game for good. With PGP Endpoint software, you define what is allowed
to execute on your organizations desktops and servers, and what devices are authorized to copy data.
Everything else is denied by default. Only authorized programs and devices can run on your network, regardless
of the source. Nothing else can get in. Nothing.
What makes PGP Endpoint so revolutionary is that it is proactive, not reactive. You are empowered, not
encumbered. You lower and raise the drawbridge. You open and close the borders. You create calm in a chaotic
world.

A complete portfolio of security solutions

PGP offers a complete portfolio of solutions for regulating your organizations applications and devices.
> Our PGP Endpoint Application Control Suite, which includes any of the following programs:
> PGP Endpoint Application Control Terminal Services Edition extends application control to Citrix or
Microsoft Terminal Services environments, which share applications among multiple users.
> PGP Endpoint Application Control Server Edition delivers application control to protect your
organizations servers, such as its Web server, email server, and database server.
> PGP Endpoint Device Control prevents unauthorized transfer of applications and data by controlling
access to input/output devices, such as memory sticks, modems, and PDAs.
> PGP Endpoint for Embedded Devices moves beyond the traditional desktop and laptop endpoints and
onto a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network area storage devices and the myriad of other systems running Windows XP Embedded.

What can you find in this guide

This guide explains how to use PGP Endpoint Application Control Suite (PGP Endpoint Application Control, PGP
Endpoint Application Control Terminal Services Edition or PGP Endpoint Application Control Server Edition - as
explained in the previous section) to enable your organizations servers and computers to only run safe, approved
applications.
> Chapter 1: Understanding PGP Endpoint Application Control Suite, provides a high-level overview of the
solution, how it works and benefits your organization.
> Chapter 2: Using PGP Endpoint Application Control Suite, shows a high-level view of system modules,
menus, and tools.
> Chapter 3: An overview of authorization strategies, describes the various file tools and ways you can control
file execution.
> Chapter 4: Setting up PGP Endpoint administrators, tells how to set up two types of system administrators
with full or limited privileges.
PGP Endpoint Application Control User Guide 4.3.0 5
> Chapter 5: Building a white list of authorized files, describes four ways to load definitions of allowable
executables, scripts and macros into the system.
> Chapter 6: Organizing files into File Groups, describes the process of setting up File Groups and adding files
to those groups.
> Chapter 7: Authorizing files by location (Path Rules), describes the process of using pathname rather than
digital signature to define allowable files.
> Chapter 8: Granting access using the User Explorer, describes two key ways to give users privileges to use
executable files, scripts and macros.
> Chapter 9: Monitoring activities using the Log Explorer, describes the logs of application-execution activity
and explains how to verify the log of the system administrator activities.
> Chapter 10: Managing files using the Database Explorer, describes the database in full as well as routine
housekeeping functions such as system cleanup and backup.
> Chapter 11: Generating PGP Endpoint reports, describes the HTML reports that can be easily created by the
system.
> Chapter 12: Setting PGP Endpoint system options, describes the various options that govern system
operation at user, machine, group, or global levels.
Introducing PGP Endpoint Application Control Suite
> Chapter 13: Windows Updates and other tools, explains how you can use PGP Endpoint with the
technologies provided with Windows.
> Chapter 14: Inspecting your endpoints and authorizing software, outlines recommended procedures for using
PGP Endpoint in the context of a total security strategy.
> Appendix A: PGP Endpoints Architecture provides you with an overview of PGP Endpoint solution
architecture.
> The Glossary and indexes (Index of Figures, Index of Tables, and Index) provide quick access to specific
terms or topics.

Conventions

Typographical conventions

Different typefaces have been used to outline special types of content throughout this guide:
Italic text Represents fields, menu options, and cross-references.
This style Shows messages or commands typed at a prompt.
SMALL CAPS Represent buttons you select.

Symbol conventions

The following symbols emphasize important points:

Take note. You can find here more information about the topic in question. These may relate to other parts of the system or points that need particular attention.
Shortcut. Here is a tip that may save you time.
Caution. This symbol means that proceeding with a course of action introduces a risk data loss or potential problem with the operation of your system, for example.

Keyboard conventions

A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R means that you hold down the ALT key while you press R.
6 PGP Endpoint Application Control User Guide 4.3.0
Introducing PGP Endpoint Application Control Suite
A comma between two or more keys means you must press each of them consecutively. For example Alt, R, U
means that you press each key in sequence.

Getting Assistance

For additional resources, see these sections.

Getting product information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with
PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which
may have last-minute information not found in the product documentation.
Once PGP Endpoint is released, additional information regarding the product is entered into the online
Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).

Contacting Technical Support

> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP
Corporation Support Home Page (http://www.pgp.com/support).
> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support
Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
> For any other contacts at PGP Corporation, please visit the PGP Contacts Page
(http://www.pgp.com/company/contact/index.html).
> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are
user community support forums hosted by PGP Corporation.
PGP Endpoint Application Control User Guide 4.3.0 7
Chapter 1: Understanding PGP Endpoint Application
Control Suite
This chapter introduces PGP Endpoint Application Control Suite and explains how it benefits your organization.
We explain:
> How PGP Endpoint Application Control Suite fundamentally differs from most anti-virus and intrusion-
detection systems on the market.
> How PGP Endpoint Application Control Suite streamlines your costs and network administration, adding
higher levels of protection.
> How it protects your environment enforcing proper use of users applications.
> Enhance productivity levels not allowing unauthorized and unlicensed program installations.
> The basic components of the PGP Endpoint Application Control Suite solution and how each one contributes
to the security strategy.
> What happens behind the scenes to make PGP Endpoint Application Control Suite such a powerful,
effective, yet easy-to-use solution.
> How to navigate through the different screens and options.

Welcome to PGP Endpoint Application Control Suite

If you are tired of worrying about viruses, worms, and other malicious code tired of keeping up with illegal or
unlicensed software that finds its way onto crucial servers or computers rest easy. Now you have PGP
Endpoint.
PGP Endpoint Application Control Suite is a unique product that provides a new approach to network security.
Rather than specifying what cannot run (an approach that has administrators scrambling to defend themselves
against every new threat that comes along), PGP Endpoint security specifies what can run. Nothing else works,
period. That means no matter how inventive and evolved some new malicious code might be, it simply does not
run. You are protected.
Using PGP Endpoint Application Control Suite ensures that:
> Your users cannot execute programs such as hacking tools, games, or unlicensed software.
> You eliminate the threats posed by Trojans, Worms, and executable viruses, both known and unknown.
PGP Endpoint Application Control Suite works in exactly the opposite way most security and antivirus products
on the market do. Rather than creating a black list of files that are not allowed to run, PGP Endpoint uses a
white list of executable files, scripts, and macros that are allowed to run.

Benefits of the white-list approach

PGP Endpoint Application Control Suite innovative white list approach offers several significant benefits (for a
complete description see Appendix A: PGP Endpoints Architecture on page 145):
> Greater protection. Even if dozens of new viruses, worms, and Trojans have been created since you
installed the software, you are protected. Unknown and unauthorized executable files, regardless of their origin email, Internet, DVD or CD simply do not run.
PGP Endpoint Application Control User Guide 4.3.0 9
> Early interception. For most malicious code, the application cannot even be installed, because the self-
install program itself is an executable file that does not run. That means requests for execution are intercepted long before there is any chance of running them.
> Simple maintenance. You do not have to keep loading updates just to keep pace with the endless stream of
new viruses. You do not even need to know exactly what software is installed on every protected system. You only have to monitor what is known and approved, not everything else.
In short, with PGP Endpoint, you have a robust shield protecting your organizations servers and computers. For a complete description of the advantages and disadvantages of white lists, see Appendix A: PGP Endpoints Architecture on page 145.
Chapter 1: Understanding PGP Endpoint Application Control Suite

How does the system know which files can be run?

As a PGP Endpoint administrator, you can specify which executable files, scripts, and macros each user can activate, in a simple three-stage process:
1. Build your white list of executables, scripts, and macros.
Collect files by using built-in tools to scan the servers and computers you wish to protect, or import standard file definitions provided by PGP for popular Windows 2000, Windows 2000 Server, Windows XP, Windows 2003 Server, and Vista operating systems (see Importing Standard File Definitions on page 34).
The system calculates a unique signature (a hash) for each executable file, script, or macro, and uses this distinctive signature to identify allowable files.
2. Organize the files into File Groups.
To streamline administration, you can logically organize files into File Groups, such as grouping together all applications that would be needed by your Webmaster, all database management applications used by your database administrators, or your payroll program.
A single File Group cannot contain both executables and scripts/macros.
3. Link users with their allowed File Groups.
Having defined File Groups, Users, and User Groups, you can now specify not only which executables, scripts and macros can be used, but by whom. Once a file has been centrally authorized and it is immediately available to be run by all authorized users.
When a user wants to run an executable, script or a macro, the following actions automatically take place:
1. If the file is an executable, it is identified as such by the operating system and loaded in memory ready for execution (but not actually executed yet!).
2. If the file is identified by PGP Endpoint as an executable, script or macro, the entire file content is checked to determine the digital signature (hash) before it is allowed to be executed by the operating system.
PGP Endpoint can only recognize and centrally manage the following types of scripts and
macros: VBScripts and JScripts that are interpreted by the Windows Script Host (using cscript.exe and
wscript.exe). These scripts are text files written using the grammar and semantics of the appropriate language. To be recognized by PGP Endpoint your script files must have the appropriate file extension usually .vbs or .js.
Visual Basic scripts (VBA macros) that execute within Microsoft Office and other host applications. These are embedded in Word documents, Excel spreadsheets, and so on.
 Visual Basic scripts (VBA macros) can be embedded in many Microsoft Office formats, such as
.doc, .dot, .xls, and .ppt files. In this case, a hash is created for the whole file, not just the macro.
10 PGP Endpoint Application Control User Guide 4.3.0
Chapter 1: Understanding PGP Endpoint Application Control Suite
3. The digital signature is compared to those of files authorized to run (in the white list).
4. If and only if, the file corresponds exactly to a file on the white list, i.e. their digital signatures are identical, and the file is authorized for execution by the user or machine that has requested it, the file is executed.
If you are using PGP Endpoint Application Control Server Edition, the solution protects your organizations servers and, by nature, your users are system administrators. For the purposes of this guide, we call them all users, even though for some of our products they are not end-users in the typical sense of the word. PGP Endpoint recognizes both local and domain users and groups.
Now you can have total control over applications running on your organizations servers. Authorized administrators and users can work with their applications, but they cannot run any other executable files, such as viruses, Spyware, any unauthorized scripts and macros, or other inappropriate applications whether loaded deliberately or accidentally.

Special note concerning macros and other changing files

Macros embedded in other files (for example Microsoft Word or Excel files) are special cases. These files may be constantly changing since once loaded in memory any user can edit them.
Consider, for example, the case of a Word document containing a macro. This file is loaded into memory ready to be run by the user with a hash that has been previously calculated, assigned to a File Group, and authorized to be used. This is, thus, a legal file and should be granted the right to run. Unfortunately, this file can also be edited and saved back to the hard disk. Once this action done, the file does not correspond to the hash previously calculated when first authorized. Next time this, previously legal file, is run, its access will be denied since the hash does not matches what was originally computed.
You, as a PGP Endpoint administrator, will be constantly confronted to this type of challenge when authorizing this kind of embedded macro. The only possible solution to avoid this sort of conflict is to keep the file content as it was when its hash was initially calculated. Remember: PGP Endpoint Application Control bases its White List control in static digital firm digests. To do this you MUST assign Read-Only permissions to these types of files; this will stop the user from saving back the modified files and keeping its hashes intact.

What do you gain by using PGP Endpoint Application Control Suite?

We have already described the benefits of a white-list approach versus the typical black-list approach see also the Appendix A: PGP Endpoints Architecture on page 145. Looking further, PGP Endpoint offers a wide range of features and benefits:
> Strong file identification PGP Endpoint works by examining each executable, script, or macro file that
an administrator wishes to centrally authorize and calculating a unique digital signature based on the entire contents of that executable. This digital signature is known as a hash. Even the slightest change to a file would result in a different hash, which means the altered file would not be able to run.
> Software version control Because the solution recognizes files by content rather than by name or
location, you can manage different versions of applications as different files. As a result, you cannot only control which applications are allowed but also which versions.
For example, you may decide that an older version of an application is valid up to a certain date. Old and new versions are valid during a transitional period, and only the new version may run after a designated date.
> Reduced total cost of ownership Is your organization buying software licenses on a per-computer basis
rather than a per-user basis? Are you, therefore, paying for idle computers, or duplicate licenses for a single user, just to ensure compliance with software licensing terms?
If so, then you will appreciate the ability to manage application access at the user level. Since you always know exactly how many users are authorized to use each application, you can reduce the total number of licenses: one per user instead of one per computer.
> Preventing the installation of undesirable programs Not only does PGP Endpoint stop undesirable
programs from running in most cases, it prevents them from even being installed. That is because the installation program itself is an executable file. It does not run, because it is not authorized.
PGP Endpoint Application Control User Guide 4.3.0 11
> Easy installation Despite being an extremely powerful security tool, PGP Endpoint is simple to install. A
wizard guides you through the installation process, prompting you for any information required.
> The ability to grant or revoke access on the fly The administrator may grant or revoke access to
executables, scripts and macros on the fly. Users do not have to reboot or log off and then log on again for the changes to take effect.
> A log trail of all system activity Each time a user requests to run a file, a log entry is created. You can
access and maintain the File Group assignment details for the respective files if required directly from the log.
> Integration with industry standard databases PGP Endpoint integrates with the powerful Microsoft
SQL Server and MSDE databases, which offer speed, security, robustness, and interoperability with other applications. With these databases, there is virtually no limit to the number of servers and/or computers that you can protect.
> Non-stop protection Although PGP Endpoint is a network-based solution, its power extends to off-line
systems as well. Whenever a server or computer is connected to the network, PGP Endpoint sends the latest authorization information. If that machine is later isolated from the networkintentionally or otherwiseit is still managed by the authorization information stored in a secure location on its hard disk. Whenever the computer is reconnected to the network, it automatically receives an update.
> The ability to manage applications by their locations Their unique digital signatures (hashes) identify
most executable files, but you can also inform the program that all files in secure locations are inherently safe. Path rules enable you to define approved applications based on their location rather than on binary hash calculations.
Chapter 1: Understanding PGP Endpoint Application Control Suite
> Provisional and limited local override of application denial You can opt to allow users to authorize an
application locally if it is not on the centralized master list of previously approved executables, scripts and macros. The system displays its characteristics and potential security risks, grants provisional access, and logs the activity. To prevent the spread of malicious code, such as Trojan horses, the system can automatically disable the application if it appears on a certain number of computers in a given period.
> Protection from unauthorized scripts Optionally, PGP Endpoint can control the execution of VBScripts,
Microsoft Office VBA macros, and JScripts. Depending on the settings, the execution can be authorized, prevented altogether, or the user can be prompted with a dialog every time a script attempts to execute on his computer.
> Windows Server Update Services support — You can deploy automatic update services inside your own
network: All Microsoft Authorized updates and fixes can be automatically authorized, their hash created, and the database updated.
> Encrypted client-PGP Endpoint Administration Server communication using TLS protocol — Client -
PGP Endpoint Administration Server and intra PGP Endpoint Administration Server communication can, optionally, be done using TLS protocol which encrypts all communications using a certificate signed with a private key. If this option is not activated, communication messages are signed using the private/public key pair generated during setup. See the PGP Endpoint Setup Guide for a complete description.
Rest easy. You have PGP Endpoint.
12 PGP Endpoint Application Control User Guide 4.3.0
Chapter 2: Using PGP Endpoint Application Control
Suite
This chapter provides a high-level view of what it is like to work with PGP Endpoint. It includes:
> The administrative tasks that determine system operation. > The menu selections available to authorized administrators. > The five key modules of the PGP Endpoint management console.

What is new in this version

See the Readme.txt file located on your CD installation disk for a full list of features and changes.

Working with the PGP Endpoint Application Control Suite system

From the PGP Endpoint Management Console, you can perform all the tasks required to configure, monitor, and maintain the solution its database records, executable files, authorizations, and system activity.
Using a familiar Windows-styled interface with pull-down menus, pop-up dialog boxes, and Outlook-style screen displays, you can easily perform the following tasks:
> Build a list of executable files, scripts and macros that you wish to allow. > Define authorizations for the identified executable files (applications), scripts, and macros. > Organize files into File Groups and manage those File Groups. You can also create a parent-child
relationship easing the task of classifying all the applications that use common components.
> Define individuals and groups who have permission to use applications. > Associate File Groups with User Groups to define access privileges. > Manage and maintain the database of authorizations. > Monitor a record of system activity and settings. > Set and change a variety of system options.
If you have already installed solution components by using the simple installation wizards or following the steps in the PGP Endpoint Setup Guide, then you are ready to get going.

Starting up the PGP Endpoint Management Console

As with nearly all Windows programs, you start the PGP Endpoint Management Console by clicking on the Windows START button and selecting Programs  PGP Endpoint  PGP Endpoint Management Console. You can also create a shortcut in Windows desktop for your convenience.

Connecting to a server

When you initially launch the PGP Endpoint Management Console, you need to connect to a PGP Endpoint Administration Server. The Connect to PGP Endpoint Administration Server dialog is displayed.
PGP Endpoint Application Control User Guide 4.3.0 13
Figure 1. Connecting to the PGP Endpoint Administration Server
To connect to a server, follow these steps
1. Select the PGP Endpoint Administration Server to which you want to connect from the list (if available) or type in the name. You can use the IP address, the NetBios name or the fully qualified domain name of the PGP Endpoint Administration Server. If your Server is configured to use a fixed port, you must append the port number to the server name as in this example:
secrsrv.secure.com[1234]
Chapter 2: Using PGP Endpoint Application Control Suite
Please refer to the description of the registry key settings of the PGP Endpoint Administration
Server in the PGP Endpoint Setup Guide for more information about how to configure the server to use a fixed port.
When the PGP Endpoint Administration Server is installed on a Windows XP SP2 or Windows
2003 SP1 computer, you should configure the Windows XP Firewall to allow the communication between the Server and the Console. See Appendix E in the PGP Endpoint Setup Guide for more details.
2. Select to login as the current user or as a different one using the Login as option.
3. Click on the OK button. The PGP Endpoint Management Console screen appears, as shown on Figure
3.
If the PGP Endpoint Management Console screen does not appear, an error message is displayed. This indicates that there were problems when all the internal tests were carried out. Check that you have the required permissions to connect to that server, on domain rights and PGP Endpoint Management Console rights level. See Chapter 4: Setting up PGP Endpoint administrators on page 29.

Log in as a different user

By default, the system establishes the connection using your own credentials.
A local account is created on a single computer and is stored in its Security Account Manager (SAM) database on its hard disk. Domain accounts are created on the domain controller and
stored in the Active Directory. To log onto the local machine, you need a local account. To log onto the domain you need a domain account.
If you choose to click on the Login as option, instead of using your own credentials you must enter the user name and password. Prefix the user name by a workstation name and slash for local accounts and by a domain name and slash for domain accounts (e.g. DOMAIN1\ADMIN1).
Once the connection established, the users credentials are shown in the Output panel while the Connection panel show the license details. If you do not see these windows, select the VIEW CONNECTION and/or VIEW OUTPUT command:
14 PGP Endpoint Application Control User Guide 4.3.0
Chapter 2: Using PGP Endpoint Application Control Suite
Figure 2. Connection and Output window

The PGP Endpoint Management Console

When you log onto the PGP Endpoint system, the system displays the programs user interface. From this screen, you are only a click or two away from the full range of configuration and management functions. Take a moment to get familiar with the menu selections, tools, panels, and modules available from this screen as shown in the following image.
Figure 3. The main screen
The Menu bar in the upper part of the window let you choose different functions and commands. Some of these depend on the module you are working with. As with nearly all Windows programs, you can use the ALT key to have immediate access to the different commands. You can use, for example, Alt+R+O to get an HTML Online Machine report.
In the left part of the window, you find the Control Panel from where you can directly select the available modules and options without using the menu. If you do not see it, use the View  Control Panel command to display it.
The Main Window panel changes its contents depending on the module selected in the left panel. You can refine even more the resulting information in some modules. Every time you open a module, its stays open arranged in stacked tabs until explicitly closed. You can use the Window command of the menu bar to organize your workspace.
The Connection window shows rights information regarding the current user. Use the sidebars to navigate through the text. If you do not see it, use the View  Connection to display it.
The Output window shows you important information messages. Here you can find those messages generated by updates sent to the clients, file fetching, I/O failures, and error messages. Use the sidebars to navigate through the text. If you do not see it, use the View  Output command to display it.
PGP Endpoint Application Control User Guide 4.3.0 15
Chapter 2: Using PGP Endpoint Application Control Suite
The Status bar, at the bottom of the screen, shows important information about the condition of the console. If you do not see it, use the View  Status Bar to display it.
If you are using a time-limited license for PGP Endpoint then once a day, when starting the management console, you get the following screen informing you of your license status:
Figure 4. License status warning
This dialog contains the same data reported to the Connection window in the main screen. This event also generates a log that you can see using Windows Event Viewer.

Controlling your workspace

You can use the Pin icon to pin down’, or ‘park’ the Control Panel, Connection, or Output window. The icon changes to . The alternative is to ‘float’ the window, in which the icon changes to .
In the Dock mode, the panel hides itself as a tab next to the programs window border leaving more space for the main window panel. In the Floating mode, the windows can be moved to any position in the screen, sharing the working area with whatever module(s) is opened.
Figure 5. Docked Control panel
Figure 6. Docked window
Click again on the pin to float again the window panel. You can resize and drag the windows panes to whatever zone you prefer as in the following example:
Figure 7. Floating Control panel
16 PGP Endpoint Application Control User Guide 4.3.0
Chapter 2: Using PGP Endpoint Application Control Suite
Figure 8. Floating windows
Double click on the windows title bar to dock it to its previous position once more. You can also glide the window to any edge until it docks itself guide yourself with the rectangle shape preview before letting go the mouse button.
All open modules occupy the main window area and can be floated or docked at will. You can use the Window menu to arrange the opened modules windows in a tile, cascade, or iconize mode. Each window can also be closed, maximized, or iconized independently as needed. If several modules are already open (as shown in Figure 7), you can choose between them using the stacked tab bar.
You can reorder the windows located at the main window panel by dragging them using their title bar, or traverse them using the Scroll Left or Scroll Right icons .
To close the active window, click on its cross icon, right-click on the title bar and select Close, or press Ctrl+F4. To minimize a window, right-click on the title bar and select Minimize. You can also use the Restore and
Maximize icons and commands as on any Windows program.
Figure 9. Minimized windows
PGP Endpoint Application Control User Guide 4.3.0 17
Item Use to
Item Use to
Chapter 2: Using PGP Endpoint Application Control Suite

The PGP Endpoint Application Control Suite modules

The functions you need for configuring and managing PGP Endpoint are grouped into six modules, represented by the icons in the Modules section of the Control Panel (usually located on the left side of the screen):
Module Use to See page
Database Explorer
Exe Explorer
Log Explorer
Scan Explorer
User Explorer
View the list of executable files, scripts and macros that have been entered into the PGP Endpoint Database and manage file assignment details. Build a list of executable files, scripts and macros that are allowed to run, assigning these files to File Groups. View logs of applications, scripts and macros that have been run, those to which access was denied, or those locally authorized after denial. If you are an Enterprise Administrator you can also view information about Administrator actions from the Audit logs. Scan a computer or domain to identify executable files, scripts and macros that need to be authorized, and assign the files to a File Group. Align users or User Groups with File Groups, to grant them permission to use the files in the File Groups.
Table 1. The System Modules
The procedure for assigning files to File Groups is the same, irrespective of which module you use. This is explained in Chapter 6: Organizing files into File Groups on page 47.
95
37 65
39
59
Detailed information about how to use these modules work is given in the following chapters.

The PGP Endpoint Management Console menus and tools

This section describes all the commands you can directly access using the Menu bar.

File menu

The File menu (on the menu bar), gives you a one-click access to the following functions:
Connect Communicate with another PGP Endpoint Administration Server in
Disconnect Detach from the current PGP Endpoint Administration Server. You Save As Save the contents of the main page in CSV format (only available for
Print Print the active report window. You get the standard Internet Explorer
Exit Exit from the PGP Endpoint Management Console application. Note

View menu

other machine or/a different user name in order to carry out administrative tasks.
need to do this in order to reconnect using a different user or server. specific modules). You can use it to export data to any CSV compliant
program, for example Excel. print dialog where you can choose the printer and select several
printer options. that this command does not stop the PGP Endpoint Administration
Server, just your administrative session.
Table 2. The File Menu
The View menu contains the following functions that regulate the appearance of the on-screen display:
Modules Show a submenu that allows you to select any available module. Control Panel Show/hide the Control Panel that allows you to select modules, tools,
reports, and help from a convenient list. Output Show/hide the Output window (log of system activity). Connection Show/hide the Connection window (real-time operating information). Status bar Show/hide the status bar (programs conditions, clock, and
messages).
Table 3. The View Menu
18 PGP Endpoint Application Control User Guide 4.3.0
Chapter 2: Using PGP Endpoint Application Control Suite
Item Use to
See

Tools menu

The Tools menu (on the menu bar), gives you one-click access to the following functions:
page
Synchronize Domain Members Database Maintenance User Access Define PGP Endpoint Enterprise Administrators and PGP Endpoint Administrators. It allows you to
Default Options Change the default option settings for computers. 109 Path Rules Use path locations and file owners to define which applications can run. 53 Spread Check Prevent the spread of self-propagating code by disabling suspicious executables that have been
Send Updates to All Computers
Send Updates to Transmit the latest setting and permission changes to one or more selected computers. 27 Import Standard File Definitions
Export Settings Export all file permission settings to an external file that can be used to import in a client or to Purge Online
Table

Endpoint Maintenance

Update the PGP Endpoint Database with the current list of users and groups of a domain or machine. Delete log files and items generated from a database scan created before a specified date. 98
restrict the right to set permissions, view the audit information about Administrators actions or the shadowing information. See PGP Endpoint Setup Guide to learn how to set rights to control Organizational Units/ Users/ Computers/ Groups
locally authorized on too many computers. Dispatch the latest setting and permission changes to all computers in the PGP Endpoint Administration Server(s) online table(s). Changes can be sent in synchronous or asynchronous mode
Import files and their hash definitions for any server platforms supported by the PGP Endpoint solution (Windows 2000/XP/2003 and Vista). You can find new ones on our Web site: www.pgp.com.
deploy the client component with predefined permissions. See also the PGP Endpoint Setup Guide. The PGP Endpoint Administration Server keeps a record of the connected clients. Sometimes, clients are disconnected without notifying their server that they are not available anymore. In this case orphan entries are left in the online table affecting the performance of the Send Updates functionality. When you purge the online table, the PGP Endpoint Administration Server erases all information it has regarding connected clients. Every time a user logs on/off or unlocks his station the online table is modified. Create and save maintenance tickets’ for computers/computer groups allowing protected files and/or registries to be modified. See next section for an explanation.
Table 4. The Tools Menu
109
97
29
26 27
34
33 99
19,
 You can also find all these commands in the Tools section of the Control Panel.
PGP Endpoint keeps a copy of the users information in its database. When a new user logs on PGP Endpoint stores their Security Identifier (SID) but not their name. The same applies when you add a new computer to the domain: PGP Endpoint identifies the computer and stores its name in the database. For performance reasons, new users names are not resolved during logon but require an explicit synchronization (ToolsSynchronize Domain Members). The synchronization process depends on whether the protected computers are in a domain or a workgroup.
Endpoint Maintenance
When the client starts, it generates a 15-byte random value used for protection purposes. This key which we call Salt is used to guarantee that only authorized processes/users can do maintenance. The Endpoint Maintenance dialog is used to create and save a ticket for this service. This provisional permission to modify, repair, or remove the client, registry keys, or special directories, can be sent to computers or users.
This key value works in conjunction with the Client Hardening value established in the Default Options dialog (see Default options on page 109). If the client hardening option is set to Basic you do not need salt. If the client hardening option is set to Extended you need to enter or query the salt and relax the protection using the endpoint maintenance. The generated ticket can be saved and transported to the client computer(s) by any available mean (shared directory, email, or removable device).
Do not use the Send to right-click menu option to transfer the Maintenance ticket file, use Copy
and Paste instead.
If the client machine is not reachable, you can always get the salt value and hardening status
of the client computer by right-clicking its PGP Endpoint Client Drivers icon located on the system bar and selecting Endpoint Maintenance from the context menu.
PGP Endpoint Application Control User Guide 4.3.0 19
Chapter 2: Using PGP Endpoint Application Control Suite
You must enable the Remote Registry service on Windows Vista machines if you want to
query the Salt value using the PGP Endpoint Management Console. This service is disabled by default in this operating system. A workaround is to ask the user to provide this value.
Client ticket rules
The client ticket follows these rules:
1. The maintenance ticket is unique and per machine. You cannot generate the same ticket for several computers (even though you are allowed to do so if the client hardening option is set to Basic).
2. A validity period can be defined for the ticket. After this period, if the ticket has not been accepted it is no longer accepted by clients. Once the ticket is accepted, there is no time limit for its use. To deactivate the ticket you must reboot the machine.
3. If the maintenance ticket is generated for a specific user, this user must be logged to accept it. If this is not the case, the ticket is rejected.
4. If you choose to relax the client hardening value by creating and using a maintenance ticket for a computer without choosing a user and another user logs into the same machine, the computer continues in a relaxed state until the next reboot.
5. Your comments appear on the audit log. You can review them by using the Log Explorer module (see on Chapter 9: Monitoring activities using the Log Explorer page 65).
The client protection mechanism can also be temporary deactivated when using the PGP Endpoint Client Deployment Tool. The protection is reactivated and reset to its previous
setting after the clients reboot. Please consult the PGP Endpoint Setup Guide for more details.
To create and save maintenance tickets for endpoint machines/users
1. Select the TOOLS ENDPOINT MAINTENANCE item from the menu bar (or the Control Panel).
2. Select the salt value. (If the client hardening option is set to Basic you do not need salt. If the client hardening option is set to Extended you need to enter or query the salt for the machine you are using to relax.) Use the QUERY button to obtain the salt value directly from the client computer. Use the right­click context menu of PGP Endpoint Client Drivers icon when the machine is not connected to the network.
3. Select the validity period for the ticket.
4. Select the user(s) and/or computer for which this ticket is valid.
5. Add any valuable comments in the corresponding field.
6. Click on the SAVE button, choose a suitable location, click on SAVE and then on CLOSE.
Figure 10. Endpoint Maintenance
You can save this ticket (ticket.smt) and transfer it to selected computers by means of an email or external device the machine(s) needs to have the required permissions to access the device if using PGP Endpoint Device
20 PGP Endpoint Application Control User Guide 4.3.0
Chapter 2: Using PGP Endpoint Application Control Suite
Item Use t
o…
See page
Control. You can also save directly to the ticket directory of the necessary online machine. This maintenance ticket must then be copied to the predefined ticket directory in the client computer(s). See the PGP Endpoint
Setup Guide for a description of the registry keys. As previously explained, this ticket also depends of the Client Hardening option value.

Reports menu

The Reports menu (on the menu bar), leads to the following functions:
File Groups by User Select one or more Users and/or Groups and generate a report of the File Groups Users by File Group Select one or more File Groups and generate a report of the Users and Groups User Options Display all the user options defined in the system. 104
Machine Options Display all the computer options defined in the system. 105 Online Machines Show all machines currently recognized by the PGP Endpoint Administration
Server Settings Find out how your PGP Endpoint Administration Server(s) is configured. This is
In addition to the standard reports that are available through the Reports menu, you can define
they may use. given access to them.
Server that you are connected to. provides you with very useful configuration and troubleshooting information.
Table 5. The Reports Menu
102 103
106 107
your own criteria for selecting log entries and producing reports using the Log Explorer module. For more information see Chapter 9: Monitoring activities using the Log Explorer on page 65.

Explorer menu

The Explorer menu (on the menu bar) changes depending on the module you are using (as selected in the ViewModules menu or using the Control Panel).
Item Use to
In the Database Explorer module
Assign Change the File Group to which a file is assigned. Manage file groups Add, rename and delete a File Group. See page 47 for more details. Choose columns To organize the panels columns
In the Exe Explorer module
Map Network Drive Assign a drive letter (map) to any shared resource on a network. Doing this, you can quickly and easily Disconnect
Network Drive Assign Change the File Group to which a file is assigned. Manage File Groups Choose columns To organize the panels columns.
In the Log Explorer module
Fetch log Obtain the latest log from a client computer. See page 91 for details. Manage File Groups
In the Scan Explorer module
Perform scan Scan a computer to identify executable files, scripts and macros that need to be authorized. Select scans Choose the two scans you want to compare. Assign Change the File Group to which a file is assigned. Manage File Groups Choose columns To organize the panels columns.
In the User Explorer module
access the resource by using the letter instead of a full path qualifier. Remove the letter assignation from any shared resource on a network. This is the opposite operation than that done with the Map Network Drive command.
Add, rename, and delete a File Group. See page 47 for more details.
Add, rename, and delete a File Group. See page 47 for more details.
Add, rename, and delete a File Group. See page 47 for more details.
No options are available in the Explorer menu for this module.
Table 6. The Explorer Menu

Window menu

The Window menu controls the navigation and display of various elements of the Management Console window:
Use this item To
PGP Endpoint Application Control User Guide 4.3.0 21
Chapter 2: Using PGP Endpoint Application Control Suite
Cascade Place all open windows in an overlapping arrangement. Tile Lay all open windows side by side in a non-overlapping fashion.
Table 7: The Window menu items

Help menu

The Help menu gives you handy access to on-line help.
Use this item To
Help Access context-sensitive help. You can also use the shortcut function key F1. Contents View the Help file by contents. Search Search for a specific topic in the Help file. Index Go directly to the helps index page. About Display information about your installed version of PGP Endpoint. PGP on the Web Go to the PGPs home page, where you can find up-to-date information, resources, support, etc. about
PGP Knowledgebase
this and other useful products. Direct access to PGPs knowledge database. An invaluable source of tips, questions and answers, and how-to articles.
Table 8. The Help Menu
22 PGP Endpoint Application Control User Guide 4.3.0

Chapter 3: An overview of authorization strategies

PGP Endpoint protects your organizations servers and computers by permitting only authorized applications to run on them unknown executable files that are not required for the authorized applications (or the operating system) are blocked by default. In addition, PGP Endpoint can also protect your system from running many unauthorized scripts and macros (as these contain commands that are interpreted either by host applications running on the computers, or the Windows operating system itself even though they are not Win32 executables).
The PGP Endpoint system offers several strategies for managing the running/blocking of executables, scripts and macros. These include:
> Central authorization using digital signatures. This is the main method used to secure your servers and
computers against unwanted executables, scripts and macros known or unknown. Your organization centrally manages authorizations by establishing a list of the executables, scripts and macros that are specifically approved by an authorized PGP Endpoint administrator (in a white list’) and checking whether the digital signatures (hashes) of files users want to run are in this list.
> Central authorization by file location (path). This enables you to control executable files for which digital
signatures are not useful or applicable. You can establish Path Rules to handle exceptions, for example, auto-changing executable files. You can also define Trusted Owners to reinforce security.
> Local authorization. You can choose to grant some local users limited rights to authorize additional
executables, scripts and macros unknown files that they may require for their work.
Most executable files can be identified by their file extensions. File extensions such as .exe, .com, .dll (dynamic link library), .cpl (control panel), .scr (screen-saver), .drv, and .sys (system driver) normally denote executable files. When deciding whether a file is authorized to run PGP Endpoint does not rely on file extensions but lets the operating system determine whether a file is an executable. If so, PGP Endpoint checks whether the digital signature of the file is listed in its white list of allowed files (in the case of central authorization using digital signatures).
Scripts and macros are more difficult to identify than executables. PGP Endpoint can only recognize, and centrally manage, the following types of scripts and macros:
> VBScripts and JScripts that are interpreted by the Windows Script Host (using cscript.exe and wscript.exe).
These scripts are text files written using the grammar and semantics of the appropriate language. To be recognized by PGP Endpoint your script files must have the appropriate file extension either .vbs or .js.
 File names are only available for scripts interpreted by cscript.exe and wscript.exe. This means,
for example, that Java scripts executed by Internet Explorer cannot be centrally managed.
> Visual Basic scripts (VBA macros) that execute within Microsoft Office and other host applications. These are
embedded in Word documents, Excel spreadsheets, and so on.
PGP Endpoint also contains a mechanism to prevent the malicious spread of locally authorized files. If it detects that an unknown executable, script, or macro has been locally authorized on a certain number of servers or computers within the defined period, it can disable the executable and the local authorization capability.
We take a closer look at the various authorization strategies in the following sections.

Central authorization using digital signatures

The primary, and most powerful, method that PGP Endpoint uses to control executable files, scripts and macros involves identifying individual files that a user wants to run based on their digital signatures. PGP Endpoint either
PGP Endpoint Application Control User Guide 4.3.0 23
blocks these or allows them to run depending whether the files are in an authorized white list and whether the user (or user group containing the user) has been granted to the right to run them.
Central authorization using digital signatures typically controls all the applications required to manage and maintain the organizations servers (including the operating system itself), and applications and scripts that are specific to your business.
Chapter 3: An overview of authorization strategies
 Previous versions of PGP Endpoint did not let administrators authorize scripts and macros
using digital signatures only executable files.
 Central authorization using digital signatures works in combination with local authorization of
executables, scripts and macros, and the Execution blocking and Macro and Script protection options to either grant or deny authorization for a particular executable file, script, or macro. Also see Local Authorization on page 113, and Macro and Script protection on page 116.
Central authorization of executables, scripts, and macros using digital signatures involves the following steps:
1. Building a list of executables, scripts, and macros that are authorized to run. This list can be assembled by running a scan of target systems (using the Scan Explorer), by searching designated directories (using the Exe Explorer), or by using the Authorization Wizard, the Log Explorer, or the Versatile File Processor Tool. See Chapter 5: Building a white list of authorized files on page 33.
2. Creating a unique digital signature for each approved executable, script, or macro. PGP Endpoint examines the binary contents of the executable files, scripts and MS office macros, calculates a 20-character alphanumeric digital signature (or hash), and records this information in a central repository.
The list of centrally authorized executables, scripts, and macros is the white list of programs trusted within your organization, and that you want all or some users/user groups to be able to run at any time.
 Visual Basic scripts (VBA macros) can be embedded in many Microsoft Office formats, such as
.doc, .dot, .xls, and, .ppt files. In this case, a hash is created for the whole file, not just the macro.
3. Organizing approved executables, scripts and macros files into File Groups. An authorized PGP Endpoint administrator assigns the files identified in step 2 to particular File Groups, such as Windows Operating System. This simplifies the administration of related and/or interdependent files.
4. Associating File Groups with users or user groups. An authorized PGP Endpoint administrator then determines which users, and/or user groups, have access to which File Groups. This means that a particular user can only run a particular application, script, or macro if they have the appropriate privileges to do so.
5. Downloading authorization information to protect your computers. The digital signatures of centrally approved files are downloaded to each users machine and stored in a secure location on their local hard drive. PGP Endpoint references this locally stored authorization list whenever the user (or a server administrator) attempts to launch an executable file or run an identifiable script or macro.
 It is particularly important to centrally authorize operating system files and driver files (such as
the video card user interface, atiptaxx.exe) that execute before the user logs on.
You can set up and maintain the white list of files PGP Endpoint uses for central authorization using:
> The Database Explorer module (see Chapter 10: Managing files using the Database Explorer on page 95). > The Exe Explorer module (see Selecting files to authorize using the Exe Explorer on page 37). > The Log Explorer module (see Using the Log Explorer module to authorize unknown files on page 91). > The Scan Explorer module (see Using the Scan Explorer module on page 39). > Authorization Wizard, FileTool.exe, or the AuthSrv.exe tools (see Using the Authorization Wizard on page 44).
For more information, see Chapter 5: Building a white list of authorized files on page 33.
24 PGP Endpoint Application Control User Guide 4.3.0
Chapter 3: An overview of authorization strategies

Central authorization by file location (path)

For a small number of applications, security based on file hashes simply does not work. For example, some executables are modified as part of the installation procedure, typically to embed licensing information. In some cases, internal applications change frequently, however you trust the modified files, as they are run under the control of trusted administrators.
 You cannot authorize scripts and macros by file location (Path Rules) only executable files.
To allow for applications of this sort, PGP Endpoint lets you to authorize all executables that run from a specified location, determined by the path of the file: Executable files in the specified directory location are exempted from normal hash checking. They are presumed to be from a trusted source, so they are allowed to run.
To add a layer of protection to this type of authorization, you can have the system check the identity of the files owner and only execute files that belong to trusted owners.
Central authorization by file location is set up using the Path Rules option of the Tools menu (or from the Control Panel). See Chapter 7: Authorizing files by location (Path Rules) on page 53 for more information.

Local authorization of executables, scripts, and macros

Local authorization relies on local users discretion to determine for themselves at the time of running a file, whether it should be allowed or not. By default, PGP Endpoint does not permit users to perform local authorization. Occasionally however, you may wish to give a user the right to locally authorize an application required for their productivity, such as to run a special executable, macro, or script once.
 In order to permit local authorization of executables, scripts and macros the Local
Authorization’, ‘Execution blocking and Macro and Script protection options must have the required values. See Chapter 12: Setting PGP Endpoint system options on page 109.
 For a user to be asked if they want to authorize or deny an executable, script, or macro, the file
must be assigned to a File Group and the user must be assigned permission to use files in that File Group (either explicitly as a user, or through membership of a User Group).
 PGP Endpoint contains a spread check mechanism to prevent the malicious spread of locally
authorized files. If PGP Endpoint detects that an unknown executable, script, or macro has been locally authorized too many times within the defined period, it disables the local authorization capability and the executable.
 When a user creates or records a new macro in Microsoft Office (i.e. not by loading it from a
file), the macro is not intercepted and the user can run it without notification.

Local authorization of files that are not centrally authorized

Let us consider the situation when a user attempts to run an executable, script, or macro that has not been centrally authorized, i.e. whose digital signature (hash) has not been included in the white list of files that are authorized to run (provided the user has the appropriate permissions).
We also assume that:
> The Local Authorization option (see Local Authorization on page 113) has an Enabled value either by
default (for all machines) or for the specific computer on which the user wants to run the file. and
> The Local Authorization option has not been disabled because the Spread Check mechanism is enacted to
stop self-propagating code. See Preventing the malicious spread of locally authorized files on page 26 for more information.
and
PGP Endpoint Application Control User Guide 4.3.0 25
> The Execution Blocking option has a value of Ask user for *.exe onlyor Ask user always either for the user,
one of the groups of which he is a member, specific computer on which the user wants to run the file, or by default (for all users or machines). See Examples of the precedence of Execution Blocking options on page 125 for more information.
In addition, in the case of a script or a macro, the Macros and script protection option must either have a value of Ask User or Disabled either for the user, one of the groups of which he is a member, or by default (for all users).
When the user attempts to execute a file that is not centrally authorized the following takes place:
1. The user gets an alert message explaining that the executable, script, or macro has not been centrally authorized. This alert message emphasizes the potential risks of authorizing this file and displays details about it, such as its path, internal name, filename, description, and alleged source of origin.
Chapter 3: An overview of authorization strategies
Figure 11: Local authorization dialog
2. Within the alert dialog, the user can then choose one of the following actions:
> Authorize To allow the script or macro to execute for this one time and one computer only. Once
authorized, this prompt does not appear again.
> Deny To prevent the execution, as the source of the executable, script, or macro is not fully trusted. > Deny all To prevent execution of this and future scripts and macros.
 You can reset the Deny all local authorization setting, if required, by right-clicking on the PGP
Endpoint Client icon in the system tray of the machine running the client and selecting the option in the context menu.
 If the user does not respond within the time-out period (two minutes by default), the dialog
automatically disappears and the file is denied.
 Some applications, such as Windows Media Player, start several scripts when they are loaded.
The user is prompted for each script launched by the application if the Ask User option is set.
Whether the executable is authorized or denied, the PGP Endpoint system logs the action.

Preventing the malicious spread of locally authorized files

PGP Endpoint contains a mechanism to prevent the malicious spread of locally authorized files. If the PGP Endpoint system detects that an unknown executable, script, or macro has been locally authorized on a certain number of servers or computers within the defined period, it immediately disables the executable and the local authorization capability. This does not disable the already running authorized executables, however self­propagating viruses and worms are stopped in their tracks.
 If you have more than one PGP Endpoint Administration Server on your network, only one of
them should be assigned the job of spread checking.
26 PGP Endpoint Application Control User Guide 4.3.0
Loading...
+ 153 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use