PGP Endpoint Application Control User Guide - PGP Endpoint Application Control Version 4.4 SR1 Released: August 2009
Document Number: 02_104P_4.4 SR1_092391106
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the
US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered
trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a
trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks
of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered
trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business
Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH
and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X
are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered
trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech
AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent
rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of
California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a
Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under
the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL.
If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact
PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent
applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License (http://www.opensource.org/licenses/mit-license.html).
• PCRE version
• Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations
promulgated from time to time by the Bureau of Export Administration, United States Department of
Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of
the End User License Agreement provided with the software. The information in this document is subject
to change without notice. PGP Corporation does not warrant that the information meets your requirements
or that the information is free of errors. The information may include technical inaccuracies or typographical
errors. Changes may be made to the information and incorporated in new editions of this document, if and
when made available by PGP Corporation.
Table of Contents
Preface: About This Document................................................................13
Open Ports by Firewall Exception.......................................................................199
Open Ports by Active Directory Policy................................................................200
- 11 -
Table of Contents
- 12 -
Preface
About This Document
This User Guide is a resource written for all users of PGP Endpoint Application Control 4.4 SR1.
This document defines the concepts and procedures for installing, configuring, implementing,
and using PGP Endpoint Application Control 4.4 SR1.
Tip:
PGP documentation is updated on a regular basis. To acquire the latest version of this or
any other published document, please refer to the PGP Support Portal Web Site (https://
support.pgp.com).
Typographical Conventions
The following conventions are used throughout this documentation to help you identify various
information types.
Convention      Usage
bold            Buttons, menu items, window and screen objects.
bold italics    Wizard names, window names, and page names.
italics         New terms, options, and variables.
UPPERCASE       SQL commands and keyboard keys.
monospace       File names, path names, programs, executables, command syntax, and property names.
Getting Assistance
Getting Product Information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files
that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product.
Release notes are also available, which may have last-minute information not found in the
product documentation.
Contacting Technical Support
• To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).
• To access the PGP Support Knowledge Base or request PGP Technical Support, please visit the PGP Support Portal Web Site (https://support.pgp.com).
Note:
You may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
• For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/company/contact/index.html).
• For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
• To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user community support forums hosted by PGP Corporation.
Chapter 1
PGP Endpoint Application Control Overview
In this chapter:
• Product Overview
• Server, Database and Client Process
• System Requirements
PGP Endpoint application and device control solutions include:
• PGP Endpoint Device Control, which prevents unauthorized transfer of applications and data by controlling access to input and output devices, such as memory sticks, modems, and PDAs.
• PGP Endpoint Device Control client for Embedded Devices, which moves beyond the traditional desktop and laptop endpoints to a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network-attached storage devices and the myriad of other systems running Microsoft® Windows XP Embedded.
• PGP Endpoint Application Control, which delivers granular control of application execution in an enterprise environment.
• PGP Endpoint Application Control Terminal Services Edition, which extends application control to Citrix® or Microsoft Terminal Services® environments that share applications among multiple users.
• PGP Endpoint Application Control Server Edition, which delivers application control to protect enterprise servers, such as web servers, e-mail servers, and database servers.
Product Overview
PGP Endpoint software is based on a multi-tier software architecture that processes and stores data for Application Control and Device Control. Users can interact with the application through the client interface. A separate Management Server Console provides a user interface for network administrators.
The primary components of the PGP Endpoint Application Control solution are:
• The PGP Endpoint database, which serves as the central repository of authorization information for devices and applications.
• One or more Administration Servers, which communicate between the database, the protected clients, and the PGP Endpoint Management Server Console.
• The PGP Endpoint Management Server Console, which provides the administrative user interface for the PGP Endpoint Administration Server.
• The PGP Endpoint client, which is installed on each computer, either endpoint or server, that you want to protect.
The following figure illustrates the relationships between the PGP Endpoint components.
Figure 1: PGP Endpoint Component Relationships
Server, Database and Client Process
The Administration Server communicates between the database and the protected client
computers.
The following describes the communication process flow between the Administration Servers,
database, and clients when using Application Control.
Figure 2: Application Control Process Flow
System Requirements
The following sections describe the minimum system requirements necessary for successful
installation of PGP Endpoint 4.4 SR1 and the languages supported by the client.
Important: For installation or upgrade to PGP Endpoint version 4.4 SR1:
• You must have a new license file that is valid specifically for version 4.4.
• Existing license files issued before PGP Endpoint version 4.4 will not work with the PGP Endpoint Administration Server and may cause your Administration Servers to stop working. The PGP Endpoint 4.4 license must be installed before you install or upgrade the PGP Endpoint database, and then the Administration Server.
• Request a new license file using the Downloads tab on the PGP Licensing and Entitlement Management System (LEMS) (https://lems.pgp.com/account/login).
Minimum Hardware Requirements
The minimum PGP Endpoint hardware requirements depend upon your network environment, including the type of database supported, the number of Administration Servers you need to support a distributed network, and the number of subscribed clients.
The hardware requirements for PGP Endpoint Application Control 4.4 SR1 vary depending upon the number of servers and clients you manage. The following minimum hardware requirements will support up to:
• 200 connected PGP Endpoint clients for PGP Endpoint Device Control
• 50 connected PGP Endpoint clients for PGP Endpoint Application Control
Table 1: Minimum Hardware Requirements
Database:
• 1 GB (4 GB recommended) memory
• Pentium® Dual-Core CPU or AMD equivalent
• 3 GB minimum hard disk drive
• 100 Mbit/s NIC
Administration Server:
• 512 MB (1 GB recommended) memory
• Pentium® Dual-Core CPU or AMD equivalent
• 3 GB minimum hard disk drive
• 100 Mbit/s NIC
Management Server Console:
• 512 MB (1 GB recommended) memory
• 15 MB hard disk drive for installation, and 150 MB additional for application files
• 1024 by 768 pixel display
Client:
• 256 MB (1 GB recommended) memory
• Pentium Dual-Core CPU or AMD equivalent
• 10 MB hard disk drive for installation, and several additional GB for the full shadowing feature of PGP Endpoint Device Control
• 100 Mbit/s NIC
Supported Operating Systems
PGP Endpoint supports multiple Microsoft Windows operating systems for the Administration Server, Management Server Console, database, and client.
The operating system requirements for PGP Endpoint Application Control 4.4 SR1 components are outlined as follows.
Table 2: Operating System Requirements
Database, one of the following:
• Microsoft Windows® XP Professional Service Pack 2 or higher (SP2+) (32-bit)
• Microsoft Windows XP Service Pack 2 (SP2) (64-bit)
• Microsoft Windows Server® 2003 Service Pack 2 (SP2) (32- and 64-bit)
• Microsoft Windows Server 2008 (32- and 64-bit)
• Microsoft Windows Server 2008 R2 (64-bit only)
Administration Server, one of the following:
• Microsoft Windows Server 2003 SP2 (32-bit)
• Microsoft Windows Server 2008 (32- and 64-bit)
• Microsoft Windows Server 2008 R2 (64-bit only)
Management Server Console, one of the following:
• Microsoft Windows XP Professional SP2+ (32-bit)
• Microsoft Windows Server 2003 SP2 (32-bit)
• Microsoft Windows Server 2008 (32- and 64-bit)
• Microsoft Windows Server 2008 R2 (64-bit only)
• Microsoft Windows Vista™ SP1+ (32- and 64-bit)
• Microsoft Windows 7 (32- and 64-bit)
Client, one of the following:
• Microsoft Windows® 2000 Server Service Pack 4 or higher (SP4+) (32-bit)
• Microsoft Windows 2000 Professional SP4+ (32-bit)
• Microsoft Windows XP Professional Service Pack 2 or higher (SP2+) (32- and 64-bit)
• Microsoft Windows Server 2003 SP2 (32- and 64-bit)
• Microsoft Windows Server 2008 (32- and 64-bit)
• Microsoft Windows Server 2008 R2 (64-bit only)
• Microsoft Windows Vista SP1+ (32- and 64-bit)
• Microsoft Windows 7 (32- and 64-bit)
• Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2) (32-bit)
• Microsoft Windows Embedded Point of Service (WEPOS) (32-bit)
• Microsoft Windows XP Tablet PC Edition (32-bit)
• Citrix Access Gateway™ 4.5
• Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/SR2+ (32-bit)
• Citrix Presentation Server 4.5 for Windows Server 2003 SP1/SR2+ (32- and 64-bit)
Supported Databases
PGP Endpoint supports multiple releases of Microsoft® SQL Server®. You should choose the database instance required by your network operating environment and the number of Administration Servers and subscribed clients the application must support.
The database requirements for PGP Endpoint Application Control 4.4 SR1 components are outlined as follows.
Table 3: Database Requirements
Database, one of the following:
• Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and 64-bit)
• Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)
• Microsoft SQL Server 2008
• Microsoft SQL Server 2008 Express Edition
Other Software Requirements
The PGP Endpoint Application Control 4.4 SR1 release requires the following additional
software.
Additional software requirements for PGP Endpoint Application Control 4.4 SR1 components are
outlined as follows.
Table 4: Other Software Requirements
Database: No additional software requirements.
Administration Server: Install Microsoft® Certificate Authority for PGP Endpoint Device Control encryption, if you will be encrypting removable storage devices for Windows user accounts. See Microsoft Certificate Authority (http://technet.microsoft.com/en-us/library/cc756120.aspx) for additional information about certificates.
Management Server Console: Microsoft Visual C++ 2008 Redistributable Package.
Client: No additional software requirements.
Recommended Configuration
To get the most from PGP Endpoint Application Control 4.4 SR1 in a Microsoft Windows environment, configure your database and client components using the following suggested settings.
The recommended configurations for PGP Endpoint Application Control 4.4 SR1 components are outlined as follows. These settings represent the usual default settings, but should be confirmed before beginning PGP Endpoint installation.
Table 5: Recommended Configuration
Database:
• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
• Change the Windows Performance settings to prioritize background applications.
• If you are using Active Directory, configure a corresponding Domain Name System (DNS) server as Active Directory (AD) integrated and create a reverse lookup zone, to provide name resolution within the PGP Endpoint Management Server Console.
Administration Server: None recommended.
Management Server Console: None recommended.
Client:
• Configure the NIC to receive its IP address from the DHCP service.
• Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
Client Supported Languages
The PGP Endpoint Application Control 4.4 SR1 client user interface text is available in the following languages:
• English
• French
• Italian
• German
• Spanish
• Japanese
• Simplified Chinese
• Traditional Chinese
• Russian
• Dutch
• Portuguese
• Swedish
Chapter 2
Using Application Control
In this chapter:
• Getting Started with PGP Endpoint Application Control
• The File Authorization Setup Process
• Accessing the Management Server Console
• Common Functions within the Management Server Console
• License Expiration
The Management Server Console allows the user to communicate with an Administration Server to send and retrieve file authorization data from the database. The data is sent from the server to a client, thereby establishing application control on the client. The Management Server Console provides direct access to system management, configuration, file authorization, reporting, and logging functions.
Getting Started with PGP Endpoint Application Control
Get started with Application Control by installing the application, which includes all server and database components, the Management Server Console, and the clients. Then you use the Management Server Console to define administrator roles and the file authorization rules that determine which executable files, scripts, and macros each user can run.
You must begin the installation process with a clean machine that fulfills the minimum software and hardware requirements. You must resolve all hardware and software conflicts prior to installing PGP Endpoint solutions and install the latest operating system and database service packs.
Refer to the following processes to identify tasks when installing Application Control.
Figure 3: PGP Endpoint Installation
The File Authorization Setup Process
After successfully installing Application Control, an administrator uses the Management Server Console to configure and define the user access permissions and file authorization rules that specify which executable files, scripts, and macros each user can run in a PGP Endpoint environment, as described by the following process flow.
You can use standard Microsoft file definitions to quickly build a central file authorization list for executable files, macros, and scripts.
You can assign administrator access rights using the User Access tool. An Administrator has restricted access to the Management Server Console and can be assigned various administrative roles by an Enterprise Administrator.
After defining Administrator roles, you can use the User Access tool to assign the defined roles to Administrators.
File groups simplify the process of administering large numbers of executable, script, and macro files for users. Instead of authorizing files individually, you can group them logically by creating file groups.
PGP Endpoint verifies which file group is associated with an executable, script, or macro and whether the user has permission for that file group. You can assign specific permissions to local users and user groups. Only authorized applications and scripts assigned to a user or a user group can run on the client.
After creating the file groups and parent-child relationships you want to use, you can assign file groups to users or user groups.
You can create a template and scan a target computer running the client. You can scan all files on a computer, or you can create a template to scan selected directories or specific file types (for example, *.exe, *.com, *.dll, *.ocx, *.sys, *.drv, *.cpl, *.vbs, *.js) to reduce the scan time required.
After you create the necessary file groups and required parent-child relationships, you can assign executable files, scripts, and macros to file groups.
Activating Execution Blocking prohibits user access to unauthorized files. Local authorization is permitted only for administrators and the LocalSystem account.
Once you identify all your files, categorize them into file groups, and assign the file groups to users or user groups, these files are centrally authorized and immediately available to be run by all allowed users.
When a user wants to run an executable, script, or macro, the following actions take place automatically:
• The operating system identifies the file as an executable, script, or macro and prepares it for execution, but does not yet run it.
• Before the operating system is allowed to execute the file, PGP Endpoint reads the entire file content and computes its hash (the product refers to this hash as the file's digital signature).
• The hash is compared with the hashes of the authorized files stored in the central file authorization list.
• If, and only if, the file corresponds exactly to a file in the central file authorization list, that is, the hashes are identical, and that file is authorized for execution by the user or machine that requested it, the file is executed. Because the comparison is made on content, a file that matches an authorized file only by name or path but differs in content does not match, while an authorized file keeps its authorization if it is merely renamed or moved.
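The execution check just described, together with the file group and user permission model from The File Authorization Setup Process, as an added Python illustration. This is not PGP Endpoint's own code, and the page does not document the product's hash algorithm, data structures or enforcement hook, so SHA-256, the in-memory tables, the scan_directory and AuthorizationList names, and the sample files (constructed byte strings, not real executables) are all assumptions made for the example.

```python
"""Hash-based execution allow-listing, modelled on the file group and user
permission scheme described above.  Added illustration, not PGP Endpoint code:
the product's hash algorithm, storage format and enforcement hook are not
described on this page, so SHA-256 and the tables below are assumptions."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Set, Tuple

# File types taken from the scan-template example on this page.
SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".ocx", ".sys", ".drv", ".cpl", ".vbs", ".js"}


def file_hash(path: str) -> str:
    """Hash the entire file content (the page calls this the file's 'digital signature')."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, extensions: Set[str] = SCAN_EXTENSIONS) -> Dict[str, str]:
    """Scan template: hash every file under root whose extension is in the template.
    Returns {hash: relative path}; the hash is the identity, the path is informational."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                found[file_hash(full)] = os.path.relpath(full, root)
    return found


class AuthorizationList:
    """Central file authorization list: hash -> file group, principal -> file groups."""

    def __init__(self) -> None:
        self.hash_to_group: Dict[str, str] = {}
        self.permitted: Dict[str, Set[str]] = {}   # user or user group -> file groups
        self.membership: Dict[str, Set[str]] = {}  # user -> user groups

    def assign_file(self, digest: str, file_group: str) -> None:
        self.hash_to_group[digest] = file_group

    def grant(self, principal: str, file_group: str) -> None:
        self.permitted.setdefault(principal, set()).add(file_group)

    def add_member(self, user: str, user_group: str) -> None:
        self.membership.setdefault(user, set()).add(user_group)

    def check_execution(self, user: str, path: str) -> Tuple[bool, str]:
        """Allow only if the content hash is in the list AND its file group is
        granted to the user or to one of the user's groups."""
        group = self.hash_to_group.get(file_hash(path))
        if group is None:
            return False, "hash not in central authorization list"
        for principal in {user} | self.membership.get(user, set()):
            if group in self.permitted.get(principal, set()):
                return True, f"file group '{group}' granted to '{principal}'"
        return False, f"file group '{group}' not granted to '{user}'"


def demo() -> Dict[str, bool]:
    """Constructed sample: the fake 'executables' are plain bytes, not real PE files."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        calc = os.path.join(root, "bin", "calc.exe")
        tool = os.path.join(root, "bin", "admintool.exe")
        with open(calc, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE: calc\n")
        with open(tool, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE: admintool\n")
        with open(os.path.join(root, "bin", "readme.txt"), "w") as f:
            f.write("not scanned: extension is not in the template\n")

        auth = AuthorizationList()
        scanned = scan_directory(root)
        for digest, rel in scanned.items():
            auth.assign_file(digest, "Admin Tools" if "admintool" in rel else "Standard Apps")
        auth.grant("Domain Users", "Standard Apps")
        auth.grant("Admins", "Admin Tools")
        auth.add_member("alice", "Domain Users")
        auth.add_member("bob", "Domain Users")
        auth.add_member("bob", "Admins")

        # Renaming or moving does not change the hash, so the copy stays authorized.
        renamed = os.path.join(root, "notcalc.scr")
        shutil.copyfile(calc, renamed)
        # One changed byte changes the hash, so this look-alike is not in the list.
        patched = os.path.join(root, "calc.exe")
        with open(patched, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE: calc!\n")

        return {
            "scanned_two_files": len(scanned) == 2,
            "alice_calc": auth.check_execution("alice", calc)[0],
            "alice_renamed_calc": auth.check_execution("alice", renamed)[0],
            "alice_patched_calc": auth.check_execution("alice", patched)[0],
            "alice_admintool": auth.check_execution("alice", tool)[0],
            "bob_admintool": auth.check_execution("bob", tool)[0],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "allowed" if allowed else "denied")
```

The results show the point the page makes: the copy renamed to notcalc.scr is still allowed because identity is the content hash, not the name, extension or path, while the look-alike calc.exe that differs by one byte is denied simply because its hash is absent from the list, and alice is denied admintool.exe even though it is authorized, because her file groups do not include it. A real enforcement point must hash the bytes the operating system will actually map, at the moment of execution; hashing a path earlier and trusting that result later would let a file swapped in between the check and the load run unchallenged.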
Accessing the Management Server Console
Access to the Administration Server is controlled using the login and logout functions
provided by the Management Server Console. Only authorized administrators may access the
Administration Server.
The Management Server Console is a Windows application that conforms to standard
conventions. From the Management Server Console, you navigate through the system with
menu bars, scroll bars, icons, lists, and checkboxes.
Logging In to the Management Server Console
You access the application by logging in to the Management Server Console.
1. Start the Management Server Console.
Step Result: Each time you access the Management Server Console, the Connect to PGP Endpoint Management Server Console dialog appears.
2. From the Administration Server drop-down list, select the Administration Server you want to connect to.
You can also type the server in the Administration Server field as an IP address (with the port in square brackets, if required), a NetBIOS name, or a fully qualified domain name.
3. Select one of the following options:
Use current user: By default the system connects to the Administration Server using the credentials of the currently logged-on user.
Log in as: Type the user name in the Username field and the password in the Password field.
Tip: Prefix the user name with the workstation name and a backslash for a local user, and with the domain name and a backslash for a domain user.
4. Click OK.
Step Result: The Connect to PGP Endpoint Management Server Console dialog closes.
Result: The PGP Endpoint Management Server Console window opens.
Logging Out of the PGP Endpoint Management Server Console
When you log out from the Management Server Console you can choose to terminate the administrative session or disconnect from the Administration Server.
1. Select File from the navigation bar.
2. Select one of the following options:
Disconnect: The Management Server Console remains open.
Exit: The PGP Endpoint Management Server Console closes.
Result: Either the Disconnect or the Exit action terminates your current administrative session.
Common Functions within the Management Server Console
PGP Endpoint uses standard browsing conventions and navigational functions.
Features specific to the Management Server Console include menu selections for Modules,
Tools, and Reports. From the console, you can access the PGP Endpoint Control Panel
features that you have administrative user access for. You can use the navigation bar to access
administrative options and PGP Endpoint control features.
Viewing the Management Server Console
The Management Server Console graphically displays the administrative user features for the application.
The Management Server Console window is divided into four panels:
• The Control Panel provides access to PGP Endpoint modules, tools, reports, and help functions.
• The main panel displays a window for the module currently selected from the Control Panel. Modules remain open and arranged as stacked tabs until closed.
• The Connection panel shows information about the current user. You can use the scrollbar to navigate through the text.
• The Output panel displays system processing information and error messages.
You can also view the following bars in the Management Server Console window:
• The navigation bar provides access to different PGP Endpoint functions and commands. Some of these commands and functions depend on the module you are currently using.
• The status bar displays information about the condition of the console.
Figure 4: Management Server Console
Common Conventions
This application supports conventions common to most Windows applications.
Table 6: Common User Interface Conventions
Entry Fields: Type data into these fields, which allow the system to retrieve matching criteria or to enter new information.
Drop-Down Menus: Display a list from which to select preconfigured values.
Command Buttons: Perform specific actions when clicked.
Check Boxes: A check box is selected or cleared to enable or disable a feature. Some lists also include a Select All check box that lets you select all the available listed items on that page.
Radio Buttons: Select the button to select an item.
Sort: Data presented in tables can be sorted in ascending (default) or descending order within a column by clicking an (enabled) column header.
Mouseovers: Additional information may be displayed by hovering your mouse pointer over an item.
Auto Refresh: Where present and when selected, the auto refresh function automatically refreshes the page every 15 seconds.
Scrollbars: Drag to see additional data that does not fit the window.
Tabs: Click on the tab name to switch to different information related to the specific page or dialog.
Bread Crumb: Where present, names the page you are currently viewing, that page's parent page (if applicable), and the navigation menu item that opened the displayed page. If viewing a page that is a child of another page, you can view the parent page by clicking the bread crumb, which also serves as a link, allowing you to retrace your steps.
Tip: All list pages support right-click.
Using the Management Server Console Control Panel
The Control Panel, adjacent to the Management Server Console main window, provides access to the Modules, Tools, Reports, and Help administrative user features.
You can perform the following tasks using the Control Panel:
• Use the application control Modules to administer routine PGP Endpoint control tasks.
• Generate Reports for users, file groups, PGP Endpoint clients, and administrator actions.
• Perform system administrative tasks using Tools.
• Get Help.
Resizing and Repositioning Panels
You can resize and reposition the Management Server Console panels.
You can customize the appearance of the main window as follows:
• Drag a panel, by selecting the title bar, to any position on the main page.
• Float a panel in any position in the window, to share the main window with open Modules.
• Dock a panel to minimize its appearance in the main window. The docked panel appears as a tab at the edge of the main window.
• Scroll across an active panel.
• Close an active panel by clicking the Close icon.
• Double-click a panel title bar to return it to its original position on the main screen.
• Right-click a floating panel title bar to display a drop-down menu to restore, move, size, minimize, maximize, or close the panel.
Use the icons listed in the following table to resize or reposition a panel:
Table 7: Resizing and Repositioning Panels (icon functions)
• Float a panel
• Dock a panel
• Scroll left or right
• Close an active panel
Organizing Columns for Display
You can customize the graphical display for columns in the Log Explorer module.
You can reorganize columns by headings only for the Log Explorer module.
1. Select the Log Explorer module from the PGP Endpoint Control Panel.
Step Result: The Explorer window opens for the module you select.
2. Right-click the table header row of the Explorer main window.
Step Result: A right-mouse menu opens showing all available columns for display. The
menu options shown vary according to the PGP Endpoint control module you
select and your license type.
3. Select a column name from the list. A check beside the column name enables the column for
display in the Explorer window.