PGP Endpoint Application Control - 4.4 SR5 User Guide

User Guide
PGP Endpoint Application Control 4.4 SR5
PGP Endpoint Application Control
Notices
Version Information
PGP Endpoint Application Control User Guide - PGP Endpoint Application Control Version 4.4SR5 - Released: September 2010
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgements
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
• Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
• bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
• Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
• Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License, http://www.opensource.org/licenses/mit-license.html.
• PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge, © 1997-2006. The license agreement is at http://www.pcre.org/license.txt.
• BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org).
• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
• Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University, © 1989, 1991, 1992; Networks Associates Technology, Inc., © 2001-2003; Cambridge Broadband Ltd., © 2001-2003; Sun Microsystems, Inc., © 2003; Sparta, Inc., © 2003-2006; Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
• NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by the OpenBSD Project is released under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
• PC/SC Lite, a free implementation of PC/SC, a specification for SmartCard integration, is released under the BSD license.
• Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
• PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
• PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
• JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright 2006 The JacORB Project.
• TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACEcopying.html.
• libcURL, a library for downloading files via common network services, is open source software provided under an MIT/X derivative license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996-2007, Daniel Stenberg.
• libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
• gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.
• Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Table of Contents

Preface: About This Document................................................................................................................................11
Typographical Conventions........................................................................................................................................................11
Getting Assistance......................................................................................................................................................................11
Chapter 1: PGP Endpoint Application Control Overview...................................................................................13
Product Overview.......................................................................................................................................................................14
Application Control Server, Database and Client Process........................................................................................................16
System Requirements.................................................................................................................................................................16
Minimum Hardware Requirements......................................................................................................................................17
Supported Operating Systems..............................................................................................................................................18
Supported Databases............................................................................................................................................................21
Other Software Requirements..............................................................................................................................................21
Recommended Configuration.............................................................................................................................................. 22
Client Supported Languages................................................................................................................................................22
Chapter 2: Using Application Control.................................................................................................................... 23
Getting Started with PGP Endpoint Application Control......................................................................................................... 23
The File Authorization Setup Process....................................................................................................................................... 24
Accessing the Management Server Console............................................................................................................................. 26
Logging In to the Management Server Console.................................................................................................................26
Logging Out of the Management Server Console.............................................................................................................. 27
Common Functions within the Management Server Console...................................................................................................27
Viewing the Management Server Console..........................................................................................................................27
Common Conventions..........................................................................................................................................................28
Using the Management Server Console Control Panel.......................................................................................................29
Resizing and Repositioning Panels..................................................................................................................................... 29
Organizing Columns for Display.........................................................................................................................................30
Using the File Menu............................................................................................................................................................31
Using the View Menu..........................................................................................................................................................31
Using the Tools Menu.........................................................................................................................................................32
Using the Reports Menu......................................................................................................................................................33
Using the Explorer Menu....................................................................................................................................................33
Using the Window Menu.................................................................................................................................................... 34
Using the Help Menu.......................................................................................................................................................... 34
PGP Endpoint Application Control Modules......................................................................................................................35
License Expiration......................................................................................................................................................................35
Chapter 3: Using the Authorization Wizard..........................................................................................................37
Working with the Authorization Wizard...................................................................................................................................37
Authorizing Executable Files...............................................................................................................................................38
Chapter 4: Using Modules........................................................................................................................................43
Working with Scan Explorer.....................................................................................................................................................44
Creating a File Scanning Template ....................................................................................................................................44
Scanning Files on a Client Computer................................................................................................................................. 47
Comparing Scans................................................................................................................................................................. 49
Modifying File Authorization..............................................................................................................................................51
Local Authorization............................................................................................................................................................. 51
Working with the Exe Explorer ............................................................................................................................................... 53
Setting Up the Exe Explorer Default Options.................................................................................................................... 53
Adding a File Group............................................................................................................................................................54
Renaming a File Group....................................................................................................................................................... 55
Deleting a File Group..........................................................................................................................................................56
Working with User Explorer..................................................................................................................................................... 56
About File Groups............................................................................................................................................................... 56
File Group by User Tab.....................................................................................................................................................57
The User by File Group Tab...............................................................................................................................................61
Working with Database Explorer.............................................................................................................................................. 63
The Files Tab.......................................................................................................................................................................65
The Groups Tab...................................................................................................................................................................68
Working with Log Explorer.......................................................................................................................................................70
The Log Explorer Window..................................................................................................................................................71
Navigation Control Bar........................................................................................................................................................71
Column Headers...................................................................................................................................................................72
Log Explorer Templates...................................................................................................................................................... 79
Select and Edit Templates Dialog.......................................................................................................................................84
Template Settings Dialog.....................................................................................................................................................87
Criteria/Properties Panel...................................................................................................................................................... 98
Results Panel/Custom Report Contents...............................................................................................................................98
Upload Latest Log Files....................................................................................................................................................102
Chapter 5: Using Tools........................................................................................................................................... 105
Synchronizing Domains........................................................................................................................................................... 106
Synchronizing Domain Members......................................................................................................................................106
Synchronizing Domain Users............................................................................................................................................107
Database Clean Up...................................................................................................................................................................107
Deleting Database Records................................................................................................................................................108
Defining User Access...............................................................................................................................................................109
Assigning Administrators...................................................................................................................................................110
Defining Administrator Roles............................................................................................................................................111
Assigning Administrator Roles..........................................................................................................................................113
Defining Default Options.........................................................................................................................................................114
Default Options Page.........................................................................................................................................................114
Default Option Precedence Rules......................................................................................................................................121
Changing Default Options.................................................................................................................................................127
Managing Path Rules............................................................................................................................................................... 127
Creating a Path Rule for All Users...................................................................................................................................129
Creating a Path Rule for a User or User Group............................................................................................................... 132
Modifying a Path Rule...................................................................................................................................................... 135
Deleting a Path Rule..........................................................................................................................................................137
Defining a Trusted Owner.................................................................................................................................................138
Deleting a Trusted Owner................................................................................................................................................. 140
Defining Spread Check............................................................................................................................................................141
Enabling Spread Check......................................................................................................................................................141
Sending File Authorization Updates to Computers.................................................................................................................142
Sending Updates to All Computers...................................................................................................................................142
Sending Updates to a Single Computer............................................................................................................................142
Working with Standard File Definitions................................................................................................................................. 143
Importing Standard File Definitions..................................................................................................................................144
Exporting File Authorization Settings..................................................................................................................................... 145
Exporting Settings..............................................................................................................................................................146
Importing Settings..............................................................................................................................................................146
Working with Endpoint Maintenance......................................................................................................................................147
Creating Endpoint Maintenance Tickets........................................................................................................................... 148
Chapter 6: Using Reports.......................................................................................................................................151
About Reports...........................................................................................................................................................................151
Reporting by User Role...........................................................................................................................................................151
Working with Reports..............................................................................................................................................................152
Opening a Report...............................................................................................................................................................152
Closing a Report................................................................................................................................................................ 152
Saving a Report..................................................................................................................................................................152
Printing a Report................................................................................................................................................................153
Available Reports...............................................................................................................................................................153
File Groups by User.......................................................................................................................................................... 154
User by File Group............................................................................................................................................................155
User Options.......................................................................................................................................................................156
Machine Options................................................................................................................................................................157
Client Status....................................................................................................................................................................... 158
Server Settings................................................................................................................................................................... 159
Chapter 7: Using PGP Endpoint Client Deployment..........................................................................................161
PGP Endpoint Client Deployment Window............................................................................................................................162
Packages Panel...................................................................................................................................................................162
Packages Menu...................................................................................................................................................................163
Computers Panel................................................................................................................................................................ 163
Computers Menu................................................................................................................................................................164
Creating Deployment Packages............................................................................................................................................... 165
Adding Computers....................................................................................................................................................................168
Deploying Packages................................................................................................................................................................. 170
Querying Client Status.............................................................................................................................................................174
Appendix A: PGP Endpoint Administrative Tools..............................................................................................177
Using the PGP Endpoint Authorization Service Tool.............................................................................................................177
Scheduling Domain Synchronization.......................................................................................................................................181
Manage Administrator Rights..................................................................................................................................................183
Using PGP Endpoint with Novell........................................................................................................................................... 184
Using Novell Shared Data File Directory.........................................................................................................................184
Running the Novell Synchronization Script......................................................................................................................185
Opening Firewall Ports............................................................................................................................................................ 186
Open Ports by Firewall Exception.................................................................................................................................... 186
Open Ports by Active Directory Policy............................................................................................................................ 187
- 10 -
Preface

About This Document

This User Guide is a resource written for all users of PGP Endpoint Application Control 4.4 SR5. This document defines the concepts and procedures for installing, configuring, implementing, and using PGP Endpoint Application Control 4.4 SR5.
Tip:
PGP documentation is updated on a regular basis. To acquire the latest version of this or any other published document, please refer to the PGP Support Portal Web Site (https://support.pgp.com).

Typographical Conventions

The following conventions are used throughout this documentation to help you identify various information types.
Table 1: Typographical Conventions
Convention              Usage
bold                    Buttons, menu items, window and screen objects.
bold italics            Wizard names, window names, and page names.
italics                 New terms, options, and variables.
MONOSPACE UPPERCASE     Keyboard keys.
BOLD UPPERCASE          SQL commands.
monospace               File names, path names, programs, executables, command syntax, and property names.

Getting Assistance

Getting Product Information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which may have last-minute information not found in the product documentation.
PGP Endpoint Application Control
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).
To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com).
Note:
You may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/company/contact/index.html).
For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user community support forums hosted by PGP Corporation.
Chapter 1

PGP Endpoint Application Control Overview

In this chapter:
Product Overview
Application Control Server, Database and Client Process
System Requirements
PGP offers a complete portfolio of solutions for controlling the use of software applications and devices in your computing environment.
PGP Endpoint solutions include:
PGP Endpoint Device Control, which prevents unauthorized transfer of applications and data by controlling access to input and output devices, such as memory sticks, modems, and PDAs.
PGP Endpoint Device Control client for Embedded Devices, which moves beyond the traditional desktop and laptop endpoints to a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network area storage devices and the myriad of other systems running Microsoft® Windows XP® Embedded.
PGP Endpoint Application Control, which delivers granular control of application execution in an enterprise environment.
PGP Endpoint Application Control Terminal Services Edition, which extends application control to Citrix® or Microsoft Terminal Services® environments that share applications among multiple users.
PGP Endpoint Application Control Server Edition, which delivers application control to protect enterprise servers, such as web servers, e-mail servers, and database servers.

Product Overview

PGP Endpoint software is based on a multi-tier software architecture that processes and stores data for Application Control and Device Control. Users can interact with the application through the client interface. A separate Management Server Console provides a user interface for network administrators.
The primary components of the PGP Endpoint Application Control solution are:
The Application Control database which serves as the central repository of authorization information for devices and applications.
One or more Administration Servers that communicate between the database, the protected clients, and the Management Server Console.
The Management Server Console, which provides the administrative user interface for the Administration Server.
The Application Control client, which is installed on each computer, either endpoint or server, that you want to protect.
The following figure illustrates the relationships between the PGP Endpoint components.
Figure 1: Application Control Component Relationships

Application Control Server, Database and Client Process

The Administration Server communicates between the database and the protected client computers. The following describes the communication process flow between the Administration Servers, database, and clients when using Application Control.
Figure 2: Application Control Process Flow

System Requirements

The following sections describe the minimum system requirements for a successful installation of PGP Endpoint, and the languages supported by the client.
The listed specifications are minimums; larger network environments may require additional hardware and software resources. The system requirements for PGP Endpoint are listed in the following topics.

Minimum Hardware Requirements

The minimum PGP Endpoint hardware requirements depend upon your network environment: the type of database used, the number of Administration Servers you need to support a distributed network, and the number of subscribed clients. The following minimum hardware requirements will support up to:
200 connected PGP Endpoint clients for PGP Endpoint Device Control
50 connected PGP Endpoint clients for PGP Endpoint Application Control
Table 2: Minimum Hardware Requirements
Database:
  1 GB (4 GB recommended) memory
  Pentium® Dual-Core CPU or AMD equivalent
  3 GB minimum hard disk drive
  100 Mbit/s NIC
Administration Server:
  512 MB (1 GB recommended) memory
  Pentium® Dual-Core CPU or AMD equivalent
  3 GB minimum hard disk drive
  100 Mbit/s NIC
Management Server Console:
  512 MB (1 GB recommended) memory
  15 MB hard disk drive for installation, and 150 MB additional for application files
  1024 by 768 pixel display
Client:
  256 MB (1 GB recommended) memory
  10 MB hard disk drive for installation, and several additional GB for the full shadowing feature of PGP Endpoint Device Control
  100 Mbit/s NIC

Supported Operating Systems

PGP Endpoint supports multiple Microsoft Windows operating systems for the Administration Server, Management Server Console, database, and client.
The operating system requirements for each PGP Endpoint component are outlined as follows.
Table 3: Operating System Requirements
Database, one of the following:
  Microsoft Windows® XP Professional Service Pack 2 or higher (SP2+) (32-bit)
  Windows XP Service Pack 2 (SP2) (64-bit)
  Microsoft Windows Server 2003, Standard Edition with Service Pack 2 (SP2) or later (32-bit)
  Microsoft Windows Server 2003, Enterprise Edition with SP2 or later (32-bit)
  Microsoft Windows Server 2008, Standard Edition with SP2 or later (32-bit and 64-bit)
  Microsoft Windows Server 2008, Enterprise Edition with SP2 or later (32-bit and 64-bit)
  Microsoft Windows Server 2008 R2 (64-bit only)
Administration Server, one of the following:
  Windows Server 2003, Standard Edition with SP2 or later (32-bit)
  Windows Server 2003, Enterprise Edition with SP2 or later (32-bit)
  Windows Server 2008, Standard Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008, Enterprise Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008 R2 (64-bit only)
Management Server Console, one of the following:
  Windows XP Professional SP2+ (32-bit)
  Windows Server 2003, Standard Edition with SP2 or later (32-bit)
  Windows Server 2003, Enterprise Edition with SP2 or later (32-bit)
  Windows Server 2008, Standard Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008, Enterprise Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008 R2 (64-bit only)
  Microsoft Windows Vista™ SP1+ (32- and 64-bit)
  Microsoft Windows 7 (32- and 64-bit)
Client, one of the following:
  Microsoft Windows® 2000 Server Service Pack 4 or higher (SP4+) (32-bit)
  Microsoft Windows 2000 Professional SP4+ (32-bit)
  Microsoft Windows XP Professional Service Pack 2 or higher (SP2+) (32- and 64-bit)
  Windows Server 2003, Standard Edition with SP2 or later (32-bit)
  Windows Server 2003, Enterprise Edition with SP2 or later (32-bit)
  Windows Server 2008, Standard Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008, Enterprise Edition with SP2 or later (32-bit and 64-bit)
  Windows Server 2008 R2 (64-bit only)
  Windows Vista SP1+ (32- and 64-bit)
  Windows 7 (32- and 64-bit)
  Microsoft Windows XP Embedded (XPe) Service Pack 2 (SP2) (32-bit)
  Microsoft Windows Embedded Point of Service (WEPOS) (32-bit)
  Microsoft Windows XP Tablet PC Edition (32-bit)
  Citrix Access Gateway™ 4.5
  Citrix Presentation Server™ 4.0 for Windows Server 2003 SP1/SR2+ (32-bit)
  Citrix Presentation Server 4.5 for Windows Server 2003 SP1/SR2+ (32- and 64-bit)

Supported Databases

PGP Endpoint supports multiple releases of Microsoft® SQL Server®. You should choose the database instance required by your network operating environment and the number of Administration Servers and subscribed clients the application must support.
The database requirements for PGP Endpoint components are outlined as follows.
Table 4: Database Requirements
PGP Endpoint Component Requirement
Database One of the following:
Microsoft SQL Server® 2005 Service Pack 2 or higher (SP2+) (32-bit and 64-bit)
Microsoft SQL Server 2005 Express Edition SP2+ (32-bit and 64-bit)
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Express Edition

Other Software Requirements

The additional software required by each PGP Endpoint component is outlined as follows.
Table 5: Other Software Requirements
Database: No additional software requirements.
Administration Server: If you will be encrypting Windows user accounts for centralized Device Control encryption, you will need to install an enterprise-level Certificate Authority. See Microsoft Certificate Authority (http://technet.microsoft.com/en-us/library/cc756120.aspx) for additional information about certificates.
  Attention: For centralized encryption, the Certificate Authority requirement applies to Device Control only.
  A Certificate Authority is also required to use secure communications between clients and servers, and between servers.
  Attention: For secure server communications, the Certificate Authority requirement applies to both Device Control and Application Control.
Management Server Console: Microsoft Visual C++ 2008 Redistributable Package.
Client: No additional software requirements.

Recommended Configuration

To get the most from PGP Endpoint in a Microsoft Windows environment, configure the database and client components as suggested below.
The recommended configurations for PGP Endpoint components are outlined as follows. These settings represent the usual default settings, but should be confirmed before beginning PGP Endpoint installation.
Table 6: Recommended Configuration
Database:
  Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
  Change the Windows Performance settings to prioritize background applications.
  If you are using Active Directory, configure a corresponding Domain Name System (DNS) server as Active Directory (AD) integrated and create a reverse lookup zone, to provide for name resolution within the Management Server Console.
  Configure the NIC to receive its IP address from the DHCP service.
Administration Server: None recommended.
Management Server Console: None recommended.
Client:
  Change the Windows Event Viewer settings to 1024 KB and choose to overwrite events as necessary.
Note: A 1024 KB event log that overwrites events as necessary retains very little history. If you rely on the Windows event logs for incident investigation, forward them to a central collector before applying this setting.

Client Supported Languages

The PGP Endpoint client supports multiple languages in text format. The PGP Endpoint client is supported in the following languages:
English
French
Italian
German
Spanish
Japanese
Simplified Chinese
Traditional Chinese
Russian
Dutch
Portuguese
Swedish
Chapter 2

Using Application Control

In this chapter:
Getting Started with PGP Endpoint Application Control
The File Authorization Setup Process
Accessing the Management Server Console
Common Functions within the Management Server Console
License Expiration
The Management Server Console allows the user to communicate with an Administration Server to send and retrieve file authorization data from the database. The data is sent from the server to a client, thereby establishing application control on the client. The Management Server Console provides direct access to system management, configuration, file authorization, reporting, and logging functions.

Getting Started with PGP Endpoint Application Control

Get started with Application Control by installing the application, which includes all server and database components, the Management Server Console, and the client. Then you use the Management Server Console to define user access permissions and file authorization rules.
You must begin the installation process with a clean machine that fulfills the minimum software and hardware requirements. You must resolve all hardware and software conflicts prior to installing PGP Endpoint solutions, and install the latest operating system and database service packs. Refer to the following processes to identify tasks when installing Application Control.
Figure 3: PGP Endpoint Installation

The File Authorization Setup Process

After successfully installing Application Control, an administrator uses the Management Server Console to define the administrator access permissions and the file authorization rules for the PGP Endpoint environment. These rules specify which executable files, scripts, and macros each user can run. The process flow is described below.
You can use standard Microsoft file definitions to quickly build a central file authorization list for executable files, macros, and scripts.
You can assign administrator access rights using the User Access tool. An Administrator has restricted access to the Management Server Console and can be assigned various administrative roles by an Enterprise Administrator.
After defining Administrator roles, you can use the User Access tool to assign the defined roles to Administrators.
File groups simplify the process of administering large numbers of executable, script, and macro files for users. Instead of individually authorizing files, you can group files together logically by creating file groups.
PGP Endpoint verifies which file group is associated with an executable, script, or macro and whether the user has access permission for the file group. You can assign specific permissions to local users and user groups. Only authorized applications and scripts assigned to a user or a user group can run on the client.
After creating the file groups and parent-child relationships you want to use, you can assign file groups to users or user groups.
You can create a template and scan a target computer running the client. You can scan all files on a computer, or you can create a template that scans only selected directories or specific file types (for example, *.exe, *.com, *.dll, *.ocx, *.sys, *.drv, *.cpl, *.vbs, *.js) to reduce the scan time required. Scan a known-clean reference computer: every file the scan finds and you assign to a file group becomes centrally authorized, so anything already present on a compromised host would be authorized along with it.
After you create the necessary file groups and required parent-child relationships, you can assign executable files, scripts, and macros to file groups.
Activating execution blocking prohibits user access to unauthorized files. Local authorization is permitted only for administrators and the LocalSystem account.
Once you identify all your files, categorize them into file groups, and assign the file groups to users or user groups, these files are centrally authorized and immediately available to be run by all allowed users.
When a user wants to run an executable, script, or macro, the following actions take place automatically:
The operating system identifies the file as an executable, script, or macro and prepares it for execution, but does not yet execute it.
PGP Endpoint intercepts the request and hashes the entire file content to obtain the file's digital signature. In this guide, "digital signature" means this content hash, not a code-signing certificate; because the hash covers the whole file content, the file's name and location play no part in the check.
The digital signature is compared with the digital signatures stored in the central file authorization list for files that are authorized to run.
The file runs if, and only if, its signature exactly matches a signature in the central file authorization list and that file is authorized for the user or computer requesting execution. Any change to the file content, however small, produces a different signature, and the changed file is treated as unauthorized until it is authorized again.
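The execution check above, together with the scan template described earlier in this chapter, as an added example in Python that is not part of this guide or of PGP's code: it scans a directory for the listed file types, hashes each file's entire content, records the hashes in an in-memory file authorization list with file groups assigned to users and user groups, and then runs the allow/deny decision. SHA-256, the in-memory dictionaries, and the sample files, users, and file group names are all assumptions made for the illustration; the guide does not name the hash algorithm, and the product keeps its list in SQL Server.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set

# File types the guide names for a scan template.
SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".ocx", ".sys", ".drv",
                   ".cpl", ".vbs", ".js"}


def file_signature(content: bytes) -> str:
    """The guide's "digital signature": a hash of the whole file content.

    It is not a code-signing certificate. SHA-256 is an assumption; the guide
    does not name the algorithm the product uses.
    """
    return hashlib.sha256(content).hexdigest()


def scan_directory(root: Path, extensions: Set[str] = SCAN_EXTENSIONS) -> Dict[str, str]:
    """Emulate a scan template: hash only files whose extension is selected."""
    found: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            found[path.relative_to(root).as_posix()] = file_signature(path.read_bytes())
    return found


class AuthorizationList:
    """In-memory stand-in for the central file authorization list.

    The product keeps this data in the SQL Server database; plain dicts are
    used here (an assumption) so the example runs offline.
    """

    def __init__(self) -> None:
        self.file_group_of: Dict[str, str] = {}         # signature -> file group
        self.principals_of: Dict[str, Set[str]] = {}    # file group -> users / user groups
        self.user_groups_of: Dict[str, Set[str]] = {}   # user -> user groups

    def add_to_file_group(self, signature: str, file_group: str) -> None:
        self.file_group_of[signature] = file_group

    def assign_file_group(self, file_group: str, principal: str) -> None:
        self.principals_of.setdefault(file_group, set()).add(principal)

    def add_user_to_group(self, user: str, user_group: str) -> None:
        self.user_groups_of.setdefault(user, set()).add(user_group)

    def may_execute(self, user: str, content: bytes) -> bool:
        """Decision taken when `user` tries to run a file, with execution blocking active.

        Only the content is an input: the file's name and location never enter
        the decision, and a hash that is not on the list is denied.
        """
        file_group = self.file_group_of.get(file_signature(content))
        if file_group is None:
            return False
        principals = {user} | self.user_groups_of.get(user, set())
        return bool(principals & self.principals_of.get(file_group, set()))


def demo() -> Dict[str, object]:
    """Scan constructed sample files, build the list, and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for real binaries and scripts (not real files).
        (root / "bin" / "calc.exe").write_bytes(b"MZ constructed calc image")
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed helper image")
        (root / "bin" / "logon.vbs").write_bytes(b'WScript.Echo "constructed"')
        (root / "readme.txt").write_bytes(b"not an executable, not scanned")

        scanned = scan_directory(root)

        auth = AuthorizationList()
        for rel_path, signature in scanned.items():
            group = "Logon Scripts" if rel_path.endswith(".vbs") else "Office Tools"
            auth.add_to_file_group(signature, group)
        auth.assign_file_group("Office Tools", "Domain Users")   # user group
        auth.assign_file_group("Logon Scripts", "LocalSystem")   # account
        auth.add_user_to_group("alice", "Domain Users")

        calc = (root / "bin" / "calc.exe").read_bytes()
        script = (root / "bin" / "logon.vbs").read_bytes()
        return {
            "scanned_count": len(scanned),                        # 3: readme.txt skipped
            "alice_runs_calc": auth.may_execute("alice", calc),   # True
            "patched_calc_blocked": not auth.may_execute("alice", calc[:-1] + b"!"),
            "alice_blocked_from_script": not auth.may_execute("alice", script),
            "unknown_user_blocked": not auth.may_execute("mallory", calc),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the file directly to print the five outcomes. Note that `may_execute` takes only the user and the file content: a renamed copy of an authorized file still runs, while a file that differs by a single byte does not, which is exactly the "if, and only if" behaviour described above.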

Accessing the Management Server Console

Access to the Management Server Console is controlled using the login and logout functions provided by the Management Server Console. Only authorized administrators may access the Administration Server.
The Management Server Console is a Windows application that conforms to standard conventions. From the Management Server Console, you navigate through the system with menu bars, scroll bars, icons, lists, and checkboxes.

Logging In to the Management Server Console

You access the application by logging in to the Management Server Console.
1. Select Start > Programs > PGP > Endpoint Security > Endpoint Management Server Console > PGP Endpoint Management Server Console.
   Step Result: Each time you access the Management Server Console, the Connect to PGP Endpoint Administration Server dialog appears.
2. From the Administration Server drop-down list, select the Administration Server you want to connect to.
   You can type the server name in the Administration Server field as an IP address (with the port in square brackets, if required), a NetBIOS name, or a fully qualified domain name.
3. Select one of the following options:
   Option           Description
   Use current user By default the system connects to the Administration Server using your credentials.
   Log in as        Type the user name in the Username field and type the password in the Password field.
                    Tip: Precede the user name by a computer workstation name and backslash for a local user, or by a domain name and backslash for domain users.
4. Click OK.
   Step Result: The Connect to PGP Endpoint Administration Server dialog closes.
Result:
The PGP Endpoint Management Server Console window opens.

Logging Out of the Management Server Console

When you log out from the Management Server Console you can choose to terminate the administrative session or to disconnect from the Administration Server.
1. To disconnect from the Administration Server, select File from the navigation bar.
2. Select one of the following options:
   Option      Description
   Disconnect  The Management Server Console remains open.
   Exit        The Management Server Console closes.
Result:
The Disconnect or Exit action terminates your current administrative session.

Common Functions within the Management Server Console

PGP Endpoint uses standard browsing conventions and navigational functions. Features specific to the Management Server Console include menu selections for Modules, Tools, and Reports.
From the console, you can access the PGP Endpoint Control Panel features that you have administrative user access for. You can use the navigation bar to access administrative options and PGP Endpoint control features.

Viewing the Management Server Console

The Management Server Console graphically displays the administrative user features for the application. The Management Server Console window is divided into four panels:
The Control Panel provides access to PGP Endpoint modules, tools, reports, and help functions.
The main panel displays a window for the module currently selected from the Control Panel. Modules remain open and arranged as stacked tabs until closed.
The Connection panel shows information about the current user. You can use the scrollbar to navigate through the text.
The Output panel displays system processing information and error messages.
You can also view the following bars in the Management Server Console window:
The navigation bar provides access to different PGP Endpoint functions and commands. Some of these commands and functions depend on the module you are currently using.
The status bar displays information about the condition of the console.
Figure 4: Management Server Console

Common Conventions

This application supports user interface conventions common to most Web applications.
Table 7: Common User Interface Conventions
Screen Feature    Function
Entry Fields      Type data into these fields, which allow the system to retrieve matching criteria or to enter new information.
Drop-Down Menus   Display a list of preconfigured values to select from.
Command Buttons   Perform specific actions when clicked.
Check Boxes       A check box is selected or cleared to enable a feature, disable a feature, or initiate a function for a list item. Some lists also include a Select All check box that lets you select all the available listed items on that page.
Radio Buttons     Select the button to select an item.
Sort              Data presented in tables can be sorted in ascending (default) or descending order within a column by clicking on an enabled column header.
Mouseovers        Additional information may be displayed by hovering your mouse pointer over an item.
Auto Refresh      Where present and when selected, the auto refresh function automatically refreshes the page every 15 seconds.
Scrollbars        Drag to see additional data that does not fit the window.
Tabs              Click on the tab name to switch to different information related to the specific page or dialog.
Bread Crumb       Names the page you are currently viewing, that page's parent page (if applicable), and the navigation menu item that opened the displayed page. If viewing a page that is a child of another page, you can view the parent page by clicking the bread crumb, which also serves as a link, allowing you to retrace your steps.
Tip: Most system pages support right-click.
Tip: Most system pages support right-click.

Using the Management Server Console Control Panel

The Control Panel, adjacent to the Management Server Console main window, provides access to the Modules, Tools, Reports, and Help administrative user features.
You can perform the following tasks using the Control Panel:
Use the application control Modules to administer routine PGP Endpoint control tasks.
Generate Reports for users, file groups, PGP Endpoint clients, and administrator actions.
Perform system administrative tasks using Tools.
Get Help.

Resizing and Repositioning Panels

You can resize and reposition the Management Server Console panels. You can customize the appearance of the main window as follows:
Drag a panel, by selecting the title bar, to any position on the main page.
Float a panel in any position in the window, to share the main window with open Modules.
Dock a panel to minimize the appearance in the main window. The docked panel appears as a tab at the edge of the main window.
Scroll across an active panel.
Close an active panel by clicking the Close icon.
Double-click a panel title bar to return it to its original position on the main screen.
Right-click a floating panel title bar to display a drop down menu to restore, move, size, minimize, maximize, or close the panel.
Use the icons listed in the following table to resize or reposition a panel:
Table 8: Resizing and Repositioning Panels
Icon    Function
(icon)  Float a panel
(icon)  Dock a panel
(icon)  Scroll left or right
(icon)  Close an active panel

Organizing Columns for Display

You can customize which columns are displayed, and how they are arranged, in the Log Explorer module. The Log Explorer module is the only module in which columns can be reorganized by heading.
1. Select the Log Explorer module from the PGP Endpoint Control Panel.
   Step Result: The Explorer window opens for the module you select.
2. Right-click the table header row of the Explorer main window.
   Step Result: A right-mouse menu opens showing all available columns for display. The menu options shown vary according to the PGP Endpoint control module you select and your license type.
3. Select a column name from the list. A check beside the column name enables the column for display in the Explorer window.
4. To organize columns, select Choose Columns....
   Step Result: The Choose Columns dialog opens.
Figure 5: Choose Columns Dialog