PGP Endpoint Device Control - 4.3 User's Guide

PGP Endpoint Device Control Version 4.3.0
User's Guide
Version Information
Copyright Information
Copyright © 1991-2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize Block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
• Libxml2, the XML C parser and toolkit developed for the Gnome project, is distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
• bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
• Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
• Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License, http://www.opensource.org/licenses/mit-license.html.
• PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge, © 1997-2006. The license agreement is at http://www.pcre.org/license.txt.
• BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org).
• Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
• Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc. © 2001-2003, Cambridge Broadband Ltd. © 2001-2003, Sun Microsystems, Inc. © 2003, Sparta, Inc. © 2003-2006, Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
• NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by the OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
• PC/SC Lite, a free implementation of PC/SC, a specification for SmartCard integration, is released under the BSD license.
• Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
• PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
• PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
• JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
• TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
• libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996-2007, Daniel Stenberg.
• libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
• gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.
• Windows Template Library (WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

About this guide ......................................................................................................... 7
Introduction ..................................................................................................................................... 7
Complete security .............................................................................................................................. 8
What's in this guide ........................................................................................................................... 8
Conventions ..................................................................................................................................... 9
Notational conventions .................................................................................................................. 9
Typographic conventions ................................................................................................................ 9
Keyboard conventions ................................................................................................................... 9
Getting Assistance ............................................................................................................................. 9
Getting product information ........................................................................................................... 9
Contacting Technical Support ......................................................................................................... 10
Chapter 1: Introducing PGP Endpoint Device Control .......................................................... 13
Welcome to PGP Endpoint Device Control................................................................................................ 13
What is PGP Endpoint Device Control ..................................................................................................... 13
What can you do with PGP Endpoint Device Control .................................................................................. 14
Benefits of using PGP Endpoint Device Control ......................................................................................... 14
Major features of PGP Endpoint............................................................................................................ 15
What is new on this version ................................................................................................................ 17
Device types supported ...................................................................................................................... 17
Conclusions ..................................................................................................................................... 20
Chapter 2: Using the PGP Endpoint Console ..................................................................... 21
Starting the PGP Endpoint Management Console ...................................................................................... 21
Connecting to the Server ............................................................................................................... 22
Log in as a different user............................................................................................................... 22
The PGP Endpoint Management Console screen ........................................................................................ 23
Customizing your workspace .......................................................................................................... 24
The PGP Endpoint Device Control modules .............................................................................................. 26
The PGP Endpoint Management Console menus and tools .......................................................................... 28
File menu .................................................................................................................................. 28
View menu ................................................................................................................................ 28
Tools menu ................................................................................................................................ 28
Endpoint Maintenance ................................................................................................................. 29
Reports menu ............................................................................................................................. 31
Explorer menu ............................................................................................................................ 32
Window menu ............................................................................................................................ 32
Help menu ................................................................................................................................. 32
Other administrative functions ............................................................................................................ 33
Setting and changing default options .............................................................................................. 33
Synchronizing domain members ..................................................................................................... 33
Synchronizing with Novell eDirectory ............................................................................................... 33
Adding workgroup computers......................................................................................................... 34
Performing database maintenance .................................................................................................. 34
Defining PGP Endpoint administrators .............................................................................................. 35
Sending updated permissions to client computers............................................................................... 37
Everyday work .................................................................................................................................38
Identifying and organizing users and user groups ...............................................................................38
Identifying the devices to be managed .............................................................................................38
Working with the PGP Endpoint systems pre-defined device classes ....................................................... 39
Adding your own, user-defined devices to the system ........................................................................ 40
Identifying specific, unique, removable devices ................................................................................ 40
Organizing devices into logical groups .............................................................................................. 41
Identifying specific computers to be managed ................................................................................... 42
Defining different types or permissions ............................................................................................ 42
Encrypting removable media & authorizing specific DVDs/CDs................................................................. 43
Forcing users to encrypt removable media ....................................................................................... 44
Practical setup examples ................................................................................................................... 44
DVD/CD burner permissions assignments .......................................................................................... 44
Removable permissions assignments .............................................................................................. 45
PGP Endpoint Device Control User Guide 4.3.0 1
Assigning permissions to groups instead of users ................................................................................ 45
Shadowing notes ........................................................................................................................ 45
Chapter 3: Using the Device Explorer ............................................................................. 49
How does the Device Explorer work ...................................................................................................... 50
Restricted and unrestricted devices ...................................................................................................... 51
Optimizing the way you use the Device Explorer ...................................................................................... 52
Context menu and drag & drop ...................................................................................................... 52
Keyboard shortcuts ...................................................................................................................... 52
Adding comments to an entry ........................................................................................................ 53
Computer groups ........................................................................................................................ 53
Renaming Computer Groups/Device Groups/Devices ............................................................................. 53
Event notification ....................................................................................................................... 54
Device Groups ............................................................................................................................ 57
Supported devices types .................................................................................................................... 58
Managing permissions ....................................................................................................................... 58
Chapter 4: Managing permissions/rules ......................................................................... 59
Using the Permissions dialog .............................................................................................................. 59
Special case: Working with Removable Storage Devices ........................................................................ 61
Using file filters ............................................................................................................................... 63
To remove File Filtering settings from a permission ............................................................................. 65
File Filtering examples ................................................................................................................. 66
Adding a user or group when defining permissions .................................................................................. 68
To assign default permissions ............................................................................................................. 69
Root-level permissions ................................................................................................................. 69
To assign default permissions to users and groups .............................................................................. 69
Priority of default permissions ........................................................................................................ 71
Read/Write permissions ................................................................................................................ 72
To assign computer-specific permissions to users and groups ..................................................................... 73
To modify permissions.................................................................................................................. 74
To remove permissions ................................................................................................................. 75
To assign scheduled permissions to users and groups ............................................................................... 75
To modify scheduled permissions.................................................................................................... 76
To remove scheduled permissions ....................................................................................................77
To assign temporary permissions to users ...............................................................................................77
To remove temporary permissions ................................................................................................... 78
To assign temporary permissions to offline users ..................................................................................... 78
To assign online and offline permissions ............................................................................................... 82
To remove offline or online permissions ........................................................................................... 83
To export and import permission settings .............................................................................................. 84
To manually export or import permissions settings ............................................................................. 84
Shadowing devices ........................................................................................................................... 85
To shadow a device ..................................................................................................................... 85
To remove the shadow rule ........................................................................................................... 87
To view a shadowed file ............................................................................................................. 87
Copy limit ....................................................................................................................................... 87
To add a copy limit ......................................................................................................................88
To remove a copy limit ................................................................................................................. 89
Applying multiple permissions to the same user ...................................................................................... 89
Forcing users to encrypt removable storage devices .................................................................................. 90
Setting permissions to force users to encrypt removable storage devices .................................................. 91
Managing devices ............................................................................................................................ 95
To add a new device .................................................................................................................... 95
To remove a device ...................................................................................................................... 97
Specific, unique, removable devices ................................................................................................ 97
Changing permissions mode .......................................................................................................... 97
Priority options when defining permissions ...................................................................................... 98
Informing client computers of permission changes .................................................................................. 99
Chapter 5: Using the Log Explorer ................................................................................ 101
Introduction .................................................................................................................................. 101
Monitoring user input/output device actions .................................................................................... 101
Monitoring administrator actions ................................................................................................... 103
Accessing the Log Explorer ................................................................................................................. 103
Log Explorer templates ..................................................................................................................... 104
To use an existing template .......................................................................................................... 105
Predefined templates .................................................................................................................. 105
To create and use a new template ................................................................................................. 107
Backing-up your templates .......................................................................................................... 108
Log Explorer window........................................................................................................................ 108
Navigation/Control bar ................................................................................................................ 109
Column headers ......................................................................................................................... 109
Results panel / custom report contents ............................................................................................ 114
Criteria/Properties panel .............................................................................................................. 116
Control button panel ................................................................................................................... 116
Select and edit templates window ....................................................................................................... 117
Template settings window ................................................................................................................. 119
General tab ............................................................................................................................... 120
Query & Output tab ..................................................................................................................... 120
Criteria ..................................................................................................................................... 121
The advanced view ..................................................................................................................... 123
Schedule tab ............................................................................................................................. 127
Viewing access attempts to devices ...................................................................................................... 130
Viewing client error reports ................................................................................................................ 131
Viewing shadow files ........................................................................................................................ 132
When the Data File Directory is not available .................................................................................... 133
Shadowing file names only ................................................................................................................ 134
DVD/CD Shadowing ........................................................................................................................... 134
Forcing the latest log files to upload .................................................................................................... 134
To manage devices using the Log Explorer module .................................................................................. 135
Viewing administrator activity ............................................................................................................ 136
Audit events .............................................................................................................................. 136
Chapter 6: Using the Media Authorizer ......................................................................... 139
Introduction ................................................................................................................................... 139
Creating a DVD/CD hash .................................................................................................................... 140
What happens when a user wants access to the DVD/CD...................................................................... 140
Accessing the Media Authorizer ........................................................................................................... 141
Authorizing users to use specific DVDs/CDs ............................................................................................. 141
Pre-requisites ........................................................................................................................... 141
To authorize the use of a specific DVD/CD .......................................................................................... 141
Encrypting removable storage devices .................................................................................................. 142
Pre-requisites ........................................................................................................................... 143
Decentralized encryption..............................................................................................................144
Limitations ...............................................................................................................................144
To encrypt a specific removable storage device ..................................................................................144
Removable device encryption methods comparison ........................................................................... 146
Problems encrypting a device ....................................................................................................... 146
Authorizing access .......................................................................................................................... 148
Selecting users for a device .......................................................................................................... 149
Selecting devices for a user .......................................................................................................... 150
Removing media from the database .................................................................................................... 151
To remove a DVD/CD .................................................................................................................... 151
To remove an encrypted removable storage device ............................................................................. 152
To remove lost or damaged media from the database ......................................................................... 152
Other Media Authorizer utilities .......................................................................................................... 153
To rename a DVD, CD, or removable storage device ............................................................................. 153
Exporting encryption keys ............................................................................................................ 153
Ejecting a CD or DVD ....................................................................................................................154
Recovering a password for decentralized encryption when connected ....................................................154
Permissions Priority ......................................................................................................................... 157
Encrypting devices without a Certificate Authority .................................................................................. 159
To encrypt a removable media without installing a Certificate Authority ................................................. 159
Chapter 7: Accessing encrypted media outside of your organization ................................... 161
Exporting encryption keys ................................................................................................................. 161
Exporting encryption keys centrally ................................................................................................ 161
Exporting encryption keys locally ................................................................................................... 161
To export the encryption key to a file .............................................................................................. 162
To export the encryption key to the device itself ................................................................................ 163
Accessing encrypted media outside your organization ............................................................................. 164
Accessing media on a machine with PGP Endpoint Client Driver installed ............................................... 164
Accessing media without using PGP Endpoint Client Driver .................................................................. 169
Using encryption inside and outside your organization ....................................................................... 174
Decentralized encryption ................................................................................................................... 175
How to configure PGP Endpoint so that users can encrypt their own devices ............................................ 175
Recovering a decentralized encryption password without PGP Endpoint Client .......................................... 175
Chapter 8: Setting and changing options ...................................................................... 181
Default options ............................................................................................................................... 181
Computer-specific options ................................................................................................................. 182
To change an option setting ............................................................................................................... 182
Sending updates to client computers .............................................................................................. 183
Individual option settings ................................................................................................................. 183
Certificate generation .................................................................................................................. 183
PGP Endpoint Device Control User Guide 4.3.0 3
Contents
Client hardening ........................................................................................................................ 183
Device log ................................................................................................................................ 184
Device log throttling ................................................................................................................... 184
eDirectory translation ................................................................................................................. 184
Encrypted media password ........................................................................................................... 185
Endpoint status ......................................................................................................................... 185
Log upload interval .................................................................................................................... 185
Log upload threshold .................................................................................................................. 185
Log upload time ........................................................................................................................ 186
Log upload delay ....................................................................................................................... 186
Online state definition ................................................................................................................ 186
Server address ........................................................................................................................... 187
Shadow directory ....................................................................................................................... 187
Update notification .................................................................................................................... 187
USB Keylogger ........................................................................................................................... 188
Checking settings on a client machine.................................................................................................. 188
Chapter 9: Generating PGP Endpoint Reports................................................................. 189
User Permissions report .................................................................................................................... 191
Device Permissions report ................................................................................................................. 192
Computer Permissions report ............................................................................................................. 193
Media by User report ........................................................................................................................ 194
Users by Medium report .................................................................................................................... 195
Shadowing by Device report .............................................................................................................. 196
Shadowing by User report ................................................................................................................. 197
Online Machines report .................................................................................................................... 198
Machine Options report .................................................................................................................... 199
Server Settings Report ..................................................................................................................... 200
Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data .................. 201
How it works .................................................................................................................................. 201
Limitations and supported media ....................................................................................................... 201
Pre-requisites ................................................................................................................................ 202
Encrypting a CD/DVD ......................................................................................................................... 202
To assign a user permission to encrypt a DVD/CD ................................................................................ 203
To assign a user permission to read an already encrypted DVD/CD ......................................................... 204
To encrypt a DVD/CD ................................................................................................................... 204
Using an already encrypted CD/DVD ..................................................................................................... 208
To use an already encrypted CD/DVD on a machine protected by PGP Endpoint ........................................ 208
To use an already encrypted CD/DVD on a machine not protected by PGP Endpoint ................................... 208
If you forget the CD/DVD password ...................................................................................................... 208
DVD/CD icons ................................................................................................................................. 208
Chapter 11: Using PGP-Encrypted Removable Devices ........................................................ 211
Introduction ................................................................................................................................... 211
Defining Permission Using the PGP Endpoint Management Console ............................................................. 212
To Allow Users to Encrypt a Device Using PGP WDE .............................................................................. 213
To Allow User to Use a PGP WDE Encrypted Removable Device ............................................................... 213
To Check the Client Status .................................................................................................................. 214
To Decrypt or Re-encrypt a Removable Device Using PGPs Desktop ............................................................. 214
Shadow ........................................................................................................................................ 215
Reports ......................................................................................................................................... 215
Using the Log Explorer ...................................................................................................................... 215
Auditing Logs ................................................................................................................................. 216
Appendix A: DVD/CD Shadowing .................................................................................. 219
Introduction .................................................................................................................................. 219
Operation of the PGP Endpoint Client Driver ..................................................................................... 219
Disk space requirements .............................................................................................................. 219
Supported formats when shadowing ................................................................................................... 220
Handling of unsupported shadowing formats ........................................................................................ 220
CD image analysis ............................................................................................................................ 221
Files ........................................................................................................................................ 221
Logs ........................................................................................................................................ 221
Saved image ............................................................................................................................. 221
Sample analysis log ......................................................................................................................... 221
Supported and unsupported CD formats ............................................................................................... 223
Summary ................................................................................................................................. 223
Supported data block formats and recording modes ........................................................................... 223
Supported and unsupported file system features ............................................................................... 223
Supported DVD/CD burning software ............................................................................................... 225
Appendix B: Important notes ..................................................................................... 227
Appendix C: PGP Endpoint Device Control encryption ...................................................... 231
Introduction ................................................................................................................................... 231
PGP Endpoint Device Control encryption ................................................................................................ 231
Centralized encryption using the Full Encryption Method .......................................................................... 231
Centralized encryption using Easy Exchange ........................................................................................... 232
Decentralized encryption ................................................................................................................... 232
How is the medium assigned to a user/user group ..................................................................................233
Centralized versus decentralized encryption ...........................................................................................233
Full Encryption vs. Easy Exchange ....................................................................................................... 235
Other available encryption methods ................................................................................................... 236
Access to encrypted data using the PGP Endpoint Client Driver ................................................................... 237
If a MS Enterprise Certificate Authority (CA) is installed ........................................................................ 237
If no MS Enterprise Certificate Authority (CA) installed ........................................................................ 238
Access to encrypted data outside the network ....................................................................................... 239
Accessing encrypted data outside the network when using Full Encryption ............................................. 239
PGP Endpoint Stand-Alone Decryption Tool, SADEC ............................................................................ 239
Accessing encrypted data outside the network when using Easy Exchange .............................................. 240
Encryption scenarios ....................................................................................................................... 243
Simple examples ....................................................................................................................... 243
Complex examples ..................................................................................................................... 244
Understanding Cryptography ..............................................................................................................247
Defining cryptography .................................................................................................................247
How do we achieve privacy? ............................................................................................................. 248
Signing communications ............................................................................................................. 249
The security principles of SDC encryption explained ................................................................................ 249
The AES algorithm ...................................................................................................................... 249
Public/private key based communication between SDC tiers ................................................................ 250
The Key Pair Generator ............................................................................................................... 250
Symmetric AES key public/private key based encryption ...................................................................... 250
Digital Signatures ...................................................................................................................... 250
Digital Signatures & Certificate Authorities (CA) .................................................................................. 251
The AES Algorithm ........................................................................................................................... 252
What is AES? ............................................................................................................................. 252
How does AES work? ................................................................................................................... 252
AES and PGP Endpoint Device Control ............................................................................................. 253
Why is AES so secure? ................................................................................................................. 253
Other useful info ............................................................................................................................ 254
What is considered as a removable media? ..................................................................................... 254
What happens if I have forgotten my password? ............................................................................... 254
Recovering a password when using decentralized encryption .............................................................. 254
What happens to my unencrypted data when I encrypt the device it is on?............................................. 254
How do I decrypt a device? .......................................................................................................... 254
Appendix D: PGP Endpoint's Architecture ...................................................................... 257
The whitelist approach ..................................................................................................................... 257
Concepts .................................................................................................................................. 257
Advantages/disadvantages of using a white list ................................................................................. 257
Whitelist and blacklist examples ................................................................................................... 258
A complete security solutions portfolio ................................................................................................ 258
PGP Endpoint Application Control Suite ........................................................................................... 259
PGP Endpoint Device Control ........................................................................................................ 259
PGP Endpoint for Embedded Devices .............................................................................................. 259
PGP Endpoint components ................................................................................................................ 259
The PGP Endpoint Database ......................................................................................................... 260
The PGP Endpoint Administration Server .......................................................................................... 261
PGP Endpoint Client Driver ........................................................................................................... 262
Protocol and ports ..................................................................................................................... 264
Operation overview .................................................................................................................... 265
Key usage ................................................................................................................................ 266
If the PGP Endpoint Administration Server is not reachable ................................................................. 266
The PGP Endpoint Management Console.......................................................................................... 270
Administration Tools ................................................................................................................... 271
Network communications ............................................................................................................. 272
PGP Endpoint Client Driver communications ...................................................................................... 272
PGP Endpoint Administration Server communications ......................................................................... 272
How PGP Endpoint works .................................................................................................................. 272
PGP Endpoint Application Control Suite ............................................................................................ 272
PGP Endpoint Device Control .........................................................................................................274
Glossary................................................................................................................. 279
Index of Figures ...................................................................................................... 285
Index of Tables ....................................................................................................... 291
Index .................................................................................................................... 293

About this guide

Introduction

PGP Endpoint provides policy-based control for all devices and applications that can be used on enterprise endpoints. Using a whitelist approach (see the detailed explanation in Appendix D: PGP Endpoint's Architecture), PGP Endpoint enables the development, enforcement, and auditing of policies for application and device use, in order to maintain IT security, reduce the effort and cost associated with supporting endpoint technologies, and ensure compliance with regulations. With a whitelist approach, administrators can concentrate on approving a short list of selected device/application accesses instead of banning devices/applications and maintaining endless blacklist subscriptions.
PGP Endpoint links application and device policies to eDirectory- and Active Directory-based identities, dramatically simplifying the management of endpoint application and device resources.
As a security officer or network administrator, you are not only aware of, but also concerned about, the potential damage a typical user can cause on your network. It has been proven that most attacks and damage originate inside the internal firewall, performed by employees intentionally or unintentionally. If the typical end user's abilities can be limited, then the scope of damage can also be restricted and, most probably, stopped. This is what the Least Privilege Principle advocates: give users only the access and privileges needed to complete the task at hand.
PGP Endpoint Device Control controls access to devices by applying permission rules to each device type. Based on the Least Privilege Principle, access to any device is prohibited by default for all users. To grant access, the administrator associates users or user groups with the devices or complete device classes for which they should have read and/or write privileges. In this way, PGP Endpoint Device Control extends the standard Windows security model to control input/output (I/O) devices.
The PGP Endpoint Device Control approach contrasts with traditional security solutions that use blacklists to specify devices that cannot be used. With PGP Endpoint Device Control, your IT infrastructure is protected from unauthorized devices until you decide to include them in the whitelist and, thus, authorize them.

Complete security

PGP offers a portfolio of security solutions for regulating your organization's applications and devices.
> Our PGP Endpoint Application Control Suite, which includes any of the following programs depending on your needs:
> PGP Endpoint Application Control Terminal Services Edition extends application control to Citrix or Microsoft Terminal Services environments, which share applications among multiple users.
> PGP Endpoint Application Control Server Edition delivers application control to protect your organization's servers, such as its Web server, email server, and database server.
> PGP Endpoint Device Control prevents unauthorized transfer of applications and data by controlling access to input/output devices, such as memory sticks, modems, and PDAs.
> PGP Endpoint for Embedded Devices moves beyond the traditional desktop and laptop endpoints and onto a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network-attached storage devices and the myriad of other systems running Windows XP Embedded.

What's in this guide

This guide explains how to use PGP Endpoint Device Control to control end user access to I/O devices, including floppy disk drives, DVD/CD drives, serial and parallel ports, USB devices, hot-swappable and internal hard drives, as well as other devices.
We have divided this manual into three sections:
Part I contains a general introduction to the PGP Endpoint Device Control program. It is strongly recommended that you review this section:
> Chapter 1: Introducing PGP Endpoint Device Control provides a high-level overview of PGP Endpoint Device Control, how it works and how it benefits your organization.
> Chapter 2: Using the PGP Endpoint Console describes the basic principles of how to use PGP Endpoint Device Control.
Part II contains reference material. It provides information about how to use each of the PGP Endpoint Device Control modules. The functionality of each module is explained in detail.
> Chapter 3: Using the Device Explorer explains how to set the Access Control List permissions on I/O devices.
> Chapter 4: Managing permissions/rules shows you how to create, delete, modify, organize and combine permissions and rules, and how to force a user to encrypt removable storage devices.
> Chapter 5: Using the Log Explorer provides information on how to view a copy of traced files, errors and access attempts on client computers, and how to display administrative logs and copies of files (known as shadow files) that users have written to or read from specific devices.
> Chapter 6: Using the Media Authorizer illustrates how to create a database of known DVDs/CDs and encrypted media, and how to assign their rights to individual users and groups.
> Chapter 7: Accessing encrypted media outside of your organization explains how to use encrypted media outside the company.
> Chapter 8: Setting and changing options describes how to customize default and computer-specific options for your organization.
> Chapter 9: Generating PGP Endpoint Reports explains how to obtain the HTML reports generated by PGP Endpoint Device Control.
> Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data demonstrates how to encrypt DVDs/CDs and use them outside your organization in a secure way.
> Chapter 11: Using PGP-Encrypted Removable Devices shows you how to define permissions to use removable devices encrypted with PGP in a PGP Endpoint-protected environment.
Part III contains additional information to help you in day-to-day operations.
> Appendix A: DVD/CD Shadowing describes how to copy the contents of files written to or read from DVD/CD (shadowing), the DVD/CD disk and file formats supported by the shadowing operations, and how to interpret the files written to the Log Explorer module.
> Appendix B: Important notes lists some key comments you should take into account when using PGP Endpoint Device Control.
> Appendix C: PGP Endpoint Device Control encryption gives a complete behind-the-scenes comparison between the different encryption methods available in PGP Endpoint Device Control and explains how this encryption is achieved.
> Appendix D: PGP Endpoint's Architecture provides you with an overview of the PGP Endpoint solution architecture.
> The Glossary provides definitions of standard acronyms and terms used throughout the guide.
> The several indexes (Index of Figures, Index of Tables, and Index) provide quick access to specific figures, tables, information, items, or topics.

Conventions

Notational conventions

The following symbols are used throughout this guide to emphasize important points about the information you are reading:
relate to other parts of the system or points that need particular attention.
Shortcut. Here is a tip that may save you time.
Caution. This symbol means that proceeding with a course of action introduces a risk: data loss or a potential problem with the operation of your system, for example.

Typographic conventions

The following typefaces are used throughout this guide:
> Italic Represents fields, menu commands, and cross-references.
> Fixed width Shows messages or commands typed at a command prompt.
> SMALL CAPS Represents buttons you click.

Keyboard conventions

A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R means that you hold down the ALT key while you press R.
A comma between two or more keys signifies that you must press each of them consecutively. For example, Alt, R, U means that you press each key in sequence.

Getting Assistance

For additional resources, see these sections.

Getting product information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which may have last-minute information not found in the product documentation.
Once PGP Endpoint is released, additional information regarding the product is entered into the online Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).

Contacting Technical Support

> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).
> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit the PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
> For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/company/contact/index.html).
> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user community support forums hosted by PGP Corporation.
Part I: Administration
Chapter 1: Introducing PGP Endpoint Device Control
This chapter introduces PGP Endpoint Device Control, and explains how it benefits your organization, protects your data, and improves your productivity. It also contains an overview of the entire PGP Endpoint system and an explanation of how the program works.

Welcome to PGP Endpoint Device Control

PGP Endpoint Device Control eliminates many of the dangers associated with the abuse of network resources and mission-critical information from within your organization. PGP Endpoint Device Control enhances security by controlling end-user access to I/O devices, including:
> Floppy disk drives
> DVD/CD drives
> Serial and parallel ports
> USB devices
> Hot-swappable and internal hard drives
> and other devices
This is a very effective way of preventing data leakage and theft of electronic intellectual property and proprietary information.
PGP Endpoint Device Control also prevents the upload and installation of malicious code, unlicensed software, and other counterproductive applications on your system, preventing inappropriate use of corporate resources that can incur unnecessary expenses.
PGP Endpoint Device Control allows you to increase employee productivity and lower corporate legal liabilities while protecting your organization's reputation, image, and assets.

What is PGP Endpoint Device Control

PGP Endpoint Device Control controls access to I/O devices by applying an Access Control List (ACL) to each device type. By default, access to any device is prohibited for all users. Designated administrators can assign access and permissions to specific users or groups of users for the devices that they require in their day-to-day tasks. These permissions can be temporary, online or offline, scheduled, copy limit, shadow (a copy of transferred data), read, read/write, and so on.
The PGP Endpoint Device Control approach contrasts with traditional security solutions that maintain a list of specific devices that cannot be used, which has administrators scrambling to update systems whenever a new class of device is introduced. With PGP Endpoint Device Control, your IT infrastructure is protected from any kind of device until you sanction its use.

What can you do with PGP Endpoint Device Control

As previously stated, using PGP Endpoint Device Control you can boost your IT security levels by:
> Controlling and managing I/O devices through any port, including USB, FireWire, WiFi, Bluetooth, etc.
> Preventing data theft and data leakage
> Preventing malware introduction via removable media
> Auditing I/O device usage
> Blocking USB keyloggers (hardware devices that capture and save all keystrokes)
> Encrypting removable media
> Enabling regulatory compliance
and many other features enumerated in this introductory chapter. With PGP Endpoint Device Control, you can add or change access rights quickly and without the need to reboot the computer, while controlling and monitoring all activities from a central location. This solution is network friendly and uses a three-tiered architecture that minimizes policy-checking traffic.
Actual control is performed within the client computer itself and is transparent to the user. Because the implementation of the control feature is also local, the protection of PGP Endpoint Device Control extends to employees using disconnected laptops, delivering the same security regardless of their physical location.
PGP Endpoint Device Control allows you to do the following:
> Define user- and group-based permissions on all or specific machines.
> Prevent unknown devices from being installed on your networks.
> Authorize particular device types within a class.
> Uniquely identify individual devices.
> Schedule I/O access for a predefined time or day of the week.
> Create temporary device access (same day or planned for a future timeframe).
> Restrict the amount of data copied to a device.
> Assign administrator roles.
> Create shadow files (i.e. copies of transferred data) of all data written or read, to or from external devices or specific ports.
> Encrypt media with the powerful AES algorithm.
> Block some media (DVDs/CDs) while permitting other specific ones to be used.
> Force specific users and user groups to encrypt their removable devices.
You can find a full list of characteristics in the Major features section on page 15.

Benefits of using PGP Endpoint Device Control

The advantages of using PGP Endpoint Device Control include the following:
> Strict user policy enforcement: With no more data leakage, you are in control of the four Ws: who, where, what, and when.
> Specific device permission rules: Permissions enforce a specific organization-approved model.
> Administrator action logging: A complete report of what your administrators are doing.
> Comprehensive reporting: Useful information to keep everything under the strictest control. For example, you can create a daily or weekly scheduled report of all user attempts to access an unauthorized device.
> Data scrutiny: You can optionally enable a copy (shadow) of all data written/read to/from certain devices.
> Copied data restrictions: You have the choice of establishing a daily limit on, or simply stopping, data being written to external devices.
> Media restrictions: Define in advance which DVDs/CDs can be used in your company.
> Data encryption: Encrypt data as it is being written to a device.

Major features of PGP Endpoint

PGP Endpoint Device Control is designed for large organizations with complex needs. It offers many powerful features such as:
Centralized device access management
PGP Endpoint Device Control's core functionality is its ability to centrally define and manage access to devices on the computer for users, user groups, computers, and computer groups.
Intuitive user interface
Access to devices is controlled using a native Access Control List, arranged in the same way as navigating through files and folders in Windows Explorer. You can apply permissions at different levels: users, user groups, all machines, machine groups, specific machines, groups of devices, or even specific devices.
Novell support
PGP Endpoint Device Control fully supports Novell's eDirectory/NDS structure. The Novell eDirectory trees are synchronized using an external script. These objects appear in the Device Explorer structure, and permissions and rules can be assigned to them explicitly. Administrators can schedule the synchronization script using the Windows Task Scheduler (see PGP Endpoint Setup Guide).
Support for a wide variety of device types and buses
You can grant or deny access permissions for a wide variety of devices using USB, FireWire, ATA/IDE, SCSI, PCMCIA (or Cardbus), Bluetooth and IrDA buses. See Device types supported on page 17 for a list of the supported device types.
Read-only access
PGP Endpoint Device Control lets you define a particular device as read-only. You can set read-only permissions for all file-system based devices, for example, a floppy drive, DVD/CD writer, PCMCIA hard drive, and so on. Other device permissions you can set restrict writing, encrypting, decrypting, exporting data to file/media and importing data.
Copy limit
You can limit the quantity of data users can write to floppy disks and removable storage devices on a daily basis so they cannot abuse their writing permissions.
Temporary access
PGP Endpoint Device Control lets you grant users temporary access to their devices. This means that you can switch access on without having to remember to switch it off again later. You can also use it to grant access in the future for a limited period.
Scheduled device access
PGP Endpoint Device Control lets you grant or deny permissions to use a device during a specific period. This lets you develop sophisticated security policies where certain devices can only be used from, for example, 9 A.M. to 5 P.M., Monday to Friday.
Context-sensitive permissions
You can apply different permissions depending on their context. Some permissions are valid regardless of the connection status, while you can create others that are only relevant when the machine either is or is not connected to the network. For example, this allows you to disable the WiFi cards when laptops are connected to the company network and enable them when the machine does not have a wired connection to the system.
File shadowing
PGP Endpoint Device Control's shadow technology enables full auditing of all data written and/or read to/from file-system based devices such as recordable DVD/CD, removable storage devices, floppy disks, Zip and PCMCIA drives, as well as to serial and parallel ports (written data only). This feature is available on a per-user basis. Some of these devices support only partial shadowing: only the file's name is captured, not its complete content.
User-defined devices
PGP Endpoint Device Control gives you the ability to manage other kind of devices in addition to those supported by default. You can add any device that is not managed by the default installation to the database as a user-defined device and apply permissions in the usual way.
Offline updates
You can update the permissions of remote machines that cannot establish a network connection to your corporate network. New permissions can be exported to a file that is later imported onto the client computer.
Per-device permissions
Sometimes a device type is too general for you to control access to sensitive data effectively. Therefore, you may want to implement greater control at a lower level: a device model, or even a specific device within a model. For instance, rather than grant permissions to use any type of removable media, you can restrict access to a specific device of a company-approved model.
Unique, serial identified, removable devices
Administrators can control devices by defining permissions at a class level (for example, all DVD/CD devices), classify devices in logical entities called device groups, or include a device model. When working with removable devices, administrators can go up to a fourth level by defining permissions for a unique, serial identified removable device.
Per-device encryption
Restricting access for a specific device to a particular user also incorporates an encryption process to ensure that sensitive data is not inadvertently exposed to those without authorized access.
Centralized and/or decentralized encryption
Using PGP Endpoint Device Control you, as an administrator, can not only grant user(s)/group(s) access to a removable storage device (defined at the class, group, model, or uniquely identified device level) but can also force users to encrypt their devices locally. This decentralized encryption schema is a work-around for those organizations that do not want (or need) to manage device encryption centrally while ensuring that the company's data is not inadvertently exposed.
DVD/CD recorder shadowing
Shadowing, a copy of the files data, can be used in the following writable media formats: CD-R, CD-RW, DVD-R, DVD+R, DVD-RW, DVD+RW and DVD-RAM. Shadowing means that data written/read to/from these media is intercepted and made available to the administrators. By default, PGP Endpoint Device Control disables writing to such media and, when writing must be enabled, you can optionally select to shadow the data.
DVD/CD Recorder shadowing is supported on Windows 2000 (Service Pack 4 or later) and later only. Windows NT4 is no longer supported by PGP Endpoint Device Control.
Administrators roles
PGP Endpoint's User Access module allows you to set precise controls to determine who can access the different components of the PGP Endpoint Management Console. For example, you can restrict access to the shadowing information to only the company's auditors. You should also consult PGP Endpoint Setup Guide to learn how to set rights to control Organizational Units, Users, Computers and Groups.
Tamper-proof client component
The PGP Endpoint Client Driver, installed on each protected computer or server, is a critical part of PGP Endpoint Device Control. This driver is protected against unauthorized removal even by authorized administrators. PGP Endpoint Administrators may emit an endpoint maintenance ticket (see Client hardening on page 183 and Endpoint Maintenance on page 29) or explicitly deactivate this protection.
File filtering
You can use this feature to control which file types can be copied to and/or from removable devices (see Using file filters on page 63).
DVDs/CDs encryption
Use this feature to convert your DVDs/CDs into robust data repositories. Our strong ciphering algorithms always secure your data so you can transport your private information without compromising your data security (see Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data on page 201).
PGP-Encrypted Removable devices usage
PGP-encrypted devices are now recognized directly in PGP Endpoint-protected environments. This gives you the clear advantage of encrypting removable devices using either the long-proven PGP application and protocols or PGP Endpoint's technology (see Chapter 11: Using PGP-Encrypted Removable Devices on page 211).

What is new in this version

See the Readme.txt file located on your CD installation disk for a full list of features and changes.

Device types supported

PGP Endpoint Device Control supports a wide range of device types that represent key sources of security breaches. For some of these devices, you can allow access and activate the shadowing option for that class of device. If this is done, PGP Endpoint Device Control enables the administrators to view the content of the files written/read to/from that authorized device.
You can set up permissions for devices that connect using USB, FireWire, PCMCIA, ATA/IDE, SCSI, Bluetooth, and IrDA bus types. Devices attached to these bus types are recognized based on their device type, not on the way they are connected. For example, an external DVD/CD-ROM drive attached to a PC using the USB port is recognized as device type DVD/CD-ROM and is, therefore, controlled using the same mechanism and settings as an internal DVD/CD-ROM drive. It is possible to define a permission at device class level and restrict it to a specific bus type, such as USB, FireWire, and so forth.
Device types currently managed by PGP Endpoint Device Control include:
Biometric devices
You can find Password Managers and FingerPrint readers in this class of devices. They are connected to the computer using the USB port.
COM/serial ports
These include serial ports and devices that make use of COM device drivers, such as some types of modems (including null modems) and terminal adaptors. Some PDA cradles also make use of the serial port, even when they are connected through the USB port.

DVD/CD drives
CD-ROM and DVD access can be managed in several ways. PGP Endpoint Device Control allows for full device lock/unlock, access to music CDs only, or access only for uniquely identified DVDs/CDs previously authorized. You can also restrict write privileges to CD-R/W and DVD -/+R/W devices.
Floppy disk drives
You can manage access to the floppy drive as either completely locked/unlocked or on a read-only basis. Floppy disk drive devices include conventional diskette drives, as well as high-capacity drives such as the LS-120. This applies regardless of how the devices are connected to the system, whether IDE, parallel, USB, or by other methods.
Imaging devices/Scanners
Access to these USB or SCSI devices can be managed using PGP Endpoint Device Control. A scanner or a webcam are examples of this kind of device.
Some devices, like the Bluetooth print server, only work if the COM port is also enabled. If you use a printer that is configured to use a particular COM port (even if this port is provided by a Bluetooth adapter), then you may need to give access to the COM port as well.
Some all-in-one models include a printer, a scanner and a memory card reader. There are cases where the scanner functionality cannot be used if the USB Printer functionality is disabled by the PGP Endpoint Client Driver.
LPT/parallel ports
You can control conventional parallel printer ports, as well as variants such as ECB. Dongles are also included.
Modems/Secondary network access devices
Access to these internal or external devices can be managed with PGP Endpoint Device Control. Secondary network devices are those that do not connect directly through normal channels.
Different modems operate in different ways. Depending on your brand, you may need to allow access to the COM port, to the Modem port, or, possibly, to both, so that you can use your modem. You should experiment with the settings in order to see what works best in your case.
If your users connect via dialup you may need to set a permission rule to the Local System for the Modem.

Palm handheld devices
Create permissions rules at your convenience for this type of devices using PGP Endpoint Device Control.
Plug and Play devices
PGP Endpoint Device Control is able to detect Plug and Play devices. These devices are subject to the same access controls set for fixed devices of the same type.
The FireWire (IEEE 1394) net adapter devices are managed by the Modem/Secondary Network Access Devices class as found in the Device Explorer module (see Chapter 3: Using the Device Explorer on page 49). A reboot is required to apply new permissions.
During the plug and play process, Windows registers the device into a class. PGP Endpoint Device Control uses this information to apply permissions to the device. For example, if Windows registers a camera in the Removable Storage Devices class, access to this camera is controlled by the permissions set in that class in the Device Explorer module.
Printers (USB/Bluetooth )
PGP Endpoint Device Control allows you to control the access to USB/Bluetooth printers connected to client computers.
Some all-in-one models of devices include a printer, a scanner and a memory card reader. There are cases where the scanner functionality cannot be used if the PGP Endpoint Client Driver disables the USB Printer functionality.
PS/2 ports
PS/2, the port traditionally used to connect a keyboard, is being rapidly superseded by the USB port for keyboard connections. If you are only using USB keyboards and USB mice in your network, you can opt to block all PS/2 ports permanently. This makes the use of PS/2 keyloggers (which capture data typed at the keyboard, including passwords and other sensitive data) very difficult. Please consult Chapter 8: Setting and changing options on page 181 for more information.
Removable storage devices
This device type includes disk-based devices that are not floppy or CD-ROM drives. Devices such as Jaz and PCMCIA hard drives fall in this category, as well as USB memory devices such as memory stick, Disk on Key, ZIP, as well as USB-connected MP3 players and digital cameras.
Secondary hard disk drives (including SCSI drives) are treated as Removable Storage Devices. By specifying whether a permission applies to Hard Drive or Non Hard Drive devices you can distinguish between memory keys and secondary hard drives. You can also restrict the permissions to devices that connect through a given bus, such as USB, SCSI, or PCMCIA.
RIM BlackBerry handhelds
Handheld computers/mobile phones from the RIM (Research in Motion) BlackBerry are connected to the computer through a USB port. Access to these PDA/GSM devices can be managed with PGP Endpoint Device Control.
Smart Card readers
Access to readers for smart cards, such as eToken or fingerprint readers, can be managed with PGP Endpoint Device Control.
Tape drives
Access to internal and external tape drives of any capacity can be managed with PGP Endpoint Device Control.
Some backup units that do not use the Microsoft-supplied drivers cannot be controlled by PGP Endpoint Device Control.
User Defined devices
Devices that do not fit into the standard categories can also be managed with PGP Endpoint Device Control. Devices such as some PDAs (non Compaq IPAQ USB, non Palm handheld USB), iPaq, Qtec, HTC, and Web cams can be specified as a user-defined device and permissions added to them in the usual way.
Windows CE handheld devices
Access to these devices can be managed with PGP Endpoint Device Control. The HP iPAQ or XDA are Windows Mobile 5 CE Devices (running Windows PocketPC 2002/2003 OS).
Windows CE handheld devices
Handheld Windows CE computers (using PocketPC OS) connected to the PC through a USB port.
Wireless network interface cards
When installing the PGP Endpoint Client Driver, you have the option to configure the clients permissions to use a Wireless LAN adaptor.
This permission applies only to wireless cards for which Windows does not require a manufacturer-specific driver or administrative privilege to install.

Conclusions

PGP Endpoint Device Control eliminates the majority of the danger associated with insiders abusing their access to network resources and mission-critical information. It significantly increases the security level of your operating system by controlling and auditing end-user access to I/O devices.
Using the control console, the security administrator(s) can allow access to an I/O device by assigning permission rules to users/groups.
With the optional shadowing feature, it is possible to track down data written/read to/from certain I/O devices. You can also access a log of what files were copied to various I/O devices on any given day.
PGP Endpoint Device Control's non-obtrusive and flexible nature protects and prevents with very little overhead for your users or system. Using our products, you can be assured that your company is safe.

Chapter 2: Using the PGP Endpoint Console

This chapter explains how PGP Endpoint Device Control approaches I/O security. It describes the components of PGP Endpoint Device Control and explains how they contribute to the enforcement of your company's security policies.
When you first install PGP Endpoint Device Control, default permission rules are created and configured. These rules include shadow restrictions and read/write permissions for some of the devices. Although these settings meet the needs of some users, most people require additional access rights to carry out their day-to-day jobs. One of the first tasks of an administrator is to define new permission rules for users, groups, computers, or devices in their network.
Using the PGP Endpoint Management Console you can:
> Set default options.
> Grant general access to all available devices.
> Define specific rights for certain users.
> Authorize media types and specific media on a general or user-by-user basis.
> Send updates to all users or to certain computers.
> Maintain the database where all information is stored.
> Synchronize domain users.
> Configure centralized and decentralized encryption, etc.
> Generate standard reports showing user permissions, device permissions, computer permissions, media by user, users by medium, shadowing by device, shadowing by user, online machines, user options, server settings, and machine options.
> Generate custom reports of device use or device-attempted use.
> See the content of a copied or read file (only if shadow is active).
> View the log of all administrators' changes to users' policies.
> Review any attempt to access the configured devices in a computer.

Starting the PGP Endpoint Management Console

To start the PGP Endpoint Management Console:
1. Click the Windows START button.
2. Select Programs → PGP Endpoint → PGP Endpoint Management Console.
You can also create a shortcut on the Windows desktop for your convenience.

Connecting to the Server

When you initially launch the PGP Endpoint Management Console, you need to connect to a PGP Endpoint Administration Server. The Connect to SXS Server dialog is displayed.
To connect to the server, follow these steps:
Figure 1: Connecting to the server
1. Select the PGP Endpoint Administration Server to which you want to connect from the list (if available) or type in the name. You can use the IP address, the NetBios name, or the fully qualified domain name of the PGP Endpoint Administration Server. If your Server is configured to use a fixed port, you have to append the port number to the server name as in this example:
secrsrv.secure.com[1234]
Please refer to the description of the registry key settings of the PGP Endpoint Administration Server in PGP Endpoint Setup Guide for more information about how to configure the server to use a fixed port.
When the PGP Endpoint Administration Server is installed on a Windows XP SP2 or Windows 2003 SP1 computer, you should configure the Windows XP Firewall to allow the communication between PGP Endpoint Administration Server and the PGP Endpoint Management Console. Please see PGP Endpoint Setup Guide for more details.
2. Choose to log in as the current user or specify a different user's details, using the Log in as option.
3. Click on the OK button. The PGP Endpoint Management Console screen is displayed.
If the PGP Endpoint Management Console screen does not appear, an error message is displayed. This indicates a problem occurred during an internal test. Check that you have the required permissions to connect to your selected server, domain rights, and PGP Endpoint Management Console rights. See Defining PGP Endpoint administrators on page 35.
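As an added example (not the console's or PGP's own code), this Python helper validates the server-name notation used in step 1: an IP address, NetBIOS name or fully qualified domain name, optionally followed by a fixed port in square brackets as in secrsrv.secure.com[1234]. Treating a single bare label as a NetBIOS name is an assumption of the example, as is rejecting malformed input rather than guessing a default.

```python
"""Validate 'server' or 'server[port]' as typed in the Connect to Server dialog.

Added illustration of the notation documented in the guide; it is not the
management console's own parsing code.  Classifying the host part as an IP
address, FQDN or NetBIOS name is an assumption layered on top of the page.
"""
import ipaddress
import re

# One DNS/NetBIOS label: alphanumerics with interior hyphens, 1-63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# "<host>" or "<host>[<digits>]"; the host part may not itself contain brackets
# or whitespace, so a stray character never slips through as part of the name.
_ADDRESS = re.compile(r"([^\[\]\s]+)(?:\[(\d{1,5})\])?")


def classify_host(host: str) -> str:
    """Return 'ip', 'fqdn' or 'netbios' for a syntactically valid host.

    Raises ValueError when the host is neither an IP address nor made of
    valid labels.
    """
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"invalid host name: {host!r}")
    # Assumption: a single label is a NetBIOS name, a dotted name an FQDN.
    return "fqdn" if len(labels) > 1 else "netbios"


def parse_server_address(text: str):
    """Split 'host' or 'host[port]' into (host, port_or_None, kind).

    Raises ValueError for an empty string, malformed brackets, a non-numeric
    port or a port outside 1-65535, so a typo fails loudly instead of
    silently pointing the console at the wrong server or port.
    """
    match = _ADDRESS.fullmatch(text.strip())
    if not match:
        raise ValueError(f"malformed server address: {text!r}")
    host, port_text = match.group(1), match.group(2)
    port = None
    if port_text is not None:
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return host, port, classify_host(host)


def format_server_address(host: str, port=None) -> str:
    """Render the dialog notation, validating the parts via the parser."""
    candidate = host if port is None else f"{host}[{port}]"
    host, port, _ = parse_server_address(candidate)
    return host if port is None else f"{host}[{port}]"


if __name__ == "__main__":
    # The guide's own example, plus constructed NetBIOS and IP forms.
    for sample in ("secrsrv.secure.com[1234]", "SXSRV01", "10.0.0.5"):
        print(sample, "->", parse_server_address(sample))
```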

Log in as a different user

If you selected the Log in as option, instead of using your credentials you must enter the user name and password. Prefix the user name with a workstation name and backslash for local accounts, and with a domain name and backslash for domain accounts (e.g. DOMAIN1\ADMIN1).
Once the connection is established, the user's credentials are shown in the Output panel while the Connection window shows the license details. If you do not see these windows, select the VIEW → CONNECTION and/or VIEW → OUTPUT command:
Figure 2: Connection / Output window

The PGP Endpoint Management Console screen

When you start a PGP Endpoint Management Console session, the PGP Endpoint Management Console screen is displayed.
Figure 3: The PGP Endpoint Management Console screen
The Menu in the upper part of the window provides access to different PGP Endpoint Device Control functions and commands. Some of these depend on the module you are currently using. For example, the contents of the Explorer menu depend on whether you are in the Exe Explorer or the Log Explorer. You can use shortcut key combinations to access different commands. For example, ALT+R+O displays an HTML Online Machine report.
The Control Panel displays in the left-hand side of the window. This lets you select the available modules and options without using the menu. If the Control Panel is not visible, use the View → Control panel command to display it.
The contents displayed in the Main window panel depend on the module currently selected in the left panel. You can refine the information displayed in some modules. Every time you open a module it stays open and arranged in stacked tabs until explicitly closed. You can use the Window command of the menu bar to organize your workspace.
The Connection window shows information about the current user. You can use the scrollbar to navigate through the text. If the Connection window is not visible, use the View → Connection command to display it.
The Output window displays important information messages, for example, messages generated by updates sent to the clients, file fetching, I/O failures, as well as error messages. Use the scrollbar to navigate through the text. If the Output window is not visible, use the View → Output command to display it.
The Status bar, at the bottom of the screen, displays information about the condition of the console. If you do not see it, use the View → Status Bar command to display it.
If you are using a time-limited license for PGP Endpoint then once a day, when starting the management console, you get the following screen informing you of your license status:
Figure 4: License status warning
This information is also reported in the Connection window of the main screen and generates a log that you can see using the Windows event viewer.

Customizing your workspace

You can resize and reposition the panels in the main PGP Endpoint Management Console window to suit your needs. To do this, use the Pin icon to pin down or float the Control Panel, Connection, or Output windows. When a window is parked, the Pin icon changes appearance.
Alternatively, you can dock each window or minimize the panel. In Dock mode, the window hides itself as a tab at the edge of the PGP Endpoint Management Console screen, leaving more space for the main window panel. Click again on the pin to float the window panel again.
Figure 5: Docked Control Panel
Figure 6: Docked window
In Floating mode, the windows can be moved to any position on the screen, sharing the working area with whatever module is open.
You can resize and drag the window panes to whatever zone you prefer, as in the following example:
Figure 7: Floating Control Panel
Figure 8: Floating windows
Double-click a window's title bar to dock it to its previous position. You can also drag the window to any edge of the PGP Endpoint Management Console screen, in which case it docks itself; use the rectangle preview as a guide before releasing the mouse button.
All open modules occupy the main window area and can be floated or docked at will. You can use the Window menu to arrange the open module windows in tile, cascade, or iconized mode. Each window can also be closed, maximized, or iconized independently as needed. If several modules are already open (as shown in Figure 7), you can choose between them using the stacked tab bar.
You can reorder the windows located in the main window panel by dragging them using their title bar, or traverse them using the Scroll Left or Scroll Right icons.
To close the active window, click on its cross icon, right-click on the title bar and select Close, or press Ctrl+F4.
To minimize a window, right-click on the title bar and select Minimize. You can also use the Restore and Maximize icons and commands, as in any Windows program.
Figure 9: Minimized windows

The PGP Endpoint Device Control modules

When you are using PGP Endpoint Device Control, the PGP Endpoint Management Console screen gives access to the three PGP Endpoint Device Control modules. These are summarized in the following table:

Module: Device Explorer
Used to: Grant access to I/O devices for specific users or groups. Establish copy limits and activate shadowing. Allow users to encrypt removable devices on the fly (decentralized encryption).
See: Chapter 3: Using the Device Explorer

Module: Log Explorer
Used to:
> View records of files copied from any PC to authorized I/O devices, and view the contents of the files themselves (two-way Shadowing).
> View attempts to access or connect unauthorized devices.
> Create custom reports; for example, you can create a daily or weekly scheduled report of all user attempts to access an unauthorized device.
See: Chapter 5: Using the Log Explorer

Module: Media Authorizer
Used to:
> Recognize specific DVD/CDs which users can be permitted to use, even where they have not been granted access rights to the DVD/CD drive, as well as establish specific (encrypted) removable media which users can be permitted to use.
> Give permission to use specific DVD/CDs to users who have been barred from using the DVD/CD drive.
> Establish permission to use specific (encrypted) media.
> Centrally encrypt removable devices.
See: Chapter 6: Using the Media Authorizer

Table 1: The PGP Endpoint Device Control modules
The Device Explorer module is the core of the PGP Endpoint Management Console program when used under PGP Endpoint Device Control. PGP Endpoint administrators can use it to:
> Modify assigned permissions and rules.
> Create new permissions and rules.
> Delete already defined permissions and rules.
> Check permissions and rules.
> Define the users who must encrypt removable storage devices before using them (decentralized encryption).