PGP Endpoint Device Control - 4.3 User's Guide

PGP Endpoint Device Control Version 4.3.0
Users Guide
Version Information
Copyright Information
Copyright © 1991-2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize Block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net).
• Libxml2, the XML C parser and toolkit developed for the Gnome project, is distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative.
• bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005.
• Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt.
• Castor, an open-source, databinding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html.
• Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1.
• Apache Axis, an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products, is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt.
• mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html.
• jpeglib version 6a is based in part on the work of the Independent JPEG Group (http://www.ijg.org/).
• libxslt, the XSLT C library developed for the GNOME project and used for XML transformations, is distributed under the MIT License, http://www.opensource.org/licenses/mit-license.html.
• PCRE version 4.5, Perl regular expression compiler, copyrighted and distributed by University of Cambridge, © 1997-2006. The license agreement is at http://www.pcre.org/license.txt.
• BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org).
• FreeBSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
• Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992; Networks Associates Technology, Inc. © 2001-2003; Cambridge Broadband Ltd. © 2001-2003; Sun Microsystems, Inc. © 2003; Sparta, Inc. © 2003-2006; Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html.
• NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors.
• Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by the OpenBSD Project is released under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD.
• PC/SC Lite, a free implementation of PC/SC, a specification for SmartCard integration, is released under the BSD license.
• Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php.
• PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html.
• PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence.
• vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission.
• JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project.
• TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html.
• libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg.
• libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o.
• libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc.
• gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html.
• Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php.
• The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Contents

About this guide ......................................................................................................... 7
Introduction ..................................................................................................................................... 7
Complete security .............................................................................................................................. 8
What's in this guide ........................................................................................................................... 8
Conventions ..................................................................................................................................... 9
Notational conventions .................................................................................................................. 9
Typographic conventions ................................................................................................................ 9
Keyboard conventions ................................................................................................................... 9
Getting Assistance ............................................................................................................................. 9
Getting product information ........................................................................................................... 9
Contacting Technical Support ......................................................................................................... 10
Chapter 1: Introducing PGP Endpoint Device Control .......................................................... 13
Welcome to PGP Endpoint Device Control................................................................................................ 13
What is PGP Endpoint Device Control ..................................................................................................... 13
What can you do with PGP Endpoint Device Control .................................................................................. 14
Benefits of using PGP Endpoint Device Control ......................................................................................... 14
Major features of PGP Endpoint............................................................................................................ 15
What is new in this version ................................................................................................................ 17
Device types supported ...................................................................................................................... 17
Conclusions ..................................................................................................................................... 20
Chapter 2: Using the PGP Endpoint Console ..................................................................... 21
Starting the PGP Endpoint Management Console ...................................................................................... 21
Connecting to the Server ............................................................................................................... 22
Log in as a different user............................................................................................................... 22
The PGP Endpoint Management Console screen ........................................................................................ 23
Customizing your workspace .......................................................................................................... 24
The PGP Endpoint Device Control modules .............................................................................................. 26
The PGP Endpoint Management Console menus and tools .......................................................................... 28
File menu .................................................................................................................................. 28
View menu ................................................................................................................................ 28
Tools menu ................................................................................................................................ 28
Endpoint Maintenance ................................................................................................................. 29
Reports menu ............................................................................................................................. 31
Explorer menu ............................................................................................................................ 32
Window menu ............................................................................................................................ 32
Help menu ................................................................................................................................. 32
Other administrative functions ............................................................................................................ 33
Setting and changing default options .............................................................................................. 33
Synchronizing domain members ..................................................................................................... 33
Synchronizing with Novell eDirectory ............................................................................................... 33
Adding workgroup computers......................................................................................................... 34
Performing database maintenance .................................................................................................. 34
Defining PGP Endpoint administrators .............................................................................................. 35
Sending updated permissions to client computers............................................................................... 37
Everyday work .................................................................................................................................38
Identifying and organizing users and user groups ...............................................................................38
Identifying the devices to be managed .............................................................................................38
Working with the PGP Endpoint system's pre-defined device classes ....................................................... 39
Adding your own, user-defined devices to the system ........................................................................ 40
Identifying specific, unique, removable devices ................................................................................ 40
Organizing devices into logical groups .............................................................................................. 41
Identifying specific computers to be managed ................................................................................... 42
Defining different types of permissions ............................................................................................ 42
Encrypting removable media & authorizing specific DVDs/CDs................................................................. 43
Forcing users to encrypt removable media ....................................................................................... 44
Practical setup examples ................................................................................................................... 44
DVD/CD burner permissions assignments .......................................................................................... 44
Removable permissions assignments .............................................................................................. 45
PGP Endpoint Device Control User Guide 4.3.0 1
Assigning permissions to groups instead of users ................................................................................ 45
Shadowing notes ........................................................................................................................ 45
Chapter 3: Using the Device Explorer ............................................................................. 49
How does the Device Explorer work ...................................................................................................... 50
Restricted and unrestricted devices ...................................................................................................... 51
Optimizing the way you use the Device Explorer ...................................................................................... 52
Context menu and drag & drop ...................................................................................................... 52
Keyboard shortcuts ...................................................................................................................... 52
Adding comments to an entry ........................................................................................................ 53
Computer groups ........................................................................................................................ 53
Renaming Computer Groups/Device Groups/Devices ............................................................................. 53
Event notification ....................................................................................................................... 54
Device Groups ............................................................................................................................ 57
Supported device types .................................................................................................................... 58
Managing permissions ....................................................................................................................... 58
Chapter 4: Managing permissions/rules ......................................................................... 59
Using the Permissions dialog .............................................................................................................. 59
Special case: Working with Removable Storage Devices ........................................................................ 61
Using file filters ............................................................................................................................... 63
To remove File Filtering settings from a permission ............................................................................. 65
File Filtering examples ................................................................................................................. 66
Adding a user or group when defining permissions .................................................................................. 68
To assign default permissions ............................................................................................................. 69
Root-level permissions ................................................................................................................. 69
To assign default permissions to users and groups .............................................................................. 69
Priority of default permissions ........................................................................................................ 71
Read/Write permissions ................................................................................................................ 72
To assign computer-specific permissions to users and groups ..................................................................... 73
To modify permissions.................................................................................................................. 74
To remove permissions ................................................................................................................. 75
To assign scheduled permissions to users and groups ............................................................................... 75
To modify scheduled permissions.................................................................................................... 76
To remove scheduled permissions ....................................................................................................77
To assign temporary permissions to users ...............................................................................................77
To remove temporary permissions ................................................................................................... 78
To assign temporary permissions to offline users ..................................................................................... 78
To assign online and offline permissions ............................................................................................... 82
To remove offline or online permissions ........................................................................................... 83
To export and import permission settings .............................................................................................. 84
To manually export or import permission settings ............................................................................. 84
Shadowing devices ........................................................................................................................... 85
To shadow a device ..................................................................................................................... 85
To remove the shadow rule ........................................................................................................... 87
To view a shadowed file ............................................................................................................. 87
Copy limit ....................................................................................................................................... 87
To add a copy limit ......................................................................................................................88
To remove a copy limit ................................................................................................................. 89
Applying multiple permissions to the same user ...................................................................................... 89
Forcing users to encrypt removable storage devices .................................................................................. 90
Setting permissions to force users to encrypt removable storage devices .................................................. 91
Managing devices ............................................................................................................................ 95
To add a new device .................................................................................................................... 95
To remove a device ...................................................................................................................... 97
Specific, unique, removable devices ................................................................................................ 97
Changing permissions mode .......................................................................................................... 97
Priority options when defining permissions ...................................................................................... 98
Informing client computers of permission changes .................................................................................. 99
Chapter 5: Using the Log Explorer ................................................................................ 101
Introduction .................................................................................................................................. 101
Monitoring user input/output device actions .................................................................................... 101
Monitoring administrator actions ................................................................................................... 103
Accessing the Log Explorer ................................................................................................................. 103
Log Explorer templates ..................................................................................................................... 104
To use an existing template .......................................................................................................... 105
Predefined templates .................................................................................................................. 105
To create and use a new template ................................................................................................. 107
Backing-up your templates .......................................................................................................... 108
Log Explorer window........................................................................................................................ 108
Navigation/Control bar ................................................................................................................ 109
Column headers ......................................................................................................................... 109
Results panel / custom report contents ............................................................................................ 114
Criteria/Properties panel .............................................................................................................. 116
Control button panel ................................................................................................................... 116
Select and edit templates window ....................................................................................................... 117
Template settings window ................................................................................................................. 119
General tab ............................................................................................................................... 120
Query & Output tab ..................................................................................................................... 120
Criteria ..................................................................................................................................... 121
The advanced view ..................................................................................................................... 123
Schedule tab ............................................................................................................................. 127
Viewing access attempts to devices ...................................................................................................... 130
Viewing client error reports ................................................................................................................ 131
Viewing shadow files ........................................................................................................................ 132
When the Data File Directory is not available .................................................................................... 133
Shadowing file names only ................................................................................................................ 134
DVD/CD Shadowing ........................................................................................................................... 134
Forcing the latest log files to upload .................................................................................................... 134
To manage devices using the Log Explorer module .................................................................................. 135
Viewing administrator activity ............................................................................................................ 136
Audit events .............................................................................................................................. 136
Chapter 6: Using the Media Authorizer ......................................................................... 139
Introduction ................................................................................................................................... 139
Creating a DVD/CD hash .................................................................................................................... 140
What happens when a user wants access to the DVD/CD...................................................................... 140
Accessing the Media Authorizer ........................................................................................................... 141
Authorizing users to use specific DVDs/CDs ............................................................................................. 141
Pre-requisites ........................................................................................................................... 141
To authorize the use of a specific DVD/CD .......................................................................................... 141
Encrypting removable storage devices .................................................................................................. 142
Pre-requisites ........................................................................................................................... 143
Decentralized encryption..............................................................................................................144
Limitations ...............................................................................................................................144
To encrypt a specific removable storage device ..................................................................................144
Removable device encryption methods comparison ........................................................................... 146
Problems encrypting a device ....................................................................................................... 146
Authorizing access ........................................................................................................................... 148
Selecting users for a device ........................................................................................................... 149
Selecting devices for a user .......................................................................................................... 150
Removing media from the database .................................................................................................... 151
To remove a DVD/CD .................................................................................................................... 151
To remove an encrypted removable storage device ............................................................................. 152
To remove lost or damaged media from the database ......................................................................... 152
Other Media Authorizer utilities .......................................................................................................... 153
To rename a DVD, CD, or removable storage device ............................................................................. 153
Exporting encryption keys ............................................................................................................ 153
Ejecting a CD or DVD ....................................................................................................................154
Recovering a password for decentralized encryption when connected ....................................................154
Permissions Priority ......................................................................................................................... 157
Encrypting devices without a Certificate Authority .................................................................................. 159
To encrypt a removable media without installing a Certificate Authority ................................................. 159
Chapter 7: Accessing encrypted media outside of your organization ................................... 161
Exporting encryption keys ................................................................................................................. 161
Exporting encryption keys centrally ................................................................................................ 161
Exporting encryption keys locally ................................................................................................... 161
To export the encryption key to a file .............................................................................................. 162
To export the encryption key to the device itself ................................................................................ 163
Accessing encrypted media outside your organization ............................................................................. 164
Accessing media on a machine with PGP Endpoint Client Driver installed ............................................... 164
Accessing media without using PGP Endpoint Client Driver .................................................................. 169
Using encryption inside and outside your organization ....................................................................... 174
Decentralized encryption ................................................................................................................... 175
How to configure PGP Endpoint so that users can encrypt their own devices ............................................ 175
Recovering a decentralized encryption password without PGP Endpoint Client .......................................... 175
Chapter 8: Setting and changing options ...................................................................... 181
Default options ............................................................................................................................... 181
Computer-specific options ................................................................................................................. 182
To change an option setting ............................................................................................................... 182
Sending updates to client computers .............................................................................................. 183
Individual option settings ................................................................................................................. 183
Certificate generation .................................................................................................................. 183
PGP Endpoint Device Control User Guide 4.3.0 3
Contents
Client hardening ........................................................................................................................ 183
Device log ................................................................................................................................ 184
Device log throttling ................................................................................................................... 184
eDirectory translation ................................................................................................................. 184
Encrypted media password ........................................................................................................... 185
Endpoint status ......................................................................................................................... 185
Log upload interval .................................................................................................................... 185
Log upload threshold .................................................................................................................. 185
Log upload time ........................................................................................................................ 186
Log upload delay ....................................................................................................................... 186
Online state definition ................................................................................................................ 186
Server address ........................................................................................................................... 187
Shadow directory ....................................................................................................................... 187
Update notification .................................................................................................................... 187
USB Keylogger ........................................................................................................................... 188
Checking settings on a client machine.................................................................................................. 188
Chapter 9: Generating PGP Endpoint Reports................................................................. 189
User Permissions report .................................................................................................................... 191
Device Permissions report ................................................................................................................. 192
Computer Permissions report ............................................................................................................. 193
Media by User report ........................................................................................................................ 194
Users by Medium report .................................................................................................................... 195
Shadowing by Device report .............................................................................................................. 196
Shadowing by User report ................................................................................................................. 197
Online Machines report .................................................................................................................... 198
Machine Options report .................................................................................................................... 199
Server Settings Report ..................................................................................................................... 200
Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data .................. 201
How it works .................................................................................................................................. 201
Limitations and supported media ....................................................................................................... 201
Pre-requisites ................................................................................................................................ 202
Encrypting a CD/DVD ......................................................................................................................... 202
To assign a user permission to encrypt a DVD/CD ................................................................................ 203
To assign a user permission to read an already encrypted DVD/CD ......................................................... 204
To encrypt a DVD/CD ................................................................................................................... 204
Using an already encrypted CD/DVD ..................................................................................................... 208
To use an already encrypted CD/DVD on a machine protected by PGP Endpoint ........................................ 208
To use an already encrypted CD/DVD on a machine not protected by PGP Endpoint ................................... 208
If you forget the CD/DVD password ...................................................................................................... 208
DVD/CD icons ................................................................................................................................. 208
Chapter 11: Using PGP-Encrypted Removable Devices ........................................................ 211
Introduction ................................................................................................................................... 211
Defining Permission Using the PGP Endpoint Management Console ............................................................. 212
To Allow Users to Encrypt a Device Using PGP WDE .............................................................................. 213
To Allow User to Use a PGP WDE Encrypted Removable Device ............................................................... 213
To Check the Client Status .................................................................................................................. 214
To Decrypt or Re-encrypt a Removable Device Using PGP Desktop ............................................................. 214
Shadow ........................................................................................................................................ 215
Reports ......................................................................................................................................... 215
Using the Log Explorer ...................................................................................................................... 215
Auditing Logs ................................................................................................................................. 216
Appendix A: DVD/CD Shadowing .................................................................................. 219
Introduction .................................................................................................................................. 219
Operation of the PGP Endpoint Client Driver ..................................................................................... 219
Disk space requirements .............................................................................................................. 219
Supported formats when shadowing ................................................................................................... 220
Handling of unsupported shadowing formats ........................................................................................ 220
CD image analysis ............................................................................................................................ 221
Files ........................................................................................................................................ 221
Logs ........................................................................................................................................ 221
Saved image ............................................................................................................................. 221
Sample analysis log ......................................................................................................................... 221
Supported and unsupported CD formats ............................................................................................... 223
Summary ................................................................................................................................. 223
Supported data block formats and recording modes ........................................................................... 223
Supported and unsupported file system features ............................................................................... 223
Supported DVD/CD burning software ............................................................................................... 225
Appendix B: Important notes ..................................................................................... 227
Appendix C: PGP Endpoint Device Control encryption ...................................................... 231
Introduction ................................................................................................................................... 231
PGP Endpoint Device Control encryption ................................................................................................ 231
Centralized encryption using the Full Encryption Method .......................................................................... 231
Centralized encryption using Easy Exchange ........................................................................................... 232
Decentralized encryption ................................................................................................................... 232
How is the medium assigned to a user/user group ..................................................................................233
Centralized versus decentralized encryption ...........................................................................................233
Full Encryption vs. Easy Exchange ....................................................................................................... 235
Other available encryption methods ................................................................................................... 236
Access to encrypted data using the PGP Endpoint Client Driver ................................................................... 237
If a MS Enterprise Certificate Authority (CA) is installed ........................................................................ 237
If no MS Enterprise Certificate Authority (CA) installed ........................................................................ 238
Access to encrypted data outside the network ....................................................................................... 239
Accessing encrypted data outside the network when using Full Encryption ............................................. 239
PGP Endpoint Stand-Alone Decryption Tool, SADEC ............................................................................ 239
Accessing encrypted data outside the network when using Easy Exchange .............................................. 240
Encryption scenarios ....................................................................................................................... 243
Simple examples ....................................................................................................................... 243
Complex examples ..................................................................................................................... 244
Understanding Cryptography ..............................................................................................................247
Defining cryptography .................................................................................................................247
How do we achieve privacy? ............................................................................................................. 248
Signing communications ............................................................................................................. 249
The security principles of SDC encryption explained ................................................................................ 249
The AES algorithm ...................................................................................................................... 249
Public/private key based communication between SDC tiers ................................................................ 250
The Key Pair Generator ............................................................................................................... 250
Symmetric AES key public/private key based encryption ...................................................................... 250
Digital Signatures ...................................................................................................................... 250
Digital Signatures & Certificate Authorities (CA) .................................................................................. 251
The AES Algorithm ........................................................................................................................... 252
What is AES? ............................................................................................................................. 252
How does AES work? ................................................................................................................... 252
AES and PGP Endpoint Device Control ............................................................................................. 253
Why is AES so secure? ................................................................................................................. 253
Other useful info ............................................................................................................................ 254
What is considered as a removable media? ..................................................................................... 254
What happens if I have forgotten my password? ............................................................................... 254
Recovering a password when using decentralized encryption .............................................................. 254
What happens to my unencrypted data when I encrypt the device it is on?............................................. 254
How do I decrypt a device? .......................................................................................................... 254
Appendix D: PGP Endpoint's Architecture ...................................................................... 257
The whitelist approach ..................................................................................................................... 257
Concepts .................................................................................................................................. 257
Advantages/disadvantages of using a white list ................................................................................. 257
Whitelist and blacklist examples ................................................................................................... 258
A complete security solutions portfolio ................................................................................................ 258
PGP Endpoint Application Control Suite ........................................................................................... 259
PGP Endpoint Device Control ........................................................................................................ 259
PGP Endpoint for Embedded Devices .............................................................................................. 259
PGP Endpoint components ................................................................................................................ 259
The PGP Endpoint Database ......................................................................................................... 260
The PGP Endpoint Administration Server .......................................................................................... 261
PGP Endpoint Client Driver ........................................................................................................... 262
Protocol and ports ..................................................................................................................... 264
Operation overview .................................................................................................................... 265
Key usage ................................................................................................................................ 266
If the PGP Endpoint Administration Server is not reachable ................................................................. 266
The PGP Endpoint Management Console.......................................................................................... 270
Administration Tools ................................................................................................................... 271
Network communications ............................................................................................................. 272
PGP Endpoint Client Driver communications ...................................................................................... 272
PGP Endpoint Administration Server communications ......................................................................... 272
How PGP Endpoint works .................................................................................................................. 272
PGP Endpoint Application Control Suite ............................................................................................ 272
PGP Endpoint Device Control .........................................................................................................274
Glossary................................................................................................................. 279
Index of Figures ...................................................................................................... 285
Index of Tables ....................................................................................................... 291
Index .................................................................................................................... 293

About this guide

Introduction

PGP Endpoint provides policy-based control for all devices and applications that can be used on enterprise endpoints. Using a whitelist approach (see the detailed explanation in Appendix D: PGP Endpoint's Architecture), PGP Endpoint enables the development, enforcement, and auditing of policies for application and device use in order to maintain IT security, reduce the effort and cost associated with supporting endpoint technologies, and ensure compliance with regulations. With a whitelist approach, administrators can concentrate on approving a short list of selected device/application accesses instead of banning devices/applications and maintaining endless blacklist subscriptions.
PGP Endpoint links application and device policies to eDirectory- and Active Directory-based identities, dramatically simplifying the management of endpoint application and device resources.
As a security officer or network administrator, you are not only aware of, but also concerned about, the potential damage a typical user can cause on your network. It has been proven that most attacks and damage originate from within the bounds of the internal firewall, carried out by employees intentionally or unintentionally. If the typical end user's abilities can be limited, then the scope of damage can also be restricted and, most probably, stopped. This is what the Least Privilege Principle advocates: give users only the access and privileges needed to complete the task at hand.
PGP Endpoint Device Control controls access to devices by applying permission rules to each device type. Based on the Least Privilege Principle, access to any device is prohibited by default for all users. To grant access, the administrator associates users or user groups with the devices or complete device classes for which they should have read and/or write privileges. In this way, PGP Endpoint Device Control extends the standard Windows security model to control input/output (I/O) devices.
The PGP Endpoint Device Control approach contrasts traditional security solutions that use black lists to specify devices that cannot be used. With PGP Endpoint Device Control, your IT infrastructure is protected from unauthorized devices until you decide to include them in the whitelist and, thus, authorize them.
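The default-deny model described above, as an added illustrative example that is not PGP Endpoint's own code: a toy policy evaluator in which a user may use a device class only if a rule for that user (or one of their groups) grants read and/or write, placed beside a blacklist evaluator to show why a device class nobody has ruled on yet is treated differently by the two approaches. Users, groups and device-class names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Device privileges the guide speaks of: read and/or write."""
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Rule:
    principal: str   # user or group name (constructed for this example)
    device: str      # device class, e.g. "Removable Storage Devices"
    access: Access   # privileges granted on that class


@dataclass
class WhitelistPolicy:
    """Default deny: a device class is usable only if some rule grants it."""
    rules: list[Rule] = field(default_factory=list)
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> members

    def principals_of(self, user: str) -> set[str]:
        """The user's own name plus every group that lists the user."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def effective_access(self, user: str, device: str) -> Access:
        """Union of all rules that match the user (directly or via a group)."""
        granted = Access.NONE
        principals = self.principals_of(user)
        for rule in self.rules:
            if rule.device == device and rule.principal in principals:
                granted |= rule.access
        return granted

    def is_allowed(self, user: str, device: str, wanted: Access) -> bool:
        # Every bit of the requested access must have been granted explicitly;
        # with no matching rule at all, effective access is NONE and this is False.
        return wanted in self.effective_access(user, device)


@dataclass
class BlacklistPolicy:
    """Default allow: everything works unless the device class has been banned."""
    banned: set[str] = field(default_factory=set)

    def is_allowed(self, user: str, device: str, wanted: Access) -> bool:
        return device not in self.banned


def example_policy() -> WhitelistPolicy:
    """A small constructed whitelist: alice reads optical media, Finance may
    read and write removable storage, bob additionally reads optical media."""
    return WhitelistPolicy(
        rules=[
            Rule("alice", "DVD/CD Drives", Access.READ),
            Rule("Finance", "Removable Storage Devices", Access.READ | Access.WRITE),
            Rule("bob", "DVD/CD Drives", Access.READ),
        ],
        groups={"Finance": {"bob", "carol"}},
    )


def compare_models(device: str = "Bluetooth Adapter") -> dict[str, bool]:
    """A device class that appears on neither list: the whitelist denies it
    until an administrator authorizes it, the blacklist lets it through."""
    whitelist = example_policy()
    blacklist = BlacklistPolicy(banned={"Modems"})
    return {
        "whitelist": whitelist.is_allowed("alice", device, Access.READ),
        "blacklist": blacklist.is_allowed("alice", device, Access.READ),
    }


if __name__ == "__main__":
    policy = example_policy()
    print("alice read DVD :", policy.is_allowed("alice", "DVD/CD Drives", Access.READ))
    print("alice write DVD:", policy.is_allowed("alice", "DVD/CD Drives", Access.WRITE))
    print("carol write USB:", policy.is_allowed("carol", "Removable Storage Devices", Access.WRITE))
    print("unknown user   :", policy.is_allowed("mallory", "DVD/CD Drives", Access.READ))
    print("new device     :", compare_models())
```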

Complete security

PGP offers a portfolio of security solutions for regulating your organization's applications and devices.
> Our PGP Endpoint Application Control Suite, which includes any of the following programs depending on your needs:
  > PGP Endpoint Application Control Terminal Services Edition extends application control to Citrix or Microsoft Terminal Services environments, which share applications among multiple users.
  > PGP Endpoint Application Control Server Edition delivers application control to protect your organization's servers, such as its Web server, email server, and database server.
> PGP Endpoint Device Control prevents unauthorized transfer of applications and data by controlling access to input/output devices, such as memory sticks, modems, and PDAs.
> PGP Endpoint for Embedded Devices moves beyond the traditional desktop and laptop endpoints and onto a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network area storage devices and the myriad of other systems running Windows XP Embedded.

What's in this guide

This guide explains how to use PGP Endpoint Device Control to control end user access to I/O devices, including floppy disk drives, DVD/CD drives, serial and parallel ports, USB devices, hot-swappable and internal hard drives, as well as other devices.
We have divided this manual into three parts:
Part I contains a general introduction to the PGP Endpoint Device Control program. It is strongly recommended that you review this section:
> Chapter 1: Introducing PGP Endpoint Device Control provides a high-level overview of PGP Endpoint Device Control, how it works and how it benefits your organization.
> Chapter 2: Using the PGP Endpoint Console describes the basic principles of how to use PGP Endpoint Device Control.
Part II contains reference material. It provides information about how to use each of the PGP Endpoint Device Control modules. The functionality of each module is explained in detail.
> Chapter 3: Using the Device Explorer explains how to set the Access Control List permissions on I/O devices.
> Chapter 4: Managing permissions/rules shows you how to create, delete, modify, organize, and combine permissions and rules, and how to force a user to encrypt removable storage devices.
> Chapter 5: Using the Log Explorer provides information on how to view a copy of traced files, errors, and access attempts on client computers, and how to display administrative logs and copies of files (known as shadow files) that users have written to or read from specific devices.
> Chapter 6: Using the Media Authorizer illustrates how to create a database of known DVDs/CDs and encrypted media and how to assign their rights to individual users and groups.
> Chapter 7: Accessing encrypted media outside of your organization explains how to use encrypted media outside the company.
> Chapter 8: Setting and changing options describes how to customize default and computer-specific options for your organization.
> Chapter 9: Generating PGP Endpoint Reports explains how to obtain the HTML reports generated by PGP Endpoint Device Control.
> Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data demonstrates how to encrypt DVDs/CDs and use them outside your organization in a secure way.
> Chapter 11: Using PGP-Encrypted Removable Devices shows you how to define permissions to use removable devices encrypted with PGP in a PGP Endpoint-protected environment.
Part III contains additional information to help you in day-to-day operations.
> Appendix A: DVD/CD Shadowing describes how to copy the contents of files written to or read from DVD/CD (shadowing), the DVD/CD disk and file formats supported by the shadowing operations, and how to interpret the files written to the Log Explorer module.
> Appendix B: Important notes shows some key comments you should take into account when using PGP Endpoint Device Control.
> Appendix C: PGP Endpoint Device Control encryption describes a complete behind-the-scenes comparison between the different encryption methods available in PGP Endpoint Device Control and an explanation of how this encryption is achieved.
> Appendix D: PGP Endpoint's Architecture provides you with an overview of the PGP Endpoint solution architecture.
> The Glossary provides definitions of standard acronyms and terms used throughout the guide.
> The several indexes (Index of Figures, Index of Tables, and Index) provide quick access to specific figures, tables, information, items, or topics.

Conventions

Notational conventions

The following symbols are used throughout this guide to emphasize important points about the information you are reading:
relate to other parts of the system or points that need particular attention.
Shortcut. Here is a tip that may save you time.
Caution. This symbol means that proceeding with a course of action introduces a risk: data loss or a potential problem with the operation of your system, for example.

Typographic conventions

The following typefaces are used throughout this guide:
> Italic: Represents fields, menu commands, and cross-references.
> Fixed width: Shows messages or commands typed at a command prompt.
> SMALL CAPS: Represents buttons you click.

Keyboard conventions

A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R means that you hold down the ALT key while you press R.
A comma between two or more keys signifies that you must press each of them consecutively. For example Alt, R, U means that you press each key in sequence.

Getting Assistance

For additional resources, see these sections.

Getting product information

Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also available, which may have last-minute information not found in the product documentation.
Once PGP Endpoint is released, additional information regarding the product is entered into the online Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).

Contacting Technical Support

> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (http://www.pgp.com/support).
> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit the PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
> For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/company/contact/index.html).
> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are user community support forums hosted by PGP Corporation.
Part I: Administration
Chapter 1: Introducing PGP Endpoint Device Control
This chapter introduces PGP Endpoint Device Control, and explains how it benefits your organization, protects your data, and improves your productivity. It also contains an overview of the entire PGP Endpoint system and an explanation of the how the program works.

Welcome to PGP Endpoint Device Control

PGP Endpoint Device Control eliminates many of the dangers associated with the abuse of network resources and mission-critical information from within your organization. PGP Endpoint Device Control enhances security by controlling end-user access to I/O devices, including:
> Floppy disk drives
> DVD/CD drives
> Serial and parallel ports
> USB devices
> Hot-swappable and internal hard drives
> and other devices
This is a very effective way of preventing data leakage and theft of electronic intellectual property and proprietary information.
PGP Endpoint Device Control also prevents the upload and installation of malicious code, unlicensed software, and other counterproductive applications on your system, preventing inappropriate use of corporate resources, which can incur unnecessary expenses.
PGP Endpoint Device Control allows you to increase employee productivity and lower corporate legal liabilities while protecting your organization's reputation, image, and assets.

What is PGP Endpoint Device Control

PGP Endpoint Device Control controls access to I/O devices by applying an Access Control List (ACL) to each device type. By default, access to any device is prohibited for all users. Designated administrators can assign access and permissions to specific users or groups of users for the devices that they require in their day-to-day tasks. These permissions can be temporary, online or offline, scheduled, copy-limited, shadowed (a copy of transferred data is kept), read, read/write, and so on.
The PGP Endpoint Device Control approach works in contrast to traditional security solutions that rely on a list of specific devices that cannot be used, which leaves administrators scrambling to update systems whenever a new class of device is introduced. With PGP Endpoint Device Control, your IT infrastructure is protected from any kind of device until you sanction its use.

What can you do with PGP Endpoint Device Control

As previously stated, using PGP Endpoint Device Control you can boost your IT security levels by:
> Controlling and managing I/O devices through any port, including USB, FireWire, WiFi, Bluetooth, etc.
> Preventing data theft and data leakage
> Preventing malware introduction via removable media usage
> Auditing I/O device usage
> Blocking USB keyloggers (hardware devices that capture and save all keystrokes)
> Encrypting removable media
> Enabling regulatory compliance
and many other features, which are enumerated in this introductory chapter. With PGP Endpoint Device Control, you can add or change access rights quickly and without the need to reboot the computer, while controlling and monitoring all activities from a central location. This solution is network friendly and uses a three-tiered architecture that minimizes policy-checking traffic.
Actual control is performed within the client computer itself and is transparent to the user. Because the implementation of the control feature is also local, the power of PGP Endpoint Device Control extends to employees using disconnected laptops, delivering the same security regardless of their physical location.
PGP Endpoint Device Control allows you to do the following:
> Define user- and group-based permissions on all or specific machines.
> Prevent unknown devices from being installed on your networks.
> Authorize particular device types within a class.
> Uniquely identify individual devices.
> Schedule I/O access for a predefined time or day of the week.
> Create temporary device access (same day or planned for a future timeframe).
> Restrict the amount of data copied to a device.
> Assign administrator roles.
> Create shadow files (i.e. copies of transferred data) of all data written or read, to or from external devices or specific ports.
> Encrypt media with the powerful AES algorithm.
> Block some media (DVDs/CDs) while permitting other specific ones to be used.
> Enforce encryption of removable devices for specific users and user groups.
You can find a full list of characteristics in the Major features section on page 15.

Benefits of using PGP Endpoint Device Control

The advantages of using PGP Endpoint Device Control include the following:
> Strict user policy enforcement: With no more data leakage, you are in control of the four Ws: who, where, what, and when.
> Specific device permission rules: Permissions enforce a specific organization-approved model.
> Administrator actions logging: A complete report of what your administrators are doing.
> Comprehensive reporting: Useful information to keep everything under the strictest control. For example, you can create a daily or weekly scheduled report of all user attempts to access an unauthorized device.
> Data scrutiny: You can optionally enable a copy (shadow) of all data written/read to/from certain devices.
> Copied data restrictions: You have the choice of establishing a daily limit on, or simply stopping, data being written to external devices.
> Media restrictions: Define in advance which DVDs/CDs can be used in your company.
> Data encryption: Encrypt data as it is being written to a device.

Major features of PGP Endpoint

PGP Endpoint Device Control is designed for large organizations with complex needs. It offers many powerful features such as:
Centralized device access management
PGP Endpoint Device Control's core functionality is its ability to centrally define and manage the access of users, user groups, computers and computer groups to devices on the computer.
Intuitive user interface
Access to devices is controlled using a native Access Control List, arranged in the same way as navigating through files and folders in Windows Explorer. You can apply permissions at different levels: users, user groups, all machines, machine groups, specific machines, groups of devices, or even specific devices.
Novell support
PGP Endpoint Device Control fully supports Novell's eDirectory/NDS structure. The Novell eDirectory trees are synchronized using an external script. These objects appear in the Device Explorer structure, and permissions and rules can be assigned to them explicitly. Administrators can schedule the synchronization script using the Windows Task Scheduler (see PGP Endpoint Setup Guide).
Support for a wide variety of device types and buses
You can grant or deny access permissions for a wide variety of devices using USB, FireWire, ATA/IDE, SCSI, PCMCIA (or Cardbus), Bluetooth and IrDA buses. See Device types supported on page 17 for a list of the supported device types.
Read-only access
PGP Endpoint Device Control lets you define a particular device as read-only. You can set read-only permissions for all file-system based devices, for example, a floppy drive, DVD/CD writer, PCMCIA hard drive, and so on. Other device permissions you can set restrict writing, encrypting, decrypting, exporting data to file/media and importing data.
Copy limit
You can limit the quantity of data users can write to floppy disks and removable storage devices on a daily basis so they cannot abuse their writing permissions.
Temporary access
PGP Endpoint Device Control lets you grant users temporary access to their devices. This means that you can switch access on without having to remember to switch it off again later. You can also use it to grant access in the future for a limited period.
Scheduled device access
PGP Endpoint Device Control lets you grant or deny permissions to use a device during a specific period. This lets you develop sophisticated security policies where certain devices can only be used from, for example, 9 A.M. to 5 P.M., Monday to Friday.
Context-sensitive permissions
You can apply different permissions depending on the connection context. Some permissions are valid regardless of the connection status, while others are only relevant when the machine either is or is not connected to the network. For example, this allows you to disable WiFi cards when laptops are connected to the company network and enable them when the machine does not have a wired connection to the network.
File shadowing
PGP Endpoint Device Control's shadow technology enables full auditing of all data written and/or read to/from file-system based devices such as recordable DVD/CD, removable storage devices, floppy disks, Zip and PCMCIA drives, as well as serial and parallel ports (written data only). This feature is available on a per-user basis. Some of these devices only support partial shadowing, in which only the file name and not the complete content is captured.
User-defined devices
PGP Endpoint Device Control gives you the ability to manage other kinds of devices in addition to those supported by default. You can add any device that is not managed by the default installation to the database as a user-defined device and apply permissions in the usual way.
Offline updates
You can update the permissions of remote machines that cannot establish a network connection to your corporate network. New permissions can be exported to a file that is later imported onto the client computer.
Per-device permissions
Sometimes a device type is too general for you to control access to sensitive data effectively. Therefore, you may want to implement greater control at a lower level: a device model, or even a specific device within a model. For instance, rather than grant permissions to use any type of removable media, you can restrict access to a specific device of a company-approved model.
Unique, serial-identified, removable devices
Administrators can control devices by defining permissions at a class level (for example, all DVD/CD devices), by classifying devices in logical entities called device groups, or by including a device model. When working with removable devices, administrators can go up to a fourth level by defining permissions for a unique, serial-identified removable device.
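To make the deny-by-default allowlist model described in this chapter concrete (class, model and serial-level rules, scheduled and online/offline context-sensitive access, temporary access and daily copy limits), here is a small Python evaluator. It is an example written for this page, not PGP Endpoint Device Control's own code or evaluation algorithm: the rule precedence (any matching rule sanctions the access) and all device, user and group names are assumptions.

```python
"""Illustrative deny-by-default device ACL (constructed example, not product code)."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """A device as reported by the client: class, model and optional serial/bus."""
    dev_class: str
    model: str
    serial: Optional[str] = None
    bus: Optional[str] = None


@dataclass
class Rule:
    """One permission rule; a None attribute means 'any'. Order: class > model > serial."""
    principals: frozenset                       # users or groups the rule applies to
    dev_class: str                              # device class (e.g. Removable Storage Devices)
    model: Optional[str] = None                 # per-model permission
    serial: Optional[str] = None                # unique, serial-identified device
    bus: Optional[str] = None                   # restrict to a bus such as USB or SCSI
    rights: frozenset = frozenset({"read"})     # subset of {"read", "write"}
    online: Optional[bool] = None               # True: connected only; False: offline only
    weekdays: Optional[frozenset] = None        # 0 = Monday ... 6 = Sunday
    hours: Optional[Tuple[time, time]] = None   # scheduled window [start, end)
    valid_until: Optional[datetime] = None      # temporary access expiry
    daily_copy_limit: Optional[int] = None      # bytes a user may write per day


@dataclass
class Request:
    user: str
    groups: frozenset
    device: Device
    right: str                                  # "read" or "write"
    when: datetime
    online: bool
    nbytes: int = 0                             # bytes to write (write requests)


class DeviceAcl:
    """Deny by default: a request succeeds only if some rule sanctions it."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self._written: Dict[Tuple[str, date], int] = {}   # (user, day) -> bytes written

    @staticmethod
    def _matches(rule: Rule, req: Request) -> bool:
        dev = req.device
        if not (rule.principals & (req.groups | {req.user})):
            return False
        if rule.dev_class != dev.dev_class:
            return False
        if rule.model is not None and rule.model != dev.model:
            return False
        if rule.serial is not None and rule.serial != dev.serial:
            return False
        if rule.bus is not None and rule.bus != dev.bus:
            return False
        if rule.online is not None and rule.online != req.online:
            return False
        if rule.weekdays is not None and req.when.weekday() not in rule.weekdays:
            return False
        if rule.hours is not None and not (rule.hours[0] <= req.when.time() < rule.hours[1]):
            return False
        if rule.valid_until is not None and req.when >= rule.valid_until:
            return False
        return req.right in rule.rights

    def check(self, req: Request) -> Tuple[bool, str]:
        matching = [r for r in self.rules if self._matches(r, req)]
        if not matching:
            return False, "denied: no rule sanctions this access (default deny)"
        if req.right != "write":
            return True, "allowed: read sanctioned"
        key = (req.user, req.when.date())
        used = self._written.get(key, 0)
        for rule in matching:                   # first write-capable rule with quota left wins
            if rule.daily_copy_limit is None or used + req.nbytes <= rule.daily_copy_limit:
                self._written[key] = used + req.nbytes
                return True, "allowed: write sanctioned"
        return False, "denied: daily copy limit reached"


# Constructed policy: Sales may use one approved key model in business hours with a
# 10 MB/day limit, one serially identified key anywhere until 1 July 2008, and everyone
# may read DVD/CDs only while the laptop is offline.
APPROVED_MODEL = "VendorX SecureKey 4GB"        # constructed model name
RULES = [
    Rule(frozenset({"Sales"}), "Removable Storage Devices", model=APPROVED_MODEL,
         rights=frozenset({"read", "write"}), weekdays=frozenset(range(5)),
         hours=(time(9), time(17)), daily_copy_limit=10_000_000),
    Rule(frozenset({"Sales"}), "Removable Storage Devices", serial="SN-CONSTRUCTED-0001",
         rights=frozenset({"read", "write"}), valid_until=datetime(2008, 7, 1)),
    Rule(frozenset({"Everyone"}), "DVD/CD drives", rights=frozenset({"read"}), online=False),
]


def run_scenarios() -> Dict[str, bool]:
    """Evaluate a set of constructed requests; returns scenario name -> allowed."""
    acl = DeviceAcl(RULES)
    key = Device("Removable Storage Devices", APPROVED_MODEL, serial="SN-OTHER", bus="USB")
    tagged = Device("Removable Storage Devices", "OtherBrand", serial="SN-CONSTRUCTED-0001", bus="USB")
    dvd = Device("DVD/CD drives", "Generic DVD-ROM")
    alice = dict(user="alice", groups=frozenset({"Sales", "Everyone"}))
    bob = dict(user="bob", groups=frozenset({"Everyone"}))
    tue = datetime(2008, 6, 10)                 # a Tuesday
    return {
        "sales_write_in_hours": acl.check(Request(**alice, device=key, right="write",
                                                  when=tue.replace(hour=10), online=True, nbytes=6_000_000))[0],
        "sales_write_over_limit": acl.check(Request(**alice, device=key, right="write",
                                                    when=tue.replace(hour=11), online=True, nbytes=5_000_000))[0],
        "sales_read_after_hours": acl.check(Request(**alice, device=key, right="read",
                                                    when=tue.replace(hour=18), online=True))[0],
        "unknown_model_denied": acl.check(Request(**alice, device=Device("Removable Storage Devices", "NoName"),
                                                  right="read", when=tue.replace(hour=10), online=True))[0],
        "serial_device_after_hours": acl.check(Request(**alice, device=tagged, right="write",
                                                       when=tue.replace(hour=18), online=True, nbytes=1))[0],
        "serial_device_expired": acl.check(Request(**alice, device=tagged, right="read",
                                                   when=datetime(2008, 7, 2, 10), online=True))[0],
        "non_sales_denied": acl.check(Request(**bob, device=key, right="read",
                                              when=tue.replace(hour=10), online=True))[0],
        "dvd_offline_read": acl.check(Request(**bob, device=dvd, right="read",
                                              when=tue.replace(hour=10), online=False))[0],
        "dvd_online_read": acl.check(Request(**bob, device=dvd, right="read",
                                             when=tue.replace(hour=10), online=True))[0],
    }
```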
Per-device encryption
Restricting access for a specific device to a particular user also incorporates an encryption process to ensure that sensitive data is not inadvertently exposed to those without authorized access.
Centralized and/or decentralized encryption
Using PGP Endpoint Device Control you, as an administrator, can not only grant user(s)/group(s) access to a removable storage device (defined at the class, group, model, or uniquely identified device level) but can also force users to encrypt their devices locally. This decentralized encryption scheme is a work-around for those organizations that do not want (or need) to manage device encryption centrally while ensuring that the company's data is not inadvertently exposed.
DVD/CD recorder shadowing
Shadowing, a copy of the file's data, can be used with the following writable media formats: CD-R, CD-RW, DVD-R, DVD+R, DVD-RW, DVD+RW and DVD-RAM. Shadowing means that data written/read to/from these media is intercepted and made available to the administrators. By default, PGP Endpoint Device Control disables writing to such media and, when writing must be enabled, you can optionally select to shadow the data.
DVD/CD recorder shadowing is supported on Windows 2000 (Service Pack 4 or later) and later only. Windows NT4 is no longer supported by PGP Endpoint Device Control.
Administrator roles
PGP Endpoint's User Access module allows you to set precise controls to determine who can access the different components of the PGP Endpoint Management Console. For example, you can restrict access to the shadowing information to only the company's auditors. You should also consult the PGP Endpoint Setup Guide to learn how to set rights to control Organizational Units, Users, Computers and Groups.
Tamper-proof client component
The PGP Endpoint Client Driver, installed on each protected computer or server, is a critical part of PGP Endpoint Device Control. This driver is protected against unauthorized removal, even by authorized administrators. PGP Endpoint Administrators may issue an endpoint maintenance ticket (see Client hardening on page 183 and Endpoint Maintenance on page 29) or explicitly deactivate this protection.
File filtering
You can use this feature to control which file types can be copied to and/or from removable devices (see Using file filters on page 63).
DVD/CD encryption
Use this feature to convert your DVDs/CDs into robust data repositories. Our strong ciphering algorithms always secure your data so you can transport your private information without compromising your data security (see Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data on page 201).
PGP-Encrypted Removable devices usage
PGP-encrypted devices are now recognized directly in PGP Endpoint-protected environments. This gives you the clear advantage of encrypting removable devices using either the long-proven PGP application and protocols or PGP Endpoint's technology (see Chapter 11: Using PGP-Encrypted Removable Devices on page 211).

What is new on this version

See the Readme.txt file located on your CD installation disk for a full list of features and changes.

Device types supported

PGP Endpoint Device Control supports a wide range of device types that represent key sources of security breaches. For some of these devices, you can allow access and activate the shadowing option for that class of device. If this is done, PGP Endpoint Device Control enables the administrators to view the content of the files written/read to/from that authorized device.
You can set up permissions for devices that connect using USB, FireWire, PCMCIA, ATA/IDE, SCSI, Bluetooth, and IrDA bus types. Devices attached to these bus types are recognized based on their device type, not on the way they are connected. For example, an external DVD/CD-ROM drive attached to a PC using the USB port is recognized as device type DVD/CD-ROM and is, therefore, controlled using the same mechanism and settings as an internal DVD/CD-ROM drive. It is possible to define a permission at device class level and restrict it to a specific bus type, such as USB, FireWire, and so forth.
Device types currently managed by PGP Endpoint Device Control include:
Biometric devices
You can find Password Managers and FingerPrint readers in this class of devices. They are connected to the computer using the USB port.
COM/serial ports
These include serial ports and devices that make use of COM device drivers, such as some types of modems (including null modems) and terminal adaptors. Some PDA cradles also make use of the serial port, even when they are connected through the USB port.

DVD/CD drives
CD-ROM and DVD access can be managed in several ways. PGP Endpoint Device Control allows for full device lock/unlock, access to music CDs only, or access only for uniquely identified DVDs/CDs previously authorized. You can also restrict write privileges to CD-R/W and DVD -/+R/W devices.
Floppy disk drives
You can manage access to the floppy drive as either completely locked/unlocked or on a read-only basis. Floppy disk drive devices include conventional diskette drives, as well as high-capacity drives such as the LS-120. This applies regardless of how the devices are connected to the system, whether IDE, parallel, USB, or by other methods.
Imaging devices/Scanners
Access to these USB or SCSI devices can be managed using PGP Endpoint Device Control. A scanner or a webcam is an example of this kind of device.
Some devices, like the Bluetooth print server, only work if the COM port is also enabled. If you use a printer that is configured to use a particular COM port (even if this port is provided by a Bluetooth adapter), then you may need to give access to the COM port as well.
Some all-in-one models include a printer, a scanner and a memory card reader. There are cases where the scanner functionality cannot be used if the USB Printer functionality is disabled by the PGP Endpoint Client Driver.
LPT/parallel ports
You can control conventional parallel printer ports, as well as variants such as ECB. Dongles are also included.
Modems/Secondary network access devices
Access to these internal or external devices can be managed with PGP Endpoint Device Control. Secondary network devices are those that do not connect directly through normal channels.
Different modems operate in different ways. Depending on your brand, you may need to allow access to the COM port, to the Modem port, or, possibly, to both, so that you can use your modem. You should experiment with the settings in order to see what works best in your case.
If your users connect via dial-up, you may need to set a permission rule for the Local System for the Modem.

Palm handheld devices
Create permission rules at your convenience for this type of device using PGP Endpoint Device Control.
Plug and Play devices
PGP Endpoint Device Control is able to detect Plug and Play devices. These devices are subject to the same access controls set for fixed devices of the same type.
FireWire (IEEE 1394) network adapter devices are managed by the Modem/Secondary Network Access Devices class as found in the Device Explorer module (see Chapter 3: Using the Device Explorer on page 49). A reboot is required to apply new permissions.
During the plug and play process, Windows registers the device into a class. PGP Endpoint Device Control uses this information to apply permissions to the device. For example, if Windows registers a camera in the Removable Storage Devices class, access to this camera is controlled by the permissions set in that class in the Device Explorer module.
Printers (USB/Bluetooth)
PGP Endpoint Device Control allows you to control the access to USB/Bluetooth printers connected to client computers.
Some all-in-one models of devices include a printer, a scanner and a memory card reader. There are cases where the scanner functionality cannot be used if the PGP Endpoint Client Driver disables the USB Printer functionality.
PS/2 ports
PS/2, the port traditionally used to connect a keyboard, is being rapidly superseded by the USB port for keyboard connections. If you are only using USB keyboards and USB mice in your network, you can opt to permanently block all PS/2 ports. This will make the use of PS/2 keyloggers (which capture data typed at the keyboard, including passwords and other sensitive data) very difficult. Please consult Chapter 8: Setting and changing options on page 181 for more information.
Removable storage devices
This device type includes disk-based devices that are not floppy or CD-ROM drives. Devices such as Jaz and PCMCIA hard drives fall in this category, as well as USB memory devices such as memory stick, Disk on Key, ZIP, as well as USB-connected MP3 players and digital cameras.
Secondary hard disk drives (including SCSI drives) are treated as Removable Storage Devices. By specifying whether a permission applies to Hard Drive or Non Hard Drive devices, you can distinguish between memory keys and secondary hard drives. You can also restrict the permissions to devices that connect through a given bus, such as USB, SCSI, or PCMCIA.
RIM BlackBerry handhelds
Handheld computers/mobile phones from the RIM (Research in Motion) BlackBerry are connected to the computer through a USB port. Access to these PDA/GSM devices can be managed with PGP Endpoint Device Control.
Smart Card readers
Access to readers for smart cards, such as eToken or fingerprint readers, can be managed with PGP Endpoint Device Control.
Tape drives
Access to internal and external tape drives of any capacity can be managed with PGP Endpoint Device Control.
Some backup units that do not use the Microsoft-supplied drivers cannot be controlled by PGP Endpoint Device Control.
User Defined devices
Devices that do not fit into the standard categories can also be managed with PGP Endpoint Device Control. Devices such as some PDAs (non Compaq IPAQ USB, non Palm handheld USB), iPaq, Qtec, HTC, and Web cams can be specified as a user-defined device and permissions added to them in the usual way.
Windows CE handheld devices
Access to these devices can be managed with PGP Endpoint Device Control. The HP iPAQ or XDA are Windows Mobile 5 CE Devices (running Windows PocketPC 2002/2003 OS).
Windows CE handheld devices
Handheld Windows CE computers (using PocketPC OS) connected to the PC through a USB port.
Wireless network interface cards
When installing the PGP Endpoint Client Driver, you have the option to configure the client's permissions to use a Wireless LAN adaptor.
This permission applies only to wireless cards for which Windows does not require a manufacturer-specific driver or administrative privilege to install.

Conclusions

PGP Endpoint Device Control eliminates the majority of the danger associated with insiders abusing their access to network resources and mission-critical information. It significantly increases the security level of your operating system by controlling and auditing end-user access to I/O devices.
Using the control console, the security administrator(s) can allow access to an I/O device by assigning permission rules to users/groups.
With the optional shadowing feature, it is possible to track down data written/read to/from certain I/O devices. You can also access a log of what files were copied to various I/O devices on any given day.
PGP Endpoint Device Control's non-obtrusive and flexible nature protects and prevents with very little overhead for your users or system. Using our products, you can be assured that your company is safe.

Chapter 2: Using the PGP Endpoint Console

This chapter explains how PGP Endpoint Device Control approaches I/O security. It describes the components of PGP Endpoint Device Control and explains how they contribute to the enforcement of your company's security policies.
When you first install PGP Endpoint Device Control, default permission rules are created and configured. These rules include shadow restrictions and read/write permissions for some of the devices. Although these settings meet the needs of some users, most people require additional access rights to carry out their day-to-day jobs. One of the first tasks of an administrator is to define new permission rules for users, groups, computers, or devices in their network.
Using the PGP Endpoint Management Console you can:
> Set default options.
> Grant general access to all available devices.
> Define specific rights for certain users.
> Authorize media types and specific media on a general or user-by-user basis.
> Send updates to all users or to certain computers.
> Maintain the database where all information is stored.
> Synchronize domain users.
> Configure centralized and decentralized encryption, etc.
> Generate standard reports showing user permissions, device permissions, computer permissions, media by user, users by medium, shadowing by device, shadowing by user, online machines, user options, server settings, and machine options.
> Generate custom reports of device use or device-attempted use.
> See the content of a copied or read file (only if shadowing is active).
> View the log of all administrators' changes to user policies.
> Review any attempt to access the configured devices on a computer.

Starting the PGP Endpoint Management Console

To start the PGP Endpoint Management Console:
1. Click the Windows START button.
2. Select Programs > PGP Endpoint > PGP Endpoint Management Console.
You can also create a shortcut in Windows desktop for your convenience.

Connecting to the Server

When you initially launch the PGP Endpoint Management Console, you need to connect to a PGP Endpoint Administration Server. The Connect to SXS Server dialog is displayed.
To connect to the server, follow these steps:
Figure 1: Connecting to the server
1. Select the PGP Endpoint Administration Server to which you want to connect from the list (if available) or type in the name. You can use the IP address, the NetBios name, or the fully qualified domain name of the PGP Endpoint Administration Server. If your Server is configured to use a fixed port, you have to append the port number to the server name as in this example:
secrsrv.secure.com[1234]
Please refer to the description of the registry key settings of the PGP Endpoint Administration Server in the PGP Endpoint Setup Guide for more information about how to configure the server to use a fixed port.
When the PGP Endpoint Administration Server is installed on a Windows XP SP2 or Windows 2003 SP1 computer, you should configure the Windows XP Firewall to allow communication between the PGP Endpoint Administration Server and the PGP Endpoint Management Console. Please see the PGP Endpoint Setup Guide for more details.
2. Choose to log in as the current user or specify a different user's details, using the Log in as option.
3. Click on the OK button. The PGP Endpoint Management Console screen is displayed.
If the PGP Endpoint Management Console screen does not appear, an error message is displayed. This indicates a problem occurred during an internal test. Check that you have the required permissions to connect to your selected server, domain rights, and PGP Endpoint Management Console rights. See Defining PGP Endpoint administrators on page 35.

Log in as a different user

If you selected the Log in as option, instead of using your credentials you must enter the user name and password. Prefix the user name with a workstation name and backslash for local accounts, and with a domain name and backslash for domain accounts (e.g. DOMAIN1\ADMIN1).
Once the connection is established, the user's credentials are shown in the Output panel while the Connection window shows the license details. If you do not see these windows, select the VIEW > CONNECTION and/or VIEW > OUTPUT command:
Figure 2: Connection / Output window

The PGP Endpoint Management Console screen

When you start a PGP Endpoint Management Console session, the PGP Endpoint Management Console screen is displayed.
Figure 3: The PGP Endpoint Management Console screen
The Menu in the upper part of the window provides access to different PGP Endpoint Device Control functions and commands. Some of these depend on the module you are currently using. For example, the contents of the Explorer menu depend on whether you are in the Exe Explorer or the Log Explorer. You can use shortcut key combinations to access different commands. For example, ALT+R+O displays an HTML Online Machine report.
The Control Panel displays in the left-hand side of the window. This lets you select the available modules and options without using the menu. If the Control Panel is not visible, use the View > Control Panel command to display it.
The contents displayed in the Main window panel depend on the module currently selected in the left panel. You can refine the information displayed in some modules. Every time you open a module, it stays open and arranged in stacked tabs until explicitly closed. You can use the Window command of the menu bar to organize your workspace.
The Connection window shows information about the current user. You can use the scrollbar to navigate through the text. If the Connection window is not visible, use the View > Connection command to display it.
The Output window displays important information messages, for example, messages generated by updates sent to the clients, file fetching, I/O failures, as well as error messages. Use the scrollbar to navigate through the text. If the Output window is not visible, use the View > Output command to display it.
The Status bar, at the bottom of the screen, displays information about the condition of the console. If you do not see it, use the View > Status Bar command to display it.
If you are using a time-limited license for PGP Endpoint then once a day, when starting the management console, you get the following screen informing you of your license status:
Figure 4: License status warning
This information is also reported in the Connection window of the main screen and generates a log that you can see using the Windows event viewer.

Customizing your workspace

You can resize and reposition the panels in the main PGP Endpoint Management Console window to suit your needs. To do this, use the Pin icon to pin down or float the Control Panel, Connection, or Output windows. When a window is parked, the icon changes to the pinned state.
Alternatively, you can dock each window or minimize the panel. In Dock mode, the window hides itself as a tab at the edge of the PGP Endpoint Management Console screen, leaving more space for the main window panel. Click again on the pin to float the window panel again.
Figure 5: Docked Control Panel
Figure 6: Docked window
In Floating mode, the windows can be moved to any position on the screen, sharing the working area with whatever module is open.
You can resize and drag the window panes to whatever zone you prefer, as in the following example:
Figure 7: Floating Control Panel
Figure 8: Floating windows
Double-click on a window's title bar to dock it in its previous position. You can also drag the window to any edge of the PGP Endpoint Management Console screen, in which case it docks itself there; use the rectangular preview as a guide before releasing the mouse button.
All open modules occupy the main window area and can be floated or docked at will. You can use the Window menu to arrange the open module windows in tile, cascade, or iconized mode. Each window can also be closed, maximized, or iconized independently as needed. If several modules are already open (as shown in Figure 7), you can choose between them using the stacked tab bar.
You can reorder the windows located in the main window panel by dragging them using their title bar, or traverse them using the Scroll Left or Scroll Right icons.
To close the active window, click on its cross icon, right-click on the title bar and select Close, or press Ctrl+F4.
To minimize a window, right-click on the title bar and select Minimize. You can also use the Restore and Maximize icons and commands as on any Windows program.
Figure 9: Minimized windows

The PGP Endpoint Device Control modules

When you are using PGP Endpoint Device Control, the PGP Endpoint Management Console screen gives access to the three PGP Endpoint Device Control modules. These are summarized in the following table:
Module: Device Explorer
Used to: Grant access to I/O devices for specific users or groups. Establish copy limits and activate shadowing. Allow users to encrypt removable devices on the fly (decentralized encryption).
See: Chapter 3: Using the Device Explorer
Module: Log Explorer
Used to:
> View records of files copied from any PC to authorized I/O devices, and view the contents of the files themselves (two-way shadowing).
> View attempts to access or connect unauthorized devices.
> Create custom reports, for example a daily or weekly scheduled report of all user attempts to access an unauthorized device.
See: Chapter 5: Using the Log Explorer
Module: Media Authorizer
Used to:
> Recognize specific DVD/CDs which users can be permitted to use, even where they have not been granted access rights to the DVD/CD drive, as well as establish specific (encrypted) removable media which users can be permitted to use.
> Give permission to use specific DVD/CDs to users who have been barred from using the DVD/CD drive.
> Establish permission to use specific (encrypted) media.
> Centrally encrypt removable devices.
See: Chapter 6: Using the Media Authorizer
Table 1: The PGP Endpoint Device Control modules
Device Explorer module
The Device Explorer module is the core of the PGP Endpoint Management Console program when used with PGP Endpoint Device Control. PGP Endpoint administrators can use it to:
> Modify assigned permissions and rules.
> Create new permissions and rules.
> Delete already defined permissions and rules.
> Check permissions and rules.
> Define the users who must encrypt removable storage devices before using them (decentralized encryption).
> Add unique, serially identified removable storage devices to further control the working environment.
> Define the bus type where the permission applies (depending on the device class).
The rules can be applied in any of the following combinations, depending on the device:
> Read data.
> Read/Write data.
> No data access.
> Only allow access to encrypted removable storage devices.
> Online permission.
> Offline permission.
> Scheduled permission.
> Temporary permission.
> Shadow permission (a copy of all data written to or read from certain I/O devices).
> Data copy limit permission.
> Encrypt/decrypt, export encryption key to file/media, import encryption key (when using removable devices).
You can find more information in Chapter 3: Using the Device Explorer.
Log Explorer module
The Log Explorer module forms the core of the housekeeping control routines carried out by PGP Endpoint administrators. It displays the information stored in the log files in the format you specify in a template. You can create custom reports showing:
> User actions: for example, users accessing floppy drives or other device types.
> Administrator actions: for example, permissions granted for particular devices.
Although the driver enforces the defined permissions, administrators can use this module to check how granted permissions are being used and to see who is trying to access non-authorized devices.
For more information about the Log Explorer module see Chapter 5: Using the Log Explorer on page 101.
In previous versions of PGP Endpoint, administrator actions were reported in the Audit Log Viewer.
Media Authorizer
Administrators can use the PGP Endpoint Management Console's Media Authorizer module to scan a DVD/CD and enter its details into the Database of Authorized DVDs/CDs. You can perform the following actions on the existing DVD/CDs in this database:
> Assign them to a user or user group.
> Remove a user or user group previously assigned to a DVD/CD.
> Rename the medium.
> Remove or add media from the list. This is equivalent to adding it to or removing it from the database.
When a DVD/CD is scanned, the DVD/CD Authorizer calculates a checksum to uniquely identify it. There is no limit to the number of Authorized CDs that can be added to the database. Authorization of multi-session CDs is only supported when the client and the console are installed on the same machine.
When a DVD/CD is inserted into a client computer, the driver verifies the checksum. If it coincides with one of the Authorized DVDs/CDs that the user is allowed to access, the DVD/CD is made available. If the checksum does not correspond to one in the white list, access is denied.
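As an added example (not code from the PGP Endpoint product or from this guide), the following Python models the check described above: a medium is identified by a checksum of its content rather than by its label, and access is granted only when that checksum is in the authorized list for the user or for a group the user belongs to. SHA-256, the sample disc images, the user and group names, the database layout and the function names are all assumptions made for the illustration; the guide does not state which checksum algorithm the driver uses.

```python
import hashlib
from typing import Dict, Set

# Constructed disc images standing in for the DVD/CD content the driver hashes.
MEDIA_IMAGES: Dict[str, bytes] = {
    "training-dvd": b"ISO 9660 training content, build 1\n" * 64,
    "driver-cd": b"vendor driver package, March 2008\n" * 64,
}


def media_checksum(image: bytes) -> str:
    """Identify a medium by a hash of its content. SHA-256 is an assumption;
    the guide does not name the checksum algorithm the driver uses."""
    return hashlib.sha256(image).hexdigest()


# Database of Authorized DVDs/CDs (assumed layout): checksum -> principals
# (users or groups) assigned to that medium in the Media Authorizer.
AUTHORIZED_MEDIA: Dict[str, Set[str]] = {
    media_checksum(MEDIA_IMAGES["training-dvd"]): {"group:Trainees"},
    media_checksum(MEDIA_IMAGES["driver-cd"]): {"user:alice"},
}

# Group membership as known to the console after domain synchronization (constructed).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "group:Trainees": {"user:bob", "user:carol"},
}


def principals_for(user: str) -> Set[str]:
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def media_allowed(user: str, inserted_image: bytes) -> bool:
    """The driver-side decision: the inserted medium's checksum must be in the
    white list AND the user (directly or through a group) must be assigned to it.
    A medium whose checksum is unknown is denied regardless of the user."""
    assigned = AUTHORIZED_MEDIA.get(media_checksum(inserted_image), set())
    return bool(assigned & principals_for(user))


def tampered(image: bytes) -> bytes:
    """A copy of an authorized disc with one byte changed, e.g. a re-mastered
    disc that keeps the original volume label; its checksum no longer matches."""
    return image[:-1] + bytes([image[-1] ^ 0x01])
```

The last function shows why a content hash is the right identifier: changing a single byte of an authorized disc image produces a different checksum, so a re-mastered copy of an approved disc is rejected even though it carries the same label. Note also that bob is allowed the training DVD only through his group membership, which is the case the Media by User report (see the Reports menu) does not list.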
You can find more information in Chapter 6: Using the Media Authorizer on page 139. You can also use this module to encrypt removable storage devices connected to a computer using one of the three proposed methods to cipher the device. As an alternative, you can use the Device Explorer module to define permissions that force the user to encrypt any removable storage device plugged into their computer.
The third and last use of this module is to add an externally encrypted device (Import) to the database of previously encrypted devices and then define permissions for a user to use it. You can also force a user or user group to use only encrypted devices, minimizing the risk of losing information if a device is lost.
For more information, see Chapter 7: Accessing encrypted media outside of your organization on page 161.

The PGP Endpoint Management Console menus and tools

This section describes all those commands you can directly access using the Menu bar.

File menu

Use the File menu to connect to or disconnect from a PGP Endpoint Administration Server, save the contents of the main page, or close the program. The items on the File menu are explained in the following table:
Connect: Communicates with a PGP Endpoint Administration Server running on another machine, or using a different user name, in order to carry out administrative tasks.
Disconnect: Detaches the PGP Endpoint Management Console from the current PGP Endpoint Administration Server before using the Connect option.
Save As: Saves the contents of the main window in CSV format (only available for specific modules). You can use this option to export data to any CSV compliant program, for example Excel.
Print: Prints the active report window. The standard Internet Explorer print dialog is displayed.
Exit: Exits the PGP Endpoint Management Console application. This command does not stop the PGP Endpoint Administration Server, just your administrative session.
Table 2: File menu options

View menu

The View menu controls how the main elements of the PGP Endpoint Device Control window are displayed. The items on the View menu are explained in the following table:
Modules: Displays a sub menu from which you can select any available module.
Control Panel: Shows or hides the Control Panel, which lets you select modules, tools, reports, and help from a convenient list.
Output: Shows or hides the Output window, which displays a log of system activity.
Connection: Shows or hides the Connection window, which displays real-time operating information.
Status bar: Shows or hides the status bar, which displays program conditions, clock, and messages.
Table 3: View menu options

Tools menu

The Tools menu is used to update the database, send permissions to PGP Endpoint clients and so on. The Tools menu items are explained in the following table:
Synchronize Domain members: Updates the PGP Endpoint Database with the current list of users and groups of a domain or machine.
Database Maintenance: Deletes the device logging entries, audit logs, machine scans, shadow files, and key recovery information created before a given date from the database and data file directory.
User Access: Defines PGP Endpoint Enterprise Administrators and PGP Endpoint Administrators. This option lets you restrict the right to set permissions, view audit information about administrators' actions, or view shadowing information. See the PGP Endpoint Setup Guide to learn how to set rights to control Organizational Units/Users/Computers/Groups.
Key Recovery: Accesses the administrator's tool to recover a password to unlock an encrypted storage device. See Recovering a password for decentralized encryption when connected on page 154.
Default Options: Changes the default option settings for computers. See Chapter 8: Setting and changing options on page 181.
Send Updates to All Computers: Dispatches the latest setting and permission changes to all computers on the network. Changes can be sent in synchronous or asynchronous mode.
Send Updates to: Transmits the latest setting and permission changes to a specific computer on the network.
Export Settings: Places all settings and permissions in an external file that can be sent to all those who are working offline with no connection and need an update of their permissions. If placed in a special file, policies.dat, it is possible to do a serverless client installation (see the PGP Endpoint Setup Guide for more details). See To export and import permission settings on page 84.
Purge Online Table: Erases all information regarding connected clients. The PGP Endpoint Administration Server keeps a record of connected clients. Sometimes clients are disconnected without notifying their server that they are no longer available. In this case orphan entries are left in the online table, affecting the performance of the Send Updates functionality. When you purge the online table, the application server deletes all information it has concerning connected clients. Every time a user logs on/off or unlocks their station the online table is modified.
Endpoint Maintenance: Creates and saves maintenance tickets for computers/computer groups, allowing protected files and/or registry keys to be modified.
Temporary Permission Offline: Accesses the administrator's tool for generating a code that can be communicated to a user by phone to enable them to increase their permissions on a temporary basis while offline. See To assign temporary permissions to offline users on page 78.
Table 4: Tools menu options

All the commands in the Tools menu can also be accessed using the Tools module of the Control Panel.
PGP Endpoint keeps a copy of user information in its database. When a new user logs on, PGP Endpoint stores the user's Security Identifier (SID) but not the user name. The same applies when you add a new computer to the domain: PGP Endpoint identifies the computer and stores its name in the database. For performance reasons, new user names are not resolved during logon but require an explicit synchronization (Tools > Synchronize Domain Members). The synchronization process varies depending on whether the protected computers are in a domain or a workgroup.

Endpoint Maintenance

When the client starts, it generates a 15-byte random value used for protection purposes. This value, which we call the Salt, is used to guarantee that only authorized processes/users can perform maintenance. The Endpoint Maintenance dialog is used to create and save a ticket for this service. This provisional permission to modify, repair, or remove the client, its registry keys, or its special directories can be issued for computers or users.
The Salt value works in conjunction with the Client Hardening value configured in the Default Options dialog (see Chapter 8: Setting and changing options on page 181). If the client hardening option is set to Basic you do not need the salt. If the client hardening option is set to Extended you need to enter or query the salt and lower the protection level using Endpoint Maintenance. You can save and transport the generated ticket to the client computer(s) by any available means (shared directory, email, or removable device).
If the client machine is not reachable from the console, you can always get the salt value and hardening status of the client computer by right-clicking its PGP Endpoint Client Drivers icon located in the system tray and selecting Endpoint Maintenance from the contextual menu.
You must enable the Remote Registry service on Windows Vista machines if you want to query the Salt value using the PGP Endpoint Management Console. This service is disabled by default in this operating system. As a workaround, you can ask the user to provide this value.
Do not use the Send to right-click menu option to transfer the Maintenance ticket file; use copy and paste instead.
Client ticket rules
The client ticket follows these rules:
1. The maintenance ticket is unique and per machine. You cannot generate the same ticket for several computers (even though you are allowed to do so if the client hardening option is set to Basic).
2. You can define a validity period for the ticket. After this period, if the ticket has not been accepted it is no longer legitimate for the clients. Once the ticket is accepted, there is no time limit for its use. To deactivate the ticket you must reboot the machine.
3. If the maintenance ticket is generated for a specific user, this user must be logged on to accept it. If this is not the case, the ticket is rejected.
4. If you choose to relax (lower) the client hardening value by creating and using a maintenance ticket for a computer without choosing a user and another user logs into the same machine, the computer continues in a relaxed (modified) state until the next reboot.
5. Your comments appear on the audit log. You can review them by using the Log Explorer module (see Chapter 5: Using the Log Explorer on page 101).
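The rules above can be read as the acceptance checks a client performs on a ticket. The Python below is an added model of those checks, not the product's ticket format or code (the guide does not document the contents of ticket.smt or how the client authenticates it). It assumes an HMAC over the ticket fields with a key shared between console and client, a 15-byte salt regenerated on each boot as the guide states, integer timestamps, and the field and function names shown; all of these are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional

# Assumed shared secret with which the console signs tickets and the client
# checks them; the guide does not document how tickets are authenticated.
CONSOLE_KEY = b"constructed-console-signing-key"


@dataclass
class Client:
    """Model of a PGP Endpoint client as seen by the maintenance ticket logic."""
    hardening: str                       # "Basic" or "Extended" (Default Options)
    logged_on_user: Optional[str]        # None when nobody is logged on
    salt: bytes = field(default_factory=lambda: os.urandom(15))  # 15-byte boot-time salt
    relaxed: bool = False                # True while protection is lowered

    def reboot(self) -> None:
        """A reboot draws a fresh salt and ends any relaxed state (rules 2 and 4)."""
        self.salt = os.urandom(15)
        self.relaxed = False


def _mac(payload: dict) -> str:
    """Authenticator over the canonical JSON form of the ticket fields."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CONSOLE_KEY, msg, hashlib.sha256).hexdigest()


def create_ticket(salt: Optional[bytes], user: Optional[str],
                  not_after: int, comment: str) -> dict:
    """Console side. salt is the queried client salt (None for Basic hardening),
    user is None for a computer-only ticket, not_after ends the validity period
    (seconds since the epoch in this model), comment is what the audit log records."""
    payload = {
        "salt": salt.hex() if salt is not None else None,
        "user": user,
        "not_after": not_after,
        "comment": comment,
    }
    return {**payload, "mac": _mac(payload)}


def accept_ticket(client: Client, ticket: dict, now: int) -> bool:
    """Client side. Returns True and lowers protection only if every rule holds."""
    payload = {k: v for k, v in ticket.items() if k != "mac"}
    if not hmac.compare_digest(_mac(payload), ticket["mac"]):
        return False                                   # forged or edited ticket
    if client.hardening == "Extended" and ticket["salt"] != client.salt.hex():
        return False                                   # rule 1: bound to this machine's salt
    if now > ticket["not_after"]:
        return False                                   # rule 2: validity period has passed
    if ticket["user"] is not None and ticket["user"] != client.logged_on_user:
        return False                                   # rule 3: the named user must be logged on
    client.relaxed = True                              # rule 2: no time limit once accepted
    return True
```

Because the ticket carries the salt, a ticket taken from one machine is rejected on every other Extended-hardened client (rule 1), and the same ticket is rejected by the original machine after it reboots and draws a new salt. The expiry is checked only at acceptance, which is what rule 2 says: once accepted, the relaxed state lasts until reboot, whoever logs on next (rule 4).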
The client protection mechanism can also be temporarily deactivated when using the PGP Endpoint Client Deployment Tool. The protection is reactivated and reset to its previous setting after the client reboots. Please consult the PGP Endpoint Setup Guide for more details.
To create and save maintenance tickets for endpoint machines/users
1. Select the TOOLS ENDPOINT MAINTENANCE item from the menu bar (or from the Tools section of the Control Panel).
2. Select the Salt value. (If the client hardening option is set to Basic you do not need the salt. If the client hardening option is set to Extended you need to enter or query the salt for the machine you want to relax.) Use the QUERY button to obtain the salt value directly from the client computer. Use the right-click contextual menu of the PGP Endpoint Client Drivers icon when the machine is not connected to the network.
3. Select the validity period for the ticket.
4. Select the user(s) and/or computer for which this ticket is valid.
5. Add any additional comments in the corresponding field.
6. Click on the SAVE button, choose a suitable location, click on SAVE and then on CLOSE.
Figure 10: Endpoint maintenance
You can save this ticket (ticket.smt) and transfer it to selected computers by means of an external device; the machine(s) must have the required permissions to access that device. This maintenance ticket must then be copied to the predefined ticket directory on the client computer(s). See the PGP Endpoint Setup Guide for a description of the registry keys. As previously explained, this ticket also depends on the Client Hardening option value.

Reports menu

The Reports menu can be used to save or print many types of information. The Reports menu items are explained in the following table:
User Permissions: Generate a report of the device permissions associated with one or more users.
Device Permissions: Generate a report of users' permissions for each device.
Computer Permissions: Generate a report of the permissions assigned to each user for the use of the different devices associated with a particular computer.
Media by User: Generate a report of the types of DVDs/CDs a selected user is allowed to access. DVDs/CDs authorized as a result of a user being a member of a group are not listed. Specific (encrypted) media that users have permission to use are also listed in this report.
Users by Medium: Generate a report of the users or groups allowed to use each authorized DVD/CD. Users who have been granted the right to access a specific encrypted medium are also listed in this report.
Shadowing by Device: Create a report showing the users copying and/or reading data to and/or from particular devices.
Shadowing by User: Generate a report showing the total amount of data copied and/or read to and/or from different devices for all users.
User Options: Generate a report with all related permissions and settings for a specified user.
Machine Options: Generate a report showing all computers' options as currently defined in the system. These can be changed using the command Tools > Default Options.
Online Machines: The PGP Endpoint Administration Server(s) keep a record of the connected clients. The online table is updated every time a user logs on or unlocks his/her station. This report shows a list of connected machines.
Server Settings: Generate a report showing how your PGP Endpoint Administration Server(s) is configured. This provides you with very useful troubleshooting information.
Table 5: Report menu options
See Chapter 9: Generating PGP Endpoint Reports on page 189 for more detailed information.
In addition to the standard reports that are available through the Reports menu, you can define your own criteria for selecting log entries and producing reports using the Log Explorer module. For more information see Chapter 5: Using the Log Explorer on page 101.

Explorer menu

The Explorer menu contains different menu options, depending on which module you are currently using. The Explorer menu items are explained in the following table:
In the Device Explorer module
Manage Devices: Add and remove devices that can be administered using permissions.
Insert Computer: Add a machine to the machine-specific settings section or a computer group.
Add/Modify Permissions: Define and change general permissions.
Add/Modify Online Permissions: Define and change device permissions to apply when a computer is connected to the network.
Add/Modify Offline Permissions: Define and change device permissions to apply when a computer is not connected to the network.
Add/Modify Scheduled Permissions: Define and change programmed permissions.
Add/Modify Shadow Settings: Create and modify the rules used to obtain a copy of those files users have copied and read to and from certain devices.
Add/Modify Copy Limits: Define and change copying quota limits.
Temporary Permissions: Define provisional permissions.
Add Event Notification: Define a message to inform the user of an incident.
Remove: Delete the currently selected permission, device group, computer, or computer group.
Insert Device Group: Add a device-classifying group.
Rename Device Group: Change the name of a device-classifying group.
Insert Computer Group: Add a computer-classifying group.
Rename Computer Group: Change the name of a computer-classifying group.
In the Log Explorer module
Fetch log: Obtain the latest log entries from a client computer.
Table 6: Explorer Menu options

Window menu

The Window menu controls how the panels and windows in the PGP Endpoint Management Console screen are displayed. The window menu items are explained in the following table:
Item Used to
Cascade: Place all open windows in an overlapping arrangement.
Tile: Lay all open windows side by side in a non-overlapping fashion.
Table 7: Window menu options

Help menu

The Help menu is used to access information about the PGP Endpoint Management Console and PGP Endpoint Device Control. The Help menu items are explained in the following table:
Contents: Go directly to the contents tab of the help file.
Search: Look up information in the help file.
Index: Show the help index.
About: Display information about the current version of PGP Endpoint Device Control, for use when contacting PGP technical support staff.
PGP on the Web: Go to the PGP home page, where you can find updated information about all PGP Endpoint products.
PGP Knowledgebase: Go directly to PGP's knowledge database. This includes tips, questions and answers, and how-to articles.
Table 8: Help menu options

Other administrative functions

This section explains the use of other administrative functions.

Setting and changing default options

PGP Endpoint Device Control allows you to set default options for various aspects of the PGP Endpoint Client Driver behavior. You can do this using the Default Options dialog.
You can access the Default Options dialog by selecting Default Options from the Tools menu (or from the Tools section of the Control Panel):
Figure 11: The Default Options dialog
Please refer to Chapter 8: Setting and changing options on page 181 for detailed information.

Synchronizing domain members

If PGP Endpoint Device Control is protecting the computers in a domain, and you wish to synchronize to that domain, then select Synchronize Domain members from the Tools menu (or from the Tools section of the Control Panel). The following dialog appears.
Figure 12: The Synchronizing Domains dialog
To synchronize domain members
1. Type the name of the domain you want to synchronize.
2. Click the OK button.
The list of users and groups held by PGP Endpoint Device Control is updated.
If a machine name is used instead of a domain name, and the machine is a domain controller, this particular domain controller is used for domain synchronization. This can be useful when the replication between the various domain controllers is slow and you cannot wait for the user account information to replicate between all of them.

Synchronizing with Novell eDirectory

If you are using PGP Endpoint Application Control Suite in a Novell environment, you should periodically run the synchronization script. This can be done manually (provided there are not too many changes in your eDirectory structure) or automatically using scheduler software. See PGP Endpoint Quick Setup Guide for more information.

Adding workgroup computers

If PGP Endpoint Device Control is protecting the computers in a workgroup instead of a domain, then there is no domain controller from which you can obtain a list of users. In this case, you need to add the computers in the workgroup individually. To do this, select Synchronize Domain members from the Tools menu (or from the Tools section of the Control Panel). The following dialog appears:
Figure 13: Adding workgroup computers
To add workgroup computers
1. Enter the name of the computer you want to add.
2. Click on Different user name. The following dialog is displayed:
Figure 14: The Connect As dialog
3. Type in the user name and password of the local administrator for the computer you want to add. Make sure you include the computer's name in the user name.
4. Click the OK button twice (to close the corresponding dialogs).
This adds the computer to the database and you can then proceed to assign permissions to its users through the Device Explorer module.
the process of synchronizing a computer with PGP Endpoint Device Control. If the process described above does not make the computer visible to PGP Endpoint Device Control, you should turn off this option and try again to synchronize the computer. To access the Simple File Sharing option, open Windows Explorer on the target machine, select Folder Options on the Tools menu and then go to the View tab. It should be the last option in the list.
You can also synchronize the local users/groups of one or more workstations when a domain is used, in case you want to enforce policies on a local user despite being in a domain.

Performing database maintenance

After you have been using PGP Endpoint for a while, your database will have accumulated a large number of activity logs, scan results, shadow files and key recovery information. Older records take up unnecessary database space and may no longer be needed for your daily operations. If this is the case, you can periodically clean up the database by removing obsolete records.
To delete database records prior to a given date from the database
1. Open the Database Maintenance dialog, accessible from the Tools Database Maintenance menu (or from the Tools section of the Control Panel):
Figure 15: Performing database maintenance
2. Click on the arrow to the right of the date field to select the date from a calendar. The maintenance you can do when using PGP Endpoint Device Control is to delete device log information, audit logs, shadow files (if they exist) and any key recovery information.
3. Click on the OK button to delete the database records written before the chosen date.
Database maintenance operations cannot be undone. If you wish to keep this information for future reference, you should first do a backup using the SQL Server utilities. You also need to make a backup of the data file directory.
You should make sure that there is enough free space on the database server hard disk BEFORE starting database maintenance. If the operation fails because the database engine cannot create the transaction logs, you should perform the maintenance on a shorter period basis.

Defining PGP Endpoint administrators

Before using the program, we recommend that you define the administrators. You can assign different roles for each one of them, but you should have at least one user assigned to the Enterprise Administrator role.
You should be careful not to lock yourself out when modifying these roles.
Local machine users cannot manage the PGP Endpoint Management Console even if they are assigned as Enterprise Administrators. They cannot connect the PGP Endpoint Management Console to the PGP Endpoint Administration Server using such an account.
Since all programs in our suite share the same database, some options you set for the Console users are also enforced for other programs of our suite. For instance, changing a user from the role of Enterprise Administrator to a normal Administrator for PGP Endpoint Device Control also changes his role for PGP Endpoint Application Control Suite.
All members of the local Administrators group on servers running PGP Endpoint Administration Server are PGP Endpoint Administrators and have access to all objects by default.
To change users roles
1. Select Tools > User Access from the menu (or from the Tools section of the Control Panel). This will open the User Access dialog as shown below.
Figure 16: Searching for users
2. Enter a user name in the User Name field.
3. Click on SEARCH to locate the user or group to whom you want to grant administrative rights. You can use wildcards (* or ?) in the name.
Figure 17: Defining the administrators' roles
4. Select the user in the Users list and click on the Access column.
5. Click on the down arrow icon located at the right side of the field to view a menu with all available options.
6. Set a user to Enterprise Administrator to grant him or her the right to connect to the PGP Endpoint Administration Server and manage any object (Users/Groups/Computers/Default Options).

Only Enterprise Administrators can assign other users as Administrators and use the Tools menu. A user set as Administrator can use the console without being able to assign other users as administrators.
If you are delegating administrative rights using Active Directory Organizational Units, the PGP Endpoint Management Console Administrators have the following permissions:
Action: View all permissions.
Type of Administrator: All Administrators.
Comments: ONLY for the users that the administrator is allowed to manage.
Action: Modify global-level permissions.
Type of Administrator: Enterprise Administrators (for ALL accounts, including the WELL-KNOWN accounts). Members of the Manage Device Control Settings role (for ALL accounts, including the WELL-KNOWN accounts).
Comments: -
Action: Modify machine-level permissions.
Type of Administrator: Enterprise Administrators (for ALL accounts, including the WELL-KNOWN accounts). Members of the Manage Device Control Settings role (for ALL accounts, including the WELL-KNOWN accounts).
Comments: ONLY for the machines that the administrator is allowed to manage.
Action: Modify machine-group permissions.
Type of Administrator: Enterprise Administrators. Members of the Manage Device Control Settings role.
Comments: IF AND ONLY IF the administrator is allowed to manage ALL the machines in the machine group, for ALL accounts in BOTH CASES, including the WELL-KNOWN accounts.
Table 9: Administrator's prerogatives
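To make the delegation rules in Table 9 concrete, the following Python is an added model of those checks and is not code from the product: an Enterprise Administrator is unrestricted, an administrator holding the Manage Device Control Settings role may modify a single machine only if that machine is within the scope delegated to them, and may modify a machine group only if every member of the group is within that scope. The class, the machine groups and the administrator accounts are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed machine groups, as they would be defined in the Device Explorer.
MACHINE_GROUPS: Dict[str, Set[str]] = {
    "Lab": {"ws1", "ws2"},
    "Finance": {"ws2", "ws3"},
}

SETTINGS_ROLE = "Manage Device Control Settings"


@dataclass
class ConsoleAdmin:
    """A console administrator and the scope delegated to them through
    Active Directory Organizational Units (assumed representation)."""
    name: str
    enterprise: bool = False                                 # Enterprise Administrator
    roles: Set[str] = field(default_factory=set)             # e.g. {SETTINGS_ROLE}
    managed_users: Set[str] = field(default_factory=set)     # users the admin may manage
    managed_machines: Set[str] = field(default_factory=set)  # machines the admin may manage


def can_view_permissions(admin: ConsoleAdmin, user: str) -> bool:
    """Row 1: every administrator, but only for users in their scope."""
    return admin.enterprise or user in admin.managed_users


def _may_modify(admin: ConsoleAdmin) -> bool:
    """Rows 2 to 4 require an Enterprise Administrator or the settings role."""
    return admin.enterprise or SETTINGS_ROLE in admin.roles


def can_modify_global(admin: ConsoleAdmin) -> bool:
    """Row 2: global-level permissions, for all accounts."""
    return _may_modify(admin)


def can_modify_machine(admin: ConsoleAdmin, machine: str) -> bool:
    """Row 3: only for machines the administrator is allowed to manage."""
    return _may_modify(admin) and (admin.enterprise or machine in admin.managed_machines)


def can_modify_machine_group(admin: ConsoleAdmin, group: str) -> bool:
    """Row 4: if and only if every machine in the group is within the
    administrator's scope. A partial overlap is not enough, otherwise a
    group edit would reach machines that were never delegated to this admin."""
    members = MACHINE_GROUPS[group]
    return _may_modify(admin) and (admin.enterprise or members <= admin.managed_machines)
```

The subset test in the last function is the part worth checking when you delegate: an administrator scoped to the Lab machines can edit the Lab group, but not the Finance group even though one Finance machine is also in the Lab.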
When you define at least one user as Enterprise Administrator, the members of the local Administrators group (the default setting) no longer have access to the PGP Endpoint Administration Server and PGP Endpoint Management Console. Be careful when adding or removing Administrators from the list and ensure that there is always at least one Enterprise Administrator.
PGP Endpoint Management Console administrators' access can be restricted to pre-defined roles by activating the Yes option. These are summarized in the following table (please see also the note after the table):
Option: Settings (Device Control)
Actions available when set to Yes: Change permissions and options for the objects of the Active Directory. Requires write access to these objects.
Comments: Can also see the Media Authorizer module.
Option: Time based settings (Device Control)
Actions available when set to Yes: Set temporary and scheduled permissions. The administrator cannot set standard permissions.
Comments: This option is a sub group of 'Settings (Device Control)'.
Option: Devices (Device Control)
Actions available when set to Yes: Add new devices to the system using the Manage Devices functionality. Organize devices into groups.
Comments: -
Option: Media (Device Control)
Actions available when set to Yes: Encrypt and authorize media, but cannot change permissions in the Device Explorer module.
Comments: Can also see the Media Authorizer module and get more reports (Media by User and Users by Medium). This option is a sub group of 'Settings (Device Control)'.
Option: Audit (Device Control)
Actions available when set to Yes: View and search Audit Logs.
Comments: Can also see the Administrator actions, if you have the appropriate privileges, using the Log Explorer module.
Option: Logs (Device Control)
Actions available when set to Yes: Review central logging and access shadow files.
Comments: Can also see the Log Explorer module and get more reports ('Shadowing by Device' and 'Shadowing by User').
Option: Logs without File Access (Device Control)
Actions available when set to Yes: Same actions as the Logs (Device Control) option, but cannot see the content of a shadow file.
Comments: This option is a sub group of 'Logs (Device Control)'.
Option: Medium Recovery (Device Control)
Actions available when set to Yes: Generate a passphrase used to access an encrypted device when the user has forgotten a decentralized encryption password.
Comments: This is done with a lower security risk when the user is connected to your network, as the PGP Endpoint Client Driver can provide a Security Code containing the public key (whereas Secure Volume Browser cannot).
Option: Temporary Permissions Offline (Device Control)
Actions available when set to Yes: Set temporary permissions for users who are not connected to the PGP Endpoint Administration Server yet require extended access permissions for a short time. The administrator cannot set standard permissions.
Comments: -
Option: Endpoint maintenance
Actions available when set to Yes: Create tickets to update, delete, and install the client.
Comments: See Endpoint Maintenance on page 29.
Option: Scheduled Reports
Actions available when set to Yes: Generate custom reports at pre-scheduled intervals between start and end dates.
Comments: See Schedule tab on page 127.
Option: Synchronize Computer
Actions available when set to Yes: Can synchronize domain or computers (local accounts).
Comments: -
Table 10: Administrator's roles
The Compatible option is a legacy. It only appears for those users updating from previous versions. This option is changed to Yes or No when edited. There are no restrictions for an administrator that has the Compatible mode assigned.

 

Sending updated permissions to client computers

Administrators use the Device Explorer module in the PGP Endpoint Management Console to modify permissions and rules. When a policy changes, the PGP Endpoint Client downloads it at the next event. For example, when the user logs in.
PGP Endpoint Device Control User Guide 4.3.0 37
There are default rights that apply to all Administrators: see the Device Explorer module and get some ‘Reports’ (‘Users Permissions’, ‘Device permissions’, ‘Computer permissions’,
Online Machines, and Options). When selecting the Yes option, you add to this default rights.
You can only change these options for ‘Administrators’. All other user types, are set to No’.
Consult the PGP Endpoint Setup Guide to learn how to set rights to control Organizational Units/ Users/ Computers/ Groups.
Chapter 2: Using the PGP Endpoint Console
However, if the administrator wishes the changes to take effect immediately, they can be transmitted to the affected clients by updating the database using the Application Server. At the same time, the Application Server sends a message to the connected client computers to indicate that the client should contact the Application Server and download the latest permissions rules.
If the permissions are the same, no changes are applied and the existing rules remain intact. If the permissions differ, the client contacts the Application Server and downloads the latest ones.
When the client receives the new set of permissions, the kernel mode driver activates the changes immediately. There is no requirement for the user to reboot or to log off and log back on to their system, except for certain devices; see Table 17.
Use the Send Updates to All Computers or Send Updates to items from the Tools menu (or from the Tools section of the Control Panel) to communicate the changed rules and permissions to the client computers immediately.
You can send permissions updates to computers not connected to the network using a file transfer. See To export and import permission settings on page 84 for more information. Alternatively users can temporarily increase their offline permissions by contacting an administrator and obtaining a passphrase. See To assign temporary permissions to offline users on page 78.

Everyday work

In this section, we present the most common cases encountered in your daily work with PGP Endpoint Device Control. You can find practical tips and advice in the following subsections.

Identifying and organizing users and user groups

Only members of the Domain Administrators or Enterprise Administrators group can create, modify, or delete users and user groups in Windows using the Active Directory Users and Computers Microsoft Management Console snap-in.
To activate the Active Directory Users and Computers snap-in
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers from the Windows desktop.
2. By opening this snap-in console, all users and user groups are automatically published across the network.
Publishing is the act of making an object publicly browsable and accessible. Most objects are automatically published, but you must explicitly publish Windows NT shared printers and computers outside the domain.
Published resources allow users to find and use objects (users, groups, printers, servers, etc.) without knowing their host server. Published resources are seen across subnets. The Computer Management or Active Directory Users and Computers administrative tool is used to publish resources in the Active Directory structure.
When you make changes to a domain, such as adding groups, users, or computers, you must publish them if necessary (as stated above, some of them are published automatically). You should use the Synchronize Domain Members item on the Tools menu (or from the Tools section of the Control Panel) in PGP Endpoint Device Control to refresh the device, user, and group information before modifying permissions and rules. This is especially true if you are not the only member of the Administration group. On a Novell network, you should use the synchronization script described in the PGP Endpoint Setup Guide.

Identifying the devices to be managed

When first installing PGP Endpoint Device Control, all devices belonging to the standard Windows classes are identified and filled in with the default permissions and rules. However, if you add new devices to a computer, or an independent computer that forms part of a subnet and is not included in the Active Directory structure, some of the devices will not be accessible since the most restrictive policy applies. Please see Table 16 on page 50 and Table 17 on page 51 for details.
If this policy suits your needs, you do not have to take any action. If you want to change the rules and permissions for a specific computer or a specific model of device, you first need to publish it (see previous section) or add the devices. To add new devices from a specific computer, do one of the following:
> If you are in the Device Explorer module, select the Explorer > Manage Devices item from the menu to open the Manage Devices dialog.
> While in the Device Explorer module, right-click on the Default Settings header in the Device Explorer window and select the Manage Devices item.
> From the Log Explorer, right-click on a Device Attached entry.
See Managing devices on page 95 for more details. You should only add the models of devices that will receive specific permissions. If you only want to set permissions at the class level, you do not need to add specific device models. Do not add devices if you are not going to define access permissions for them.

Working with the PGP Endpoint systems pre-defined device classes

Once you install the program, the standard Windows device classes are created:
> Biometric Devices
> COM/Serial Ports
> DVD/CD Drives
> Floppy Disk Drives
> Imaging Devices
> LPT/Parallel Ports
> Modem/Secondary Network Access Devices
> Palm Handheld Devices
> Printers (USB/Bluetooth)
> PS/2 Ports
> Removable Storage Devices
> RIM BlackBerry Handhelds
> Smart Card Readers
> Tape Drives
> User Defined Devices
> Windows CE Handheld Devices
> Wireless NICs
Table 11: Standard Windows device classes as seen on the Device Explorer module in the Default Settings section
These classes are given access rights according to Table 16 on page 50. You DO NOT have to do anything else if you are satisfied with this or if a new device is connected to a computer. The most restrictive access rules already apply for new devices and they will have no access whatsoever (except for PS/2, WiFi, and IrDA).
If you need to adapt permission rules for certain users or groups, you just right-click and select the type of permission you want to add. Depending on the device type, you can add:
> Read or Read/Write permissions. See Read/Write permissions on page 72 for more information.
> Enforced encryption for removable storage devices. Define permissions so that users are forced to encrypt all removable storage devices plugged into their computers. See Forcing users to encrypt removable storage devices on page 90.
> Online/Offline permissions. See To assign online and offline permissions on page 82 for more information.
> Scheduled permissions. See To assign scheduled permissions to users and groups on page 75 for more information.
> Temporary permissions. See To assign temporary permissions to users on page 77 for more information.
> Temporary permissions for offline users. See To assign temporary permissions to offline users on page 78 for more information.
> Shadow. See Shadowing devices on page 85 for more information.
> Copy limit. See Copy limit on page 87 for more information.

When upgrading from older versions of PGP Endpoint it is possible that some wireless cards appear in the Modem/Secondary Network Access Devices device class rather than in the Wireless NICs class. To correct this, simply delete the wireless card from the Modem/Secondary Network Access Devices device class and add it again using the Device Explorer's Explorer > Manage Devices menu option.

Adding your own, user-defined devices to the system

Permission rules for all other devices that do not fall into the normal categories, such as iPaq, Qtec, HTC, or webcams, are defined in the User Defined Devices class. Imagine that a user connects a webcam to a computer, a webcam that needs no special drivers to be identified and to work. In an unprotected environment, the user can immediately begin recording and sending potentially illegal images over email or another medium. Since this webcam is not included in the other device classes, the policies defined here, if any, control the access behavior of this device. The user is forced to ask for special permissions in order to use the device, since no rule has been defined and the most restrictive policy applies: no access at all.
On the other hand, if you need to administrate an uncategorized device connected to a computer, you can do so by adding it to the list of the managed devices that appear in the Default Settings section of the Device Explorer module. Please refer to Managing devices on page 95 for more details.
You can add specific models to all the base device classes located on the Default Setting section of the Device Explorer module with exception of Wireless NICs and PS/2 Ports, since they already form part of the standard device classes you find there.
You can also define permissions at the device class level (the nodes of the Default Settings tree shown in the Device Explorer module), computer level (the nodes of the Machine-Specific Settings tree shown in the Device Explorer module) and even at deeper levels (Computer Groups or Device Groups). The final permission that applies depends on the user and priority settings.

Identifying specific, unique, removable devices

Administrators have the option to manage device permissions at different levels depending on the company's needs:

Table 12: Managing unique individual removable devices (Level; what the permissions apply to; example)

Base class
Applies to: All devices classified in that class, including groups, models, and specific devices.
Example: A temporary permission defined for the Removable Storage Devices class.

Device Group: a group defined in the base class (only available for some classes) and used as an aid to rearrange your devices into logical clusters.
Applies to: All devices included in that precise group (see Organizing devices into logical groups on page 41 for an explanation).
Example: A read permission created for a device group named Marketing USB keys, defined in the base class Removable Storage Devices.

Device model: a specific device model included in the class itself or in a group.
Applies to: All devices belonging to the same, exclusive, model.
Example: Offline permissions for the device model Sony Storage Media USB Device.

Unique device: a precise, individual device identified by its serial number.
Applies to: That specific device.
Example: Online permissions for a user device with serial # 4ed552fd755cefd3f1db4de291e16aeaacb9d177.

The Vendor ID (VID), Product ID (PID), and serial number are obtained from the standard Device Descriptor that every USB device must support. Some cheap devices do not comply with the USB standards and do not have unique numbers. Others do not comply with the rules because all devices produced in a single batch carry the same 'unique' serial number.

The following image shows this four level structure:
Figure 18: The four level removable device class structure

As an example of the permission structure depicted in Table 12 (page 40), consider the following model:
Figure 19: The four level removable device class structure with permission examples

As you can see, at the last level of the Marketing USB Devices hierarchy there is a unique serialized device. Defining permissions for a unique, serialized USB key allows you to deny or allow a user or group the right to use this device.
To insert a device model:
1. Attach the user's device to a computer that has the PGP Endpoint client installed.
2. Activate the Device Explorer module by clicking the icon located on the Modules section of the Control Panel in the main window.
3. Use the Explorer > Manage Devices item from the menu.
4. Click the ADD NEW button.
5. Enter the name of the computer where the device is attached or search for it using the ellipsis button.
6. Click the GET DEVICES button.
7. Select the device model from the list.
8. Click the ADD DEVICES button.
To insert a specific, unique, device or a device model:
1. Activate the Log Explorer module by clicking on the icon located on the Modules section of the Control Panel in the main window.
2. Search for the attached device in the list using the filters, templates, or by manually traversing the list. Once the entry is located, right-click on it and select Manage Devices from the popup menu. You can also use the ADD DEVICES button located at the lower right corner of the Log Explorer window. See a detailed description in Chapter 5: Using the Log Explorer on page 101.
3. Follow steps 4 to 8 of the 1st method.

Organizing devices into logical groups

Sometimes you want to organize your devices in logical units within a device class and assign them special permissions (rules, notifications, etc.). For example, you can do the following:
1. Create a new Device Group in the DVD/CD Drives class on the Default Settings section of the Device Explorer module
2. Label this freshly created device group with the name of your preference
3. Add comments
4. Place here all your double-sided high-capacity DVD burners
5. Create an Offline permission rule and, finally,
6. Create an Online permission rule
This classification is not strictly necessary, but it helps you visualize and organize your permissions and rules more effectively.
Not all device classes accept this organization. Please refer to Device Groups on page 57 for more information.

Identifying specific computers to be managed

Sometimes you require special rules for specific computers. In this case, you can add them directly on the Machine-Specific Settings section of the Device Explorer module. All computers that are added go directly to their Workgroup or Domain tree structure. From there, you can proceed to define all needed rules or organize them in computer groups like those shown in the following image:
Figure 20: Computers and computer groups
Here we add a new group in the Workgroup section, rename it Marketing, add a comment (Special rules), and then proceed to add computers to this group and change the permission rules (expanding the Group Settings tree and modifying the rules for each device class). Be aware that if there are conflicting rules in the Default Settings and in the Machine-Specific Settings sections, they apply depending on the priority selected. Please refer to Priority options when defining permissions on page 98 for further details.

Defining different types of permissions

You will normally ask yourself what kind of permissions you can define for a device class. Take for example the Floppy Disk Drives class: PGP Endpoint Device Control offers the best of both worlds, total control and flexibility, when the time comes to assign multiple permissions to access devices. For this specific example, you can add independent Read, Read/Write, Online, Offline, Schedule, Temporary, Copy Limit, and Shadow rules and permissions: define only one or a combination of them at the same time (this depends on the device class, as specified in Table 13 found on page 43).
To extend our example further, let us consider a user called Emily who works in the Sales Department and who has a Floppy Disk Drive on her company's laptop:
> She has Read/Write permission for this device.
> She can use the floppy only when connected to the network (online permissions).
> She can only use the device from 8 A.M. to 5 P.M., Monday to Friday (scheduled permissions).
> We want to know what she writes to the floppy. Not only do we need the name of the file, but also the content.
> To limit her a bit, we only allow her to copy a maximum of 5 MB per day.
All this is done using the Device Explorer module and defining the corresponding permission rules:
> Permissions: read/write access.
> Online Permissions: read/write access.
> Offline Permissions: no access.
> Schedule permissions: define the days (Monday to Friday) and timeframe (from 8 A.M. to 5 P.M.).
> Shadow rule: enable it in the Write Permissions panel.
> Copy Limit rule: define 5 MB.
We can constrain her behavior even further by adding, as needed, event notifications, encryption, file filtering, etc.
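As an added worked example (not code from the PGP Endpoint product or from this guide), the following Python script models Emily's floppy rules as data and evaluates read and write requests against them, showing which of the independent rule types blocks a given request. The evaluation order (standard permission, then the online or offline permission matching the connection state, then the schedule, then the copy limit, which counts writes only) and every name in the script are assumptions chosen for illustration, not the product's documented algorithm; the timestamps and byte counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed example (not PGP Endpoint code): one user's rule set for one
# device class, with fields named after the Device Explorer rule types.
@dataclass(frozen=True)
class ClassRules:
    read: bool                 # standard Permissions
    write: bool
    online_read: bool          # Online Permissions (client can reach the server)
    online_write: bool
    offline_read: bool         # Offline Permissions
    offline_write: bool
    schedule_days: frozenset   # weekday numbers, Monday == 0
    schedule_start: time
    schedule_end: time
    copy_limit_bytes: int      # Copy Limit per day, 0 == unlimited
    shadow_writes: bool        # Shadow enabled in the Write Permissions panel


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    shadow: bool = False       # True when the written content must be copied to the server


def evaluate(rules: ClassRules, op: str, when: datetime, online: bool,
             bytes_written_today: int, size: int = 0) -> Decision:
    """Evaluate one read or write request against the rule set.

    Assumed evaluation order (illustrative, not the product's documented
    algorithm): standard permission, then the online/offline permission that
    matches the connection state, then the schedule, then the copy limit,
    which applies only to writes.
    """
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    writing = op == "write"

    if not (rules.write if writing else rules.read):
        return Decision(False, f"no {op} permission")

    if online:
        state_ok = rules.online_write if writing else rules.online_read
    else:
        state_ok = rules.offline_write if writing else rules.offline_read
    if not state_ok:
        return Decision(False, f"no {op} permission while {'online' if online else 'offline'}")

    in_schedule = (when.weekday() in rules.schedule_days
                   and rules.schedule_start <= when.time() < rules.schedule_end)
    if not in_schedule:
        return Decision(False, "outside scheduled time window")

    if writing and rules.copy_limit_bytes and bytes_written_today + size > rules.copy_limit_bytes:
        return Decision(False, "daily copy limit exceeded")

    return Decision(True, "allowed", shadow=writing and rules.shadow_writes)


# Emily's floppy drive rules, exactly as listed in the text.
EMILY_FLOPPY = ClassRules(
    read=True, write=True,
    online_read=True, online_write=True,
    offline_read=False, offline_write=False,
    schedule_days=frozenset(range(5)),          # Monday to Friday
    schedule_start=time(8, 0), schedule_end=time(17, 0),
    copy_limit_bytes=5 * 1024 * 1024,           # 5 MB per day
    shadow_writes=True,
)

MB = 1024 * 1024
TUESDAY_10AM = datetime(2024, 6, 11, 10, 0)    # constructed timestamp, a Tuesday
SATURDAY_10AM = datetime(2024, 6, 15, 10, 0)   # constructed timestamp, a Saturday
TUESDAY_6PM = datetime(2024, 6, 11, 18, 0)

if __name__ == "__main__":
    for label, d in [
        ("online write, 1 MB", evaluate(EMILY_FLOPPY, "write", TUESDAY_10AM, True, 0, MB)),
        ("offline write", evaluate(EMILY_FLOPPY, "write", TUESDAY_10AM, False, 0, MB)),
        ("saturday read", evaluate(EMILY_FLOPPY, "read", SATURDAY_10AM, True, 0)),
        ("after hours read", evaluate(EMILY_FLOPPY, "read", TUESDAY_6PM, True, 0)),
        ("write past limit", evaluate(EMILY_FLOPPY, "write", TUESDAY_10AM, True, 4 * MB, 2 * MB)),
        ("read past limit", evaluate(EMILY_FLOPPY, "read", TUESDAY_10AM, True, 4 * MB)),
    ]:
        print(f"{label:20s} allowed={d.allowed!s:5} shadow={d.shadow!s:5} {d.reason}")
```

The last two cases show why the copy limit and the shadow flag belong to the write path only: a read at 4 MB of daily usage is still allowed and produces no shadow copy, while a 2 MB write at the same point is refused before any data reaches the floppy.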
The following table summarizes the types of simultaneous permissions you can define in the Device Explorer module, by Windows standard device class:

Table 13: Simultaneous permission definitions for all Windows standard device classes in the Device Explorer module (the per-class check marks of the original table did not survive extraction; the classes covered and the column legend are kept)
Classes covered: Biometric devices; COM/Serial ports; DVD/CD drives; Floppy disk drives; Imaging devices; LPT/Parallel ports; Modem/Secondary Network Access Devices; Palm handheld devices; Printers (USB/Bluetooth); PS/2 Ports; Removable storage devices; RIM BlackBerry handhelds; Smart Card Readers; Tape drives; User defined devices; Windows CE handheld devices; Wireless NICs.
Columns, repeated for each of the two sections of the Device Explorer module (Default Settings and Machine-Specific Settings): P=Permissions*; ON=Online permissions; OF=Offline Permissions; SC=Schedule; TP=Temporary Permissions; SH=Shadow; CL=Copy limit.
* Permissions can include one or several of the following: file filters, encryption, decryption, drive & bus type, export & import key file.

Encrypting removable media & authorizing specific DVDs/CDs

If you deal with media containing sensitive data that is moved between computers or leaves the company premises, you should consider encrypting it. If the medium is lost or stolen, the intruder must defeat several layers of protection before gaining access to the actual data. The encryption process alters the data in such a way that it is useless to anyone who does not have the correct password and deciphering information.
The first step in this process consists in activating the Media Authorizer module and using the ADD REMOVABLE button to centrally encrypt a removable medium.
Once the procedure is finished and the associated users are defined, access to the device is completely transparent for the user(s). Among the encryption options, you can find our Easy Exchange method, which formats and ciphers the media so that the user can use it on another computer without the need to install software and without being an administrator.
 You cannot associate User groups with encrypted removable media.
You can also authorize the use of specific media in your company. You can precisely determine which DVDs/CDs are allowed in your organization. For example, you can allow the use of a data warehouse DVD or authorize the use of music CDs to certain users or groups. Once the media is encrypted in the PGP Endpoint Database, ‘malicious’ users that may want to add other kind of information to the CD or DVD – for example, by duplicating it and then including programs, images, music, or other kind of info – are unable to do so since the media does not correspond to what was initially encrypted and registered. The result is that the user can no longer access the DVD/CD.
You can also consider using DVD/CD encryption as defined in Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data on page 201.

Forcing users to encrypt removable media

As an alternative to centrally controlling all removable media management, the administrator can opt for a distributed scheme. In this scenario, users who plug removable media into their computers are forced to encrypt them before they can be used. This is controlled by defining a simple permission for the Removable Storage Devices class located in the Device Explorer module. An administrator can force the encryption of a hard disk, memory stick, or any other device recognized as removable storage (depending on their respective drivers: cameras, phones, etc.). See Decentralized encryption on page 175.
Data recorded on a removable storage device before it is encrypted can still be read following encryption; forced encryption protects only what is written afterwards.

Practical setup examples

You can see different common uses of PGP Endpoint Device Control in this section. For example, you can learn how to:
> Control device use and installation.
> Restrict the use of games, MP3 players, video players, etc.
> Enforce compliance with internal security policies and external regulations.

DVD/CD burner permissions assignments

We illustrate here with a simple example how PGP Endpoint Device Control blocks device use with no action on your part. In this first example, an employee, let us call him Bob, who has no permission to use a DVD/CD writer assigned to him or to the groups he belongs to, brings a USB DVD burner to work and wants to use it by connecting it directly to his computer. In a standard situation, he could immediately begin burning DVDs with all kinds of data, even your confidential information. PGP Endpoint Device Control blocks and denies this kind of access. He now has to ask the administrator for this permission. The administrator has several choices:
> He can grant Bob access to the DVD by making him a member of an Active Directory group that has received access to the device class (DVD/CD drives, in this case). To do this, he only changes the domain group membership using the Microsoft Management Console (MMC); no modification to the PGP Endpoint permission rules is required.
> If a computer group exists (a one-click operation to create using PGP Endpoint) and access to DVD/CD drives has been defined for it, the administrator can move Bob's computer into this group. His machine automatically receives the permissions that apply to the existing computer group.
> Assign Bob the necessary permissions (temporary, scheduled, or permanent ones).
> Grant Bob Read & Write access on the DVD burner.
> Give permissions for using the device, except during working hours.
> Allow access to the device only when the computer is offline (or online).
> Decide that Bob can only use specific DVD/CD media.
> Allow Bob to read but not to write data.
> Give Read/Write permissions but store the contents (shadow) of the copied/read files to control what has been done.
> The administrator can decide to do NOTHING. Bob has no right to use the DVD/CD burner and it should stay that way.
As you can see from this simple example, the possibilities are flexible enough to adapt to almost every imaginable situation.

Removable permissions assignments

For our second example, we consider another real-life case: rather than granting permissions to all removable media in exactly the same way, you may want to allow access only to a specific company-approved model. For example, if the corporate standard USB memory stick is a SanDisk 2GB, it is possible to define it in PGP Endpoint Device Control and assign group or user permissions to that specific model. Access is denied to any other type of removable media connected. In this way, it is possible to build up a white list of corporate-approved devices and deny everything else. Permissions for a newly defined device can be assigned without having to log off/log on.

You can go a step further by managing unique user devices identified by their exclusive serial number. This way, your control boils down to a specific device.
You can apply device class permissions and device type permissions at the same time.
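Bringing together Table 12 (VID, PID and serial number taken from the USB device descriptor) and the white-list approach just described, here is an added Python example, not PGP Endpoint code, that parses the 18-byte standard USB device descriptor for idVendor, idProduct and the iSerialNumber string index, then decides access at the unique-device or model level with the class default of no access. The VID/PID values, the serial strings, the string-descriptor table and the rule that a serial shared by several devices of one batch (or a missing serial) cannot grant device-level access are constructed assumptions for the example.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Standard USB device descriptor: 18 bytes, little-endian fields in the order
# fixed by the USB specification (bLength ... bNumConfigurations).
_DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")


@dataclass(frozen=True)
class UsbIdentity:
    vid: int
    pid: int
    serial: Optional[str]      # None when the device reports no serial string


def parse_device_descriptor(desc: bytes, string_table: dict) -> UsbIdentity:
    """Extract VID, PID and serial from a raw device descriptor.

    string_table maps string-descriptor indexes to the decoded strings the
    host would fetch separately; index 0 means 'no string'.
    """
    if len(desc) < _DEVICE_DESCRIPTOR.size:
        raise ValueError("descriptor too short")
    (b_length, b_type, _bcd_usb, _cls, _sub, _proto, _mps0,
     id_vendor, id_product, _bcd_dev, _i_mfr, _i_prod, i_serial,
     _n_cfg) = _DEVICE_DESCRIPTOR.unpack(desc[:_DEVICE_DESCRIPTOR.size])
    if b_length != 18 or b_type != 1:
        raise ValueError("not a device descriptor")
    serial = string_table.get(i_serial) if i_serial else None
    return UsbIdentity(id_vendor, id_product, serial)


@dataclass(frozen=True)
class RemovableWhitelist:
    """Permissions at the model and unique-device levels; the class default is deny."""
    models: frozenset          # {(vid, pid)} approved models
    devices: frozenset         # {(vid, pid, serial)} approved individual devices


def unreliable_serials(inventory) -> set:
    """(vid, pid, serial) keys shared by more than one device of the same model,
    e.g. a batch that reused one 'unique' serial; never trust them for device-level rules."""
    counts = Counter((d.vid, d.pid, d.serial) for d in inventory if d.serial)
    return {key for key, n in counts.items() if n > 1}


def decide(dev: UsbIdentity, wl: RemovableWhitelist, bad_serials: set) -> tuple:
    """Return (allowed, level). The most specific applicable level is reported;
    anything not listed falls back to the class default of no access."""
    key = (dev.vid, dev.pid, dev.serial)
    if dev.serial and key not in bad_serials and key in wl.devices:
        return True, "device"
    if (dev.vid, dev.pid) in wl.models:
        return True, "model"
    return False, "class default (no access)"


def make_descriptor(vid: int, pid: int, i_serial: int) -> bytes:
    """Build a constructed 18-byte descriptor for the samples below."""
    return _DEVICE_DESCRIPTOR.pack(18, 1, 0x0200, 0, 0, 0, 64,
                                   vid, pid, 0x0100, 1, 2, i_serial, 1)


# Constructed sample data: VID/PID values are placeholders, not a real product list.
CORPORATE_STICK = (0x0781, 0x5567)
WHITELIST = RemovableWhitelist(
    models=frozenset({CORPORATE_STICK}),
    devices=frozenset({
        (0x1234, 0x0001, "4ED552FD"),   # one serialized device from another vendor
        (0x5555, 0x0003, "0001"),       # a device whose serial turns out to be batch-shared
    }),
)
SAMPLES = [
    parse_device_descriptor(make_descriptor(0x0781, 0x5567, 3), {3: "AA11BB22"}),   # approved model
    parse_device_descriptor(make_descriptor(0x1234, 0x0001, 3), {3: "4ED552FD"}),   # approved unique device
    parse_device_descriptor(make_descriptor(0x1234, 0x0001, 3), {3: "CC33DD44"}),   # same model, other serial
    parse_device_descriptor(make_descriptor(0x5555, 0x0002, 0), {}),                # cheap stick, no serial
    parse_device_descriptor(make_descriptor(0x5555, 0x0003, 3), {3: "0001"}),       # batch-duplicated serial
    parse_device_descriptor(make_descriptor(0x5555, 0x0003, 3), {3: "0001"}),
]
BAD_SERIALS = unreliable_serials(SAMPLES)

if __name__ == "__main__":
    for dev in SAMPLES:
        allowed, level = decide(dev, WHITELIST, BAD_SERIALS)
        print(f"{dev.vid:04x}:{dev.pid:04x} serial={dev.serial!s:10} -> {allowed} ({level})")
```

The two 0x5555:0x0003 sticks illustrate the caveat from Table 12: both present serial "0001", so a device-level permission keyed on that serial would admit every unit of the batch, and the example therefore refuses to honour it and falls through to the (absent) model-level rule. A practitioner building a real white list should run the same duplicate check over the Log Explorer's attached-device records before granting permissions by serial.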

Assigning permissions to groups instead of users

When you begin to use PGP Endpoint Device Control, you are probably tempted to traverse the Device Explorer module assigning permissions to individual users for different classes and devices as you go.
Although this is practical while the number of assigned permissions is small and while you get accustomed to the inner workings of the program, it quickly becomes unmanageable as the deployment grows and you control more and more users and devices in your organization. You would have the double task of maintaining Windows users and their possible PGP Endpoint Device Control assignments.
A more pragmatic approach is to invest more time in the design phase, deciding beforehand which devices and classes should be restricted. The object of this exercise is to define Windows groups to control device access. Once this is determined, define a naming convention, the actual groups, and all necessary group nesting so that it meets your business requirements. Aim to create the fewest possible groups. This design phase pays off because you can define Windows user groups precisely and then grant permissions to these groups instead of assigning them directly to specific users. Each user should then be a member of one or more of these previously defined groups.
As soon as your groups are determined, you can define permissions for them in PGP Endpoint Device Control. You get the distinct advantage of controlling device access by assigning permissions directly to one or more specific Windows groups. You can also use these same groups for all kinds of housekeeping (Windows public folder and mailbox permissions, for example).
By defining a small number of user groups in your domain, granting those groups permissions, and then assigning users to groups, you manage a small number of groups instead of a large number of users.
Another benefit of this approach is that you keep user management where it belongs: in your directory structure (Windows Active Directory or Novell's eDirectory).
Table 14: Best practice when assigning permissions to users and user groups

To do:
> Invest time in the design phase deciding device use policies.
> Define Windows user groups to control device access.
> Define a naming convention.
> Create the fewest possible groups.
> Assign, when possible, permissions to groups instead of to users.

To avoid:
> Jump in and begin assigning permissions indiscriminately to individual users.
> Use no naming convention at all for your user groups.
> Create user groups as needed, with no planning or order.

As a possible naming convention, you can use the following two examples:
> Group names based on the device classes, e.g. SDC_Floppy_Grp.
> Group names based on the access profile, e.g. SDC_Standard or SDC_Laptop.

Shadowing notes

Shadowing, that is, creating copies of the data transferred to or from removable devices, gives you a clear advantage when deciding who has to be controlled more closely. As you have complete control of the copied (read) data or the file names, you can quickly decide on corrective or preventive actions or limit access to certain groups or users.
Although this is a very powerful feature, it should be used with care. The hard disk drive assigned to contain the data file directory should be large enough to receive all copied data. This can amount to several megabytes, or rather gigabytes, very quickly, not to mention possible network saturation when using slow lines. A judicious compromise between receiving all data or just the file name should be made. As there is no rule of thumb here, a case-by-case analysis of each organization's needs is required.


You have to be careful with permission priority conflicts when defining shadowing rules. Write and read shadow permissions follow this priority:

Table 15: Shadow permissions priorities (Permission; priority order)
Disabled: highest
Enabled: intermediate
Filename: lowest

For example, let us say that you define shadow permissions for the same user and the same device class, one at the Default Settings node stating a Disabled write shadow permission and another one for a specific machine at the Machine-Specific Settings node defining an Enabled write shadow permission. The prevailing one will be Disabled, which has the higher priority. Remember this simple convention to avoid surprises when defining otherwise conflicting shadowing rules.

Since secondary hard disks are considered removable devices, you should consider the shadowing repercussions described in the previous paragraph when applying a general rule to the Removable Storage Devices class.

Even if you control the shadow upload frequency, shadowed files are not sent to the PGP Endpoint Administration Server while the device is still connected unless explicitly requested by a PGP Endpoint administrator. This is done so that the device is not unmounted and mounted repeatedly by the client, leading to severe operation disruption (while copying or reading data, a possible format or encryption process, etc.).
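As an added illustration of Table 15 (not the product's own code), the Python below models shadow rules defined at the Default Settings, computer-group and Machine-Specific Settings levels and picks the rule that prevails for a given computer and direction by the Disabled over Enabled over Filename order. The scope kinds, the computer-group membership map and the rule data are assumptions constructed for the example; in particular, whether computer-group rules sit between the two documented levels is an assumption, the priority order itself is the table's.

```python
from dataclasses import dataclass
from typing import Optional

# Table 15 order: a Disabled rule beats an Enabled rule, which beats a
# Filename-only rule. The lowest rank wins.
SHADOW_PRIORITY = {"disabled": 0, "enabled": 1, "filename": 2}


@dataclass(frozen=True)
class ShadowRule:
    scope: tuple       # ("default",), ("group", "<computer group>") or ("machine", "<computer>")
    direction: str     # "read" or "write"
    mode: str          # key of SHADOW_PRIORITY


def applies_to(rule: ShadowRule, machine: str, groups_of: dict) -> bool:
    """Does a rule's scope cover this computer? Default Settings cover every
    computer; a computer-group rule covers its members; a Machine-Specific
    rule covers that one computer."""
    kind = rule.scope[0]
    if kind == "default":
        return True
    if kind == "group":
        return rule.scope[1] in groups_of.get(machine, ())
    if kind == "machine":
        return rule.scope[1] == machine
    raise ValueError(f"unknown scope {rule.scope!r}")


def effective_shadow(rules, machine: str, direction: str,
                     groups_of: dict) -> Optional[ShadowRule]:
    """Resolve conflicting shadow rules for one direction on one computer:
    among all applicable rules, the one with the highest Table 15 priority wins."""
    candidates = [r for r in rules
                  if r.direction == direction and applies_to(r, machine, groups_of)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: SHADOW_PRIORITY[r.mode])


# Constructed rule set for one user and the Removable Storage Devices class.
RULES = [
    ShadowRule(("default",), "write", "disabled"),            # the text's example: Disabled at Default Settings
    ShadowRule(("machine", "LAPTOP01"), "write", "enabled"),  # ... and Enabled on one machine
    ShadowRule(("default",), "read", "filename"),
    ShadowRule(("group", "Marketing"), "read", "enabled"),
]
GROUPS_OF = {"LAPTOP01": ("Marketing",), "DESK07": ()}       # constructed membership

if __name__ == "__main__":
    for machine in GROUPS_OF:
        for direction in ("write", "read"):
            r = effective_shadow(RULES, machine, direction, GROUPS_OF)
            print(f"{machine} {direction}: {r.mode} (from {r.scope})")
```

On LAPTOP01 the write rule resolves to Disabled even though the machine-specific entry says Enabled, which is the surprise the text warns about; the read rule resolves to Enabled because the group rule outranks the default Filename rule, while DESK07, a member of no group, keeps Filename.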
Part II: PGP Endpoint Device Control modules and functions

Chapter 3: Using the Device Explorer

PGP Endpoint Device Control's Device Explorer module allows you to assign permissions to users and groups to use any kind of I/O device available in your network. You can also use the Device Explorer to set up and maintain device types.
Using the Device Explorer module, you can define the rules and permissions that determine which devices users and groups can use. Users (or groups of users) can gain access to I/O devices as long as they have the appropriate permissions to do so.
You can access the Device Explorer module by clicking the icon located on the Modules section of the Control Panel in the main window.
Figure 21: Device Explorer main window

When you make changes to a domain, such as adding groups, users or computers, you must use the Synchronize Domain Members item on the Tools menu (or from the Tools section of the Control Panel) to refresh the content of the database. If you want to synchronize Novell's objects, you should use the Synchronization Script instead of this command. See the PGP Endpoint Setup Guide for instructions on how to do this.
If the Settings (Device Control) access of the PGP Endpoint Management Console Administrator User Access is set to No, the administrator has limited access. See Table 9 and Table 10 on pages 36 & 37.
In some cases you must use the Send Updates to All Computers or Send Updates To option on the Tools menu (or from the Tools section of the Control Panel) or the right-click (context) menu of a specific computer to be sure all modifications take effect immediately.
The Device Explorer module allows you to decide who can access I/O devices on the network. For instance, you might want to do the following:
> Grant read-only access to the DVD/CD-ROM to all members of the group Domain Users.
> Make a floppy disk drive read-only for everyone.
> Explicitly deny access to a specific user. You simply need to select a user and leave the Read and Write checkboxes unchecked. This might be appropriate to permit a user access to the floppy drive in normal circumstances, but deny it on a specific machine containing sensitive data.
> Grant read/write access to the DVD/CD-ROM for all members of group Marketing from 9h00 to 17h00, Monday to Friday – after 17h00 access is denied. This is called scheduled permission.
> Add a temporary permission for a group/user to use a particular device.
> Deny access to a device when a user is online but allow it when offline (or vice versa).
> Copy (shadow) all data written to, or read from, a device for a specific computer or user.
> Limit the quota of data written to a device for a user or group.
> Create an Event Notification rule that informs the user when someone is trying to gain access to an otherwise unauthorized device.
> Force a user or user group to encrypt a decentralized removable storage device.

How does the Device Explorer work

When you first install the software, all permissions have their default settings (see the following Table 16). The main task you carry out using PGP Endpoint Device Control is to assign the proper permissions to each user/group/computer as needed.
You can do this using the two available parts of the tree shown on the right panel of the Device Explorer module:
Figure 22: The Device Explorer module two main sections
> Default Settings contains the permissions that apply to every machine. You can modify all authorizations used as general settings for the computers in your network. Take into account that not all combinations of users/groups are valid for every device listed in this section. Please refer to the table in the Restricted and unrestricted devices section on page 51 for a complete description of the different kinds of groups/users that you can add to a device. If one of your computers has a specific device not listed in this section, you can add it using the Manage Devices dialog as described in the Managing devices section on page 95.
> Machine-Specific Settings contains specific permissions granted to users/groups that apply to a specific computer or group of computers. These sets of rules combine with those located in the Default Settings section as defined in Table 28. Here you can also add a computer group to reorganize some computers in a logical way that lets you define special permissions for them. For instance, you can add a new computer group called Special scheduled access that includes some computers that only have restricted access to their floppy disk drive during working hours (from 8:00 A.M. to 5:00 P.M.).
Device | Permissions | Shadow | Copy limit
COM/serial port | Disable | |
DVD/CD drives | Disable | |
Floppy disk drive | Disable | |
LPT/Parallel port | Disable | |
Modem/Secondary Network Access Devices | Disable | |
PS/2 port (normally the keyboard and mouse) | Read/Write with Low priority | |
Removable Storage Devices | Disable | | No limit
Wireless Network Interface Cards | Read/Write with High priority | |
Table 16: Default settings following installation (these apply to Everyone)

Do not block the PS/2 port unless you only use USB keyboards.

If you are using a Wireless NIC as the only network card in some clients and you change its permissions to None (leaving the Read and Write checkboxes empty) for Everyone, you will have no way to send updates to the locked-out users unless you do so by exporting permissions, and you must reinstall the client.

Restricted and unrestricted devices

By the nature of the drivers designed by Microsoft, or the manufacturer of each device known to Windows, there can be some restrictions when assigning permissions to those devices.
The following table shows the possible assignments, for each class of device:
Device class | Allowed permissions | Applies to | Notes
Biometric devices | Read-Write/None; Select bus type | Only to Local System or Everyone | Device re-plug might be required to grant access for an already blocked device.
COM/Serial ports | Read-Write/None; Select bus type | Any user or group | -
DVD/CD drives | Read only/Read-Write/None; Select bus type | Any user or group | -
Floppy disk drives | Read only/Read-Write/None; Select bus type | Any user or group | -
Imaging devices (such as scanners) | Read-Write/None; Select bus type | Any user or group | -
LPT/Parallel ports | Read only/Read-Write/None; Select bus type | Any user or group | -
Modem/Secondary Network Access Devices (regular modems) | Read-Write/None; Select bus type | Any user or group | Device re-plug or reboot required to enforce updated permissions.
Modem/Secondary Network Access Devices (ISDN modems or network adapters) | Read-Write/None; Select bus type | Only the Everyone group | Device re-plug or reboot required to enforce updated permissions.
Palm handheld devices | Read-Write/None; Select bus type | Any user or group | -
Printers (USB/Bluetooth) | Read-Write/None | Any user or group | -
PS/2 Ports | Read-Write/None | Only to Local System or Everyone | Reboot required to enforce updated permissions.
Removable storage devices | Read only/Read-Write/None; Encrypt, Decrypt, Export, Import; Select bus and drive type | Any user or group | -
RIM BlackBerry handhelds | Read-Write/None | Any user or group | -
Smart Card Readers | Read-Write/None; Select bus type | Only Local System or Everyone | A device re-plug or machine restart might be required to grant access for an already blocked device.
Tape drives | Read-Write/None; Select bus type | Any user or group | Some backup units do not use the Microsoft supplied drivers and cannot be controlled by PGP Endpoint Device Control.
User Defined Devices | Read-Write/None | Any user or group | -
Windows CE handheld devices | Read-Write/None | Any user or group | -
Wireless NICs | Read-Write/None | Only to the Everyone group | -
Table 17: Possible assignments by device
It is important to distinguish between the absence of permission and a negative permission (None, the most restrictive access). In the latter case, when you create a permission for which neither the Read nor the Write flag is selected, you deny the user access to the device even if they are indirectly authorized to use it. You specifically deny that user access to the device.
The File Filtering dialog is only available for the DVD/CD Drives, Floppy Disk Drives, and Removable Storage Devices classes.

Optimizing the way you use the Device Explorer

This section explains how to use your mouse and keyboard effectively within the Device Explorer module.

Context menu and drag & drop

You can assign permissions using the right-click context menu:
Figure 23: Contextual menu

Keyboard shortcuts

A number of keyboard shortcuts are available in the Device Explorer module. The convention used in this guide to represent keyboard shortcuts in which you press two or more keys simultaneously is a plus sign (+) between the key names. The following table explains the available keyboard shortcuts:
Shortcut | Used to
CTRL+D | Add/Modify permission for the selected item(s).
CTRL+P | Add/Modify offline permission for the selected item(s).
CTRL+I | Add/Modify online permission for the selected item(s).
CTRL+N | Add/Modify a schedule for the selected item(s).
CTRL+L | Add/Modify a temporary permission for the selected item(s).
CTRL+W | Add/Modify shadow settings.
CTRL+M | Define the copy limit for the selected item(s).
CTRL+E | Insert a device group.
F2 | Rename a computer group/device.
DELETE | Delete an entry (see note below).
CTRL+A | Insert a computer.
CTRL+C | Copy and cut a computer(s) from a computer group to place in another one (same as CTRL+X).
CTRL+V | Paste a computer(s) previously cut or copied from a computer group to place in the selected one.
CTRL+X | Cut and copy a computer(s) from a computer group to place in another one.
CTRL+Q | Add/Modify event notifications.
F5 | Refresh screen information.
Table 18: Keyboard shortcuts in the Device Explorer module
Using Delete for a computer entry in a computer group erases all permissions, shadows, copy limits, etc. for this machine. The computer is no longer visible but still exists in the computer group; you can use the right-click menu to display it again. See Show All Members on page 54 for more information.

Adding comments to an entry

You can add a comment to remind yourself why you made an entry or as a useful note for other PGP Endpoint administrators. You can add comments to every entry.
To modify or add a comment to an item
1. Select the permission line that you want to add a comment to.
2. Click once more on the Comments column to edit it. You can also click on the Comments column and press the F2 key.
3. Type a brief explanatory notice and finish by pressing ENTER.

Computer groups

Computer groups are virtual groupings formed by several computers, without any relation to the Active Directory structure. These virtual computer groups help you organize your permissions in a more logical way, bringing together several machines that should share permissions to specific devices.
A good permission policy is to FIRST define as many Default Settings as possible to apply to all computers and then define Computer groups for the exceptions. You can then proceed to set permissions to specific machines.
Computer groups are defined to make the same exceptions for a series of machines.
It is a good idea to add comments to the permission modifications you make. It helps you remember why each modification was made as your permission structure grows in complexity.

Renaming Computer Groups/Device Groups/Devices

Computer Groups, Device Groups, and devices in a device class (those belonging to the Default Settings tree in the Device Explorer module) can be renamed. While renaming a Computer Group, Device Group, or Device, you should be aware that internal names are not case sensitive: My Device Name is the same as MY device NAME. This can cause errors when trying to change lowercase to uppercase letters in descriptions.
Show All Members
Sometimes you may find that there are hidden computers in a computer group inside the Machine-Specific Settings section of the Device Explorer module. This happens mainly when you insert computers without assigning them rights. These computers are hidden to avoid crowding the computer group with data that is not meaningful. When you delete a group with invisible computers, they are all moved back to their domain along with those that have permission rules and are shown. If you need to change their permissions, move them to other computer groups, or display them, right-click and select Show all members.
If the Show all members item in the right-click menu is grayed out, you do not have invisible computers in that computer group.
To delete or change permissions for a computer that is hidden in the computer group:
1. Right-click on the computer group that you want to view.
2. Select Show All Members. This displays the hidden computer(s).
Figure 24: Show all members
3. Select the computer on which you want to erase permissions.
4. Press the DELETE key. As an alternative, you can also select the computer and then use the Remove item of the Explorer menu. If you do not want to delete the machine, you can right-click on the computer's name or on the device classes and change its permissions.

Event notification

If you want your users/user groups to receive a message when trying to gain access to an otherwise unauthorized device, you can create an Event notification rule. You can create this rule at the following levels:
> Root level, when selecting the Default Settings node. The notification applies to all devices for the user(s)/user group(s) defined.
> Device class root level, when selecting any of the sub-nodes of the Default Settings root node, for example, the DVD/CD Drives class. The event notification applies only to the devices belonging to that particular class.
> Device level, when selecting a specific device within a device class, for example, a XXXX 48x DVD drive contained in the DVD/CD Drives class. The event notification applies only to the use of that specific device.
> Device Group level, when selecting a group created within a device class, for example, the Marketing DVD Rewritable group previously created in the DVD/CD Drives class.
> Computer level, for a specific computer in the Machine-Specific Settings node, following the guidelines established in all previous points (at the computer's root level, the computer's device class, the computer's device within a device class, or the computer's Device Group within a device class).
If you set an event notification for the Everyone group, your users may receive constant messages when some programs try to access their removable devices, for example, an antivirus application scanning the devices. Setting it for specific users/groups instead resolves this issue.

When event notifications using the same priority are defined at the root level and the computer-specific level, only one of the rules is taken into account. The priority of event notification rules is not handled based on machine vs. global settings; they are ordered purely by their priority.
To create an Event Notification
To add an event notification for a user:
1. Activate the Device Explorer module by clicking on the icon in the Modules option of the Control Panel.
2. Select the device class where you want to create the rule.
3. Use CTRL+Q or right-click and select the Event Notification item from the context menu.
4. Click the Add button.
5. Choose the users/groups for which you want to create the rule by typing the name or clicking on the SEARCH or BROWSE button.
6. Click OK.
Figure 25: Event notification: selecting the users/groups
7. Choose between not notifying (default behavior) or the Notify option.
8. Select the Priority.
9. Enter a message (optional).
10. Click on NEXT.
Figure 26: Event notification: options
11. Click on Finish to accept the rule.
Figure 27: Event notification: finish the rule definition
You can now see a new event notification defined for the device class. The following image shows an example for the DVD/CD Drives class for user Bill:
Figure 28: Event notification: new permission rule as shown for the device class

Event notifications can also be created, modified or deleted at root level by right-clicking directly on the Default Settings icon. In this way you can assign a notification for all illegal access to devices.
To delete an Event Notification
If you want to remove the Event Notification rule defined for a device class and assigned to a user(s)/group(s), you can do one of the following:
> Select the permission and then press the DELETE key.
> Right-click on the permission and then select the Remove Event Notification item from the context menu.
To modify an Event Notification
To change the Event Notification rule defined for a device class and assigned to a user(s)/group(s), you can do one of the following:
> Select the permission and then press the Ctrl+Q shortcut key.
> Right-click on the permission and then select the Modify Event Notification item from the context menu.
This opens a dialog where you actually modify the Event Notification. You then need to:
1. Change the setting (to notify or not), priority, and message as needed.
2. Click on the NEXT button.
3. Click FINISH.
Some practical examples
You can use event notification rules to your advantage by carefully planning them. For example, let us say that you establish an event notification rule at the root level informing the members of the group Marketing with a general message, "You cannot use this device", with a Medium priority. Furthermore, you establish a copy limit rule for these same users, whom you cluster in two distinct device groups called "Removable with copy limit rule. German section" and "Removable with copy limit rule. English section". You can now add two new event notification messages (one in German and the other in English) with High priority informing those users: "If you think you need to extend your quota limit, please dial extension 200". You also assigned a temporary permission for user Bill for a specific device in the Removable Storage Devices class of his computer, defined in the Machine-Specific Settings, and you decide to improve communication by also defining an event rule specifying "To obtain new temporary permissions, dial 310".
This can be as complicated or as simple as you like: no message at all, a simple message, or a complicated set of rules defining every possible deny-access scenario imaginable.
Limiting the number of messages a user receives
You will notice that the event notification dialog on the client side has a Do not notify me again checkbox to limit the number of messages the user receives when trying, intentionally or unintentionally, to break a defined policy. This limits the messages displayed, since some applications, once the user tries to access or open a file, insist on accessing the data and/or files on the user's behalf, generating a very high number of notification error messages that the user would otherwise have to bear.
Figure 29: Event notification: limiting the number of messages a user receives

This message will reappear, even when using the Do not notify me again option, when the user plugs the device in again, starts a new session, or restarts the computer. The option is only there to limit the number of messages PGP Endpoint reports back to the user.

Device Groups

Device groups are used to organize your devices into logical units with special permissions. You can, for example, create a new device group for the Imaging Devices class and then place all your HP scanners in this new group. Furthermore, you can then add special permission rules for a particular device group.

To add a device group
To add device groups to any device class inside the Default Settings section of the Device Explorer module, do one of the following:
> Select any device, at its upper level or class, and use the shortcut key Ctrl+E.
> Right-click on any device, at its upper level or class, and select Insert Device Group from the popup menu.
> Select any device, at its upper level or class, and use Insert Device Group from the Explorer menu.
You can create a group for any device class you desire (the upper level of a device) and add any device of the same class to this newly created group. You can move devices among different groups by using the Shift or Ctrl keys together with Drag & Drop. You can also use the shortcut key commands Cut (Ctrl+X), Copy (Ctrl+C), and Paste (Ctrl+V) for the same purpose. These commands are also available from the right-click context menu:
Permissions cannot be applied to an empty device group. You must first add a device to it.
Figure 30: Using Drag & Drop to move devices to a newly created group
Remember that you can extend this classification further by adding device models and, in the case of removable storage devices, unique serialized devices.

Supported device types

The Device Explorer module can be used to control access to a variety of I/O devices. Setting access at the Default settings level class allows the user to access that device class on any computer in the network. Information about the device types supported is given in Device types supported on page 17.

If you notice an unexpectedly blocked device, consider giving it LocalSystem access. Some devices are not accessed directly but through a service running under the Local System account, and PGP Endpoint Device Control might block this access. For example, this is the case for some printer models connected through the LPT or COM ports.

Managing permissions

The main purpose of the Device Explorer module is to manage permissions and rules for every conceivable device and then associate them with user(s)/user group(s). A second use is to define decentralized encryption in organizations that do not need or want centralized control of this aspect of the solution. Since PGP Endpoint Device Control offers a great range of options in this respect, a dedicated chapter describes the process in detail.
Please refer to the next chapter for a complete description of how to administer permissions/rules using the Device Explorer module.

When there is no permission or rule defined, the default applies: the user has no access at all to the device.

Chapter 4: Managing permissions/rules

This chapter explains the different types of permissions and rules that can be administered using the Device Explorer module. Please refer to Chapter 3: Using the Device Explorer on page 49 for a detailed description on how to use the Device Explorer module.
You can access the Device Explorer by clicking on the icon located on the Modules section of the Control Panel in the main window.
As explained in the previous chapter, the Device Explorer lets you administer the rules and permissions that determine which devices your users and user groups can use and cannot use.
Users (or groups of users) can only gain access to I/O devices if they have the appropriate permissions to do so. To define permissions, you:
1. Select the appropriate section of the Device Explorer tree, either Default Settings or Machine­Specific Settings.
2. Choose the desired device class.
3. Use the Explorer menu or right-click on the item. From there you can select all types of permissions and rules to assign to a device and its associated user(s)/user group(s).
If you double-click on the device class (the higher level of the tree nodes), the Permissions dialog opens from where you can define Read, Read/Write, or None rights and set decentralized encryption and filters on some classes.
You should not use permissions other than Read and Read/Write when working on a system that uses older versions of the PGP Endpoint Client Driver. The client cannot interpret these types of permissions, resulting in no permissions being applied.

Using the Permissions dialog

When defining permissions the following dialog is displayed as the first screen (except for Shadow where a subset is used as depicted in Figure 32):
Figure 31: Main permissions dialog
Figure 32: Bus dialog used for Shadow
Choose between Read Only, Read/Write, Encrypt, Decrypt, Export to file, Export to media, Import, and/or None (not selecting any option). The Encrypt, Decrypt, Export to file, Export to media, and Import options as well as the Encryption and Drive panels are only available for the Removable Storage Devices class. (They are fully explained in the corresponding sections of this chapter.)
Once you have selected the user(s) or group(s) using the ADD button (see Adding a user or group when defining permission on page 68) you can reselect all, or some, of them to define Permissions, Encryption, Drive, and Bus type (if applicable) individually or globally.
You can add as many permissions to user(s) or user group(s) as you want without closing the dialog. To do this, repeatedly click the ADD button.
Figure 33: General Permissions dialog exceptions
The options available in this dialog depend on the device class for which you are defining the permission. The Bus panel displays the available interface standards for the class you are working with. For example, if you are working with the Tape Drives class, you can choose among SCSI, USB, FireWire, ATA/IDE, and All. The All option covers SCSI, USB, FireWire, ATA/IDE, and any other bus through which the tape drive works.
The User/Group panel, at the top of the Permissions dialog, contains the following fields:
> Name shows the user/group name.
> Location indicates the user domain or workgroup (if available). This is the same field that is shown in the Select User dialog (opened with the ADD button).
> Permissions reflects the options selected on the Permissions panel (lower left side of the dialog).
> Priority shows whether the permission is applied with a high or low priority (depending on whether the Low Priority option is selected). See the description of priorities and how they apply in Priority of default permissions on page 71.
> Filters shows which types of files the user can access.
> Scope changes to reflect the extent of this permission definition. It is adjusted when you modify the options located on the Encryption, Bus, or Drive panel.
You can add permissions to multiple users/groups without closing the dialog. To do this:
1. Click on ADD to select the required user(s)/group(s).
2. Click on OK to close the user selection dialog.
3. Select the desired options from the permission dialog and file filters (if available).

Special case: Working with Removable Storage Devices

If you are defining permissions or a Shadow rule for removable storage devices, you can choose to apply the permission(s) to encrypt and/or decrypt devices. To further limit permissions, you can also choose the required scope options from the Encryption and Drive panels.
Some USB memory sticks are recognized as external hard disk drives. This may lead to confusion and undesirable behavior if you select All in the Bus panel and/or Both in the Drive panel while defining permissions or a Shadow rule: you may accidentally specify that real secondary hard disk drive(s) are blocked/allowed/shadowed or forced to be encrypted/decrypted.
You can use the following settings when working with the removable storage devices:
Parameter | Description
None (neither read nor write) | The user or group is specifically denied access to the device.
Read | The user or group can do read operations.
Read/Write | The user or group can read and/or write to/from the removable media.
Encrypt | The user or group is allowed to encrypt the device. This option is related with the Export and Import settings.
Decrypt | The user or group can decrypt a device.
Export to file | The public key used to encrypt the device can be exported to a file. A secure channel can then be used to transmit this file. You must first choose the Self Contained Encryption setting in the Encryption panel.
Export to media | The public key used to encrypt the device can be exported to the medium itself. If you do this, the device can be decrypted directly without the need of providing an external key. You must first choose the Self Contained Encryption setting in the Encryption panel.
Import | The user/group can import data from an external encrypted key. You must first choose the Self Contained Encryption setting in the Encryption panel.
Table 19: Allowed settings when working with the Removable Storage Devices class
Examples
1. The user/group has read only rights for all USB memory key devices with a high priority.
Figure 34: Removable permissions settings example 1
2. Read/Write permissions for PGP Endpoint-encrypted SCSI hard disks with a low priority.
Figure 35: Removable permissions settings example 2
3. The user has Read/Write permissions for all PGP Endpoint-encrypted removable devices on all kinds of buses with high priority. The user can also locally encrypt and export the key to the encrypted device or a file. In this case we force the user to encrypt all his removable devices, but the user cannot read (or write) them unless they are already encrypted (two permissions are needed).
Figure 36: Removable permissions settings example 3 – Encrypted
Figure 37: Removable permissions settings example 3 - Unencrypted
4. The user can format (Decrypt) his USB memory key, has Read/Write permissions only for encrypted devices connected to the USB port (Bus), and can export and/or import the device's encryption key, all this with high priority.
Figure 38: Removable permissions settings example 4
See Decentralized encryption on page 175 to define permissions that force the user to encrypt Removable Storage Devices.
See Chapter 11: Using PGP-Encrypted Removable Devices on page 211 for instructions on how to use PGP-encrypted devices.

Using file filters

The Permission dialog includes a FILTER button. This is used to limit access to certain file types depending on the nature of the permission defined (see Table 22). Filters are ONLY available for the Removable Storage Devices, Floppy Disk Drives, and DVD/CD Drives classes.
To define a filter, select it from the list in the File Type Filtering dialog that opens when you click on the FILTERS button. To delete a filter, deselect the desired row.
Once a filter is set, click on the OK button in the Permissions dialog to accept (or on CANCEL to close the dialog without selecting the filter). The filter details are shown in the corresponding field of the permission dialog. Once filter permissions have been defined, their details are also visible in the Filters column of the Device Explorer module window.
When using permissions that include File Filters you can use the following file type filtering:
File type filtering | Permission | Import/Export | Result
Not defined when creating the permission | Read, Write or Read/Write | Import and/or Export | The type of file is not taken into account to enforce permissions settings as defined in the dialog.
Defined when creating the permission | None (neither Read nor Write) | Import | File filter is enforced in a deny state: deny file copy from floppy disks, removable storage devices, and CDs/DVDs to the local HDD.
Defined when creating the permission | None (neither Read nor Write) | Export | File filter is enforced in a deny state: deny file copy from the local HDD to floppy disks, removable storage devices, and CDs/DVDs.
Defined when creating the permission | None (neither Read nor Write) | neither Import nor Export | Filters are not enforced. The end result is like not defining filters at all.
Defined when creating the permission | Read only or Read/Write | Import | File filter is enforced in a grant state: allow file copy from floppy disks, removable storage devices, and CDs/DVDs to the local HDD.
Defined when creating the permission | Read only or Read/Write | Export | File filter is enforced in a grant state: allow file copy from the local HDD to floppy disks, removable storage devices, and CDs/DVDs.
Defined when creating the permission | Read only or Read/Write | neither Import nor Export | Filters are not enforced. The end result is like not defining filters at all.
Table 20: File type filtering options
In the grant state the filter is controlled ONLY by the Import/Export settings plus the state of the file types selected in the list. The Read/Write part of the permissions only controls directory access (Read = directories & files can be listed, Write = directories can be created, deleted and renamed).
The All File Types (Import/Export) and Only files selected from this list parameters control whether the permissions are applied to all types of files (even those not included in the list) or only to those files selected in the list panel.
See File Filtering examples on page 66 for a complete set of examples showing how to use file filtering.
You can define different file filters for read, write, or read/write permissions. The FILTERS button is disabled when you select more than one user/group in the Permissions dialog. Nevertheless, you can define different file filters for each user/group individually.
Users cannot copy files directly from an FTP disk to an external device or vice versa if file content filtering is active. Users should first copy the files to the hard disk drive.
Permissions without file filtering always have priority over those where file filtering is defined. The File Type Filtering dialog contains two options: All Known Files and All File Types. These control whether the filters apply only to the files selected in the list panel or to all types of files (even those not included in the list).
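Table 20 and the Marketing/MP3 and Sales/PDF examples on page 66 describe how a file filter changes what a permission means for a given file type and copy direction. The following Python model is added here as an illustration; it is not PGP Endpoint code and is not taken from this guide. It encodes the single-rule semantics of Table 20 (a rule yields allow, deny or no decision) and combines a user's rules in an assumed order (an explicit deny wins, then any grant, otherwise access is denied) that reproduces the two examples. It does not model how the product resolves overlapping user and group rules (Table 23). The file-type names, group names and rule sets below are constructed from the guide's examples.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Sequence


class Access(Enum):
    NONE = "None"              # neither Read nor Write
    READ = "Read"
    READ_WRITE = "Read/Write"


class Direction(Enum):
    IMPORT = "Import"          # external device -> local hard disk
    EXPORT = "Export"          # local hard disk -> external device


@dataclass(frozen=True)
class FileFilter:
    """The File Type Filtering settings attached to one permission."""
    all_file_types: bool = False             # "All File Types (Import/Export)"
    selected: FrozenSet[str] = frozenset()   # "Only files selected from this list"
    import_enabled: bool = False
    export_enabled: bool = False

    def covers(self, file_type: str, direction: Direction) -> bool:
        type_ok = self.all_file_types or file_type in self.selected
        dir_ok = self.import_enabled if direction is Direction.IMPORT else self.export_enabled
        return type_ok and dir_ok

    @property
    def enforced(self) -> bool:
        # Neither Import nor Export selected: the end result is like defining no filter.
        return self.import_enabled or self.export_enabled


@dataclass(frozen=True)
class Permission:
    principal: str
    access: Access
    file_filter: Optional[FileFilter] = None


def evaluate(rule: Permission, file_type: str, direction: Direction) -> Optional[bool]:
    """Table 20 applied to one permission.

    Returns True (this rule grants the copy), False (this rule denies it) or
    None (this rule says nothing about it and leaves it to other rules)."""
    f = rule.file_filter
    if f is None or not f.enforced:
        # Plain device permission: the file type is not taken into account.
        if rule.access is Access.NONE:
            return False
        if rule.access is Access.READ:
            return True if direction is Direction.IMPORT else None
        return True
    if rule.access is Access.NONE:
        # Deny state: only the listed types in the enabled directions are denied;
        # all other file types are not affected by this rule.
        return False if f.covers(file_type, direction) else None
    # Grant state: only the listed types in the enabled directions are granted.
    return True if f.covers(file_type, direction) else None


def is_allowed(rules: Sequence[Permission], file_type: str, direction: Direction) -> bool:
    """Combine the rules that apply to one user (assumed ordering, see lead-in):
    an explicit deny wins, otherwise any grant wins, otherwise access is denied."""
    verdicts = [evaluate(r, file_type, direction) for r in rules]
    if False in verdicts:
        return False
    return True in verdicts


# Constructed rule set reproducing the "Marketing users, all files except MP3" example.
MP3 = "MPEG Audio Stream Layer III"
WORD = "Microsoft Word"
PDF = "Adobe Acrobat"

DOMAIN_USERS_RW = Permission("Domain Users", Access.READ_WRITE,
    FileFilter(all_file_types=True, import_enabled=True, export_enabled=True))
MARKETING_NO_MP3 = Permission("Marketing", Access.NONE,
    FileFilter(selected=frozenset({MP3}), import_enabled=True, export_enabled=True))
# Constructed rule reproducing the "Sales users may copy PDF files out" example.
SALES_PDF_EXPORT = Permission("Sales", Access.READ_WRITE,
    FileFilter(selected=frozenset({PDF}), export_enabled=True))


def marketing_can(file_type: str, direction: Direction) -> bool:
    return is_allowed([DOMAIN_USERS_RW, MARKETING_NO_MP3], file_type, direction)


def other_domain_user_can(file_type: str, direction: Direction) -> bool:
    return is_allowed([DOMAIN_USERS_RW], file_type, direction)


def sales_can(file_type: str, direction: Direction) -> bool:
    return is_allowed([SALES_PDF_EXPORT], file_type, direction)


if __name__ == "__main__":
    for who, fn in (("Marketing", marketing_can), ("Other user", other_domain_user_can), ("Sales", sales_can)):
        for ft in (MP3, WORD, PDF):
            for d in Direction:
                print(f"{who:10} {ft:28} {d.value:6} -> {'allow' if fn(ft, d) else 'deny'}")
```

Running the block prints the verdict matrix for the constructed groups: Marketing is denied MP3 in both directions but keeps everything else, other domain users keep MP3, and Sales can export PDF files only.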
If you activate the File Filtering feature for the DVD/CD class, the user will not be able to burn such media. This also explains why you cannot select the Export option in the Permissions panel (right corner, see Figure 39) when this feature is activated for this class. The user will be able to burn DVDs/CDs once more when the file filtering is deleted.
Users who have an active File Type Filtering rule can always copy a file or group of files from a hard disk to a removable device using the command line (with COPY or XCOPY), but not the other way around. They can always use Windows Explorer for this task either way with no problem at all.
File Type Filtering rules cannot be combined with Encrypt, Decrypt and Bus-specific permissions inside the same rule. ONE permission cannot have both file type filtering defined and Encrypt / Decrypt / Bus-specific options selected, but SEPARATE permissions can, and will be properly enforced.
If no filter is defined, or the Import/Export options of the filter dialog are not activated (even if some files are selected), the profiled permission applies to all types of files.
Figure 39: Defining a file filter
File filters can be used to limit access to the files listed in the following table:

Families of file types     File types
Adobe Acrobat
Microsoft Office           Microsoft Word, Microsoft Excel, Microsoft Graph, Microsoft Project, Microsoft Access Database
Microsoft Office 2007      Microsoft Office Open XML Word, Microsoft Office Open XML Excel, Microsoft Office Open XML PowerPoint
Open Office                OpenOffice.org Writer: OpenOffice Text Document, OpenOffice Text Template
                           OpenOffice.org Math: OpenOffice Formula, OpenOffice Formula Template
                           OpenOffice.org Base
                           OpenOffice.org Calc: OpenOffice Spreadsheet, OpenOffice Spreadsheet Template
                           OpenOffice.org Draw: OpenOffice Graphics, OpenOffice Graphics Template
                           OpenOffice.org Impress: OpenOffice Presentation, OpenOffice Presentation Template
Microsoft Visio
Microsoft PowerPoint       Microsoft PowerPoint Slideshow, Microsoft PowerPoint Presentation, Microsoft PowerPoint Template, Microsoft PowerPoint Add-in
Markup languages
Rich Text Format
Archive                    Zip, Protected Zip
Executable                 Application, Dynamic Link Library
Image                      Microsoft Windows OS/2 Bitmap Graphics, Joint Photographic Experts Group, Graphics Interchange Format, Tagged Image File Format, Microsoft Windows Metafile, Microsoft Windows Icon, Microsoft Windows Cursor, Enhanced Microsoft Windows Metafile Format, Portable Network Graphic, Corel vector Graphic Drawing
Audio Video                Moving Picture and Associated Audio Video: Moving Picture Experts Group, MPEG Audio Stream Layer II, MPEG Audio Stream Layer III
                           Advanced Streaming Format, Standard MIDI File, Resource Interchange File Format, Windows Animated Cursor, Audio Video Interleave, Downloadable Sounds, Musical Instrument Digital Interface, DirectMusic Style, WAVEform audio format
RealNetworks Content       RealMedia Streaming Media, RealAudio Streaming Media
Microsoft Windows Setup    Microsoft Windows Installer File, Microsoft Windows Installer Patch, Microsoft Windows SDK Setup Transform Script
Table 21: File types for filtering
File filters work in combination with the permission type that you have set:

Permission type                  Example
Device access set to None        If you select Microsoft Word in the File Type Filtering dialog, then access is denied for all .doc files.
Device access set to Read        If you select MPEG Audio Stream Layer III in the File Type Filtering dialog, then read access is allowed for .mp3 files.
Device access set to Read/Write  If you select Microsoft Word in the File Type Filtering dialog, then read/write access is allowed for .doc files.
Table 22: File filter settings and permission relation
Once a filter has been assigned, you can modify it by editing the related permission. To do this, click on the FILTERS button and change the required file type(s). Alternatively, you can choose one of the following settings from the Permissions panel:
> Export — allows copying from the system hard disk drive to an external device.
> Import — allows copying from an external device to the system hard disk drive.
Currently PGP Endpoint does not support file filtering for the new format *.wim (Windows Imaging Format) introduced with Windows Vista.
When defining file filters, you cannot open files directly from the external device. You must first copy them to your system (or another authorized hard disk drive).

To remove File Filtering settings from a permission

Occasionally situations arise where you want to delete all file filtering conditions from a permission rule but keep all its other settings (bus, encryption, drive type, etc.).
Obviously, you can do this by deleting the permission and recreating it without using File Filtering, however this solution is unacceptable for all but the simplest cases. For more complicated permissions, use the following procedure:
1. Open the Permissions dialog. To do this, double-click the permission rule in the Device Explorer module, right-click the Removable Storage Devices, Floppy Disk Drives, or DVD/CD Drives class, or use the CTRL+D shortcut.
2. Select the desired register by clicking on it or by navigating through the registers using your keyboard Up or Down arrow keys.
3. Click on the FILTERS button.
4. If the permission is defined using the All file types (Import/Export) option, deselect the Import and Export checkboxes. If the permission is valid for specific file type(s) (Only files selected from this list), click on the UNCHECK ALL button.
5. Close the File Type Filtering dialog by clicking CLOSE.

File Filtering examples

In this section, we consider several common cases where you can use File Filtering to block or allow user file access by file type.
> Allow Marketing users to access all kinds of files with the exception of MP3.
To grant Marketing users access to all kinds of files with the exception of MP3, we first need to define the following rules:
> Domain users have Read/Write access to removable devices. (This is a File Filtering rule with All File Types and Import/Export activated.)
> The Marketing user group has a None permission for the Removable Storage Devices class with a File Filter defined for file type MPEG Audio Stream Layer III. Activate the Import/Export settings.
These two rules mean that:
> Marketing users can copy everything they want to removable devices except MP3 files, since there is a negative permission defined for them (despite the positive permission due to the first rule).
> All other users (not belonging to Marketing) can copy whatever they want to removable devices with no limitation whatsoever. There is no negative rule limiting their behavior.
> Allow Sales users to copy PDF files to removable media.
To let Sales users copy PDF files to removable media, simply define a Read/Write permission and, using the File Type Filter dialog, define Export permissions for files with the file type Adobe Acrobat for the user group Sales in the Removable Storage Devices class. Users belonging to this group can now write and export (copy) PDF files. If no other permission is defined, this is the only type of file that Sales can copy.
> Allow Marketing users to copy PDF files to removable media and read Microsoft Word and Excel documents.
To let Marketing users copy PDF files to removable media and read Microsoft Word and Excel documents, define a Read/Write permission and, using the File Filter dialog, define Export permissions for files with the file type Adobe Acrobat and Import permissions for Microsoft Word and Microsoft Excel files.
Users in the user group Marketing can now copy PDF files to their external devices (but not the other way around) and copy Microsoft Word and Microsoft Excel files to their system hard disk drive (from their external devices). The files can be opened once they reside on the hard disk drive.
> Allow all users to copy in/out of the company any Microsoft Office documents, PDF files, and images but not MP3 files.
To do this, define a Read/Write permission for domain users to the Removable Storage Devices class with a File Filter set for Microsoft Office, Adobe Acrobat, and Image files. Select the Import and Export checkboxes from the Permissions panel in the File Type Filtering dialog. Since MP3 files are not included in the File Filter, they are NOT accessible.
Remember that in all cases:
You cannot define several different permissions relating to the same device class for a single user or user group. For example, Marketing cannot have a Read/Write permission for the Removable Storage Devices class (no file filtering) and a None permission with an import file filter for MP3 files for this same device class. In this case, you MUST use two different groups and include users in one or the other.
If you define a file filter authorization, all files not in the list are denied. If you deny access to a specific type of file (using the File Filter dialog), all other file types are NOT denied by this rule. They can be denied by default or by defining another rule.
The following table contains further examples to clarify file filtering. (In these, users Jack and Jill both belong to the user group Marketing and all permissions are defined for the removable storage devices class.):
Example  Permission type  User/Group   File filter                                                    Import/Export
1        Read             Jack         Only files selected from this list: Microsoft Word             Import
         Result: Jack can copy Word documents to his local hard disk drive. All other file types are blocked. All other users can neither read from nor write to removable devices.
2        Read             Everyone     All file types                                                 Import/Export
         Read/Write       Marketing    All file types                                                 Import/Export
         None             No_Access*   All file types                                                 Import/Export
         Read             Jill         Only files selected from this list: Adobe Acrobat              Import
         Result: Jill can copy PDF files to her local hard disk drive. All other members of Marketing can read or write from removable devices. Everyone else can only read from removable devices.
3        Read/Write       Marketing    All file types                                                 Import/Export
         None             Jack         Only files selected from this list: Microsoft Word             Import
         Result: Jack cannot copy Word documents to his local hard disk drive; all other users belonging to the user group Marketing can read or write from removable devices.
4        Read/Write       Marketing    Only files selected from this list: Microsoft Word             Import
         Read/Write       Jill         Only files selected from this list: Adobe Acrobat              Import/Export
         Result: Jill can copy PDF files from/to her local hard disk to removable devices. All other users of the user group Marketing can only copy DOC files to their local hard disk drive.
5        Read/Write       Jack         Not defined                                                    n/a
         Result: Jack can read or write from removable devices without limitation.
6        Read/Write       Marketing    Not defined                                                    n/a
         None             Jack         Not defined                                                    n/a
         Result: Jack is blocked from reading or writing to removable devices. On the other hand, all other users belonging to the user group Marketing can read or write to removable devices with no limitation at all.
7        Read/Write       Marketing    Only files selected from this list: Microsoft Word             Import
         Result: Jack and Jill and all other users in the user group Marketing can only copy Word documents from removable devices to their local hard disk drive.
8        Read             Marketing    Not defined                                                    n/a
         Result: Jack and Jill and all other users in the user group Marketing can only read data from removable devices.
9        None             Jack         Only files selected from this list: Microsoft Word             Import/Export
         Read/Write       Access*      All file types                                                 Import/Export
         Result: Jack cannot copy Word documents to/from removable devices but can copy all other types of files from removable devices.
10       None             Jack         Only files selected from this list: MPEG Audio Stream Layer III  Import/Export
         Read/Write       Access*      All file types                                                 Import/Export
         Result: Jack cannot copy MP3 files to/from removable devices but, on the other hand, can copy to/from his removable devices all other kinds of files (even those not in the file filter list).
11       Read/Write       Marketing    All file types                                                 Export
         Result: Jack and Jill and all other users belonging to the user group Marketing can only copy data to removable devices.
12       Read             Marketing    All file types                                                 Import
         Read/Write       Jill         Only files selected from this list: Microsoft Word             Export
         Result: All Marketing user group users can copy all kinds of files from their removable devices to their local HDD, but Jill can also copy Word documents from her HDD to removable devices.
*Auxiliary user groups created to serve as a bridge to define the required permissions.
Table 23: File filter settings examples

Adding a user or group when defining permissions

When adding a new permission, no matter what kind of permission, you need to associate it with one or several users or groups of users. This is done using the Select Group, User, Local Group, or Local User dialog.
Figure 40: The Select Group, User, Local Group or Local User dialog
The contents of the Select Group, User, Local Group, or Local User dialog are explained in the following table:

Name field      Used to type in the user or group name. It accepts wildcard symbols.
Search button   Searches for the user or group.
Browse button   Browses the Active Directory for users/groups. Not available for Novell objects.
List box        Once the Name field is validated, a list of all possibilities is shown here.
OK button       Accepts the selected user/group and closes the dialog.
Cancel button   Interrupts the add user/group operation and closes the dialog.
Table 24: Add user/group dialog options
You can select one or more users or user groups by doing one of the following:
> Leaving the NAME field empty and clicking on the SEARCH button. You can see a complete list of available users, groups, or objects in the list box. Double-click to select one user or group, or use the SHIFT and CTRL keys to make a multiple selection. Once your selection is done, click on OK or press ENTER to accept and close the dialog.
> Typing the complete name of the user or group in the NAME field and pressing ENTER (or clicking on SEARCH). The name of the user or group is verified and, if valid and present, appears in the list box. Double-click on it, or select it and then click on OK or press ENTER to accept and close the dialog.
> Typing a partial name in the NAME field and pressing ENTER (or clicking on SEARCH). You can use the wildcards * and ? in the name. Double-click to select one user or group, or use the SHIFT and CTRL keys to make a multiple selection. Once your selection is done, click on OK or press ENTER to accept and close the dialog.
> Clicking on the BROWSE button. The standard Windows Select Users or Groups dialog opens. Follow the Windows procedure to select the desired user or group. Click on OK or press ENTER to accept the selection and close this dialog, and then once more on OK or ENTER to close the first dialog and accept the selection.
If the user or group you are looking for is not displayed, make sure you synchronize the domain and check that you have the appropriate permissions on the object in the Active Directory (delegation) or Novell's eDirectory. Remember to run the synchronization script if working in a Novell environment, as described in the PGP Endpoint Setup Guide.

To assign default permissions

Root-level permissions

You can apply root-level permissions using the Device Explorer module. These permissions are not attached to a particular device class or type, but to the root of the Device Explorer tree (or to a specific device class, device group, computer, or group settings of a computer group in the Machine-Specific Settings tree). They therefore apply to all devices for the specified user(s) or user group(s). For example, you can have a non-blocking mode (Read/Write permissions) for all devices at user or user group level. Of course, applying an all-blocking mode (no Read or Read/Write permissions) is equally possible.
Since access to certain devices (notably those connected to the PS/2 port) is performed in the context of the built-in LocalSystem user, we recommend not using the built-in Administrators group, which includes that user, for root-level permissions. If you do this, you may allow unexpected users to access certain devices (depending on the particular machine's configuration). A safer approach is to define a specific user group for assigning these types of root-level permissions. For example, if you grant Administrators read/write access at the root level, you are also implicitly granting the LocalSystem user and, therefore, everyone the same permissions for the PS/2 port.
Where default permissions apply
Default permissions can be applied at the following levels:
> The root node of the Default Settings tree.
> The Device Class node of the Default Settings tree. For example, the DVD/CD Devices class.
> A Device Group within an existing Device Class node in the Default Settings tree. For example, a previously defined device group called DVD recorders Marketing Dept. of the DVD/CD Devices class in the Default Settings tree.
> The Group Settings of a previously defined Computer Group within the Machine-Specific Settings tree.
> A computer previously added to an existing domain or workgroup within the Machine-Specific Settings tree.
When applying the non-blocking mode (Read/Write permissions for a user or user group) you have the advantage of creating a log of device usage (see Chapter 5: Using the Log Explorer on page 101 for more details) without denying them access. You can combine this feature with a shadow (see Shadowing devices on page 85 for more details) at device class level for full log control.
Assigning default permissions
To assign permissions to a node in a tree, follow the steps outlined in the next section. The only difference is that you should select the nodes described on the previous list (root of the Device Explorer tree, a specific device class, device group, computer, or group settings of a computer group in the Machine-Specific Settings tree).
If you assign default permissions at the root-level, they combine with those defined at the class level (the branches of the Default Settings tree) depending on the chosen priority (Low or High) see Table 25 on page 90.

To assign default permissions to users and groups

You can set the access permissions to devices for users and groups so that they apply to any computer that the user uses. Do this using the following procedure:
1. Select a device class within the Default Settings list.
2. Right-click on the selection and choose Add / Modify Permissions from the popup menu. Alternatively, select the class and then select Add / Modify Permissions from the Explorer menu or use the CTRL+D shortcut key.
Figure 41: Assigning default permissions to users and groups
The Permissions dialog is displayed (some options may or may not be available depending on the class where you are defining the permissions):
Figure 42: The Permissions dialog
3. The first step consists of adding the user(s)/group(s) to which this permission applies. Click on the ADD button.
The Select Group, User, Local Group, or Local User dialog is displayed.
Figure 43: The Select Group, User, Local Group or Local User dialog when adding default permissions
4. Select the user(s) or group(s). See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog.
5. Back in the Permissions dialog, select the user(s) or group(s) you want to assign permissions to (you can use the SHIFT and CTRL keys to make a multiple selection), and then activate the appropriate options. You can define different permissions for each group of selected users or groups. See Using the Permissions dialog on page 59 for more details (especially if you are working on the Removable Storage Devices class).
6. If required, select the file filter options by clicking on the FILTERS button. See a description in the Using file filters section on page 63.
7. Click OK to finish.
The Permissions column in the main window now shows which options are active for the selected users or groups.
When setting read-only permissions on the DVD/CD Drives class, some applications, notably CD-R applications, may not notice that access was denied by PGP Endpoint and erroneously report to the user that a CD has been burned properly when that was not the case. In these circumstances, we recommend that you use Event Notification (see page 54) to warn users.
If Smart Card readers are used to authenticate the user, then the group Everyone should be granted Read/Write access to them.
The list of changes is not sent to the client computer immediately. This list is downloaded the next time a user logs onto that computer. You can, alternatively, send the list immediately by selecting the Send Updates to All Computers or Send Updates To option on the Tools menu (or from the Tools item of the Control Panel). Some devices, such as the TAPE and the Smart Card Reader, require a reboot in order to apply the new permissions. See the notes on page 51 for those devices that require a reboot.

Priority of default permissions

The priority flag can only be set for default permissions. It determines whether a negative permission (None) defined at the default permission level can be overwritten by a computer-specific permission.
It is important to distinguish between the absence of a permission and a negative permission (None, the most restrictive access). In the latter case, when creating a permission for which neither the Read nor the Write flags are selected, you deny the user access to the device even if they are indirectly authorized to use it. You specifically deny access to a device for the user.
You should be aware that:
> When a None permission has a High priority, it cannot be overwritten by a computer-specific one.
> When a None permission has a Low priority, it can be overwritten by a computer-specific one only when that one's priority is High.
> When different positive (Read, Read/Write) permissions are defined at the Default and computer-specific levels, the resulting one is the addition of both of them. The permission priority property only applies to negative ones.
> When a negative permission is defined at the computer-specific level, it takes precedence over the default one depending on the priority.
The following table explains how permissions are applied when they are defined for the same user or group(s) where the user is a member, at the Default level and computer-specific level:
Default Setting                  Computer Specific permission     Resulting
Default Permission  Priority     Permission    Priority           permission
Read-only           High         Read/Write    High               Read/Write
Read-only           High         Read/Write    Low                Read/Write
Read-only           High         None          High               None
Read-only           High         None          Low                Read-only
Read-only           High         Read-only     High               Read-only
Read-only           High         Read-only     Low                Read-only
Read-only           Low          Read/Write    High               Read/Write
Read-only           Low          Read/Write    Low                Read/Write
Read-only           Low          None          High               None
Read-only           Low          None          Low                None
Read-only           Low          Read-only     High               Read-only
Read-only           Low          Read-only     Low                Read-only
Read/Write          High         Read/Write    High               Read/Write
Read/Write          High         Read/Write    Low                Read/Write
Read/Write          High         None          High               None
Read/Write          High         None          Low                Read/Write
Read/Write          High         Read-only     High               Read/Write
Read/Write          High         Read-only     Low                Read/Write
Read/Write          Low          Read/Write    High               Read/Write
Read/Write          Low          Read/Write    Low                Read/Write
Read/Write          Low          None          High               None
Read/Write          Low          None          Low                None
Read/Write          Low          Read-only     High               Read/Write
Read/Write          Low          Read-only     Low                Read/Write
None                High         Read/Write    High               None
None                High         Read/Write    Low                None
None                High         None          High               None
None                High         None          Low                None
None                High         Read-only     High               None
None                High         Read-only     Low                None
None                Low          Read/Write    High               Read/Write
None                Low          Read/Write    Low                None
None                Low          None          High               None
None                Low          None          Low                None
None                Low          Read-only     High               Read-only
None                Low          Read-only     Low                None
Explanation: see below for the steps to follow to find out which priority applies.
Rules:
1. Combine both permissions.
2. Sort them according to their priority.
3. The one with the highest priority is applied.
4. If both permissions have the same priority, follow this precedence, from highest to lowest: None, Read/Write, Read-only.
Note: You can substitute the Default Setting column heading with Class Setting, and Computer Specific Permission with Device Permission. This substitution works for any group/subgroup you create, for example, Class/Device; Class/Device Group; Device Group/Model; Model/Specific device, etc.
Table 25: Applied permissions
Please refer to Permissions Priority on page 157 for an explanation of the priority rules interacting between those permissions defined at the Device Explorer level and those defined at the Media Authorizer level.
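The resolution rules behind Table 25, as a small Python model added here for illustration (this is not PGP Endpoint code): resolve() returns the effective permission for a user who has a (permission, priority) pair at both the Default and the computer-specific level, and mismatches() checks it against every cell of the table as transcribed in TABLE_25. The model assumes exactly what the text above states: the priority flag only matters when one level is None (at equal priority None wins, a strictly higher priority on the other level overrides it), and two positive permissions add up.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Perm(Enum):
    NONE = "None"
    READ_ONLY = "Read-only"
    READ_WRITE = "Read/Write"


class Priority(Enum):
    LOW = 0
    HIGH = 1


Setting = Tuple[Perm, Priority]   # (permission, priority flag) at one level


def add_positive(a: Perm, b: Perm) -> Perm:
    """Positive permissions add up: Read/Write if either level grants it, else Read-only."""
    return Perm.READ_WRITE if Perm.READ_WRITE in (a, b) else Perm.READ_ONLY


def resolve(default: Setting, computer: Setting) -> Perm:
    """Effective permission when the same user or group has a permission at the
    Default level and at the computer-specific level (Table 25)."""
    d_perm, d_prio = default
    c_perm, c_prio = computer
    if d_perm is not Perm.NONE and c_perm is not Perm.NONE:
        # No negative permission involved: the priority flag plays no role.
        return add_positive(d_perm, c_perm)
    if d_perm is Perm.NONE and c_perm is Perm.NONE:
        return Perm.NONE
    # Exactly one level says None. It can only be overwritten by the other level
    # when that level has a strictly higher priority; at equal priority None wins.
    if d_perm is Perm.NONE:
        neg_prio, pos_perm, pos_prio = d_prio, c_perm, c_prio
    else:
        neg_prio, pos_perm, pos_prio = c_prio, d_perm, d_prio
    return pos_perm if pos_prio.value > neg_prio.value else Perm.NONE


# Table 25 transcribed: default (permission, priority) -> the six results for the
# computer-specific settings listed in COLUMNS, in that order.
RO, RW, NO = Perm.READ_ONLY, Perm.READ_WRITE, Perm.NONE
HI, LO = Priority.HIGH, Priority.LOW
COLUMNS: List[Setting] = [(RW, HI), (RW, LO), (NO, HI), (NO, LO), (RO, HI), (RO, LO)]
TABLE_25: Dict[Setting, List[Perm]] = {
    (RO, HI): [RW, RW, NO, RO, RO, RO],
    (RO, LO): [RW, RW, NO, NO, RO, RO],
    (RW, HI): [RW, RW, NO, RW, RW, RW],
    (RW, LO): [RW, RW, NO, NO, RW, RW],
    (NO, HI): [NO, NO, NO, NO, NO, NO],
    (NO, LO): [RW, NO, NO, NO, RO, NO],
}


def mismatches() -> list:
    """Cells of Table 25 that resolve() does not reproduce (empty when the rules hold)."""
    bad = []
    for default, expected_row in TABLE_25.items():
        for computer, expected in zip(COLUMNS, expected_row):
            got = resolve(default, computer)
            if got is not expected:
                bad.append((default, computer, expected, got))
    return bad


if __name__ == "__main__":
    print("Table 25 mismatches:", mismatches())
    # A computer-specific Read/Write with High priority overrides a default None with Low priority.
    print(resolve((NO, LO), (RW, HI)).value)
```

Encoding the table next to the rule is the useful part: if a future version of the product changes the precedence, the transcription and the rule disagree and mismatches() shows exactly which cells moved.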

Read/Write permissions

Only those devices that support a file system can be set to read-only mode. For all others, the only possible permission is either None or Read/Write. Read-only applies to floppy drives, DVD/CD drives, and Removable media. See Table 17 on page 51 for devices restrictions.

To assign computer-specific permissions to users and groups

You can assign permissions on a per-computer basis in a similar way to how you assigned default permissions. Settings that are specific to a particular computer override the Default Settings for the given machine.
To assign computer-specific permissions to users and groups:
1. If the computer is not listed in the Machine-Specific Settings section, right-click on the section title and select Insert Computer. Alternatively, select Insert Computer from the Explorer menu or use the CTRL+A shortcut key.
The Device Explorer does not show every computer in the domain. It includes only those computers for which permissions or options are set. Administrators are limited to the users or computers they are allowed to manage when using Active Directory. Permissions for most computers are managed using the Default Settings section.
The Select Computer dialog is displayed:
Figure 44: The Select Computer dialog showing multiple selection in action
2. Select the desired computer(s). See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog (although the description in that section describes how to select users/groups, the procedure is just the same).
You return to the Device Explorer window.
Figure 45: Assigning permissions in the Device Explorer module
3. Select the computer you want to assign permissions to, and click the + box to the left of it to expand the list of devices (or use the –, +, and arrow keys to navigate the tree).
4. Right-click on the device class and then select the Add/Modify Permissions option from the popup menu. Alternatively, open the tree structure, select the device, and then select Permissions from the Explorer menu or use the shortcut key CTRL+D.
The Permissions dialog is displayed (some options may or may not be available depending on the class where you are defining the permissions).
5. Click on ADD.
Figure 46: Defining Read, Read/Write, or None permissions when adding permissions
The Select Group, User, Local Group or Local User dialog is displayed.
Figure 47: The Select Group, User, Local Group or Local User dialog
6. Select the user(s)/group(s). See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog.
7. Back in the Permissions dialog, select the user(s) you want to assign permissions to, and then activate the appropriate options from the list. Use the SHIFT or CTRL key to make multiple selections. See Using the Permissions dialog on page 59 for more details (especially if you are working on the Removable Storage Devices class).
8. Click OK to finish and close the dialog.
The list of changes is not sent to the client computer immediately. This list is downloaded the next time a user logs onto that computer. You can, alternatively, send the list immediately by selecting the Send Updates to All Computers or Send Updates To item on the Tools menu (or from the Tools section of the Control Panel).

To modify permissions

To modify the permission assigned to a user or group, proceed as follows:
1. Right-click on the user or group.
2. Select Modify Permissions from the pop-up menu. Alternatively, select the Add/Modify Permissions from the Explorer menu, or use the shortcut key CTRL+D.
Figure 48: Modifying permissions
3. In the Modify Permissions dialog, change the permissions as appropriate.
4. Click OK.
The list of changes is not sent to the client computer immediately. The list is downloaded the next time a user logs onto that computer. You can, alternatively, send the list immediately by selecting the Send Updates to All Computers or Send Updates To item on the Tools menu (or from the Tools section of the Control Panel).

To remove permissions

To delete the permission to use a device from a user or group:
1. Right-click on the user or group.
2. Select Remove Permissions from the pop-up menu. Alternatively use the Remove option from the Explorer menu, or press the DELETE key.
Figure 49: Removing permissions

To assign scheduled permissions to users and groups

You assign this kind of permission when you want to limit the use of certain devices to specific hours and days of the week. The procedure is the same for assigning global or computer-specific scheduled permissions.

To assign scheduled permissions:
1. Right-click on the device in the Default Settings section.
2. Select Add Schedule from the popup menu. Alternatively, select the device and select Add/Modify Scheduled Permission on the Explorer menu, or use the shortcut key CTRL+N.
When assigning scheduled permissions (for example, from Monday to Friday, 8 A.M. to 5 P.M.), the local client's time applies.
Figure 50: Add a Scheduled permission
The Choose User dialog is displayed:
Figure 51: The Choose User dialog when adding a scheduled permission
3. Select the user(s)/group(s). See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog. Click on NEXT: the Choose Permissions dialog is displayed:
Figure 52: Defining Read or Read/Write permissions when adding scheduled permissions
4. Choose the permissions that you want to apply to the schedule (Read or Read/Write) and then click NEXT. The Choose Timeframe dialog is displayed:
Figure 53: The Choose Timeframe dialog when adding a scheduled permission
5. Define when the permissions will apply: using the From and To fields enter the period of the day; then, using the checkboxes, specify the days of the week.
6. Click on the NEXT button.
7. Click on FINISH.
If you define scheduled or temporary access for a dial-up modem (using either a COM port or a Modem port), the communication with the modem is terminated immediately when the access expires. One side effect is that the program using the modem does not have time to send a disconnect command to the modem. Therefore, the modem may remain on-line for a long time, leading to a large call charge.
You cannot set a scheduled permission that runs past midnight. If you need a schedule that allows somebody to access a device through midnight, it is necessary to define two scheduled sessions, one up to midnight and one the next day immediately after midnight.
The list of changes is not sent to the client computer immediately. The list is downloaded the next time a user logs onto that computer. Alternatively, you can send the list immediately by selecting the Send Updates to All Computers or Send Updates To item on the Tools menu (or from the Tools section of the Control Panel).

To modify scheduled permissions

To modify an existing schedule proceed as follows:
1. Right-click on the user or group with the schedule in the Default Setting section, and select Modify Schedule from the pop-up menu. Alternatively, you can select Add/Modify Scheduled permission from the Explorer menu.
Figure 54: Modifying a scheduled permission
2. In the Choose Permissions dialog, change the options if appropriate, and click NEXT.
3. In the Choose Timeframe dialog, modify the schedule if appropriate, and then click NEXT.
4. Click FINISH.

To remove scheduled permissions

To delete an existing schedule:
1. Right-click on the user or group with the schedule.
2. Select the Remove Schedule item from the pop-up menu. Alternatively, you can select Remove from the Explorer menu, or press the DELETE key.
Schedule permissions also disappear automatically once they become due.

To assign temporary permissions to users

It is possible, on a computer-specific basis only, to assign a one-off time-limited permission to access a device. The main purpose is to allow you to grant access to a device for a limited period without having to go back and delete the permission afterwards.
When assigning temporary permissions as a deferred value (for example, from Monday to Friday, 8 A.M. to 5 P.M.), the local time on the console is converted to UTC (Coordinated Universal Time) and sent to the client, which converts its local time to UTC before comparing these values.
You can only define temporary permissions for a computer previously added to the Machine-Specific Settings branch of the Device Explorer tree.
To assign a temporary permission:
1. Right-click on the device in the Machine-Specific Settings section (you must first insert the computer) and select Temporary Permissions from the pop-up menu. Alternatively, select the device and use the Temporary Permissions option on the Explorer menu, or use the CTRL+L shortcut key.
Figure 55: Adding a Temporary permission
The Choose User dialog is displayed:
Figure 56: The Choose User dialog when adding a temporary permission
2. Click on the ADD button. Select the user(s)/group(s). See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog. Click on NEXT: the Choose Permissions dialog is displayed:
Figure 57: Defining Read or Read/Write permissions when adding a temporary permission
3. Choose the permissions that you want to apply, then click NEXT. The Choose Period dialog is displayed:
Figure 58: The Choose Period dialog when adding a temporary permission
4. Choose the period when you want to apply the permissions, by selecting either Immediately or From, and then specifying the times and dates involved. The minimum duration is 5 minutes.
5. Click NEXT and then click FINISH.
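The two clock rules described above, scheduled permissions evaluated against the client's local clock with no window allowed to run past midnight, and temporary permissions converted to UTC on both the console and the client with a 5-minute minimum duration, can be modelled in a few lines. The following is an added example written for this section and is not PGP Endpoint code; the function names, the weekday numbering (Python's Monday = 0) and the sample dates and time zones are assumptions:

```python
from datetime import datetime, time, timedelta, timezone

# Weekday numbering follows datetime.weekday(): Monday = 0 ... Sunday = 6.
WEEKDAYS = frozenset({0, 1, 2, 3, 4})


def schedule_windows(start, end, days):
    """Build the scheduled-permission windows for a set of weekdays.

    The console cannot define a schedule that runs past midnight, so a
    period whose end is not after its start is split into two sessions:
    one up to 23:59:59 on the chosen days and one from 00:00 on the
    following days. Each window is (start_time, end_time, days).
    """
    days = frozenset(days)
    if end > start:
        return [(start, end, days)]
    next_days = frozenset((d + 1) % 7 for d in days)
    return [(start, time(23, 59, 59), days), (time(0, 0), end, next_days)]


def scheduled_allowed(windows, client_local_now):
    """Scheduled permissions are compared against the client's local clock."""
    for start, end, days in windows:
        if client_local_now.weekday() in days and start <= client_local_now.time() <= end:
            return True
    return False


def temporary_window(console_from, console_to):
    """Convert the console's local period to UTC and enforce the 5-minute minimum.

    Both datetimes must carry the console's time zone (tzinfo).
    """
    start_utc = console_from.astimezone(timezone.utc)
    end_utc = console_to.astimezone(timezone.utc)
    if end_utc - start_utc < timedelta(minutes=5):
        raise ValueError("a temporary permission must last at least 5 minutes")
    return start_utc, end_utc


def temporary_allowed(window_utc, client_local_now):
    """The client converts its own local time to UTC before comparing."""
    start_utc, end_utc = window_utc
    return start_utc <= client_local_now.astimezone(timezone.utc) < end_utc
```

A weekday 08:00 to 17:00 schedule yields one window, while a Friday 22:00 to Saturday 06:00 schedule yields the two sessions the guide requires; for temporary permissions a console in UTC+2 and a client in UTC-5 agree on the window only because both compare in UTC.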

To remove temporary permissions

To delete an existing temporary permission:
1. Right-click on the user or group with the permission.
2. Select the Remove Temporary Permissions item from the popup menu. Alternatively, you can select Remove from the Explorer menu, or press the DELETE key.
Temporary permissions also disappear automatically once their time limits are reached.

To assign temporary permissions to offline users

In some cases users need to modify their permissions while they are not connected to your network, i.e. they are out of band. For example, a user who has no access to the Internet may want to read a file stored on a removable storage device, or may be meeting a customer at an airport and need authorization to install the customer's software application on his laptop.
If a user needs new permissions when working offline, a phone line can be used to communicate with a PGP Endpoint administrator (since there is no way for the machine to obtain permissions from the PGP Endpoint server), explain the required permissions, and quote a key code provided by the PGP Endpoint Client. The administrator enters these details into the PGP Endpoint Management Console and, if the request is approved, provides an unlock code which, when entered by the user, grants the required permissions. These permissions are valid until either they expire or the computer reconnects to the protected network.
To grant temporary permissions to offline users the administrator requires the appropriate access rights: the PGP Endpoint Management Console administrator's User Access must have Temporary Permission Offline (Device Control) set to Yes. See Defining PGP Endpoint administrators on page 35 for more information.
The procedure to assign a temporary permission for an offline user involves steps carried out by the user requesting permissions, denoted [Offline user] below, and the administrator authorizing the changes, denoted [Administrator]. To assign offline permissions:
1. [Offline user] Right-click on the PGP Endpoint Client icon in the Windows system tray (at the bottom right of the PGP Endpoint Client computer's screen) and select the Request temporary access offline option in the context menu. The Request Temporary Access Offline dialog is displayed, showing the Introduction page:
Figure 59: PGP Endpoint Client's Request Temporary Access Offline dialog – Introduction page
2. [Offline user] Telephone your PGP Endpoint administrator and then click on the NEXT button. The Input page is displayed:
Figure 60: PGP Endpoint Client's Request Temporary Access Offline dialog – Input page
3. [Administrator] Open the Request Temporary Permissions dialog on the PGP Endpoint Management Console. To do this, select Temporary Permissions Access Offline from the Tools menu (or from the Tools section of the Control Panel). The Authorize Temporary Access Offline dialog is displayed:
Figure 61: PGP Endpoint Management Console's Authorize Temporary Access Offline dialog
4. [Administrator and offline user] Agree and enter the settings for the device, the required permissions, user, and, in the case of the administrator, the computer.
The offline user specifies the settings in the Input page of the PGP Endpoint Client's Request Temporary Access Offline dialog. The administrator enters them in the PGP Endpoint Management Console's Authorize Temporary Access Offline dialog.

The settings specified by the offline user and the administrator must be identical for the Unlock Key generated by the administrator to work when entered by the offline user.
The contents of the offline user's and administrator's dialogs are explained in the following table:
Field / Used to
Device Class: Select the type of device that the offline user wants permission to use, for example, Removable Storage Device for a USB memory stick.
Permissions: Select the permissions that the user requires, for example Read/Write and/or Encrypt. The available options depend on the device class selected above. Administrators can browse for the appropriate permission by clicking on the PERMISSIONS button.
Lifetime of the Permissions: Select the Day(s), Hour(s), and/or Minute(s) for which the temporary offline permission is required. For example, the lifetime of the permission may be one hour.
For which user? [Offline User]: Select whether the permission change should be made just for the user's login account or for everyone logging into the particular computer within the lifetime of the permission. You should choose the For everyone option when the computer is logged in to a network that is not known to the administrator. Although this makes the device control less secure, it enables administrators to change the offline permissions in some situations where it otherwise would not be possible.
Computer [Administrator]: Either enter the name of the computer directly or click on the COMPUTERS button and browse for it. The computer name is not case sensitive.
User [Administrator]: Either enter the name of the user directly or click on the USERS button and browse for it. When the Offline user has chosen the For everyone option then the Administrator must select the Everyone user.
Table 26: Temporary Access Offline dialog settings
5. [Offline user] On the Input page, click on the NEXT button. The Unlock page is displayed showing a Client key:
Figure 62: PGP Endpoint Client's Request Temporary Access Offline dialog – Unlock page
6. [Offline user] Read out the 27-character Client Key value to the administrator.
The client key is valid for up to an hour. If the requested permission is not granted in this time the offline user needs to click on the CANCEL button and repeat steps 1, 2, 4, 5, and 6.
7. [Administrator] Enter the alphanumeric string provided by the offline user in the Client Key field of the middle section of the Authorize Temporary Access Offline dialog.
The Client key value is validated by the PGP Endpoint Management Console. If correct, the message Client key is valid is displayed at the bottom of the Administrator Authorize Temporary Access Offline dialog. If an error is identified, ask the offline user to repeat the Client key and reenter it.
The client key generated by the PGP Endpoint Client depends on the settings entered in step 4. This enables the PGP Endpoint Management Console to check whether the same settings were entered by the administrator in the Authorize Temporary Access Offline dialog and by the offline user in the Request Temporary Access Offline dialog. If this is not the case, an error is displayed, the offline user must click on the BACK button and you must repeat step 4 onwards.
8. [Administrator] Enter any comments about the temporary offline permission in the Comments text field at the bottom of the Authorize Temporary Access Offline dialog. For example, you can enter Requested for project 1042. This comment is viewable in the audit log entries.
9. [Administrator] If you approve the offline user's permission request, click on the GENERATE button. An Unlock Key is generated by the PGP Endpoint Management Console and displayed in the Authorize Temporary Access Offline dialog.
The GENERATE button is disabled until all the information in the Authorize Temporary Access Offline dialog is complete and has been validated.
10. [Administrator] Read out the 46-character Unlock Key value to the offline user.
11. [Offline user] Enter the alphanumeric string provided by the administrator in the Unlock code field of the Request Temporary Access Offline dialog and click on the NEXT button.
The offline user is limited to 15 tries at entering the correct Unlock code before a lockout period comes into effect.
A lockout period also comes into effect if the PGP Endpoint Client's Request Temporary Access Offline dialog is used to generate a Client key 15 times without a valid unlock code being entered.
Once the unlock key is successfully entered, the Finish page is displayed (and a system tray message informs you that the permission status has been changed up to a certain time):
Figure 63: PGP Endpoint Client's Request Temporary Access Offline dialog – Finish page
12. [Administrator and offline user] If the temporary permission was successfully granted to the offline user, you can end your phone call and click on the CLOSE/FINISH button.
A message is displayed in the PGP Endpoint Management Console informing administrators that the temporary offline permissions are deleted when the computer next connects to your PGP Endpoint server. This reminds you that you may need to create a normal temporary permission (see To assign temporary permissions to users on page 77) if you want the permissions to continue once the user is online again.
Figure 64: Temporary Access Offline reminder to administrators
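The offline exchange above rests on three properties: the client key is bound to the settings both parties entered (step 4), it is valid for up to an hour, and 15 bad unlock codes, or 15 client keys generated without a valid unlock code, trigger a lockout. The following is an added illustrative model of those properties and is not the product's algorithm: PGP Endpoint's key formats (the 27- and 46-character strings), its key material and its cryptographic construction are not documented on this page, so the model uses an HMAC over the canonicalised settings with a constructed shared secret and hex-encoded keys purely to make each check visible. A shared symmetric secret would let a client forge its own unlock code, so a deployable design would have the client verify a signature it cannot produce itself. All class, function and setting names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret shared by client and console. Assumption for the
# model only: the real product's key material and algorithm are not on this
# page, and a shared secret is not a safe basis for a real unlock scheme.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
CLIENT_KEY_LIFETIME = 3600   # a client key is valid for up to an hour
MAX_ATTEMPTS = 15            # unlock tries, or client keys without a valid code, before lockout


def canonical(settings):
    """Both parties must enter identical settings; serialise them in one fixed order."""
    items = []
    for key in sorted(settings):
        value = str(settings[key])
        if key == "computer":
            value = value.lower()   # the guide notes the computer name is not case sensitive
        items.append(f"{key}={value}")
    return "|".join(items).encode()


def _mac(*parts):
    return hmac.new(DEMO_SECRET, b"".join(parts), hashlib.sha256).digest()[:8]


class OfflineClient:
    """Models the client's Request Temporary Access Offline dialog."""

    def __init__(self, clock):
        self.clock = clock            # callable returning epoch seconds
        self.key_generations = 0
        self.bad_unlocks = 0
        self.locked_out = False
        self.pending = None
        self.granted_until = None

    def request_key(self, settings):
        """Unlock page: produce a client key bound to the settings entered on the Input page."""
        if self.locked_out:
            raise PermissionError("lockout period in effect")
        self.key_generations += 1
        if self.key_generations > MAX_ATTEMPTS:
            self.locked_out = True
            raise PermissionError("too many client keys without a valid unlock code")
        nonce, issued = secrets.token_bytes(8), struct.pack(">Q", int(self.clock()))
        self.pending = (settings, nonce, issued)
        return (nonce + issued + _mac(nonce, issued, canonical(settings))).hex()

    def enter_unlock(self, unlock_code):
        """Return True and grant the permission if the code matches the pending request."""
        if self.locked_out or self.pending is None:
            return False
        settings, nonce, issued = self.pending
        expected = _mac(b"unlock", nonce, canonical(settings)).hex()
        if hmac.compare_digest(expected, unlock_code):
            start = struct.unpack(">Q", issued)[0]
            self.granted_until = start + settings["lifetime_seconds"]
            self.key_generations = self.bad_unlocks = 0
            self.pending = None
            return True
        self.bad_unlocks += 1
        if self.bad_unlocks >= MAX_ATTEMPTS:
            self.locked_out = True
        return False


class Console:
    """Models the Authorize Temporary Access Offline dialog on the management console."""

    def __init__(self, clock):
        self.clock = clock
        self.audit_log = []

    def validate_client_key(self, client_key, settings):
        """'Client key is valid' only if the MAC matches the console's settings and it is under an hour old."""
        try:
            raw = bytes.fromhex(client_key)
        except ValueError:
            return False
        if len(raw) != 24:
            return False
        nonce, issued, tag = raw[:8], raw[8:16], raw[16:]
        if not hmac.compare_digest(tag, _mac(nonce, issued, canonical(settings))):
            return False           # mistyped key, or the two sides entered different settings
        return int(self.clock()) - struct.unpack(">Q", issued)[0] <= CLIENT_KEY_LIFETIME

    def generate_unlock(self, client_key, settings, comment=""):
        """GENERATE stays disabled until the client key has been validated; the comment goes to the audit log."""
        if not self.validate_client_key(client_key, settings):
            raise ValueError("client key not valid")
        self.audit_log.append({"settings": dict(settings), "comment": comment})
        return _mac(b"unlock", bytes.fromhex(client_key)[:8], canonical(settings)).hex()
```

Running the model through the guide's steps shows why the administrator's dialog reports an invalid key when only one field differs (Read instead of Read/Write), why a key read out after more than an hour must be regenerated, and how the attempt counter reaches the lockout.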

To assign online and offline permissions

You assign this kind of permission to control the use of devices in a different way when the user is offline, as opposed to when they are online. For example, you may let an individual use the DVD/CD writer when at home but not when online at the company, or you may ban a user from establishing a WiFi/Modem connection to the Internet when his machine is connected to the company's network (so that he does not circumvent your firewall).
The way the online/offline state is detected depends on the Online state definition option. See Chapter 8: Setting and changing options on page 181.
You should be aware that:
> An online state applies when the client computer is under the control of your server, or is connected to the computer network.
> An offline state (the opposite of online) applies when the client computer is not under the control of your server, or is not connected to the computer network.
The PGP Endpoint Client Driver discovers when a computer is online or offline when one of the following occurs:
> The machine boots (and the PGP Endpoint Client Driver starts). The initial state is offline.
> The user logs on.
> The user uses the Refresh Settings item of the right-click menu of the system tray's PGP Endpoint Device Control icon.
> A Refresh message is received from a PGP Endpoint Administration Server.
> The shadow upload time is due.
> A network interface changes its state. For example, when a network cable, WiFi card or modem is connected or disconnected, a VPN connection is established or terminated, an address (DHCP) is used or released, or a network card is disabled, enabled, deleted, or added.
> One hour after the different online/offline permissions were set (if none of the above happened in the meantime).
If you are using different online and offline permissions and the PGP Endpoint Administration Server is stopped or disconnected, clients who are already logged in retain their online permissions for up to one hour. This happens because the PGP Endpoint Client Driver checks for updates with the PGP Endpoint Administration Server each hour.
When the online and offline permissions become effective, they are treated the same way as a regular permission. That is, the online/offline permissions COMBINE with the regular ones, in accordance with their mutual priorities.
Use the following procedure to assign online and offline permissions:
1. Right-click on the device (general type or a specific device on the list) in the Default Settings section.
2. Select Online Permissions (or Offline Permissions) from the popup menu. Alternatively, select the device and select Add/Modify Online Permission on the Explorer menu, or use the shortcut key CTRL+I (for online) or CTRL+P (for offline).
Figure 65: Defining Read, Read/Write, or None permissions when adding online/offline permission
3. Click on the ADD button and select the user(s)/groups(s) from the Select Group, User, Local Group or Local User dialog. See Adding a user or group when defining permission on page 68 for a complete description on how to use this dialog.
4. Enable the desired options and accept these by clicking on OK. See Using the Permissions dialog on page 59 for more details (especially if you are working on the Removable Storage Devices class).
The list of changes is not sent to the client computer immediately. It is downloaded the next time a user logs onto that computer. You can, alternatively, send it immediately by selecting the Send Updates to All Computers or Send Updates To option on the Tools menu (or from the Control Panel). Some devices require rebooting before new permissions are applied.

To remove offline or online permissions

To remove an existing offline or online permission:
1. Right-click on the user or group with the permission.
2. Select Remove Online Permissions (or offline) from the pop-up menu. Alternatively, you can select Remove from the Explorer menu, or press the DELETE key.

To export and import permission settings

The export and import permission settings are used to export a group of carefully crafted permissions for a range of devices and then import them onto a computer to synchronize them.
You can use this feature to change permissions when a computer is not connected to the network (and cannot be connected for the time being), but it still has access to the Internet. The rules apply when you import them into the target computer.
There is also a special case when you export to a file called policies.dat. Please consult PGP Endpoint Setup Guide for more information.
Files containing exported permissions have a limited usability period of two weeks. After this the file of exported authorization settings is no longer valid. Contact support if you want to extend the validity of your exported permission files.
To export/import your settings:
1. Select the Export Settings item from the Tools menu (or from the Tools section of the Control Panel).
2. Select the name and destination of the file in the standard Save As Windows dialog. Normally the destination is a network drive, floppy disk, or any other kind of removable media.
3. Go to the client computer where you want to import the permission settings and right-click on the PGP Endpoint Client Driver icon to display a popup menu. This image may change depending on your license type and installed programs.
Figure 66: Importing permission settings
4. Select the Import settings option.
5. Select the source of the file to import from the Import Settings dialog.

To manually export or import permissions settings

If you try to export (or import on the client side) a big database containing perhaps thousands of permissions, rules, and settings, or if you are using a very busy or low-bandwidth connection, you may get a timeout. If you are experiencing this kind of problem, you may try to manually set a special registry key on the machine where the console is installed (or where the client is installed if you are trying to import permissions). See Appendix B of the PGP Endpoint Setup Guide for more details on how to configure these registry keys.
You can run this export process from the console (using the Tools > Export Settings item) or manually using the following command:
export.exe -f export_filename -s server_name [-e TLS] [-t connection_timeout]
-f (compulsory): Defines the file name where the permissions are saved.
-s (compulsory): Defines the name of the PGP Endpoint Administration Server from where the permissions are recovered.
-e TLS (optional): Use Transport Layer Security protocol.
-t (optional): Set connection timeout in milliseconds. Three minutes is used if this parameter is not specified. Thirty seconds is used if less than 30,000 milliseconds or a wrong parameter is specified.
Examples:
export.exe -f corporate -s secure:65229 -e TLS -t 240000
Export permissions, rules, and settings to a file named corporate, contacting the Application Server named secure on port 65229 (the default TLS port) using the TLS protocol and waiting a maximum of 4 minutes (240,000 milliseconds) before timing out.
export.exe -f backup -s secure
Export permissions, rules, and settings to a file named backup contacting the Application Server named secure on the default port. No TLS protocol is used (but the communication is still signed) and a maximum timeout of 3 minutes is used.

Shadowing devices

When you need to control the files and content written/read to/from a device, use the shadowing rule. You can analyze the file(s) using the Log Explorer module (see Chapter 5: Using the Log Explorer on page 101). This rule is available for the following:
> COM/Serial ports.
> LPT/Parallel ports.
> DVD/CD drives.
> Modem/Secondary network access devices.
> Removable storage devices.
> Floppy disk drives.
You can define shadowing for a user or group of users on a:
> Class of devices.
> Group of devices.
> Specific model or device for a computer.
If a user does an operation involving shadowing while the computer is disconnected from the network, shadow information is transferred to the server as soon as the machine is reconnected.
You must choose the Encrypted setting in the first dialog so that the Shadow rule applies to this kind of device. See Chapter 6: Using the Media Authorizer on page 139 for more information.
If a user traverses a shadowed device folder by using his mouse (or the keyboard), Windows Explorer recovers part of the file to display its thumbnail and extended info. This behavior causes partial shadow files to show in the Log Explorer module.
The shadow permission details are displayed in the Permissions column of the Device Explorer module. A value of R means that shadowing is on for files read from the device, W means that it is on when files are written to it, and no letter means that it is on for both reading and writing files.
When editing a file previously copied to a shadowed device (in the same user's session), no read shadow data is created since Windows saves the file in its cache and, therefore, there is no new read operation request. This does not apply if the file initially resides on the device or in a new user session (the cache is empty).

To shadow a device

To activate a shadowing rule for a device:
1. Right-click on the device, device class, or device type in the Default Settings section and select Shadow from the popup menu. Alternatively, select the device and select Add/Modify Shadow Settings on the Explorer menu, or use the shortcut key CTRL+W.
Figure 67: The Choose User dialog when adding a shadow rule
2. Click on the ADD button and select the user(s)/groups(s) from the Select Group, User, Local Group or Local User dialog. Click on the NEXT button. The Choose Bus dialog opens:
Figure 68: Selecting the bus when defining shadow rules
The first part of the dialog is only active when you are adding a shadow rule for a removable device and DVDs/CDs. It lets you select if the shadow applies to all type of devices or just encrypted or unencrypted ones. The Drive panel lets you select between shadow for hard disk, non hard disks, or all types.
3. Select among the available bus types (they vary from one class to another) or all of them. See Using the Permissions dialog on page 59 for more details (especially if you are working on the Removable Storage Devices class).
4. Click on NEXT to continue. The Choose Permissions dialog is displayed.
5. Select either Enabled, Disabled, or Filename (some devices only support Enable and Disable) to switch shadowing on or off. Select these options either on the Read Permission and/or in the Write Permission panel. When selected on the Read Permission side, the shadow is only activated during the read operations. The same applies to the Write Permission panel.
If you use the File Name option, you just get the name of the file being copied to the medium but not its content. In this case, the Attachment field in the Log Explorer module is set to False. This option uses very little network bandwidth and no hard disk storage in the data file directory.
When you use the Enabled option, you get the name of the file being copied (read) by the user to the device and an exact copy of what is written. This content is stored in the local client directory and then transmitted to the server. Please note that high capacity devices, such as DVDs, can consume a lot of resources and hard disk space. When full shadowing is enabled, the Attachment field in the Log Explorer module is set to True.
Some classes (LPT & COM) only have the Write panel active because no data can be read from them.
Figure 69: Defining the type of shadow for a device
6. Click NEXT to display the Finish dialog where you can review the settings.
Figure 70: Finishing the shadow rule definition
7. Click FINISH to close the dialog and apply the changes.
The list of changes is not sent to the client computer immediately. This list is downloaded the next time a user logs onto that computer. You can, alternatively, send the list immediately by selecting the Send Updates to All Computers or Send Updates To item on the Tools menu (or from the Tools section of the Control Panel). Some devices require a reboot in order to apply the new permissions.

To remove the shadow rule

To remove an existing shadow permission:
1. Right-click on the user or group with the permission.
2. Select Remove Shadow Permissions from the pop-up menu. Alternatively, you can select Remove from the Explorer menu, or press the DELETE key.

To view a shadowed file

When the rule to create shadow (read/write) files is selected, these files are kept in the client computer until a transfer is done to the PGP Endpoint Administration Server and its associated Data File Directory. You can review these files using the Log Explorer module. Please see Chapter 5: Using the Log Explorer on page 101 for more information.

Copy limit

You can use this rule to limit the quantity of data a user can write to a device on a per-day basis.
Copy limit can also be applied to administrators. If you do not want this restriction to apply to them, you should modify the default copy limit rule as defined in the Device Explorer module.
The copy limit rule is defined per user/per machine. A user who exhausts the established quota can always log on to another machine to renew it.
You can only limit data for floppy disk drives or removable devices and only for a device class (the upper level of a device).
When users reach their copy limit, PGP Endpoint prevents them from copying, moving, or replacing files on a device. If the user is replacing a file, PGP Endpoint removes the file that is being replaced.

To add a copy limit

To change the limit of data copied to such types of devices:
1. Right-click on the device class (the upper level of a device) in the Default Settings section (to define this rule for all users) or in the device class of the Machine-Specific Settings (to create a rule at a computer level) and select Copy Limit from the popup menu. Alternatively, select the device and select Add/Modify Copy Limits from the Explorer menu, or use the shortcut key CTRL+M.
Figure 71: The Choose User dialog when adding a copy limit rule
2. Click on the ADD button and select the user(s)/groups(s) from the Select Group, User, Local Group or Local User dialog.
3. Once you have finished adding the users or groups, click on the NEXT button to continue the process.
4. Assign the copy limit (in MB) to the user(s)/group(s):
Figure 72: Defining a copy limit
5. Click on the FINISH button to create and apply the rule.
The copy limit rule is reset daily at midnight, local time.
Copy limit permissions cannot be defined at the device-type level, only at the device class level (the topmost category of the device).
When users select the Status item of the icon tray pop-up menu in the client machine, they can see how many bytes have been copied and how many remain for their working day. This only applies to those devices that have the copy limit rule set as shown on Figure 73.
Figure 73: The status screen on the client's side: copied/remaining bytes

To remove a copy limit

To remove an existing copy limit permission:
1. Right-click on the user or group with the permission.
2. Select Remove Copy Limit from the pop-up menu. Alternatively, you can select Remove from the Explorer menu, or press the DELETE key.

Applying multiple permissions to the same user

It is possible to apply several sets of permissions to a user for a specific device. This can happen if the user is a member of different groups. Permissions can be set for domain groups, domain users, well-known groups, local groups, or local users.
You need to synchronize computers so that the local groups and users appear in the system. By default, only well-known groups and users as well as domain groups and users are visible to the system. Please refer to the Synchronizing domain members section on page 33 for more information.
Overlapping permissions have the following effects:
> The default setting is no access available. If you do not take any further action, you are accepting this default scenario for a user or group.
> You can explicitly authorize access to a user or group.
> You can explicitly deny access to a user or group – negative permission – None.
The overall effect is that you deny access if any of following cases is true:
> The default setting is still in effect (i.e., no permissions have been set).
> You explicitly deny access with high priority at the default or computer-specific level to a user or any of the groups he or she belongs to. This is also true if you explicitly allow access to other groups.
> You explicitly deny access with low priority at the default level to the user or any of the groups he or she belongs to, and none of the groups is explicitly allowed access at the computer-specific level.
If access to a particular device has been explicitly denied with high priority at the default permission level, then the Scheduled and Temporary permissions are ignored.
When a user logs onto a machine, the sum of all permissions assigned directly to him and to the groups the user belongs to is applied (refer to Table 25 on page 72).
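The deny rules listed above, followed by the union ("sum") of the remaining permissions, can be written as a small resolution function. The following is an added example, not PGP Endpoint code: it encodes the three deny cases as stated on this page and evaluates the Table 27 policy for the example user Bill that the guide works through next. The class and function names and the extra sample users Alice and Carol are assumptions; the Domain Users weekday schedule is omitted because the model has no clock; and a low-priority None at the computer-specific level, which this page does not describe, is treated as a deny (fail closed).

```python
from dataclasses import dataclass
from typing import Optional

ACCESS_RANK = {"None": 0, "Read": 1, "Read/Write": 2}


@dataclass(frozen=True)
class Permission:
    device: str
    principal: str                  # user or group the permission is assigned to
    access: str                     # "Read", "Read/Write" or "None" (explicit deny)
    priority: str = "Low"           # "Low" or "High"
    computer: Optional[str] = None  # None = Default Settings; otherwise Machine-Specific Settings


def resolve(permissions, device, user, groups, computer):
    """Effective access for `user` logged onto `computer`: deny rules first,
    then the union of the allows assigned to the user and to their groups."""
    principals = {user, *groups}
    applicable = [p for p in permissions
                  if p.device == device and p.principal in principals
                  and p.computer in (None, computer)]
    if not applicable:
        return "None"        # default setting: no access
    # A high-priority None at the default or the computer-specific level denies,
    # even if other groups are explicitly allowed.
    if any(p.access == "None" and p.priority == "High" for p in applicable):
        return "None"
    # A low-priority None at the default level denies unless the user or one of
    # the groups is explicitly allowed at the computer-specific level.
    low_deny_default = any(p.access == "None" and p.computer is None for p in applicable)
    allowed_on_computer = any(p.access != "None" and p.computer == computer for p in applicable)
    if low_deny_default and not allowed_on_computer:
        return "None"
    # Assumption: a low-priority None at the computer-specific level is not
    # covered by the rules on this page, so the model fails closed.
    if any(p.access == "None" and p.computer == computer for p in applicable):
        return "None"
    allows = (p.access for p in applicable if p.access != "None")
    return max(allows, key=ACCESS_RANK.__getitem__, default="None")


# The Table 27 policy (the Domain Users Mon-Fri 07:00-18:00 schedule on
# Removable Storage Devices is modelled as a plain Read permission).
POLICY = [
    Permission("DVD/CD", "Everyone", "Read"),
    Permission("DVD/CD", "Remote Users", "None"),
    Permission("DVD/CD", "Bill", "Read/Write", "High", "BillLaptop"),
    Permission("Floppy", "Domain Users", "Read/Write"),
    Permission("Modem", "Remote Users", "Read/Write"),
    Permission("Removable Storage Devices", "Domain Users", "Read"),
    Permission("Removable Storage Devices", "Marketing", "Read/Write"),
    Permission("BlackBerry (USB)", "Bill", "Read/Write", "Low", "BillLaptop"),
]
BILL_GROUPS = {"Everyone", "Domain Users", "Marketing", "Remote Users"}


def bill_on_laptop():
    """Bill's effective permissions on BillLaptop, device by device."""
    devices = ["DVD/CD", "Floppy", "Modem", "Removable Storage Devices", "BlackBerry (USB)"]
    return {d: resolve(POLICY, d, "Bill", BILL_GROUPS, "BillLaptop") for d in devices}
```

Bill gets Read/Write on every listed device on his laptop: the high-priority computer-specific Read/Write overrides the low-priority None inherited from Remote Users, and Marketing's Read/Write combines with Domain Users' Read. A constructed user who is only in Remote Users, with no computer-specific exception, is denied the DVD/CD drive by the low-priority None, and adding a high-priority None for one of Bill's groups denies him even where he is explicitly allowed.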
Example: The domain user Bill uses the computer BillLaptop and is a member of the domain groups Marketing and Remote Users. The company policy for device access is the following:
> Read-only access to DVD/CD for Everyone.
> None (low priority) access to DVD/CD for Remote Users. You want everybody to have read-only access to the DVD/CD except the members of the Remote Users group. The low priority means that you accept computer-specific exceptions to this rule.
> Read/Write access to Floppy for Domain Users.
> Read/Write access to Modem for Remote Users.
> Read-only access to Removable storage devices for Domain Users Monday to Friday from 07h00 to 18h00.
> Read/Write access to Removable storage devices for Marketing.
> Read/Write access to BlackBerry (USB) for user Bill on BillLaptop.
> Read/Write (high priority) access to DVD/CD for user Bill on the computer BillLaptop. Since Bill is a member of the Remote Users, he would otherwise not be able to access the DVD/CD. By setting this permission, you let him have R/W access to his DVD/CD drive but only on his laptop.
The next table summarizes these permissions:

| Device | Permission | Filter** | Priority | User/User Group |
|---|---|---|---|---|
| DVD/CD | Read | | Low | Everyone |
| DVD/CD | None | | Low | Remote Users |
| DVD/CD | Read/Write | | High | Bill* in computer BillLaptop |
| Floppy | Read/Write | | Low | Domain Users |
| Modem | Read/Write | | Low | Remote Users |
| Removable Storage Devices | Read | | Low | Domain Users from Monday to Friday, 7h00 to 18h00 |
| Removable Storage Devices | Read/Write | | Low | Marketing |
| BlackBerry (USB) | Read/Write | | Low | Bill* in computer BillLaptop |

*Bill uses computer BillLaptop and is a member of the user groups Marketing and Remote Users (as well as a member of Everyone, as all users are, and of Domain Users if he belongs to the domain).
**There is no File Filter defined.
Table 27: Permissions example
Bill logs onto his laptop. He has the following permissions (refer to the previous table and to Table 25 on page 72):
> Read/Write access to DVD/CD only on his laptop, Read everywhere else. The priority of None is low and can be overwritten by computer-specific permissions (only when their priority is set to High).
> Read/Write access to Floppy. He gets this right from the Domain Users group.
> Read/Write access to Modem. He has access to the modem because he is also a member of the Remote Users group.
> Read/Write access to Removable storage devices. This is the result of the combination of Marketing and Domain Users rights.
> Read/Write access to BlackBerry (USB). Here there is an exception made just for Bill, and only on his laptop.
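The resolution rules above, applied to the permissions of Table 27, as an added example in Python that is not part of the original guide. The Perm record, the POLICY list, the schedule window and the timestamps are a constructed model, not PGP Endpoint's own data format; it follows the guide's wording that a low-priority None at the default level is overridden only by a high-priority computer-specific permission.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed model of the overlapping-permission rules described above
# (not PGP Endpoint code). "level" is "default" or a computer name.
@dataclass(frozen=True)
class Perm:
    device: str
    access: str              # "Read", "Read/Write" or "None" (explicit deny)
    priority: str            # "Low" or "High"
    principal: str           # user or group the permission is assigned to
    level: str = "default"   # "default" or the name of a specific computer
    weekdays: tuple = tuple(range(7))  # schedule: 0 = Monday ... 6 = Sunday
    hours: tuple = (0, 24)             # schedule: [start, end) hour of day

RIGHTS = {"Read": {"read"}, "Read/Write": {"read", "write"}, "None": set()}
def in_window(p, now):
    return now.weekday() in p.weekdays and p.hours[0] <= now.hour < p.hours[1]
def effective_access(device, user, groups, computer, perms, now):
    """Rights the user has on the device: the sum of every matching permission."""
    subjects = {user, *groups}
    applicable = [p for p in perms if p.device == device
                  and p.principal in subjects and p.level in ("default", computer)]
    # A high-priority None at the default or computer level denies outright;
    # scheduled and temporary permissions are ignored in that case.
    if any(p.access == "None" and p.priority == "High" for p in applicable):
        return set()
    allows = [p for p in applicable if p.access != "None" and in_window(p, now)]
    # A low-priority None at the default level denies unless the user or one of
    # the groups has a high-priority allow set for this specific computer.
    if any(p.access == "None" and p.level == "default" for p in applicable):
        allows = [p for p in allows if p.level == computer and p.priority == "High"]
    rights = set()
    for p in allows:
        rights |= RIGHTS[p.access]
    return rights

# Table 27 as constructed data (the Filter column is empty throughout).
POLICY = [
    Perm("DVD/CD", "Read", "Low", "Everyone"),
    Perm("DVD/CD", "None", "Low", "Remote Users"),
    Perm("DVD/CD", "Read/Write", "High", "Bill", level="BillLaptop"),
    Perm("Floppy", "Read/Write", "Low", "Domain Users"),
    Perm("Modem", "Read/Write", "Low", "Remote Users"),
    Perm("Removable Storage Devices", "Read", "Low", "Domain Users",
         weekdays=(0, 1, 2, 3, 4), hours=(7, 18)),
    Perm("Removable Storage Devices", "Read/Write", "Low", "Marketing"),
    Perm("BlackBerry (USB)", "Read/Write", "Low", "Bill", level="BillLaptop"),
]
BILL_GROUPS = ("Everyone", "Domain Users", "Marketing", "Remote Users")
MONDAY = datetime(2008, 6, 2, 10, 0)  # constructed timestamp: a Monday, 10:00

if __name__ == "__main__":
    for dev in sorted({p.device for p in POLICY}):
        print(dev, sorted(effective_access(dev, "Bill", BILL_GROUPS, "BillLaptop", POLICY, MONDAY)))
```

Run as a script it lists Bill's rights on BillLaptop for each device in the table; change the computer name or the timestamp to see the low-priority None and the schedule take effect.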

Forcing users to encrypt removable storage devices

Permissions can also be used to force users to encrypt all or some removable storage devices that they use. This decentralized approach can be used for those companies that do not need or do not want to handle a centralized encryption schema using the Media Authorizer module (see Chapter 6: Using the Media Authorizer on page 139 and Chapter 7: Accessing encrypted media outside of your organization on page 161).
The encryption process itself uses our Easy Exchange method to cipher the medium. Please refer to the Easy Exchange section on page 171 for more information.

Setting permissions to force users to encrypt removable storage devices

Forcing a user to do a decentralized encryption is as simple as defining permissions from the Device Explorer module. Once these permissions have been defined, a user that plugs in a removable storage device must encrypt it before being able to use it. In the following sections, we analyze how this encryption is achieved and the many alternatives available to an administrator.
Note: Decentralized encryption can only be used for removable storage devices between 16MB and 4GB in size.
To force decentralized encryption
The process to force a user to do a decentralized device encryption consists of two main phases:
> The first phase consists of defining permissions for the specific user that must do the encryption. There are two cases here:
In the first case, you assign a unique user or group that must do the encryption but does not have access to the media itself. This middle agent can be someone designated to do this ciphering process for all other users. Since this encryption is done in the Easy Exchange mode (see page 171), other users do not need to have the PGP Endpoint Client Driver installed nor have administration rights to use these devices, as the device has already been encrypted by somebody else.
In the second case, you define permissions for each user or group that must do a device encryption before using the media. You define as many permissions as you need, and always two per user/group: one to define that the user must encrypt the device and the other one defining the mode (read/write, etc.).
> The second, optional phase is to set the Device Log option to 'Enabled' (see Device log on page 184). This means that MEDIUM-INSERTED log events are generated when the user inserts a device in his computer. You can use these log events to generate a pop-up message that invites the user to encrypt their device.
In the most complex case, there should be two permission settings for a user or group plus an optional Event Notification. These permissions can be defined at any level of the Removable Storage Devices class: root level, device group, device model, or a specific uniquely identified device.
Notice that you can define these permissions at the Default Settings level of the Device Explorer module (effective for all computers), at the Machine-Specific Settings level (to activate decentralized encryption for a specific computer) or at the computer group level.
The following steps summarize this procedure (please refer to Using the Permissions dialog on page 59 for a complete description on how to define permissions):
1. Activate the Device Explorer module by clicking on the icon located on the Modules section of the Control Panel in the main window.
2. Right-click on the Removable Storage Devices class icon and select Permissions (or select the class and use the Ctrl+D shortcut key).
3. Turn on the Device Log option (see Chapter 8: Setting and changing options on page 181).
4. Proceed to define encryption permissions for the required user or group with the Encrypt, Export, and Import options activated and the Unencrypted option of the Encryption panel selected. Choose the type of drive and bus. This must be done so that the user/group is forced to encrypt all unencrypted devices plugged into the computer.
5. Define Read/Write permissions as required. Activate the Decrypt and Import options so that the user can unblock the medium afterwards. Do not forget to add the Self Contained Encryption option in the Encryption panel.
6. Optionally, if you want to inform the user of other possible actions or show a help message, define an Event Notification for the user/group or class. Please see page 54 for a full description on how to define Event Notifications.
The user now receives a Deny Access message along with an invitation to encrypt the device when trying to access the removable media. Encryption is carried out using the Encrypt contextual menu option.
The following images are displayed in this process:
Figure 74: Decentralized encryption: The Access Denied message inviting the user to encrypt the device
Figure 75: Password complexity is required to encrypt the device
Figure 76: Decentralized encryption: The Encryption option of the contextual menu
Figure 77: Decentralized encryption: Encryption begins
Examples
All examples apply to PGP Endpoint encryption. See Chapter 11: Using PGP-Encrypted Removable Devices on page 211 for instructions on how to use PGP encryption schemas.
Example 1:
In this first example, we define a decentralized encryption rule for a group at the Removable Storage Devices class root level. All users of the group Management must encrypt their own USB keys and have Read/Write access to encrypted devices. A notification must be defined to inform these users that they must encrypt their devices and should include a help desk number.
The procedure involves the following steps:
1. Define a device group called Management removable devices where all permissions are going to be defined. You can also add some device models here to further classify and outline devices.
2. Define an encryption permission for the group Management at the devices group level.
3. Define a Read/Write permission for the group Management at the devices group level.
4. Define an Event Notification for the group Management informing the need to encrypt removable devices and providing a help phone number.
Figure 78: Decentralized encryption for a group defined at a device group level (1/2)
Figure 79: Decentralized encryption for a group defined at a device group level (2/2)
Example 2:
The second example deals with a particular user that MUST encrypt a unique device: User Bill must encrypt the USB key that he uses daily to show sales info to selected customers. He must, of course, also have Read/Write permissions for this uniquely identified USB key. He is not informed, since he already knows that he must cipher this USB key.
The procedure involves the following steps:
1. Define an encryption permission for Bill for the specific model.
2. Define a Read/Write permission for Bill for the specific model.
Figure 80: Decentralized encryption at the unique device level (1/2)
Figure 81: Decentralized encryption at the unique device level (2/2)
Example 3:
The next example shows how to force everyone to encrypt all devices recognized by the system in the Removable Storage Device class. All users must encrypt their own USB keys and have Read/Write access to encrypted devices.
The procedure involves the following steps:
1. Define an encryption permission for Everyone at the Removable Storage Devices class root level.
2. Define a Read/Write permission for Everyone at the Removable Storage Devices class root level.
3. Optionally define an Event Notification for Everyone informing the need to encrypt removable devices.
Figure 82: Decentralized encryption at the class level (1/2)
Figure 83: Decentralized encryption at the class level (2/2)
Example 4:
The next example shows how to delegate the encryption process to a user and then force all those belonging to a particular group to use only encrypted media. A user is assigned as middle agent to encrypt all Sony USB keys (the only approved model for the company). This user has no access to these devices. All users of the Marketing group have Read/Write access to encrypted devices.
The procedure involves the following steps:
1. Define an encryption permission for Bill at the Sony USB devices level.
2. Define a Read/Write permission for Marketing at the Sony USB devices level.
3. Optionally define an Event Notification for Marketing, exclusively for the USB bus, informing the need to encrypt removable devices. This should be done at the Sony USB devices level.
Figure 84: Decentralized encryption using a delegated user (1/2)
Figure 85: Decentralized encryption using a delegated user (2/2)
Note: If the 'Device Log' option is set to Enabled, a user that inserts a non-encrypted device is automatically prompted to encrypt the device. If the 'Device Log' option is Disabled, you must inform the user(s)/group(s) that they receive a Drive not accessible message when trying to access a non-encrypted device. The user must right-click on the device in a Windows Explorer window and choose Encrypt medium to do the device ciphering. You can inform the user via an 'Event Notification' rule. Once the device is encrypted, all authorized users have direct access to its data (see Easy Exchange method on page 171).

Managing devices

All kinds of devices can be attached to the computers in your network. You do not need to know them all in order to protect your company from abuse. When you first install our product, you get a standard list of devices. You can define a general policy for all devices based on the classes of devices that appear by default in the Device Explorer module. If a particular device is not recognized in one of the classes listed in the Device Explorer module or if it belongs to a class for which the user has no access defined then the user cannot access the device even though it is attached to the computer.
Nevertheless, if you want to define permissions more precisely, you can set rules for certain models of devices (device types) or, in some cases, for specific ones (removable devices). In this case, and only in this case, it is your responsibility to set up and manage the different models and specific devices for which you want to define permissions. You do not need to do that for all possible devices plugged into your network.
To add new devices from a specific computer, do one of the following actions:
> If you are in the Device Explorer module, select the Explorer > Manage Devices item from the menu to open the Manage Devices dialog.
> While in the Device Explorer module, right-click on the Default Settings header in the Device Explorer window and select the Manage Devices item.
> Activate the central logging for all machines or a specific one (it is turned off by default), proceed to the Log Explorer module and check the attached device records. You can then use the right-click menu to open the Device dialog (or use the ADD DEVICES button). You can enable central logging either for all computers (Tools > Default Options > Device Log) or for a specific one by means of the detailed options of that computer.
Note: You can sometimes find a de-synchronization between the time shown in the Manage Devices dialog, the Device dialog, and your local clock. This is because the dialogs show, respectively, the 'connect' and 'managed' times and the system time, which are not necessarily the same in all cases.

To add a new device

You can add specific models to all the base device classes, with the exception of the Wireless NICs and PS/2 ports classes.
When you initially connect a new type of device (e.g. a webcam) to a computer controlled by PGP Endpoint Device Control, the PGP Endpoint Client Driver may initially block it and log the device type. Once this is done, the administrator can add and set permissions for the new device at the PGP Endpoint Management Console.
Follow this procedure to recognize a new device:
1. Open the Manage Devices dialog by selecting EXPLORER > MANAGE DEVICES or by right-clicking on the DEFAULT SETTINGS item. The following dialog (with all the already managed devices) is displayed:
Figure 86: Managing devices
2. Click on the ADD NEW button.
3. Type the computer name and press ENTER. You can use wildcards (*,?) to do a search or click the ellipsis button to show all available computers logged on to the network:
Figure 87: Managing devices - selecting the computer
4. Select a computer from the list by double-clicking or by selecting and pressing ENTER or clicking the OK button.
5. Click the GET DEVICES button. Another dialog is displayed in which you can select the devices you want to add to your Device Explorer control list.
6. Click on a column heading to sort the list by that field. You can also click the heading of the Time column to order the list by the most recently connected device on that computer.
Figure 88: Managing devices - choosing the devices from the selected computer
Note: The available devices may include different ones within the same or different classes. The list might include, for example, one or more types of digital cameras and a DiskOnKey memory device, all as separate Removable storage devices. Select the device and use the RENAME button to change the description to your own.
7. Select the devices that you want to add by clicking on the checkbox of the device and then click the ADD DEVICES button. The checkbox disappears and the line grays out, indicating that the device is now on the list. If you want to keep a log of all devices plugged into the computer, click the SAVE LOG button.
8. Click on the CLOSE button.
Once you close the Devices dialog, you return to the Manage Device window. This now shows the newly added device(s) as well as the old ones.
Once the new device is listed in the Device Explorer window, permissions can be assigned for it just as for any other device.