
DeviceLock 7.1 - User Manual - Spearhead Networks


Deploying DeviceLock Service (Installation)

Close the Windows Group Policy Object editor. When the client computer starts, DeviceLock Service is automatically installed.

Upgrade a Package

If the previous version of DeviceLock Service was already deployed and you want to upgrade it to the new one:

1. Open the group policy object that contains the old DeviceLock Service package in the Windows Group Policy Object editor (use either the Group Policy Management or the Active Directory Users and Computers snap-in).
2. Under Computer Configuration, expand Software Settings.
3. Right-click Software installation, point to New, and then click Package.
4. In the Open dialog box, type the full Universal Naming Convention (UNC) path to the shared folder that contains the new DeviceLock Service MSI
3. Undefine entire policy

Resets the entire DeviceLock policy. Use Undefine entire policy from the context menu of DeviceLock to reset all parameters to the unconfigured state. The console asks for confirmation: "Undefining the entire DeviceLock group policy is an irreversible action. All DeviceLock settings will be lost. Are you sure you want to continue?"

4. Remove Offline

You can remove any offline policy settings (permissions, audit and shadowing rules, white lists, etc.) for both devices and protocols in order to enforce the regular ones in this GPO. To do so, right-click any policy setting and then click Remove Offline.

Note: In order to manage DeviceLock Service settings via Group Policy, DeviceLock Service must be installed and started on all the computers belonging to the GPO. For more information about the service installation, see Deploying DeviceLock Service. Also, do not forget that Group Policy is reapplied on a periodic basis (by default every 90 minutes), so your changes do not take effect immediately. For more information, see Applying Group Policy Using Resultant Set of Policy (RSoP).
Contents (excerpt)

Managing Offline Permissions (p. 390)
Managing Offline Audit and Shadowing Rules (p. 394)
Managing Offline USB Devices White List (p. 399)
Managing Offline Media White List (p. 406)
Managing Offline Content-Aware Rules for Devices (p. 412)
Managing Offline Security Settings (p. 422)
Managing Offline Security Policies for Protocols (p. 427)
Managing Offline Permissions for Protocols (p. 427)
Managing Offline Audit and Shadowing Rules for Protocols (p. 432)
Managing Offline Protocols White List (p. 436)
Managing Offline Content-Aware Rules for Protocols (p. 446)
Managing Offline Security Settings for Protocols (p. 457)
Temporary White List (p. 460)
Temporary White List Authorization Tool (p. 461)
Appendix (p. 464)
Permissions and Audit Examples for Devices (p. 464)
Permissions Examples (p. 464)
Audit & Shadowing Rules Examples (p. 475)
Permissions Examples for Protocols
- DeviceLock Signing Tool: runs the special tool that allows you to grant users temporary access to requested devices and to sign XML files with DeviceLock Service settings. For more information, see DeviceLock Signing Tool.
- About DeviceLock: displays the dialog box with information about the DeviceLock version and your licenses.

Expand the DeviceLock Content Security Server node to display the following sub-nodes:

- The Server Options node. Use this node to configure DeviceLock Content Security Server and Search Server. The following list describes the general settings that you can configure for DeviceLock Content Security Server:
  - Server Administrators: specify the members of the Server Administrators group and their associated access rights.
  - DeviceLock certificate: install or remove DeviceLock Certificate.
  - Service startup account: specify the startup account information, such as the account name and the password, for the server service.
  - TCP port: specify the TCP port that the server uses to connect to DeviceLock Management Console.

  The following list describes the full-text search related settings that you can configure for Search Server:
  - DeviceLock Enterprise Server(s): specify the DeviceLock Enterprise Server(s) whose data will be indexed for full-text search.
  - Index directory
Offline Profile

Option / Description:

- Wired connectivity: Indicates that the connection state of a client computer is determined by whether or not the network cable is connected to the Network Interface Card (NIC). This is the simplest and least secure method of detecting the connection state: a client computer works in online mode if the network cable is connected to the NIC and in offline mode if the network cable is disconnected from the NIC, so a user who simply unplugs the cable places the computer under the offline profile. Note that wireless network connections (Wi-Fi, etc.) and modem connections are ignored. This option is selected by default.

5. Click OK.

Switching Between Online and Offline Mode

DeviceLock Service running on client computers automatically detects the connection state and seamlessly switches between online and offline mode every hour and when any of the following events occurs:

- A user boots the computer running DeviceLock Service. DeviceLock Service always starts in offline mode.
- A user logs on.
- A user right-clicks the DeviceLock Tray Notification Utility icon in the notification area of the taskbar and then clicks Refresh Current State. The DeviceLock Tray Notification Utility icon is displayed in the notification area when Always show tray icon is enabled in Service Options.
- DeviceLock Service sends audit and shadow logs to DeviceLock Enterprise Server.
- A network interface changes state.
- A network cable
Audit and Shadowing rights determine which user actions on devices are logged to the audit and/or shadow log.

In the right pane of the Auditing & Shadowing (Offline) dialog box, you can specify the days and hours (for example, from 7 AM to 5 PM, Monday through Friday) when the selected user's actions on devices will be logged to either the audit or shadow log. Use the left mouse button to select the days and hours when the selected user's actions on devices will be logged. Use the right mouse button to mark the days and hours when the selected user's actions on devices will not be logged.

To set rights: in the upper left pane of the dialog box, under Users, select the user or group. In the lower left pane of the dialog box, under User's Rights, select or clear the Allow check box next to the appropriate audit and shadowing rights.

To remove a user or group: in the upper left pane of the dialog box, under Users, select the user or group and then click Delete or press the DELETE key. When you remove a user or group, any rules for that user or group will also be removed.

6. Click OK or Apply.

Undefining Offline Audit and Shadowing Rules

You can return previously defined offline audit and shadowing rules to the unconfigured state. If offline rules are undefined, the regular rules are applied to offline client computers.

To undefine offline audit and shadowing rules:

1. If you use DeviceLock Management Console, do the following
It takes some time (up to a minute) before the DeviceLock Content Security Server service is started and the wizard's second page is displayed.

(Figure: the second page of the wizard, DeviceLock Content Security Server, with the Enable Default Security check box and the Use Certificate Name option; the certificate is not installed yet.)

On this page you define the list of users that have administrative access to DeviceLock Content Security Server and install DeviceLock Certificate (the private key).

Enable Default Security

In the default security configuration, all users with local administrator privileges (i.e. members of the local Administrators group) can connect to DeviceLock Content Security Server using a management console, change its settings and run search queries. To turn on the default security, select the Enable Default Security check box.

If you need to define more granular access to DeviceLock Content Security Server, turn off the default security by clearing the Enable Default Security check box. Then you need to specify the authorized accounts (users and/or groups) that can connect to DeviceLock Content Security Server. To add a new user or group to the list of accounts, click Add. You can add several accounts simultaneously. To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift you can highlight and remove several records simultaneously. To define which actions are to be allowed
(Figure: the MMC Add/Remove Snap-in dialog box. Its Standalone tab ("Use this page to add or remove a standalone snap-in from the console") lists the available standalone snap-ins; Group Policy (Microsoft Corporation) is selected, with the description "This snap-in allows you to edit Group Policy Objects which can be linked to a Site, Domain, or Organizational Unit in the Active Directory or stored on a computer.")

5. Select a Group Policy Object, either from Active Directory or a local computer, and then click Finish.

(Figure: the Select Group Policy Object page of the Group Policy Wizard: "Group Policy Objects can be stored in the Active Directory or on a local computer. Use the Browse button to select a Group Policy Object." Below the Group Policy Object field is the option "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line. This only applies if you save the console.")
Content Aware Rules for Protocols (Regular Profile)

5. In the left pane of the Add File Type Detection Group dialog box, under Content group, type the name of the new content group in the Name box.
6. In the right pane of the Add File Type Detection Group dialog box, under Available Content, select any file type you want to add to the new content group and then click the left single-arrow button. You can select multiple file types by holding down the SHIFT key or the CTRL key while clicking them. To remove single file types from the content group, use the right single-arrow button. To add or remove all available file types to or from the content group at the same time, use the left double-arrow button or the right double-arrow button.

   Note: You can search the available content database for specific file types by extension or description. You can use wildcards, such as asterisks and question marks, to search for a specific group of file types. To find a specific file type or a specific group of file types, under Available Content type an extension or description, with or without wildcards, in the search string and then click Find. To filter file types, click Filter. To remove the filter, apply it to an empty string. An asterisk replaces an unlimited number of characters; the question mark replaces a single character. You can use these wildcards in any position and in any quantity.

7. Click OK to close
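The wildcard search described in the note above, written out as an added example so the matching rules are unambiguous. This is illustration code, not DeviceLock's own implementation; the file type database is constructed sample data, and the substring behaviour for a query without wildcards is an assumption.

```python
"""Added example: the '*' / '?' search over the Available Content list.
Illustration code, not DeviceLock's own implementation; FILE_TYPES is
constructed sample data."""
import re
from typing import List, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a search string to an anchored, case-insensitive regex.

    '*' matches any run of characters (including none), '?' exactly one
    character; both may appear in any position and any quantity. Every
    other character is escaped so that '.' or '+' in an extension is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# Constructed stand-in for the Available Content database: (extension, description).
FILE_TYPES: List[Tuple[str, str]] = [
    ("doc", "Microsoft Word document"),
    ("docx", "Microsoft Word 2007 document"),
    ("xls", "Microsoft Excel spreadsheet"),
    ("pdf", "Adobe PDF document"),
    ("7z", "7-Zip archive"),
    ("zip", "ZIP archive"),
]


def find_file_types(query: str, file_types=FILE_TYPES) -> List[Tuple[str, str]]:
    """Return the entries whose extension or description matches the query.

    With wildcards the whole field must match the pattern. Without wildcards
    the query is treated as a case-insensitive substring (assumption: the page
    only says the search string may be given with or without wildcards).
    """
    if "*" in query or "?" in query:
        rx = wildcard_to_regex(query)
        return [ft for ft in file_types if rx.match(ft[0]) or rx.match(ft[1])]
    q = query.lower()
    return [ft for ft in file_types if q in ft[0].lower() or q in ft[1].lower()]


if __name__ == "__main__":
    for q in ("doc?", "*archive", "Microsoft*", "zip"):
        print(q, "->", [ext for ext, _ in find_file_types(q)])
```

Because the pattern is anchored at both ends, "doc?" finds only four-character extensions such as docx; to find anything beginning with doc you would type "doc*".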
6. Click Close to close the Add Standalone Snap-in window.
7. Click OK to add the snap-in.
8. Expand the Computer Configuration container and then select DeviceLock.

Using DeviceLock Group Policy Manager

There is almost no difference between the procedure of managing DeviceLock Service via DeviceLock Management Console and via DeviceLock Group Policy Manager. For more information, see Managing DeviceLock Service.

(Figure: Group Policy Object Editor with Computer Configuration expanded, showing Software Settings, Windows Settings, Administrative Templates and the SmartLine DeviceLock node with its Service Options.)

It is impossible to manage DeviceLock Enterprise Server and to view audit and shadow logs using DeviceLock Group Policy Manager. For such operations you should use DeviceLock Management Console.

DeviceLock Service management via DeviceLock Group Policy Manager includes four additional features in comparison to DeviceLock Management Console:

1. Override Local Policy

If you want to disallow changing settings, permissions and audit rules for individual computers without the GPO editor, enable Override Local Policy in Service Options. This enables the Group Policy mode for all the computers in the GPO, so that the Local Policy mode cannot be enabled for these computers.
(Figure: the task properties dialog box, with the options Dynamic ports / Fixed TCP port, Verify Service Settings (Service Settings file, Configured Service Settings), Restore Service Settings, Scanning interval and Number of scanning threads.)

- Name: the name of the task, used to identify it in the tasks list and in the monitoring log.
- Active: if selected, allows DeviceLock Enterprise Server to execute this task. Clear this check box if you wish to disable the task but do not want to delete it permanently.
- Computers: the type of computers list used to define which computers will be monitored by this task. Click the Edit button to configure the list selected in Computers. Two computer list types are supported:
  1. Static list: all of the computers are specified in the list by their names or IP addresses. Since this list is static, a computer that no longer exists in the network will still be monitored, and the error logged, until its record is deleted from the list manually.

(Figure: the Edit static list dialog box, with a network browser (Microsoft Terminal Services, Microsoft Windows Network, VMware Shared Folders, Web Client Network) on the left and the Computers list on the right.)

Computers that will be monitored should be specified in the right list. Select the needed computers in the left list and then
- Protocol(s): The protocol(s) to which the rule applies.
- Profile: Possible values: Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Content Aware Rules for the same user or sets of users. For information about how to define offline Content Aware Rules for protocols, see Managing Offline Content Aware Rules for Protocols.

Editing Content Aware Rules

You can modify the Content Aware Rule properties, such as Description, Applies To, Protocol(s) and Action(s).

To edit a Content Aware Rule:

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click Content Aware Rules, click Manage, and then do the following:
   a. In the lower left pane of the Content Aware
Shadow Log Viewer (Service)

There is a built-in shadow log viewer that allows you to retrieve the shadow log from DeviceLock Service.

(Figure: DeviceLock Management Console with Shadow Log Viewer selected under DeviceLock Service; the records shown have the status Success, the device type Removable and the action Write.)

The typical DeviceLock configuration assumes that the shadow data is stored on DeviceLock Enterprise Server. In this case, all shadow data that is originally logged and cached by DeviceLock Service on the local computer is periodically moved to the server. The local shadow log is cleared as soon as the data is successfully moved to the server, so to view this data you should use the server's shadow log viewer.

However, in some cases you may need to view the shadow log of a certain computer. This need arises, for example, when you do not use DeviceLock Enterprise Server at all, or when the server is being used but for some reason the data still exists on the client computer.

The columns of this viewer are defined as follows:

- Status: indicates the status of the record. The Success status indicates that the data is successfully logged; the Incomplete status indicates
Content Aware Rules for Protocols (Regular Profile): the Add Complex Group dialog box offers Name, Description, Add, Insert, View, Delete, NOT, AND, OR, Clear and Validate.

Use this / To do this:

- Name: Specify the name of the group.
- Description: Specify a description for the group.
- Add: Add the desired content groups from the Content Database. To do so, click Add to open the Content Groups dialog box. In the Content Groups dialog box, under Content Database, select the desired content group and then click OK. You can select multiple content groups by holding down the SHIFT key or the CTRL key while clicking them. To view information about a content group, select the desired group and then click View Group. The content groups you added appear in the Criteria column in the Add Complex Group dialog box. Each content group you add is treated as a single filter criterion that can be included in your Boolean expression.
- Insert: Insert a content group from the Content Database before the currently selected group in the Criteria column. To do so, click Insert to open the Content Groups dialog box. In the Content Groups dialog box, under Content Database, select the desired content group and then click OK.
- View: View information about the currently selected group in the Criteria column.
- Delete: Delete the selected group from the Criteria column.
- NOT: Join each content group you select with the logical NOT operator. To do so, select the desired group in the Criteria column and then select the appropriate ch
You can enter multiple values separated by a semicolon.

- PID: the number that matches a value in the Shadow Log Viewer's PID column. You can enter multiple values separated by a semicolon.
- File size: the number, or the range of numbers, that matches a value in the Shadow Log Viewer's File Size column.
- From: specifies the beginning of the interval of records that you want to filter. Select First Record to see records starting with the first record written to the log. Select Records On to see records that were written starting with a specific time and date.
- To: specifies the end of the range of records that you want to filter. Select Last Record to see records ending with the last record written to the log. Select Records On to see records that were written ending with a specific time and date.

Managing DeviceLock Enterprise Server

Expand the DeviceLock Enterprise Server item to get access to all of a server's functions and configuration parameters.

(Figure: DeviceLock Management Console with the context menu of DeviceLock Enterprise Server open: Connect, Reconnect, Connect to Last Used Server at Startup, Certificate Generation Tool, DeviceLock Signing Tool, About DeviceLock, Help.)

There is a context menu available by a right mouse click
   a. In the details pane, select several device types by holding down the SHIFT key or the CTRL key while clicking them.
   b. Right-click the selection and then click Remove Offline.

The offline state of the audit and shadowing rules changes to Use Regular. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline USB Devices White List

For a detailed description of the USB Devices White List feature, see USB Devices White List (Regular Profile).

The offline USB Devices White List can have one of the following states:

- Not Configured: Indicates that the white list is not defined. The following message is displayed: "Offline USB White List is not configured". This is the default state.
- Configured: Indicates that the white list is defined.
- Use Regular: Indicates that the inheritance of the offline white list is blocked and the regular white list is enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of the regular white list is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. It lets you prevent the offline white list inherited from a higher level from being applied to a specific group of client computers at a lower
- In the File name box, type the file name you want.
- Click Save.

4. Click Close to close the viewer.

DeviceLock Group Policy Manager

Overview

In addition to the standard way of managing permissions via DeviceLock Management Console, DeviceLock also provides you with a more powerful mechanism: settings can be changed and deployed via Group Policy in an Active Directory domain.

System administrators can use policies to control DeviceLock's configuration from a single location on a network, no matter how large the network. Group Policy enables policy-based administration that uses Active Directory. Group Policy uses directory services and security group membership to provide flexibility and to support extensive configuration information. Policy settings are created using the Microsoft Management Console (MMC) snap-in for Group Policy.

Tight integration into Active Directory is a very important function of DeviceLock. It makes DeviceLock's management and deployment easier for large networks and more convenient for system administrators. Integration with Active Directory eliminates the need to install further third-party applications for centralized management and deployment. DeviceLock does not need to have its own server-based component to control the entire network; instead it uses the standard functions provided by Active Directory. Via Group Policy it is
- Open, Save and View links allow you to access and manipulate the search results (shadow copies) retrieved from the Shadow Log. For detailed information on how to manipulate shadow copies, see Manipulating search results retrieved from the Shadow Log.

Note: If your search produced no results, the search results page displays a message indicating that no matches were found.

Results navigator

This area is located at the bottom of the search results page and looks like this: Previous 1 2 3 4 5 6 7 8 9 10 Next. To move forward or backward through your results, click Next or Previous, or click the page number.

Manipulating search results retrieved from the Shadow Log

You can perform the following operations on results retrieved from the Shadow Log:

- Open a shadow copy of a file in its native application.
- Save a shadow copy of a file to any local or network location.
- Open and save a shadow copy of a file using the built-in viewer.

Below are step-by-step instructions demonstrating how to perform these operations.

To open a shadow copy of a file in its native application:

1. Perform your search.
2. On the search results page, click Open under the desired search result. The shadow copy of the file opens in its native application. If there is no native application, the Open With dialog box appears. Use this dialog box to choose the program with which to open the file. Keep in mind that a shadow copy is a user's own file: opening it in its native application on your workstation exposes that workstation to any macros or exploit content the file carries, so treat shadow copies as untrusted input.

If you open the shadow copy of a file captured from either
(Figure: the Content Aware Rules for Protocols dialog box, showing a Complex rule for Everyone that applies to the FTP, HTTP and SMTP protocols.)

14. In the Content Aware Rules for Protocols dialog box, click OK or Apply to apply the rule.
7. Click OK or Apply to apply the white list settings and close the Protocols White List dialog box.
8. In the Permissions dialog box, click OK or Apply.

Note: Access control, audit, shadow copying and content filtering will be disabled for all Dropbox file transfers. A white-listed protocol is therefore an uninspected channel; keep such entries to the minimum your business needs require.

Content Aware Rules Examples

All users are denied the right to copy to devices (Floppy, Removable) and to transmit over the network (over HTTP, FTP, SMTP, Web Mail) the following types of content: files containing more than 1 credit card number, password-protected documents and archives, files containing more than 1 Social Security number, and images containing a large amount of text.

1. In the console tree, expand DeviceLock Service, expand Devices, right-click Content Aware Rules, and then click Manage.
2. In the Content Aware Rules for Devices dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Document Properties.
3. In the Add Document Properties Group dialog box, do the following:
   a. In the Name box, specify the name of the group, for example "Password protected documents and archives".
   b. Select the Password protected check box.
   c. Click OK.
   The new content group you created is added to the existing list of content groups under Content Database in the Content Aware Rules for Devices dialog box. This group will be used to control access to password-protected documents and a
- Computers: you browse the network tree and select computers.
- LDAP: you browse the LDAP (Lightweight Directory Access Protocol) tree and select computers from the directory. To configure a connection to the LDAP server, click the button next to it.

(Figure: the LDAP Settings dialog box with Host, Port, Protocol version, Base DN and User DN fields; the example values use cn=qa,o=SMARTLINE,c=US and cn=admin,o=SMARTLINE,c=US.)

- Host: the name or the IP address of the LDAP server to connect to.
- Port: the TCP port on which the LDAP server accepts connections. The default port is 389. Note that 389 is the plain LDAP port: a simple bind over it sends the User DN password unencrypted unless the connection is protected by TLS, so use a read-only directory account here.
- Protocol version: the LDAP protocol version. Some servers are not fully compatible with the LDAP v3 protocol, and LDAP requests require certain adjustments for correct communication with such servers. Selecting Version 2 makes sure that the server requests are adjusted according to the LDAP v2 protocol requirements.
- Base DN: the starting point from which you browse the directory tree. You must use the LDAP string representation for distinguished names, for example cn=qa,o=SMARTLINE,c=US. Leave the Base DN box blank to start browsing from the root. By clicking the Fetch button you can get all the published naming contexts.
- User DN: the distinguished name (DN) of the directory user that allows connection to the directory. You must use the LDAP string representation for distinguished names, for example cn=admin,o=SMARTLINE,c=US
(Figure: the Security page of Service Options, with the Enable Default Security check box, the note "We strongly recommend that accounts in this list have local administrative privileges to ensure proper connection to DeviceLock Service", and the Enable Unhook Protection check box.)

DeviceLock's default security configuration is based on Windows Access Control Lists (ACL). A user without administrative privileges can't connect to DeviceLock Service, modify its settings or remove it. Everything is controlled by the Windows security subsystem. To turn on the default security based on Windows ACL, select the Enable Default Security check box.

Note: As described in the Recommended Basic Security Measures section of this manual, giving administrative privileges to regular users is strongly discouraged. Users with local administrator privileges (i.e. members of the local Administrators group) can connect to DeviceLock Service using a management console and change permissions, auditing and other parameters. Moreover, such users can uninstall DeviceLock from their computers, disable or delete DeviceLock Service, modify the service's registry keys, delete the service's executable file, and so on. In other words, users with local administrator privileges can circumvent the default security based on Windows ACL: it separates administrators from non-administrators and is no defence against a local administrator.

However, if for some reason users in your network have administrator privileges on their local computers, DeviceLock does provide another level of protection: DeviceLock Security. When DeviceLock Security is enabled, no
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Expand Content Aware Rules, right-click the user or group to which the rule is applied, and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted.
   - OR: Expand Content Aware Rules and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group and then click Delete.
   - OR: Right-click Content Aware Rules and then click Manage Offline. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group to which the rule is applied. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, select the rule and then click Delete, or right-click the rule and then click Delete. You can select multiple
In the Add Rule dialog box, in the Description box, type the name of the Content Aware Rule. By default, the Content Aware Rule has the same name as the specified content group, but you can enter a different name.

Under Applies to, specify the type of operation associated with the rule. The available options are:

- Permissions: Specifies that the rule will apply to access control operations.
- Shadowing: Specifies that the rule will apply to shadow copy operations.
- Permissions, Shadowing: Specifies that the rule will apply to both access control and shadow copy operations.

Under Protocol(s), select the protocol(s) you would like this rule to be applied to. Content Aware Rules can be applied to the following protocols: FTP, HTTP, ICQ, AOL Messenger, IRC, Jabber, Mail.ru Agent, SMTP, Social Networks, Web Mail, Windows Messenger and Yahoo Messenger. If you select several protocols that have different access rights, under Action(s) the dialog box displays only those access rights that are common to all selected protocols.

Under Action(s), specify which user actions are allowed or disallowed on protocols and which user actions are logged to the Shadow Log. For detailed information on the user rights that can be specified in Content Aware Rules, see Content Aware Rules for Access Control Operations and Content Aware Rules for Shadow Copy Operations.

Click OK.
25. The rule you created is displayed under Rules in the lower right pane of the Content Aware Rules (Offline) dialog box.
13. Click OK or Apply to apply the rule.
The users or groups to which the Content Aware Rule applies are displayed under Content Aware Rules in the console tree. When you select a user or group to which a Content Aware Rule applies in the console tree, in the details pane you can view detailed information regarding this rule. This information includes the following:
- Description: The name of the rule. By default, the rule has the same name as the specified content group.
- Type: The type of the content analysis. Possible values: File Type Detection, Keywords, Pattern, Document Properties, and Complex. File Type Detection indicates that recognition and identification of files is based on their characteristic signatures. Keywords indicates that recognition and identification of data files is based on the specified keywords or phrases. Pattern indicates that recognition and identification of data files is based on the specified patterns of text described by Perl regular expressions. Document Properties indicates that recognition and identification of files is based on their properties. Complex indicates that recognition and identification of data files is based on the specified content described by a Boolean expression.
- Action(s): Shows which user actions are allowed or disallowed on protocols and which user actions are logged to the
26. These weight values are interpreted as follows:
- Heavy weight indicates that each keyword occurrence is counted as three occurrences. This value is the highest.
- Above Normal weight indicates that each keyword occurrence is counted as two occurrences.
- Normal weight indicates that each keyword occurrence is counted as one occurrence.
- Below Normal weight indicates that two keyword occurrences are counted as one occurrence.
- Light weight indicates that three keyword occurrences are counted as one occurrence. This value is the lowest.
USE THIS / TO DO THIS
Add: Specify keywords and phrases. Click Add to enter a keyword or phrase.
Delete: Delete a keyword. To do so, select the keyword you want to delete, and then click Delete. You can select multiple keywords by holding down the SHIFT key or the CTRL key while clicking them.
Load: Import a list of keywords from a tab-delimited text file.
6. Click OK to close the Add Keywords Group dialog box.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content Aware Rules dialog box.
Pattern Content Groups
Pattern groups let you control access to text data using patterns of text described by Perl regular expressions. Patterns provide a flexible and powerful way to automatically detect potentially sensitive content, for example, credit card numbers, Social Se
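An added example (not DeviceLock's own code) of how the five keyword weights above turn raw occurrences into an effective count for a Keywords group. The whole-word matching options, the sample group, the sample text and the match threshold are assumptions made for illustration.

```python
"""Keyword weighting as described for DeviceLock Keywords groups:
Heavy = 3 per occurrence, Above Normal = 2, Normal = 1,
Below Normal = 1/2 (two occurrences count as one),
Light = 1/3 (three occurrences count as one).
Added example; not DeviceLock code. Matching options and the
threshold rule are assumptions for illustration."""
import re
from fractions import Fraction

WEIGHTS = {
    "Heavy": Fraction(3),
    "Above Normal": Fraction(2),
    "Normal": Fraction(1),
    "Below Normal": Fraction(1, 2),
    "Light": Fraction(1, 3),
}


def count_occurrences(text: str, phrase: str, whole_words: bool = True,
                      case_sensitive: bool = False) -> int:
    """Count non-overlapping occurrences of a keyword or phrase in text."""
    pattern = re.escape(phrase)
    if whole_words:
        pattern = r"\b" + pattern + r"\b"
    flags = 0 if case_sensitive else re.IGNORECASE
    return len(re.findall(pattern, text, flags))


def weighted_count(text: str, keywords: list[tuple[str, str]]) -> Fraction:
    """Sum of occurrences, each scaled by its keyword's weight.
    keywords: list of (phrase, weight name). Fractions keep partial
    credit exact (one Below Normal hit is worth 1/2, one Light hit 1/3)."""
    total = Fraction(0)
    for phrase, weight_name in keywords:
        total += WEIGHTS[weight_name] * count_occurrences(text, phrase)
    return total


def group_matches(text: str, keywords: list[tuple[str, str]],
                  threshold: int) -> bool:
    """Assumed rule: the group matches when the weighted count reaches
    the threshold (the page does not spell out the condition syntax)."""
    return weighted_count(text, keywords) >= threshold


# Constructed sample group and document (not from the manual)
SAMPLE_KEYWORDS = [
    ("confidential", "Heavy"),   # each hit counts 3
    ("internal", "Normal"),      # each hit counts 1
    ("draft", "Light"),          # three hits count 1
]
SAMPLE_TEXT = ("CONFIDENTIAL: internal draft. "
               "This draft is confidential; draft only.")

if __name__ == "__main__":
    # 2 x 3 (confidential) + 1 x 1 (internal) + 3 x 1/3 (draft) = 8
    print(weighted_count(SAMPLE_TEXT, SAMPLE_KEYWORDS))
    print(group_matches(SAMPLE_TEXT, SAMPLE_KEYWORDS, 5))
```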
27. a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols.
Under Protocols, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view protocols for which you can define audit and shadowing rules. In the details pane you can also view the current state of offline rules for each protocol in the Offline column.
In the details pane, right-click the protocol for which you want to remove offline audit and shadowing rules, and then click Remove Offline. You can remove audit and shadowing rules defined for several protocols at the same time. To do this, do the following:
a. In the details pane, select several protocols by holding down the SHIFT key or the CTRL key while clicking them.
b. Right-click the selection, and then click Remove Offline.
The offline state of the audit and shadowing rules changes to Use Regular. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.
Managing Offline Protocols White List
For a detailed description of the Protocols White List feature, see Managing Protocols White List (Regular Profile). The offline Protocols White List can have one of the following states:
STATE / DESCRIPTION
Not Configured: Indicates that the white list is not defined. The following message is displayed: Offline
28. are performed by tasks. On a single DeviceLock Enterprise Server you can have as many tasks as you wish. The maximum number of tasks on one server is only limited by available memory, CPU, and network bandwidth capacity. Please keep in mind that the server should have enough resources to communicate with at least 10 remote computers simultaneously.
By default, DeviceLock Enterprise Server can execute up to 30 tasks simultaneously. This means that if you have, for example, 40 tasks and all of them run at the same time, the first 30 tasks will run first and each of the remaining 10 tasks will run as soon as others complete. However, you can change the number of tasks that can be run simultaneously by modifying the registry. To define the new number, open Regedit and set the following entry on the computer where DeviceLock Enterprise Server is running:
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\SmartLine Vision\DeviceLockEnterpriseServer
- Name: ConcurrentJobs
- Type: DWORD
- Value: number_of_threads, where number_of_threads must be a value between 1 and 1000.
During their execution, tasks write status information to the monitoring log, including data about monitored computers and DeviceLock Services. They'll also write possible errors which occurred during the scanning of computers and connecting to DeviceLock Services. Also, tasks display the status of monitored computers and other useful information at the management console. This allows y
29. [Screenshot: Service Options list in DeviceLock Management Console]
USB/FireWire blocked message
You can define a custom message to be displayed to users when access to a USB or FireWire device is denied at the interface (USB or FireWire) level or type (Removable, CD/DVD, etc.) level.
[Screenshot: Blocked Message dialog box with the Enable USB/FireWire Blocked Message check box, Blocked Message Caption, Blocked Message Text, and Restore Defaults]
To enable this custom message, select the Enable USB/FireWire Blocked Message check box. Also, you can define additional parameters, such as:
- Blocked Message Caption: the text to be displayed as a caption. You can use three predefined macros within the text:
  - TYPE inserts the port name (USB port, FireWire port) where the device is plugged.
  - DEVICE inserts the name of the device (e.g. USB Mass Storage Device) received from the system.
  - DRIVE inserts the drive letter of the storage device (e.g. F:). If the device doesn't have a letter, then this macro inserts an empty string.
Using these macros yo
30. s Server column.
- Record N: the record number. This value matches the value in the Server Log Viewer's Record N column.
The following information is displayed in Log Parameters for a result retrieved from the Monitoring Log:
- Type: the class of the event (Success, Information, Warning, or Error). This value matches the value in the Type column of the server's Monitoring Log Viewer.
- Date/Time: the date and time when the event occurred. This value matches the value in the Date/Time column of the server's Monitoring Log Viewer.
- Event: the number identifying the event type. This value matches the value in the Event column of the server's Monitoring Log Viewer.
- Task Name: the name of the task responsible for this event. Can be empty if the event does not link to any task. This value matches the value in the Task Name column of the server's Monitoring Log Viewer.
- Computer Name: the name of the computer belonging to the task that is responsible for this event. Can be empty if the event does not link to the computer. This value matches the value in the Computer Name column of the server's Monitoring Log Viewer.
- Information: event-specific information, such as status, error, warning, and so on. This value matches the value in the Information column of the server's Monitoring Log Viewer.
- Server: the name of the server where the event occurred. This value matches the val
31. 1. DeviceLock Service is the core of DeviceLock. DeviceLock Service is installed on each client system, runs automatically, and provides device and network protection on the client machine while remaining invisible to that computer's local users.
[Diagram: device or network request from a user passes through DeviceLock Service and DeviceLock Settings in user mode and the DeviceLock Driver in kernel mode; the DeviceLock Administrator manages the service]
2. DeviceLock Enterprise Server is an optional component for centralized collection and storage of the shadow data and audit logs. DeviceLock Enterprise Server uses MS SQL Server to store its data. You can install several DeviceLock Enterprise Servers to uniformly spread the network load.
[Diagram: several DeviceLock Services reporting to DeviceLock Enterprise Servers backed by SQL Server, managed from the DeviceLock Management Console (MMC snap-in)]
DeviceLock Content Security Server is another optional component, which includes Search Server for instant search of text within shadowed files and other logs stored on DeviceLock Enterprise Server. For more information, see Understanding DeviceLock Content Security Server.
3. The management console is the control interface that systems administrators use to remotely manage each system that
32. 5. In the left pane of the Add File Type Detection Group dialog box, under Content group, type the name of the new content group in the Name box.
6. In the right pane of the Add File Type Detection Group dialog box, under Available Content, select any file type you want to add to the new content group, and then click the left single-arrow button (<). You can select multiple file types by holding down the SHIFT key or the CTRL key while clicking them. To remove single file types from the content group, use the right single-arrow button (>). To add or remove all available file types to or from the content group at the same time, use the left double-arrow button (<<) or right double-arrow button (>>).
Note: You can search the available content database for specific file types by extension or description. You can use wildcards, such as asterisks (*) and question marks (?), to search for a specific group of file types. To find a specific file type or specific group of file types, under Available Content, type an extension or description, with or without wildcards, in the search string, and then click Find. To filter file types, click Filter. To remove the filter, apply it to an empty string. An asterisk (*) replaces an unlimited number of characters. The question mark (?) replaces a single character. You can use these wildcards in any position and in any quantity.
7. Click OK to close the Add File Type Detection Group dialog box. The new content
33. Appendix: Permissions and Audit Examples
Audit & Shadowing Rules Examples
Log insert, remove, and access actions for USB devices for all users
1. Select the USB port record from the list of device types under Auditing & Shadowing, and then select Set Auditing & Shadowing from the context menu available by a right mouse click.
[Screenshot: DeviceLock Management Console, Auditing & Shadowing node, with Set Auditing & Shadowing chosen from the context menu of the USB port record]
2. Click the Add button in the Audit dialog box and add the Everyone user (type the name or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box, select the Everyone record, and enable Read and Write audit rights in the User's Rights list.
[Screenshot: Auditing & Shadowing dialog box for the USB port with Everyone selected]
34. Best Practice: The most reliable way to secure client/server communication is to use DeviceLock Certificate authentication. For client/server certificate authentication, the public key must be installed on client computers, while the private key must be installed on DeviceLock Enterprise Server(s). If the certificate (the private key) is installed only on DeviceLock Enterprise Server, the server will reject connections and client computers will work in offline mode. If the certificate (the public key) is installed only on client computers, the server and the client will authenticate each other once a connection is established, though this type of authentication is less secure than certificate-based authentication. For detailed information on DeviceLock Certificates, see DeviceLock Certificates.
Indicates that the connection state of a client computer is determined by whether or not it can connect to the appropriate Active Directory domain controller (a domain controller of the domain to which the client computer belongs). Thus, a client computer works in online mode if it can connect to the appropriate domain controller. A client computer works in offline mode if the appropriate domain controller becomes unavailable. A client computer that is not joined to a domain (a workgroup or stand-alone computer) always works in offline mode.
Wired: Indicates that the connection state o
35. [Screenshot: DeviceLock Enterprise Manager scan dialog listing plug-ins (Report Permissions/Auditing, Report PnP Devices, Set Service Settings, Shadow Log Viewer, Uninstall service) and computer types (Primary Domain Controller, Backup Domain Controller, Microsoft SQL Servers, Terminal Servers, Stand Alone Servers, Cluster Servers, Print Servers, NT Workstations, WORKGROUP)]
First, select computers where DeviceLock Service must be installed. DeviceLock Enterprise Manager allows you to select computers by their types and names. You can also load the computers list from an external file or select them from any LDAP tree (Active Directory, Novell eDirectory, OpenLDAP, and so on).
Then select the Install service plug-in and click the Settings button to specify the directory that contains all of the files needed for installation, such as DeviceLock Service.msi, DeviceLock Service x64.msi, DLRemoteInstaller.exe, and InstMsiW.exe. These files are located in the DeviceLock installation directory. By default, the DeviceLock installation directory is %ProgramFiles%\DeviceLock.
You can also instruct DeviceLock Service to use the fixed TCP port for the communication with management consoles. To use dynamic ports for the RPC communication, select the Dynamic ports option. By default, DeviceLock Service uses port 9132.
[Screenshot: Install options dialog box, Path to installation files, with a note that the directory should contain DLRemoteInstaller.exe and the other installation files]
36. If you have specified an incorrect user name for the This account option or the wrong user password, DeviceLock Content Security Server will not be able to start.
[Error dialog: ChangeConfigService error 1097: The account name is invalid or does not exist, or the password is invalid for the account name specified.]
You will be notified if the user's account specified for the This account option is not a member of the Domain Admins group.
[Dialog: The account does not belong to the Domain Admins group. Do you want to continue?]
You may continue by clicking Yes. However, keep in mind that in this case either the specified user must have administrative access to all remotely running DeviceLock Enterprise Servers or DeviceLock Certificate (the private key) must be installed on every computer with DeviceLock Enterprise Server.
If the user's account specified for the This account option does not have the Log On As A Service system privilege, the wizard automatically assigns it. This privilege is needed to start the service on behalf of the user.
[Dialog: The account has been granted the Log On As A Service right.]
If all of the service's startup parameters were specified correctly, the wizard starts DeviceLock Content Security Server.
[Dialog: Starting service on Local Computer. Please wait while the program is interacting with a service.]
37. If you specify these file properties within the same Document Properties group and then create a Content Aware Rule based on this content group, this rule will control password-protected documents and archives that are larger than 5 MB.
By defining rules based on Document Properties groups, you can, for example, allow read access to all documents larger than 1 MB in size from Removable, Floppy, and DVD/CD-ROM devices, but deny write access to Removable and Floppy devices for these documents. You can also specify that only documents whose size exceeds 5 MB will be shadow copied.
There are no predefined (built-in) Document Properties content groups to use. The following procedure describes how to create your own Document Properties group.
To create a Document Properties group
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, do one of the following:
38. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
Open DeviceLock Service Settings Editor.
In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
Open Group Policy Object Editor.
In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols.
Under Protocols, do one of the following:
- Right-click Content Aware Rules, and then click Save.
- OR -
- Select Content Aware Rules, and then click Save on the toolbar.
- OR -
- Expand Content Aware Rules, right-click any user or group to which the rule is applied, and then click Save.
- OR -
- Expand Content Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Save.
- OR -
- Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Save on the toolbar.
- OR -
- Right-click Content Aware Rules, and then click Manage. In the lower right pane of the Content Aware Rules dialog box, under Rules, click Save.
The Save As dialog box appears.
4. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .cwl file. In the File name box, type the file name you want. Click Save.
When you export rules, they are saved in a file with a .cwl extens
39. [Flowchart: Is device in USB White List? Is user in USB port permissions list (DACL)? Access Denied / Access Allowed]
There are additional Security Settings that can turn off access control for classes of devices (for example, all USB printers) while others remain under control. In the case of a device belonging to a class for which control is disabled, DeviceLock allows all requests to connect this device at the interface (port) level. Also, DeviceLock supports the white listing of specific devices; in other words, you can turn off access control for only specific devices (for example, a certain USB printer).
Note: If access to a device is denied at the interface (port) level, DeviceLock does not check permissions at the type level. However, if access is granted at the interface (port) level, DeviceLock also checks permissions at the type level. Only when access is granted at both levels can the user connect the device.
Access control for protocols works in the following way. Every time the user wants to access a remote network resource, DeviceLock intercepts this connection request at the kernel level of the OS and checks the user rights in the appropriate Access Control List (ACL). If the user does not have the right to access this protocol, an "access denied" error is returned.
Note: Access control settings for Social Networks and Web Mail override access control settings for HTTP. For example, i
40. - OR -
- Right-click USB Devices White List, and then click Manage Offline. In the lower right pane of the USB Devices White List (Offline) dialog box, under Devices, click Load.
The Open dialog box appears.
4. In the Open dialog box, in the Look in list, click the location that contains the file you want to import.
5. In the folder list, locate and open the folder that contains the file.
6. Click the file, and then click Open.
Undefining Offline USB Devices White List
You can return the previously defined offline white list to the unconfigured state. If the offline white list is undefined, the regular white list is applied to offline client computers.
To undefine the offline USB Devices White List
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, right-click USB Devices White List, and then click Undefine Offline.
The offline state of the whit
41. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, right-click Media White List, and then click Undefine Offline.
The offline state of the white list changes to Not Configured. When you select Media White List in the console tree, in the details pane the following message is displayed: Offline Media White List is not configured.
Removing Offline Media White List
If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of the higher-level offline white list and enforce the regular white list on specific lower-level groups of client computers. To enforce the regular Media White List, you must remove the offline Media White List.
To remove the offline Media White List
1. If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, right-click Media White List, and then click Remove Offline.
The offline state of the white list changes to Use Regular. W
42. Otherwise, you will need to use DeviceLock Certificate authentication.
If you're installing DeviceLock Enterprise Server in the domain environment, we recommend that you use a user account that is a member of the Domain Admins group. Since Domain Admins is a member of the local group Administrators on every computer in the domain, members of Domain Admins will have full access to DeviceLock Service on every computer.
Also, don't forget that if DeviceLock Security is enabled on remotely running DeviceLock Services to protect them against local users with administrative privileges, the user's account specified in the This account option must also be in the list of DeviceLock Administrators with Full access rights. Otherwise, you'll need to use DeviceLock Certificate authentication.
Connection settings
You can instruct DeviceLock Enterprise Server to use a fixed TCP port for communication with the management console, making it easier to configure a firewall. Type the port number in Fixed TCP port. To use dynamic ports for RPC communication, select the Dynamic ports option. By default, DeviceLock Enterprise Server is using the 9133 port.
Press the Next button to start the DeviceLock Enterprise Server's service and to proceed to the second page.
If the current user doesn't have full administrative access to DeviceLock Enterprise Server (in case it already exists and you're installing an upgrade), the configuration wizard will not be able t
43. Financial Report, Financial Terms, Firing, Innovations, Insurance, Internal Payments, Investors and Investments, Labor Law
BUILT-IN KEYWORDS GROUPS (Content Aware Rules for Devices, Regular Profile): Failures, Financial Report, Financial Statements, Firing, FITS Date & Time, FITS File Checksum, FITS File Descriptors, FITS Hierarchical file grouping, FITS Instrumentorum, FITS Non-standard, FITS Observations, FITS Standard, Gambling, Grades, HCFA (CMS-1500) Form, HIPAA Diseases, HIPAA HCPCS, HIPAA ICD9, HIPAA NDC Classes, HIPAA NDC Dosages, HIPAA NDC Listing, HIPAA NDC Routes, Illegal Drugs, Innovations, Internet Slang Abbreviations, Investments, Java Source Code, Market Development, Medical Diagnosis, Medical Record Numbers, MEMO, Network Security, Partner Names, Password, Payments, PCI GLBA, Perl Source Code, Price List, Prices, Pro Earnings, Loans and Credits, Manufacturing, Market Development Plan, Medicinal Active Substances, Medicinal Drugs, Noncompliant Passwords and Access Codes, Physical Security, Prices, Project Documentation, Project Names, Project Versions, Projects, Release Date, Technology, User Names, Working Conditions, Sales Forecast, Sarbanes-Oxley Sensitive, Security, Security Agencies, Sensitive Disease, Sexual Language, Social
44. Source Code, Cellular Operator Call Log, COBOL Source Code, Common Disease, Common Medical Terms, Company Development, Compensation and Benefits, Compliance Report, Confidential, Confidential Partners Information, Credit Report, Credits, Discontent, Discrediting Information, Driver's License, Employer Identification Number, Ethnicity, Executive Job Searches, Failures, Financial Report, Financial Statements, Firing, FITS Date & Time, FITS File Checksum, FITS File Descriptors, FITS Hierarchical file grouping, FITS Instrumentorum, FITS Non-standard, FITS Observations, FITS Standard, Gambling, Grades, HCFA (CMS-1500) Form, HIPAA Diseases, HIPAA HCPCS, HIPAA ICD9, HIPAA NDC Classes, HIPAA NDC Dosages, HIPAA NDC Listing, HIPAA NDC Routes, Illegal Drugs, Innovations, Internet Slang Abbreviations, Investments, Java Source Code, Market Development, Medical Diagnosis
(Content Aware Rules for Protocols, Regular Profile): Accounting Documentation Types, Bank Account, Bank Operations, Banking Operations Participants
45. This is the default state.
Configured: Indicates that audit and shadowing rules are defined for a protocol.
No Audit: Indicates one of the following:
- Audit rights are not set for all of the users and groups specified in audit and shadowing rules for a protocol.
- All users and groups specified in audit and shadowing rules for a protocol are removed.
- The Everyone account has no Audit and Shadowing rights and is the only account specified in audit and shadowing rules for a protocol.
Use Regular: Indicates that the inheritance of offline audit and shadowing rules is blocked and regular audit and shadowing rules are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular rules is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular rules lets you prevent offline rules inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular rules, see Removing Offline Audit and Shadowing Rules.
Managing offline audit and shadowing rules involves the following tasks:
- Defining and editing offline audit and shadowing rules
- Undefining offline audit and shadowing rules
- Removing offline audit and shadowing rules
Defining and Editing O
46. USE THIS / TO DO THIS
Name: Specify the name of the group.
Description: Specify a description for the group.
Add: Add the desired content groups from the Content Database. To do so, click Add to open the Content Groups dialog box. In the Content Groups dialog box, under Content Database, select the desired content group, and then click OK. You can select multiple content groups by holding down the SHIFT key or the CTRL key while clicking them. To view information about a content group, select the desired group, and then click View Group. The content groups you added appear in the Criteria column in the Add Complex group dialog box. Each content group you add is treated as a single filter criterion that can be included in your Boolean expression.
Insert: Insert a content group from the Content Database before the currently selected group in the Criteria column. To do so, click Insert to open the Content Groups dialog box. In the Content Groups dialog box, under Content Database, select the desired content group, and then click OK.
View: View information about the currently selected group in the Criteria column.
Delete: Delete the selected group from the Criteria column.
NOT: Join each content group you select with the logical NOT operator. To do so, select the desired group in the Criteria column, and then select the appropriate check b
47. - Undefining the offline Media White List
- Removing the offline Media White List
Defining and Editing Offline Media White List
To define and edit the offline Media White List
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, do one of the following:
- Right-click Media White List, and then click Manage Offline.
- OR -
- Select Media White List, and then click Manage Offline on the toolbar.
The Media White List (Offline) dialog box appears.
[Screenshot: Media White List (Offline) dialog box]
4. In the upper pane of the Media White List (Offline) dialog box, under Media Database, click Media Database.
The Media Database dialog box appears.
[Screenshot: Media Database dialog box]
In the upper pane of the Media Databas
48. Under Server Options, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
In the details pane, double-click Search Server License(s), or right-click Search Server License(s), and then click Properties.
The DeviceLock Content Security Server dialog box appears.
In the DeviceLock Content Security Server dialog box, click Load License(s) to browse for the license file.
In the Select the DeviceLock license file dialog box, in the Look in list, click the location that contains the license file.
In the folder list, locate and open the folder that contains the license file.
Click the file, and then click Open.
Information about installed license files is displayed in the License information area of the DeviceLock Content Security Server dialog box. You can install as many licenses as required to suit your organization's needs. To do this, add them one by one.
Click OK.
Task: Specify DeviceLock Enterprise Server(s) whose data will be indexed for full-text search
To start the process of creating the full-text index, you must specify DeviceLock Enterprise Server(s) whose data will be indexed. Search Server starts the indexing process automatically as soon as you specify DeviceLock Enterprise Server(s).
To specify DeviceLock Enterprise Server(s)
1. In the console tree, expand DeviceLock Content Security Server, and then expand Server Options.
Under Server O
49. data. Table 2 has the following columns: User Name: shows a user name. Data Size: shows the total size of all copied files. Values in this column are sorted in descending order. This report shows the most frequently copied files, sorted according to the number of copied files and the total size of all copied files. By default, the report lists the first 10 files, but you can specify any number of files. The report consists of three sections: the Report Header, Report Parameters and Report Results. The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes: Period (from, to): shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running. Computer(s): shows the computers that were specified for the report. Channel(s): shows the device types and/or protocols that were specified for the report. User(s): shows the users that were specified for the report. The Report Results section contains two tables with detailed results of the report. Table 1 lists the top N (where N is a specific number) copied files by quantity. Tab
50. devices continue to function as usual, and audit is not performed for these devices. This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels (interface and type), the permissions and audit rules (if any) for the type (Removable, Floppy, DVD/CD-ROM or Hard disk) level will be applied anyway. Access control for USB and FireWire network cards: if enabled, allows DeviceLock Service to audit and control access to network cards plugged into the USB or FireWire (IEEE 1394) port. Otherwise, even if the USB or FireWire port is locked, network cards continue to function as usual, and audit is not performed for these devices. Access control for FireWire storage devices: if enabled, allows DeviceLock Service to audit and control access to storage devices plugged into the FireWire port. Otherwise, even if the FireWire port is locked, storage devices continue to function as usual, and audit is not performed for these devices. This parameter affects audit and access control on the interface (FireWire) level only. If the device belongs to both levels (interface and type), the permissions and audit rules (if any) for the type (Removable, Floppy, DVD/CD-ROM or Hard disk) level will be applied anyway. Access control for serial modems (internal & external): if enabled, allows DeviceLock Service to audit and control access to modems plugged into the COM port. Otherwise, even if the COM port is lo
51. dialog box, under Users, select the user or group. You can select multiple users and/or groups by holding down the SHIFT key or the CTRL key while clicking them. 4. In the lower left pane of the Permissions (Offline) dialog box, under User's Rights, select or clear the Allow check box next to the appropriate access rights. In the right pane of the Permissions (Offline) dialog box, you can set day and time restrictions that narrow user access to devices. Use the left mouse button to select days and hours when the selected user or group will have access to devices. Use the right mouse button to mark days and hours when the selected user or group will not have access to devices. To change the permissions for an existing user or group: 1. In the upper left pane of the dialog box, under Users, select the user or group. 2. In the lower left pane of the dialog box, under User's Rights, select or clear the Allow check box next to the appropriate access rights. To remove an existing user or group and its permissions: In the upper left pane of the dialog box, under Users, select the user or group, and then click Delete or press the DELETE key. 6. Click OK or Apply. Undefining Offline Permissions. You can reset previously set offline permissions to the unconfigured state. If offline permissions are undefined, regular permissions are applied to offline cl
52. Configure a schedule for merge operations. Rebuild the full-text index immediately. Update the existing index immediately. Monitor and refresh the status of the current indexing activity. Task: Install the required number of Search Server licenses. There is a special Search Server license, which you must purchase for DeviceLock Content Security Server. You can use the same license on an unlimited number of computers running DeviceLock Content Security Server. The Search Server licensing model is based on the number of log entries to be indexed for full-text search. Each license allows Search Server to index 1,000 entries from the shadow logs (Shadow Log and Deleted Shadow Log) and 5,000 entries from every other log (Audit Log, Server Log and Monitoring Log). Depending on the actual number of log entries on your DeviceLock Enterprise Servers, you can purchase as many licenses as required. If you use several licenses for Search Server, it can index as many log entries as the combined licenses allow. The trial period for DeviceLock Content Security Server is 30 days. During the trial period, Search Server can index 2,000 entries from the shadow logs and 10,000 entries from every other log. You can always purchase and install additional Search Server licenses. To install Search Server licenses: 1. In the console tree, expand DeviceLock Content Security Server, and then expand Server Options.
53. Right-click Content Aware Rules, and then click Manage. OR Select Content Aware Rules, and then click Manage on the toolbar. The Content Aware Rules dialog box appears. 4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click Document Properties. The Add Document Properties Group dialog box appears. 5. In the Add Document Properties Group dialog box, do the following: Name: specify the name of the group. Description: specify a description for the group. File name: specify the file names. You can use wildcards, such as asterisks (*) and question marks (?). For example, type *.txt to specify all files that have the .txt extensi
54. native print spooler format, send it to the printer again, or save it as a graphic file such as BMP, GIF, JPEG, PNG, EMF or TIFF. The following print spooler formats are supported: PostScript, PCL5, PCL6 (PCL XL), HP-GL/2, GDI printing (ZjStream) and EMF Spooled Files. Save. If you need to save data from a selected record to your local computer, use Save from the context menu or press the appropriate button on the toolbar. Use CTRL and/or SHIFT to select and save the data from several records simultaneously. In case the record has no associated data (its size is 0 or it was not logged), Save is disabled in the context menu and on the toolbar. The progress bar appears when you are saving a large file. You can click Cancel at any time to abort the saving process. In this case, the resultant file on the local computer will be incomplete and will contain only that part of the data which was received before you aborted the saving process. If the data was transferred by the user as a file, it is stored i
55. ss the second, and AP M the AM or PM designation. In the Period from and To boxes, type or select the date and time of the report period. The default start and end time of the report period is the time at which the Report Options dialog box opens. The default end date of the report period is the current date. The default start date of the report period is the same day in an earlier month. For example, if the current date is March 5, 2009, the default end date of the report period is 3/5/2009, while the default start date is 2/5/2009. Computer(s): specifies computers for the report. The Computer(s) box is not displayed in the Report Options dialog box for the Top active computers report types. The Computer(s) box is empty by default. This means that the report will display data for all computers in the DeviceLock Enterprise Server database. To specify computers for the report, you can do any of the following: In the Computer(s) box, type computer names using wildcards, such as asterisks (*) and question marks (?). For example, if you specify *.mydomain.com, the report will display data for all computers in mydomain.com. An asterisk (*) replaces an unlimited number of characters. The question mark (?) replaces a single character. You can use these wildcards in any position and in any quantity. Multiple computer names must be separated by a comma or semicolon. OR Click Browse next to the Computer(s) box, and then do th
56. the Report Header, Report Parameters and Report Results. The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes: Period (from, to): shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running. Computer(s): shows the computers that were specified for the report. User(s): shows the users that were specified for the report. Channel(s): shows the data transmission channels that were specified for the report. The available options are: all devices, all protocols, and all devices and protocols. The Report Results section contains a table and a chart that show detailed results of the report. The table has the following columns: Channel: shows a data transmission channel. Allowed: shows the number of allowed access requests. Denied: shows the number of denied access requests. This report shows the total number of allowed and denied access requests sent through all data transmission channels (devices and/or protocols). The report consists of three sections: the Report Header, Report Parameters and Report Result
57. the Save command or the toolbar's button. DeviceLock Management Console detects that the CD/DVD image contains a session that refers to the data in other (previous) sessions. Since the previous sessions are not available (they could be written on the computer where DeviceLock Service is not installed), DeviceLock Management Console locates and fixes all references to these non-existent sessions to make the cue file readable by applications that support this format. However, if you need to get the data that was not modified by DeviceLock Management Console, use Save As Raw Data. In this case the resultant file may be unreadable by applications that support the CUE format. When saving large files, you can click the Cancel button on the progress bar to abort the saving process. In this case, the resultant file on the local computer will contain only that part of the data which was received before you aborted the saving process. View. To open the data in the built-in viewer, use View from the context menu. In the built-in viewer, click any of the following viewing options: Hex: displays data in hex as well as in words. Autodetect Text: enables the auto-detection of encoding for text and
58. the following options: Report Available Devices Only: select this check box to report permissions and audit rules for only those devices currently available on the computer. Otherwise, you will see permissions and audit rules for every type of device that DeviceLock supports. Report Auditing & Shadowing: select this check box to report audit and shadowing rules that have been set. Also, when this check box is selected, you receive information about whether the Log Policy changes and Start/Stop events parameter is enabled in Service Options. Report Enabled Auditing & Shadowing Only: select this check box to exclude devices for which audit and shadowing rules are disabled from the report. This option is available only if the Report Auditing & Shadowing check box is selected. Report Security Settings: select this check box to report what parameters are disabled via Security Settings. Report Content Aware Rules: select this check box to report Content Aware Rules that have been set (see Content Aware Rules for Devices). Report USB White List: select this check box to include information about white-listed devices (see USB Devices White List). Report Media White List: select this check box to include information about white-listed media (see Media White List). Report DeviceLock Administrators: select this check box to report accounts that can manage DeviceLock Service or view its settings and
59. 1. When you are opening a large file, you can click Cancel on the progress bar to abort the opening process. In this case the external application will receive only that part of the data which was received before you aborted the opening process. Delete. To delete a record, select Delete from the context menu or press the appropriate button. Use CTRL and/or SHIFT to select and remove several records simultaneously. Refresh. To refresh the list, select Refresh from the context menu (available via a right mouse click) or press the appropriate button on the toolbar. Send Data to Server. When DeviceLock Enterprise Server is defined in Service Options and you need to force moving the shadow data from the current computer to the server, use Send Data to Server from the context menu (available by a right mouse click) or press the appropriate button on the toolbar. Shadow Log Filter (Service). You can filter data in Shadow Log Viewer so that only records that meet certain conditions are displayed in the list. To open the Filter dialog box, use Filter from the context menu of Shadow Log Viewer or press the appropriate button on the toolbar.
60. 5. Click the Add button below the Users list, add the Administrators group (type the name or browse for all available names and select the needed one), click OK to close the Select Users or Groups dialog box, and then select the Administrators record. 6. Select the device model's record in the USB Devices Database list, and then click the Add button below this list. If you do not have devices in the USB Devices Database list, click the USB Devices Database button below this list, and then add devices as described in the USB Devices Database section of this manual. When you have finished adding devices to the database, click OK to save this database and close the USB Devices Database dialog box. 7. Click OK to apply the white list settings and close the USB Devices White List dialog box, click OK to apply changes and close the Permissions dialog box, and then click Yes to confirm that you really want to deny all users access to the USB port. For all users, all USB devices are denied except the mouse and keyboard, but members of the Administrators group can use an authorized unique USB storage device. 1. Select the USB port record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a r
61. There is no big difference between defining Audit Log Filter and Shadow Log Filter, so first read the Audit Log Filter (Service) section of this manual. When the filter is active, you can define its condition by entering values into the following fields: Success: specifies whether to filter the successfully logged data. Incomplete: specifies whether to filter the data that was logged incompletely. Failed: specifies whether to filter the logged data whose transmission was blocked by Content Aware Rules. File Name: the text that matches a value in the Shadow Log Viewer's File Name column. This text is not case-sensitive and you may use wildcards. You can enter multiple values separated by a semicolon. Source: the selection that matches a value in the Shadow Log Viewer's Source column. You can enter multiple values separated by a semicolon. Action: the selection that matches a value in the Shadow Log Viewer's Action column. You can enter multiple values separated by a semicolon. User: the text that matches a value in the Shadow Log Viewer's User column. This text is not case-sensitive and you may use wildcards. You can enter multiple values separated by a semicolon. Process: the text that matches a value in the Shadow Log Viewer's Process column. This text is not case-sensitive and you may use wildcards.
62. A search result includes the following: Snippets: portions of text containing highlighted query words (bold font). These snippets allow you to see the context in which the query words were found. The search results page displays only the first three snippets per search result. Log Parameters: summary information retrieved from the log for this search result. Click the plus sign to expand Log Parameters and view this information. This information is different depending on the log type. Note: If an entry in a log has an empty field, this field is not displayed in Log Parameters. The following information is displayed in Log Parameters for a result retrieved from the Audit Log: Received Date/Time: the date and time when the event was received by DeviceLock Enterprise Server. Type: the class of the event, either Success for allowed access or Failure for denied access. This value matches the value in the Type column of the server's Audit Log Viewer. Computer: the name of the computer from which the Audit Log was received. This value matches the value in the Computer column of the server's Audit Log View
63. 19_18_29_17_07_2006.bin. Each CD/DVD image is saved to the local computer as two files: the data file with the .bin extension (for example, direct_write_E_19_18_29_17_07_2006.bin) and the cue sheet file that has the same name as its data file with the .cue extension (for example, direct_write_E_19_18_29_17_07_2006_bin.cue). Both these files are necessary to open the CD/DVD image in an external application that supports the CUE format, such as Cdrwin, Nero, DAEMON Tools, IsoBuster, UltraISO, WinISO and many others. To open and save a shadow copy of a file using the built-in viewer: 1. Perform your search. 2. On the search results page, click View under the desired search result. The shadow copy opens in the built-in viewer. In the built-in viewer, click any of the following viewing options: Hex: displays data in hex as well as in words. Autodetect Text: enables the auto-detection of encoding for text and displays data in textual format only. ANSI Text: specifies ANSI encoding for text and displays data in textual format only. UTF-16 Text: specifies Unicode UTF-16 encoding for text and displays data in textual format only. UTF-16BE Text: specifies Unicode UTF-16 Big Endian encoding for text and displays data in textual format only. To save the file, click Save to open the Save As dialog box. In the Save As dialog box, do the following: In the Save in box, browse to the location where you want to save the file
64. 4. Click OK to close the Security Settings dialog box, and then click OK to apply changes and close the Permissions dialog box. For all users, all storage devices except fixed hard drives are denied, but all non-storage USB devices are allowed. 1. Select the USB port record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a right mouse click. 2. Click the Add button in the Permissions dialog box, add the Everyone user (type the name or browse for all available names and select the needed one), click OK to close the Select Users or Groups dialog box, select the Everyone record and enable all rights
65. 4. Click OK to close the Security Settings dialog box, click OK to apply changes and close the Permissions dialog box, and then click Yes to confirm that you really want to deny all users access to the USB port. For all users, all USB devices are denied except the mouse and keyboard, but members of the Administrators group can use all USB devices. 1. Select the USB port record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a right mouse click. 2. Click the Add button in the Permissions dialog box, add the Administrators group (type the name or browse for all available names and select the needed one), click OK to close the Select Users or Groups dialog box, select the Administrators record and enable all rights in the User's Rights list. 3. Click the Security Settings button in the Permissions dialog box, and then clear the Access control for USB HID (mouse, keyboard, etc.) check box.
66. Append. In the message box, click Yes to overwrite the existing offline white list. Click No to append a new offline white list to the existing offline white list. Deleting Rules of Offline Protocols White List. You can delete individual rules of the offline Protocols White List when they are no longer required. To delete an offline white list rule: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand DeviceLock. 2. Expand Protocols. 3. Under Protocols, do one of the following: Expand White List, right-click the user or group to which the rule is applied, and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted. OR Expand White List, and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group, and then click Delete. OR Right
67. Aware Rule applies in the console tree, in the details pane you can view detailed information regarding this rule. This information includes the following: Description: the name of the rule. By default, the rule has the same name as the specified content group. Type: the type of the content analysis. Possible values: File Type Detection, Keywords, Pattern, Document Properties and Complex. File Type Detection indicates that recognition and identification of files is based on their characteristic signatures. Keywords indicates that recognition and identification of data/files is based on the specified keywords or phrases. Pattern indicates that recognition and identification of data/files is based on the specified patterns of text described by Perl regular expressions. Document Properties indicates that recognition and identification of files is based on their properties. Complex indicates that recognition and identification of data/files is based on the specified content described by a Boolean expression. Action(s): shows which user actions are allowed or disallowed on protocols and which user actions are logged to the Shadow Log. Applies To: possible values are Permissions, Shadowing, and Permissions, Shadowing. Permissions indicates that the rule applies to access control operations. Shadowing indicates that the rule applies to shadow copy operations. Permissions, Shadowing indicates that the rule applies to both access control and shadow copy operations.
68. Right-click the DeviceLock Content Security Server node to display the following commands: Connect: connects to the computer running DeviceLock Content Security Server. For more information, see Connecting to Computers. When you connect to a computer where an old version of DeviceLock Content Security Server is installed, you may receive the following message: "DeviceLock SearchServerConnect error 7049: The product version on the client and server machines does not match." In this case you need to install the new version of DeviceLock Content Security Server on this computer. For information on how to install DeviceLock Content Security Server, see Installing DeviceLock Content Security Server. Reconnect: connects to the currently connected computer once again. Connect to Last Used Server at Startup: click this command to instruct DeviceLock Management Console to automatically connect to the last used server each time the console starts up. Certificate Generation Tool: runs the special tool that allows you to generate DeviceLock Certificates. For more information, see Generating DeviceLock Certificates.
69. Enable Content Aware Blocked Message: enable or disable the display of the Content Aware blocked write message. Select the Enable Content Aware Blocked Message check box to enable the display of the message. Clear the Enable Content Aware Blocked Message check box to disable the display of the message. Blocked Message Caption: specify the text to display in the title bar of the message balloon. By default, the Blocked Message Caption text is as follows: DeviceLock Security Subsystem. Blocked Message Text: specify the text to display in the message balloon. By default, the Blocked Message Text for the Content Aware blocked write message is as follows: "You do not have permissions to write FILENAME. Please contact your system administrator." where FILENAME is the path and file name of the file to be inserted. Restore Defaults: restore the default settings. For a detailed description of the Content Aware Rules feature, see Content Aware Rules for Devices (Regular Profile) and Content Aware Rules for Protocols (Regular Profile). Protocols blocked message. You can define a Protocols blocked message (notification balloon) to be displayed to users when they try to access a protocol to which they are denied access. This message balloon is shown in the notification area of the taskbar on client computers. To enable or disable the Protocols blocked message, right-click Protocols blocked message and then click Properties, or d
70. 4. In the Merge Interval dialog box, in the Merge Interval box, type or select the number of minutes for the merge interval. 5. Click OK. Task: Rebuild the full-text index immediately. You can completely rebuild the full-text index immediately. To rebuild the full-text index immediately: 1. In the console tree, expand DeviceLock Content Security Server. 2. Under DeviceLock Content Security Server, right-click Search Server, and then click Create New Index. If the index already exists and you choose to create a new index, the following message box is displayed: "Do you want to create the new index and overwrite the existing one?" with the buttons Yes (Overwrite) and No (Append). In the message box, click Yes to completely rebuild the full-text index immediately. Click No to update the existing full-text index with changes immediately. Task: Update the existing index immediately. If new data is added to DeviceLock Enterprise Server and you want to update the existing full-text index with these changes immediately, use the following procedure. To update the existing index immediately: 1. In the console tree, expand DeviceLock Content Security Server. 2. Under DeviceLock Content Security Server, right-click Search Server, and then click Index Now. During an update operation, Search Server does not perform a full rebuild of the index. It indexes only new data on DeviceLock Ente
71. There is not much difference between the service's shadow log viewer and the server's shadow log viewer, so first see Shadow Log Viewer (Service). In comparison with the service's shadow log viewer, the server's viewer has only two additional columns: Computer: the name of the computer from which shadow logs were received. Received Date/Time: the date and time when a record was received by DeviceLock Enterprise Server. Also, unlike the service's shadow log viewer, when you delete a record in the server's viewer, the record's binary data is removed from the database or from the disk (it depends on the Store shadow files in SQL Server flag), but all other information (such as the file name and size, user name, date/time, process and so on) is moved to the special log called Deleted Shadow Data Log. This Deleted Shadow Data Log is used when you do not need the content of the shadow data anymore and you want to clean up storage (either SQL Server or the disk), but you need to keep information about the data
Content Aware Rules for Protocols (Regular Profile)

| PROTOCOL | ACCESS RIGHTS | DESCRIPTION |
|---|---|---|
| FTP | Generic: Outgoing Files | Controls whether the user can upload files with specified content to an FTP server. |
| FTP | SSL: Outgoing Files | Controls whether the user can upload files with specified content to an FTP server using FTPS. |
| HTTP | Generic: POST Requests | Controls whether the user can submit Web form data with specified content to a Web server using HTTP. |
| HTTP | Generic: Outgoing Files | Controls whether the user can upload files with specified content to a Web server using HTTP. |
| HTTP | SSL: POST Requests | Controls whether the user can submit Web form data with specified content to a Web server using HTTPS. |
| HTTP | SSL: Outgoing Files | Controls whether the user can upload files with specified content to a Web server using HTTPS. |
| ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, Windows Messenger, Yahoo Messenger | Generic: Outgoing Messages | Controls whether the user can send instant messages with specified content. |
| ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, Windows Messenger, Yahoo Messenger | SSL: Outgoing Messages | Controls whether the user can send instant messages with specified content using SSL. |
| SMTP, Web Mail | Generic: Outgoing Messages | Controls whether the user can send e-mail messages with specified content. |
| SMTP, Web Mail | Generic: Outgoing Files | Controls whether the user can send e-mail attachments with specified content. |
| SMTP, Web Mail | SSL: Outgoing Messages | Controls |
- Example 1: Using Content Aware Rules for access control operations. You can allow certain users or groups to read files containing the phrase "not for distribution" from Removable, Floppy and CD/DVD devices, but prevent them from writing files containing more than one credit card number to Removable and Floppy devices.
- Example 2: Using Content Aware Rules for shadow copy operations. You can specify that only files containing credit card numbers, Social Security numbers, the words Secret, Confidential and Restricted, and the phrases Top Secret and For Official Use Only will be shadow copied, for security auditing and incident investigation purposes.

Note: You can define different online vs. offline Content Aware Rules for the same user or set of users. Online Content Aware Rules (Regular Profile) apply to client computers that are working online. Offline Content Aware Rules (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline Content Aware Rules, see Managing Offline Content Aware Rules for Devices.

Content Aware Rules for Access Control Operations

When Content Aware Rules apply to access control operations, they control read, write and delete op
Defining and Changing Security Settings ... 363
Undefining Security Settings ... 363
DeviceLock Reports ... 365
  Report Categories and Types ... 365
  Audit Log Reports ... 366
  Shadow Log Reports ... 370
  Configuring E-mail Delivery of Reports ... 372
  Setting Default Format for Reports ... 374
  Defining Report Parameters ... 374
  Report Options Dialog Box ... 375
  Managing Reports ... 380
  Running Reports ... 380
  Refreshing Reports ... 381
  Viewing Reports ... 382
  Viewing Report Parameters ... 382
  Exporting and Saving Reports ... 383
  Sending Reports Through E-mail ... 384
  Deleting Reports ... 384
DeviceLock Security Policies: Offline Profile ... 386
  Configuring Offline Mode Detection Settings ... 387
  Switching Between Online and Offline Mode ... 389
  Managing Offline Security Policies for Devices
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.
4. In the upper pane of the Content Aware Rules dialog box, under Content Database, select the built-in group you want to view and then click View Group.

Duplicating Built-in Content Groups

You cannot edit the built-in content groups, but you can create editable copies (duplicates) of them and adapt those to your organization's needs.

To duplicate a built-in content group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules and then click Manage on the toolbar.
DeviceLock Enterprise Manager provides sophisticated data filtering, enabling you to narrow a scan or comparison result to only those records that comply with your specific conditions.

[Screenshot: Active Network Monitor toolbar with Select Columns and Filter buttons]

To open the Filter Data dialog box, select Filter from the View menu or press the appropriate button on the main toolbar.

Note: The window with a scan or comparison result must be active to use data filtering.

[Screenshot: Filter Data dialog box with Field, Condition and Value columns]

- The Field column contains all the fields available in the scan or comparison result that you want to filter. You can define the AND/OR logic for each field separately:
  - AND includes only those records that comply with all defined conditions. For example, Process = explorer.exe AND PID = 3764 retrieves all data where both the Process is explorer.exe and the PID is 3764. It does not include data where the Process is explorer.exe and the PID is not 3764, or where the PID is 3764 but the Process is not explorer.exe.
  - OR includes all records that comply with at least one condition. For example, Process = explorer.exe OR PID = 3764 retrieves all data that satisfies one or both conditions: where the Process is explorer.exe, no matter what the PID is, or where the PID is 3764, no matter what the Process is.
- The Condition column contains a list of logical operatio
A Temporary White List works like a device white list, with the distinction that a network connection is not required to add devices and grant access to them.

Note: Using a Temporary White List, it is possible to grant access to USB devices that are blocked on both levels: the USB port level and the type level. If a white-listed device (for example, a USB flash drive) belongs to both levels (USB and the Removable type), the permissions (if any) for the type level are ignored, as are those for the USB level.

Creating and activating a Temporary White List is a matter of following these step-by-step instructions:
1. The administrator generates a cryptographic certificate (DeviceLock Certificate) using the Certificate Generation Tool. A DeviceLock Certificate consists of two keys: private and public.
2. The administrator deploys the DeviceLock Certificate (the public key) to a user's computer. This enables the Temporary White List on the user's computer.
3. When a user needs to access some USB device, he or she runs the Temporary White List Authorization Tool from the Windows Control Panel. The user then selects the particular device from a list, and a textual/numeric code (Device Code) is generated. The user can provide this code to the DeviceLock administrator over the phone or via an Internet chat session.
4. The administrator then runs the DeviceLock Signing Tool, loads the corresponding Dev
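The four steps above describe a challenge/response protocol: the endpoint trusts a public key, the user reads a device-bound code to the administrator, and only the holder of the private key can turn that code into something the endpoint accepts. The model below, written for this page and not DeviceLock's own code, shows both sides of the exchange with Ed25519 from the Go standard library. The page does not publish the Device Code or unlock code formats, so the encodings (base32 of a truncated SHA-256 for the code, base32 of the signature for the reply), the device instance ID and the one-shot bookkeeping are assumptions. The design consequence is worth keeping in mind when deploying the real product: a temporarily white-listed device bypasses both the USB-level and the type-level permissions, and whoever holds the private key can authorize any device on every computer that trusts that certificate, so only the public key belongs on user computers.

```go
// Model of the DeviceLock Temporary White List authorization flow.
// Added example, not DeviceLock's own code: the page does not publish the
// Device Code or unlock code formats, so the encodings here are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// Certificate stands in for the DeviceLock Certificate. Only the public key is
// deployed to user computers; the private key stays with the administrator.
type Certificate struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// GenerateCertificate is the Certificate Generation Tool step.
func GenerateCertificate() (Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{Public: pub, Private: priv}, nil
}

// Endpoint is the user's computer with the public key deployed and a record of
// the device codes it has issued but not yet redeemed.
type Endpoint struct {
	Public  ed25519.PublicKey
	pending map[string]bool
}

func NewEndpoint(pub ed25519.PublicKey) *Endpoint {
	return &Endpoint{Public: pub, pending: make(map[string]bool)}
}

// RequestCode is the Temporary White List Authorization Tool step: the user
// picks a device and gets a short code, bound to that device and a fresh
// nonce, to read to the administrator. Assumed encoding: base32 of the first
// 10 bytes of SHA-256(device instance ID || nonce).
func (e *Endpoint) RequestCode(deviceID string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sum := sha256.Sum256(append([]byte(deviceID+"\x00"), nonce...))
	code := b32.EncodeToString(sum[:10])
	e.pending[code] = true
	return code, nil
}

// Authorize is the DeviceLock Signing Tool step: the administrator signs the
// device code with the private key and reads the unlock code back to the user.
func Authorize(cert Certificate, deviceCode string) string {
	return b32.EncodeToString(ed25519.Sign(cert.Private, []byte(deviceCode)))
}

// Unlock checks the unlock code against the deployed public key and against
// the codes this computer actually issued. A code signed for another device,
// a replayed code, or one signed by anyone without the private key is refused.
func (e *Endpoint) Unlock(deviceCode, unlockCode string) error {
	if !e.pending[deviceCode] {
		return errors.New("device code was not issued by this computer")
	}
	sig, err := b32.DecodeString(strings.ToUpper(unlockCode))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed unlock code")
	}
	if !ed25519.Verify(e.Public, []byte(deviceCode), sig) {
		return errors.New("unlock code was not signed with the DeviceLock Certificate")
	}
	delete(e.pending, deviceCode) // one-shot: the device is now temporarily white-listed
	return nil
}

func main() {
	cert, _ := GenerateCertificate()
	pc := NewEndpoint(cert.Public)
	code, _ := pc.RequestCode(`USB\VID_0781&PID_5567\4C530001`) // constructed device instance ID
	fmt.Println("device code :", code)
	unlock := Authorize(cert, code)
	fmt.Println("unlock code :", unlock)
	fmt.Println("unlocked    :", pc.Unlock(code, unlock) == nil)
}
```

The nonce in RequestCode is what stops a reply from being reused: the same device on the same computer produces a different Device Code every time, so an unlock code read out once cannot be replayed later, and a code signed for one device is rejected on another.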
(continued from previous page)
- Audit Read: ... flags (Read, DirectRead, Eject, DirList) are written to the audit log.
- Audit Write/Print: Open, Device Access and Direct Access events and flags (Write, Del, DirectWrite) are written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy
- Shadowing Write/Print: CD/DVD images in the CUE format and/or files are written to the shadow log.
- Shadowing Write Non-files

DEVICE TYPE: FireWire port
- Audit Read: Insert, Remove and Device Access actions and device names are written to the audit log.
- Audit Write/Print: Insert, Remove and Device Access actions and device names are written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy, Shadowing Write/Print, Shadowing Write Non-files

DEVICE TYPE: Floppy
- Audit Read: Open, Mount, Unmount and Direct Access actions, file names and flags (Read, DirectRead, Eject, DirList) are written to the audit log.
- Audit Write/Print: Open, Open/Create, Overwrite/Create, Direct Access, Delete, Rename and Create New actions, file names and flags (Write, DirectWrite, Format, Del, DirCreate) are written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy
- Shadowing Write/Print: Files are written to the shadow log.
- Shadowing Write Non-files

DEVICE TYPE: Hard disk
- Audit Read: Open, Mount, Unmount and Direct Acces
Filter from the context menu of the Monitoring Log Viewer, or press the appropriate button on the toolbar.

[Screenshot: Filter dialog box with Include and Exclude tabs; Event types: Success, Warning, Information, Error; fields Computer name, Task name, Information, Server, Event ID; From: First Record; To: Last Record; Enable filter check box]

There is no significant difference between defining an Audit Log Filter and a Monitoring Log Filter, so for more information see Audit Log Filter (Service).

When the filter is active, you can define its condition by entering values into the following fields:
- Success: specifies whether to filter events of the Success class.
- Information: specifies whether to filter events of the Information class.
- Warning: specifies whether to filter events of the Warning class.
- Error: specifies whether to filter events of the Error class.
- Computer Name: the text that matches a value in the Monitoring Log Viewer's Computer Name column. This field is not case-sensitive, and you may use wildcards. You can enter multiple values separated by a semicolon.
- Task Name: the text that matches a value in the Monitoring Log Viewer's Task Name column. This field is not case-sensitive, and you may use wildcards. You can enter multiple values separated by a semicolon.
- Information: the text that matches a value in the Monitoring Log Viewer's Information column. This
  Applies to the Floppy and Removable device types.
- Generic Write: Controls whether the user can write specified content to a device. Applies to the Floppy and Removable device types.
- Generic Read/Write: Controls whether the user can read and write specified content from and to a device. Applies to the Floppy and Removable device types.
- Encrypted Read: Controls whether the user can read specified content from an encrypted device. Applies only to the Removable device type.
- Encrypted Write: Controls whether the user can write specified content to an encrypted device. Applies only to the Removable device type.
- Encrypted Read/Write: Controls whether the user can read and write specified content from and to an encrypted device. Applies only to the Removable device type.

Note: Generic access rights specified for the Removable device type apply only to unencrypted devices. Encrypted access rights specified for the Removable device type apply only to encrypted devices. To specify access rights for both encrypted and unencrypted Removable devices, you must specify both Generic and Encrypted access rights; a rule that defines only Generic rights places no restriction on the same content written to an encrypted Removable device. For detailed information on devices that DeviceLock Service recognizes as encrypted devices, see Encryption.

The following table shows how different device-type-level and file-level permissions affect the state of a permission for a user account. Device-type-level permissions are permissions set for a device type. File-level permissions are permissions
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click Content Aware Rules and then click Undefine Offline.

The offline state of Content Aware Rules changes to Not Configured. When you select Content Aware Rules in the console tree, the details pane displays the following message: "Offline Content Aware Rules are not configured."

Removing Offline Content Aware Rules

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock lets you block the inheritance of higher-level offline Content Aware Rules and enforce regular Content Aware Rules on specific lower-level groups of client computers. To enforce regular Content Aware Rules, you must remove the offline Content Aware Rules.

To remove offline Content Aware Rules:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy M
(continued from previous page)
- Audit Read: Open, Device Access and Direct Access actions and flags (Read, DirectRead) are written to the audit log.
- Audit Write/Print: Open, Device Access and Direct Access actions and flags (Write, DirectWrite) are written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy, Shadowing Write/Print, Shadowing Write Non-files

DEVICE TYPE: USB port
- Audit Read: Insert, Remove and Device Access actions and device names are written to the audit log.
- Audit Write/Print: Insert, Remove and Device Access actions and device names are written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy, Shadowing Write/Print, Shadowing Write Non-files

DEVICE TYPE: WiFi
- Audit Read: the Device Access action is written to the audit log.
- Audit Write/Print: the Device Access action is written to the audit log.
- Audit Execute, Audit Read Non-files, Audit Write Non-files, Audit Copy, Shadowing Write/Print, Shadowing Write Non-files

DEVICE TYPE: Windows Mobile
- Audit Read: Read File, Get File Attributes, Create New File, Overwrite/Create File, Open File and Open/Create File actions, file names and flags are written to the audit log.
- Audit Write/Print: Write File, Delete File, Rename File, Create File, Create New File, Overwrite/Create File, Open File, Open/Create File, Overwrite, Set File At
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.

   [Screenshot: Content Aware Rules dialog box; the Content Database pane lists built-in groups such as ABA Routing Number (Pattern), Acquisition Keywords, Admission/Discharge Keywords, Adult Keywords, American Address Keywords, American Name Keywords, Archives (File Type Detection), Audio, Video & Flash (File Type Detection)]

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click File Type Detection.
   The Add File Type Detection Group dialog box appears.

   [Screenshot: Add File Type Detection Group dialog box listing detectable file types by extension and description]
- ... Outlook Express (entry continued from the previous page)

Built-in File Type Detection groups (continued):
- Audio, Video & Flash
- BlackBerry
- Common Object File Format (COFF)
- Database
- Executable
- Fax Documents
- FileMaker Pro
- Fonts
- Help Files
- Images, CAD & Drawing
- Lotus SmartSuite
- MS Access
- MS Excel
- MS InfoPath
- MS Money
- MS OneNote
- MS PowerPoint
- MS Project
- MS Publisher
- MS Visio
- MS Windows Installer
- MS Windows Memory Dump
- MS Word
- MS Works
- OpenOffice/StarOffice/OpenDocument, etc.
- PDF, PostScript & XPS Documents
- QuickBooks, Quicken, TurboTax & etc.
- Rich Text Format
- Security Certificates
- Text, HTML & XML
- Virtual Machines
- WordPerfect Office

Note: Content Aware Rules support the Word To Go, Sheet To Go and Slideshow To Go formats for Palm devices. The Word To Go format is included in the MS Word and Rich Text Format built-in content groups. The Sheet To Go format is included in the MS Excel built-in content group, while the Slideshow To Go format is included in the MS PowerPoint built-in content group. Microsoft Word or Rich Text Format (RTF) files, Excel files and PowerPoint files can be transferred to a Palm device using the Documents To Go application. Documents To Go converts these files to special formats: Word and RTF files are converted to Word To Go format, Excel files are converted to Sheet To Go format, and PowerPoint files are converted to Slideshow To Go format. The converted files are automatically do
[Screenshot: Security tab of a GPO listing domain security groups, with Permissions (Full Control, Read, Write, Create All Child Objects, Delete All Child Objects, Apply Group Policy) and Allow/Deny check boxes for each]

Click the Deny check box next to Apply Group Policy for the security groups that you want to prevent from having this policy applied. Click the Allow check box for the groups to which you want to apply this policy. Deny takes precedence over Allow, so a user or computer that is a member of both an allowed and a denied group does not receive the policy. When you are finished, click OK.

- Assign a Package

To assign DeviceLock Service to computers that are running Windows 2000 or later:
1. Open the group policy object that you need in the Windows Group Policy Object editor (use either the Group Policy Management or the Active Directory Users and Computers snap-in).
2. Under Computer Configuration, expand Software Settings.
3. Right-click Software installation, point to New, and then click Package.
4. In the Open dialog box, type the full Universal Naming Convention (UNC) path to the shared folder that contains the DeviceLock Service MSI package, for example \\file_server\share\DeviceLock Service.msi.
   Important: Do not browse to the location. Ensure that you use the UNC path to the shared folder.
5. Click Open.
6. Click Assigned, and then click OK.

The package is listed in the right pane of the Group Policy window.
  ... Rules ... 323
  Copying Content Aware Rules ... 324
  Exporting and Importing Content Aware Rules ... 326
  Undefining Content Aware Rules ... 328
  Deleting Content Aware Rules ... 328
Protocols (Regular Profile) ... 330
  Managing Permissions for Protocols ... 331
  Setting and Editing Permissions ... 335
  Undefining Permissions ... 337
  Managing Audit and Shadowing Rules for Protocols ... 338
  Defining and Editing Audit and Shadowing Rules ... 346
  Undefining Audit and Shadowing Rules ... 348
  Managing Protocols White List ... 349
  Defining Protocols White List ... 353
  Editing Protocols White List ... 356
  Copying Rules of Protocols White List ... 357
  Exporting and Importing Protocols White List ... 358
  Undefining Protocols White List ... 360
  Deleting Rules of Protocols White List ... 361
  Managing Security Settings for Protocols ... 362
Rules and then click Undefine.

Deleting Content Aware Rules

You can delete individual Content Aware Rules when they are no longer required.

To delete a Content Aware Rule:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Expand Content Aware Rules, right-click the user or group to which the rule is applied, and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted.
   OR
   - Expand Content Aware Rules and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group and then click Delete.
   OR
   - Right-click Content Aware Rules and then click Manage. In the lower left pane of the Content Aware Rules dialog box, under Users, select the user or group to which the r
Shadow Log Viewer.
- File Size: the size of the data. This value matches the value in the File Size column of the server's Shadow Log Viewer.
- User: the name of the user who transferred the data. This value matches the value in the User column of the server's Shadow Log Viewer.
- PID: the identifier of the process used to transfer the data. This value matches the value in the PID column of the server's Shadow Log Viewer.
- Process: the fully qualified path to the process executable file. In some cases the process name may be displayed instead of the path. This value matches the value in the Process column of the server's Shadow Log Viewer.

The following information is displayed in Log Parameters for a result retrieved from the Server Log:
- Type: the class of the event (Success, Information, Warning or Error). This value matches the value in the Server Log Viewer's Type column.
- Date/Time: the date and time when the event occurred. This value matches the value in the Server Log Viewer's Date/Time column.
- Event: the number identifying the event type. This value matches the value in the Server Log Viewer's Event column.
- Information: event-specific information, such as error or warning descriptions, names and values of changed parameters, and so on. This value matches the value in the Server Log Viewer's Information column.
- Server: the name of the server where the event occurred. This value matches the value in the Server Log Viewer
[Screenshot: Group Policy tree: Computer Configuration > Software Settings > Software installation, Windows Settings, SmartLine DeviceLock, Administrative Templates; User Configuration > Software Settings, Windows Settings]

Note: Usually, when you upgrade, the new DeviceLock Service MSI package detects its previously assigned package in the GPO and automatically performs steps 7 and 8 described above.

- Redeploy a Package

In some cases you may want to redeploy DeviceLock Service.

To redeploy a package:
1. Open the group policy object that contains the deployed package in the Windows Group Policy Object editor (use either the Group Policy Management or the Active Directory Users and Computers snap-in).
2. Expand the Software Settings container that contains the Software installation item with which you deployed the package.
3. Click the Software installation container that contains the package.
4. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Redeploy application.
5. The following message is displayed: "Redeploying this application will reinstall the application everywhere it is already installed. Do you want to continue?" Click Yes.
6. Close the Windows Group Policy Object editor.

- Remove a Package

To remove DeviceLock Service:
1. Open the group policy object that contains the deployed package in the Windows Group Policy Object editor (use either the Group Policy Management or the Active Direct
standard event logging subsystem and writes audit records to the Windows event log.

DeviceLock supports data shadowing: the ability to mirror all data copied to external storage devices, transferred through serial and parallel ports, or transmitted over the network. A full copy of the files can be saved into the SQL database. Shadowing, like auditing, can be defined on a per-user basis.

Moreover, the DeviceLock data shadowing function is compatible with the National Software Reference Library, maintained by the National Institute of Standards and Technology (NIST), and with the HashKeeper database, designed and maintained by the U.S. DOJ National Drug Intelligence Center (NDIC).

The data logged by DeviceLock can be checked against hash databases (collections of digital signatures of known, traceable data) and used in computer forensics. You may also create your own database of digital signatures (SHA-1, MD5 and CRC32 are supported) of critical files and then use it for tracing purposes. For example, you can trace which users are copying signatured files, at what time, and with which devices. For information on how to use hash databases in cooperation with DeviceLock, please contact our technical support team. More information about hash databases and their samples can be found at the National Software Reference Library's Web site: http://www.nsrl.nist.gov.

DeviceLock also provides instant searching of text across shadowed files a
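The tracing use case in the paragraph above (fingerprint each shadowed file with the three supported hash types and match it against a signature database to see who copied a known file, when, and to which device) is easy to get wrong in one respect: the three hashes are not equally trustworthy. The example below, written for this page and not DeviceLock's own code, computes SHA-1, MD5 and CRC32 over shadow copies and looks them up, preferring the SHA-1 match and reporting which hash produced the hit, because CRC32 collisions are trivial to construct and MD5 is no longer collision-resistant, so a hit on either of those alone is a lead to investigate rather than proof. The hash set, the shadow log rows and the file contents are constructed for the demonstration; real shadow data would come from the Shadow Log Viewer or the SQL database.

```go
// Checking shadowed files against a hash database, as the Overview describes.
// Added example (not DeviceLock's own code): the hash set and the shadow log
// records below are constructed for the demonstration.
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"strings"
)

// Digests holds the three hash types the Overview lists (SHA-1, MD5, CRC32), lower-case hex.
type Digests struct{ SHA1, MD5, CRC32 string }

// Fingerprint computes all three digests of a file's content.
func Fingerprint(data []byte) Digests {
	s := sha1.Sum(data)
	m := md5.Sum(data)
	return Digests{
		SHA1:  hex.EncodeToString(s[:]),
		MD5:   hex.EncodeToString(m[:]),
		CRC32: fmt.Sprintf("%08x", crc32.ChecksumIEEE(data)),
	}
}

// HashDB is a signature database indexed by every supported digest, so an
// import that only carries one of the weaker hashes can still be matched.
type HashDB struct {
	bySHA1, byMD5, byCRC32 map[string]string // digest -> file label
}

func NewHashDB() *HashDB {
	return &HashDB{map[string]string{}, map[string]string{}, map[string]string{}}
}

// Add registers the content of a critical file under a label.
func (db *HashDB) Add(label string, content []byte) {
	d := Fingerprint(content)
	db.bySHA1[d.SHA1], db.byMD5[d.MD5], db.byCRC32[d.CRC32] = label, label, label
}

// Lookup prefers the SHA-1 match and falls back to MD5, then CRC32, and says
// which one matched: a CRC32-only hit is a lead, not proof, since CRC32
// collisions are trivial to produce.
func (db *HashDB) Lookup(d Digests) (label, via string, ok bool) {
	if l, found := db.bySHA1[strings.ToLower(d.SHA1)]; found {
		return l, "SHA-1", true
	}
	if l, found := db.byMD5[strings.ToLower(d.MD5)]; found {
		return l, "MD5", true
	}
	if l, found := db.byCRC32[strings.ToLower(d.CRC32)]; found {
		return l, "CRC32", true
	}
	return "", "", false
}

// ShadowRecord is the subset of a shadow log row needed for tracing.
type ShadowRecord struct {
	User, Device, DateTime, FileName string
	Content                          []byte // the shadow copy itself
}

// Trace reports who copied a signatured file, when, and to which device.
// Matching is by content, so a renamed copy is still found.
func Trace(db *HashDB, log []ShadowRecord) []string {
	var hits []string
	for _, r := range log {
		if label, via, ok := db.Lookup(Fingerprint(r.Content)); ok {
			hits = append(hits, fmt.Sprintf("%s copied %q (%s, matched by %s) to %s at %s",
				r.User, r.FileName, label, via, r.Device, r.DateTime))
		}
	}
	return hits
}

func main() {
	db := NewHashDB()
	db.Add("Q3 forecast (confidential)", []byte("constructed contents of forecast.xlsx"))
	log := []ShadowRecord{ // constructed shadow log rows
		{`CORP\jsmith`, "Removable (E:)", "2011-05-03 17:49:00", "notes.txt", []byte("lunch ideas")},
		{`CORP\jsmith`, "Removable (E:)", "2011-05-03 17:46:15", "q3.xlsx", []byte("constructed contents of forecast.xlsx")},
	}
	for _, h := range Trace(db, log) {
		fmt.Println(h)
	}
}
```

To use this against real data, build the HashDB from the NSRL or HashKeeper export (or from your own list of critical files) and feed Trace the shadow copies exported from the server; the "matched by" field tells the investigator whether the hit rests on SHA-1 or only on one of the weaker checksums.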
The following procedure describes how to create your own Complex group.

To create a Complex group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.

   [Screenshot: Content Aware Rules dialog box with the Content Database pane (Pattern, Keywords and File Type Detection groups) and the Users and Rules panes]

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Complex.
   The Add Complex Group dialog box appears.

   [Screenshot: Add Complex Group dialog box]

5. In the Add Complex Group dialog box, do the following:
Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the Media White List, and then click OK.
   The users and groups that you added are displayed under Users in the lower left pane of the Media White List (Offline) dialog box.
   To delete a user or group, in the lower left pane of the Media White List (Offline) dialog box, under Users, select the user or group and then click Delete or press the DELETE key.
   In the lower left pane of the Media White List (Offline) dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.
   In the upper pane of the Media White List (Offline) dialog box, under Media Database, select the medium you want to add to the white list for the selected user or group, and then click Add. You can select multiple media by holding down the SHIFT key or the CTRL key while clicking them.
   The media that you added to the white list are displayed under Media in the lower right pane of the dialog box.
   To delete a medium from the white list for the selected user or group, in the lower right pane of the Media White List (Offline) dialog box, under Media, do the following:
   - Select the medium and then click Delete.
   OR
   - Right-click the medium and then click Delete.
   To edit a medium's description for the selected user or group, in the
Web Mail. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP-address-to-host-name resolution fails, the host name is not written to the log.
- Audit Outgoing Messages / Outgoing Files: Enables audit logging of user attempts to send an e-mail message, with or without attachments. The Outgoing Message action, the name of the e-mail provider (such as Yahoo, Gmail, Hotmail, etc.), the e-mail addresses of the sender and recipients, and the IP address with the port number and the name of the host are written to the log. The sender address precedes the recipient addresses: sender > recipient1, recipient2.
- Shadowing Outgoing Messages / Outgoing Files: Enables shadow copying of sent e-mail messages, with or without attachments. Shadow copies of sent e-mail messages, with or without attachments, are written to the log as .eml files. You can, for example, open .eml files in Microsoft Outlook Express, in Windows Mail and in Mozilla Thunderbird.

Note: Webmail services automatically save drafts of messages. DeviceLock handles saving a draft as sending a message.

Windows Messenger
- Audit Connection: Enables audit logging of user attempts to connect to the Windows Messenger server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP-address-to-host-name resolution fails, the host name is not written to the
White Lists for the same user or set of users. For information about how to define the online Protocols White List, see Managing Protocols White List.

Editing Offline Protocols White List

You can modify the parameter values specified for an offline white list rule at any time.

To edit an offline white list rule:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click White List, click Manage Offline, and then do the following:
   a. In the left pane of the Protocols White List (Offline) dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the white list rules applied to them under Rules in the right pane of the dialog box.
   b. In the right pane of the Protocols White List (Offline) dialog box, under Rules, select the rule you want to edit and then click Edit.
   OR
   Right-click the rule and then click Edit.
WiFi devices with any type of connection interface (USB, PCMCIA, etc.) to the computer.
Note: Using the WiFi type, you can control user access to the hardware device, but not to the network.

Windows Mobile: the type level includes all Windows Mobile devices with any type of connection interface (USB, COM, IrDA, Bluetooth, WiFi) to the computer. DeviceLock controls Windows Mobile devices that work with a PC through the Windows Mobile Device Center (WMDC) or the Microsoft ActiveSync application, or its API.

You can define different online vs. offline permissions for the same user or set of users. Online permissions (Regular Profile) apply to client computers that are working online. Offline permissions (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to set offline permissions, see Managing Offline Permissions.

To set online (regular) permissions for a device type, highlight it (use Ctrl and/or Shift to select several types simultaneously) and select Set Permissions from the context menu available by a right mouse click. Alternatively, you can press the appropriate button on the toolbar.

[Screenshot: Permissions dialog box showing Device Type(s), Computer name, and the Users list with per-user rights]
96. a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content Aware Rules, and then click Manage. OR
   • Select Content Aware Rules, and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.

(Screenshot: Content Aware Rules dialog box, with the Content Database pane listing the built-in content groups by Description and Type.)

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click Complex. The Add Complex Group dialog box appears.
5. In the Add Complex Group dialog box, do the following:
97. a semicolon.
• From: specifies the beginning of the interval of events that you want to filter. Select First Event to see events starting with the first event recorded in the log. Select Events On to see events that occurred starting with a specific time and date.
• To: specifies the end of the range of events that you want to filter. Select Last Event to see events ending with the last event recorded in the log. Select Events On to see events that occurred ending with a specific time and date.

The AND logic is applied to all specified fields and between active filters (Include/Exclude). It means that the filter's result includes only those records that comply with all defined conditions. If you do not want to include a field in the filter's condition, just leave this field empty.

For some fields, you can use wildcards. A wildcard is a character (such as an asterisk (*) or a question mark (?)) that is used to represent one or more characters when you are defining a filter. Use the asterisk as a substitute for zero or more characters. If you are looking for a name that you know starts with "win" but you cannot remember the rest of the name, type the following: win*. This locates all names that begin with "win", including Windows, Winner, and Wind. Use the question mark as a substitute for a single character in a name. For example, if you type win?, you will locate Wind but not Windows or Winner.
98. all internal and external floppy drives with any connection interface (IDE, USB, PCMCIA, etc.). It is possible that some nonstandard floppy drives are recognized by Windows as removable devices; in this case, DeviceLock treats such floppy drives as the Removable type as well.

Hard disk (type level) includes all internal hard drives with any connection interface (IDE, SATA, SCSI, etc.). DeviceLock treats all external USB, FireWire, and PCMCIA hard drives as the Removable type. Also, DeviceLock treats as Removable some internal hard drives (usually SATA and SCSI) if they support the hot plug feature and Windows is not installed and running on them.

Note: Even if you deny access to the Hard disk type, users with local administrative privileges (the SYSTEM user and members of the local Administrators group) still can access the partition where Windows is installed and running.

Infrared port (interface level) includes all devices that can be connected to the computer via the infrared (IrDA) port.

iPhone (type level) includes all iPhone, iPod Touch, and iPad devices. DeviceLock controls iPhone, iPod Touch, and iPad devices that are working with a PC through the iTunes application or its API.

Palm (type level) includes all Palm OS devices with any type of connection interface (USB, COM, IrDA, Bluetooth, WiFi) to the computer. DeviceLock controls Palm OS devices that are working with a PC through the HotSync application.

Parallel port
99. an unsupported format: the database specified in the Database name parameter already exists but is outdated. This existing database has an unsupported format, so it can't be automatically upgraded to the new format. You should either use another database or create a new one.
• DeviceLock Database has a format that is not supported by the current server version: the database specified in the Database name parameter already exists, but it was created by a more recent version of DeviceLock Enterprise Server. You should either use the latest version of DeviceLock Enterprise Server, use another database, or create a new one.

Also, some of the SQL Server connection errors described above may be displayed here as well.

Use the Back button to return to the previous page of the wizard and make the necessary changes. If there are no errors, press the Finish button to close the wizard and continue the installation process.

As soon as Setup has installed DeviceLock, it prompts you to point your default Internet browser to the DeviceLock Web site.

(Screenshot: DeviceLock Setup, Installation Wizard Completed page, with the Open DeviceLock home page check box.)

Clear the Open DeviceLock home page check box if you do not want to visit the DeviceLock Web site. Click Finish to fi
100. and Audit Examples

(Screenshot: Add Complex Group dialog box. Description: Credit cards, SSN, images, password protected documents and archives. Criteria: an expression combining the US Social Security Number, Password protected documents and archives, Credit Card Number, and Images (CAD & Drawing) groups.)

   d. Click OK.
   The new content group you created is added to the existing list of content groups under Content Database in the Content Aware Rules for Devices dialog box. This group will be used to control access to files containing more than 1 credit card number, password protected documents and archives, files containing more than 1 Social Security number, and images containing a large amount of text.

In the Content Aware Rules for Devices dialog box, do the following:
   a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box, type Everyone, and then click OK.
   b. Under Users, select Everyone. Under Content Database, select the Complex Group 1 content group, and then click Add.

In the Add Rule dialog box, do the following:
   a. Under Applies to, select the Permissions check box.
   b. Under Device Type(s), select the Floppy and Removable check boxes.
   c. Under Action(s), select the Deny check box next to Write.

(Screenshot: Add Rule dialog box.)
101. and Tasks)
• Microsoft Outlook Express 5 and 6 (.dbx message stores)
• Microsoft PowerPoint (.ppt)
• Microsoft PowerPoint 2007 and 2010 (.pptx)
• Microsoft Rich Text Format (.rtf)
• Microsoft Searchable Tiff (.tiff)
• Microsoft Word for DOS (.doc)
• Microsoft Word for Windows (.doc)
• Microsoft Word 2003 XML (.xml)
• Microsoft Word 2007 and 2010 (.docx)
• Microsoft Works (.wks)
• MP3 (metadata only) (.mp3)
• Multimate Advantage II (.dox)
• Multimate version 4 (.doc)
• OpenOffice versions 1, 2, and 3 documents, spreadsheets, and presentations (.sxc, .sxd, .sxi, .sxw, .sxg, .stc, .sti, .stw, .stm, .odt, .ott, .odg, .otg, .odp, .otp, .ods, .ots, .odf) (includes OASIS Open Document Format for Office Applications)
• Quattro Pro (.wb1, .wb2, .wb3, .qpw)
• QuickTime (.mov, .m4a, .m4v)
• TAR (.tar)
• TIFF (.tif)
• TNEF (winmail.dat files)
• Treepad HJT files (.hjt)
• Unicode (UCS16, Mac or Windows byte order, or UTF-8)
• Visio XML files (.vdx)
• Windows Metafile Format (.wmf)
• WMA media files (metadata only) (.wma)
• WMV video files (metadata only) (.wmv)
• WordPerfect 4.2 (.wpd, .wpf)
• WordPerfect 5.0 and later (.wpd, .wpf)
• WordStar version 1, 2, 3 (.ws)
• WordStar versions 4, 5, 6 (.ws)
• WordStar 2000
• Write (.wri)
• XBase (including FoxPro, dBase, and other XBase-compatible formats) (.dbf)
• XML (.xml)
• XML Paper Specification (.xps)
• XSL
• XyWrite
• ZIP (.zip)

Automated protection of new documents

You can automatically apply content-based security policies to new documents as they ar
102. and iPhone from a PC. You can enable this right only if Read Files is selected in the Special Permissions group. For a Windows Mobile device, this option also requires selecting Execute from the Generic group. For iPhone, the media content type consists of the following iTunes types: Ringtones, Music, Audiobooks, Photos, Podcasts (Audio & Video), Movies, TV shows, Rented Movies.
• Write Media: to enable writing media content using Windows Media Player to a Windows Mobile device, and writing media files to a Palm device and iPhone from a PC. You can enable this right only if Write Files is selected in the Special Permissions group and, for a Windows Mobile device, if Execute is selected from the Generic group. For iPhone, the media content type consists of the following iTunes types: Ringtones, Music, Audiobooks, Photos, Podcasts (Audio & Video), Movies, TV shows, Rented Movies.
• Read Backup: to enable creating the iPhone backup by reading the device data from a PC.

Note: An iPhone device is backed up by iTunes each time users sync with iTunes (automatically on the first sync, every time they connect it to the computer). To allow synchronization to complete successfully, grant the Read Backup permission to users for the iPhone device type. Otherwise, if iTunes automatically creates an iPhone backup, the synchronization session will be interrupted. To avoid interrupting the synchronization process
103. (Screenshot: Security Settings (Offline) dialog box, listing settings such as Access control for FireWire storage devices and Access control for virtual printers (Windows 2000 and later).)

4. In the Security Settings (Offline) dialog box, select the appropriate check boxes for the Security Settings that you want to define. Once you have enabled Security Settings, you can disable them. To do so, clear the appropriate check boxes.

Note: All check boxes in the Security Settings (Offline) dialog box have three states (selected, cleared, and indeterminate) that correspond to the Enabled, Disabled, and Not Configured states of Security Settings.

5. Click OK.

Undefining Offline Security Settings

You can return the previously defined offline Security Settings to the unconfigured state. If offline Security Settings are undefined, regular Security Settings are applied to offline client computers. You can undefine Security Settings individually or collectively.

To undefine offline Security Settings individually

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console
104. and then expand Server Options.
2. Under Server Options, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click Extract text from binary, or right-click Extract text from binary, and then click Enable or Disable.

Task: Configure the full text indexing schedule

Full text indexing enables the creation and subsequent update of the full text index. You can schedule the indexing process to automatically start at a predetermined interval. The full text indexing schedule is configured based on the indexing interval. The indexing interval specifies the time interval (in minutes) between the end of one indexing process and the start of the next indexing process. The default indexing interval is 60 minutes.

To configure the full text indexing schedule

1.
2. In the console tree, expand DeviceLock Content Security Server, and then expand Server Options. Under Server Options, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click Indexing interval, or right-click Indexing interval, and then click Properties. The Indexing Interval dialog box appears.

(Screenshot: Indexing Interval dialog box, showing Computer Name and Indexing Interval (in minutes).)

4. In the Indexing Interval dialog box, in t
105. and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click Content Aware Rules, click Manage, and then do the following:
   a. In the lower left pane of the Content Aware Rules dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box.
   b. In the lower right pane of the Content Aware Rules dialog box, under Rules, select the rule you want to edit, and then click Edit. OR Right-click the rule, and then click Edit.
   OR
   Under Devices, expand Content Aware Rules, and then do the following:
   a. Under Content Aware Rules, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them in the details pane.
   b. In the details pane, right-click the rule you want to edit, and then click Edit. OR In the details pane, double-click the rule you want to edit.
   The Edit Rule dialog box appears.
4. In the Edit Rule dialog box, modify the rule properties as required to meet your needs.
5. Click OK to apply the changes.

Copying Content Aware Rules

You can perform a cut-and-paste operation, a copy-and-paste operation, or a drag-and-drop operation to reuse existing Content Aware Rules.

To copy a Content Aware Rule

1. If you us
106. box appears.

In the Report Options dialog box, accept or change the default settings, and then click OK. For information on the default settings and changing the default settings in the Report Options dialog box, see Defining Report Parameters.

While the report is being processed on DeviceLock Enterprise Server, the report execution information is displayed in DeviceLock Management Console. To view and analyze this information, in the console tree, select the report template that you used for running a new report. When you select a report template in the console tree, in the details pane you can view report execution information regarding all reports based on the selected template. Report execution information includes the following:
• User: The name of the user who ran the report.
• From Computer: The name of the computer used to run the report.
• Started: The date and time when the report began to run.
• Finished: The date and time when the report was finished.
• E-mailed: Possible values: Yes and No. Yes indicates that the report included in the e-mail delivery was successfully delivered to some or all of the intended recipients. Yes is displayed only after the sending process is complete. No indicates one of the following: The report is not included in the e-mail delivery. OR The report included in the e-mail delivery did not reach all of the intended recipients. If an error occurs during the e-mai
107. boxes to disable all rights.

(Screenshot: Permissions dialog box, showing the Users pane and the User's Rights pane with the Send/Receive Data, Outgoing Messages, and Outgoing Files rights.)

   d. Click Protocols White List. In the Protocols White List dialog box, do the following:
      a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box, type Administrators, and then click OK.
      b. Under Users, select Administrators, and then under Rules, click Add. In the Add Rule dialog box, in the Description box, specify the rule name. Next, under Web Mail services, select the Gmail check box, and then click OK.

      (Screenshot: Protocols White List dialog box, with a rule "Allow Gmail" for the Web Mail protocol under Rules.)

      c. Click OK or Apply to apply the white list settings and close the Protocols White List dialog box.
   In the Permissions dialog box, click OK or Apply.

Members of the Users group are allowed to use Dropbox

1. In the console tree, expand DeviceLock Service, and then expand Protocols.
2. Under Protocols, select Permissions.
3. In the details pane, right-click HTTP, and then click Set Permissions.
4. In the Permissions dialog box, do the following:
   a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box
108. check box next to the appropriate access rights.

In the right pane of the Permissions dialog box, you can set day and time restrictions that narrow user access to the specified protocol(s). Use the left mouse button to select days and hours when the selected user or group will have access to the specified protocol(s). Use the right mouse button to mark days and hours when the selected user or group will not have access to the specified protocol(s).

To change permissions for an existing user or group:
   1. In the upper left pane of the dialog box, under Users, select the user or group.
   2. In the lower left pane of the dialog box, under User's Rights, select or clear the Allow check box next to the appropriate access rights.

To remove an existing user or group and permissions:
   • In the upper left pane of the dialog box, under Users, select the user or group, and then click Delete or press the DELETE key.

6. Click OK or Apply.

Undefining Permissions

If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent some or all of the previously set permissions for protocols from being applied to a specific group of client computers. To do so, you need to return the previously set permissions to the unconfigured state. All undefined DeviceLock settings are ignored by client computers.

To undefine permissions

1. If you use DeviceLock Service Settings Edit
109. click Content Aware Rules, and then click Manage Offline.
3. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, click Save. The Save As dialog box appears.
4. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .cwl file. In the File name box, type the file name you want. Click Save.

When you export rules, they are saved in a file with a .cwl extension.

To import offline Content Aware Rules

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content Aware Rules, and then click Load Offline. OR
   • Select Content Aware Rules, and then click Load Offline on the toolbar. OR
   • Expand Content Aware Rules, right-click any user or group to which the rule is applied, and then click Load Offline.
110. click Delete. You can select multiple rules that you want to delete by holding down the SHIFT key or the CTRL key while clicking them.

Protocols (Regular Profile)

DeviceLock allows you to control data that is transferred over different network protocols, thus enhancing protection against unwanted information disclosure and offering additional transport-level security. With the Protocols feature, you can define policies to selectively allow or block data/file transmission via specific protocols, as well as shadow copy the transferred data. For flexibility, policies can be defined on a per-user or per-group basis.

DeviceLock provides control over the following protocols and Web applications:
• FTP (File Transfer Protocol): The Internet standard protocol for transferring files between computers. Both active mode and passive mode FTP connections are supported. FTPS (FTP over SSL) is also supported. Both implicit and explicit FTPS connections are supported.
• HTTP (Hypertext Transfer Protocol): An application-level client/server protocol used to transfer information over the World Wide Web. HTTPS (SSL over HTTP) is also supported.
• ICQ/AOL Messenger: AOL's Open System for Communication in Realtime (OSCAR) protocol used by ICQ and AOL Instant Messenger (AIM). Both non-SSL and SSL connections are supported.
• IRC (Internet Relay Chat): An Internet standard protocol that supports interactive real-time text-bas
111. click White List, and then click Manage Offline. In the left pane of the Protocols White List (Offline) dialog box, under Users, select the user or group to which the rule is applied. In the right pane of the Protocols White List (Offline) dialog box, under Rules, select the rule, and then click Delete, or right-click the rule, and then click Delete.

Undefining Offline Protocols White List

You can return the previously defined offline white list to the unconfigured state. If the offline white list is undefined, the regular white list is applied to offline client computers.

To undefine the offline Protocols White List

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click White List, and then click Undefine Offline.

The offline state of the white list changes to Not Configured. When you select White List in the console tree, in the details pane the following message is dis
112. data is stored locally and is not transferred to the server.

Anti-keylogger

These parameters allow you to tune up DeviceLock's ability to detect hardware keyloggers and to define what DeviceLock Service should do when a keylogger is found.

Hardware keyloggers are devices that record keystrokes. DeviceLock Service can detect USB keyloggers and block keyboards connected to them. Also, DeviceLock Service can block PS/2 keyloggers.

(Screenshot: DeviceLock Management Console with Service Options > Anti-keylogger selected; the details pane lists the parameters Block keyboard, Log event, Treat any USB hub as keylogger, Notify user, and PS/2 keyboard scrambling with their Enabled/Disabled state.)

Use the context menu available via a right mouse click on every parameter.

• Block keyboard: Enable this parameter to block the keyboard connected to the hardware USB keylogger when it is detected. Since DeviceLock Service starts before the user logs in to Windows, it can block the keyboard and prevent the user from typing the password.

Note: Some hardware keyloggers continue to record keystrokes even if the keyboard is blocked and not functioning in Windows. Th
113. default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline permissions for protocols, see Managing Offline Permissions for Protocols.

You can set the default permissions on protocols for both types of profiles: Regular Profile and Offline Profile. The default permissions are assigned to the Administrators and Everyone accounts. The following table lists access rights granted to these accounts by default.

PROTOCOL | ADMINISTRATORS | EVERYONE
FTP, Generic | Send/Receive Data | Send/Receive Data, Outgoing Files
FTP, SSL | Send/Receive Data | Send/Receive Data, Outgoing Files
HTTP, Generic | Send/Receive Data | Send/Receive Data, Outgoing Files
HTTP, SSL | Send/Receive Data, Outgoing | Send/Receive Data
ICQ/AOL Messenger, Generic | Send/Receive Data, Outgoing Messages | Send/Receive Data, Outgoing Messages
ICQ/AOL Messenger, SSL | Send/Receive Data, Outgoing Messages | Send/Receive Data, Outgoing Messages
IRC, Generic | Send/Receive Data, Outgoing Messages | Send/Receive Data, Outgoing Messages
IRC, SSL | Send/Receive Data, Outgoing Messages | Send/Receive Data, Outgoing Messages
Jabber, Generic | Send/Receive Data | Send
114. defined by Content Aware Rules.

FULL ACCESS (device type level):
• ALLOW READ (file level): allows read access to all content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• DENY READ (file level): denies read access to specified content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• ALLOW WRITE (file level): allows write access to all content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• DENY WRITE (file level): denies write access to specified content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• ALLOW READ + ALLOW WRITE (file level): allows read and write access to all content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• DENY READ + DENY WRITE (file level): denies read and write access to specified content; allows creation, deletion, and renaming of empty folders and zero-byte (0) files.
• ALLOW READ + DENY WRITE (file level): allows read access to all content; denies write access to specified content; allows creation

NO ACCESS (device type level):
• ALLOW READ (file level): denies read access to all but specified content; denies creation and renaming of empty folders and zero-byte (0) files.
• DENY READ (file level): denies access to a device.
• ALLOW WRITE (file level): denies write access to all but specifie
115. dialog box, under Content Database, select any custom group you want to edit or delete.

Click Edit Group to modify the selected content group. In the dialog box that opens, make the required changes, and then click OK. OR Click Delete Group or press the DELETE key to delete the selected content group.

In the Content Aware Rules dialog box, click OK or Apply to apply the changes.

Testing Content Groups

You can test any built-in or custom content group to see whether specified files match with it. By using these tests, you can verify that the rules that are created based on the content groups meet your specific business requirements.

To test a content group

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content Aware Rules, and then click Manage. OR
   • Select Content Aware Rules, and then clic
116. dialog box appears.

In the upper pane of the Content Aware Rules dialog box, under Content Database, select any content group you want to test, and then click Test Group. You can test only one group at a time. The Open dialog box appears.

In the Open dialog box, in the Look in list, click the location that contains the file you want to use for testing the specified content group. In the folder list, locate and open the folder that contains the file. Click the file, and then click Open. The Result message box is displayed. If the file matches with the specified content group, the Result message box contains the following text: "Selected file matches with the group." If the file does not match with the specified content group, the Result message box contains the following text: "Selected file does not match with the group." When testing is in progress, the console stops responding (hangs).

Managing Content Aware Rules

Managing Content Aware Rules involves the following tasks:
• Defining Content Aware Rules
• Editing Content Aware Rules
• Copying Content Aware Rules
• Exporting and importing Content Aware Rules
• Undefining Content Aware Rules
• Deleting Content Aware Rules

You can manage Content Aware Rules using DeviceLock Management Console, DeviceLock Group Policy Manager, or DeviceLock Service Settings Editor.

Defining Content Aware Rules

Content Aware Rules are created bas
117. displays data in textual format only.
• ANSI Text: Specifies ANSI encoding for text and displays data in textual format only.
• UTF-16 Text: Specifies Unicode UTF-16 encoding for text and displays data in textual format only.
• UTF-16BE Text: Specifies Unicode UTF-16 Big Endian encoding for text and displays data in textual format only.

When you are opening a large file, you can click Cancel on the progress bar to abort the opening process.

(Screenshot: Please Wait progress bar shown while the file is being saved to a temporary location.)

In this case, the viewer will show only that part of the data which was received before you aborted the opening process.

Click Save to save the data from the viewer to an external file.

External Viewer

Also, you can define the external program that will be used to view the shadow data. If such an external application is defined, External Viewer is available on the Shortcut menu. To define it, open Regedit and set the following entry on the computer where DeviceLock Management Console is running:
• Key: HKEY_CURRENT_USER\Software\SmartLine Vision\DLManager\Manager
• Name: ExternalShadowViewer
• Type: REG_SZ
• Value: <full_path_to_viewer> %1

where <full_path_to_viewer> must be replaced by the full path to the external application. If this path contains spaces, use quotation marks. For example: "C:\Program Files\Microsoft Office\OFFICE11\winword.exe"
118. drives, and so on. Some USB devices cannot be reinitialized from DeviceLock Service. It means that their drivers do not support the software replug. If such a device was white-listed but does not work, the user should remove it from the port and then insert it again manually to restart the device's driver.

To edit a device's description, select the appropriate record in USB Devices White List and click Edit.

Click Delete to delete a selected device's record (use CTRL and/or SHIFT to select several records simultaneously).

To save the white list to an external file, click Save and then select the name of the file. To load a previously saved white list, click Load and select a file that contains the list of devices.

If you need to manage the devices database, you can click USB Devices Database and open the appropriate dialog box.

Note: If you add an iPhone device to the USB Devices White List, access control is disabled for both the iPhone and its camera at the interface (USB port) level. Thus, you cannot allow access to iPhone and deny access to its camera at the interface (USB port) level. In the USB devices database, an iPhone device is identified as the Apple Mobile Device USB Driver. However, it is possible to allow access to iPhone's camera and deny access to iPhone. To do this, you can use any of the following methods:

Method 1: To allow access to iPhone's camera, add the iPhone to
119. • Managing offline Security Settings

You can manage offline security policies by using DeviceLock Management Console, DeviceLock Service Settings Editor, or DeviceLock Group Policy Manager.

Managing Offline Permissions

For a detailed description of the Permissions feature, see Permissions (Regular Profile).

Offline permissions can have one of the following states:

STATE | DESCRIPTION
Not Configured | Indicates that permissions on a device type are not set. This is the default state.
Configured | Indicates that permissions on a device type are set.
Full Access | Indicates that full access rights are granted to the Everyone account.
No Access | Indicates one of the following: • The Everyone account has No Access permissions and is the only account assigned to a device type. No Access permissions assigned to the Everyone account take priority over permissions assigned to other accounts. • All users and groups assigned to a device type have No Access permissions. • All users and groups assigned to a device type are removed.
Use Regular | Indicates that the inheritance of offline permissions is blocked and regular permissions are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular permissions is useful if you use Group Policy or DeviceLock Service Settings files
120. - Select the device and then click Delete.
OR
- Right-click the device and then click Delete.
Devices are not deleted automatically from the white list after you delete them from the USB Devices Database.

To edit a device's description, in the lower pane of the USB Devices Database dialog box, under USB Devices Database, select the device and then click Edit. If you change a device's description in the USB Devices Database, a device that has already been added to the white list keeps its old description there.

Click OK or Apply. The device that you added to the USB Devices Database is displayed under USB Devices Database in the upper pane of the USB Devices White List (Offline) dialog box.

In the lower left pane of the USB Devices White List (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Enter the object names to select box, type the names of the users or groups for which you want to define the USB Devices White List, and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the USB Devices White List (Offline) dialog box.

To delete a user or group, in the lower left pane of the USB Devices White List (Offline) dialog box, under Users, select the user or group and then click De
121. Note: On the Custom Setup page you can select the RSoP component to install. This component enables support for DeviceLock's Resultant Set of Policy planning mode on domain controllers. The RSoP component is required only when DeviceLock management consoles are installed but DeviceLock Service is not installed on the computer. For more information on RSoP planning mode, refer to the Microsoft documentation.

On the Custom Setup page you can also change the default installation directory. By default, DeviceLock is installed in %ProgramFiles%\DeviceLock. To change the installation directory, click Change to open the Change Current Destination Folder page and browse to the destination folder.

On the Ready to Install the Program page, click Install to begin the installation. Select the Add DeviceLock shortcuts to the desktop check box if you want to add DeviceLock Management Console (the MMC snap-in), DeviceLock Enterprise Manager and DeviceLock Service Settings Editor shortcuts to the desktop.
122. for a setting and a child has a non-conflicting value for the same setting
- A parent has a value for a setting and a child has a conflicting value for the same setting

If a GPO has settings that are configured for a parent Organizational Unit and the same settings are unconfigured for a child Organizational Unit, the child inherits the parent's GPO settings.

If a GPO has settings configured for a parent Organizational Unit that do not conflict with a GPO on a child Organizational Unit, the child Organizational Unit inherits the parent GPO settings and applies its own GPOs as well.

If a GPO has settings configured for a parent Organizational Unit that conflict with the same settings in another GPO configured for a child Organizational Unit, the child Organizational Unit does not inherit that specific GPO setting from the parent. The setting in the child's GPO takes priority, with one exception: if the parent disables a setting and the child makes a change to that setting, the child's change is ignored. In other words, disabling a setting is always inherited down the hierarchy.

Starting DeviceLock Group Policy Manager
DeviceLock Group Policy Manager integrates into the Windows Group Policy Object (GPO) editor. To use DeviceLock Group Policy Manager on your local PC rather than on the domain c
123. for a user or user group, set the appropriate rights:
- Full access: enables full access to DeviceLock Content Security Server. Users can change settings and run search queries.
- Change: enables change access to DeviceLock Content Security Server. Users can change settings, install and uninstall DeviceLock Content Security Server and run search queries, but they cannot add new users to the list of authorized accounts that can connect to DeviceLock Content Security Server or change access rights for existing users in this list.
- Read-only: enables read-only access to DeviceLock Content Security Server. Users can run search queries and view settings, but cannot modify anything or create a new index for Search Server.

Note: We strongly recommend that accounts included in this list have local administrator privileges, because in some instances installing, updating and uninstalling the DeviceLock Content Security Server service may require access rights to the Windows Service Control Manager (SCM) and to shared network resources.

Certificate Name
You may need to deploy the private key to DeviceLock Content Security Server if you want to enable authentication based on the DeviceLock Certificate. There are two methods of DeviceLock Content Security Server authentication on a remotely running DeviceLock Enterprise Server:
- User authentication: the DeviceLock Content Security Server service is running under the user's account
124. for which you want to set permissions. You can select multiple users or groups by holding down the SHIFT or CTRL key while clicking them.
9. In the lower right pane of the Content Aware Rules (Offline) dialog box, right-click in the Rules pane and then click Paste. The copied rule is displayed under Rules in the lower right pane of the Content Aware Rules (Offline) dialog box.
10. Click OK or Apply to apply the copied rule.

Exporting and Importing Offline Content Aware Rules
You can export all your current offline Content Aware Rules to a .cwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup.

To export offline Content Aware Rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Content Aware Rules and then click Sav
125. iTunes does not support sync of messages.
- Controls whether or not e-mail attachments with specified content written from a PC to a Windows Mobile or Palm device are shadow copied.
- Controls whether or not favorites with specified content written from a PC to a Windows Mobile device or iPhone are shadow copied.
- Controls whether or not files with specified content written from a PC to a mobile device are shadow copied. Applies to the iPhone, Palm and Windows Mobile device types.
- Controls whether or not media data with specified content written using Windows Media Player to a Windows Mobile device from a PC, and media files with specified content written to a Palm device and iPhone from a PC, are shadow copied.
- Controls whether or not iPhone backup data with specified content written from a PC to an iPhone is shadow copied.
- Controls whether or not notes with specified content written from a PC to a mobile device are shadow copied. Applies to the iPhone, Palm and Windows Mobile device types.
- Controls whether or not Pocket Access databases with specified content written from a PC to a Windows Mobile device are shadow copied.
- Controls whether or not tasks with specified content written from a PC to a mobile device are shadow copied. Applies to the Palm and Windows Mobile device types.
- Controls whether or not Palm Expense application data with specified content written from a PC to a Palm device is shadow copied.
- Controls whether or not
126. import and use on another computer. Exporting and importing can also be used as a form of backup.

To export the offline USB Devices White List:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click USB Devices White List and then click Save Offline.
   OR
   - Select USB Devices White List and then click Save Offline on the toolbar.
   OR
   - Expand USB Devices White List, right-click any user or group specified in the white list, and then click Save Offline.
   OR
   - Expand USB Devices White List and select any user or group specified in the white list. In the details pane, right-click the white-listed device and then click Save.
   OR
   - Right-click USB Devices White List and then click Manage Offline. In the lower right pane of the USB Devices White List (Offline) dialog box, under Devices, click Save.
   The Save As dialog box appears.
4. In the
127. You should run setup.exe on each computer that is to be controlled with DeviceLock Service. If you are upgrading a previous version, make sure that you have administrative access to DeviceLock Service; otherwise you will not be able to continue the installation.

You must accept DeviceLock's End User License Agreement to continue the installation process.

On the Customer Information page, type your user name and organization. On this page, under Install this application for, you can specify for whom desktop shortcuts to the DeviceLock management consoles (DeviceLock Management Console, DeviceLock Enterprise Manager and DeviceLock Service Settings Editor) will be created. You can select from the following options:
- Anyone who uses this computer (all users): creates desktop shortcuts to the DeviceLock management consoles for all users.
- Only for me: creates desktop shortcuts to the DeviceLock management consoles only for the account that is installing DeviceLock.

On the Setup type page, select the required setup type. You have two choices: install both DeviceLock Service and the DeviceLock management consoles using the Service + Consoles option, or install only DeviceLoc
128. last active exchange in the chat window or if the user quits the instant messenger. It contains an exact record of all sent messages.
- Audit Connection: enables audit logging of user attempts to connect to an SMTP server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log.
- Audit Outgoing Messages (Outgoing Files): enables audit logging of user attempts to send an e-mail message with or without attachments. The Outgoing Message action, the e-mail addresses of the sender and recipients, and the IP address with the port number and the name of the host are written to the log. The sender address precedes the recipient addresses: sender > recipient1, recipient2.
- Shadowing Outgoing Messages (Outgoing Files): enables shadow copying of sent e-mail messages with or without attachments. Shadow copies of sent e-mail messages are written to the log as .eml files. You can open .eml files in, for example, Microsoft Outlook Express, Windows Mail and Mozilla Thunderbird.
- Audit Connection: enables audit logging of user attempts to connect to a social networking site. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name
129. list of DeviceLock Administrators, in case this administrator safeguard feature is enabled for DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server.

A credentials conflict can result if, after connecting to a selected computer under a user that can't access DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server (i.e. you have a mapped network disk, an opened shared resource, etc.), you then try to log in as another user in DeviceLock Management Console. To avoid this conflict you must first delete your existing connection. When DeviceLock Management Console detects a credentials conflict, it displays a list of existing connections on your local computer and suggests that you delete some of them:

  Local Connections: The credentials supplied conflict with an existing set of credentials. To establish a connection using a different set of credentials, first you must disconnect the existing connections to vm2000server.

Highlight all existing connections to the computer you want to connect to and press the Disconnect button. Press the Close button and then try to connect to this computer again.

Note: Sometimes the existing connection can't be terminated, thus preventing you from connecting under a different user account in DeviceLock Management Console. In this c
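The conflict the dialog above reports is the Windows rule that one session may hold only one set of credentials per remote server; a second set fails with system error 1219 (ERROR_SESSION_CREDENTIAL_CONFLICT). The following PowerShell is an added example, not DeviceLock code or part of this manual: it does from the command line what the dialog's Disconnect button does, listing and dropping the SMB connections to one host so the console can reconnect under an account that is on the DeviceLock Administrators list. The server name vm2000server is taken from the dialog text; everything else is constructed here.

```powershell
# Added example, not DeviceLock code. Windows keeps one credential set per remote server
# per session, so connecting to the same server as a second user fails with error 1219
# (ERROR_SESSION_CREDENTIAL_CONFLICT), which is what the console's Local Connections
# dialog reports. These functions enumerate and drop the existing SMB connections.

function Get-ExistingConnection {
    <# Returns every UNC path (\\server\share, including IPC$) currently connected to $Server. #>
    param([Parameter(Mandatory)][string]$Server)

    $escaped = [regex]::Escape($Server)
    # 'net use' lists drive mappings and connections made without a drive letter.
    # When nothing is connected it prints "There are no entries in the list.", which
    # does not match the UNC pattern, so the function returns nothing.
    net use 2>$null | ForEach-Object {
        if ($_ -match "(\\\\$escaped\\[^\s]+)") { $Matches[1] }
    }
}

function Disconnect-ExistingConnection {
    <# Drops all connections to $Server. -Force passes /y to 'net use', which closes a
       connection that still has open files; without it such a connection stays up,
       which is the "connection can't be terminated" case the manual describes. #>
    param(
        [Parameter(Mandatory)][string]$Server,
        [switch]$Force
    )

    $connections = @(Get-ExistingConnection -Server $Server)
    if ($connections.Count -eq 0) {
        Write-Verbose "No existing connections to $Server"
        return
    }
    foreach ($remote in $connections) {
        Write-Verbose "Disconnecting $remote"
        if ($Force) { net use $remote /delete /y | Out-Null }
        else        { net use $remote /delete    | Out-Null }
    }
    # Whatever is still listed could not be dropped; the console keeps failing with
    # 1219 until the process holding that connection releases it or you log off.
    Get-ExistingConnection -Server $Server
}

# Usage: clear the connections to the server named in the dialog, then reconnect in
# DeviceLock Management Console under the intended account.
Disconnect-ExistingConnection -Server 'vm2000server' -Force -Verbose
```

Windows keys the conflict on the server name as it was typed, so connections to the NetBIOS name, the FQDN and the IP address of the same machine are tracked separately; that is also why connecting by a different name form sidesteps the error, at the cost of a second entry in the connection list.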
130. logs

To receive information on the security policies defined for protocols, under Protocols use the following options:
- Report Protocols: select this check box to report security policies for protocols. Otherwise information on all protocol-based policies will be excluded from the report. If the Report Protocols check box is cleared, the Report Auditing & Shadowing and Report Enabled Auditing & Shadowing Only options are unavailable.
- Report Auditing & Shadowing: select this check box to report the audit and shadowing rules that have been set for protocols.
- Report Enabled Auditing & Shadowing Only: select this check box to exclude from the report protocols for which audit and shadowing rules are disabled. This option is available only if the Report Auditing & Shadowing check box is selected.
- Report Security Settings: select this check box to report which parameters are defined via Security Settings.
- Report Content Aware Rules: select this check box to report the Content Aware Rules that have been set for protocols (see Content Aware Rules for Protocols).
- Report Protocols White List: select this check box to include information about white-listed protocols (see Managing Protocols White List).

This report always includes information about an installed DeviceLock Certificate. It also always shows when the Use Group Policy parameter is enabled in Se
131. Database name
You must specify the name of the database in SQL Server that will be used to store the DeviceLock Enterprise Server data. The default name suggested by the wizard is DeviceLockDB.

Note: You should not create a database with the specified name manually, because the configuration wizard creates the database automatically or uses the existing one.

Connection type
There are two ways to define a connection to SQL Server:
1. ODBC Driver: you enter the name of SQL Server in SQL Server name and select the authentication mode (Windows or SQL Server). The SQL Server name parameter must contain not just the name of the computer where SQL Server is running but the name of the SQL Server instance itself. Usually the SQL Server name consists of two parts, the computer name and the instance name, divided by a backslash, e.g. computer\instance. Sometimes the instance name is empty (the default instance) and you can use the computer name alone as the SQL Server name. To retrieve the SQL Server names available in your local network, press the Browse button. You need access to the remote registry of the SQL Server machine to retrieve the instance name. If the SQL Server name parameter is empty, SQL Server is assumed to run on the same computer as DeviceLock Enterprise Server with an empty (default) instance name.

To establish a connection to SQL Server you must also configure authentication paramete
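Before running the wizard it is worth confirming the instance name and the authentication mode from the machine that will host DeviceLock Enterprise Server. The PowerShell below is an added example, not DeviceLock code: it reads the instance names from the same remote registry key the Browse button depends on, builds the computer\instance form described above, and opens a test connection. It assumes Windows PowerShell 5.1 (System.Data preloaded), that the Remote Registry service is running on the SQL host, and a hypothetical host name sqlhost.

```powershell
# Added example, not DeviceLock code. Enumerates SQL Server instances on a host and
# tests a connection to each in the chosen authentication mode, so the values entered
# in the DeviceLock Enterprise Server configuration wizard are known to work.

function Get-SqlInstanceName {
    <# Returns connectable SQL Server names: 'host' for the default instance (MSSQLSERVER)
       and 'host\name' for named instances. Reads the 64-bit registry view; 32-bit
       instances on a 64-bit host live under Wow6432Node instead. #>
    param([Parameter(Mandatory)][string]$ComputerName)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey('SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL')
        if (-not $key) { return @() }   # no database engine installed on this host
        foreach ($instance in $key.GetValueNames()) {
            if ($instance -eq 'MSSQLSERVER') { $ComputerName } else { "$ComputerName\$instance" }
        }
    }
    finally { $hive.Close() }
}

function Test-SqlServerConnection {
    <# Opens a connection to $SqlServerName. Without -SqlCredential it uses Windows
       authentication, which keeps SQL passwords out of the server configuration. #>
    param(
        [Parameter(Mandatory)][string]$SqlServerName,
        [pscredential]$SqlCredential
    )

    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb.DataSource     = $SqlServerName
    $csb.InitialCatalog = 'master'   # DeviceLockDB may not exist yet; the wizard creates it
    $csb.ConnectTimeout = 5
    if ($SqlCredential) {
        $csb.UserID   = $SqlCredential.UserName
        $csb.Password = $SqlCredential.GetNetworkCredential().Password
    } else {
        $csb.IntegratedSecurity = $true
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $csb.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # @@SERVERNAME confirms the instance actually reached; SYSTEM_USER is the login SQL
        # Server sees, i.e. the account that must be allowed to create DeviceLockDB.
        $cmd.CommandText = 'SELECT @@SERVERNAME AS ServerName, SYSTEM_USER AS LoginName'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{ Reachable = $true;  ServerName = $reader['ServerName']; LoginName = $reader['LoginName']; Error = $null }
    }
    catch {
        [pscustomobject]@{ Reachable = $false; ServerName = $SqlServerName;        LoginName = $null;                Error = $_.Exception.Message }
    }
    finally { $conn.Dispose() }
}

# Usage: list the instances on the (hypothetical) SQL host and probe each with Windows authentication.
foreach ($name in Get-SqlInstanceName -ComputerName 'sqlhost') {
    Test-SqlServerConnection -SqlServerName $name
}
```

A Reachable = False result with a login-failed message means the name is right but the account is not; a network or instance-not-found error usually means the instance name is wrong or the SQL Browser service is not answering for a named instance.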
132. memory and free storage space dedicated machine for Microsoft SQL Server

Interactive Installation
Run Setup (setup.exe) and follow the instructions that appear on the screen. You must run setup.exe on each computer targeted for DeviceLock Enterprise Server installation.

Setup welcome screen: This program will install DeviceLock version 7.0.0 RC Build 266577 on your computer.

You must accept the DeviceLock End User License Agreement before continuing the installation process.

On the Customer Information page, type your user name and organization. On this page, under Install this application for, you can specify for whom desktop shortcuts to the DeviceLock management consoles (DeviceLock Management Console, DeviceLock Enterprise Manager and DeviceLock Service Settings Editor) will be created. You can select
133. name not found and no default driver specified: you've selected System Data Source from the Connection type list and specified an empty or non-existent name in Data Source Name.

Store shadow files in SQL Server
There are two modes of storing binary data: it can be stored in SQL Server or on disk. To store data in SQL Server, check the Store shadow files in SQL Server flag. If you decide to store binary data in SQL Server, we recommend that you dramatically increase the maximum file size of the transaction log of the database specified in Database name; otherwise SQL Server may fail to handle the large amount of data (hundreds of megabytes) in one transaction. It is also recommended that you increase the maximum amount of memory available to SQL Server and turn on the PAE (Physical Address Extension) feature. For more information on how to tune SQL Server for storing large amounts of data, read the article at http://technet.microsoft.com/en-us/library/cc966420.aspx.

To store data on disk, uncheck the Store shadow files in SQL Server flag. In this case only links to the binary data and some additional information are stored in SQL Server. Data files are located by the path specified in the Store path parameter. To choose the folder where files should be stored, you can use the Browse button. You can also specify the net
134. need to keep the information about the data transfer. To define a maximum log size and instruct DeviceLock Enterprise Server what to do when the deleted shadow data log becomes full, use Settings from the context menu (right-click). This log's settings are similar to the audit log's settings; see Audit Log Settings (Server) for more information.

If there is no space for new records in the deleted shadow data log and there is nothing to remove, DeviceLock Enterprise Server simply drops any new records. To avoid losing records in this way, we recommend that you monitor DeviceLock Enterprise Server's log periodically and watch for warning messages there.

To refresh the list, select Refresh from the context menu or press the appropriate button on the toolbar. To filter records in this list, select Filter from the context menu or press the appropriate button on the toolbar. The same filter is used by the Shadow Log Viewer; see Shadow Log Filter (Server) for more information. To clear all records from this log, select Clear from the context menu or press the appropriate button on the toolbar.

Server Log Viewer
This viewer allows you to retrieve the internal DeviceLock Enterprise Server log. The server uses this log to write errors, warnings and other imp
135. of higher-level offline Security Settings and enforce regular Security Settings on specific lower-level groups of client computers. To enforce regular Security Settings, you must remove offline Security Settings.

To remove offline Security Settings:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Security Settings. When you select Security Settings in the console tree, they are displayed in the details pane.
4. In the details pane, right-click the Security Setting and then click Remove Offline. The Security Setting changes its offline state to Use Regular.

The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Temporary White List
The DeviceLock Temporary White List function enables the granting of temporary access to USB devices when there is no network connection. Administrators provide users with special access codes over the phone that temporarily unlock access to requested devices. The following diagram illustrates the process of granting temporary access to USB devices.
136. on the DeviceLock Enterprise Server item.
- Connect: connects to any computer that you specify. For more information, read the Connecting to Computers section of this manual. When you connect to a computer where an old version of DeviceLock Enterprise Server is installed, you may receive the following message:

  DeviceLock: InitBindingToDLServer error 7049. The product version on the client and server machines does not match.

  In this case you need to install the new version of DeviceLock Enterprise Server on this computer. For information on how to install DeviceLock Enterprise Server, read the Installing DeviceLock Enterprise Server section of this manual.
- Reconnect: connects to the currently connected computer once again.
- Connect to Last Used Server at Startup: check this flag to instruct DeviceLock Management Console to automatically connect to the last used server each time the console starts.
- Certificate Generation Tool: runs the tool that generates DeviceLock Certificates. For more information, read the Generating DeviceLock Certificates section of this manual.
- DeviceLock Signing Tool: runs the tool that allows you to grant users temporary access to requested devices and to sign XML files with DeviceLock Service settings. For more information, read the DeviceLock Signing Tool section of this manual.
- About DeviceLock d
137. one except authorized users can connect to DeviceLock Service or stop and uninstall it. Even members of the local Administrators group, if they are not on the list of authorized DeviceLock administrators, can't circumvent DeviceLock Security.

To turn on DeviceLock Security, clear the Enable Default Security check box. Then you need to specify the authorized accounts (users and/or groups) that can administer DeviceLock Service.

To add a new user or user group to the list of accounts, click the Add button. You can add several accounts simultaneously. To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift you can highlight and remove several records at once.

To define which DeviceLock administrative actions are allowed for a user or user group, set the appropriate rights:
- Full access: enables full access to DeviceLock Service. Users can modify permissions, auditing and other parameters, and remove and update DeviceLock Service.
- Change: enables change access to DeviceLock Service. Users can change settings and install and uninstall DeviceLock Service, but they cannot add new users to the list of authorized accounts that can administer DeviceLock Service or change access rights for existing users in this list.
- Read-only: enables only the reading of permissions, auditing and other parameters. Users can run reports and view defined parameters, but cannot mo
138. or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups.

Creating Custom Pattern Groups
You can define Content Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom content groups enable you to specify any pattern that you want to use to identify sensitive information within documents.

To create a custom Pattern group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.
139. organization's needs. The following table lists these predefined content groups.

Built-in Pattern groups:
- ABA Routing Number
- BIC (ISO 9362)
- Canadian Social Insurance Number
- Credit Card Number
- Email Address
- European VAT Number
- GPS Data (RMC String)
- IBAN
- International Telephone Number
- IP Address
- ISO Date
- MAC Address
- Microsoft Windows Product Key
- Russian Address
- Russian Auto Insurance Number
- Russian Bank Account Number
- Russian BIC
- Russian Car Numbers
- Russian Classification of Economic Activities
- Russian Classification of Enterprises and Organizations
- Russian Driver's License Number
- Russian Health Insurance Number
- Russian International Passport
- Russian Main State Registration Number
- Russian Motorcycle Numbers
- Russian Passport
- Russian Pension Insurance Number
- Russian Post Code
- Russian Taxpayer Identification Number
- Russian Telephone Number
- Russian Trailer Numbers
- Russian Vehicle Registration Document
- SQL Queries
- TCP/UDP Port Number
- Time (12/24h)
- UK National Insurance Number
- UK Phone Number
- UK Post Code
- UK Tax Code
- Uniform Resource Locator (URL)
- US Date
- US Phone Number
- US Social Security Number
- US Zip Code
- VIN

With built-in content groups you can quickly create and apply rules without having to define your own content groups.

Note: You can view the regular expression patterns that are included in the built-in Pattern content groups, but you cannot edit
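Both the custom Pattern groups described above and the built-in ones are regular expressions, and a regex alone over-matches: any sixteen digits look like a card number and any nine digits like a routing number. The PowerShell below is an added example, not DeviceLock code or its matching engine: it pairs two such patterns with the checksum tests that separate real identifiers from noise, run over a constructed sample text, which is how you would vet a custom pattern before building a rule on it. The two group names are from the table above; the regexes and validators are this example's own.

```powershell
# Added example, not DeviceLock code. Shows how a checksum narrows the raw hits of a
# regex-based Pattern group, using two of the built-in group names from the table above.

function Test-Luhn {
    <# Luhn (mod 10) check used by payment card numbers. #>
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Test-AbaRouting {
    <# ABA routing number check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) mod 10 == 0. #>
    param([Parameter(Mandatory)][string]$Digits)
    if ($Digits -notmatch '^\d{9}$') { return $false }
    $d = [int[]]($Digits.ToCharArray() | ForEach-Object { [int][string]$_ })
    $sum = 3 * ($d[0] + $d[3] + $d[6]) + 7 * ($d[1] + $d[4] + $d[7]) + ($d[2] + $d[5] + $d[8])
    return ($sum % 10) -eq 0
}

# Each entry: a regex of the kind you would enter in a custom Pattern group plus the
# validator that removes false positives. Both regexes are this example's own.
$PatternGroups = [ordered]@{
    'Credit Card Number' = @{ Regex = '\b(?:\d[ -]?){15}\d\b'; Validate = ${function:Test-Luhn} }
    'ABA Routing Number' = @{ Regex = '\b\d{9}\b';             Validate = ${function:Test-AbaRouting} }
}

function Find-PatternHit {
    <# Runs every group over $Text and reports each raw regex hit with its checksum result. #>
    param([Parameter(Mandatory)][string]$Text)
    foreach ($name in $PatternGroups.Keys) {
        $group = $PatternGroups[$name]
        foreach ($m in [regex]::Matches($Text, $group.Regex)) {
            $digits = $m.Value -replace '[ -]', ''
            [pscustomobject]@{
                Group      = $name
                Match      = $m.Value
                ChecksumOk = & $group.Validate $digits
            }
        }
    }
}

# Constructed sample: a valid card (4111 1111 1111 1111, the standard Visa test number),
# a 16-digit run that fails Luhn, a valid routing number (021000021) and a 9-digit
# order reference that is not one.
$sample = 'Card 4111 1111 1111 1111 exp 12/26; ref 4111111111111112; wire to routing 021000021, order 123456789.'
Find-PatternHit -Text $sample | Format-Table -AutoSize
```

On the sample, all four digit runs are regex hits but only the test card number and 021000021 pass their checksums; the other two are exactly the false positives a bare pattern would flag in a document.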
140. port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log.
  Note: When this right is enabled, numerous Connection events are recorded in the Audit Log each time a user attempts to open a web page. This happens because a web page often requests resources such as images, scripts, etc. from other hosts.
- Audit Incoming Data: enables audit logging of web pages and objects on web pages (scripts, Flash files up to 1.5 MB in size, images up to 512 KB in size, text up to 200 KB in size, etc.). The Incoming Data action, the URL of the web page and objects on the web page, and the IP address with the port number and the name of the host are written to the log.
- Audit Incoming Files: enables audit logging of user attempts to download a file from a Web site. The Incoming File action, the absolute path and complete name of the file (for example http://domain/path/myfile.doc), and the IP address with the port number and the name of the host are written to the log.
- Audit Outgoing Data: the Outgoing Data content type contains no data. This right enables audit logging of blocked user attempts to open a web page if the Audit Denied option is set for the protocol. The Outgoing Data action, the URL of the web page and objects on the web page, and the IP address with the port number and the name of the host are written to the log.
- Audit POST Requ
141. rule is applied, and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted.
OR
- Expand White List and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group and then click Delete.
OR
- Right-click White List and then click Manage. In the left pane of the Protocols White List dialog box, under Users, select the user or group to which the rule is applied. In the right pane of the Protocols White List dialog box, under Rules, select the rule and then click Delete, or right-click the rule and then click Delete.

Managing Security Settings for Protocols
You can define additional security parameters that affect permissions and audit rules for protocols. DeviceLock supports these additional security parameters:
- Block unrecognized outgoing SSL traffic: if enabled, allows DeviceLock Service to audit and block all unrecognized outgoing SSL traffic. Otherwise, even if the protocols are locked, unrecognized outgoing SSL traffic is neither blocked nor audited, so locking a protocol does not by itself cover SSL sessions DeviceLock cannot recognize.
- Block IP addresses in URL: if enabled, allows DeviceLock Service to block all URLs containing the host's IP address when users have allow access permissions for a protocol. Use this setting to block access to sites (for example, Facebook) that can be acces
142. separated by a semicolon (for example explorer.exe;notepad.exe).
6. Click OK to close the Add Document Properties Group dialog box. The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content Aware Rules dialog box.

Complex Content Groups
Complex groups use Boolean expressions to select the documents for which you want to control access. These groups can include any combination of built-in or custom content groups (File Type Detection, Keywords, Pattern and Document Properties groups) linked with any number of the standard logical operators. Each content group is treated as a single filter criterion that can be included in your Boolean expression. By using multiple content groups you can create complex filters to identify sensitive content contained in documents.

The following table lists the logical operators in order of precedence, from highest to lowest:

Operator  Meaning
NOT       Logical negation of a filter criterion
AND       Both filter criteria must apply
OR        Either filter criterion can apply

You can use parentheses to modify the precedence of operators and force some parts of an expression to be evaluated before others. Nested criteria enclosed in parentheses are evaluated in inner-to-outer order. Multiple levels of nesting are supported. A complex group can contain a maximum of 30 content groups. There are no predefined (built-in) Complex content groups to use
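The precedence table above decides what a complex group matches, and it is easy to get wrong when AND and OR are mixed without parentheses. The PowerShell below is an added example, not DeviceLock code: a small recursive-descent evaluator that applies an expression with exactly that precedence (NOT above AND above OR, parentheses overriding, at most 30 group references) to the set of content groups that matched a document, so a rule's logic can be checked before it is deployed. The textual syntax is this example's assumption (DeviceLock's editor builds the expression through its own dialog): operators are NOT, AND and OR, and group names containing spaces are double-quoted.

```powershell
# Added example, not DeviceLock code. Evaluates a complex-group Boolean expression over
# the names of the content groups that matched a document, with NOT > AND > OR precedence
# and parentheses, and enforces the 30-content-group limit from the manual.

function Test-ComplexGroup {
    param(
        [Parameter(Mandatory)][string]$Expression,
        [string[]]$MatchedGroups = @()
    )

    # Tokenize: parentheses, quoted names, bare words. @() keeps a lone token an array.
    $tokens = @([regex]::Matches($Expression, '\(|\)|"[^"]*"|[^\s()]+') |
                ForEach-Object { $_.Value.Trim('"') })
    $operandCount = @($tokens | Where-Object { $_ -notin '(', ')', 'NOT', 'AND', 'OR' }).Count
    if ($operandCount -gt 30) {
        throw "A complex group may reference at most 30 content groups (found $operandCount)"
    }

    # PowerShell hashtables are case-insensitive, matching how group names are compared here.
    $matched = @{}
    foreach ($g in $MatchedGroups) { $matched[$g] = $true }
    $s = @{ Tokens = $tokens; Pos = 0 }   # parser state shared by the nested functions

    function Peek { if ($s.Pos -lt $s.Tokens.Count) { $s.Tokens[$s.Pos] } }
    function Take { $t = $s.Tokens[$s.Pos]; $s.Pos++; $t }

    # Lowest precedence first: an OR chain of AND terms, an AND chain of NOT terms.
    function Parse-Or  { $v = Parse-And; while ((Peek) -eq 'OR')  { [void](Take); $r = Parse-And; $v = $v -or $r };  $v }
    function Parse-And { $v = Parse-Not; while ((Peek) -eq 'AND') { [void](Take); $r = Parse-Not; $v = $v -and $r }; $v }
    function Parse-Not {
        if ((Peek) -eq 'NOT') { [void](Take); return (-not (Parse-Not)) }
        Parse-Primary
    }
    function Parse-Primary {
        $t = Take
        if ($null -eq $t) { throw 'Unexpected end of expression' }
        if ($t -eq '(') {
            $v = Parse-Or
            if ((Take) -ne ')') { throw "Missing ')' in expression" }
            return $v
        }
        if ($t -in ')', 'AND', 'OR', 'NOT') { throw "Unexpected '$t' in expression" }
        # A bare name is one filter criterion: true when that content group matched.
        $matched.ContainsKey($t)
    }

    $result = Parse-Or
    if ($null -ne (Peek)) { throw "Unexpected '$(Peek)' after end of expression" }
    [bool]$result
}

# Usage: a document that matched the Credit Card Number and Email Address groups.
$hits = 'Credit Card Number', 'Email Address'

# Without parentheses AND binds first, so this reads CCN OR (SSN AND NOT Email): True.
Test-ComplexGroup '"Credit Card Number" OR "US Social Security Number" AND NOT "Email Address"' -MatchedGroups $hits

# Parenthesized, the e-mail exclusion applies to both patterns: False.
Test-ComplexGroup '("Credit Card Number" OR "US Social Security Number") AND NOT "Email Address"' -MatchedGroups $hits
```

The two calls differ only in the parentheses, yet they give opposite answers for the same document, which is the point of the precedence table: write the exclusion where it is meant to apply, and test the expression against a matched set that exercises it.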
143. ...services will not be blocked. The following Web-based e-mail services are supported: AOL Mail, Gmail, GMX Mail, Hotmail, Mail.ru, Rambler Mail, Web.de, Yahoo! Mail and Yandex Mail.
Note: You can define different online vs. offline Protocols White Lists for the same user or sets of users. The online Protocols White List (Regular Profile) applies to client computers that are working online. The offline Protocols White List (Offline Profile) applies to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies (Offline Profile). For information about how to define the offline Protocols White List, see Managing Offline Protocols White List.
Managing the online (regular) Protocols White List involves the following tasks:
• Defining the Protocols White List
• Editing the Protocols White List
• Copying rules of the Protocols White List
• Exporting and importing the Protocols White List
• Undefining the Protocols White List
• Deleting rules of the Protocols White List

Defining Protocols White List

To define the Protocols White List:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use De
144. ...specified settings and only upgrades DeviceLock Service to the new version.
You can also define a destination directory for DeviceLock: InstallDir="C:\Program Files\DeviceLock". Setup uses this directory if it can't find the previous installation of DeviceLock.
If you have purchased licenses for DeviceLock, you can also specify the location of the license files: RegFileDir="C:\Directory", where C:\Directory is where your license files are located. You do not need to load the licenses if you are installing only DeviceLock Service. They are required for DeviceLock management consoles and separately licensed components (ContentLock and NetworkLock).
To instruct DeviceLock Service to use a fixed port, specify the FixedPort parameter: FixedPort=<port number>, where <port number> is the fixed TCP port number that you want to use for the communication between DeviceLock Service and management consoles. To use dynamic ports for the RPC communication, specify 0 as a port number. By default, DeviceLock Service uses port 9132.
If the CreateGroups parameter is set to 1, Setup creates the special local user group Allow_Access_To_<device type> for each device type (e.g. Allow_Access_To_Floppy for floppy drives), if these do not exist on the local computer.
To apply settings (permissions, audit and shadowing rules) to DeviceLock Service, specify the path to the previously saved XML file in the SettingsFile parameter: SettingsFile=C:\se
145. ...supports these third-party products for encrypting data on removable storage devices:
• DriveCrypt: DeviceLock Service can detect DriveCrypt's encrypted removable storage devices and apply special "encrypted" permissions to them when the DriveCrypt product is installed on the computer where DeviceLock Service is running and Integration is enabled. For more information on DriveCrypt, please visit http://www.securstar.com
• Lexar JD SAFE S3000 and Lexar JD SAFE S3000 FIPS: DeviceLock Service can detect Lexar JumpDrive SAFE S3000 USB flash drives (FIPS-certified and/or regular) and apply special "encrypted" permissions to them in the event that a user plugs such a device into a computer where DeviceLock Service is running and Integration is enabled. For more information on Lexar JumpDrive SAFE S3000, please visit Lexar's Web site: http://www.lexar.com/products/enterprise-usb-solutions
• Lexar SAFE PSD: DeviceLock Service can detect Lexar SAFE PSD S1100 USB flash drives and apply special "encrypted" permissions to them in the event that a user plugs such a device into a computer where DeviceLock Service is running and Integration is enabled. For more information on Lexar SAFE PSD S1100, please visit Lexar's Web site: http://www.lexar.com/about/newsroom/press-releases/lexar-begins-shipping-its-award-winning-safe-psd-s1100-secure-enterpri
• PGP Whole Disk Encryption: DeviceLoc
146. ...that data is possibly not completely logged, while the Failed status is given to shadow copies of files whose transmission was blocked by Content-Aware Rules.
• Date/Time: the date and the time when the data was transferred.
• Source: the type of device or protocol involved.
• Action: the user's activity type.
• File Name: the original path to the file, or the auto-generated name of data that originally was not a file (such as CD/DVD images, data written directly to the media or transferred through the serial/parallel ports).
• File Size: the size of the data.
• User: the name of the user who transferred the data.
• PID: the identifier of the process used to transfer the data.
• Process: the fully qualified path to the process executable file. In some cases the process name may be displayed instead of the path.
Use the context menu available via a right mouse click on every record:
Open: To open the file from a selected record with its associated application, use Open from the context menu. If there is no associated application, then the Open With dialog box is shown. In case the record has no associated data (its size is 0 or it was not logged), Open is disabled. If you use Open for shadowing data captured from either the Printer or Parallel port device types, then the associated application is always the built-in viewer called DeviceLock Printer Viewer. DeviceLock Printer Viewer is able to show you the shadowed printed document in the
147. ...that has administrative access to DeviceLock Enterprise Server on the remote computer. For more information on how to run DeviceLock Content Security Server on behalf of the user, please read the description of the Log on as parameter.
• DeviceLock Certificate authentication: in situations when the user under which DeviceLock Content Security Server is running cannot access DeviceLock Enterprise Server on the remote computer, you must authenticate based on a DeviceLock Certificate. The same private key should be installed on DeviceLock Enterprise Server and on DeviceLock Content Security Server. To install DeviceLock Certificate, click the ellipsis button (...) and select the file with a private key. To remove DeviceLock Certificate, click Remove. For more information regarding DeviceLock Certificate, see DeviceLock Certificates.
Click Next to apply changes and proceed to the final page of the configuration wizard. The final page of the wizard looks like this:
[Screenshot: DeviceLock Content Security Server configuration wizard, final page. License information: "You have 0 valid license(s) installed. PLEASE REMEMBER THAT THIS IS A 30-DAY TRIAL VERSION"; Load License(s) button; Back, Finish and Cancel buttons.]
On this page you load your DeviceLock Content Security Server licenses.
License information: If you have purchased a license for Search Server, you should load this license into DeviceLock Content Security Server. To load the license, click Load License(s) an
148. ...that is already received from the plug-in. Because the scan process runs in a separate thread, you do not need to wait until all computers are finished being scanned. You can also perform other tasks in the DeviceLock Enterprise Manager interface. There are only a few things which you cannot do while the scan is running: you cannot close DeviceLock Enterprise Manager and you cannot run another scan process.
If for some reason you wish to abort the active scan process, you can click Stop Scan on the File menu or press the appropriate button on the Main toolbar. The scan process will be aborted as soon as a plug-in returns control to DeviceLock Enterprise Manager.

Plug-ins

DeviceLock Enterprise Manager has a flexible plug-in based architecture that allows you to plug in the necessary module on demand. DeviceLock Enterprise Manager loads the plug-ins on startup from the Plugins subdirectory, which is located in the main DeviceLock Enterprise Manager directory.
DeviceLock Enterprise Manager ships with standard plug-ins that require some network ports to be opened on remote computers, as described in the table below:
REQUIRED PORTS                                                        PLUG-INS AFFECTED
TCP 139 or TCP 445; UDP 137 (this port must be opened only when a    Audit Log Viewer, Report
connection is established by the computer name; if an IP address
is used, this port is not required)
TCP 139 or TCP 445                                                    Instal
149. ...the audit log.
• Audit Copy
• Shadowing Write/Print: Files are written to the shadow log.
• Shadowing Write Non-files: All data that contains non-file objects (Calendar, Contacts, etc.) is written to the shadow log.

DEVICE TYPE / RIGHTS (table continues; device types on this page: Palm, Parallel port, Printer)

Palm:
• Audit Read: Read File action, file names and the Sync flag write to the audit log.
• Audit Write/Print: Write File action, file names and the Sync flag write to the audit log.
• Audit Execute
• Audit Read Non-files: Read Calendar, Read Contact, Read Expense, Read E-mail, Read Document, Read Memo, Read Notepad, Read Task and Read Media actions and object names write to the audit log.
• Audit Write Non-files: Write Calendar, Write Contact, Write Expense, Write E-mail, Write Document, Write Memo, Write Notepad, Write Task, Write Media and Install actions and object names write to the audit log.
• Audit Copy
• Shadowing Write/Print: Files are written to the shadow log.
• Shadowing Write Non-files: All data that contains non-file objects (Calendar, Contacts, Tasks, etc.) is written to the shadow log.

Parallel port:
• Audit Read: Device Access action writes to the audit log.
• Audit Write/Print: Device Access action writes to the audit log.
• Audit Execute
• Audit Read Non-files
• Audit Write Non-files
• Audit Copy
• Shadowing Write/Print: All data sent to the port is written to the shadow
150. ...the file.
4. Click the file, and then click Open. The computers from the file are displayed in the left pane of the Edit computers list dialog box.
5. In the left pane of the Edit computers list dialog box, select the desired computers, and then click the right single-arrow button. The selected computers are displayed under Selected computers in the right pane of the dialog box. To remove single computers from the list of selected computers, use the left single-arrow button. To add or remove all available computers to or from the list of selected computers at the same time, use the right double-arrow button or the left double-arrow button.
• Manual: This option lets you manually add computers that you want to select for the report. If you select this option:
  1. In the left pane of the Edit computers list dialog box, type either computer names or IP addresses. Press the ENTER key after each computer name to make sure that each computer name is on a separate line.
  2. In the left pane of the Edit computers list dialog box, select the desired computers, and then click the right single-arrow button. The selected computers are displayed under Selected computers in the right pane of the dialog box. To remove single computers from the list of selected computers, use the left single-arrow button. To add or remove all available computers to or from the list of selected computers at the same time, use the right double-arrow button or left do
151. ...the Add File Type Detection Group dialog box. The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Keywords Content Groups

Keywords groups are used to control access to data files based on specified keywords or phrases. DeviceLock includes 157 predefined (built-in) Keywords groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create their editable copies (duplicates), or create your own content groups to suit your particular organization's needs. The following table lists these predefined content groups:
BUILT-IN KEYWORDS GROUPS
Accounting Documentation Terms; Accounting Documentation Types; Acquisition; Active substance; Admission/Discharge; Adult Keywords; American Address; American Name; Bank ABA; Bank ACNT; Bank STMT; Board Meeting; Breach of Obligation; Breach of Standards; Breach of the Law; Business Documentation; Business Documentation Terms; Business Documentation Types; Business Rivals; Business Trips & Meetings; C Source Code; C C
(second column of the table on this page:) Production Charges; Profanity; Profiles; Profit/Loss; Project Names; Project Release Dates; Property; Racism Keywords; Resume; Russian Account Statement; Russian Accounting Documentation; Russian Accounting Documentation Terms
152. ...the first 10 users, but you can specify any number of users.
The report consists of three sections: the Report Header, Report Parameters and Report Results.
The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type.
The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
• Period (from, to): Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
• Computer(s): Shows the computers that were specified for the report.
• Channel(s): Shows the device types and/or protocols that were specified for the report.
• File Name: Shows the files that were specified for the report.
The Report Results section contains two tables with detailed results of the report. Table 1 lists the top N (where N is a specific number) users by the number of copied files. Table 1 has the following columns:
(REPORT TYPE: Top copied files / DESCRIPTION, continued)
• User Name: Shows a user name.
• Number of Files: Shows the number of copied files. Values in this column are sorted in descending order.
Table 2 lists the top N (where N is a specific number) users by the amount of copied
153. ...the local group Administrators on every computer in the domain, members of Domain Admins will have full access to DeviceLock Enterprise Server on every computer. Also, do not forget that if Default Security is disabled on a remotely running DeviceLock Enterprise Server, the user's account specified in the This account option must also be in the list of Server Administrators with at least Read-only access rights on that DeviceLock Enterprise Server. Otherwise, you will need to use DeviceLock Certificate authentication.
Connection settings: You can instruct DeviceLock Content Security Server to use a fixed TCP port for communication with the management console, making it easier to configure a firewall. Type the port number in Fixed TCP port. To use dynamic ports for RPC communication, select the Dynamic ports option. By default, DeviceLock Content Security Server uses port 9134.
Click Next to start the DeviceLock Content Security Server service and to proceed to the second page.
If the current user does not have full administrative access to DeviceLock Content Security Server (in case it already exists and you're installing an upgrade), the configuration wizard will not be able to install the service and apply changes. Also, a similar error may occur when the current user does not have local administrative privileges on the computer where DeviceLock Content Security Server is installing:
[Error dialog: DeviceLock ChangeConfigService error 3 ...]
154. ...this event. Can be empty if an event does not link to any task.
• Computer Name: the name of the computer belonging to the task that is responsible for this event. Can be empty if an event does not link to the computer.
• Information: event-specific information, such as status, error, warning and so on.
• Server: the name of the server where an event occurred.
• Record N: the record number.
To refresh the list, use Refresh from the context menu available by clicking the right mouse button, or press the appropriate button on the toolbar. To clear all records from this log, use Clear from the context menu or press the appropriate button on the toolbar.

Monitoring Log Settings

To define a maximum log size and instruct DeviceLock Enterprise Server what to do in the event the monitoring log becomes full, use Settings from the context menu of the Monitoring Log Viewer.
[Screenshot: Monitoring Log Settings dialog. Control log size: Maximum log size 10000 records. When maximum log size is reached: Overwrite events as needed / Overwrite events older than N days / Do not overwrite events (clear log manually). Restore Defaults button.]
For information on these settings, see Audit Log Settings (Server).

Monitoring Log Filter

You can filter data in the Monitoring Log Viewer so that only records that meet specified conditions are displayed in the list. To open the Filter dialog box, use
155. ...this option, in the Recipients box, type the e-mail addresses of the recipients separated by commas, semicolons or spaces. Use the following format: user@mailserver.
Access type(s): Specifies the types of events that you want to include in or exclude from the report. Appears only for the Read & Write access requests per device type report type in the Audit Log report category. If you select the Allowed check box, the Success Audit events (that is, events that record successful access attempts) will be retrieved for the report. If you select the Denied check box, the Failure Audit events (that is, events that record failed access attempts) will be retrieved for the report. You can use either or both of these options to specify the types of events.
Device type(s): Specifies the device types for the report. Appears only for the Top active computers, Top active users and Top copied files report types. If you select this option, select the appropriate check boxes next to the device types you want to specify for the report.
Protocol(s): Specifies the protocols for the report. Appears only for the Top active computers, Top active users and Top copied files report types. If you select this option, select the appropriate check boxes next to the protocols you want to specify for the report.
Note: If you leave both options (Device type(s) and Protocol(s)) unselected, the report will display data for all device type
156. ...to a Web server is shadow copied.
• Generic Outgoing Files: Controls whether or not files with specified content uploaded to a Web server are shadow copied.
• SSL Incoming Files: Controls whether or not files with specified content downloaded from a Web server using HTTPS are shadow copied.

PROTOCOL / SHADOWING RIGHTS / DESCRIPTION (table continues)

HTTP (continued):
• SSL POST Requests: Controls whether or not Web form data with specified content submitted to a Web server using HTTPS is shadow copied.
• SSL Outgoing Files: Controls whether or not files with specified content uploaded to a Web server using HTTPS are shadow copied.

Instant messaging protocols (the PROTOCOL column on this page lists ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, Windows Messenger and Yahoo! Messenger, followed by SMTP, Web Mail and Social Networks):
• Generic Incoming Messages: Controls whether or not instant messages with specified content received by the user are shadow copied.
• Generic Outgoing Messages: Controls whether or not instant messages with specified content sent by the user are shadow copied.
• SSL Incoming Messages: Controls whether or not instant messages with specified content received by the user using SSL are shadow co
(Further entries in the SHADOWING RIGHTS column on this page, whose descriptions are cut off: SSL Outgoing Messages; Generic Incoming Messages; Generic Outgoing Messages; Generic Outgoing Messages; Generic Outgoing Files; SSL Outgoing Messages; SSL Outgoing Files; Generic Outgoing Messages; Generic Outgoing Files.)
157. ...to specify the exact match option. This allows you to find an exact match of your keyword. Clear the Whole Word check box to specify the broad match option. This allows you to find all grammatical variations of your keyword.
Weight: Specify the degree of importance for each keyword or phrase. Weight is used to count the number of occurrences of the specified keywords within text data. This property requires a value if you selected the Only when combined score exceeds or equal to threshold option. Possible values: Heavy, Above Normal, Normal (default value), Below Normal, Light. These weight values are interpreted as follows:
• Heavy weight indicates that each keyword occurrence is counted as three occurrences. This value is the highest.
• Above Normal weight indicates that each keyword occurrence is counted as two occurrences.
• Normal weight indicates that each keyword occurrence is counted as one occurrence.
• Below Normal weight indicates that two keyword occurrences are counted as one occurrence.
• Light weight indicates that three keyword occurrences are counted as one occurrence. This value is the lowest.
Add: Specify keywords and phrases. Click Add to enter a keyword or phrase.
Delete: Delete a keyword. To do so, select the keyword you want to delete, and then click Delete. You can select multiple keywords by holding down the SHIFT key or the CTRL key while c
158. ...to the Local Policy made. In this case, Group Policy settings will be replaced by Local Policy settings. If you change some parameter using DeviceLock Management Console, it will revert to its original state (defined in the GPO) on the next Group Policy update. For more information, please read the Service Options section of this manual.
If you're trying to connect to DeviceLock Enterprise Server or DeviceLock Content Security Server on a computer where it is not installed or is stopped, you receive a connection error:
[Error dialog: DeviceLock InitBinding(loDLServer) error 1733: There are no more endpoints available from the endpoint mapper.]
DeviceLock Enterprise Server and DeviceLock Content Security Server must be installed and started before DeviceLock Management Console can connect to them. For more information regarding the servers' deployment, please read the Installing DeviceLock Enterprise Server and Installing DeviceLock Content Security Server sections of this manual.
If you don't have administrative privileges on the selected computer, DeviceLock Management Console suggests that you connect under the account of another user:
[Enter Network Password dialog: "Incorrect password or unknown username for <server>"; Connect As: <domain>\administrator; Password.]
In the Connect As parameter, you can specify a user account with administrative privileges. This account should also be on the
159. ...to the log.

PROTOCOL: FTP. AUDIT / SHADOWING RIGHTS:
• Audit Connection: Enables audit logging of user attempts to connect to an FTP site. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log.
• Audit Incoming Files: Enables audit logging of user attempts to download a file from an FTP site. The Incoming File action, the absolute path and complete name of the file (for example, ftp://myftp/myfile.doc), the IP address with the port number and the name of the host are written to the log.
• Audit Outgoing Files: Enables audit logging of user attempts to upload a file to an FTP site. The Outgoing File action, the absolute path and complete name of the file (for example, ftp://myftp/myfile.doc), the IP address with the port number and the name of the host are written to the log.
• Shadowing Incoming Files: Enables shadow copying of files downloaded from an FTP site. Shadow copies of downloaded files are written to the log.
• Shadowing Outgoing Files: Enables shadow copying of files uploaded to an FTP site. Shadow copies of uploaded files are written to the log.

PROTOCOL: HTTP. AUDIT / SHADOWING RIGHTS:
• Audit Connection: Enables audit logging of user attempts to open a web page. The Connection action, the IP address with the
160. ...transfer.

Shadow Log Settings

To define a maximum log size and what DeviceLock Enterprise Server should do if the shadow log becomes full, use Settings from the context menu of Shadow Log Viewer.
[Screenshot: Shadow Log Settings dialog. Control log size: Maximum log size N records. When maximum log size is reached: Overwrite events as needed / Overwrite events older than N days / Do not overwrite events (clear log manually). Restore Defaults button.]
For information on these settings, see Audit Log Settings (Server).
When DeviceLock Enterprise Server needs to remove some old records from the Shadow log because of the defined parameters (Overwrite events as needed and Overwrite events older than), these records are moved to the Deleted Shadow Data Log.
If there is no space for new records in the shadow log and there is nothing to delete, then DeviceLock Enterprise Server does not remove shadowed data from remote users' computers. This prevents the loss of shadowed data due to lack of space in the log. When some space becomes available in the log, DeviceLock Enterprise Server moves the remaining shadowed data from users' computers to this log.
It is best to avoid accumulating shadowed data on users' computers. We recommend that you monitor the DeviceLock Enterprise Server's log on a periodic basis, watch for warning messages and adjust log settings appropriately.

Shadow Log Filter (Serv
161. ...type Users, and then click OK.
   b. Under Users, select Users.
   c. Under User's Rights, select the check boxes next to the following rights: Generic: Send/Receive Data and SSL: Send/Receive Data.
   [Screenshot: Permissions dialog for Protocol HTTP (Computer Name: Local Computer) showing the Users group and the selected User's Rights check boxes.]
   d. Click Protocols White List.
5. In the Protocols White List dialog box, do the following:
   a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box, type Users, and then click OK.
   b. Under Users, select Users, and then under Rules, click Add.
6. In the Add Rule dialog box, do the following:
   a. In the Protocol list, click SSL.
   b. In the Description box, specify the rule name.
   c. In the Hosts box, type the DNS names of the Dropbox servers, separated by a comma or semicolon: www.dropbox.com; static.reverse.softlayer.com; compute-1.amazonaws.com
   [Screenshot: Add Rule dialog with Protocol SSL, the rule description and the Dropbox host names.]
   d. Click OK.
162. ...under a different user that can authenticate on the remote computer as a local admin.
• 7045 "You must have administrative privileges to perform this operation": you don't have sufficient privileges to access DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server because the user is not in the list of DeviceLock Administrators. Make sure that DeviceLock Management Console is trying to connect to the remote computer under a user that is in the list of DeviceLock Administrators on that computer.

Managing DeviceLock Service

Expand the DeviceLock Service item to access all of the service functions and configuration parameters.
[Screenshot: DeviceLock Management Console with the DeviceLock Service context menu: Connect; Reconnect; Connect to Local Computer at startup; Load Service Settings; Save Service Settings; Save & Sign Service Settings; Create MSI Package; Certificate Generation Tool; DeviceLock Signing Tool; About DeviceLock; View; Export List; Help.]
There is a context menu available via a right mouse click on the DeviceLock Service item:
• Connect: connects to any computer that you specify. For more information, please read the Connecting
163. ...users should set iTunes to sync only the content to which they are allowed access.
• Write Backup: to enable restoring an iPhone by writing the device backup data from a PC.
• Read Note: to enable reading notes on a mobile device from a PC. For a Palm device, this right controls the Memos and Note Pad content types.
• Write Note: to enable writing notes from a PC to a mobile device. For a Palm device, this right controls the Memos and Note Pad content types.
• Read Pocket Access: to enable reading Pocket Access databases on a Windows Mobile device from a PC.
• Write Pocket Access: to enable writing Pocket Access databases from a PC to a Windows Mobile device.
• Read Task: to enable reading tasks on a mobile device from a PC.
• Write Task: to enable writing tasks from a PC to a mobile device.
• Read Expense: to enable reading Palm Expense application data on a Palm device from a PC.
• Write Expense: to enable writing Palm Expense application data from a PC to a Palm device.
• Read Document: to enable reading Palm documents on a Palm device from a PC. You can enable this right only if Read Files is selected in the Special Permissions group.
• Write Document: to enable writing Palm documents from a PC to a Palm device. You can enable this right only if Write Files is selected in the Special Permissions group.
• Read Unidentified Content: to enable reading any other (uncategorized) content type on a Windows Mobile device from a PC.
• Writ
164. ...where you want to save the .cwl file. In the File name box, type the file name you want. Click Save. When you export rules, they are saved in a file with a .cwl extension.
To import Content-Aware Rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, do one of the following:
• Right-click Content-Aware Rules, and then click Load.
OR
• Select Content-Aware Rules, and then click Load on the toolbar.
OR
• Expand Content-Aware Rules, right-click any user or group to which the rule is applied, and then click Load.
OR
• Expand Content-Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Load.
OR
• Expand Content-Aware Rules, select any user or group to which the rule is applied, and then click Load on the toolbar.
OR
• Right-click Content-Aware Rules, and then click Manage. In the lower right pane of the C
165. ...whether the user can send e-mail messages with specified content using SSL.
• SSL Outgoing Files: Controls whether the user can send e-mail attachments with specified content using SSL.
Social Networks:
• Generic Outgoing Messages: Controls whether the user can send messages, comments and posts with specified content.
• Generic Outgoing Files: Controls whether the user can send media and other files with specified content to a social networking site.
Note: If the No Access permission is set for a protocol and there is a Content-Aware Rule that allows access to specified content for the same protocol, the Send/Receive Data access right is automatically granted to users for this protocol. For more information about this access right, see Managing Permissions for Protocols.
When using Content-Aware Rules, consider the following:
• If Content-Aware Rules are defined for both devices and protocols, all access checks are executed in one thread.
• Content-Aware Rules with Deny settings take priority over rules with Allow settings if they apply to the same users or groups.
• Checking the content of files can be a time-consuming operation. You can define a Content verification message to be displayed to users when content inspection is in progress. For detailed information on this message, see Content verification message in Service Options.
• When users try to use protocols to which th
d. Click OK.

[Screenshot: Content Aware Rules for Devices dialog box, showing the rule for Everyone on the Complex Group 1 content group with Deny Write permissions for Floppy]

10. In the Content Aware Rules for Devices dialog box, click OK or Apply to apply the rule.
11. In the console tree, expand Protocols, right-click Content Aware Rules, and then click Manage.
12. In the Content Aware Rules for Protocols dialog box, do the following:
    a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box, type Everyone, and then click OK.
    b. Under Users, select Everyone. Under Content Database, select the Complex Group 1 content group, and then click Add.
13. In the Add Rule dialog box, do the following:
    a. Under Applies to, select the Permissions check box.
    b. Under Protocol(s), select the FTP, HTTP, SMTP and Web Mail check boxes.
    c. Under Action(s), select the Deny check box next to Generic Outgoing Files and SSL Outgoing Files.

    [Screenshot: Add Rule dialog box]

    d. Click OK.

[Screenshot: Content Aware Rules for Protocols dialog box, Content Database showing Complex Group 1]
To install and use DeviceLock, you MUST have administrative privileges. If you are going to use DeviceLock only on a local computer, you must have local administrative privileges. If you are going to use DeviceLock throughout your network, you must have domain administrator privileges.

If you want to use DeviceLock on your network, you must have a functioning TCP/IP network protocol. However, DeviceLock can also work on stand-alone computers. A network is needed only if you want to control DeviceLock Service from a remote computer.

Deploying DeviceLock Service

DeviceLock Service should be installed on the computer so you can control the access to devices on that computer. There are multiple ways to deploy DeviceLock Service to client systems.

Interactive Installation

Run Setup (setup.exe) and follow the instructions that appear on the screen.

[Screenshot: DeviceLock Setup welcome page ("This program will install DeviceLock version 7.0.0 RC Build 25657 on your computer"), recommending that all Windows programs be closed before running Setup; click Cancel to quit Setup, or Next to continue]
Aware Rules

You can export all your current offline Content Aware Rules to a .cwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup.

To export offline Content Aware Rules

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   - Right-click Content Aware Rules, and then click Save Offline.
   - OR -
   - Select Content Aware Rules, and then click Save Offline on the toolbar.
   - OR -
   - Expand Content Aware Rules, right-click any user or group to which the rule is applied, and then click Save Offline.
   - OR -
   - Expand Content Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Save.
   - OR -
   - Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Save Offline on the toolbar.
   - OR -
   - Right
Breach of Commitment, Breach of Law, Business Documentation, Business Documentation Terms, Business Documentation Types, Business Partners, Business Trips & Meetings, Company Development Plan, Compensation and Benefits, Confidential Information, Corporate Capital, Corporate Property, Expenses, Failures, Financial Information, Financial Report, Financial Terms, Firing, Innovations, Insurance, Internal Payments, Investors and Investments, Labor Law, Loans and Credits, Manufacturing, Market Development Plan, Medicinal Active Substances, Medicinal Drugs, Noncompliant, Passwords and Access Codes, Physical Security, Prices, Project Documentation, Project Names, Project Versions, Projects, Release Date, Technology, User Names, Working Conditions

Sales Forecast, Sarbanes-Oxley Sensitive, Security, Security Agencies, Sensitive Disease, Sexual Language, Social Security, SPAM, Sports, Staff Training, Substance Abuse, Suspicious Activity Report, Technology

BUILT-IN KEYWORDS GROUPS (continued)

Medical Record Numbers, MEMO, Network Security, Partner Names, Password, Payments, PCI/GLBA, Perl Source Code, Price List, Prices, Pro Earnings

UB04 Form, US Birth Date, US Birth Place, US Expiry Date, User Name, VB Source Code, Violence, Weapon Keywords, Wire Transfer, Working Conditions

With built-in content groups, you can quickly create and apply rules without having to define your own content groups. No
Console, see DeviceLock Management Console.

Permissions Examples

For all users, all USB devices are denied except the mouse and keyboard.

1. Select the USB port record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a right mouse click.

[Screenshot: DeviceLock Management Console, with Set Permissions ("Manages permissions for selected device(s)") chosen for USB port under Permissions]

2. Click the Add button in the Permissions dialog box, add the Everyone user (type the name, or browse for all available names and select the needed one), click OK to close the Select Users or Groups dialog box, select the Everyone record and disable all rights in the User's Rights list.

[Screenshot: Permissions dialog box, Device Type: USB port, Computer Name: Local Computer, Users: Everyone]

3. Click the Security Settings button in the Permissions dialog box, and then clear the Access control for USB HID (mouse, keyboard, etc.) check box.

[Screenshot: Security Settings dialog box, starting with Access control for USB printers]
[Screenshot: DeviceLock Setup, Current Destination Folder page]

On the Ready to Install the Program page, click Install to begin the installation. Select the Add DeviceLock shortcuts to the desktop check box if you want to add DeviceLock Management Console (the MMC snap-in), DeviceLock Enterprise Manager and DeviceLock Service Settings Editor shortcuts to the desktop.

[Screenshot: DeviceLock Setup, Ready to Install the Program page ("The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard."), with the Add DeviceLock shortcuts to the desktop check box]

If you choose to install DeviceLock management consoles as well, Setup may suggest that you generate a new DeviceLock Certificate.

[Screenshot: DeviceLock Setup prompt "Do you want to create the new DeviceLock Certificate (the private and public key pair)?"]

Click No if you already have a DeviceLock Certificate and you don't need to create a new key pair. You can always generate a new DeviceLock Certificate later using the Certificate Generation Tool installed with DeviceLock management consoles. Hence, if at this step you are not sure whether you need the new certificate or not, just press the No button and continue the installation. For more information on DeviceLock Certificates, see DeviceLock Certificates.

Also, if you select Ser
DeviceLock User Manual
Software Version 7.1

© 1996-2012 DeviceLock, Inc. All rights reserved.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, for any purpose other than the purchaser's personal use, without the prior written permission of DeviceLock, Inc.

Trademarks

DeviceLock and the DeviceLock logo are registered trademarks of DeviceLock, Inc. All other product names, service marks and trademarks mentioned herein are trademarks of their respective owners.

DeviceLock User Manual, Software Version 7.1. Updated February 10, 2012.

Contents

ABOUT THIS MANUAL ... 6
CONVENTIONS ... 6
OVERVIEW ... 7
GENERAL INFORMATION ... 7
MANAGED ACCESS CONTROL FOR DEVICES AND PROTOCOLS ... 11
UNDERSTANDING DEVICELOCK CONTENT SECURITY SERVER ... 16
HOW SEARCH SERVER WORKS ... 16
EXTENDING DEVICELOCK FUNCTIONALITY WITH CONTENTLOCK AND NETWORKLOCK ... 18
LICENSING ... 22
RECOMMENDED BASIC SECURITY MEASURES ... 22
INSTALLATION ... 24
REQUIREMENTS ... 24
DEPLOYING DEVICELOCK SERVICE ...
DeviceLock Certificate authentication on DeviceLock Enterprise Server.

Generating DeviceLock Certificates

DeviceLock's Certificate Generation Tool allows you to generate DeviceLock Certificates. We recommend that you generate only one DeviceLock Certificate and deploy its public key to all user computers; only the public key is deployed, the private key stays on the administrators' side. It is necessary to generate and install a new certificate only if the private key was either compromised (e.g. stolen) or lost.

To run the Certificate Generation Tool, select the Certificate Generation Tool item from the File menu in DeviceLock Enterprise Manager. To run the Certificate Generation Tool from DeviceLock Management Console (the MMC snap-in) and DeviceLock Group Policy Manager, use the context menu available by a right mouse click.

[Screenshot: DeviceLock context menu in the console tree, with the Certificate Generation Tool and DeviceLock Signing Tool items]

The Certificate Generation Tool will run automatically when DeviceLock management consoles are installed on an administrator's computer that has no DeviceLock Certificate.

There are two simple steps to generate the key pair:

1. Define the name of the DeviceLock Certificate.

[Screenshot: DeviceLock Certificate Generation Tool, with the auto-generated name "DeviceLock Certificate 05/07/2006 13:46:02"]

The Certificate Generation Tool auto-generates a name based on the current date a
DeviceLock Service uses all available space on the disk where the directory specified in the Local storage directory parameter is located.

When the total size of the directory specified in the Local storage directory parameter reaches the quota, DeviceLock Service either starts deleting old data (if the Cleanup files older than (days) parameter is enabled) or stops data shadowing and content analysis (if the Cleanup files older than (days) parameter is disabled or there is nothing to delete).

Shadow zero-length files: Enable this parameter to allow shadowing of files whose size is zero. Even if the file contains no data at all, it is still possible to transfer some information in its name and path (up to several kilobytes); that is why you may need to enable shadowing for zero-length files.

Prevent data transfer on errors: By enabling this parameter, you can prevent users from writing data when shadowing or content analysis is not possible. You can be sure that users can transfer information only when shadowing and Content Aware Rules are working normally (e.g. there is enough local disk space to store cached data). With this parameter disabled, a full local storage directory means data leaves the computer with neither a shadow copy nor a content check. When the Prevent data transfer on errors parameter is enabled, the total size of the directory specified in the Local storage directory parameter reaches the quota specified in Local storage quota, and there is no data that can be deleted, DeviceLock Service stops shadowing and content anal
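The interaction of Local storage quota, Cleanup files older than (days) and Prevent data transfer on errors is easiest to see as a decision procedure. The following added example (written for this edition, not DeviceLock code) models it on a constructed cache of shadow files; the file names, sizes, ages and the "oldest first" deletion order are assumptions made to keep the example concrete.

```python
# Added example, not DeviceLock code: models the local-storage decisions the
# manual describes for shadowing and content analysis when the Local storage
# directory reaches its quota. File names, sizes and ages are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CachedFile:
    name: str
    size: int        # bytes
    age_days: int


@dataclass
class StorageOptions:
    local_storage_quota: int           # bytes; the manual's Local storage quota
    cleanup_older_than_days: int       # 0 = "Cleanup files older than (days)" disabled
    prevent_transfer_on_errors: bool   # the manual's Prevent data transfer on errors


def plan_shadow_copy(cache: List[CachedFile], opts: StorageOptions,
                     incoming_size: int) -> Tuple[str, List[str]]:
    """Decide what happens to a new shadow copy of incoming_size bytes.

    Returns (action, names_deleted) where action is one of
    'shadow', 'block_transfer' or 'transfer_unshadowed'.
    """
    remaining = list(cache)
    used = sum(f.size for f in remaining)
    deleted: List[str] = []

    if used + incoming_size > opts.local_storage_quota and opts.cleanup_older_than_days:
        # Cleanup enabled: delete old data (assumed oldest first) until the copy fits.
        for f in sorted(remaining, key=lambda f: f.age_days, reverse=True):
            if used + incoming_size <= opts.local_storage_quota:
                break
            if f.age_days > opts.cleanup_older_than_days:
                remaining.remove(f)
                used -= f.size
                deleted.append(f.name)

    if used + incoming_size <= opts.local_storage_quota:
        return "shadow", deleted

    # Quota still exceeded and nothing (more) to delete: shadowing and content
    # analysis stop. What happens to the user's transfer depends on
    # Prevent data transfer on errors.
    if opts.prevent_transfer_on_errors:
        return "block_transfer", deleted       # fail closed
    return "transfer_unshadowed", deleted      # fail open: data leaves unrecorded


# Constructed cache: 90 of 100 bytes used, one file old enough to be cleaned up.
CACHE = [CachedFile("old.docx", 60, 10), CachedFile("new.xlsx", 30, 2)]


def demo() -> dict:
    return {
        "cleanup_on": plan_shadow_copy(CACHE, StorageOptions(100, 7, True), 30),
        "cleanup_off_fail_closed": plan_shadow_copy(CACHE, StorageOptions(100, 0, True), 30),
        "cleanup_off_fail_open": plan_shadow_copy(CACHE, StorageOptions(100, 0, False), 30),
        "nothing_old_enough": plan_shadow_copy([CACHE[1]], StorageOptions(100, 7, True), 80),
        "fits": plan_shadow_copy(CACHE, StorageOptions(100, 0, True), 5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two "cleanup_off" cases differ only in Prevent data transfer on errors, and that single flag decides whether a full cache blocks the write or silently lets it through.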
ENTER after each entry.

Note: When adding senders/recipients to the white list for Web Mail, consider the following: messages sent from a Webmail application are kept in the Sent Items folder and can be forwarded to any address from any computer.

Applies to the SMTP and Web Mail protocols. Specifies a list of allowed e-mail recipients for this rule. If this list is specified, mail to these recipients will not be blocked. Use the following format for a recipient address: user@domain.com. You can use the asterisk (*) as a wildcard character to specify a group of recipients. You can add the asterisk before or after the at sign (@) in an e-mail address. For example, to allow mail delivery to all users in a domain, type *@domain.com. Multiple e-mail addresses must be separated by a comma or semicolon. You can also press ENTER after each entry.

Social Networks: Applies to the Social Networks protocol. Specifies a list of allowed social networking sites for this rule. If this list is specified, these social networking sites will not be blocked. The following social networking sites are supported: Facebook, Google+, LinkedIn, LiveJournal, MeinVZ, Myspace, Odnoklassniki, SchuelerVZ, StudiVZ, Tumblr, Twitter, Vkontakte, XING.

Web Mail Services: Applies to the Web Mail protocol. Specifies a list of allowed Web-based e-mail services for this rule. If this list is specified, e-mail messages sent through these mail
[Screenshot: Content Aware Rules dialog box, Content Database list with check boxes (Admission & Discharge Keywords, Adult Keywords, American Address Keywords, American Names Keywords, Archive File Types, Audio, Video & Flash File Types, ...)]

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click Pattern. The Add Pattern Group dialog box appears.

[Screenshot: Add Pattern Group dialog box with Name, Description, Expression, Validate, Validation Condition and Test sample fields]

5. In the Add Pattern Group dialog box, do the following:

USE THIS: TO DO THIS

Name: Specify the name of the group.

Description: Specify a description for the group.

Expression: Specify a pattern by creating a regular expression. For information on how to create Perl regular expressions, refer to the Perl regular expressions quick start tutorial and Perl regular expressions tutorial.

Validate: Check regular expression syntax.

Validation Condition: Perform the actual validation on the potential matches returned by the regular expression. The following options are available: No validation (this option is selected by default), ABA Routing Number, Canadian Social Insurance Number, Credit Card Number (All), Credit Card Number (American Express), Credit Card Number (Diners Club), Credit Card Number (Diners Clu
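A Pattern group is a regular expression plus a validation condition, and the validation is what keeps a loose regular expression from flagging every 16-digit number. The following added example (written for this edition, not DeviceLock's own detection code) shows that two-stage check for two of the validation conditions listed above, Credit Card Number (Luhn mod-10) and ABA Routing Number (the 3-7-1 checksum); the regular expressions and the sample text are constructed, and the sample uses a test card number and a public bank routing number.

```python
# Added example, not DeviceLock code: a Pattern group in miniature. A
# Perl-style regular expression finds candidate matches and a validation
# condition discards false positives, as the Validate / Validation Condition
# options do. The Luhn and ABA checks are the public algorithms; SAMPLE is
# constructed text with a test card number and a published routing number.
import re
from typing import Callable, List

# Candidate finders: deliberately loose, the validator does the real work.
CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
ABA_ROUTING_RE = re.compile(r"\b\d{9}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing transit number checksum (weights 3, 7, 1 over 9 digits)."""
    if len(digits) != 9:
        return False
    d = [int(c) for c in digits]
    total = (3 * (d[0] + d[3] + d[6])
             + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return total % 10 == 0


def find_validated(text: str, pattern: re.Pattern,
                   validator: Callable[[str], bool]) -> List[str]:
    """Return the digit strings of regex matches that pass validation."""
    hits = []
    for m in pattern.finditer(text):
        digits = re.sub(r"\D", "", m.group())   # strip spaces and dashes
        if validator(digits):
            hits.append(digits)
    return hits


# Constructed sample: one valid test card, one with a typo in the check digit,
# one valid routing number and one nine-digit number that is not a routing number.
SAMPLE = ("Pay card 4111 1111 1111 1111 (typo: 4111 1111 1111 1112); "
          "wire to routing 021000021, not 123456789.")

if __name__ == "__main__":
    print("cards:", find_validated(SAMPLE, CREDIT_CARD_RE, luhn_valid))
    print("routing:", find_validated(SAMPLE, ABA_ROUTING_RE, aba_valid))
```

Without the validator both card numbers and both nine-digit numbers would be reported; with it, only the two that pass their checksum are, which is the difference between a rule that blocks real card data and one that blocks every invoice number.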
Enterprise Server. These search capabilities make it easier and more efficient to manage the increasing amount of data in DeviceLock Enterprise Server databases.

DeviceLock Content Security Server includes the following features:
- Full-text search capability support. Through the use of Search Server, DeviceLock Content Security Server allows you to instantly search for relevant text data based on various search criteria.
- Flexible configuration options. There is support for many different configuration options, enabling you to optimize the performance of DeviceLock Content Security Server for your unique installation.

You can use full-text searches to find data that you cannot find by filtering data in the log viewers. The full-text search functionality is especially useful in situations when you need to search for shadow copies of documents based on their contents.

Use Case: Preventing leaks of confidential information

Security specialists who are tasked with keeping sensitive information confidential can regularly use Search Server to easily find, retrieve and analyze all shadow copies of files containing specific business-critical data (for example, customers or price lists). The log records associated with found shadow copies will help to determine when and by whom confidential information was copied. With this information, security specialists can take immediate steps to avoid possible information disclosure and distribution outside the c
For a detailed description of the Content Aware Rules feature for protocols, see Content Aware Rules for Protocols (Regular Profile).

The offline Content Aware Rules can have one of the following states:

STATE: DESCRIPTION

Not Configured: Indicates that Content Aware Rules are not defined. The following message is displayed: "Offline Content Aware Rules are not configured." This is the default state.

Configured: Indicates that Content Aware Rules are defined.

Use Regular: Indicates that the inheritance of offline Content Aware Rules is blocked and regular Content Aware Rules are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular Content Aware Rules is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular Content Aware Rules lets you prevent offline Content Aware Rules inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular Content Aware Rules, see Removing Offline Content Aware Rules.

Managing offline Content Aware Rules involves the following tasks:
- Defining offline Content Aware Rules
- Editing offline Content Aware Rules
- Copying offline Content Aware Rules
- Exporting and importing offline Content Awar
I package. For example: \\file_server\share\DeviceLock Service.msi. Click Open.

Click Assigned, and then click OK. The new package is listed in the right pane of the Group Policy window.

[Screenshot: Group Policy editor showing the assigned DeviceLock Service package under Computer Configuration, Software Settings]

Right-click the new package, click Properties, and then click the Upgrades tab.

[Screenshot: DeviceLock Service Properties, Upgrades tab ("Packages that this package will upgrade")]

Click Add, select the old DeviceLock Service package you want to upgrade, click Uninstall the existing package, then install the upgrade package, and then click OK.

[Screenshot: Add Upgrade Package dialog box (Choose a package from: Current Group Policy Object (GPO) / A specific GPO; Package to upgrade: DeviceLock Service; Uninstall the existing package, then install the upgrade package)]

Click OK to close the Properties window, and close the Windows Group Policy Object editor. When the client computer starts, DeviceLock Service is automatically upgraded.

[Screenshot: Group Policy editor showing the assigned upgrade package]
ICQ and AOL Instant Messenger server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log.

Audit, Incoming Messages / Outgoing Messages: Enables audit logging of user attempts to send and receive instant messages. The Chat action, IDs of all IM participants, the IP address with the port number and the name of the host are written to the log. The ID of the local participant precedes the ID of a remote participant.

Shadowing, Incoming Messages: Enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages.

Shadowing, Outgoing Messages: Enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact

[Table continues across the page break; PROTOCOL column: IRC, Jabber]
Indicates that permissions on a protocol are set.

Full Access: Indicates that full access rights are granted to the Everyone account.

No Access: Indicates one of the following:
- The Everyone account has No Access permissions and is the only account assigned to a protocol. No Access permissions assigned to the Everyone account take priority over permissions assigned to other accounts.
- All users and groups assigned to a protocol have No Access permissions.
- All users and groups assigned to a protocol are removed.

Setting and Editing Permissions

To set and edit permissions

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Permissions.

When you select Permissions in the console tree, in the details pane you can view protocols for which you can set permissions. In the details pane you can also view the current state of online (regular) permissions for each protocol in the Regular colum
Interface Devices continue to function as usual and audit is not performed for these devices.
- Access control for USB printers: if enabled, allows DeviceLock Service to audit and control access to printers plugged into the USB port. Otherwise, even if the USB port is locked, printers continue to function as usual and audit is not performed for these devices.
- Access control for USB scanners and still image devices: if enabled, allows DeviceLock Service to audit and control access to scanners and still image devices plugged into the USB port. Otherwise, even if the USB port is locked, these devices continue to function as usual and audit is not performed for these devices.
- Access control for USB Bluetooth adapters: if enabled, allows DeviceLock Service to audit and control access to Bluetooth adapters plugged into the USB port. Otherwise, even if the USB port is locked, Bluetooth adapters continue to function as usual and audit is not performed for these devices. This parameter affects audit and access control on the interface (USB) level only. If the device belongs to both levels, the permissions and audit rules (if any) for the type (Bluetooth) level will be applied anyway.
- Access control for USB storage devices: if enabled, allows DeviceLock Service to audit and control access to storage devices (such as flash drives) plugged into the USB port. Otherwise, even if the USB port is locked, storage
K. The rule you created is displayed under Rules in the right pane of the Protocols White List (Offline) dialog box.

10. Click OK or Apply.

The users or groups to which the white list rule applies are displayed under White List in the console tree. When you select a user or group to which a white list rule applies in the console tree, in the details pane you can view detailed information regarding this rule. This information includes the following:
- Protocol: The protocol the rule applies to.
- Description: The name of the rule.
- Hosts: Shows the allowed hosts for this rule.
- Ports: Shows the allowed ports for this rule.
- SSL: Shows the selected SSL option. Possible values: Allowed (allows SSL connections), Denied (disallows SSL connections) and Required (requires that all connections use SSL).
- Extra parameters: Shows additional protocol-specific parameters specified for the rule. These parameters include From (shows allowed sender identifiers for instant messaging and e-mail sender addresses for Webmail) and To (shows allowed recipient identifiers for instant messaging and e-mail recipient addresses for Webmail).
- Profile: Possible values: Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Protocols
LE CONNECTION ERRORS ... 96
MANAGING DEVICELOCK SERVICE ... 97
SERVICE OPTIONS ... 99
DEVICES ... 123
PERMISSIONS (REGULAR PROFILE) ... 124
AUDITING & SHADOWING (REGULAR PROFILE) ... 133
USB DEVICES WHITE LIST (REGULAR PROFILE) ... 143
MEDIA WHITE LIST (REGULAR PROFILE) ... 148
SECURITY SETTINGS (REGULAR PROFILE) ... 152
AUDIT LOG VIEWER (SERVICE) ... 155
SHADOW LOG VIEWER (SERVICE) ... 159
MANAGING DEVICELOCK ENTERPRISE SERVER ... 166
SERVER OPTIONS ... 167
AUDIT LOG VIEWER (SERVER) ... 168
SHADOW LOG VIEWER (SERVER) ... 172
SERVER LOG VIEWER ... 176
MONITORING ... 178
MANAGING AND USING DEVICELOCK CONTENT SECURITY SERVER ... 192
NAVIGATING DEVICELOCK CONTENT SECURITY SERVER ... 192
CONFIGURING GENERAL SETTINGS FOR DEVICELOCK CONTENT SECURITY SERVER ... 194
CONFIGURING FULL TEXT
List (Offline) dialog box. To delete a user or group, in the left pane of the Protocols White List (Offline) dialog box, under Users, select the user or group, and then click Delete.

In the left pane of the Protocols White List (Offline) dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

In the right pane of the Protocols White List (Offline) dialog box, under Rules, click Add. The Add Rule dialog box appears.

[Screenshot: Add Rule dialog box with Protocol and Description fields]

In the Add Rule dialog box, specify general and protocol-specific parameters for this rule.

To specify general parameters, do the following:
- To specify the protocol, in the Protocol list, click the protocol of your choice.
- To specify the rule name, in the Description box, type a name.

To specify protocol-specific parameters, do the following:
- To specify the hosts, in the Hosts box, type host names or IP addresses separated by a comma or semicolon. For more information on how to specify hosts, see the description of the Hosts parameter.
- To specify the ports, in the Ports box, type port numbers separated by a comma or semicolon. For more information on how to specify ports, see the description of the Ports parameter.
- To configure the SSL options, under SSL, click any of the following: Allowed (allows SSL connection
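The parameters of a white list rule (Hosts and Ports as comma- or semicolon-separated lists, the SSL option with its three values, and the recipient list described earlier for SMTP and Web Mail, where "*" is a wildcard that may appear before or after the "@") can be combined into one matcher. The following added example (written for this edition, not DeviceLock code) does that for a constructed rule and constructed connections; the exact-or-wildcard host matching, the case-insensitive comparison, and the choice that every recipient of a message must be white-listed are assumptions made for the example.

```python
# Added example, not DeviceLock code: evaluates a Protocols White List rule
# of the shape the manual describes (Hosts and Ports separated by commas or
# semicolons; SSL = Allowed / Denied / Required; a To list of recipient
# addresses with '*' wildcards). The rule, hosts and addresses are constructed.
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Tuple


def split_list(spec: str) -> list:
    """Split 'a, b; c' the way the manual's comma/semicolon lists allow."""
    return [item.strip() for item in re.split(r"[,;]", spec) if item.strip()]


@dataclass(frozen=True)
class WhiteListRule:
    protocol: str
    description: str
    hosts: str = ""          # empty = any host
    ports: str = ""          # empty = any port
    ssl: str = "Allowed"     # Allowed | Denied | Required
    to: str = ""             # empty = any recipient (SMTP / Web Mail only)


@dataclass(frozen=True)
class Connection:
    protocol: str
    host: str
    port: int
    ssl: bool
    recipients: Tuple[str, ...] = ()


def _wild(pattern: str, value: str) -> bool:
    # '*' is the only wildcard; host names and addresses compare case-insensitively
    return fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule: WhiteListRule, conn: Connection) -> bool:
    if rule.protocol != conn.protocol:
        return False
    if rule.hosts and not any(_wild(h, conn.host) for h in split_list(rule.hosts)):
        return False
    if rule.ports and conn.port not in {int(p) for p in split_list(rule.ports)}:
        return False
    if rule.ssl == "Denied" and conn.ssl:
        return False
    if rule.ssl == "Required" and not conn.ssl:
        return False
    if rule.to:
        allowed = split_list(rule.to)
        # Assumption: every recipient must be white-listed; one outside address
        # on the To line would otherwise carry the whole message out.
        if not conn.recipients or not all(
                any(_wild(a, r) for a in allowed) for r in conn.recipients):
            return False
    return True


# Constructed rule: corporate webmail only, over SSL, to internal addresses
# plus one named partner.
RULE = WhiteListRule("Web Mail", "Corporate mail only",
                     hosts="mail.example.com; 10.0.0.5", ports="443",
                     ssl="Required", to="*@example.com, partner@contoso.com")

if __name__ == "__main__":
    ok = Connection("Web Mail", "mail.example.com", 443, True,
                    ("alice@example.com", "partner@contoso.com"))
    leak = Connection("Web Mail", "mail.example.com", 443, True,
                      ("alice@example.com", "bob@gmail.com"))
    print("internal + partner:", rule_matches(RULE, ok))
    print("with outside address:", rule_matches(RULE, leak))
```

The recipient check is where the manual's note about Webmail matters: the rule can only judge the addresses on the message as it is sent, and a message that stays in the Sent Items folder can later be forwarded to any address from any computer, outside this rule's view.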
Lock Service Settings Editor and return to the plug-in's settings dialog box. For more information, see Set Service Settings.

DeviceLock Enterprise Manager

DeviceLock Enterprise Manager Overview

With DeviceLock Enterprise Manager you can view and change security policies defined for device types and protocols, install, update and uninstall DeviceLock Service, and view audit and shadow logs for all the computers in a large network. We recommend using DeviceLock Enterprise Manager if you have a large network without Active Directory.

Based on a multi-threaded engine, using this console speeds up all activity for all the computers in the large network. DeviceLock Enterprise Manager stores, compares and filters the data it receives from all the computers. Administrators can make snapshots of the systems for future comparison and notation of changes.

DeviceLock Enterprise Manager has a flexible plug-in based architecture that allows you to plug in necessary modules on demand. Each module (plug-in) performs a task and displays retrieved information in its own window.

For information on how to install DeviceLock Enterprise Manager, please read the Installing Management Consoles section of this manual.

To run DeviceLock Enterprise Manager, select the appropriate shortcut from the Programs menu available by clicking the Windows Start button.

[Screenshot: Programs menu with the DeviceLock Certificate Generation Tool shortcut]
[Screenshot: Active Directory Users and Computers context menu (Operations Masters, All Tasks, Refresh, Export List, Properties, Help)]

Click the Group Policy tab, select the group policy object that you need, and then click Edit. If you wish to create a new group policy object, click Add. Wait until the GPO editor is started; it may take up to several seconds.

5. Under Computer Configuration, select DeviceLock.

[Screenshot: Group Policy Object Editor, "DeviceLock Group Policy Object [vm2000server.vm2000ad.com] Policy", with DeviceLock (Service Options, ...) selected under Computer Configuration]

Alternatively, to run the GPO editor you can start MMC and add the Group Policy snap-in manually:

1. Run mmc from the command line or use the Run menu to execute this command.
2. On the File menu, click Add/Remove Snap-in.

[Screenshot: MMC Console File menu, with Add/Remove Snap-in and recently used consoles]

3. In the Add/Remove Snap-in dialog box, click the Standalone tab, and then click Add.
Management Console and DeviceLock Enterprise Manager are replaced by Group Policy settings. To activate the Local Policy mode for this DeviceLock Service, disable the Use Group Policy parameter. In this mode all settings that you set via DeviceLock Management Console and DeviceLock Enterprise Manager have priority over Group Policy settings and replace them.

If DeviceLock Service was not configured to work with Group Policy, the Use Group Policy parameter is disabled and unavailable for changing. If the Use Group Policy parameter is enabled but unavailable for changing, it means that the Group Policy mode always has priority (the Override Local Policy parameter was enabled in DeviceLock Group Policy Manager) and the Local Policy mode can't be enabled for this DeviceLock Service. For more information, please read the Using DeviceLock Group Policy Manager section of this manual.

Fast servers first: DeviceLock Service can choose the fastest available DeviceLock Enterprise Server from the list of servers. When this parameter is enabled, all servers specified in the DeviceLock Enterprise Server(s) parameter are divided into three groups depending on their network speed, and preference is given to the fastest. If all of the fastest servers are unavailable, DeviceLock Service attempts to select a server from the group of next fastest servers, and so on. If the Fast servers first parameter is disabled, D
No if you already have a DeviceLock Certificate and you don't need to create a new key pair. You can always generate a new DeviceLock Certificate later using the Certificate Generation Tool installed with DeviceLock management consoles. Hence, if at this step you are not sure whether you need the new certificate or not, just press the No button and continue the installation. For more information on DeviceLock Certificates, see DeviceLock Certificates.

Also, Setup may suggest that you load the license files for DeviceLock. If you don't have the license files, click Cancel to install DeviceLock in a 30-day trial mode.

[Screenshot: "Select the DeviceLock license file(s)" dialog box ("Choose a directory with the licence file(s) for DeviceLock. PRESS CANCEL TO INSTALL A 30 DAY TRIAL VERSION")]

If you opted to install DeviceLock Service as well, Setup suggests that you set special permissions for local devices.

[Screenshot: Lock Devices page with check boxes for device classes (Tape Devices, Ports, Infrared Ports, FireWire Ports, Bluetooth Adapters, WiFi (802.11) Adapters, Printers, BlackBerry), the option "Create local groups Allow_Access_to_... if not existing", and a Security Settings section]
190. OR Expand Content Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Load.
OR Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Load Offline on the toolbar.
OR Right-click Content Aware Rules, and then click Manage Offline. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, click Load.
The Open dialog box appears. In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file, and then click Open. You can import only one .cwl file at a time.
Deleting Offline Content Aware Rules
You can delete individual offline Content Aware Rules when they are no longer required.
To delete an offline Content Aware Rule:
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Edi
191. Palm documents with specified content written from a PC to a Palm device are shadow copied. Controls whether or not any other uncategorized data with specified content written from a PC to a Windows Mobile device is shadow copied.
Note: Generic shadowing rights specified for the Removable device type apply only to unencrypted devices. Encrypted shadowing rights specified for the Removable device type apply only to encrypted devices. To specify shadowing rights for both encrypted and unencrypted Removable devices, you must specify both Generic and Encrypted shadowing rights.
Configuring Content Detection Settings
Content Aware Rules are created based on content groups that enable you to centrally define the types of content for which you want to control access. Content groups specify the content filtering criteria that will be used to select the data to which rules should be applied. All content groups are stored in the Content Database. The same Content Database is used for both devices and protocols. The Content Database is a part of the DeviceLock Service policy and is also saved in an XML file with service settings that can be created using DeviceLock Management Console, DeviceLock Service Settings Editor and DeviceLock Group Policy Manager. There are several types of content groups: File Type Detection groups, Keywords groups, Pattern groups, Document Properties groups and Complex groups. The
192. Parameters for a result retrieved from the Shadow Log or Deleted Shadow Data Log:
Received Date/Time: the date and time when the data was received by DeviceLock Enterprise Server.
Status: the status of the record. The Success status indicates that the data is successfully logged; the Incomplete status indicates that the data is possibly not completely logged; the Failed status is given to shadow copies of files whose transmission was blocked by Content Aware Rules. This value matches the value in the Status column of the server's Shadow Log Viewer.
Computer: the name of the computer from which the Shadow Log was received. This value matches the value in the Computer column of the server's Shadow Log Viewer.
Date/Time: the date and the time when the data was transferred. This value matches the value in the Date/Time column of the server's Shadow Log Viewer.
Source: the type of device or protocol involved. This value matches the value in the Source column of the server's Shadow Log Viewer.
Action: the user's activity type. This value matches the value in the Action column of the server's Shadow Log Viewer.
File Name: the original path to the file, or the auto-generated name of data that originally was not a file (such as CD/DVD images, data written directly to the media, or data transferred through the serial/parallel ports). This value matches the value in the File Name column of the server's
193. Permissions. When you select Permissions in the console tree, in the details pane you can view the protocols for which you can set permissions. In the details pane you can also view the current state of offline permissions for each protocol in the Offline column.
4. In the details pane, right-click the protocol for which you want to undefine offline permissions, and then click Undefine Offline. You can undefine offline permissions set for several protocols at the same time. To do this, do the following:
a. In the details pane, select several protocols by holding down the SHIFT key or the CTRL key while clicking them.
b. Right-click the selection, and then click Undefine Offline.
The offline state of the permissions changes to Not Configured.
Removing Offline Permissions
If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of higher-level offline permissions and enforce regular permissions on specific lower-level groups of client computers. To enforce regular permissions, you must remove offline permissions.
To remove offline permissions:
1. If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Ope
194. Not Configured: Security Settings are not defined. This is the default state.
Security Settings are defined to enable audit and access control for the specified device classes.
Security Settings are defined to disable audit and access control for the specified device classes.
Use Regular: the inheritance of offline Security Settings is blocked and regular Security Settings are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular Security Settings is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular Security Settings lets you prevent offline Security Settings inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular Security Settings, see Removing Offline Security Settings.
Managing offline Security Settings involves the following tasks:
• Defining and changing offline Security Settings
• Undefining offline Security Settings
• Removing offline Security Settings
Defining and Changing Offline Security Settings
Offline Security Settings can be defined and changed individually or collectively.
To define and change offline Security Settings indi
195. PowerPoint
BlackBerry
Common Object File Format (COFF)
Database
Executable
Fax Documents
FileMaker Pro
Fonts
Help Files
Images, CAD & Drawing
Lotus SmartSuite
MS Access
MS Excel
MS InfoPath
MS Money
MS OneNote
MS Project
MS Publisher
MS Visio
MS Windows Installer
MS Windows Memory Dump
MS Word
MS Works
OpenOffice, StarOffice, OpenDocument, etc.
PDF, PostScript & XPS Documents
QuickBooks, Quicken, TurboTax & etc.
Rich Text Format
Security Certificates
Text, HTML & XML
Virtual Machines
WordPerfect Office
Note: Content Aware Rules support the Word To Go, Sheet To Go and Slideshow To Go formats for Palm devices. The Word To Go format is included in the MS Word and Rich Text Format built-in content groups, the Sheet To Go format is included in the MS Excel built-in content group, while the Slideshow To Go format is included in the MS PowerPoint built-in content group. Microsoft Word or Rich Text Format (RTF) files, Excel files and PowerPoint files can be transferred to a Palm device using the Documents To Go application. The Documents To Go application converts these files to special formats: Word and RTF files are converted to Word To Go format, Excel files are converted to Sheet To Go format, while PowerPoint files are converted to Slideshow To Go format. The converted files are automatically downloaded to the Palm when users synchronize.
With built-in content groups you c
196. Properties. The DeviceLock Content Security Server dialog box appears.
3. In the DeviceLock Content Security Server dialog box, do the following:
To enable default security: select the Enable Default Security check box. If default security is enabled, members of the local Administrators group will have full access to DeviceLock Content Security Server.
To restrict access to the server to specific users:
1. Clear the Enable Default Security check box.
2. Under Users, click Add to add the specific users to whom you want to allow access to DeviceLock Content Security Server. The Select Users or Groups dialog box appears.
3. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK.
The users and groups you selected are added to the Server Administrators group and are displayed under Users in the DeviceLock Content Security Server dialog box. Server Administrators are users or groups that are authorized to perform tasks related to configuring and using DeviceLock Content Security Server. By default, members of the Server Administrators group have full access rights to the server. To change their access rights, under Users, select the user or group, and then click any option in the access rights list. The available options are:
Full Access: enables full access to DeviceLock Content Security Server. Users can install, uninstal
197. Protocols White List is not configured. This is the default state.
Configured: the white list is defined.
Use Regular: the inheritance of the offline white list is blocked and the regular white list is enforced. The following message is displayed: "Offline Protocols White List is configured to use Regular Protocols White List." Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of the regular white list is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of the regular white list lets you prevent the offline white list inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of the regular white list, see Removing Offline Protocols White List.
Managing the offline Protocols White List involves the following tasks:
• Defining the offline Protocols White List
• Editing the offline Protocols White List
• Copying rules of the offline Protocols White List
• Exporting and importing the offline Protocols White List
• Deleting rules of the offline Protocols White List
• Undefining the offline Protocols White List
• Removing the offline Protocols White List
Defini
198. OR Under Protocols, expand White List, and then do the following:
a. Under White List, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the white list rules applied to them in the details pane.
b. In the details pane, right-click the rule you want to edit, and then click Edit.
OR In the details pane, double-click the rule you want to edit.
The Edit Rule dialog box appears. In the Edit Rule dialog box, modify the rule parameters as required to meet your needs. Click OK to apply the changes.
Copying Rules of Offline Protocols White List
You can perform a cut-and-paste operation, a copy-and-paste operation or a drag-and-drop operation to reuse existing rules of the offline Protocols White List.
To copy an offline white list rule:
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols. Under Protocols, d
199. Receive Data, Outgoing Messages; SSL: Send/Receive Data, Outgoing Messages.
Mail.ru Agent: Generic: Send/Receive Data, Outgoing Messages.
SMTP: Generic: Send/Receive Data, Outgoing Messages, Outgoing Files; SSL: Send/Receive Data, Outgoing Messages, Outgoing Files.
Social Networks: Generic: Send/Receive Data, Outgoing Messages, Outgoing Files.
Telnet: Generic: Send/Receive Data.
Web Mail: Generic: Send/Receive Data, Outgoing Messages, Outgoing Files; SSL: Send/Receive Data, Outgoing Messages, Outgoing Files.
Windows Messenger: Generic: Send/Receive Data, Outgoing Messages.
Yahoo Messenger: Generic: Send/Receive Data, Outgoing Messages.
Managing online (regular) permissions for protocols involves the following tasks:
• Setting and editing permissions
• Undefining permissions
Online permissions for protocols can have one of the following states:
Not Configured: permissions on a protocol are not set.
Configured
200. Rules dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box.
b. In the lower right pane of the Content Aware Rules dialog box, under Rules, select the rule you want to edit, and then click Edit.
OR Right-click the rule, and then click Edit.
OR Under Protocols, expand Content Aware Rules, and then do the following:
a. Under Content Aware Rules, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them in the details pane.
b. In the details pane, right-click the rule you want to edit, and then click Edit.
OR In the details pane, double-click the rule you want to edit.
The Edit Rule dialog box appears. In the Edit Rule dialog box, modify the rule properties as required to meet your needs. Click OK to apply the changes.
Copying Content Aware Rules
You can perform a cut-and-paste operation, a copy-and-paste operation or a drag-and-drop operation to reuse existing Content Aware Rules.
To copy a Content Aware Rule:
If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do
201. SB & FireWire devices report type.
Because a single user action often triggers multiple events, DeviceLock uses event consolidation when collecting events from the audit log for reporting purposes. DeviceLock compares the time element of an event with the time of subsequent events. When this time delta is less than or equal to the Threshold value, multiple events of the same type (either Allowed or Denied) are combined into a single summary event if all of the following conditions are true:
• The events are associated with the same computer.
• The events are associated with the same device type.
Report Devices: Select this option if you want to display data for all device types. If you do not select this option, information on all device-related activities will be excluded from the report. Appears only for the Allowed & Denied access requests per channel, Allowed vs. Denied access requests and Copied files per channel report types.
Report Protocols: Select this option if you want to display data for all protocols. If you do not select this option, information on all protocol-related activities will be excluded from the report. Appears only for the Allowed & Denied access requests per channel, Allowed vs. Denied access requests and Copied files per channel report types.
Send report via email: Select this option if you want to automatically send the generated report to individual users through e-mail. If you select
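The consolidation rule described above (events of the same computer, device type and result are folded into one summary event when their time delta is within the Threshold) is easy to get subtly wrong once events from several computers interleave in the log. The following Python script is an added example written for this page; it is not DeviceLock code. It parses a few constructed audit-log lines and produces the summary events. Two details are assumptions made here rather than documented behaviour: the pipe-separated line format of the sample log, and measuring the delta from the first event of the run being consolidated (so a summary never spans more than one Threshold).

```python
"""Event consolidation as described for DeviceLock reports (added example).

Assumptions (not from the manual): the audit log is fed in as pipe-separated
text lines, and the time delta is measured from the first event of the run
being consolidated, so one summary never spans more than one Threshold.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SummaryEvent:
    first: datetime      # time of the first consolidated event
    last: datetime       # time of the last consolidated event
    computer: str
    device_type: str
    result: str          # "Allowed" or "Denied"
    count: int           # number of raw events folded into this summary


def parse_line(line: str) -> tuple:
    """Parse 'YYYY-MM-DD HH:MM:SS|computer|device type|Allowed|user'
    (a constructed format for this example)."""
    when, computer, device_type, result, user = line.strip().split("|")
    if result not in ("Allowed", "Denied"):
        raise ValueError(f"unexpected result {result!r}")
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), computer, device_type, result, user


def consolidate(lines, threshold: timedelta) -> list:
    """Fold events of the same computer, device type and result into summaries.

    An event joins the currently open run for its (computer, device type,
    result) key only if its time minus the run's first time is <= threshold;
    otherwise a new summary is started. Events are processed in time order,
    and runs are tracked per key, so interleaved activity from another
    computer does not break a run.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    summaries = []
    open_runs = {}   # key -> SummaryEvent currently being extended
    for when, computer, device_type, result, _user in events:
        key = (computer, device_type, result)
        run = open_runs.get(key)
        if run is not None and when - run.first <= threshold:
            run.last = when
            run.count += 1
        else:
            run = SummaryEvent(when, when, computer, device_type, result, 1)
            open_runs[key] = run
            summaries.append(run)
    return summaries


# Constructed sample log: three denied writes in quick succession on WS01,
# interleaved with another computer, then a separate denial 30 seconds later.
SAMPLE_LOG = """\
2024-05-01 10:00:00|WS01|Removable|Denied|jsmith
2024-05-01 10:00:01|WS01|Removable|Denied|jsmith
2024-05-01 10:00:02|WS02|USB port|Allowed|adoe
2024-05-01 10:00:02|WS01|Removable|Denied|jsmith
2024-05-01 10:00:03|WS01|Removable|Allowed|jsmith
2024-05-01 10:00:30|WS01|Removable|Denied|jsmith
"""


def sample_report(threshold_seconds: int = 5) -> list:
    """Run the consolidation over SAMPLE_LOG with the given Threshold in seconds."""
    return consolidate(SAMPLE_LOG.splitlines(), timedelta(seconds=threshold_seconds))


if __name__ == "__main__":
    for s in sample_report():
        print(f"{s.first:%H:%M:%S}-{s.last:%H:%M:%S} {s.computer} {s.device_type} "
              f"{s.result} x{s.count}")
```

With a 5-second Threshold the six raw events collapse to four summaries; the WS02 event in the middle does not split the WS01 run because runs are tracked per (computer, device type, result). With a Threshold of 0 nothing is merged, which is the behaviour to expect if the report looks suspiciously long.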
202. SEARCH SETTINGS FOR SEARCH SERVER 200
USING SEARCH SERVER 207
DEVICELOCK GROUP POLICY MANAGER 218
OVERVIEW 218
APPLYING GROUP POLICY 219
STANDARD GPO INHERITANCE RULES 219
STARTING DEVICELOCK GROUP POLICY MANAGER 220
USING DEVICELOCK GROUP POLICY MANAGER 224
USING RESULTANT SET OF POLICY (RSOP) 227
DEVICELOCK SERVICE SETTINGS EDITOR 230
OVERVIEW 230
DEVICELOCK ENTERPRISE MANAGER 232
OVERVIEW 232
INTERFACE 233
SCAN NETWORK DIALOG BOX 234
SELECTING COMPUTERS 234
SELECTING PLUG-INS 240
STARTING A SCAN 241
PLUG-INS 242
AUDIT LOG VIEWER 243
INSTALL SERVICE 243
REPORT PERMISSIONS/AUDITING 243
REPORT PNP DEVICES 245
SET SERVICE SETTINGS
203. Save As dialog box, in the Save in box, browse to the location where you want to save the .whl file.
5. In the File name box, type the file name you want.
6. Click Save.
When you export the offline USB Devices White List, it is saved in a file with a .whl extension.
To import the offline USB Devices White List:
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the following:
a. Open Group Policy Object Editor.
b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices. Under Devices, do one of the following:
• Right-click USB Devices White List, and then click Load Offline.
OR
• Select USB Devices White List, and then click Load Offline on the toolbar.
OR
• Expand USB Devices White List, right-click any user or group specified in the white list, and then click Load Offline.
OR
• Expand USB Devices White List, and then select any user or group specified in the white list. In the details pane, right-click the white-listed device, and then click Load
204. Security, SPAM, Sports, Staff Training, Substance Abuse, Suspicious Activity Report, Technology, UB04 Form, US Birth Date, US Birth Place, US Expiry Date, User Name, VB Source Code, Violence, Weapon Keywords, Wire Transfer, Working Conditions.
With built-in content groups, you can quickly create and apply rules without having to define your own content groups.
Note: You can view the keywords that are included in the built-in Keywords groups, but you cannot edit or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups.
Creating Custom Keywords Groups
You can define Content Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom Keywords content groups enable you to specify any keywords that you want in the same group to better meet your individual business needs.
To create a custom Keywords group:
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Group Policy Manager, do the follow
205. Sets the SSL options. The following SSL options are available:
• Allowed: allows SSL connections.
• Denied: disallows SSL connections.
• Required: requires that all connections use SSL.
Applies to the ICQ/AOL Messenger, Jabber, Mail.ru Agent, Windows Messenger and Yahoo Messenger protocols.
Specifies a list of identifiers for local users who are allowed to send instant messages. If this list is specified, instant messages from these users will not be blocked. ICQ/AOL Messenger users are identified by numbers called UINs, for example 111222, 23232323. Jabber users are identified by Jabber IDs in the following format: user@example.com. Mail.ru Agent users are identified by mail.ru e-mail addresses in the following format: user@mail.ru. Windows Messenger users are identified by e-mail addresses in the following format: user@example.com. Yahoo Messenger users are identified by any of the following user ID types:
• Yahoo ID: <username> or <username>@yahoo.com
• Rocketmail: <username>@rocketmail.com
• Ymail: <username>@ymail.com
Multiple user identifiers must be separated by a comma or semicolon. You can also press ENTER after each entry. Applies to the ICQ/AOL Messenger, Jabber, Mail.ru Agent and Yahoo Messenger protocols.
Specifies a list of iden
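An identifier list like the one above is typed into a console field, and a mistyped entry simply never matches, so it is worth checking the list against the per-protocol formats before relying on it. The following Python script is an added example written for this page, not DeviceLock code: it splits a list the way the manual describes (comma, semicolon, or one entry per line), validates each entry against the format given for its protocol, and shows the resulting allow check. The protocol names used as dictionary keys, the lowercase normalisation and the exact-match comparison are assumptions of this example.

```python
"""Validation of per-protocol instant-messaging identifier lists (added example).

The accepted formats follow the manual's description of each protocol's user
identifiers. The dictionary keys, lowercase normalisation and exact matching
are assumptions made for this example, not documented DeviceLock behaviour.
"""
import re

# One pattern per protocol, built from the formats the manual lists.
ID_FORMATS = {
    "ICQ/AOL Messenger": re.compile(r"\d+"),                          # numeric UIN, e.g. 111222
    "Jabber": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),                # user@example.com
    "Mail.ru Agent": re.compile(r"[^@\s]+@mail\.ru", re.IGNORECASE),  # user@mail.ru
    "Windows Messenger": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),     # user@example.com
    "Yahoo Messenger": re.compile(                                    # bare ID, or ID@yahoo/rocketmail/ymail.com
        r"[^@\s]+(@(yahoo|rocketmail|ymail)\.com)?", re.IGNORECASE),
}

SEPARATORS = re.compile(r"[,;\r\n]+")   # comma, semicolon, or one entry per line


def parse_id_list(protocol: str, text: str):
    """Split a list as typed into the console and return (valid, invalid) entries.

    Entries are lowercased (assumption: identifiers are not case sensitive).
    Whitespace around separators and empty entries are ignored.
    """
    pattern = ID_FORMATS[protocol]
    valid, invalid = [], []
    for raw in SEPARATORS.split(text):
        entry = raw.strip()
        if not entry:
            continue
        (valid if pattern.fullmatch(entry) else invalid).append(entry.lower())
    return valid, invalid


def is_allowed_sender(protocol: str, allow_list: str, sender_id: str) -> bool:
    """True if sender_id matches an entry of the configured list of local sender IDs.

    Entries that do not match the protocol's format are ignored, so a typo in
    the list fails closed instead of silently allowing a wrong identifier.
    """
    valid, _invalid = parse_id_list(protocol, allow_list)
    return sender_id.strip().lower() in valid


if __name__ == "__main__":
    # Constructed input: one typo ("abc") among ICQ UINs.
    print(parse_id_list("ICQ/AOL Messenger", "111222, 23232323; abc\n4455"))
    print(is_allowed_sender("Mail.ru Agent", "dave@mail.ru;erin@mail.ru", "Dave@mail.ru"))
```

Note that the Yahoo pattern accepts a bare `<username>` and the three domain forms as distinct entries, exactly as the manual lists them; whether the console treats `carol` and `carol@yahoo.com` as the same user is not stated on this page, so the example does not assume it.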
206. Shadow Log.
Applies To: possible values are Permissions, Shadowing, and Permissions, Shadowing. Permissions indicates that the rule applies to access control operations. Shadowing indicates that the rule applies to shadow copy operations. Permissions, Shadowing indicates that the rule applies to both access control and shadow copy operations.
Protocol(s): the protocol(s) to which the rule applies.
Profile: possible values are Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Content Aware Rules for the same user or sets of users. For information about how to define online Content Aware Rules for protocols, see Managing Content Aware Rules.
Editing Offline Content Aware Rules
You can modify the Content Aware Rule properties such as Description, Applies To, Protocol(s) and Actions.
To edit an offline Content Aware Rule:
1. If you use DeviceLock Management Console, do the following:
a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLock Service Settings Editor, do the following:
a. Open DeviceLock Service Settings Editor.
b. In the console tree, expand DeviceLock Service.
If you use DeviceLoc
207. Terminal Servers: any server where Terminal Services are running.
• Stand-Alone Servers: any server that is not a domain controller.
• Cluster Servers: server clusters available in the domain.
• Print Servers: any computer that is sharing the print queue.
• NT Workstations: any Windows NT/2000/XP workstation.
There are two ways to choose the type of computers:
1. Types: you select the network domain, and then select the types of computers which must be processed in this domain.
[Screenshot: the Types view, with check boxes for Primary Domain Controller, Backup Domain Controller, Microsoft SQL Servers, Terminal Servers, Stand-Alone Servers, Cluster Servers, Print Servers and NT Workstations under the selected domain.]
2. Domains: you select the type of computer, and then select the network domains where computers of the selected type must be processed.
[Screenshot: the Domains view, with the network domains (for example SMARTLINE and TRAVEL_GROUP) listed under each computer type.]
Network computers can also be selected by their names. There are several ways to choose computers by name:
1. Organizational Units: you browse Active Directory organizational units (OUs) and select the computers which must be processed.
[Screenshot: the Organizational Units view, showing the OU tree of the domain.]
208. The Save & Sign Service Settings command is unavailable when the DeviceLock Signing Tool has no previously loaded private key. Later, files with policies created using DeviceLock Service Settings Editor can be loaded via DeviceLock Management Console and/or DeviceLock Group Policy Manager. Also, files with policies can be sent to users whose computers are not online and thus out of reach via the management consoles. To avoid unauthorized modification, these files should be signed with the DeviceLock Certificate (the private key) using the DeviceLock Signing Tool. For more information, see Service Settings. If you modify an existing policy file, DeviceLock Service Settings Editor automatically saves your changes.
Note: Only settings that are explicitly defined in a policy file apply to client computers. All policy settings that have the Not Configured state are ignored by client computers.
DeviceLock Service Settings Editor is also used in the Set Service Settings plug-in of DeviceLock Enterprise Manager. This plug-in runs DeviceLock Service Settings Editor as an external application and opens it with the XML file selected in the plug-in's settings dialog box. When you make any policy changes (change parameters, set permissions, define white lists, etc.) in the XML file passed to the editor by the plug-in, DeviceLock Service Settings Editor automatically saves them to this file. As soon as you finish modifying the policy, just close Device
209. There is a special Search Server license, which you must purchase for DeviceLock Content Security Server. You can use the same license on an unlimited number of computers running DeviceLock Content Security Server. The Search Server licensing model is based on the number of log entries to be indexed for full-text search. Each license allows Search Server to index 1,000 entries from the shadow logs (Shadow Log and Deleted Shadow Log) and 5,000 entries from every other log (Audit Log, Server Log and Monitoring Log). Depending on the actual number of log entries on your DeviceLock Enterprise Servers, you can purchase as many licenses as required. If you use several licenses for Search Server, it can index as many log entries as the combined licenses allow. The trial period for DeviceLock Content Security Server is 30 days. During the trial period, Search Server can index 2,000 entries from the shadow logs and 10,000 entries from every other log.
• In case you have several DeviceLock Enterprise Servers on your network, you can also install several DeviceLock Content Security Servers to spread the load. However, this approach only makes sense if all these DeviceLock Enterprise Servers are not connected to the same Microsoft SQL Server (i.e. not in the many-to-one mode).
• When you have several DeviceLock Content Security Servers installed, each Search Server will have its own search index. Hence, you have to connect to every DeviceLock Content Securit
210. Password: the user's password.
From File: you load a predefined list of computers from an external text file, and then select the computers. To open an external file, click the button.
[Screenshot: the From File list showing the loaded computers SL_SERVER, SL_SERVER3, SL_SERVER2, FUJITSU_LAPTOP, ACER_LAPTOP and TERMINALA, each with a check box.]
A text file must contain each computer's name or IP address on separate lines and can be either Unicode or non-Unicode. A brief example of such a file (computers.txt, shown in Notepad) follows:
sl_server
sl_server3
sl_server2
pili600
fujitsu_laptop
acer_laptop
terminala
Supplying Credentials
If you need to supply alternative credentials for the target computer(s), select the computer or network domain from the tree and point to Credentials on the context menu.
[Screenshot: the context menu of a computer in the From File list, with the Credentials command alongside the plug-in commands Audit Log Viewer, Install Service, Report Permissions, Report PnP Devices and Set Permissions.]
You may assign credentials to individual computers and/or to network domains. To add credentials, click Set. To delete alternative credentials, click Clear. Credentials consist of a user name and password pair used to authenticate to the computers processed. By default, DeviceLock Enterprise Manager uses your currently logged-on credentials to automatically log in and process the target computer(s). If the currently logged-in user's credentials do not have administrative rights on all of
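The "Unicode or non-Unicode" remark above is the practical trap with these list files: Notepad's "Unicode" option writes UTF-16 with a byte-order mark, and a loader that assumes single-byte text reads every name as garbage. The following Python script is an added example for this page, not DeviceLock code; it reads the file format the manual describes (one computer name or IP address per line), detects the encoding from the BOM, and separates well-formed entries from malformed ones. The BOM-based detection, the cp1252 fallback for non-Unicode files, the host name syntax check and the case-insensitive de-duplication are all assumptions of this example.

```python
"""Loader for the DeviceLock Enterprise Manager computer-list text file (added example).

The manual specifies one computer name or IP address per line, in a Unicode or
non-Unicode file. Everything else here (BOM-based encoding detection, the
cp1252 fallback, the host name syntax check, de-duplication) is an assumption
of this example, not DeviceLock behaviour.
"""
import ipaddress
import re
from typing import Optional

# NetBIOS and DNS style names: letters, digits, underscore and hyphen in each label.
HOSTNAME = re.compile(
    r"[A-Za-z0-9_][A-Za-z0-9_\-]{0,62}(?:\.[A-Za-z0-9_][A-Za-z0-9_\-]{0,62})*")


def decode_list_file(data: bytes) -> str:
    """Decode a Notepad-style list: UTF-16 (either byte order) or UTF-8 with a BOM,
    otherwise try UTF-8 and fall back to cp1252 (a typical "non-Unicode" ANSI file)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")        # the codec consumes the BOM
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("cp1252")


def classify(entry: str) -> Optional[str]:
    """'ip' for an IPv4/IPv6 literal, 'name' for a syntactically valid host name, else None."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if len(entry) <= 255 and HOSTNAME.fullmatch(entry):
        return "name"
    return None


def load_computer_list(data: bytes):
    """Return (accepted, rejected): accepted is a list of (entry, kind) in file order
    with blank lines skipped and case-insensitive duplicates removed; rejected lists
    the malformed lines so they can be reported instead of silently dropped."""
    accepted, rejected, seen = [], [], set()
    for raw in decode_list_file(data).splitlines():
        entry = raw.strip()
        if not entry:
            continue
        kind = classify(entry)
        if kind is None:
            rejected.append(entry)
            continue
        key = entry.lower()
        if key not in seen:
            seen.add(key)
            accepted.append((entry, kind))
    return accepted, rejected


# Constructed sample files: one saved by Notepad as Unicode (UTF-16 with BOM),
# one as plain ANSI text. The stray "bad name" line exercises the rejection path.
SAMPLE_UNICODE = "sl_server\r\nsl_server3\r\n10.0.0.5\r\n\r\nbad name\r\nSL_SERVER\r\n".encode("utf-16")
SAMPLE_ANSI = b"fujitsu_laptop\r\nacer_laptop\r\nterminala\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_UNICODE, SAMPLE_ANSI):
        ok, bad = load_computer_list(sample)
        print("accepted:", ok, "rejected:", bad)
```

Run it before handing a list to the Scan Network dialog: a rejected line or an unexpectedly short accepted list usually means the file was saved in an encoding the loader did not expect.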
211. Use this setting to specify the location of the full-text index.
Indexing interval: use this setting to specify the time interval (in minutes) between the end of one indexing process and the start of the next indexing process.
Merge Interval: use this setting to specify the time interval (in minutes) at which to perform merge operations.
Extract text from binary: use this setting to allow or disallow the index to include textual information from binary data.
Search Server License(s): use this setting to install the required number of Search Server licenses.
• The Search Server node. Use this node to perform a search operation and monitor the current indexing activity.
Configuring General Settings for DeviceLock Content Security Server
There are two types of configuration settings for DeviceLock Content Security Server:
• General settings for DeviceLock Content Security Server. These settings affect your whole DeviceLock Content Security Server deployment.
• Full-text search settings for Search Server. These settings are related to full-text search and affect only the Search Server component of DeviceLock Content Security Server. For more information, see Configuring Full-Text Search Settings for Search Server.
You can configure general server settings during the initial installation of DeviceLock Content Security Server, or you can use DeviceLock Management Console to configure a
212. 246
SHADOW LOG VIEWER 247
UNINSTALL SERVICE 247
OPEN / SAVE / EXPORT 248
COMPARING DATA 249
FILTERING DATA 253
CONTENT AWARE RULES FOR DEVICES (REGULAR PROFILE) 256
CONTENT AWARE RULES FOR ACCESS CONTROL OPERATIONS 256
CONTENT AWARE RULES FOR SHADOW COPY OPERATIONS 260
CONFIGURING CONTENT DETECTION SETTINGS 261
FILE TYPE DETECTION CONTENT GROUPS 262
KEYWORDS CONTENT GROUPS 265
PATTERN CONTENT GROUPS 270
DOCUMENT PROPERTIES CONTENT GROUPS 274
COMPLEX CONTENT GROUPS 278
VIEWING BUILT-IN CONTENT GROUPS 281
DUPLICATING BUILT-IN CONTENT GROUPS 282
EDITING AND DELETING CUSTOM CONTENT GROUPS 282
TESTING CONTENT GROUPS 283
MANAGING CONTENT AWARE RULES 284
DEFINING CONTENT AWARE RULES 284
EDITING CONTENT AWARE RULES
[Screenshot: DeviceLock Group Policy Object editor, Computer Configuration, DeviceLock Service Options. Settings shown: USB/FireWire blocked message (Not Configured), Expired message (Not Configured), DeviceLock Enterprise Server(s) (Not Configured), Log policy changes and Start/Stop events (Not Configured), DeviceLock certificate (Not Configured), Override Local Policy (Enabled).]

If the Override Local Policy parameter is enabled, it means that the Use Group Policy parameter in Service Options of DeviceLock Management Console and DeviceLock Enterprise Manager cannot be disabled.

The following table shows how different settings of the Use Group Policy parameter and the Override Local Policy parameter affect the policy application mode.

POLICY APPLICATION MODE                                             USE GROUP POLICY   OVERRIDE LOCAL POLICY
Only Local Policy is applied                                        Disabled           Disabled
Only Group Policy is applied                                        Enabled            Enabled
Local Policy is applied until Active Directory replication occurs   Enabled            Disabled

When setting the Override Local Policy parameter, consider the following:

- Disabling the Override Local Policy parameter does not cancel Active Directory replication.
- If the Override Local Policy parameter is disabled, all Devi
a report that allows you to view and change security policies defined for device types and protocols across the network. Before you can use this plug-in, you should select the information you want to include in the report. You can do this by clicking the Settings button below the plug-ins list in the Scan Network dialog box (see Selecting Plug-ins).

[Screenshot: Report Permissions dialog box, with Devices and Protocols tabs listing the device types and protocols to report on, and the Report Auditing & Shadowing, Report Enabled Auditing & Shadowing Only, Report Security Settings, Report Content-Aware Rules, Report USB White List, Report Protocols White List and Report Media White List check boxes.]

In the Report Permissions dialog box, specify the information that you want to include in your report. To receive information on the security policies defined for device types, under Devices, use
... 288
Copying Content-Aware Rules  289
Exporting and Importing Content-Aware Rules  290
Undefining Content-Aware Rules  292
Deleting Content-Aware Rules  292
Content-Aware Rules for Protocols (Regular Profile)  294
Content-Aware Rules for Access Control Operations  294
Content-Aware Rules for Shadow Copy Operations  296
Configuring Content Detection Settings  298
File Type Detection Content Groups  298
Keywords Content Groups  301
Pattern Content Groups  306
Document Properties Content Groups  310
Complex Content Groups  313
Viewing Built-in Content Groups  316
Duplicating Built-in Content Groups  317
Editing and Deleting Custom Content Groups  318
Testing Content Groups  319
Managing Content-Aware Rules  319
Defining Content-Aware Rules  320
Editing Content-Aware
abase in the upper pane of the Content-Aware Rules dialog box.

Complex Content Groups

Complex groups use Boolean expressions to select data for which you want to control access. These groups can include any combination of built-in or custom content groups (File Type Detection, Keywords, Pattern and Document Properties groups) linked with any number of the standard logical operators. Each content group is treated as a single filter criterion that can be included in your Boolean expression. By using multiple content groups, you can create complex filters to identify sensitive content of data transmitted over the network.

The following table lists the logical operators in order of precedence, from highest to lowest.

OPERATOR   MEANING
NOT        Logical negation of a filter criterion
AND        Both filter criteria must apply
OR         Either filter criterion can apply

You can use parentheses to modify the precedence of operators and force some parts of an expression to be evaluated before others. Nested criteria enclosed in parentheses are evaluated in inner-to-outer order. Multiple levels of nesting are supported. A complex group can contain a maximum of 30 content groups.

There are no predefined (built-in) Complex content groups to use. The following procedure describes how to create your own Complex group.

To create a Complex group

1. If you use DeviceLock Management Console, do the following:
ach incidents caused by data loss or theft.

For auditing and shadow copying at the transport level, DeviceLock uses two types of logging: Audit Logs and Shadow Logs.

The Audit Log is used to audit access to protocols and track what individual users do. Audit data can be written to the Windows Event Log, to the DeviceLock proprietary log, or both. To define which log should be used, set the Audit log type parameter in Service Options. To view audit log data, use either DeviceLock Service Audit Log Viewer or DeviceLock Enterprise Server Audit Log Viewer.

The Shadow Log is used to store a full copy of data (files) transferred via specified protocols. To view shadow log data, use either DeviceLock Service Shadow Log Viewer or DeviceLock Enterprise Server Shadow Log Viewer.

Auditing and shadow copying of data transferred via specified protocols are enabled by defining audit and shadowing rules. Each rule associated with a protocol specifies the users or groups the rule applies to and the appropriate audit/shadowing rights, which determine which user actions to audit or shadow copy.

Audit events logged include a variety of information, such as the event type, the date and time of the event, the associated protocol, the user associated with this event, process information and event-specific information.

The following table provides summary information on the audit and shadowing rights that can be specified in rules and describes the event-specific information that is written
ach included column for this record.

- If the column's values for the older and the recent files are different, DeviceLock Enterprise Manager inserts both records in the compare result. The record from the recent file comes right after the record from the older one. The column that belongs to an older record is highlighted in red. The column that belongs to a recent record is highlighted in green. All excluded columns and columns with equal values are not highlighted and are written in the default color.
- If all of a record's columns for both files contain equal values, DeviceLock Enterprise Manager either skips this record (the Show changes only check box is selected) or inserts this record into the compare result and writes it in the default color (the Show changes only check box is cleared).

If you wish to compare two files which were saved as projects, it is a good idea to use the special feature of the Open Project window.

[Screenshot: Open Project window listing saved Report Permissions/Auditing projects by date, with Group by Plug-ins and Group by Date options.]

Select Open Project from the File menu, select the two projects you would like to compare (use CTRL and/or SHIFT to select two projects simultaneously), and then select Co
after you paste it. To perform a drag-and-drop operation, select the rule and move it to the user or group to which you want to apply the copied rule.

In the lower left pane of the Content-Aware Rules dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule, and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content-Aware Rules dialog box.

8. In the lower left pane of the Content-Aware Rules dialog box, under Users, select the users or groups to which you want to apply the copied rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

9. In the lower right pane of the Content-Aware Rules dialog box, right-click in the Rules pane, and then click Paste. The copied rule is displayed under Rules in the lower right pane of the Content-Aware Rules dialog box.

10. Click OK or Apply to apply the copied rule.

Exporting and Importing Content-Aware Rules

You can export all your current Content-Aware Rules to a .cwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup.

To export Content-Aware Rules

1. If you use De
ame box is empty by default. This means that the report will display data for all files in the DeviceLock Enterprise Server database.

To specify files for the report, in the File name box type file names using wildcards such as asterisks (*) and question marks (?). For example, type *.txt to specify all files that have the .txt extension. To continue the example, if you want to specify all files whose names begin with any characters, contain the string price, and have any extension, type *price*.*. An asterisk replaces an unlimited number of characters. The question mark replaces a single character. You can use these wildcards in any position and in any quantity. Multiple file names must be separated by a comma or semicolon.

Managing Reports

Managing DeviceLock reports involves the following tasks:

- Running reports
- Refreshing reports
- Viewing reports
- Viewing report parameters
- Exporting and saving reports
- Sending reports through e-mail
- Deleting reports

Running Reports

To run a report

1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server.
2. In the console tree, expand DeviceLock Enterprise Server.
3. Under DeviceLock Enterprise Server, expand Reports.
4. Expand Audit Log or Shadow Log.
5. Under Audit Log or Shadow Log, right-click any report template you want to use, and then click New report. The Report Options dialog
an contain media. The list is automatically refreshed and displays new media as soon as they arrive. To manually refresh this list, click Refresh.

In the list at the bottom of the dialog box, you can see media that are already in the database. You can add media to this list by selecting the desired record in the Drives list and clicking Add. It takes some time (depending on the media size) to authorize the media. If the media is already in the database, it cannot be added there a second time.

To edit a media description, select the appropriate record in the list and click Edit. Click Delete to delete a selected record (use CTRL and/or SHIFT to select several records simultaneously).

You can also save a current database to an external file. To save the database to an external file, click Save, then select the type of the file (.txt or .csv). To load a previously saved database, click Load and select a file that contains the list of media.

Security Settings (Regular Profile)

There is a list of additional security parameters that affect permissions and audit rules for some device types.

[Screenshot: DeviceLock Management Console, DeviceLock Service (Local), Security Settings in the details pane, with entries such as Access control for USB HID (mouse, keyboard, etc.) shown as Not Configured.]

Access
an quickly create and apply rules without having to define your own content groups.

Note: You can view the file type definitions that are included in the built-in File Type Detection groups, but you cannot edit or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups.

Creating Custom File Type Detection Groups

You can define Content-Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom File Type Detection content groups enable you to specify any file types that you want in the same group, to better meet your individual business needs. For example, suppose you need to grant certain users access to Word, Excel, PDF documents and graphic files. To do this, first you create a new File Type Detection content group that represents these document content types. Then you define a rule based on this custom content group.

To create a custom File Type Detection group

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a.
anager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click Content-Aware Rules, and then click Remove Offline.

The offline state of Content-Aware Rules changes to Use Regular. When you select Content-Aware Rules in the console tree, the following message is displayed in the details pane: Offline Content-Aware Rules are configured to use Regular Content-Aware Rules. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Security Settings for Protocols

For a detailed description of the Security Settings feature for protocols, see Managing Security Settings for Protocols.

Offline Security Settings can have one of the following states:

STATE            DESCRIPTION
Not Configured   Indicates that Security Settings are not defined for protocols. This is the default state.
Enabled          Indicates that Security Settings are enabled for protocols.
Disabled         Indicates that Security Settings are disabled for protocols.
Use Regular      Indicates that the inheritance of offline Security Settings is blocked and regular Security Settings are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Grou
and DeviceLock.
2. Expand Devices.
3. Under Devices, select Security Settings. When you select Security Settings in the console tree, they are displayed in the details pane.
4. In the details pane, right-click any Security Setting you want to remove, and then click Remove Offline.

The Security Setting changes its offline state to Use Regular. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Security Policies for Protocols

Managing offline security policies for protocols involves the following operations:

- Managing offline Permissions for protocols
- Managing offline audit and shadowing rules for protocols
- Managing the offline Protocols White List
- Managing offline Content-Aware Rules for protocols
- Managing offline Security Settings for protocols

Managing Offline Permissions for Protocols

For a detailed description of the Permissions feature for protocols, see Managing Permissions for Protocols.

Offline permissions can have one of the following states:

STATE            DESCRIPTION
Not Configured   Indicates that permissions on a protocol are not set. This is the default state.
Configured       Indicates that permissions on a protocol are set.
Full Access      Indicates that full access rights are granted to the Everyone account.
No Access        Indicates one of the following:
                 - Th
and Copy Unidentified Content rights do not control data copying to the clipboard. Users can always copy data to the clipboard regardless of the rights they have.

Note: If access (read and/or write) to some content type is denied during the iPhone or Windows Mobile synchronization process, you have to re-plug the device in order to continue using the iPhone or Windows Mobile device. When users attempt to synchronize a Palm handheld device over a network and DeviceLock denies access to some content type, the synchronization session is interrupted. To avoid this situation, users should set the HotSync application to sync only the content to which they are allowed access before attempting synchronization.

If all rights are enabled for the user account, it means that this account has full access rights to a device. If all rights are disabled for the user account, it means that this account has no access rights to a device.

Note: The no access right has priority over all other rights. It means that if the group to which some user belongs has the no access right, but this user has full access, the user still cannot access a device. If you want to deny access for some user or group, you can just remove it from the accounts list; it is not necessary to add it with no access. Also, the Everyone user has priority over all other accounts. It means that if Everyone has the no access right, no one can access a de
and DeviceLock Content Security Server use ports 9132, 9133 and 9134 thereafter. For more information, please refer to the Frequently Asked Questions section of our Web site. Also please note that DeviceLock Service automatically adds itself to the exception list of Windows Firewall.

- 1753 (There are no more endpoints available from the endpoint mapper): you're trying to connect to a computer where DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server is not accessible. First of all, make sure that DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server is installed and started on the remote computer. It is possible that this computer was just booted and Windows is still initializing its services; the Remote Procedure Call (RPC) service may not be running yet. Also, a firewall could be blocking access to DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server. For more information, please read the above description of the 1722 error. To troubleshoot RPC Endpoint Mapper errors, please read this Microsoft article: support.microsoft.com/kb/839880/en-us.

- 5 (Access is denied): you don't have enough privileges on the remote computer. Make sure that DeviceLock Management Console is trying to connect to the remote computer under a user with local administrator privileges on that computer. You may also need to run DeviceLock Management Console
and connect to it using any standard Windows administrative tool such as Computer Management, Services, and so on.

This error also occurs when the standard Windows Server service is not running on the remote computer. Check the Server service status and start it if it is stopped.

More connection errors are described in the Possible Connection Errors section of this manual.

Audit Log Viewer

The Audit Log Viewer plug-in retrieves DeviceLock's audit log from the computer's local Windows event logging subsystem. To define a maximum log size and what Windows should do if the audit log becomes full, use Audit Log Settings from the context menu. To clear all events from the audit log, select Clear Audit Log from the context menu. For more information, see Audit Log Viewer (Service).

Install Service

The Install Service plug-in installs or updates DeviceLock Service on computers. Before you can use this plug-in, you should specify the directory that contains all of the files needed for installation, such as DeviceLock Service.msi, DeviceLock Service x64.msi, DLRemoteInstaller.exe and InstMsiW.exe. You can do this by clicking the Settings button below the plug-ins list in the Scan Network dialog box (see Selecting Plug-ins). For more information, see Remote Installation via DeviceLock Enterprise Manager.

Report Permissions/Auditing

The Report Permissions/Auditing plug-in generates
and hours when the rule is not active (non-audit time).

In the upper left pane of the dialog box, under Users, select the user or group. In the lower left pane of the dialog box, under User's Rights, select or clear the Allow check box next to the appropriate rights.

In the upper left pane of the dialog box, under Users, select the user or group, and then click Delete or press the DELETE key. When you remove a user or group, any rules for that user or group will also be removed.

Undefining Audit and Shadowing Rules

If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent audit and shadowing rules defined for a particular protocol or protocols from being applied to a specific group of client computers. To do so, you need to return the previously defined rules to the unconfigured state. All undefined DeviceLock settings are ignored by client computers.

To undefine audit and shadowing rules

1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, right-click DeviceLock Settings or DeviceLock Service, and then click Load Service Settings to open the XML file with defined DeviceLock policies.
   c. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Polic
and reliable algorithm allows for correct identification and handling of files regardless of the file extension. You can also use Content-Aware Rules to allow or deny shadow copying of specific file types.

Note: You must purchase a ContentLock license to gain access to the enhanced capabilities of the Content-Aware Rules feature.

- Audit and shadowing. Allows you to track user activity for specified protocols and log a full copy of data (files) transmitted over the network.

ContentLock is a content monitoring and filtering component that greatly enhances the capabilities of the Content-Aware Rules feature. With ContentLock you can not only grant or deny access to information based on real file types, but also create regular expression patterns with numerical conditions and Boolean combinations of matching criteria and keywords. Recognizing more than eighty file formats and data types, ContentLock extracts and filters the content of data copied to removable drives and plug-n-play storage devices, as well as that transmitted over the network. With ContentLock you can also filter shadowed data down to just those pieces of information meaningful to security auditing, incident investigations and forensic analysis before saving it in the Shadow Log. This tremendously reduces storage space and network bandwidth requirements for shadow log delivery to the central database.

ContentLock includes the following key features and benefits:

- Content-based document a
anged without being reported to the monitoring log.

To load the master policy file, click the button. Since the signature is not validated at this step, it can be either a signed or a non-signed file. However, if you load the signed file, then its name will be displayed in the Service Settings file box in round brackets. If you are modifying the task and the master policy is already assigned, you can export it to an external XML file by clicking the Save button.

Restore Service Settings: if selected, DeviceLock Enterprise Server will overwrite the current policy of a monitored DeviceLock Service for which the policy verification process failed with the master policy assigned to this task. Using this feature, you can not only passively monitor the integrity of specific parameters but also restore them in case they were changed.

Scanning interval: the time (in seconds) that should pass after a task completes and before DeviceLock Enterprise Server will start executing the same task again.

Number of scanning threads: the maximum number of threads that can be used by this task simultaneously. You can increase this number to parallelize the process of computer scanning. However, a larger number of threads requires more hardware resources (especially RAM and network bandwidth) for DeviceLock Enterprise Server.

Monitoring Log Viewer

This viewer allows you to retrieve the monitoring log. The monitoring log is used by tasks to write informati
annot be disabled via Security Settings. In this case you may use the devices white list to authorize such devices individually.

Audit Log Viewer (Service)

There is a built-in audit log viewer that allows you to retrieve DeviceLock audit log records from a computer's local Windows event logging subsystem. The standard Windows event logging subsystem is used to store audit records only if Event Log or Event & DeviceLock Logs is selected in the Audit log type parameter in Service Options. Otherwise, audit records are stored in the proprietary log and can be viewed using the server's audit log viewer.

[Screenshot: DeviceLock Management Console, Audit Log Viewer for DeviceLock Service (Local), listing Success events such as Service Started, Service Stopped, Service Shutdown, Set Protocols White List, Set Content-Aware Rules (Protocols) and Set Audit & Shadow Options, with Settings, Save, Clear, Refresh and Filter commands in the context menu.]
apply changes and close the Auditing & Shadowing dialog box.

Shadow all data writing to removable storage devices and floppies for all users

1. Select the Floppy and Removable records from the list of device types under Auditing & Shadowing, and then select Set Auditing & Shadowing from the context menu available by a right mouse click.
2. Click the Add button in the Audit dialog box and add the Everyone user. Click OK to close the Select Users or Groups dialog box and select the Everyone record. Disable all audit rights and enable only the Write shadowing right in the User's Rights list.

[Screenshot: Auditing & Shadowing dialog box for the Floppy and Removable device types on the local computer, with Everyone listed under Users and only the Write shadowing right allowed.]

3. Click OK to apply changes and close the Auditing & Shadowing dialog box.

Permissions Examples for Protocols

For all users all Webmail services are denied, but members of the Administrators group can access Gmail

1. In the console tree, expand DeviceLock Service, and then expand Protocols.
2. Under Protocols, select Permissions.
3. In the details pane, right-click Web Mail, and then click Set Permissions.
4. In the Permissions dialog box, do the following:
   a. Under Users, click Add. In the Select Users or Groups dialog box, in the Enter the object names to select box, type Everyone, and then click OK.
   b. Under Users, select Everyone.
   c. Under User's Rights, clear all check
ase you need to run DeviceLock Management Console under a user that either has sufficient privileges to access DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server, or has no connections to the selected computer at all. You may use the Run As function (run RUNAS from the command line), available in Windows 2000 and later, to run DeviceLock Management Console under another user.

Possible Connection Errors

When you're trying to connect to a computer with DeviceLock Service, DeviceLock Enterprise Server or DeviceLock Content Security Server, you may receive some of these errors:

- 1722 (The RPC server is unavailable): you're trying to connect to a computer that either does not exist (the wrong name or IP address) or is not accessible. Make sure that the computer name you've specified is correct. Try to ping this computer by its name and IP address and connect to it using any standard Windows administrative tool such as Computer Management, Services, and so on. Make sure that this computer is working under a DeviceLock-compatible OS (Windows NT 4.0 and later). Also, it is possible that a firewall is blocking access to this computer. You would need to configure your firewall to allow some ports needed for DeviceLock. You could also instruct DeviceLock to use a fixed TCP port, making it easier to configure a firewall. By default, DeviceLock Service, DeviceLock Enterprise Server
asy to install. Administrators can have instant access from remote computers when necessary.

The administrator of the machine or domain can designate user access to floppy drives, CD-ROM drives, other removable media, tape drives, WiFi and Bluetooth adapters, or USB, FireWire, infrared, serial and parallel ports. All types of file systems are supported.

NetworkLock, an extension to DeviceLock, provides control over network communications. Administrators can designate user access to the FTP, HTTP, SMTP and Telnet protocols; instant messengers (ICQ, AOL Instant Messenger, Windows Live Messenger and Windows Messenger, Jabber, IRC, Yahoo Messenger, Mail.ru Agent); and webmail and social networking applications (AOL Mail, Gmail, GMX Mail, Hotmail, Mail.ru, Rambler Mail, Web.de, Yahoo Mail and Yandex Mail; Facebook, Google, LinkedIn, LiveJournal, MeinVZ, Myspace, Odnoklassniki, SchuelerVZ, StudiVZ, Tumblr, Twitter, Vkontakte, XING).

ContentLock, another extension to DeviceLock, extracts and filters the content of data copied to removable drives and plug-n-play storage devices, as well as that transmitted over the network. Administrators can create rules that specify which content can be copied and transmitted.

DeviceLock can audit user activity for a particular device type or protocol on a local computer. Based on the user's security context, this capability allows you to audit activities that belong to a certain user or user group. DeviceLock employs the
b En Route Credit Card Number, Discover Credit Card Number, JCB Credit Card Number, Laser Credit Card Number, Maestro Credit Card Number, Master Card Credit Card Number, Solo Credit Card Number, Switch Credit Card Number, Visa Credit Card Number, Visa Electron, Date, Date (ISO), Email Address, European VAT Number, IBAN, IP Address, LUHN Checksum, Russian Bank Account Number, Russian Health Insurance Number, Russian Taxpayer Identification Number, Russian Main State Registration Number, Russian Classification Of Enterprises And Organizations, UK National Insurance Number, UK Phone Number, UK Post Code, UK Tax Code, URL, US Social Security Number.

Specify conditions for firing rules associated with this content group. To do so, in the Condition list, click any of the following options:

- Less than or equal to: indicates that a rule associated with this content group is activated every time the number of matches returned by the regular expression is less than or equal to the specified number.
- Equal to: indicates that a rule associated with this content group is activated every time the number of matches returned by the regular expression is equal to the specified number.
- Greater than or equal to: indicates that a rule associated with this content group is activated every time the number of matches returned by the regular expression is greater than or equal to
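The following Python script is an added example, not part of this manual or of DeviceLock's own code; it models how a Pattern content group condition (match count compared against a number, as described just above) and a Complex content group expression (NOT, AND, OR in that precedence, parentheses evaluated inner to outer, at most 30 content groups, as described under Complex Content Groups) combine to decide whether a rule fires. The regular expressions, criteria names and sample text are simplified stand-ins constructed for this example, not DeviceLock's built-in pattern definitions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in regular expressions for three of the built-in Pattern
# groups the manual names; simplified for this example, not DeviceLock's own.
PATTERN_GROUPS: Dict[str, str] = {
    "US Social Security Number": r"\b\d{3}-\d{2}-\d{4}\b",
    "IP Address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "Email Address": r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b",
}
MAX_GROUPS_PER_COMPLEX_GROUP = 30  # limit stated in the manual


@dataclass
class PatternCriterion:
    """Pattern content group plus its firing condition on the regex match count."""
    group: str
    condition: str  # "<=" Less than or equal to, "==" Equal to, ">=" Greater than or equal to
    number: int

    def matches(self, text: str) -> bool:
        count = len(re.findall(PATTERN_GROUPS[self.group], text))
        if self.condition == "<=":
            return count <= self.number
        if self.condition == "==":
            return count == self.number
        if self.condition == ">=":
            return count >= self.number
        raise ValueError(f"unknown condition {self.condition!r}")


class ComplexGroup:
    """Boolean combination of content groups, precedence NOT > AND > OR;
    parentheses force inner sub-expressions to be evaluated first."""
    OPERATORS = {"NOT", "AND", "OR", "(", ")"}

    def __init__(self, expression: str, criteria: Dict[str, PatternCriterion]):
        self.tokens: List[str] = re.findall(r"\(|\)|[A-Za-z_]\w*", expression)
        self.criteria = criteria
        self.pos = 0
        leaves = [t for t in self.tokens if t not in self.OPERATORS]
        if len(leaves) > MAX_GROUPS_PER_COMPLEX_GROUP:
            raise ValueError("a Complex group may contain at most 30 content groups")

    def evaluate(self, text: str) -> bool:
        """True when the expression selects the text, i.e. the rule fires."""
        self.pos = 0
        result = self._or(text)
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or(self, text: str) -> bool:  # lowest precedence
        value = self._and(text)
        while self._peek() == "OR":
            self.pos += 1
            rhs = self._and(text)  # right side is always parsed, never skipped
            value = value or rhs
        return value

    def _and(self, text: str) -> bool:
        value = self._not(text)
        while self._peek() == "AND":
            self.pos += 1
            rhs = self._not(text)
            value = value and rhs
        return value

    def _not(self, text: str) -> bool:  # highest precedence
        if self._peek() == "NOT":
            self.pos += 1
            return not self._not(text)
        return self._atom(text)

    def _atom(self, text: str) -> bool:
        token = self._peek()
        if token == "(":
            self.pos += 1
            value = self._or(text)  # nested criteria: inner evaluated first
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self.pos += 1
            return value
        if token is None or token in self.OPERATORS:
            raise ValueError(f"expected a content group, got {token!r}")
        self.pos += 1
        return self.criteria[token].matches(text)


# Constructed criteria and sample text (not from the manual).
CRITERIA: Dict[str, PatternCriterion] = {
    "SSN": PatternCriterion("US Social Security Number", ">=", 1),
    "MANY_SSN": PatternCriterion("US Social Security Number", ">=", 5),
    "ONE_IP": PatternCriterion("IP Address", "==", 1),
    "NO_EMAIL": PatternCriterion("Email Address", "<=", 0),
}
SAMPLE_TEXT = ("Ticket 4421: customer 123-45-6789 (spouse 987-65-4321), "
               "host 10.0.0.5, contact ops@example.com")


def rule_fires(expression: str, text: str = SAMPLE_TEXT) -> bool:
    return ComplexGroup(expression, CRITERIA).evaluate(text)
```

With the sample text, "SSN AND NOT MANY_SSN OR NO_EMAIL" fires and "SSN AND (MANY_SSN OR NO_EMAIL)" does not, which is exactly the difference the parentheses make.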
This list displays either all currently plugged-in devices (if the Show all devices button is not clicked) or all the devices ever plugged into the port on this computer (if the Show all devices button is clicked). The list of available devices is automatically refreshed and displays new devices as soon as they arrive. To manually refresh this list, click Refresh. To retrieve devices from the remote computer, click Remote Computer. This button is unavailable when you are connected to the local computer.

In the USB Devices Database list at the bottom of the dialog box, you can see devices that are already in the database. You can add devices to this list by selecting the desired device's record in the Available USB Devices list and clicking Add. If the device is already in the database, it cannot be added there a second time.

To edit a device description, select the appropriate record in the USB Devices Database list and click Edit. Click Delete to delete a selected device's record (press CTRL and/or SHIFT to select several records simultaneously).

You can also save a current database to an external file. To save the database to an external file, click Save, then select the type of the file (txt or csv). To load a previously saved database, click Load and select a file that contains the list of devices.

Media White List (Regular Profile)

The media white list allows you to uniquely i
blocked read message: a notification balloon displayed to users when they try to read a file to which they are denied access. This message balloon is shown in the notification area of the taskbar on client computers. By default, DeviceLock does not display the Content Aware blocked read message.

To enable or disable the Content Aware blocked read message, right-click Content Aware blocked read message and then click Properties, or double-click Content Aware blocked read message.

(Screenshot: Content Aware blocked read message dialog box, with the Computer Name, Enable Content Aware Blocked Message, Blocked Message Caption and Blocked Message Text fields.)

In the Content Aware blocked read message dialog box, do the following:

Enable Content Aware Blocked Message: Enable or disable the display of the Content Aware blocked read message. Select the Enable Content Aware Blocked Message check box to enable the display of the message. Clear the Enable Content Aware Blocked Message check box to disable the display of the message.

Blocked Message Caption: Specify the text to display in the title bar of the message balloon. By default, the Blocked Message Caption text is as follows: DeviceLock Security Subsystem.

Blocked Message Text: Specify the text to display in the message balloon. By default, the Blocked Message Text for the Content A
clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you use the CTRL+X key combination to cut the rule, the rule will be cut only after you paste it. To perform a drag-and-drop operation, select the rule and move it to the user or group to which you want to apply the copied rule.

6. In the lower-left pane of the Content Aware Rules (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears.

7. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule, and then click OK. The users and groups that you added are displayed under Users in the lower-left pane of the Content Aware Rules (Offline) dialog box.

8. In the lower-left pane of the Content Aware Rules (Offline) dialog box, under Users, select the users or groups to which you want to apply the copied rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

9. In the lower-right pane of the Content Aware Rules (Offline) dialog box, right-click in the Rules pane and then click Paste. The copied rule is displayed under Rules in the lower-right pane of the Content Aware Rules (Offline) dialog box.

10. Click OK or Apply to apply the copied rule.

Exporting and Importing Offline Content
box.

10. Click OK or Apply to apply the copied rule.

Exporting and Importing Protocols White List

You can export all your current rules of the Protocols White List to a .pwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup.

To export the Protocols White List:

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   - Right-click White List and then click Save.
   OR
   - Select White List, and then click Save on the toolbar.
   OR
   - Expand White List, right-click any user or group specified in the white list, and then click Save.
   OR
   - Expand White List, select any user or group specified in the white list. In the details pane, right-click the white list rule, and then click Save.
   OR
   - Expand White List, select any use
box is unselected, all nested containers are ignored, and only computers located directly in the selected container are retrieved at the time of executing the task.

There are two modes to work with the directory service:

- Active Directory: You browse the Active Directory tree and select the needed container. While the Active Directory tree can also be displayed by choosing the LDAP option (see below), the Active Directory mode results in greater efficiency between the directory service and the DeviceLock Enterprise Server service, and thus resource savings. If you need to supply alternative credentials to access Active Directory, click the button to open the Credentials dialog box and specify the needed user account and its corresponding password.

  Note: If no alternative credentials are specified when accessing Active Directory, DeviceLock Enterprise Server uses the credentials of the account under which its service started. For more information, see the description of the Log on as parameter.

  Select the Synchronization check box to allow DeviceLock Enterprise Server to use the internal synchronization mechanisms provided by Active Directory. This will dramatically reduce the load on the domain controller and speed up the process of retrieving computers at the time of task execution.

  Note: Administrative access to Active Directory is required to use the synchronization function.

- LDAP: You browse the LDAP (Lightweight Directory Access Proto
locally accessible hard disk. DeviceLock Service protects this directory so regular users cannot access files inside it. Make sure that there is enough space to store the data: if the user copies 1GB to the flash drive, then you need approximately 2GB available in local storage.

Enable local storage quota: Enable this parameter to allow automatic cleanup of the locally stored (cached) data for shadowing and content analysis. When this parameter is enabled, you can also configure the Cleanup files older than (days) and Local storage quota parameters (see below).

Cleanup files older than (days): You can define the number of days that should pass before cached data for shadowing and content analysis can be automatically deleted from the local storage. Select the Cleanup Files Older Than check box and type or select the number of days to allow automatic cleanup.

Local storage quota: You can define a disk quota for cached data for shadowing and content analysis. Specify the maximum percentage (from 5 to 100) of free disk space that can be used by cached data in the Local Storage Quota parameter. If the quota is not used (i.e. the Enable local storage quota parameter is disabled), then
access control: You can control access to documents depending on their content. Thus you can block sensitive content leakage while allowing authorized employees to gain access to the information they need to collaborate.

- Content-based filtering of shadow data: You can specify that only data that contains sensitive information is shadow-copied and saved to the Shadow Log, thus reducing the volume of unnecessary log data and making the log files easier to work with.

- Expansive coverage of multiple file formats and data types: You can protect content for the following file formats and data types: Adobe Acrobat (.pdf), Adobe Framemaker MIF (.mif), Ami Pro (.sam), ANSI Text (.txt), ASCII Text, ASF media files (metadata only) (.asf), CSV (Comma-separated values) (.csv), DBF (.dbf), EBCDIC, EML files (emails saved by Outlook Express) (.eml), Enhanced Metafile Format (.emf), Eudora MBX message files (.mbx), Flash (.swf), GZIP (.gz), HTML (.htm, .html), JPEG (.jpg), Lotus 1-2-3 (.123, .wk), MBOX email archives (including Thunderbird) (.mbx), MHT archives (HTML archives saved by Internet Explorer) (.mht), MIME messages, MSG files (emails saved by Outlook) (.msg), Microsoft Access MDB files (.mdb, .accdb, including Access 2007 and Access 2010), Microsoft Document Imaging (.mdi), Microsoft Excel (.xls), Microsoft Excel 2003 XML (.xml), Microsoft Excel 2007 and 2010 (.xlsx), Microsoft Outlook/Exchange Messages, Notes, Contacts, Appointments
By default, the DeviceLock Service installation files will be copied to the %ProgramFiles%\DeviceLock Agent folder if this service doesn't exist on this system. If the service exists on the system but its version is lower than 7.0, the Install service plug-in will also copy the installation files to the default %ProgramFiles%\DeviceLock Agent folder. If the service exists on the system but its version is 7.0 or higher, the Install service plug-in will copy the installation files to the directory of the old files, and the old files will be replaced.

Installation via Group Policy

This step-by-step instruction describes how to use Group Policy to automatically distribute DeviceLock Service to client computers. DeviceLock Service can be deployed in an Active Directory domain using the Microsoft Software Installer (MSI) packages DeviceLock Service.msi and DeviceLock Service x64.msi.

Note: Microsoft Windows Group Policy automated program installation requires client computers that are running Windows 2000 or later.

If you use a custom MSI package with defined DeviceLock Service settings to deploy DeviceLock Service using Group Policy, these settings are not applied to client computers if any one of the following conditions is true:

- The default security is disabled on remotely running DeviceLock Services.
- The GPO applied to client computers has the Over
DeviceLock Service settings that you set via DeviceLock Management Console and DeviceLock Enterprise Manager take effect immediately.

2. Undefine: You can reset any parameter to the unconfigured state. All undefined parameters are ignored in this GPO. For more information, see Standard GPO Inheritance Rules.

(Screenshot: Group Policy Object Editor with the DeviceLock parameters shown in the Not Configured state and Undefine chosen from a parameter's context menu.)

Use Undefine from the context menu of any parameter to reset this parameter to the unconfigured state. Also, for some parameters you can use the intermediate state (gray) of the check box to make it unconfigured.

(Screenshot: Blocked Message dialog box with the Blocked Message Caption check box in the gray, intermediate state.)

3. Undefine entire policy: You can reset all parameters to the unconfigured state in one click. Selecting this has the same effect as resetting each parameter one by one (see above).
access attempts that were successful.
- Failure audit: specifies whether to filter device access attempts that failed.
- Name: the text that matches a value in the Audit Log Viewer's Name column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Source: the text that matches a value in the Audit Log Viewer's Source column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Action: the text that matches a value in the Audit Log Viewer's Action column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Information: the text that matches a value in the Audit Log Viewer's Information column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- User: the text that matches a value in the Audit Log Viewer's User column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Process: the text that matches a value in the Audit Log Viewer's Process column. This text is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- PID: the number that matches a value in the Audit Log Viewer's PID column. You can enter multiple values separated by
- Match any keyword(s): indicates that a rule associated with this content group is activated every time any of the specified keywords is found within text data.
- Match all keyword(s): indicates that a rule associated with this content group is activated every time all of the specified keywords are found within text data.
- Only when combined score exceeds or equal to threshold: indicates that a rule associated with this content group is activated every time the total number (sum) of occurrences of all found keywords within text data equals or exceeds the threshold number of occurrences of the keywords.

Threshold: Specify the threshold number of occurrences of the keywords. This number can range from 0 to 65535. This property requires a value if you selected the Only when combined score exceeds or equal to threshold option.

Keywords: Specify words and phrases that must occur within text data. Double-click under Keywords to enter a keyword or phrase.

Case Sensitive: Determine the case sensitivity of the keywords. Select the Case Sensitive check box to specify a case-sensitive comparison of the keywords (for example, the words "test" and "Test" will be treated as different keywords). Clear the Case Sensitive check box to specify a case-insensitive comparison of the keywords (for example, the words "test" and "Test" will be treated as the same keyword).

Whole Word: Specify keyword matching options. Select the Whole Word check box
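Added example, not DeviceLock code: a small evaluator for the two content group types discussed above, a Keywords group with the match any / match all / combined score modes plus the Case Sensitive and Whole Word options, and a Pattern (regular expression) group whose rule fires on a match-count condition. The card-number pattern, the LUHN post-check and the sample text are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example, not DeviceLock code: models a Keywords content group and a
# Pattern content group as described in the manual, so the effect of each
# option (mode, threshold, case, whole word, count condition) can be checked.


def luhn_ok(candidate: str) -> bool:
    """LUHN checksum over the digits of a candidate card number (assumed post-check)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


@dataclass
class KeywordsGroup:
    keywords: List[str]
    mode: str = "any"          # "any", "all" or "score"
    threshold: int = 0         # only used for mode "score"; 0..65535 as in the dialog
    case_sensitive: bool = False
    whole_word: bool = False

    def occurrences(self, keyword: str, text: str) -> int:
        """Count matches of one keyword under the group's Case/Whole Word settings."""
        flags = 0 if self.case_sensitive else re.IGNORECASE
        pattern = re.escape(keyword)
        if self.whole_word:
            # no word character directly before or after the keyword
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"
        return len(re.findall(pattern, text, flags))

    def fires(self, text: str) -> bool:
        counts = [self.occurrences(k, text) for k in self.keywords]
        if self.mode == "any":
            return any(c > 0 for c in counts)
        if self.mode == "all":
            return all(c > 0 for c in counts)
        if self.mode == "score":
            # combined score = sum of occurrences of all keywords found
            return sum(counts) >= self.threshold
        raise ValueError(f"unknown match mode {self.mode!r}")


@dataclass
class PatternGroup:
    pattern: str
    condition: str = "ge"      # "le": <= number, "eq": == number, "ge": >= number
    number: int = 1
    validator: Optional[Callable[[str], bool]] = None   # e.g. luhn_ok

    def match_count(self, text: str) -> int:
        matches = re.findall(self.pattern, text)
        if self.validator is not None:
            matches = [m for m in matches if self.validator(m)]
        return len(matches)

    def fires(self, text: str) -> bool:
        n = self.match_count(text)
        if self.condition == "le":
            return n <= self.number
        if self.condition == "eq":
            return n == self.number
        if self.condition == "ge":
            return n >= self.number
        raise ValueError(f"unknown condition {self.condition!r}")


# Constructed 16-digit card pattern (groups of four, optional space or dash).
CARD_RE = r"\b(?:\d{4}[ -]?){3}\d{4}\b"

# Constructed sample text: one LUHN-valid test number and one that fails the check.
SAMPLE = ("Invoice for test account. Card 4111 1111 1111 1111, "
          "backup card 4111 1111 1111 1112. Contest results attached.")

if __name__ == "__main__":
    kw = KeywordsGroup(["test", "invoice"], mode="all")
    print("keywords (all, case-insensitive):", kw.fires(SAMPLE))
    cards = PatternGroup(CARD_RE, "ge", 2, validator=luhn_ok)
    print("valid card numbers found:", cards.match_count(SAMPLE))
```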
uncheck Access control for serial modems. To disable locking of virtual (software-emulated) CD-ROMs on Windows 2000 and later systems, uncheck Access control for virtual CD-ROMs. To disable control of virtual printers (those which print to files) on Windows 2000 and later systems, uncheck Access control for virtual printers. To allow access control for copy/paste clipboard operations between different applications, select the Access control for inter-application copy/paste clipboard operations check box. Otherwise, even if the clipboard is locked, access control for copy/paste operations between different applications is disabled. To disable FireWire controllers when the Everyone account has No Access permissions for the FireWire port device type, select the Block FireWire controller if access is denied check box.

Click OK to apply changes. Click Skip if you prefer to wait until after installation to set permissions to these devices using the DeviceLock management consoles.

As soon as Setup has installed DeviceLock, it suggests that you point your default Internet browser to the DeviceLock Web site.

(Screenshot: DeviceLock Setup, Installation Wizard Completed page, with the Open DeviceLock home page check box.)

Clear the Open DeviceLock home page check box if you do not want to visit th
licenses are optional. If a basic license is missing or invalid, DeviceLock runs in a trial mode only. The number of NetworkLock and/or ContentLock licenses must equal or exceed the number of basic DeviceLock licenses. The trial period for ContentLock and NetworkLock is 30 days.

Recommended Basic Security Measures

Following is a series of basic security rules that should be met for computers that you want to install in a corporate network.

Change the boot sequence. The hard disk must be the first boot device. Change the boot sequence in the BIOS so that the computer does not boot from the floppy, USB drive or CD-ROM. If the hard disk is not the first boot device, someone can use a bootable CD or USB flash drive to directly access the hard disk drive.

Protect the BIOS with a password. The password should be set in the BIOS so only an authorized person can make changes there. If the BIOS is not password-protected, someone can change the boot sequence and use a bootable CD, floppy or USB flash drive (see above).

Seal computer cases and chassis. Protect the hardware with a seal. Otherwise it is possible to plug an external boot device directly into the computer and access the hard disk. Moreover, if someone can physically access the motherboard, it is very easy to locate the CMOS reset jumper and clear the BIOS password (see above).

Do not give administrative rights to regular users. Regular local users should not be member
DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Content Aware Rules and then click Manage.
   OR
   - Select Content Aware Rules, and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.

(Screenshot: Content Aware Rules dialog box with the Content Database pane listing Pattern, Keywords and File Type Detection groups.)

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click File Type Detection. The Add File Type Detection Group dialog box appears.

(Screenshot: Add File Type Detection Group dialog box with Find, Find Previous and Filter controls and a list of file types with their extensions and descriptions.)
DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Select Service Options. When you select Service Options in the console tree, they are displayed in the details pane.
3. In the details pane, do one of the following:
   - Right-click Offline mode detection and then click Properties.
   OR
   - Double-click Offline mode detection.
   The Offline Mode Detection dialog box appears.

(Screenshot: Offline Mode Detection dialog box with the Computer Name field and the Server connectivity, Domain connectivity and Wired connectivity mode options.)

4. In the Offline Mode Detection dialog box, click any of the following options:

Options: Server connectivity, Domain connectivity.

Server connectivity: Indicates that the connection state of a client computer is determined by whether or not it can connect to the specified DeviceLock Enterprise Server. Thus, a client computer works in online mode if it can connect to any of the specified DeviceLock Enterprise Servers and send them audit and shadow logs. A client computer works in offline mode if it cannot authenticate with any of the specified DeviceLock Ent
locked, modems continue to function as usual, and audit is not performed for these devices.

- Access control for virtual CD-ROMs: if enabled, allows DeviceLock Service to audit and control access to virtual (software-emulated) CD-ROMs. Otherwise, even if the CD-ROM device is locked, virtual drives continue to function as usual, and audit is not performed for these devices. This parameter is effective only for Windows 2000 and later systems.
- Access control for virtual printers: if enabled, allows DeviceLock Service to audit and control access to virtual printers, which do not send documents to real devices but instead print to files (for example, PDF converters). Otherwise, even if the physical printer is locked, virtual printers continue to print as usual, and audit is not performed for them. This parameter is effective only for Windows 2000 and later systems.
- Access control for inter-application copy/paste clipboard operations: if enabled, allows DeviceLock Service to audit and control access to copy/paste operations between different applications. Otherwise, even if the clipboard is locked, access control for copy/paste operations between different applications is disabled, and audit is not performed for them.
- Block FireWire controller if access is denied: if enabled, allows DeviceLock Service to disable FireWire controllers when the Everyone account has No Access permissions for the FireWire port device ty
click any of the following options:

- Not specified: this option is selected by default.
- Equal to: indicates that the file(s) must have a size that is equal to the size you specify.
- Less than: indicates that the file(s) must have a size that is less than the size you specify.
- More than: indicates that the file(s) must have a size that is more than the size you specify.
- Between: indicates that the file size must fall within the specified range.

Detect and control access to password-protected archives, PDF files and Microsoft Office documents (.doc, .xls, .ppt, .docx, .xlsx, .pptx). If you select the Password protected check box for a Document Properties group and then create a Content Aware Rule based on this content group, this rule will control access to password-protected archives, PDF files and Microsoft Office documents. Clear the Password protected check box if you do not want to detect and control access to password-protected archives, PDF files and Microsoft Office documents. For information on the supported archive formats, see the description of the Inspection of files within archives feature.

Control access to unsupported file formats. If you select the Text extraction not supported check box for a Document Properties group and then create a Content Aware Rule based on this content group, this rule will control access to all files in an unsupported format. All supported file formats are listed in the Extending De
(Screenshot: permissions report tree listing device types such as CD-ROM, USB port, IEEE 1394 port and Bluetooth with the accounts, access rights and allowed time for each, the Security Settings state, and USB White List entries.)

The comparison is very simple and effective:

1. If the Ignore domains check box is cleared, the program enumerates network domains in the two selected files and tries to find each domain in both the older file and the recent file.
   - If the domain exists in the older file but does not exist in the recent file, DeviceLock Enterprise Manager inserts the missing domain, along with all the computers contained in that domain as well as the information in those computers, into the comparison result, and then writes all those records in red.
   - If the domain does not exist in the older file but exists in the recent file, DeviceLock Enterprise Manager inserts the missing domain, along with all the computers contained in that domain as well as the information in those computers, into the comparison result, and then writes all those records in green.
   - If the domain exists in both files, DeviceLock Enterprise Manager enumerates all the computers the domain
Protocol) tree and select the needed container. To configure a connection to the LDAP server, click the button and open the LDAP Settings dialog box.

(Screenshot: LDAP Settings dialog box with the Host, Port, Base DN, User DN and Password fields.)

Host: the name or the IP address of the LDAP server to connect to.

Port: the TCP port on which the LDAP server accepts connections. The default port is 389.

Base DN: the starting point for you to browse the directory tree. You must use the LDAP string representation for distinguished names, for example: cn=ga,o=SMARTLINE,c=US. Leave the Base DN box blank to start browsing from the root. By clicking the Fetch button, you can get all the published naming contexts.

User DN: the distinguished name (DN) of the directory user that allows connection to the directory. You must use the LDAP string representation for distinguished names, for example: cn=admin,o=SMARTLINE,c=US.

Note: If no user is specified when accessing the LDAP server, DeviceLock Enterprise Server uses the credentials of the account under which its service started. For more information, see the description of the Log on as parameter.

Password: the user's password.

Network discovery methods: types of network scanning that will be used to determine the status (available or unavailable) of monitored computers. Upon executing the task, DeviceLock Ent
compare process.

(Screenshot: Select Columns To Compare page with the Included columns and Excluded columns lists.)

DeviceLock Enterprise Manager compares only those columns which you have selected. If you need to exclude one column from the compare process, you have to move it from the Included columns list to the Excluded columns list. Excluded columns will be visible in the compare result, but the values they contain are ignored and do not affect the compare result.

By default, the compare result contains only records which are different in the two files being compared. If you would like to see all of the records (even unchanged records), you can clear the Show changes only check box.

To include names of the network domains in the compare process, you can clear the Ignore domains check box. When the Ignore domains check box is selected, DeviceLock Enterprise Manager ignores domains and only compares computers and the information those computers contain.

The third and final step is to start the compare process. Press the Finish button to compare the two selected files with each other. DeviceLock Enterprise Manager displays the compare result in a separate window in the form of a tree, exactly as it displays information received from a plug-in.

(Screenshot: Report Permissions/Auditing compare results window, showing a domain tree with the computers ACER_LAPTOP and FUJITSU_LAPTOP, their Windows XP entries and their Permissions.)
contain text. If you select the Contains text check box for a Document Properties group and then create a complex Content Aware Rule based on this content group and the built-in Images, CAD & Drawing content group (File Type Detection), combined by the AND operator, this rule will check whether supported image files contain text and control access to text images. Clear the Contains text check box if you do not want to detect and control access to text images. For information on the supported image files, see the description of the Text in picture detection feature.

If you select the Contains text check box, specify the amount of text that images must contain. The amount of text is expressed as a percentage of the total image area. For example, if text occupies 1/2 of the image, the amount of text makes 50%. If an image contains only text, the amount of text is 100%.

Note: The Contains text option also applies to other supported file formats. In this case, the percentage means the ratio of the text size (in characters) to file size (in bytes).

Specify the name of the process accessing the document's file. You can use wildcards such as asterisks and question marks. Multiple process names must be separated by a semicolon, for example: explorer.exe; notepad.exe.

6. Click OK to close the Add Document Properties Group dialog box. The new content group you created is added to the existing list of content groups under Content Dat
contains (see below).

2. If the Ignore domains check box is selected, DeviceLock Enterprise Manager ignores domains and enumerates all the computers in the two selected files and tries to find each computer in both the older and recent files.
   - If the computer exists in the older file but does not exist in the recent file, DeviceLock Enterprise Manager inserts the missing computer, with all the information it contains, into the compare result and writes all these records in red.
   - If the computer does not exist in the older file but exists in the recent file, DeviceLock Enterprise Manager inserts the missing computer, with all the information it contains, into the compare result and writes all these records in green.
   - If the computer exists in both files, DeviceLock Enterprise Manager enumerates all the information it contains (see below).

DeviceLock Enterprise Manager enumerates all information for a computer and tries to find each record in both the older and the recent file.
   - If the record exists in the older file but does not exist in the recent file, DeviceLock Enterprise Manager inserts the missing record into the compare result and writes it in red.
   - If the record does not exist in the older file but exists in the recent file, DeviceLock Enterprise Manager inserts the missing record into the compare result and writes it in green.
   - If the record exists in both files, DeviceLock Enterprise Manager starts comparing e
content inspection on write.

Note: If this option is disabled, inspection of images embedded in PDF files, RTF and Microsoft Office documents is also not performed.

Offline mode detection: Use this option to configure offline mode detection settings. You can define the network characteristics that DeviceLock uses to detect its connection state (whether it is online or offline). By default, DeviceLock works in offline mode when the network cable is not connected to the client computer.

To configure offline mode detection settings, right-click Offline mode detection and then click Properties, or double-click Offline mode detection.

(Screenshot: Offline Mode Detection dialog box with the Computer Name field and the Server connectivity, Domain connectivity and Wired connectivity mode options.)

You can choose any of the following options:

Options: Server connectivity, Domain connectivity.

Server connectivity: Indicates that the connection state of a client computer is determined by whether or not it can connect to the specified DeviceLock Enterprise Server. Thus, a client computer works in online mode if it can connect to any of the specified DeviceLock Enterprise Servers and send them audit and shadow logs. A client computer works in offline mode if it cannot authenticate with any of the specified DeviceLock Enterprise Servers, or all of the specified DeviceLock Enterprise Servers become unavailable at the same time.
[Screenshot: DeviceLock Management Console, Devices > Security Settings. The details pane lists the access control settings (USB HID, USB printers, USB scanners and still image devices, USB Bluetooth adapters, USB storage devices, USB network cards, serial modems, virtual CD/DVD-ROMs, FireWire storage devices, virtual printers, Clipboard data within one process and so on), each shown as Not Configured.]

These security parameters enable you to keep some device types completely locked but allow the use of certain device classes without the need to authorize every device in the white list. For example, you can disallow all USB devices except the mouse and keyboard devices that connect through USB.

DeviceLock supports these additional security parameters:
- Access control for USB HID: if enabled, allows DeviceLock Service to audit and control access to Human Interface Devices (mouse, keyboard and so on) plugged into the USB port. Otherwise, even if the USB port is locked, Human
cord.
6. Select the unique device's record in the USB Devices Database list and then click the Add button below this list. If there are no devices in the USB Devices Database list, click the USB Devices Database button below this list and add devices as described in the USB Devices Database section of this manual. When you finish adding devices to the database, click OK to save the database and close the USB Devices Database dialog box.
7. Click OK to apply the white list settings and close the USB Devices White List dialog box, click OK to apply the changes and close the Permissions dialog box, and then click Yes to confirm that you really want to deny all users access to the USB port.

For all users, all CD and DVD drives are set to read-only mode, but members of the Administrators group can burn (write) CDs and DVDs:
1. Select the DVD/CD-ROM record from the list of device types under Permissions, and then select Set Permissions from the context menu (right-click).

[Screenshot: DeviceLock Management Console, DeviceLock Service > Devices > Permissions, DVD/CD-ROM context menu with Set Permissions]
crypted permissions to storage devices encrypted by it, disable Integration under the product's section in the management console. For more information on encrypted permissions, read the Permissions section of this manual.

Note: DeviceLock does not ship with third-party encryption products and does not require them for its own functioning. The integrated functioning of DeviceLock and a third-party encryption product works only when the third-party product is properly installed, configured and running on the same computer where DeviceLock Service is running.

Devices

The configuration parameters available under this item give you access to the main functions of DeviceLock: permissions, auditing, shadowing, white lists and so on.

[Screenshot: DeviceLock Management Console, DeviceLock Service (Local) > Devices, showing Permissions, Auditing & Shadowing, USB Devices White List, Media White List, Content-Aware Rules and Security Settings; the Devices context menu with Display Available Devices Only, Export List and Help; status bar: Local Policy is enabled for this machine, Regular Profile, Local Computer]

Use the context menu (right-click the Devices item) to access the Display Available Devices Only flag. If i
ct any user or group specified in the white list. In the details pane, right-click the white-listed medium and then click Save.
OR
Right-click Media White List and then click Manage Offline. In the lower right pane of the Media White List (Offline) dialog box, under Media, click Save.
The Save As dialog box appears.
4. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .mwl file.
5. In the File name box, type the file name you want.
6. Click Save.
When you export the offline Media White List, it is saved in a file with a .mwl extension.

To import the offline Media White List
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Media White List and then click Load Offline.
   OR
   - Select Media White List and then click Load Of
[Screenshot: DeviceLock Management Console tree with Devices (Permissions, Auditing & Shadowing, USB Devices White List, Media White List, Content-Aware Rules, Security Settings), Protocols, Audit Log Viewer, Shadow Log Viewer, DeviceLock Enterprise Server and DeviceLock Content Security Server; the details pane lists device types (Bluetooth, Clipboard, Floppy, Printer, Serial port, USB port, WiFi, Windows Mobile and so on).]

There is not much difference between setting up permissions and defining audit and shadowing rules, so read the Permissions section of this manual first.

DeviceLock Service can use the standard Windows event logging subsystem to log device information. This is extremely useful for system administrators because they can use any event log reading software to view the DeviceLock audit log; you can use the standard Event Viewer, for example. DeviceLock Service can also use its own protected, proprietary log. The data from this log is sent to DeviceLock Enterprise Server and stored centrally in the database. To define which log is used, set the Audit log type parameter in Service Options.

DeviceLock Management Console has its own built-in audit log viewer that presents the information from the event log in a more convenient form. For more information, see Audit Log Viewer (Service). To view the audit log stored on DeviceLock Enterprise Server, use the server's audit log viewer. Also, there is an exte
curity numbers, e-mail addresses and phone numbers within text data. For more information on creating and using Perl regular expressions, refer to the Perl regular expressions quick start tutorial and the Perl regular expressions tutorial.

DeviceLock includes 45 predefined (built-in) Pattern groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create editable copies (duplicates) of them, or create your own content groups to suit your organization's needs. The following table lists these predefined content groups.

BUILT-IN PATTERN GROUPS

First column:
- ABA Routing Number
- BIC (ISO 9362)
- Canadian Social Insurance Number
- Credit Card Number
- Email Address
- European VAT Number
- GPS Data (RMC String)
- IBAN
- International Telephone Number
- IP Address
- ISO Date
- MAC Address
- Microsoft Windows Product Key
- Russian Address
- Russian Auto Insurance Number
- Russian Bank Account Number
- R

Second column:
- Russian Main State Registration Number
- Russian Motorcycle Numbers
- Russian Passport
- Russian Pension Insurance Number
- Russian Post Code
- Russian Taxpayer Identification Number
- Russian Telephone Number
- Russian Trailer Numbers
- Russian Vehicle Registration Document
- SQL Queries
- TCP/UDP Port Number
- Time (12/24h)
- UK National Insurance Number
- UK Phone Number
- UK Post Code
- UK Tax Code
d. The Select Users or Groups dialog box appears.

In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper left pane of the Auditing & Shadowing (Offline) dialog box.

In the upper left pane of the Auditing & Shadowing (Offline) dialog box, under Users, select the user or group. You can select multiple users and/or groups by holding down the SHIFT key or the CTRL key while clicking them.

In the lower left pane of the Auditing & Shadowing (Offline) dialog box, under User's Rights, select or clear the Allow check box next to the appropriate audit and shadowing rights. Audit and shadowing rights determine which user actions on protocols are logged to the Audit and/or Shadow Log.

In the right pane of the Auditing & Shadowing (Offline) dialog box, you can specify the days and hours (for example, from 7 AM to 5 PM, Monday through Friday) when the selected user's actions on protocols will be logged to either the Audit or the Shadow Log. Use the left mouse button to select the days and hours when the selected user's actions on protocols will be logged. Use the right mouse button to mark the days and hours when the selected user's actions on protocols will not be logged.

In the upper left pane of the dialog box, under Users, select the user or group. In the lower left pane of t
d: this status means that the monitored computer is working and DeviceLock Service is running on it, but the policy verification process has failed. This happens when the master policy assigned to a task differs from the policy on the monitored DeviceLock Service. The computer's icon is a green computer with an exclamation mark.
5. Unresolved computer address: this status means that DeviceLock Enterprise Server is unable to resolve the name/address of the computer. This happens when an invalid computer name, one that does not exist in DNS, is specified. It can also happen because there is no DNS server. In this case, the Unresolved computer address status should be treated as Computer is unavailable. The computer's icon is a red computer with an exclamation mark.
6. Unsupported service version: this status means that DeviceLock Enterprise Server is trying to download a policy (service settings) from DeviceLock Service version 6.2 or lower. Policy verification is supported only for version 6.2.1 and later. The computer's icon is a green computer with an exclamation mark.
7. Access is denied: this status means that DeviceLock Enterprise Server is unable to connect to DeviceLock Service due to a lack of privileges. It happens when the account under which the DeviceLock Enterprise Server service starts has no rights to connect to DeviceLock Service. The computer's icon is a green computer with an exclamation mark.
F
[Screenshot: Content-Aware Rules (Offline) dialog box. The Content Database pane lists the built-in Keyword, Pattern and File Type Detection content groups with a Show All Types filter; the Users pane is below it.]

In the lower left pane of the Content-Aware Rules (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears.

In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the rule, and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content-Aware Rules (Offline) dialog box.

To delete a user or group, in the lower left pane of the Content-Aware Rules (Offline) dialog box, under Users, select the user or group and then click Delete or press the DELETE key.

In the lower left pane of the Content-Aware Rules (Offline) dialog box, under Users, select the users or groups for which you want to define the rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

In the upper pane of the Content-Aware Rules (Offline) dialog box, under Content Database, select the desired content group and then click Add.

Note: You can specify only one content group for a Content-Aware Rule.

The Add Rule dialog box appears.

[Screenshot: Add Rule dialog box]
d content
- allows creation, deletion and renaming of empty folders and zero-byte (0) files
- denies access to a device
- denies read and write access to all but specified content
- allows creation, deletion and renaming of empty folders and zero-byte (0) files
- denies access to a device
- denies read access to all but specified content
- denies write access to all content
- denies creation and

ALLOW READ / DENY WRITE (device type level)
- allows read access to all content
- denies creation, deletion and renaming of empty folders and zero-byte (0) files
- denies read access to specified content
- denies creation, deletion and renaming of empty folders and zero-byte (0) files
- denies write access to all but specified content
- allows creation, deletion and renaming of empty folders and zero-byte (0) files
- denies write access to all content
- denies creation, deletion and renaming of empty folders and zero-byte (0) files
- allows read access to all content
- denies write access to all but specified content
- allows creation, deletion and renaming of empty folders and zero-byte (0) files
- denies read access to specified content
- denies write access to all content
- denies creation, deletion and renaming of empty folders and zero-byte (0) files
- allows read access to all content
- denies write access to all content
- denies creation, deletion and renaming
d Service Settings to open the XML file with the defined offline DeviceLock policies. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following: open Group Policy Object Editor; in the console tree, expand Computer Configuration and then expand DeviceLock.
Expand Protocols.
Under Protocols, do one of the following:
- Select Security Settings. In the details pane, right-click the Security Setting and then click Undefine. When you select Security Settings in the console tree, they are displayed in the details pane.
OR
- Right-click Security Settings and then click Manage Offline. In the Security Settings (Offline) dialog box that opens, return the appropriate check box to the indeterminate state and then click OK.
To open the Security Settings (Offline) dialog box, you can also select Security Settings and then click Manage Offline on the toolbar.

Note: All check boxes in the Security Settings (Offline) dialog box have three states: selected, cleared and indeterminate. They correspond to the Enabled, Disabled and Not Configured states of Security Settings.

The Security Setting changes its offline state to Not Configured.

Removing Offline Security Settings

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance
d messages, comments, posts, etc.
  Generic: Outgoing Files. The right to upload media and file content to a social networking site.

Telnet
  Generic: Send/Receive Data. The right to connect to a Telnet server and to send and receive protocol data.

Web Mail
  Generic: Send/Receive Data. The right to access Webmail and read e-mail.
  Generic: Outgoing Messages. The right to send e-mail messages without attachments.
  Generic: Outgoing Files. The right to send e-mail attachments.
  SSL: Send/Receive Data. The right to access Webmail and read e-mail using SSL.
  SSL: Outgoing Messages. The right to send e-mail messages without attachments using SSL.
  SSL: Outgoing Files. The right to send e-mail attachments using SSL.

Windows Messenger
  Generic: Send/Receive Data. The right to connect to the Windows Messenger server.
  Generic: Outgoing Messages. The right to send instant messages. It does not control file transfers.

Yahoo Messenger
  Generic: Send/Receive Data. The right to connect to the Yahoo Messenger server.
  Generic: Outgoing Messages. The right to send instant messages. It does not control file transfers.

Note: You can define different online vs. offline permissions on protocols for the same user or set of users. Online permissions (Regular Profile) apply to client computers that are working online. Offline permissions (Offline Profile) apply to client computers that are working offline. By
d number.
- Equal to: a rule associated with this content group is activated every time the number of matches returned by the regular expression is equal to the specified number.
- Greater than or equal to: a rule associated with this content group is activated every time the number of matches returned by the regular expression is greater than or equal to the specified number.
- Between: a rule associated with this content group is activated every time the number of matches returned by the regular expression is within the specified range.

You can quickly test your regular expression pattern on sample data: click Advanced to display or hide the Test sample box, enter a test string and view the result. DeviceLock supports real-time color highlighting of test results: all matches are highlighted in green, while strings that do not match the pattern are highlighted in red.

6. Click OK to close the Add Pattern Group dialog box.

The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Document Properties Content Groups

Document Properties groups are used to control access to files based on file properties such as file name, size, etc. You can also use a Document Properties content group to control access to password-protected documents and archives, as
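An added example in Python (not DeviceLock code) that ties together the built-in Pattern groups listed earlier and the match-count conditions and Test sample highlighting described just above. The four regular expressions are this example's own approximations of the Email Address, IP Address, MAC Address and Credit Card Number groups; DeviceLock's actual patterns are not given on this page. The credit-card pattern is followed by a Luhn check, which a plain regular expression cannot express, to show why a validation step is worth having. The SAMPLE text is constructed, and the "Less than" condition is assumed alongside the three conditions the manual names.

```python
"""Added example (not DeviceLock code): a pattern-group evaluator with
match-count conditions and the green/red test-sample view."""
import re

# Approximations of four built-in groups (assumption: not DeviceLock's own patterns).
PATTERN_GROUPS = {
    "Email Address": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Dotted-quad IPv4; lookarounds stop "999.1.1.1" from matching as "1.1.1.1".
    "IP Address": re.compile(
        r"(?<![\w.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\w.])"),
    "MAC Address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    # 13 to 19 digits, each optionally followed by a space or dash.
    "Credit Card Number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Extra validation applied after the regex for groups that need it.
VALIDATORS = {"Credit Card Number": luhn_ok}


def find_matches(group, text):
    """All validated matches of a pattern group in text, in order."""
    rx = PATTERN_GROUPS[group]
    check = VALIDATORS.get(group, lambda s: True)
    return [m.group(0) for m in rx.finditer(text) if check(m.group(0))]


def rule_triggers(group, text, condition, n, m=None):
    """Apply the match-count condition from the Add Pattern Group dialog."""
    count = len(find_matches(group, text))
    if condition == "Less than":                 # assumed fourth option
        return count < n
    if condition == "Equal to":
        return count == n
    if condition == "Greater than or equal to":
        return count >= n
    if condition == "Between":
        return n <= count <= m
    raise ValueError(f"unknown condition {condition!r}")


def highlight(group, text):
    """Split text into ('match' | 'nomatch', segment) pairs: the green/red
    view of the Test sample box. Segments concatenate back to text."""
    rx = PATTERN_GROUPS[group]
    check = VALIDATORS.get(group, lambda s: True)
    out, pos = [], 0
    for mt in rx.finditer(text):
        if not check(mt.group(0)):
            continue                              # fails validation: stays red
        if mt.start() > pos:
            out.append(("nomatch", text[pos:mt.start()]))
        out.append(("match", mt.group(0)))
        pos = mt.end()
    if pos < len(text):
        out.append(("nomatch", text[pos:]))
    return out


# Constructed sample text for the Test sample box.
SAMPLE = ("Contact alice@example.com or bob@example.org from 10.0.0.7; "
          "card 4111 1111 1111 1111 is valid, 4111 1111 1111 1112 is not, "
          "NIC 00:1A:2B:3C:4D:5E, host 999.1.1.1 is not an IP")

if __name__ == "__main__":
    for g in PATTERN_GROUPS:
        print(g, find_matches(g, SAMPLE))
    print(rule_triggers("Email Address", SAMPLE, "Greater than or equal to", 2))
```

The second card number in SAMPLE matches the regular expression but fails the Luhn check, so a rule keyed on Credit Card Number with "Greater than or equal to 2" does not fire; without the validator it would, which is the kind of false positive that shows up when a group is tested against real data in the Test sample box.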
d select the license file. You can load several license files in series, one by one. The trial period for DeviceLock Content Security Server is 30 days. Click Finish to close the wizard and continue the installation process.

Next, on the Installation Wizard Completed page, click Finish to complete the installation. On this page you have the option to go to the DeviceLock Content Security Server home page. This option is selected by default.

Note: To uninstall DeviceLock Content Security Server, do one of the following:
- Use Add or Remove Programs in Control Panel to remove DeviceLock Content Security Server.
OR
- Click Start, point to All Programs, point to DeviceLock, and then click Remove DeviceLock Content Security Server.

DeviceLock Certificates

Overview

A DeviceLock Certificate is a cryptographic certificate that consists of two keys, the key pair (private and public):
- The private key must be stored on the administrator's computer, and only the administrator must be able to access it. The private key may also be installed on DeviceLock Enterprise Server and DeviceLock Content Security Server.
  Note: Make sure that non-administrative users cannot get access to the private key.
- The public key is installed on every computer where DeviceLock Service is running. If the public key has not been preinstalled on the user's computer, there is no way to use the Temporary White List function or
d shadowing rules. In the details pane, you can also view the current state of offline rules for each protocol in the Offline column.
4. In the details pane, right-click the protocol for which you want to undefine offline audit and shadowing rules, and then click Undefine Offline.
   You can undefine audit and shadowing rules defined for several protocols at the same time. To do this:
   a. In the details pane, select several protocols by holding down the SHIFT key or the CTRL key while clicking them.
   b. Right-click the selection and then click Undefine Offline.
The offline state of the audit and shadowing rules changes to Not Configured.

Removing Offline Audit and Shadowing Rules

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of higher-level offline audit and shadowing rules and enforce regular audit and shadowing rules on specific lower-level groups of client computers. To enforce regular audit and shadowing rules, you must remove the offline audit and shadowing rules.

To remove offline audit and shadowing rules
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
default, see Managing Audit and Shadowing Rules for Protocols.

In the upper left area of the dialog box, specify which events are written to the audit log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol.

In the upper left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears.

In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper left pane of the Auditing & Shadowing dialog box.

In the upper left pane of the Auditing & Shadowing dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

In the lower left pane of the Auditing & Shadowing dialog box, under User's Rights, select or clear the Allow check box next to the appropriate rights.

In the right pane of the Auditing & Shadowing dialog box, you can specify the days and hours (for example, from 7 AM to 5 PM, Monday through Friday) when the rule for the selected user or group will or will not be active. Use the left mouse button to select the days and hours when the rule is active (audit time). Use the right mouse button to mark days
dentify a specific DVD/CD-ROM disk by its data signature and authorize read access to it even when DeviceLock Service has otherwise blocked DVD/CD-ROM drives.

[Screenshot: DeviceLock Management Console, DeviceLock Service > Devices > Media White List, with the context menu: Delete User, Manage, Load, Save, Media Database, View, Help]

The media white list can be configured to grant certain users and groups access to a collection of approved DVD/CD-ROM disks, so that only authorized users are able to use the approved information. Any change to the content of the media changes its data signature and thus invalidates the authorization. If the user copies the authorized media without any change to the original content (a byte-to-byte copy), the copy is accepted as the authorized media.

Note: Access to white-listed media can be granted only at the DVD/CD-ROM type level. If the DVD/CD drive plugs into a port (USB or FireWire) and access to that port is denied, then access to the white-listed media is denied too.

Two steps are required to authorize media:
1. Add the media to the media database, making it available for adding to the white list.
2. Add the media to the white list for t
der Protocols, do one of the following:
- Select Security Settings. In the details pane, right-click the Security Setting and then click Enable Offline or Disable Offline. When you select Security Settings in the console tree, they are displayed in the details pane.
OR
- Right-click Security Settings and then click Manage Offline. In the Security Settings (Offline) dialog box that opens, select or clear the appropriate check box and then click OK.
To open the Security Settings (Offline) dialog box, you can also select Security Settings and then click Manage Offline on the toolbar.

Note: All check boxes in the Security Settings (Offline) dialog box have three states: selected, cleared and indeterminate. They correspond to the Enabled, Disabled and Not Configured states of Security Settings.

The Security Setting changes its offline state from Not Configured to Enabled or Disabled.

Undefining Offline Security Settings

You can return previously defined offline Security Settings to the unconfigured state. If offline Security Settings are undefined, regular Security Settings are applied to offline client computers.

To undefine offline Security Settings
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, right-click DeviceLock Settings or DeviceLock Service and then click Loa
der Server Options, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click Index directory, or right-click Index directory and then click Properties. The Index Directory dialog box appears.

[Index Directory dialog box: Computer Name: Local Computer; Index Directory: C:\Program Files\DeviceLock Content Security Server\index; Create New Index check box]

4. In the Index Directory dialog box, in the Index Directory box, type the path that you want to use as your default index location.
5. If you want to create a new index immediately, select the Create New Index check box. If an index already exists at the specified location and you choose to create a new one, the following message box is displayed:

   DeviceLock: Do you want to create the new index and overwrite the existing one? Yes (Overwrite) / No (Append)

   In the message box, click Yes to completely rebuild the full-text index immediately. Click No to update the existing full-text index with the changes immediately.
Click OK.

Task: Allow or disallow the index to include textual information from binary data

You can allow or disallow the index to include textual information extracted from binary data.

To enable or disable the extraction of text from binary data
1. In the console tree, expand DeviceLock Content Security Server
dialog box, under Content Database, select the custom group you want to edit or delete.
Click Edit Group to modify the selected content group. In the dialog box that opens, make the required changes and then click OK.
OR
Click Delete Group, or press the DELETE key, to delete the selected content group.
In the Content-Aware Rules dialog box, click OK or Apply to apply the changes.

Testing Content Groups

You can test any built-in or custom content group to see whether specified files match it. By using these tests you can verify that the rules created from the content groups meet your specific business requirements.

To test a content group
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   - Right-click Content-Aware Rules and then click Manage.
   OR
   - Select Content-Aware Rules and then click Manage on the toolbar.
The Content-Aware Rules
dify anything, or remove or update DeviceLock Service.

Note: We strongly recommend that the accounts included in this list have local administrator privileges, because in some instances installing, updating and uninstalling DeviceLock Service requires access rights to the Windows Service Control Manager (SCM) and to shared network resources.

Here is one example of how to properly define a DeviceLock Administrators list: add the Domain Admins group with Full access rights. Because Domain Admins is a member of the local Administrators group on every computer in the domain, all members of Domain Admins have full access to DeviceLock Service on every computer. However, other members of the local Administrators group are not able to administer DeviceLock Service or disable it.

Also, by selecting the Enable Unhook Protection check box, you can turn on optional protection against anti-rootkit techniques that could be used to intentionally disable DeviceLock Service. When this protection is turned on, the DeviceLock driver checks the integrity of its own code. If a violation is found, DeviceLock causes Windows to stop with a fatal error (BSOD).

Note: Some antivirus, firewall and other low-level third-party software may conflict with the unhook protection and cause fatal errors (BSOD). We recommend that you enable this protection only on systems where it has been tested beforehand.

Auditing & Shadowing

These paramete
displayed in the list. To open the Filter dialog box, use Filter from the context menu of Server Log Viewer or press the appropriate button on the toolbar.

[Filter dialog box: Include and Exclude tabs; Event types: Success, Information, Warning, Error; Information; Server; Event ID: 16; From: First Record; To: Last Record; Enable filter check box]

There are no big differences between defining an Audit Log Filter and a Server Log Filter, so for more information see Audit Log Filter (Service).

When the filter is active, you can define its condition by entering values into the following fields:
- Success: specifies whether to filter events of the Success class.
- Information: specifies whether to filter events of the Information class.
- Warning: specifies whether to filter events of the Warning class.
- Error: specifies whether to filter events of the Error class.
- Information: the text that matches a value in the Server Log Viewer's Information column. This field is not case-sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Server: the text that matches a value in the Server Log Viewer's Server column. This field is not case-sensitive and you may use wildcards. You can enter multiple values separated by a semicolon.
- Event ID: the number that matches a value in the Server Log Viewer's Event column. You can enter multiple values se
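The filter semantics above, as an added Python example (not DeviceLock code) run over a few constructed Server Log records. Text fields are matched case-insensitively with * and ? wildcards, a field may hold several semicolon-separated values, Event ID accepts a list, and the From/To range is applied to record numbers. Two details the page does not state and which this example assumes: the values of one field are combined with OR (any one may match), and a wildcard pattern must match the whole column value, so a substring search is written as *text*.

```python
"""Added example (not DeviceLock code): Server Log filter semantics
applied to constructed log records."""
import fnmatch
from dataclasses import dataclass


@dataclass
class Record:
    number: int
    event_type: str      # Success | Information | Warning | Error
    event_id: int
    server: str
    information: str


# Constructed sample records; the real Server Log also carries a timestamp.
LOG = [
    Record(1, "Information", 10, "DLES-01", "Server started"),
    Record(2, "Success", 16, "DLES-01", "Policy delivered to PC-01"),
    Record(3, "Warning", 18, "DLES-02", "Policy verification failed on PC-02"),
    Record(4, "Error", 20, "DLES-02", "Access is denied connecting to PC-03"),
    Record(5, "Success", 16, "DLES-01", "Policy delivered to PC-04"),
]

ALL_TYPES = ("Success", "Information", "Warning", "Error")


def _text_matches(field_value, filter_text):
    """Empty filter text matches everything. Otherwise any of the
    ';'-separated wildcard patterns must match the whole value, ignoring case
    (OR between values is this example's assumption)."""
    if not filter_text or not filter_text.strip():
        return True
    patterns = [p.strip() for p in filter_text.split(";") if p.strip()]
    value = field_value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def _ids(filter_text):
    """Parse '16;20' into {16, 20}; None means no Event ID restriction."""
    if not filter_text or not filter_text.strip():
        return None
    return {int(p) for p in filter_text.split(";") if p.strip()}


def apply_filter(records, event_types=ALL_TYPES, information="", server="",
                 event_id="", first=None, last=None):
    """Return the records that pass every configured condition."""
    ids = _ids(event_id)
    out = []
    for r in records:
        if r.event_type not in event_types:          # class check box cleared
            continue
        if first is not None and r.number < first:   # From record
            continue
        if last is not None and r.number > last:     # To record
            continue
        if ids is not None and r.event_id not in ids:
            continue
        if not _text_matches(r.information, information):
            continue
        if not _text_matches(r.server, server):
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    # Only warnings and errors reported by server DLES-02, any case.
    for r in apply_filter(LOG, event_types=("Warning", "Error"), server="dles-02"):
        print(r.number, r.event_type, r.event_id, r.information)
```

Because fnmatch treats the pattern as a whole-value match, a filter text of "Policy" alone matches nothing here while "Policy*" or "*policy*" does; that is the behaviour to confirm against the console before relying on a filter to hide or surface records.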
dls) to deploy DeviceLock policies throughout your network. Enforcing regular permissions lets you prevent offline permissions inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on enforcing regular permissions, see Removing Offline Permissions.

Managing offline permissions involves the following tasks:
- Setting and editing offline permissions
- Undefining offline permissions
- Removing offline permissions

Setting and Editing Offline Permissions

To set and edit offline permissions
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Permissions. When you select Permissions in the console tree, the details pane shows the device types for which you can set permissions. In the details pane you can also view the current state of offline permissions for each device type in the Offline colu
[Tail of the default permissions table: Windows Mobile row, Generic rights (Read, Write, Execute) for the EVERYONE, ADMINISTRATORS and SYSTEM accounts]

Using special time control, you can define a time when the selected user or user group will or will not have access to devices. Time control appears at the top right side of the Permissions dialog box. Use the left mouse button and select the allowed time. To select a denied time, use the right mouse button. Also, you can use the keyboard to set times: arrow keys for navigation and the spacebar to toggle allowed/denied time.

To define which actions on devices are to be allowed for a user or user group, set the appropriate rights. All rights are divided into three groups: Generic, Encrypted and Special Permissions. Each group has its own set of rights.

- Generic: Generic rights do not apply to devices that are recognized by DeviceLock Service as encrypted devices. For more information on encryption integration, please read the Encryption section of this manual.
  - Read: to enable data reading from the device. Applies to all device types except Clipboard and Printer.
  - Write: to enable data writing to the device. With the exception of Windows Mobile, this right can be enabled for all devices only if Read is selected in the Generic group. It cannot be disabled for the BlackBerry, Bluetooth, Infrared port, Parallel port, Serial port and WiFi device types. When Write is disabled for USB and FireWire ports, it
[Figure: Browse For Folder dialog box ("Please select the folder where installation files are located"), showing the Program Files\DeviceLock tree with the DeviceLock Agent, Plugins and Projects folders]

These files are located in the DeviceLock installation directory. By default, the DeviceLock installation directory is %ProgramFiles%\DeviceLock.

By default, the DeviceLock Service installation files will be copied to the %ProgramFiles%\DeviceLock Agent folder if this service doesn't exist on this system. If the service exists on the system but its version is lower than 7.0, the management console will also copy the installation files to the default %ProgramFiles%\DeviceLock Agent folder. If the service exists on the system but its version is 7.0 or higher, the management console will copy the installation files to the directory of the old files, and the old files will be replaced.

Remote Installation via DeviceLock Enterprise Manager

DeviceLock Enterprise Manager contains the Install service plug-in that allows you to deploy DeviceLock Service automatically on all the selected computers in your network.

[Figure: Scan Network dialog box: select domain(s) and computer(s), and under Select Plug-in Types choose the Install service plug-in (other plug-ins listed include Audit Log Viewer)]
- A ContentLock license enables you to create and use Content Aware Rules based on regular expressions, keywords and document properties, as well as complex rules based on Boolean combinations of matching criteria.

If you use different types of licenses, consider the following:
- If you have a basic DeviceLock license, a ContentLock license and a NetworkLock license, you can use the Protocols feature, and create and use Content Aware Rules based on file types, regular expressions, keywords and document properties, as well as complex rules.
- If you have only a basic DeviceLock license, you cannot use the Protocols feature, and you cannot create and use Content Aware Rules based on regular expressions, keywords and document properties, or complex rules. You can create and use Content Aware Rules based on file types (File Type Detection).
- If you have a basic DeviceLock license and a ContentLock license, you can create and use Content Aware Rules based on file types, regular expressions, keywords and document properties, as well as complex rules. You cannot use the Protocols feature.
- If you have a basic DeviceLock license and a NetworkLock license, you can use the Protocols feature and create and use Content Aware Rules based on file types. You cannot create and use Content Aware Rules based on regular expressions, keywords and document properties, or complex rules.

A basic DeviceLock license is obligatory, while NetworkLock and ContentLo
DeviceLock Web site. Click Finish to finish the installation.

Note: To uninstall DeviceLock, do one of the following: use Add or Remove Programs in Control Panel to remove DeviceLock, OR click Start, point to All Programs, point to DeviceLock, and then click Remove DeviceLock.

Unattended Installation

DeviceLock also supports unattended (silent) setups. This provides an installation method that can be used from within a batch file. To install DeviceLock Service without user intervention, run Setup with the /s parameter, e.g. c:\setup.exe /s.

There is a special configuration file for silent setups named devicelock.ini. The devicelock.ini file must be in the same directory as setup.exe. With this file you can customize the installation parameters. You can open and edit devicelock.ini in any text editor, for example in Notepad. Remove the semicolon before a parameter to assign it a new value, or leave the semicolon in place to keep the default value. There are two sections, Install and Misc, in this configuration file, and each section has its own parameters.

1. Install
To install DeviceLock Service, specify the Service parameter: Service = 1. You can also install the DeviceLock management consoles and the documentation using the Manager and Documents parameters. If you want to just upgrade DeviceLock Service and do not want to change existing settings, use the OnlyUpgradeService parameter: OnlyUpgradeService = 1. In this case Setup ignores all
- Adobe Acrobat Reader, because DeviceLock uses PDF as the default output format for reports. If you want to open a report in PDF format, you must have Adobe Acrobat Reader installed on your computer. You can download Acrobat Reader from the Adobe Web site: http://get.adobe.com/reader

Viewing Report Parameters

After you run a report, you can get information on the report parameters that you specified when generating the report.

To view report parameters:
1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server.
2. In the console tree, expand DeviceLock Enterprise Server.
3. Under DeviceLock Enterprise Server, expand Reports.
4. Expand Audit Log or Shadow Log.
5. Under Audit Log or Shadow Log, select the report template that you used for generating the report. When you select a report template in the console tree, you can view the reports associated with it in the details pane.
6. In the details pane, right-click the report and then click View parameters.
The Report Options dialog box appears. In this dialog box you can view the parameter values that you specified when generating the report.

Exporting and Saving Reports

DeviceLock provides the ability to export generated reports to another format, such as HTML, PDF or RTF, and save them as files locally or on your network.

Note: When you save a report as HTML, it is saved as an .htm file. If this report co
Content Aware Rule properties such as Description, Applies To, Device Type(s) and Actions.

To edit an offline Content Aware Rule:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click Content Aware Rules, click Manage Offline, and then do the following:
   a. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box.
   b. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, select the rule you want to edit and then click Edit, OR right-click the rule and then click Edit.
   OR
   Under Devices, expand Content Aware Rules and then do the following:
   a. Under Content Aware Rules
DeviceLock Group Policy Manager, do the following: open Group Policy Object Editor; in the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols.
Under Protocols, do one of the following:
- Right-click White List and then click Load Offline.
OR
- Select White List and then click Load Offline on the toolbar.
OR
- Expand White List, right-click any user or group specified in the white list, and then click Load Offline.
OR
- Expand White List, select any user or group specified in the white list. In the details pane, right-click the white list rule and then click Load.
OR
- Expand White List, select any user or group specified in the white list, and then click Load Offline on the toolbar.
OR
- Right-click White List and then click Manage Offline. In the right pane of the Protocols White List (Offline) dialog box, under Rules, click Load.
The Open dialog box appears.
In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file and then click Open.
If the offline Protocols White List is already defined and you choose to import a new offline white list, the following message box is displayed:

[Figure: DeviceLock message box "Do you want to overwrite existing records?" with Yes (Overwrite) and No buttons]
DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, do one of the following:
- Right-click Content Aware Rules and then click Manage.
OR
- Select Content Aware Rules and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.
In the lower left pane of the Content Aware Rules dialog box, under Users, select the user or group to which the rule that you want to copy is applied. By selecting users or groups you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box.
In the lower right pane of the Content Aware Rules dialog box, under Rules, right-click the rule you want to copy and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you use the CTRL+X key combination to cut the rule, the rule will be cut only
- The Everyone account has No Access permissions and is the only account assigned to a protocol. No Access permissions assigned to the Everyone account take priority over permissions assigned to other accounts.
- All users and groups assigned to a protocol have No Access permissions.
- All users and groups assigned to a protocol are removed.

Use Regular: Indicates that the inheritance of offline permissions is blocked and regular permissions are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular permissions is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular permissions lets you prevent offline permissions inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular permissions, see Removing Offline Permissions.

Managing offline permissions involves the following tasks:
- Setting and editing offline permissions
- Undefining offline permissions
- Removing offline permissions

Setting and Editing Offline Permissions

To set and edit offline permissions:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the con
Offline.
OR
- Select Content Aware Rules and then click Save Offline on the toolbar.
OR
- Expand Content Aware Rules, right-click any user or group, and then click Save Offline.
OR
- Expand Content Aware Rules and then select any user or group to which the rule is applied. In the details pane, right-click the rule and then click Save.
OR
- Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Save Offline on the toolbar.
OR
- Right-click Content Aware Rules and then click Manage Offline. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, click Save.
The Save As dialog box appears.
4. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .cwl file. In the File name box, type the file name you want. Click Save.
When you export rules, they are saved in a file with a .cwl extension.

To import offline Content Aware Rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLoc
Rules
- Deleting offline Content Aware Rules
- Undefining offline Content Aware Rules
- Removing offline Content Aware Rules

Defining Offline Content Aware Rules

Content Aware Rules are created based on either the built-in or custom content groups. For detailed information on these groups, see Configuring Content Detection Settings.

To define an offline Content Aware Rule:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
- Right-click Content Aware Rules and then click Manage Offline.
OR
- Select Content Aware Rules and then click Manage Offline on the toolbar.
The Content Aware Rules (Offline) dialog box appears.

[Figure: Content Aware Rules (Offline) dialog box, with the Content Database pane listing built-in content groups (for example a Routing Number pattern group and built-in keyword groups)]
- Unidentified Content: to enable writing any other uncategorized content type from a PC to a Windows Mobile device.
- Copy Text: to enable pasting text data from the clipboard.
- Copy Image: to enable pasting graphical data from the clipboard.
- Copy Audio: to enable pasting audio data from the clipboard.
- Copy File: to enable pasting files from the clipboard.
- Screenshot: to enable capturing screen shots of the entire screen, the active window or any segment of the screen to the clipboard.
  Note: Because screen shots captured using screen capture tools and utilities are saved directly to files, while screen shots captured by pressing the PRINT SCREEN key are first copied to the clipboard and then must be pasted into a separate program (for example, Microsoft Word or Paint), different access rights are required to control access to screen shots. To allow users to capture screen shots using screen capture tools and utilities, you must grant them only the Screenshot right. To allow users to capture screen shots by pressing the PRINT SCREEN key, you must grant them the Screenshot and Copy Image rights. If users do not have the Screenshot right, they cannot capture screen shots using the PRINT SCREEN key or screen capture tools and utilities.
- Copy Unidentified Content: to enable pasting any other uncategorized content type from the clipboard.
Note: The Copy Text, Copy Image, Copy Audio, Copy File
[Figure: Permissions dialog box with the time control grid (Allowed Time / Denied Time; the example selection covers Monday through Friday)]

The names of the users and user groups assigned to a device type are shown in the list of accounts on the top left-hand side of the Permissions dialog box. To add a new user or user group to the list of accounts, click Add. You can add several accounts simultaneously.

[Figure: Select Users or Groups dialog box (Object Types, Locations, "Enter the object names to select", Check Names)]

To delete a record from the list of accounts, use the Delete button. Using CTRL and/or SHIFT you can select and remove several records simultaneously.

Use the Set Default button to set default permissions for devices. Default permissions are enabled by using the following access selections:

DEVICE TYPE   EVERYONE                     ADMINISTRATORS               SYSTEM
BlackBerry    Generic: Read, Write         Generic: Read, Write         Generic: Read, Write
Bluetooth     Generic: Read, Write         Generic: Read, Write         Generic: Read, Write
Clipboard     Generic: Copy to clipboard   Generic: Copy to clipboard   Generic: Copy to clipboard
              Special Permissions: Copy Text, Copy Image, Copy Audio, C (the same Special Permissions are listed for all three accounts)
created.

Multiple content detection methods: You can use multiple methods to identify sensitive content contained in documents, based on regular expressions, keywords and document properties.

Centralized content management: Content Aware Rules are created based on content groups that enable you to centrally define the types of content for which you want to control access.

Ability to override device type/protocol level policies: You can selectively allow or deny access to certain content regardless of preset permissions at the device type/protocol level.

Inspection of files within archives: Allows you to perform deep inspection of each individual file contained in an archive. The following inspection algorithm is used: when a user attempts to copy an archive file to a device or transmit it over the network, all files are extracted from the archive and analyzed separately to detect the content to which access is denied by Content Aware Rules. If Content Aware Rules deny access to at least one of the files extracted from the archive, the user is denied access to the archive. If Content Aware Rules allow access to all of the files extracted from the archive, the user is allowed access to the archive. All archived files are extracted to the Temp folder of the System user. Typically, the system Temp folder resides in the following location: the %windir%\Temp directory. If DeviceLock Service has no access to the Temp folder, the archi
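The archive inspection algorithm described above, as an added example that is not DeviceLock's own code: Content Aware Rules are modelled as constructed deny rules (one keyword, one regular expression), archives are in-memory ZIP files, and nested archives are inspected recursively, which is an assumption of this example rather than something the manual states.

```python
"""Model of the "deny the archive if any extracted file is denied" algorithm.

Added example, not DeviceLock code. Assumptions: rules are simple deny rules
over regular expressions/keywords, archives are ZIP files held in memory, and
nested archives are inspected recursively (an assumption of this example).
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DenyRule:
    """A simplified Content Aware Rule: deny any file whose text matches."""
    name: str
    regex: re.Pattern


# Constructed sample rules standing in for content groups (not DeviceLock's
# built-in groups): a keyword rule and a regular-expression rule.
SAMPLE_RULES = (
    DenyRule("Confidential keyword", re.compile(r"\bCONFIDENTIAL\b")),
    DenyRule("Ticket number pattern", re.compile(r"\bTKT-\d{6}\b")),
)


def denied_rules_for_file(text: str, rules) -> list[str]:
    """Return the names of all rules that deny access to this file's text."""
    return [r.name for r in rules if r.regex.search(text)]


def inspect_archive(archive_bytes: bytes, rules=SAMPLE_RULES, prefix: str = ""):
    """Inspect every file in a ZIP archive separately.

    Returns (allowed, findings). `allowed` is True only if no extracted file
    is denied by any rule; `findings` lists (member path, rule name) pairs.
    An archive that cannot be opened, or a member that cannot be extracted
    (for example a password-protected member), is treated as denied: content
    that cannot be inspected cannot be cleared.
    """
    findings: list[tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return False, [(prefix or "<archive>", "archive could not be opened")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            try:
                data = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile, NotImplementedError):
                findings.append((path, "member could not be extracted"))
                continue
            if zipfile.is_zipfile(io.BytesIO(data)):
                # Nested archive: inspect its members too (example assumption).
                _, nested = inspect_archive(data, rules, prefix=path + "/")
                findings.extend(nested)
                continue
            text = data.decode("utf-8", errors="replace")
            for rule in denied_rules_for_file(text, rules):
                findings.append((path, rule))
    return len(findings) == 0, findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip({"readme.txt": b"public notes", "a/b.csv": b"x,y\n1,2\n"})
    inner = build_zip({"draft.txt": b"marked CONFIDENTIAL - do not copy"})
    tainted = build_zip({"readme.txt": b"public notes", "attachments.zip": inner})
    for label, blob in (("clean", clean), ("tainted", tainted)):
        allowed, findings = inspect_archive(blob)
        print(label, "ALLOWED" if allowed else "DENIED", findings)
```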
details pane, right-click the rule you want to edit and then click Edit.
OR
- In the details pane, double-click the rule you want to edit.
The Edit Rule dialog box appears.
In the Edit Rule dialog box, modify the rule parameters as required to meet your needs.
Click OK to apply the changes.

Copying Rules of Protocols White List

You can perform a cut-and-paste operation, a copy-and-paste operation, or a drag-and-drop operation to reuse existing rules of the Protocols White List.

To copy a white list rule:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
- Right-click White List and then click Manage.
OR
- Select White List and then click Manage on the toolbar.
The Protocols White List dialog box appears.
In the left pane of the Protocols White List dialog box, under Users, select the user or group to which the
dialog box, under Drives, you can view all CD-ROM and DVD-ROM drives available on the local computer. The list of drives is automatically refreshed and displays new media as soon as they arrive. To manually refresh this list, click Refresh.
In the upper pane of the Media Database dialog box, under Drives, select the drive that contains the media you want to add to the Media White List, and then click Add. The selected media are added to the Media Database and can be viewed in the lower pane of the Media Database dialog box.
Note: You can add media to the Media White List only after you add the media to the Media Database. The same Media Database is used for both the regular and offline Media White List.
To delete a medium from the white list, in the lower pane of the Media Database dialog box, do the following:
- Select the medium and then click Delete.
OR
- Right-click the medium and then click Delete.
To edit a medium's description, in the lower pane of the Media Database dialog box, select the medium and then click Edit.
Click OK or Apply. The media that you added to the Media Database are displayed under Media Database in the upper pane of the Media White List (Offline) dialog box.
In the lower left pane of the Media White List (Offline) dialog box, under Users, click Add.
The Select Users or Groups dialog box appears.
In the Select
displayed under White List in the console tree. When you select a user or group to which a white list rule applies in the console tree, in the details pane you can view detailed information regarding this rule. This information includes the following:
- Protocol: The protocol the rule applies to.
- Description: The name of the rule.
- Hosts: Shows the allowed hosts for this rule.
- Ports: Shows the allowed ports for this rule.
- SSL: Shows the selected SSL option. Possible values: Allowed (allows SSL connections), Denied (disallows SSL connections) and Required (requires that all connections use SSL).
- Extra parameters: Shows additional protocol-specific parameters specified for the rule. These parameters include From (shows allowed sender identifiers for instant messaging and e-mail sender addresses for Webmail) and To (shows allowed recipient identifiers for instant messaging and e-mail recipient addresses for Webmail).
- Profile: Possible values: Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Protocols White Lists for the same user or sets of users. For information about how to define the offline Protocols White List, see Managing Offline Protocols White List.

Editing Protocols White List

You can modify parameter values specified for a white list ru
file you want to import. In the folder list, locate and open the folder that contains the file. Click the file and then click Open. You can import only one .cwl file at a time.

Undefining Content Aware Rules

If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent Content Aware Rules from being applied to a specific group of client computers. To do so, you need to return the previously defined Content Aware Rules to the unconfigured state. All undefined DeviceLock settings are ignored by client computers.

To undefine Content Aware Rules:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, right-click DeviceLock Settings or DeviceLock Service, and then click Load Service Settings to open the XML file with defined DeviceLock policies.
   c. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click Content Aware Rules and then click Undefine.

Deleting Content Aware Rules

You can delete individual Content Aware Rules when they are no longer required.

To delete a C
following:
a. When the Edit computers list dialog box opens, in the Select computer(s) list click one of the following options:

Option: From Database
Description: This option is selected by default. This option lets you select computers from the DeviceLock Enterprise Server database, which shows all computers from which the server has ever received audit and shadow data. If you select this option:
1. In the left pane of the dialog box, select the appropriate check boxes next to the desired computers.
2. Click the right single arrow button. The selected computers are displayed under Selected computers in the right pane of the dialog box. To remove single computers from the list of selected computers, use the left single arrow button. To add or remove all available computers to or from the list of selected computers at the same time, use the right double arrow button or the left double arrow button.

Option: From File
Description: This option lets you select computers from an external text file. The text file must contain each computer's name or IP address on a separate line and can be either Unicode or non-Unicode. If you select this option:
1. Click the ellipsis button to open the Open dialog box and browse for the file to use.
2. In the Open dialog box, in the Look in list, click the location that contains the file you want to import.
3. In the folder list, locate and open the folder that contains
is connected or disconnected.
- A modem connects or disconnects.
- A virtual private network (VPN) connection is established or terminated.
- A wireless network connection using a Wi-Fi card is established or terminated.
- A DHCP-assigned IP address is used or released.
- A network card is enabled, disabled, added or removed.
- Changes to DeviceLock Service settings are made.

Managing Offline Security Policies for Devices

You can manage offline security policies in much the same way as you manage online (regular) policies, except for a few variations. This section provides offline profile-specific information as well as basic management procedures. For detailed information on Permissions, audit and shadowing rules, white lists, Content Aware Rules and Security Settings for devices, refer to the following sections of the User Manual: Permissions (Regular Profile), Auditing & Shadowing (Regular Profile), USB Devices White List (Regular Profile), Media White List (Regular Profile), Security Settings (Regular Profile), Content Aware Rules for Devices (Regular Profile).

Managing offline security policies for devices involves the following operations:
- Managing offline Permissions
- Managing offline audit and shadowing rules
- Managing the offline USB Devices White List
- Managing the offline Media White List
- Managing offline Content Aware Rules
is some new computer that did not exist in the container at the time the task was created/modified but was added to this container later, it will be retrieved and monitored at the time of executing the task.

Note: If DeviceLock Enterprise Server is running on Windows NT4, then using Dynamic list requires that Active Directory Extension be installed. You can download it from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7c219dc c ec0O0 4c98 ba61 fd98467952a8

[Figure: Edit dynamic list dialog box: "Select path from the Active Directory tree" (Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Users), the Path field holding an LDAP path, and the "Traverse subcontainers when enumerating computers" check box]

A path to the container from which computers will be retrieved at the time of executing the task should be specified in the Path parameter. You must use the LDAP string representation for distinguished names. You may browse the directory tree and choose the needed container by clicking the Select button. In this case a path to this container will be specified in the Path parameter automatically.

Select the Traverse subcontainers when enumerating computers check box to allow DeviceLock Enterprise Server to retrieve computers from all the nested containers located inside the selected container. Otherwise, if this check
list changes to Not Configured. When you select USB Devices White List in the console tree, in the details pane the following message is displayed: Offline USB White List is not configured.

Removing Offline USB Devices White List

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of the higher-level offline white list and enforce the regular white list on specific lower-level groups of client computers. To enforce the regular USB Devices White List, you must remove the offline USB Devices White List.

To remove the offline USB Devices White List:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click USB Devices White List and then click Remove Offline.
The offline state of the white list changes to Use Regular. When you select USB Devices White List in the console tree, in the details pane the following message is displayed: Offline USB White List is configured to use Regular USB White List.
The Use Regu
e-mail notifications for reports: Configure an e-mail notification for completed reports. Select the Use e-mail notifications for reports check box to type your e-mail information in the corresponding boxes. Clear the Use e-mail notifications for reports check box to remove the previously configured SMTP server and e-mail notification settings.
SMTP host: Specify the name of the SMTP server to use when sending messages. You can specify the SMTP server through an IP address or a DNS-resolvable name.
Port: Specify the port that SMTP clients use to connect to the SMTP server. The default value is 25.
Server requires authentication: Specify the type of authentication to use with the SMTP server. Select the Server requires authentication check box to specify basic authentication. Clear the Server requires authentication check box to specify no authentication.
User name: Specify the user name to use for authentication with the SMTP server. This property requires a value if you specified basic authentication.
Password: Specify the password to use for authentication with the SMTP server. This property requires a value if you specified basic authentication.
Sender Address: Specify the e-mail address that will be used in the From line of an e-mail message.
5. Click OK.

Setting Default Format for Reports

You can specify the report output format you want to use for
305. one of the following:
- Right-click Content Aware Rules, and then click Manage. OR
- Select Content Aware Rules, and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.
4. In the upper pane of the Content Aware Rules dialog box, under Content Database, select any built-in group you want to view, and then click View Group.

Duplicating Built-in Content Groups
You cannot edit the built-in content groups, but you can create and use their editable copies (duplicates) to suit your particular organization's needs.
To duplicate a built-in content group:
1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
- Right-click Content Aware Rules, and then click Manage. OR
- Select Content Aware Rules, and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.
4. I
306. More than: indicates that the file(s) must have a size that is more than the size you specify.
- Between: indicates that the file size must fall within the specified range.
The remaining rows of the table cover the Password protected, Text extraction not supported, Contains text and Accessed by process options.
Password protected: Detect and control access to password-protected archives, PDF files and Microsoft Office documents (.doc, .xls, .ppt, .docx, .xlsx, .pptx). If you select the Password protected check box for a Document Properties group and then create a Content Aware Rule based on this content group, this rule will control access to password-protected archives, PDF files and Microsoft Office documents. Clear the Password protected check box if you do not want to detect and control access to password-protected archives, PDF files and Microsoft Office documents. For information on supported archive formats, see the description of the Inspection of files within archives feature.
Text extraction not supported: Control access to unsupported file formats. If you select the Text extraction not supported check box for a Document Properties group and then create a Content Aware Rule based on this content group, this rule will control access to all files in an unsupported format. All supported file formats are listed in the Extending DeviceLock Functionality with ContentLock and NetworkLock section.
Contains text: Detect and control access to images based on whether or not they
307. e the Permissions dialog box, and then click Yes to confirm that you really want to deny access to these devices for all users.

For all users, all USB devices are denied except the mouse and keyboard, but members of the Administrators group can use an authorized model of USB storage devices:
1. Select the USB port record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a right mouse click.
2. Click the Add button in the Permissions dialog box and add the Everyone user (type the name or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box, select the Everyone record, and disable all rights in the User's Rights list.
3. Click the Security Settings button in the Permissions dialog box, and then clear the Access control for USB HID (mouse, keyboard, etc.) check box.
[Screenshot: Security Settings dialog box, listing Access control for USB scanners and still image devices, Access control for USB Bluetooth adapters, Access control for USB storage devices, and Access control for USB and FireWire network cards.]
4. Click OK to close the Security Settings dialog box, and then click the USB White List button in the Permissions dialog box.
[Screenshot: USB Devices White List dialog box with the USB Device Database.]
308. DeviceLock Reports

Shadow Log Reports
Shadow Log reports are reports that use the DeviceLock Enterprise Server shadow log files as a data source. All reports contain the combined data from the shadow log and the deleted shadow log. The following table provides summary information on the report types available in this category. Report types: Copied files per channel; Top active computers.
Report type: Copied files per channel
Description: This report shows statistics on copied files per data transmission channel (devices and/or protocols). Statistical information on copied files is sorted according to the number of copied files and the total size of all copied files. The report consists of three sections: the Report Header, Report Parameters and Report Results. The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
- Period from/to: Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
- Computer(s): Shows the computers that were specified for the report.
- User(s): Shows the users that were specified for the report.
- File Name: Shows the files tha
309. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, right-click DeviceLock Settings or DeviceLock Service, and then click Load Service Settings to open the XML file with defined DeviceLock policies. c. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click White List, and then click Undefine.

Deleting Rules of Protocols White List
You can delete individual white list rules when they are no longer required.
To delete a white list rule:
1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
- Expand White List, right-click the user or group to which the
310. [Screenshot: Group Policy Management, domain context menu.]
Click Create and Link a GPO Here from the context menu of the domain item. If you are using the Active Directory Users and Computers snap-in, right-click your domain, then click Properties, click the Group Policy tab, and then click New.
[Screenshot: Active Directory Users and Computers, domain context menu.]
Type the name that you want to call this policy, and then press ENTER. In the console tree, select your group policy object, click the Delegation tab, and then click Advanced.
[Screenshot: Group Policy Management, Delegation tab.]
If you are using the Active Directory Users and Computers snap-in, click Properties on the Group Policy tab, and then click the Security tab.
[Screenshot: DeviceLock Service distribution Properties dialog box, Security tab.]
311. Because DeviceLock uses the local Hosts file for host name resolution, a malicious user with local administrator rights can modify the Hosts file as required to bypass DeviceLock security policies. For example, if the white list allows HTTP access to gmail.com, a malicious user with local administrator rights can gain access to the unauthorized www.ru by adding the 194.87.0.50 gmail.com entry to the Hosts file. In order to minimize security risks, we recommend that you specify IP addresses instead of host names.
- IP address, for example 12.13.14.15. You can specify a range of IP addresses separated by a dash, for example 12.13.14.18-12.13.14.28. You can also specify the subnet mask for the IP address using the following format: IP address/subnet mask width in bits, for example 3.4.5.6/16.
Multiple hosts must be separated by a comma or semicolon. You can also press ENTER after each entry. You can specify multiple hosts in the different formats described above, for example: www.microsoft.com, 12.13.14.15, 12.13.14.18-12.13.14.28.
Note: When adding hosts to the white list, consider the following. If objects (images, scripts, video, Flash files, ActiveX, etc.) on a web page are downloaded from other hosts, you must add those hosts to the white list to load the web page correctly. If you specify hosts and do not specify ports, t
The next parameters in the table are Ports, SSL and Local sender ID(s).
312. check box in the Not column.
Join each content group you select with the logical AND or OR operator. To do so, select the desired group in the Criteria column, and then click either AND or OR in the appropriate list in the AND/OR column.
Clear the current list of content groups in the Criteria column.
Validate your expression. If the expression was defined incorrectly (for example, an opening parenthesis was not matched with a closing parenthesis), you receive an error message.
6. Click OK to close the Add Complex Group dialog box.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content Aware Rules dialog box.

Viewing Built-in Content Groups
You can view any built-in content groups, but you cannot edit or delete them.
To view a built-in content group:
1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand
313. ed communications in established chat rooms on the Internet by means of IRC servers. Both non-SSL and SSL connections are supported.
- Jabber: An open XML-based protocol for instant messaging. Both non-SSL and SSL connections are supported.
- Mail.ru Agent: An instant messaging program created by Mail.ru.
- SMTP (Simple Mail Transfer Protocol): An Internet standard protocol used for exchanging e-mail messages between SMTP servers on the Internet. Extended SMTP (ESMTP) is also supported. Both non-SSL and SSL connections are supported.
- Social Networks: Controls communication with social networking sites. The following social networking sites are supported: Facebook, Google, LinkedIn, LiveJournal, MeinVZ, Myspace, Odnoklassniki, SchuelerVZ, StudiVZ, Tumblr, Twitter, Vkontakte, XING. Note: SSL traffic on social networking sites is controlled as generic non-SSL traffic.
- Telnet: The Internet standard protocol for remote terminal connection service.
- Web Mail: Controls Web-based mail communication. The following Web-based e-mail services are supported: AOL Mail, Gmail, GMX Mail, Hotmail, Mail.ru, Rambler Mail, Web.de, Yahoo Mail and Yandex Mail. Both non-SSL and SSL connections are supported.
- Windows Messenger: Microsoft Notification Protocol (MSNP), the underlying protocol used by Windows Live Messenger and Windows Messenger.
- Yahoo Messenger: The underlying network protocol used by the Yaho
314. ed from the system.
- Notification Text: the main text of the message. You can use the predefined macros described above within the text.

PS/2 keyboard scrambling
By enabling this parameter, you can prevent PS/2 keyloggers from recording keystrokes. DeviceLock Service is unable to detect PS/2 keyloggers and notify users about their presence, but it obfuscates the PS/2 keyboard's input and forces PS/2 keyloggers (if any) to record some garbage instead of the real keystrokes.
Note: When PS/2 keyboard scrambling is enabled while working with a PS/2 KVM switch, switching between computers will not work from the keyboard.

Encryption
DeviceLock Service can detect disks (USB flash drives and other removable media) encrypted by third-party products and apply special encrypted permissions to them. This feature allows you to define more flexible access control policies and helps to prevent writing sensitive data to unencrypted media.
[Screenshot: DeviceLock Management Console, Service Options with the Anti-keylogger and Encryption nodes; the Encryption node lists the supported third-party encryption products.]
Currently DeviceLock
315. ed on either the built-in or custom content groups. For detailed information on these groups, see Configuring Content Detection Settings.
To define a Content Aware Rule:
1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
- Right-click Content Aware Rules, and then click Manage. OR
- Select Content Aware Rules, and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.
[Screenshot: Content Aware Rules dialog box with the Content Database pane.]
4. In the lower left pane of the Cont
316. ed parameters, and so on.
- Server: the name of the server where an event occurred.
- Record N: the record number.
To refresh the list, select Refresh from the context menu available by clicking the right mouse button, or press the appropriate button on the toolbar. To clear all records from this log, select Clear from the context menu or press the appropriate button on the toolbar. After the server's log is cleared, one event about this clearing action is written into the log, for example: The Server Log (100 record(s)) was cleared by VM2000AD\Administrator from xpvirt.vm2000ad.com.

Server Log Settings
To define a maximum log size and what DeviceLock Enterprise Server should do if the server's log becomes full, use Settings from the context menu of Server Log Viewer.
[Screenshot: Server Log Settings dialog box: Control log size; Maximum log size (1000 records); When maximum log size is reached: Overwrite events as needed / Overwrite events older than N days / Do not overwrite events (clear log manually); Restore Defaults.]
For information on these settings, see Audit Log Settings (Server). If there is no space for new records in the server's log and there is nothing to remove, then DeviceLock Enterprise Server just drops any new records.

Server Log Filter
You can filter data in the Server Log Viewer so that only records that meet specified conditions are
317. either interface (port) or type.
[Flowchart: access check for a USB flash drive. Interface (port) level: Is the device in the USB White List for the user? Is Access control for USB storage devices unchecked in Security Settings? Is Control as Type unchecked in the USB White List? Is the user in the USB port permissions list (DACL)? Type level: Is the user in the Removable permissions list (DACL)? Is the user allowed or denied access to this file's content in Content Aware Rules? Result: Access Denied or Access Allowed.]
Consider the case of a user connecting a USB flash drive to the USB port. Here DeviceLock would first check whether the USB port is open or locked at the interface level. Next, because Windows recognizes a USB flash drive as a removable storage device, DeviceLock will also check permissions at the type level (Removable). Finally, DeviceLock will also check permissions at the file content level (Content Aware Rules). In contrast, a USB scanner would only be checked at the interface level (USB port), as DeviceLock doesn't distinguish scanners at the type level.
[Flowchart: access check for a USB scanner. Interface (port) level: Is Access control for USB scanners unchecked in Security Settings?]
318. level. If the white-listed device (for example, USB Flash Drive) belongs to both levels, interface (USB) and type (Removable), the permissions (if any) for the type level will be applied anyway. Otherwise, if the Control as Type check box is not selected, access control on the type level is also disabled. For example, by clearing the Control as Type check box for the USB Flash Drive, you can bypass security checking on the Removable level.
Note: When you add a USB composite device (a device that is represented in the system by a parent composite device and one or more child interface devices) to the USB Devices White List, consider the following. If you add any device of a USB composite device to the white list, access control is disabled for all devices of the composite device at the interface (USB port) level. If the white-listed device belongs to both levels, interface (USB) and type (for example, Removable), and the Control as Type check box is selected, the permissions (if any) for the type level will be applied anyway.
If it is necessary to force the white-listed device to reinitialize (replug) when a new user is logged in, select the Reinitialize check box. Some USB devices, like the mouse, will not work without being reinitialized, so it is recommended to keep this check box selected for non-storage devices. It is recommended to keep the Reinitialize check box unselected for storage devices such as flash drives, CD/DVD-ROMs, external hard
319. Content Aware Rules Examples 480

About This Manual
This manual provides detailed information about how to install and use DeviceLock. It is primarily intended for administrators, security specialists and other IT professionals who focus on how to provide data security within an organization. This manual assumes some basic knowledge of the Microsoft Windows operating system and networking, as well as the ability to create a local area network (LAN).

Conventions
The following table lists the conventions used in this manual.
Bold text: Represents user interface elements such as menus and commands, dialog box titles and options.
Italic text: Used for comments.
Blue text: Represents hyperlinks.
Note: Used to provide supplementary information.
Caution: Used to alert you to possible problems.
Best Practice: Used to provide best practice recommendations.
Plus sign: Used to indicate a combination of keys that you must press at the same time.

Overview
General Information
Preventing unauthorized downloading, as well as the uploading of inappropriate software and data, is important when trying to protect and administer a company's computer network. The traditional solution has been a physical lock on the floppy drive. DeviceLock eliminates the need for physical locks and has a number of advantages. DeviceLock is e
320. Content Aware Rules dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the rule, and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content Aware Rules dialog box. To delete a user or group, in the lower left pane of the Content Aware Rules dialog box, under Users, select the user or group, and then click Delete or press the DELETE key.
7. In the lower left pane of the Content Aware Rules dialog box, under Users, select the users or groups for which you want to define the rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.
8. In the upper pane of the Content Aware Rules dialog box, under Content Database, select the desired content group, and then click Add. Note: You can specify only one content group for a Content Aware Rule. The Add Rule dialog box appears.
[Screenshot: Add Rule dialog box.]
9. In the Add Rule dialog box, in the Description box, type the name of the Content Aware Rule. By default, the Content Aware Rule has the same name as the specified content group, but you can enter a different name.
10. Under Applies to, specify the type of operation associated with the rule. T
321. Shadow Log Filter (Server)
You can filter data in Shadow Log Viewer so that only records that meet specified conditions are displayed in the list. To open the Filter dialog box, use Filter from the context menu of Shadow Log Viewer or press the appropriate button on the toolbar.
[Screenshot: Filter dialog box with Include and Exclude tabs: Success, Incomplete, Failed; Computer; File Name; Source; User; Process; File size More Than; Generated Date/Time; Received Date/Time.]
There is not much difference between the service's shadow log filter and the server's shadow log filter, so first see Shadow Log Filter (Service). In comparison with the service's shadow log filter, the server's filter has the following additional fields:
- Computer: the text that matches a value in the Shadow Log Viewer's Computer column. This field is not case-sensitive, and you may use wildcards. You can enter multiple values separated by a semicolon.
- Received Date/Time: specifies the time period to filter records based on when they were received by DeviceLock Enterprise Server. From specifies the earliest date and time from which you want records, while To specifies the latest date and time from which you want records. The possible values of the From parameter are First Record, Records On. Select Fir
322. er Date/Time: the date and time when the event was received by DeviceLock Service. This value matches the value in the Date/Time column of the server's Audit Log Viewer.
- Source: the type of device or protocol involved. This value matches the value in the Source column of the server's Audit Log Viewer.
- Action: the user's activity type. This value matches the value in the Action column of the server's Audit Log Viewer.
- Name: the name of the object (file, USB device, etc.). This value matches the value in the Name column of the server's Audit Log Viewer.
- Information: other device-specific information for the event, such as the access flags, device names, and so on. This value matches the value in the Information column of the server's Audit Log Viewer.
- User: the name of the user associated with this event. This value matches the value in the User column of the server's Audit Log Viewer.
- PID: the identifier of the process associated with this event. This value matches the value in the PID column of the server's Audit Log Viewer.
- Process: the fully qualified path to the process executable file. In some cases the process name may be displayed instead of the path. This value matches the value in the Process column of the server's Audit Log Viewer.
- Event: the number identifying the event type. This value matches the value in the Event column of the server's Audit Log Viewer.
The following information is displayed in Log
323. er is enabled, all files are extracted from CD/DVD images upon delivery to the server and stored in the database separately (one record per file). Otherwise, whole shadowed CD/DVD images are stored in the database.
Use the context menu on other parameters to open dialogs that enable making changes. Alternatively, you can double-click the parameter to open its dialog box. All these parameters are described in detail in the Installing DeviceLock Enterprise Server section of this manual. To run the configuration wizard and review or set all these parameters step by step, use the Properties item from the context menu of Server Options. The configuration wizard is also described in the Installing DeviceLock Enterprise Server section of this manual.

Audit Log Viewer (Server)
The audit log viewer allows you to retrieve the audit log stored on DeviceLock Enterprise Server. DeviceLock Enterprise Server stores audit records received from a remote computer only if DeviceLock Log or Event & DeviceLock Logs is selected in the Audit log type parameter in Service Options on that computer. Otherwise, audit records are stored in the local Windows event logging subsystem of the remote computer and can be viewed using the service's audit log viewer.
[Screenshot: DeviceLock Management Console, Audit Log Viewer under DeviceLock Enterprise Server.]
324. [Screenshot: list of report templates: ... per channel, Top active computers, Top active users, Top copied files.]
Note: You can create only those reports that are based on the predefined templates. You cannot modify the predefined report templates or create your own custom report templates.
There are two categories of report templates:
- Audit Log reports
- Shadow Log reports
The report types available in each category are described below.
Note: When you upgrade to DeviceLock version 7.0, the previously generated reports are automatically updated with the new name. The name of the Allowed & Denied access requests per device type reports changes to Allowed & Denied access requests per channel. The name of the Allowed vs Denied device access reports changes to Allowed vs Denied access requests. The name of the Copied files per device type reports changes to Copied files per channel.

Audit Log Reports
Audit Log reports are reports that use the DeviceLock Enterprise Server audit log files as a data source. The following table provides summary information on the report types available in this category. Report types: Allowed & Denied access requests per channel; Allowed vs Denied access requests.
Report type: Allowed & Denied access requests per channel
Description: This report shows the number of allowed and denied access requests per data transmission channel (devices and/or protocols). The report consists of three sections
325. The DeviceLock Content Security Server dialog box appears.
4. In the DeviceLock Content Security Server dialog box, do the following:
To install the private key of DeviceLock Certificate: 1. Next to the Certificate Name box, click the ellipsis button to open the Select the DeviceLock Certificate file dialog box and browse for the file to use. 2. In the Select the DeviceLock Certificate file dialog box, in the Look in list, click the location that contains the certificate file. 3. In the folder list, locate and open the folder that contains the certificate file. 4. Click the file, and then click Open. The certificate name now appears in the Certificate Name box of the DeviceLock Content Security Server dialog box.
To remove the private key of DeviceLock Certificate: Next to the Certificate Name box, click Remove.
5. Click OK.

Task: Change the TCP port that is used to connect to DeviceLock Management Console
Over time, you might need to change the TCP port that DeviceLock Content Security Server uses to connect to DeviceLock Management Console.
To change the TCP port that is used to connect to DeviceLock Management Console:
1. In the console tree, expand DeviceLock Content Security Server.
2. Under DeviceLock Content Security Server, select Server Options. When you select Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, do
326. computer monitoring just stops (nothing is logged). If some error occurs at any step described above, then a record about that will be written to the monitoring log. If this error is not critical, computer monitoring may continue. If it is a critical error, then computer monitoring stops. Also, some very critical errors (such as no memory) can halt execution of the whole task.

Create/Modify Task
Each task contains its own set of computers, actions and configuration parameters.
[Screenshot: DeviceLock Management Console, Monitoring node (Critical Machines, Generic Computers) with the Create Task context menu.]
To create a new task, use Create Task from the context menu of the Monitoring item. To edit an existing task, select this task in the console tree and use Edit Task from the context menu. If you wish to delete the task permanently, select this task in the console tree and use Delete Task from the context menu.
[Screenshot: Edit Task dialog box: Active Computers (static list); Network discovery methods (Ping sweep, NetBIOS queries, TCP discovery ports); Advanced settings; Service Connection settings.]
327. [Screenshot: Setup dialog, device permissions page (Check devices you would like to set permissions to).]
Check the Create local groups if not existing flag to instruct Setup to create the special local user group Allow_Access_To_ for each device type (e.g. Allow_Access_To_Floppy for floppy drives) if these do not exist on the local computer. Setup assigns Read, Write, Format and Eject generic rights to members of the Administrators group and the SYSTEM account. Members of the Allow_Access_To_ group will have Read, Write and Eject generic rights.
Also, you can define Security Settings to exclude certain types of devices from the access check.
Check Access control for USB HID, Access control for USB printers, Access control for USB scanners and still image devices, Access control for USB Bluetooth adapters, Access control for USB storage devices or Access control for FireWire storage devices to allow DeviceLock Service to control security for Human Interface Devices (mouse, keyboard, etc.), printers, scanners and still image devices, Bluetooth adapters, or storage devices (such as flash drives) plugged into the USB and FireWire port. To allow access control for USB and FireWire network cards, check Access control for USB and FireWire network cards. Otherwise, even if ports (USB and/or FireWire) are locked, these devices continue to function as usual. To allow access control for serial modems (internal and/or external), che
328. operations for specified content. Delete and write operations are controlled together.
Content Aware Rules allow you to do the following:
- Grant read/write access to specified file content when access is denied at the device type level.
- Deny read/write access to specified file content when access is granted at the device type level.
Note: DeviceLock can check access to devices at two levels: the interface (port) level and the type level. Some devices are checked at both levels, while others only at one level, either interface (port) or type. For example, a USB flash drive belongs to both levels: interface (USB) and type (Removable). Content Aware Rules work only when access checking occurs at the type level (Removable, Floppy, etc.). DeviceLock does not perform the access check for USB devices at the type level if the following conditions are true: the device is not added to the USB Devices White List, Access control for USB storage devices is enabled in Security Settings, and the user has no access to the USB port device type; OR the device is added to the USB Devices White List and the Control As Type check box is cleared for it.
The following table provides summary information on access rights that can be specified in Content Aware Rules.
Access right: Generic Read
Description: Controls whether the user can read specified content from a device. Applies to the DVD/CD-ROM
329. erprise Server uses all selected discovery methods in their given order until the status "available" is returned for the target computer. If none of the selected methods returns the "available" status, then the target computer receives the "unavailable" status. Three types of the network scan are supported: Ping sweep: DeviceLock Enterprise Server sends a regular ICMP ping to the target computer and then waits for its reply. NetBIOS queries: if the Client for Microsoft Networks is installed on the target computer, then this computer will answer the NetBIOS-type query sent by DeviceLock Enterprise Server. TCP discovery ports: DeviceLock Enterprise Server checks for a particular open TCP port on the target computer. Using the comma or semicolon as a separator, you can specify several ports, so they will be checked one by one in their given order. Note: A firewall running on a target computer can block the sending of some or all network packets, so such a computer will be detected as "unavailable" even if it is switched on and working. To define additional parameters for discovery methods, click the Advanced settings button and open the Network Discovery Settings dialog box. [screenshot: Network Discovery Settings dialog box] Number of retries: the number of times that DeviceLock Enterprise Server will perform each type of scan when it returns the "unavailable" statu
330. erprise Servers or all of the specified DeviceLock Enterprise Servers become unavailable at the same time. Best Practice: The most reliable way to secure client-server communication is to use DeviceLock Certificate authentication. For client-server certificate authentication, the public key must be installed on client computers, while the private key must be installed on DeviceLock Enterprise Server(s). If the certificate (the private key) is installed only on DeviceLock Enterprise Server, the server will reject connections and client computers will work in offline mode. If the certificate (the public key) is installed only on client computers, the server and the client will authenticate each other once a connection is established, though this type of authentication is less secure than certificate-based authentication. For detailed information on DeviceLock Certificates, see DeviceLock Certificates. Indicates that the connection state of a client computer is determined by whether or not it can connect to the appropriate Active Directory domain controller (a domain controller of the domain to which the client computer belongs). Thus, a client computer works in online mode if it can connect to the appropriate domain controller. A client computer works in offline mode if the appropriate domain controller becomes unavailable. A client computer that is not joined to a domain (a workgroup or stand-alone computer) always works in offline mode.
331. ervice. Log on as: First of all, you should choose an account under which the DeviceLock Content Security Server service will start. As with many other Windows services, the DeviceLock Content Security Server service can start under the special local system account (the SYSTEM user) and on behalf of any user. To start the service under the SYSTEM user, select the Local System account option. Keep in mind that the process working under the SYSTEM user cannot access shared network resources and authenticates on remote computers as an anonymous user. Therefore, DeviceLock Content Security Server configured to run under the SYSTEM user is not able to access DeviceLock Enterprise Server running on the remote computer, and it must use DeviceLock Certificate for authentication on it. For more information about authentication methods, please read the description of the Certificate Name parameter. To start the service on behalf of the user, select the This account option, enter the user's account name and the password. It is recommended to use a user account that has administrative privileges on all the computers where DeviceLock Enterprise Server is running. Otherwise, you will need to use DeviceLock Certificate authentication. If you are installing DeviceLock Content Security Server in the domain environment, we recommend that you use a user account that is a member of the Domain Admins group. Since Domain Admins is a member of
332. es simultaneously and select Set Auditing & Shadowing from the context menu available by the right mouse click. Alternatively, you can press the appropriate button on the toolbar. [screenshot: Auditing & Shadowing dialog box] There are two types of user access that can be logged to the audit log: Allowed: all access attempts that were permitted by DeviceLock Service, that is, the user was able to access a device. Denied: all access attempts that were blocked by DeviceLock Service, that is, the user was not able to access a device. To enable logging to the audit log for one or both of these access types, check Audit Allowed and/or Audit Denied. These flags are not linked to users/groups; they are related to a whole device type. The names of the users and user groups assigned to a device type are shown in the list of accounts on the top left-hand side of the Auditing & Shadowing dialog box. To add a new user or user group to the list of accounts, click Add. You can add several accounts simultaneously. To delete a record from the list of accounts, use the Delete button. Usin
333. ests: Enables audit logging of user attempts to submit Web form data to a Web site. The POST Request action and the URL of the script that sent the POST request are written to the log. Audit Outgoing Files: Enables audit logging of user attempts to upload a file to a Web site. The Outgoing File action, the absolute path and complete name of the file (for example, http://domain/path/myfile.doc), the IP address with the port number and the name of the host are written to the log. Shadowing Incoming Data: Enables shadow copying of web pages and objects on web pages (scripts, Flash files up to 1.5 MB in size, images up to 512 KB in size, text up to 200 KB in size, etc.). Shadow copies of web pages and their constituent components are written to the log. Shadowing Incoming Files: Enables shadow copying of files downloaded from a Web site. Shadow copies of downloaded files are written to the log. Shadowing Outgoing Data: This right has no impact on shadow copying. Shadowing POST Requests: Enables shadow copying of data entered into Web forms. Shadow copies of data entered into Web forms are written to the log. Shadowing Outgoing Files: Enables shadow copying of files uploaded to a Web site. Shadow copies of uploaded files are written to the log. Audit Connection: Enables audit logging of user attempts to connect to the
334. eter affects only users that are trying to import DeviceLock Service settings via the DeviceLock applet from the Windows Control Panel. When an XML file with settings is loaded using Load Service Settings from the context menu in DeviceLock Management Console or DeviceLock Group Policy Manager, the expiration information (if any) is ignored. 5. Decide whether the resultant file can be used only on specific computers or not. If you want to allow users to import settings from this file on any computers, disable the Only for computer(s) flag. If you enable the Only for computer(s) flag and specify the computer name, then users will be able to import settings from this file only on this specified computer. Using the semicolon as a separator, you can specify several computer names, such that the resultant file can be used on any of these computers. Note: You can't use the computer's IP address in this parameter. You must specify the computer name exactly as it is displayed in the System applet from the Windows Control Panel. You can also load a predefined list of computers from an external text file. To open an external file, press the button. This text file must contain each computer's name on a separate line. Please note that this parameter affects only users that are trying to import DeviceLock Service settings via the DeviceLock applet from the Windows Control Panel. When an XML file with settings is loaded using Load Service Set
335. ettings. USB Devices White List (Regular Profile): The devices white list allows you to authorize only specific devices that will not be locked regardless of any other settings. The intention is to allow special devices but lock all other devices. [screenshot: DeviceLock Management Console, USB Devices White List context menu] Devices in the white list can be defined individually for every user and group. For more information on how the devices white list works, please read the Managed Access Control section of this manual. Note: Audit is not performed for users' attempts to access a whitelisted device, while users' attempts to insert or remove a whitelisted device are audited. There are two ways to identify devices in the white list: Device Model: represents all devices of the same model. Each device is identified by a combination of Vendor Id (VID) and Product Id (PID). This combination of VID and PID describes a unique device model, but not a unique device unit. It means that all devices belonging to the certain model of the certain vendor will be
336. eviceLock Service randomly selects a server from the list. This parameter has an effect only if there is more than one server specified in the DeviceLock Enterprise Server(s) parameter. Traffic priority: DeviceLock supports traffic shaping, allowing you to define bandwidth limits for sending audit and shadow logs from DeviceLock Service to DeviceLock Enterprise Server. [screenshot: Traffic Priority dialog box] You can set three types of traffic priority: high, medium and low. When High is selected, it means that 100% of bandwidth can be used. To allow use of only up to 50% of bandwidth, select Medium. Select Low to allow use of just up to 10% of bandwidth. Please note that medium and low priorities have an effect only if the Quality of Service Packet Scheduler (QoS Packet Scheduler) component is installed on a computer running DeviceLock Service. Otherwise, the Traffic priority parameter is disabled and 100% of bandwidth is used. For more information on QoS, please refer to Microsoft's on-line article. Always show tray icon: Use this option to enable or disable the display of the DeviceLock Tray Notification Utility icon in the notification area of the taskbar on client computers. End users working on client computers can refresh the connection state (online or offline) of DeviceLock Service. To do so, they need to right-click the DeviceLock Tray Notification Utility ic
337. ey are denied access, they receive a Protocols blocked message if Protocols blocked message is enabled in Service Options. For detailed information on this message, see Protocols blocked message in Service Options. Content-Aware Rules for Shadow Copy Operations: Before you can use Content-Aware Rules for shadow copy operations, you must turn on Shadowing in Auditing and Shadowing at the protocol level. Content-Aware Rules that apply to shadow copy operations filter the shadow copies of data and files transmitted by the user. The following table provides summary information on shadowing rights that can be specified for each protocol in Content-Aware Rules. PROTOCOL / SHADOWING RIGHTS / DESCRIPTION. FTP: Generic Incoming Files: Controls whether or not files with specified content downloaded from an FTP server are shadow copied. Generic Outgoing Files: Controls whether or not files with specified content uploaded to an FTP server are shadow copied. SSL Incoming Files: Controls whether or not files with specified content downloaded from an FTP server using FTPS are shadow copied. SSL Outgoing Files: Controls whether or not files with specified content uploaded to an FTP server using FTPS are shadow copied. HTTP: Generic Incoming Files: Controls whether or not files with specified content downloaded from a Web server are shadow copied. Generic POST Requests: Controls whether or not Web form data with specified content submitted
338. ey while clicking them. 7. In the right pane of the Protocols White List dialog box, under Rules, click Add. The Add Rule dialog box appears. [screenshot: Add Rule dialog box] 8. In the Add Rule dialog box, specify general and protocol-specific parameters for this rule. To specify general parameters, do the following: To specify the protocol, in the Protocol list, click the protocol of your choice. To specify the rule name, in the Description box, type a name. To specify protocol-specific parameters, do the following: To specify the hosts, in the Hosts box, type host names or IP addresses separated by a comma or semicolon. For more information on how to specify hosts, see the description of the Hosts parameter earlier in this section. To specify the ports, in the Ports box, type port numbers separated by a comma or semicolon. For more information on how to specify ports, see the description of the Ports parameter earlier in this section. To configure the SSL options, under SSL, click any of the following: Allowed (allows SSL connections), Denied (disallows SSL connections) or Required (requires that all connections use SSL). To specify the IM local sender ID(s), in the Local sender ID(s) box, type user identifiers separated by a comma or semicolon. For more information on how to specify user identifiers, see the description of the Local sender ID(s) parameter earlier in this section. To
339. f a client computer is determined by connectivity: whether or not the network cable is connected to the Network Interface Card (NIC). This is the simplest and least secure method of detecting the connection state. Thus, a client computer works in online mode if the network cable is connected to the NIC. A client computer works in offline mode if the network cable is disconnected from the NIC. Please note that wireless network connections (Wi-Fi, etc.) and modem connections are ignored. This option is selected by default. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies (Offline Profile). DeviceLock Administrators: This parameter allows you to define the list of user accounts with administrative access rights to DeviceLock Service. [screenshot: DeviceLock Management Console, DeviceLock Administrators context menu] Use the context menu available by a right mouse click on the DeviceLock Administrators item to open the configuration dialog box. [screenshot: DeviceLock Administrators dialog box]
340. f users are allowed to access Gmail but disallowed to use HTTP, they nevertheless can access the service. Access checking can occur at two levels: the protocol level and the data content level. All network connections (except for Telnet connections) are checked at both levels. Consider the case of a user connecting to a social networking site. Here DeviceLock would first check whether Social Networks are open or locked at the protocol level. Next, DeviceLock will also check permissions at the data content level (Content-Aware Rules). [diagram: access-check flowchart for a Social Networks connection: Is Resource in Protocols White List for User? Is User in Social Networks permissions list (DACL)? Is User allowed to access this data content in Content-Aware Rules? Is User denied to access this data content in Content-Aware Rules? Result: Access Denied or Access Allowed] Also, DeviceLock supports the white listing of protocols. With the Protocols White List, you can turn off access control for connections with specific parameters (for example, HTTP connections to specific hosts and ports). Understanding DeviceLock Content Security Server: DeviceLock Content Security Server is a new optional component of DeviceLock. It includes Search Server, which provides full-text searching of logged data stored on DeviceLock
341. ff the default security by unchecking the Enable Default Security flag. Then you need to specify authorized accounts (users and/or groups) that can connect to DeviceLock Enterprise Server. To add a new user or user group to the list of accounts, click on the Add button. You can add several accounts simultaneously. To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift, you can highlight and remove several records simultaneously. To define which actions are to be allowed for a user or user group, set the appropriate rights: Full access: to enable full access to DeviceLock Enterprise Server. Users can change settings and run reports. Change: to enable change access to DeviceLock Enterprise Server. Users can change settings, install/uninstall DeviceLock Enterprise Server and run reports, but they can't add new users to the list of authorized accounts that can connect to DeviceLock Enterprise Server or change access rights for existing users in this list. Read-only: to enable only read access to DeviceLock Enterprise Server. Users can run reports and view settings, but can't modify anything. Note: We strongly recommend that accounts included in this list have local administrator privileges, because in some instances installing, updating and uninstalling DeviceLock Enterprise Server's service may require access rights to Windows Service Control Manager (SCM) and shared netwo
342. ffline; OR Select White List and then click Save Offline on the toolbar; OR Expand White List, right-click any user or group specified in the white list and then click Save Offline; OR Expand White List, select any user or group specified in the white list, in the details pane right-click the white list rule and then click Save; OR Expand White List, select any user or group specified in the white list and then click Save Offline on the toolbar; OR Right-click White List and then click Manage Offline. In the right pane of the Protocols White List (Offline) dialog box, under Rules, click Save. The Save As dialog box appears. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .pwl file. In the File name box, type the file name you want. Click Save. When you export the offline Protocols White List, it is saved in a file with a .pwl extension. To import the offline Protocols White List: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you us
343. ffline Audit and Shadowing Rules. To define and edit offline audit and shadowing rules: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Protocols. Under Protocols, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view protocols for which you can define audit and shadowing rules. In the details pane you can also view the current state of offline rules for each protocol in the Offline column. In the details pane, do one of the following: Right-click the protocol for which you want to define or edit rules and then click Set Offline Auditing & Shadowing; OR Select the protocol for which you want to define or edit rules and then click Set Offline Auditing & Shadowing on the toolbar. The Auditing & Shadowing (Offline) dialog box appears. [screenshot: Auditing & Shadowing (Offline) dialog box]
344. field is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon. Server: the text that matches a value in the Monitoring Log Viewer's Server column. This field is not case sensitive and you may use wildcards. You can enter multiple values separated by a semicolon. Event ID: the number that matches a value in the Monitoring Log Viewer's Event column. You can enter multiple values separated by a semicolon. From: specifies the beginning of the interval of events that you want to filter. Select First Event to see events starting with the first event recorded in the log. Select Events On to see events that occurred starting with a specific time and date. To: specifies the end of the range of events that you want to filter. Select Last Event to see events ending with the last event recorded in the log. Select Events On to see events that occurred ending with a specific time and date. Managing and Using DeviceLock Content Security Server. Navigating DeviceLock Content Security Server: Before addressing the functionality of DeviceLock Content Security Server, you need to examine how to perform basic navigation. Use the DeviceLock Content Security Server node in DeviceLock Management Console to configure and use DeviceLock Content Security Server. [screenshot: DeviceLock Management Console, DeviceLock Content Security Server node]
345. file. [screenshot: Content-Aware Rules dialog box] 4. In the upper pane of the Content-Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Keywords. The Add Keywords Group dialog box appears. [screenshot: Add Keywords Group dialog box] 5. In the Add Keywords Group dialog box, do the following (USE THIS / TO DO THIS): Name: Specify the name of the group. Description: Specify a description for the group. (The remaining rows of the table are Condition, Threshold, Keywords, Case Sensitive, Whole Word and Weight.) Condition: Specify conditions for firing rules associated with this content group. To do so, in the Condition list, click any of the following options: Match any keyword(s): indicates that a rule associated with this content group is activated every time any of the specified keywords is found within text data. Match all keyword(s): indicates that a rule associated with this content group is activated every time all of the specified keywords are found within text data. Only when combined score exceeds or equal to threshold: indicates that a rule associated with this content group is activated every time the total number (sum) of occurrences of all found keywords within
346. fined periods (5, 15, 30, 60 minutes; 5 hours; 1 or 2 days; 1 or 2 weeks; 1 month), until the device is unplugged, or until the user is logged off. When you select a fixed time period (e.g., 10 minutes), the user is granted access to the requested device for only this period. As soon as the allowed time expires, access to the device is denied again. It doesn't matter what the user is doing with this device; even if he/she is still copying files onto the USB disk or printing a document on the USB printer, all operations will be aborted. To allow the user to use a requested device without any time limitations, select until unplug in Allowed Period. The user is then granted access to the device while it is plugged into the port. As soon as the user unplugs this device, access to it is denied again. 4. Press the Generate button to create an Unlock Code. Provide this code to the user over the phone or in any other suitable way. The process of generating an Unlock Code can be a time-consuming operation. It depends on your computer's processing speed and could take as long as several seconds. Service Settings: To avoid unauthorized modification, you can sign an XML file containing DeviceLock Service settings exported from DeviceLock Management Console or DeviceLock Group Policy Manager, or created using DeviceLock Service Settings Editor. Later this file can be sent to users whose computers are not online and thus o
347. fline on the toolbar; OR Expand Media White List, right-click any user or group specified in the white list and then click Load Offline; OR Expand Media White List and then select any user or group specified in the white list. In the details pane, right-click the white listed device and then click Load; OR Right-click Media White List and then click Manage Offline. In the lower right pane of the Media White List (Offline) dialog box, under Media, click Load. The Open dialog box appears. In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file and then click Open. Undefining Offline Media White List: You can return the previously defined offline white list to the unconfigured state. If the offline white list is undefined, the regular white list is applied to offline client computers. To undefine the offline Media White List: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a
348. formation can also be displayed as a plain list. To change the mode, point to View Mode on the View menu and click either Tree or List. [screenshot: DeviceLock Enterprise Manager View menu: View Mode, Toolbar, Status Bar, Log Window, Select Columns, Filter, Enable Grid] Please note that View Mode must be set for each plug-in individually. You can hide the status bar and/or the log window by deselecting appropriate items on the View menu. To enable the gridlines around items in the plug-in's window, click Enable Grid on the View menu. This mode is set for each plug-in individually. To sort data in any plug-in's window, click the column heading you want to sort by. To reverse the sort order, click the column heading a second time. If you need to sort the top-level tree's items (such as domains and computers), use appropriate buttons on the Main toolbar. There is a log window at the bottom of the main window. The log window is used to display useful information about ongoing activity as well as diagnostic and error messages. There are two log lists: Information and Warnings/Errors. [screenshot: log window context menu: Save As, Keep Last Message in View, Set Message Count, Disable Log] You can click the right mouse button on the log window to open the useful context menu. Scan Network Dialog Box: The Scan Network dialog box allows you to select computers on you
349. from the following options: Anyone who uses this computer (all users): Creates desktop shortcuts to DeviceLock management consoles for all users. Only for me: Creates desktop shortcuts to DeviceLock management consoles only for the account that is installing DeviceLock. [screenshot: DeviceLock Setup, Customer Information page] On the Setup type page, select the required setup type. You have the following two choices: either install both DeviceLock Enterprise Server and DeviceLock management consoles using the Server + Consoles option, or install only DeviceLock Enterprise Server using the Custom option and selecting the DeviceLock Enterprise Server component. [screenshot: DeviceLock Setup, Setup Type page and Custom Setup feature selection]
350. g CTRL and/or SHIFT, you can select and remove several records simultaneously. Use the Set Default button to set default audit and shadowing rules for devices: members of the Users group and the Everyone account have Read and Write audit rights, and shadowing is disabled for them. Using special time control, you can define a time when the audit rule for the selected user or user group will or will not be active. Time control appears at the top right side of the Auditing & Shadowing dialog box. Use the left mouse button and select the time when the rule is active (audit time). To select a time when the rule is not active (non-audit time), use the right mouse button. Also, you can use the keyboard to set times: arrow keys for navigation and the spacebar to toggle audit/non-audit time. To define which user's actions on devices are to be logged to either the audit or shadow log, set the appropriate audit rights. All rights are divided into two groups: Audit and Shadowing. Each group has its own set of rights. Audit: rights that belong to this group are responsible for actions logged into the audit log. Read: to log the read access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel port, Serial port, USB port and WiFi device types, you can enable this right only if Write is selected in the Audit group. Write: to log the write access attempts. For BlackBerry, Bluetooth, FireWire port, Infrared port, Parallel po
351. g field values that are identical to the defined value (for example, PID = 3764). Greater than (>): selects data having field values that are greater than the defined value (for example, PID > 4). Less than (<): selects data having field values that are less than the defined value (for example, PID < 4). Not Equal to: selects data having field values that are different from the defined value (for example, PID ≠ 0). Between (in): selects data having field values that are between the two defined values (for example, PID in 3000 4000). Not Between (out): selects data having field values that are outside of the two defined values (for example, PID out 3000 4000). Regular expression: selects only data having field values matching an expression. The expression may contain wildcards (for example, 300). If you do not want to perform a logical operation for a field, select Not defined from the list of logical operations. Value columns contain user-defined arguments. The second Value column is used only when the Between (in) or Not Between (out) logical operation is selected. For all other logical operations, only the first Value column is needed. After you define a filtering expression, press the Apply button to start the filtering process. You can save a filtered result in an external ANM file or export it to a text file (TXT and CSV) or MS Excel: select Save As from the File menu or press the ap
g-ins list in the Scan Network dialog box (see Selecting Plug-ins).

Report PnP Devices Settings:
• Report Connected Devices Only: select this check box to report only those devices that are currently connected to the computer. Otherwise, you will see all devices that were ever connected to the computer.
• Report FireWire Devices: select this check box to report devices that are plugged into the FireWire port.
• Report PCMCIA Devices: select this check box to report devices that are plugged into the PCMCIA slot.
• Report USB Devices: select this check box to report devices that are plugged into the USB port.

Set Service Settings

The Set Service Settings plug-in reads the policy settings (permissions, audit and shadowing rules) from the external XML file and deploys them to DeviceLock Services across the network.

Note: Only settings that are explicitly defined in a policy file apply to client computers. All policy settings that have the Not Configured state are ignored by client computers.

Before you can use this plug-in, you should define the settings, permissions and/or audit rules that you want to deploy. You can do this by clicking the Settings button below the plug-ins list in the Scan Network dialog box (see Selecting Plug-ins).
gin There are two simple steps for the user to import DeviceLock Service settings from the signed file:

1. In the Signed file field, specify the full path to this signed file. Use the button to select the file.
2. Press the Finish button. If the digital signature in the file is valid, then the new settings will be applied to DeviceLock Service immediately and the "File has been successfully loaded" message is displayed.

The user can also load the signed file with DeviceLock Service settings using the command line:

DLTempdAccess.cpl -s <path to signed file>

where <path to signed file> is the path to the signed file with DeviceLock Service settings. For example:

DLTempdAccess.cpl -s "C:\Program Files\DeviceLock\settings_signed.dls"

All successful attempts to load settings are logged if logging of changes is enabled in the Service Options.

DeviceLock Management Console

Overview

DeviceLock Management Console is a snap-in for Microsoft Management Console (MMC). Using DeviceLock Management Console you can view and change permissions and audit rules, install and update DeviceLock Service, as well as view audit records for indi
group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Keywords Content Groups

Keywords groups are used to control access to files based on whether certain words or phrases occur in a document. By defining rules based on Keywords groups you can, for example, allow read access to all documents containing the phrases "Top Secret" and "For Official Use Only" from Removable, Floppy and DVD/CD-ROM devices, but deny write access to Removable and Floppy devices for these documents. You can also specify that only documents containing the phrases "Top Secret" and "For Official Use Only" will be shadow copied.

DeviceLock includes 157 predefined (built-in) Keywords groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create their editable copies (duplicates), or create your own content groups to suit your particular organization's needs. The following table lists these predefined content groups.

BUILT-IN KEYWORDS GROUPS: Accounting Documentation Terms, Accounting Documentation Types, Acquisition, Active substance, Admission/Discharge, Adult Keywords, American Address, American Name, Bank ABA, Bank ACNT, Bank STMT, Board Meeting, Breach of Obligation, Breach of Standards, Breac
4. In the upper pane of the USB Devices White List (Offline) dialog box, under USB Devices Database, click USB Devices Database. The USB Devices Database dialog box appears.

In the upper pane of the USB Devices Database dialog box, under Available USB Devices, you can view the devices that are currently plugged in. To view all devices ever plugged into USB ports on the computer, click Show all devices. To view available devices on a remote computer, click Remote Computer. The Remote Computer button is unavailable when the management console is connected to the local computer.

5. In the upper pane of the USB Devices Database dialog box, under Available USB Devices, select the device you want to add to the USB Devices White List and then click Add. The device that you added is displayed under USB Devices Database in the lower pane of the dialog box.

Note: You can add a device to the USB Devices White List only after you add this device to the USB Devices Database. The same USB Devices Database is used for both the regular and offline USB Devices White List.

To delete a device from the USB Devices Database, in the lower pane of the USB Devices Database dialog box, under USB Devices Database, do one of the following:
h of the Law, Business Documentation, Business Documentation Terms, Business Documentation Types, Business Rivals, Business Trips & Meetings, C Source Code, C C Source Code, Cellular Operator Call Log, COBOL Source Code, Common Disease, Common Medical Terms, Company Development, Compensation and Benefits, Compliance Report, Confidential, Confidential Partners Information, Credit Report, Credits, Discontent, Discrediting Information, Driver's License, Employer Identification Number, Ethnicity, Executive Job Searches, Production Charges, Profanity, Profiles, Profit/Loss, Project Names, Project Release Dates, Property, Racism Keywords, Resume, Russian Account Statement, Russian Accounting Documentation, Russian Accounting Documentation Terms, Russian Accounting Documentation Types, Russian Bank Account, Russian Bank Operations, Russian Banking Operations Participants, Russian Breach of Commitment, Russian Breach of Law, Russian Business Documentation, Russian Business Documentation Terms, Russian Business Documentation Types, Russian Business Partners, Russian Business Trips & Meetings, Russian Company Development Plan, Russian Compensation and Benefits, Russian Confidential Information, Russian Corporate Capital, Russian Corporate Property, Russian Expenses, Russian Failures, Russian Financial Information, Russian
has DeviceLock Service.

DeviceLock ships with three different management consoles: DeviceLock Management Console (the MMC snap-in), DeviceLock Enterprise Manager, and DeviceLock Group Policy Manager (integrates into the Windows Group Policy Editor). DeviceLock Management Console is also used to manage DeviceLock Enterprise Server and DeviceLock Content Security Server.

[Figure: DeviceLock management consoles. DeviceLock Management Console (MMC snap-in) and DeviceLock Enterprise Manager reach DeviceLock Service over the network by Remote Procedure Call (RPC); DeviceLock Group Policy Manager (Windows GPO Editor) delivers policy through the Active Directory Domain Controller.]

Managed Access Control for Devices and Protocols

Access control for devices works in the following way. Every time the user wants to access a device, DeviceLock intercepts this request at the kernel level of the OS. Depending on the device's type and the connection interface (e.g. USB), DeviceLock checks the user rights in the appropriate Access Control List (ACL). If the user does not have the right to access this device, an "access denied" error is returned.

Access checking can occur at three levels: the interface (port) level, the type level and the file content level. Some devices are checked at all three levels, while others only at one level.
has the following effects: storage devices (such as flash drives, floppies, hard disks, DVD/CD-ROMs, etc.) can be read but not written to; non-storage devices (such as printers, scanners, etc.) cannot be accessed.
• Format: to enable the formatting, checking and any other direct access of drives. You can enable this right only if Read is selected in the Generic group. Applies only to the FireWire port, Floppy, Hard disk, Removable and USB port device types. When this right is enabled for USB and FireWire ports, it affects only storage devices plugged into these ports.
• Eject: to enable ejection of the media. You can enable this right only if Read is selected in the Generic group. This right controls only ejection via software. Hardware ejection using the eject button on a device's front panel cannot be prevented. Applies only to the DVD/CD-ROM, FireWire port, Floppy, Removable and USB port device types. When this right is enabled for USB and FireWire ports, it affects only storage devices plugged into these ports.
• Execute: to enable remote code execution on the device's side. Applies only to the Windows Mobile device type.
• Print: to enable document printing. Applies only to the Printer device type.
• Copy to clipboard: to enable data pasting from the clipboard. Applies only to the Clipboard device type. This right automatically grants full access to the clipboard.
• Encrypted: encrypted rights only apply to devices that are recognized by DeviceLoc
he available options are:
• Permissions: Specifies that the rule will apply to access control operations.
• Shadowing: Specifies that the rule will apply to shadow copy operations.
• Permissions, Shadowing: Specifies that the rule will apply to both access control and shadow copy operations.

Under Device Type(s), select the appropriate device type(s) you would like this rule to be applied to. Content-Aware Rules can be applied to the DVD/CD-ROM, Floppy, iPhone, Palm, Removable and Windows Mobile device types. If you select several device types that have different access rights, under Action(s) the dialog box displays only those access rights that are common to all selected device types.

11. Under Action(s), specify which user actions are allowed or disallowed on files and which user actions are logged to the shadow log. You can select any of the following options: Read, Write, Read and Write. If the rule applies to shadow copy operations or to both access control and shadow copy operations, the Read option becomes unavailable. For detailed information on user rights that can be specified in Content-Aware Rules, see Content-Aware Rules for Access Control Operations and Content-Aware Rules for Shadow Copy Operations.
12. Click OK. The rule you created is displayed under Rules in the lower right pane of the Content-Aware Rules dialog box.
13. Click OK.
he installation process. For more information on this, see Unattended Installation and Remote Installation via DeviceLock Enterprise Manager. If you need to change the port configuration when DeviceLock Service is already installed, use the Install service plug-in. For information on which ports are required for which actions, see Plug-ins.

Selecting Plug-ins

The second step is to select a plug-in to process the network computers selected in the first step. To select/deselect plug-ins, you can use the context menu available with a right mouse click.

[Plug-ins list: Install service, Report Permissions/Auditing, Report PnP Devices, Set Service Settings, Shadow Log Viewer, Uninstall service]

To define parameters for the selected plug-in, use the Settings button below the plug-ins list. If the plug-in does not have additional parameters, this button is unavailable.

Tasks are passed to the plug-in by DeviceLock Enterprise Manager. The plug-in performs the task and returns the information to DeviceLock Enterprise Manager. Upon receipt of a plug-in's information, DeviceLock Enterprise Manager displays it in a separate window.

Starting a Scan

Once you have selected computers and the appropriate plug-in, the final step is starting the scan process. Click Scan to initiate the process. Right after the scan process is initiated, you can start to explore the information
he Indexing Interval box, type or select the number of minutes for the indexing interval.
5. Click OK.

Task: Configure a schedule for merge operations

Merge operations are used to combine temporary indexes into a permanent master index that is used for search queries. You can schedule the merging process to start at a predetermined interval. The schedule is configured based on the merge interval. The merge interval determines how often (in minutes) Search Server combines temporary indexes into a permanent master index, or in other words, updates the master index with new data during an indexing operation. By default, the merge is performed every 10 minutes. The range of values that you can specify is 1 to 1,000,000.

When specifying the merge interval, consider the following:
• A small merge interval will result in faster updates of the master index.
• You cannot perform full-text searches while merging is in progress.

To configure a schedule for merge operations:
1. In the console tree, expand DeviceLock Content Security Server and then expand Server Options.
2. Under Server Options, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click Merge Interval, or right-click Merge Interval and then click Properties. The Merge Interval dialog box appears.
he dialog box, under User's Rights, select or clear the Allow check box next to the appropriate audit and shadowing rights.

In the upper left pane of the dialog box, under Users, select the user or group and then click Delete or press the DELETE key. When you remove a user or group, any rules for that user or group will also be removed.

6. Click OK or Apply.

Undefining Offline Audit and Shadowing Rules

You can return previously defined offline audit and shadowing rules to the unconfigured state. If offline rules are undefined, regular rules are applied to offline client computers.

To undefine offline audit and shadowing rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view protocols for which you can define audit an
he hosts can be accessed through all available ports.

An application with an embedded SSL certificate (for example, Microsoft Office Communicator, Dropbox, iTunes, the Google contacts synchronization module, etc.) will fail to connect to its server when the NetworkLock module is active. The NetworkLock module becomes active when you define settings for protocols. To solve this issue, add the server host to the white list for SSL. You can use TcpView to look up the server host. Whitelisting a server host causes all SSL traffic between an application and the specified server host to bypass access control, audit, shadow copying and content filtering.

Applies to the FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, SMTP, SSL, Telnet, Windows Messenger and Yahoo Messenger protocols.

Ports: Specifies the port or ports to open for this rule. If this list is specified, these ports will not be blocked. You can specify either a single port or an inclusive range of ports separated by a dash. For example, to open port 25, specify 25. To open ports 5000 to 5020 inclusive, specify 5000-5020. Multiple ports or port ranges must be separated by a comma or semicolon, for example 25, 36, 8080, 5000-5020. You can also press ENTER after each entry.

Note: If you specify ports and do not specify hosts, users can access all hosts available through the specified ports.

Applies to the FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, SMTP and Web Mail protocols.
he specified user/group. In effect, this designates the media as authorized and allows it read access for this user/group at the type (DVD/CD-ROM) level.

Note: You can define different online vs. offline Media White Lists for the same user or sets of users. The online Media White List (Regular Profile) applies to client computers that are working online. The offline Media White List (Offline Profile) applies to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies (Offline Profile). For information about how to define the offline Media White List, see Managing Offline Media White List.

To define the online (regular) media white list, select Manage from the context menu available with a right mouse click. Alternatively, you can press the appropriate button on the toolbar.

In the Media Database list at the top of the dialog box, you can see all media that were added to the database. Once media are added from the database to the white list of a certain user, they become authorized media for which access control i
he user interface of DeviceLock Management Console, Service Settings Editor and DeviceLock Group Policy Manager by the Protocols node.

[Console tree: Service Options, Devices, Protocols]

NetworkLock includes the following key features and benefits:
• Protocol access control: You can control which users or groups can gain access to the FTP, HTTP, SMTP and Telnet protocols, instant messengers (ICQ/AOL Instant Messenger, Windows Live Messenger and Windows Messenger, Jabber, IRC, Yahoo Messenger, Mail.ru Agent), as well as webmail and social networking applications (AOL Mail, Gmail, GMX Mail, Hotmail, Mail.ru, Rambler Mail, Web.de, Yahoo Mail, Yandex Mail, Facebook, Google, LinkedIn, LiveJournal, MeinVZ, Myspace, Odnoklassniki, SchuelerVZ, StudiVZ, Tumblr, Twitter, Vkontakte, XING), depending on the time of day and day of the week.
• Protocols White List: Lets you selectively allow network communication over specified protocols regardless of existing protocol blocking settings. The white list is most effective in least-privilege scenarios, when you block all protocol traffic and then specifically authorize only what is required for employees to perform their daily job duties.
• Content-Aware Rules (File Type Detection): You can selectively allow or deny access to specific types of files transmitted over the network. Recognition and identification of file types is based solely upon the content of files. This efficient
hen you select Media White List in the console tree, in the details pane the following message is displayed: "Offline Media White List is configured to use Regular Media White List." The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Content-Aware Rules for Devices

For a detailed description of the Content-Aware Rules feature for devices, see Content-Aware Rules for Devices (Regular Profile).

The offline Content-Aware Rules can have one of the following states:

STATE / DESCRIPTION
• Not Configured: Indicates that Content-Aware Rules are not defined. The following message is displayed: "Offline Content Aware Rules are not configured." This is the default state.
• Configured: Indicates that Content-Aware Rules are defined.
• Use Regular: Indicates that the inheritance of offline Content-Aware Rules is blocked and regular Content-Aware Rules are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of regular Content-Aware Rules is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular Content-Aware Rules lets you prevent offline Content-Aware Rules inherited from a higher leve
ht to connect to a Web server, send and receive protocol data (web pages and objects on web pages such as scripts, Flash files, JPEG, PNG and GIF images, etc.).
Generic: POST Requests. The right to submit Web form data to a Web server using HTTP.
Generic: Outgoing Files. The right to upload files to a Web server using HTTP.
SSL: Send/Receive Data. The right to connect to a Web server, send and receive protocol data (web pages and objects on web pages such as scripts, Flash files, JPEG, PNG and GIF images, etc.) using HTTPS.
SSL: POST Requests. The right to submit Web form data to a Web server using HTTPS.
SSL: Outgoing Files. The right to upload files to a Web server using HTTPS.

ICQ/AOL Messenger
Generic: Send/Receive Data. The right to connect to the ICQ and AOL Instant Messenger server and receive instant messages.
Generic: Outgoing Messages. The right to send instant messages. It does not control file transfers.
SSL: Send/Receive Data. The right to connect to the ICQ and AOL Instant Messenger server and receive instant messages using SSL.
SSL: Outgoing Messages. The right to send instant messages using SSL. It does not control file transfers.

IRC
Generic: Send/Receive Data. The right to connect to an IRC server and receive instant messages.
Generic: Outgoing Messages. The right to send instant messages. It doe
http://support.microsoft.com/default.aspx?scid=kb;en-us;203607

Policy can also be reapplied on demand. To refresh the current policy settings immediately on Windows XP and later, administrators can call the gpupdate.exe /force command-line utility provided by Microsoft. On Windows 2000, administrators can call another command-line utility provided by Microsoft: secedit /refreshpolicy machine_policy /enforce.

When applying policy, the system queries the directory service for a list of Group Policy Objects (GPOs) to process. Each GPO is linked to an Active Directory container to which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, the computer receives the policy settings of the last Active Directory container processed.

When processing the GPO, the system checks the access control list (ACL) associated with the GPO. If an access control entry (ACE) denies the computer access to the GPO, the system does not apply the policy settings specified by the GPO. If the ACE allows access to the GPO, the system applies the policy settings specified by the GPO.

Standard GPO Inheritance Rules

Any unconfigured settings anywhere in a GPO can be ignored, since they are not inherited down the tree; only configured settings are inherited. There are three possible scenarios:
• A parent has a value for a setting and a child does not.
• A parent has a value
iceLock Certificate (the private key), enters the Device Code, selects an appropriate temporary access period (5, 15, etc. minutes; until the device is unplugged; or until the user is logged off), generates an Unlock Code and relays this Unlock Code to the user.
5. Upon receipt of the Unlock Code, the user enters it into the Temporary White List Authorization Tool. Access to the requested device is then granted for the specified period.

Temporary White List Authorization Tool

The Temporary White List Authorization Tool is a part of the Windows Control Panel applet that users should use to obtain temporary access to devices. To run the Temporary White List Authorization Tool, the user should run the DeviceLock applet from the Control Panel and select the Temporary White List Authorization Tool option.

Note: On Windows XP and later, the user must switch the Control Panel to Classic View in order to view all available applets.
iceLock Content Security Server was configured using a fixed port, you should specify this port in square brackets next to the computer name, e.g. computer_name[port number]. To connect to the local computer, use the Local computer option. Press the OK button to connect to the selected computer.

Note: Make sure that the remote computer you've selected to connect to is accessible from the computer where DeviceLock Management Console is running. The remote computer must work under a DeviceLock-compatible OS (Windows NT 4.0 SP6 and later). It must have a functioning TCP/IP protocol. In case a firewall (including the built-in Windows Firewall) is installed on the remote computer, it must be properly configured to allow connection with DeviceLock Service, DeviceLock Enterprise Server and/or DeviceLock Content Security Server. DeviceLock Service automatically adds itself to the exception list of Windows Firewall.

When you're trying to connect to DeviceLock Service on a computer where it is not installed or is outdated, DeviceLock Management Console suggests that you install or update the service. For more information regarding the remote service deployment, please read the Remote Installation via DeviceLock Management Console section of this manual.

You receive the following warning message when you connect to DeviceLock Service configured to work in the Group Policy mode: "Warning: This machine is configured to use Group Policy settings. You can switch it
iceLock Enterprise Server or DeviceLock Content Security Server is running. Use the context menu Connect item or the appropriate button on the toolbar.

[Context menu items: Connect, Reconnect, Connect to Local Computer at Startup, Connect to Last Used Server at Startup, Load Service Settings, Save Service Settings, Save & Sign Service Settings, Certificate Generation Tool, DeviceLock Signing Tool, About DeviceLock]

You can simultaneously connect to DeviceLock Service, DeviceLock Enterprise Server and DeviceLock Content Security Server, even if they are running on different computers.

[Select Computer dialog: DeviceLock Management Console will manage: Local computer (the computer this console is running on), or Another computer, with a Browse button]

Specify the remote computer name or IP address you want to connect to in the Another computer parameter. To browse for available computers in your network, use the Browse button.

To connect DeviceLock Management Console to the computer where DeviceLock Service, DeviceLock Enterprise Server or Dev
iceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content Aware Rules and then click Manage.
   OR
   • Select Content Aware Rules and then click Manage on the toolbar.
   The Content-Aware Rules dialog box appears.
4. In the upper pane of the Content-Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Pattern. The Add Pattern Group dialog box appears.
5. In the Add Pattern Group dialog box, do the following:

USE THIS / TO DO THIS
• Name: Specify the name of the group.
• Description: Specify a description for the group.
• Expression (the remaining settings in this table are Expression, Validate, Validation Condition, Advanced and Test sample): Specify a pattern by creating a regular expression. For information on how to create Perl regular expressions, refer to the Perl regular express
icense information.

License information

If you've purchased a license for DeviceLock, you should load this license into DeviceLock Enterprise Server. DeviceLock Enterprise Server handles only the licensed number of DeviceLock Services. For example, if you have a license for 100 computers but there are 101 DeviceLock Services working in your network, DeviceLock Enterprise Server will work with only the first 100 DeviceLock Services and ignore the remaining one.

To load the license, press the Load License(s) button and select the license file. You can load several license files in series, one by one. If there are no valid licenses loaded, DeviceLock Enterprise Server works in the trial mode and can handle only two DeviceLock Services.

Note: If a computer with DeviceLock Service leaves the network, DeviceLock Enterprise Server will handle its replacement only after a restart or after 6 hours.

Press the Next button to install licenses and proceed to the fourth page. On the fourth page you can configure database parameters.

[Screenshot: DeviceLock Enterprise Server database parameters: Database name (DeviceLockDB), Connection type (ODBC Driver), SQL Server name, Windows authentication or SQL Server authentication, Login name, and where to store shadow files (in SQL Server or in a folder such as %SystemRoot%\DLSTORE)]
ices and protocols. The Content Database is a part of the DeviceLock Service policy and is also saved in an XML file with service settings that can be created using DeviceLock Management Console, DeviceLock Service Settings Editor and DeviceLock Group Policy Manager.

There are several types of content groups: File Type Detection groups, Keywords groups, Pattern groups, Document Properties groups and Complex groups. The sections below describe these groups and how to use them.

File Type Detection Content Groups

File Type Detection groups are used to control access to files based on file types. These groups contain definitions of the file types that make up these groups. A file type definition consists of two properties: a file name extension (for example, DOC) and a description (for example, Microsoft Word document). When you apply a rule based on a File Type Detection group, the rule is applied to all file types included in that group.

DeviceLock includes 34 predefined (built-in) File Type Detection groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create their editable copies (duplicates), or create your own content groups to suit your particular organization's needs. The following table lists these predefined content groups.

BUILT-IN FILE TYPE DETECTION GROUPS: Archives, MS Outlook & Outlook Express, Audio/Video & Flash, MS
ick Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the rule and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content-Aware Rules dialog box.

To delete a user or group, in the lower left pane of the Content-Aware Rules dialog box, under Users, select the user or group and then click Delete or press the DELETE key.

In the lower left pane of the Content-Aware Rules dialog box, under Users, select the users or groups for which you want to define the rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.

In the upper pane of the Content-Aware Rules dialog box, under Content Database, select the desired content group and then click Add.

Note: You can specify only one content group for a Content-Aware Rule.

The Add Rule dialog box appears.

10. In the Add Rule dialog box, in the Description box, type the name of the Content-Aware Rule. By default, the Content-Aware Rule has the same name as the specified content group, but you can enter a different name.
11. Under Applies to, specify the type of operation associated with the rule. The available options are:
• Permis
376. icking them. b. Right-click the selection and then click Remove Offline. The offline state of the permissions changes to Use Regular. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Audit and Shadowing Rules

For a detailed description of the Auditing & Shadowing feature, see Auditing & Shadowing (Regular Profile). Offline audit and shadowing rules can have one of the following states (DeviceLock Security Policies: Offline Profile):

STATE / DESCRIPTION
- Not Configured: audit and shadowing rules are not defined for a device type. This is the default state.
- Configured: audit and shadowing rules are defined for a device type.
- No Audit: indicates one of the following: audit rights are not set for any of the users and groups specified in the audit and shadowing rules for a device type; all users and groups specified in the audit and shadowing rules for a device type have been removed; or the Everyone account has no Audit and Shadowing rights and is the only account specified in the audit and shadowing rules for a device type.
- Use Regular: the inheritance of offline audit and shadowing rules is blocked and the regular audit and shadowing rules are enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcemen
377. ient computers. To undefine offline permissions:

1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Permissions. When you select Permissions in the console tree, the details pane shows the device types for which you can set permissions and, in the Offline column, the current state of the offline permissions for each device type.
4. In the details pane, right-click the device type for which you want to undefine offline permissions and then click Undefine Offline. You can undefine offline permissions set for several device types at the same time. To do this: a. In the details pane, select several device types by holding down the SHIFT key or the CTRL key while clicking them. b. Right-click the selection and then click Undefine Offline. The offline state of the perm
378. ight mouse click. 2. Click the Add button in the Permissions dialog box and add the Everyone user (type the name, or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box, select the Everyone record and disable all rights in the User's Rights list. 3. Click the Security Settings button in the Permissions dialog box and then clear the Access control for USB HID (mouse, keyboard, etc.) check box.

[screenshot: Security Settings dialog box with check boxes for access control for USB printers; USB scanners and still image devices; USB Bluetooth adapters; USB storage devices; USB and FireWire network cards]

4. Click OK to close the Security Settings dialog box and then click the USB White List button in the Permissions dialog box.

[screenshot (Appendix: Permissions and Audit Examples): USB Devices White List dialog box with the USB Devices Database list, the Users list and the white list for the selected user]

5. Click the Add button below the Users list and add the Administrators group (type the name, or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box and then select the Administrators re
379. ii ... 24
INTERACTIVE INSTALLATION ... 24
UNATTENDED INSTALLATION ... 31
INSTALLATION VIA MICROSOFT SYSTEMS MANAGEMENT SERVER ... 32
REMOTE INSTALLATION VIA DEVICELOCK MANAGEMENT CONSOLE ... 33
REMOTE INSTALLATION VIA DEVICELOCK ENTERPRISE MANAGER ... 34
INSTALLATION VIA GROUP POLICY ... 35
INSTALLING MANAGEMENT CONSOLES ... 43
INSTALLING DEVICELOCK ENTERPRISE SERVER ... 50
PLANNING INFRASTRUCTURE ... 51
INTERACTIVE INSTALLATION ... 51
INSTALLING DEVICELOCK CONTENT SECURITY SERVER ... 68
DEVICELOCK CERTIFICATES ... 77
OVERVIEW ... 77
GENERATING DEVICELOCK CERTIFICATES ... 77
INSTALLING/REMOVING DEVICELOCK CERTIFICATE ... 79
DEVICELOCK SIGNING TOOL ... 84
OVERVIEW ... 84
DEVICE CODE ... 84
SERVICE SETTINGS ... 86
DEVICELOCK MANAGEMENT CONSOLE ... 90
OVERVIEW ... 90
INTERFACE ... 92
CONNECTING TO COMPUTERS ... 93
POSSIB
380. ik

[screenshot (DeviceLock Management Console): console tree with Audit Log Viewer selected and its context menu open]

The audit log stores the events generated by a user's device-related activities that fall under the audit rules. For more information, read the Auditing & Shadowing section of this manual. Changes to a DeviceLock Service's configuration also generate events in the audit log if the appropriate check box is selected in Service Options. The columns of this viewer are defined as follows:
- Type: the class of the event, either Success for allowed access or Failure for denied access.
- Date/Time: the date and time when the event was received by DeviceLock Service.
- Source: the type of device or protocol involved.
- Action: the user's activity type.
- Name: the name of the object (file, USB device, etc.).
- Information: other device-specific information for the event, such as access flags, device names and so on.
- User: the name of the user associated with this event.
- PID: the identifier of the process associated with this event.
- Process: the fully qualified path to the process executable file. In some cases the process name may be displayed instead of the path.

To refresh the list of events, select Refresh from the context menu (right-click) or press the appropriate button on the toolbar. To clear all events from the aud
381. ile

DeviceLock Security Policies: Offline Profile

Today many organizations have users who must keep working with business-critical information while disconnected from the corporate network. For example, traveling sales representatives, insurance agents and regional inspectors increasingly use corporate laptops or notebooks at disconnected locations, and protecting the sensitive information on these mobile computers has become a priority. DeviceLock provides greater protection of sensitive corporate information in disconnected environments: you can control user access to devices and protocols, as well as the shadow copying of data written by the user or transmitted over the network, in the different offline scenarios. DeviceLock also offers more management flexibility, because you can define different online and offline security policies for the same user or set of users. A user's online policies are applied when the computer is connected to the corporate network, or to the specified DeviceLock Enterprise Servers or Active Directory domain controllers. Offline policies are applied when the user is working disconnected from the corporate network, or from the specified DeviceLock Enterprise Servers or Active Directory domain controllers. To configure DeviceLock to enforce different policies for online and offline scenarios, begin by setting permissions for two profile types:
- Regular Profile: these settings are used by client computers that are worki
382. in the User's Rights list.

[screenshot: Permissions dialog box for the USB port device type, with the Everyone record and its rights]

3. Click OK to apply the changes and close the Permissions dialog box. 4. Select the DVD/CD-ROM, Floppy and Removable records from the list of device types under Permissions, and then select Set Permissions from the context menu (right-click).

[screenshot: DeviceLock Management Console with three device types selected under Permissions and the Set Permissions context menu item]

5. Click the Add button in the Permissions dialog box, add the Everyone user (type the name, or browse for all available names and select the needed one), click OK to close the Select Users or Groups dialog box, select the Everyone record and disable all rights in the User's Rights list.

[screenshot: Permissions dialog box for the Floppy, Removable and DVD/CD-ROM device types]

6. Click OK to apply the changes and clos
383. indows can overwrite, DeviceLock Service is unable to write new audit records to this log. If you wish to reset the current settings to their default values, click Restore Defaults. The default values are:
- Maximum log size: 512 kilobytes.
- Overwrite events older than: selected and set to 7 days.

Audit Log Filter (Service)

You can filter the data in Audit Log Viewer so that only records that meet specific conditions are displayed in the list. To open the Filter dialog box, use Filter from the context menu of Audit Log Viewer or press the appropriate button on the toolbar.

[screenshot: Filter dialog box with Include and Exclude tabs; fields for event types (Success audit, Failure audit), Name, Information, User, Process, PID, and From/To event dates]

There are two types of filters:
- Include: only entries that match the conditions specified on the Include tab are shown in the list.
- Exclude: entries that match the conditions specified on the Exclude tab are not shown in the list.

To use a filter you must activate it first: select the Enable filter check box. To temporarily deactivate the filter, clear the Enable filter check box. When the filter is active, you can define its condition by entering values into the following fields:
- Success audit: specifies whether to filter device ac
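The following is an added example, not code from the manual or from DeviceLock; it serves both the column description of the Audit Log Viewer above and this Filter section. It models audit records with the nine columns listed for the viewer and applies an Include condition and an Exclude condition to them in the order the manual describes (Include narrows the list, Exclude then removes matching entries, and a disabled filter leaves the log unchanged). The records, the substring-match semantics for text fields and the inclusive date range are constructed assumptions; the manual does not specify how DeviceLock compares these fields.

```python
# Added example, not DeviceLock's code: Include/Exclude filtering over audit
# records laid out with the Audit Log Viewer's columns. Sample records and
# the matching rules (case-insensitive substring for text fields, exact PID,
# inclusive From/To) are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditRecord:
    event_type: str    # "Success" (allowed) or "Failure" (denied)
    time: datetime     # when DeviceLock Service received the event
    source: str        # device type or protocol
    action: str        # the user's activity type
    name: str          # object: file, USB device, ...
    info: str          # device-specific details
    user: str
    pid: int
    process: str       # path to the process executable


def parse_time(text):
    """'YYYY-MM-DD HH:MM' -> datetime, used for the From/To fields."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample log (not real DeviceLock output).
SAMPLE_LOG = [
    AuditRecord("Failure", parse_time("2010-12-01 09:15"), "Removable", "Write",
                "E:\\payroll.xlsx", "Access denied", "CORP\\jdoe", 1234,
                "C:\\Windows\\explorer.exe"),
    AuditRecord("Success", parse_time("2010-12-01 09:20"), "USB port", "Insert",
                "USB Flash Drive", "VID_0951", "CORP\\jdoe", 4, "System"),
    AuditRecord("Failure", parse_time("2010-12-02 14:05"), "Removable", "Write",
                "E:\\secrets.zip", "Access denied", "Guest", 2222,
                "C:\\Tools\\copy.exe"),
    AuditRecord("Success", parse_time("2010-12-03 08:00"), "Printer", "Print",
                "report.pdf", "3 pages", "CORP\\asmith", 3333,
                "C:\\Program Files\\Acrobat\\acrobat.exe"),
]


def matches(rec, cond):
    """True when the record satisfies every field that is set in the condition."""
    types = cond.get("types")                      # e.g. {"Failure"}
    if types and rec.event_type not in types:
        return False
    for field in ("name", "info", "user", "process"):
        needle = cond.get(field)
        if needle and needle.lower() not in getattr(rec, field).lower():
            return False
    if "pid" in cond and rec.pid != cond["pid"]:
        return False
    if cond.get("from") and rec.time < cond["from"]:
        return False
    if cond.get("to") and rec.time > cond["to"]:
        return False
    return True


def apply_filter(records, include=None, exclude=None, enabled=True):
    """Include keeps only matching records; Exclude drops matching records.
    With 'Enable filter' cleared the whole log is returned unchanged."""
    if not enabled:
        return list(records)
    out = list(records)
    if include:
        out = [r for r in out if matches(r, include)]
    if exclude:
        out = [r for r in out if not matches(r, exclude)]
    return out


if __name__ == "__main__":
    denied = apply_filter(SAMPLE_LOG, include={"types": {"Failure"}},
                          exclude={"user": "guest"})
    for r in denied:
        print(r.time, r.user, r.action, r.name)
```

A practical use of the Exclude tab is to suppress a known noisy principal or process while an Include condition on Failure events surfaces denied writes to removable media, which is the usual starting point when investigating an exfiltration attempt.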
384. ing: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following: right-click Content Aware Rules and then click Manage; OR select Content Aware Rules and then click Manage on the toolbar. The Content Aware Rules dialog box appears.

[screenshot: Content Aware Rules dialog box listing the Content Database with entries such as ABA Routing Number (Pattern), Admission/Discharge (Keywords), Archives and Audio, Video & Flash (File Type Detection)]

4. In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Keywords. The Add Keywords Group dialog box appears.

[screenshot (Content Aware Rules for Devices, Regular Profile): Add Keywords Group dialog box with Name, Description, Condition (Match any keywords), Keywords, Case Sensitive and Whole Word fields]

5. In the Add Keywords Group dialog box, do the following:

USE THIS / TO DO THIS
- Name: specify the name of the group.
- Description: specify a description for the group.
- Condition: specify the condition for firing rules associated with this content group. To do so, in the Condition list, click any of the following options: Mat
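The following is an added example, not code from the manual or from DeviceLock. It evaluates a Keywords group against a piece of text using the three settings the Add Keywords Group dialog exposes: the Condition, Case Sensitive and Whole Word. Only "Match any keyword(s)" is visible in this section; the "all" condition is an assumption added for contrast, and the sample text is constructed.

```python
# Added example, not DeviceLock's code: evaluating a Keywords content group
# with Condition, Case Sensitive and Whole Word. "any" is the manual's
# "Match any keywords"; "all" is an assumed complement not taken from the page.
import re


def compile_keywords(keywords, case_sensitive=False, whole_word=False):
    """One compiled regex per keyword. Lookarounds are used instead of \\b so
    that keywords ending in punctuation (for example 'C++') still honour
    Whole Word, which \\b would not."""
    flags = 0 if case_sensitive else re.IGNORECASE
    compiled = []
    for kw in keywords:
        body = re.escape(kw)
        if whole_word:
            body = r"(?<!\w)" + body + r"(?!\w)"
        compiled.append((kw, re.compile(body, flags)))
    return compiled


def matched_keywords(text, keywords, case_sensitive=False, whole_word=False):
    """Keywords from the group that occur in the text, in group order."""
    return [kw for kw, rx in compile_keywords(keywords, case_sensitive, whole_word)
            if rx.search(text)]


def keyword_group_fires(text, keywords, condition="any", **opts):
    """True when a rule bound to this group should fire for the text."""
    hits = matched_keywords(text, keywords, **opts)
    if condition == "any":
        return bool(hits)
    if condition == "all":                 # assumed option, see lead-in
        return len(hits) == len(keywords)
    raise ValueError("unknown condition: %r" % condition)


# Constructed sample: the kind of text an admission/discharge rule inspects.
SAMPLE = "Patient ADMISSION on 12/01; discharge summary attached (confidentiality notice)."

if __name__ == "__main__":
    print(matched_keywords(SAMPLE, ["admission", "discharge", "transfer"]))
    print(matched_keywords(SAMPLE, ["confidential"], whole_word=True))   # []
```

Whole Word is what keeps a keyword such as "confidential" from firing on "confidentiality"; conversely, leaving Case Sensitive on means an upper-cased "ADMISSION" is missed, so for DLP keywords the case-insensitive, whole-word combination is usually the right default.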
385. inistrators and Everyone accounts. For information about which permissions are set for these accounts by default, see Managing Permissions for Protocols.

TO DO THIS / FOLLOW THESE STEPS

To set permissions for an additional user or group:
1. In the upper left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
2. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper left pane of the Permissions (Offline) dialog box.
3. In the upper left pane of the Permissions (Offline) dialog box, under Users, select the user or group. You can select multiple users and/or groups by holding down the SHIFT key or the CTRL key while clicking them.
4. In the lower left pane of the Permissions (Offline) dialog box, under User's Rights, select or clear the Allow check box next to the appropriate access rights.
5. In the right pane of the Permissions (Offline) dialog box you can set day and time restrictions that narrow user access to the specified protocol(s). Use the left mouse button to select the days and hours when the selec
6. Click OK or Apply.

To change permissions for an existing user or group:

To remove an existing user or group and its permissions:

Undefining Offline Permissions
386. interface level): includes all devices that can be connected to the computer via the parallel (LPT) ports.
- Printer (type level): includes all local and network printers with any type of connection interface (USB, LPT, Bluetooth, etc.) to the computer. DeviceLock can optionally control virtual printers as well, which do not send documents to real devices but instead print to files (for example, PDF converters).
- Removable (type level): includes all internal and external devices with any connection interface (USB, FireWire, PCMCIA, IDE, SATA, SCSI, etc.) that are recognized by Windows as removable devices, for example USB flash drives, ZIP drives, card readers, magneto-optical drives and so on. DeviceLock treats all external USB, FireWire and PCMCIA hard drives as the Removable type as well. DeviceLock also treats as Removable some internal hard drives (usually SATA and SCSI) if they support hot-plugging and Windows is not installed and running on them.
- Serial port (interface level): includes all devices that can be connected to the computer via the serial (COM) ports, including internal modems.
- Tape (type level): includes all internal and external tape drives with any connection interface (SCSI, USB, IDE, etc.).
- USB port (interface level): includes all devices that can be plugged into a USB port, except hub devices.
- WiFi (type level): includes all internal and external
387. ion. To import Content Aware Rules:

1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
- Right-click Content Aware Rules and then click Load; OR
- Select Content Aware Rules and then click Load on the toolbar; OR
- Expand Content Aware Rules, right-click any user or group to which the rule is applied, and then click Load; OR
- Expand Content Aware Rules and select any user or group to which the rule is applied; in the details pane, right-click the rule and then click Load; OR
- Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Load on the toolbar; OR
- Right-click Content Aware Rules and then click Manage; in the lower right pane of the Content Aware Rules dialog box, under Rules, click Load.
The Open dialog box appears.
4. In the Open dialog box, in the Look in list, click the location that contains th
388. ion Message Text. By default the Content Verification Message Text is: "Please wait while DeviceLock is verifying the CONTENT_NAME content", where CONTENT_NAME is replaced with the name of the file or protocol. The file name is inserted when DeviceLock checks the content of files copied to a device; the protocol name is inserted when DeviceLock checks the content of data transmitted over the network. Restore Defaults restores the default settings. For a detailed description of the Content Aware Rules feature, see Content Aware Rules for Devices (Regular Profile) and Content Aware Rules for Protocols (Regular Profile).

DeviceLock Enterprise Server(s)

If you want to allow DeviceLock Service to send its logs to DeviceLock Enterprise Server, specify the name or IP address of the server's computer.

[screenshot: DeviceLock Enterprise Server(s) dialog box with a Computer Name field and a DeviceLock Enterprise Server(s) field listing two servers separated by a semicolon]

Using the semicolon as a separator, you can specify several DeviceLock Enterprise Servers to spread the network load evenly. At startup, DeviceLock Service chooses one server for sending logs; if the selected server is unavailable, DeviceLock Service tries to choose another one from the list. Make sure that DeviceLock Enterprise Server is properly installed and accessible to DeviceLock Service, otherwise the logs will not be stored in the centralized database. For more informatio
389. ions quick start tutorial and Perl regular expressions tutorial.
- Check regular expression syntax.
- Validation: perform the actual validation on the potential matches returned by the regular expression. The following options are available: No validation (selected by default); ABA Routing Number; Canadian Social Insurance Number; Credit Card Number (All); Credit Card Number (American Express); Credit Card Number (Diners Club); Credit Card Number (Diners Club En Route); Credit Card Number (Discover); Credit Card Number (JCB); Credit Card Number (Laser); Credit Card Number (Maestro); Credit Card Number (Master Card); Credit Card Number (Solo); Credit Card Number (Switch); Credit Card Number (Visa); Credit Card Number (Visa Electron); Date; Date (ISO); Email Address; European VAT Number; IBAN; IP Address; LUHN Checksum; Russian Bank Account Number; Russian Health Insurance Number; Russian Taxpayer Identification Number; Russian Main State Registration Number; Russian Classification Of Enterprises And Organizations; UK National Insurance Number; UK Phone Number; UK Post Code; UK Tax Code; URL; US Social Security Number.
- Condition: specify the condition for firing rules associated with this content group. To do so, in the Condition list, click any of the following options:
  - Less than or equal to: a rule associated with this content group is activated every time the number of matches returned by the regular expression is less than or equal to the specifie
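The following is an added example, not code from the manual or from DeviceLock. It shows the three stages a Pattern group goes through as described above: a regular expression produces candidate matches, a validation step (here the LUHN checksum, which is what makes a card-number pattern useful) discards candidates that only look like the pattern, and the surviving count is compared against the group's Condition. The card-number regex, the sample text and the "greater than or equal" condition are constructed here; only "less than or equal" is visible on this page.

```python
# Added example, not DeviceLock's code: a Pattern group = regex candidates,
# then validation (LUHN checksum), then a count-based Condition. The regex,
# sample text and the "greater than or equal" condition are constructed.
import re


def luhn_valid(digits):
    """LUHN checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate card numbers: four groups of four digits, optionally separated.
CARD_REGEX = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

VALIDATORS = {
    "No validation": lambda m: True,
    "LUHN Checksum": lambda m: luhn_valid(re.sub(r"\D", "", m)),
}


def pattern_matches(text, regex=CARD_REGEX, validation="No validation"):
    """Regex hits that survive the selected validation step."""
    check = VALIDATORS[validation]
    return [m.group(0) for m in regex.finditer(text) if check(m.group(0))]


def condition_holds(count, condition, threshold):
    """Evaluate the group's Condition on the number of validated matches."""
    if condition == "less than or equal":
        return count <= threshold
    if condition == "greater than or equal":   # assumed option, see lead-in
        return count >= threshold
    raise ValueError("unknown condition: %r" % condition)


def pattern_group_fires(text, condition, threshold, validation="LUHN Checksum"):
    """True when a rule bound to this Pattern group should fire for the text."""
    count = len(pattern_matches(text, validation=validation))
    return condition_holds(count, condition, threshold)


# Constructed sample: two LUHN-valid card numbers and one 16-digit decoy.
SAMPLE = ("Cards: 4539 1488 0343 6467 and 4111111111111111; "
          "ticket 1234-5678-1234-5678 is not a card number.")

if __name__ == "__main__":
    print(pattern_matches(SAMPLE))                              # 3 candidates
    print(pattern_matches(SAMPLE, validation="LUHN Checksum"))  # 2 survive
```

Without validation the ticket number counts as a third hit, so a "less than or equal to 2" condition would wrongly stay quiet; with the LUHN step the count is 2 and the rule behaves as intended. Validation is therefore not an optimisation but part of the rule's correctness.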
390. iple rules that you want to delete by holding down the SHIFT key or the CTRL key while clicking them.

Undefining Offline Content Aware Rules

You can return previously defined offline Content Aware Rules to the unconfigured state. If the offline rules are undefined, the regular rules are applied to offline client computers. To undefine offline Content Aware Rules:

1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click Content Aware Rules and then click Undefine Offline.

The offline state of Content Aware Rules changes to Not Configured. When you select Content Aware Rules in the console tree, the details pane displays the message "Offline Content Aware Rules are not configured".

Removing Offline Content Aware Rules

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), De
391. is happens because such keyloggers are standalone devices and do not require any OS or drivers.
- Log event: you can instruct DeviceLock Service to write an event to the audit log when a hardware USB keylogger is detected.
- Treat any USB hub as keylogger: by enabling this parameter you instruct DeviceLock Service to treat any external USB hub to which the keyboard is connected as a hardware keylogger. Otherwise DeviceLock Service detects only those hub keyloggers that exist in its internal database.
- Notify user: you can define a custom message to be displayed to users when DeviceLock Service detects a hardware USB keylogger. Since DeviceLock Service starts before the user logs in to Windows, this message can alert the user and prevent him or her from typing the password on a keyboard connected to the USB keylogger.

[screenshot: Notify User dialog box with the Notification Caption "DeviceLock Security Subsystem" and the Notification Text "The hardware keylogger is detected on DEVICES. Please check how your keyboard is connected to the USB port."]

To enable this custom message, select the Notify User check box. You can also define additional parameters:
- Notification Caption: the text to be displayed as the caption. You can use the predefined macros within the text: DEVICE inserts the name of the keyboard's device (for example, USB Keyboard); receiv
392. is not written to the log.
- Audit Outgoing Messages: enables audit logging of user attempts to send messages, comments, posts, etc. The Outgoing Message action and the following information, <site_name>_<content_name>_<Recipient ID>, are written to the log. Recipient IDs are written to the log only if users attempt to send messages, and are written in number format.
- Audit Outgoing Files: enables audit logging of user attempts to upload media and file content to a social networking site. The Outgoing File action and the following information, <site_name>_<file_name>, are written to the log.
- Shadowing Outgoing Messages: enables shadow copying of sent messages, comments, posts, etc. Shadow copies of the sent messages, comments, etc. are written to the log.
- Shadowing Outgoing Files: enables shadow copying of files uploaded to a social networking site. Shadow copies of the uploaded files are written to the log.

Protocols (Regular Profile)

PROTOCOL (Telnet, Web Mail, Windows Messenger) / AUDIT & SHADOWING RIGHTS

Telnet
- Audit Connection: enables audit logging of user attempts to connect to a Telnet site. The Connection action, the IP address with the port number, the name of the host and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log.

Web Mail
- Audit Connection: enables audit logging of user attempts to access
393. isplays the dialog box with information about the DeviceLock version and your licenses.

Server Options

These parameters allow you to tune the DeviceLock Enterprise Server configuration.

[screenshot: DeviceLock Management Console with Server Options selected under DeviceLock Enterprise Server; the details pane lists DeviceLock certificate, Service startup account, TCP port, Database name, Connection type, SQL Server name, Store shadow files in SQL Server, DeviceLock license(s), Stream compression and Unpack ISO images]

Use the context menu (right-click) or double-click the Stream compression parameter to enable or disable it. By enabling Stream compression you instruct DeviceLock to compress the audit logs and shadow data sent from DeviceLock Services to DeviceLock Enterprise Server; this decreases the size of the data transfers and thus reduces the network load. By enabling Unpack ISO images you instruct DeviceLock Enterprise Server to extract files from shadowed CD/DVD images. If this paramet
394. issions changes to Not Configured.

Removing Offline Permissions

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock lets you block the inheritance of higher-level offline permissions and enforce the regular permissions on specific lower-level groups of client computers. To enforce the regular permissions you must remove the offline permissions. To remove offline permissions:

1. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Permissions. When you select Permissions in the console tree, the details pane shows the device types for which you can set permissions and, in the Offline column, the current state of the offline permissions for each device type.
4. In the details pane, right-click the device type for which you want to remove offline permissions and then click Remove Offline. You can remove offline permissions set for several device types at the same time. To do this: a. In the details pane, select several device types by holding down the SHIFT key or the CTRL key while cl
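The following is an added example, not code from the manual or from DeviceLock; it serves the offline-state descriptions in this section as a whole (the state table for Use Regular, Undefining Offline, and Removing Offline). It resolves, for one device type, what a client actually enforces when online and when offline, given a chain of GPOs: Not Configured (the result of Undefine Offline) inherits whatever a higher level set, Use Regular (the result of Remove Offline) blocks that inheritance and falls back to the regular setting, and an undefined offline setting at every level also means the regular setting applies. Two assumptions are made: GPOs are listed from the highest link (domain) to the lowest (OU), and a lower-level setting overrides a higher one, which is standard Group Policy precedence. The device types, rights strings and policy tree are constructed.

```python
# Added example, not DeviceLock's code: combining offline states across a
# Group Policy hierarchy. Assumptions: GPOs are ordered highest link first,
# lower links override higher ones; device types and rights are constructed.
NOT_CONFIGURED = "Not Configured"   # Undefine Offline: inherit from a higher level
USE_REGULAR = "Use Regular"         # Remove Offline: block inheritance, use regular


def effective_offline(gpos, device):
    """Offline setting for one device type after walking the hierarchy.
    Each GPO is {'regular': {dev: rights}, 'offline': {dev: rights|USE_REGULAR}};
    a device absent from 'offline' is Not Configured at that level."""
    value = NOT_CONFIGURED
    for gpo in gpos:                          # highest link first, lowest last
        state = gpo["offline"].get(device, NOT_CONFIGURED)
        if state != NOT_CONFIGURED:           # Configured and Use Regular both override
            value = state
    return value


def effective_regular(gpos, device):
    """Regular setting for one device type, lowest link wins."""
    value = NOT_CONFIGURED
    for gpo in gpos:
        value = gpo["regular"].get(device, value)
    return value


def effective_rights(gpos, device, online):
    """What the client enforces: regular rights when online; offline rights
    when offline, unless the offline setting is undefined or Use Regular,
    in which case the regular rights apply."""
    regular = effective_regular(gpos, device)
    if online:
        return regular
    offline = effective_offline(gpos, device)
    if offline in (NOT_CONFIGURED, USE_REGULAR):
        return regular
    return offline


# Constructed policy tree: the domain GPO denies Removable media offline; the
# Laptops OU leaves offline untouched (inherits); the Field Engineers OU has
# had Remove Offline applied (Use Regular), so their laptops keep regular rights.
DOMAIN = {"regular": {"Removable": "Read", "Printer": "Print"},
          "offline": {"Removable": "No Access"}}
LAPTOPS_OU = {"regular": {"Removable": "Read,Write"}, "offline": {}}
FIELD_OU = {"regular": {}, "offline": {"Removable": USE_REGULAR}}

if __name__ == "__main__":
    chain = [DOMAIN, LAPTOPS_OU, FIELD_OU]
    print(effective_rights(chain[:2], "Removable", online=False))   # No Access
    print(effective_rights(chain, "Removable", online=False))       # Read,Write
```

The security-relevant difference is that Undefine Offline is not a way to relax a restriction set higher up (the restriction is inherited), whereas Remove Offline is: a lower-level Use Regular silently replaces a domain-wide "No Access" with whatever the regular permissions grant, so it deserves the same review as any other inheritance block.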
395. it Examples. 3. Select the Audit Allowed and Audit Denied check boxes at the top of the Audit dialog box, and then click OK to apply the changes and close the Auditing & Shadowing dialog box.

Log only the names of files and folders related to denied write actions on removable storage devices for members of the Users group

1. Select the Removable record from the list of device types under Auditing & Shadowing, and then select Set Auditing & Shadowing from the context menu (right-click).

[screenshot: DeviceLock Management Console with the Removable device type selected under Auditing & Shadowing and the Set Auditing & Shadowing context menu item]

2. Click the Add button in the Audit dialog box and add the Users group (type the name, or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box, select the Users record and enable only the Write audit right in the User's Rights list.

[screenshot: Auditing & Shadowing dialog box with the Users record, the User's Rights list and the day/time grid]

3. Select only the Audit Denied check box at the top of the Audit dialog box, and then click OK to
396. it log, select Clear from the context menu or press the appropriate button on the toolbar.

Audit Log Settings (Service)

To define the maximum log size and what Windows should do when the audit log becomes full, use Settings from the context menu of Audit Log Viewer or press the appropriate button on the toolbar.

[screenshot: DeviceLock Audit Log Settings dialog box with the Maximum log size field and the three "When maximum log size is reached" options]

In the Maximum log size parameter you can specify the maximum size of the log file in kilobytes. The log file is created and used only by the Windows Event Log service; it is usually located in the %SystemRoot%\system32\config directory and is named DeviceLo.evt. To specify what Windows should do when the event log is full (when Maximum log size is reached), select one of these options:
- Overwrite events as needed: the system overwrites old events when Maximum log size is reached.
- Overwrite events older than: records newer than this value (specified in days) will not be overwritten.
- Do not overwrite events (clear log manually): the system will not overwrite old events when Maximum log size is reached, and you will need to clear events manually.

Note: When the event log is full and there are no records that W
397. ith a right mouse click. Alternatively, you can press the appropriate button on the toolbar.

[screenshot: USB Devices White List dialog box with the USB Devices Database list at the top, the Users list, and the white list for the selected user showing the Description, Device Type/Unique Device and Control as Type columns]

In the USB Devices Database list at the top of the dialog box you can see the devices that were added to the database. Once devices are added from the database to the white list of a certain user, they become authorized devices for which access control is disabled when this user is logged in. You add a device to the USB Devices White List in two steps:
1. Select the user or user group for which this device should be allowed. Click Add under the Users list to add the user or group. To delete a record from the Users list, click Delete.
2. Select the appropriate device record in the USB Devices Database list and click Add.

If the device has an assigned serial number, it can be added to the white list twice: as a Device Type and as a Unique Device. In this case Device Type has priority over Unique Device. When the Control as Type check box is selected, access control for white-listed devices is disabled only at the interface (USB) lev
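The following is an added example, not code from the manual or from DeviceLock. It resolves a plugged-in USB device against a white list using the two entry kinds described above (a Device Type entry identifies a model; a Unique Device entry adds the serial number), applies the stated rule that a Device Type entry takes priority over a Unique Device entry when both match, and reports what Control as Type changes. The vendor/product identifiers, principals and white-list rows are constructed; how DeviceLock stores these internally is not reproduced.

```python
# Added example, not DeviceLock's code: resolving a USB device against a
# white list with Device Type and Unique Device entries, the Device Type
# priority rule, and the Control as Type flag. All identifiers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str = ""       # '' when the device reports no serial number


@dataclass(frozen=True)
class WhiteListEntry:
    principal: str         # user or group the entry was added for
    kind: str              # "Device Type" or "Unique Device"
    vid: str
    pid: str
    serial: str = ""       # only meaningful for Unique Device entries
    control_as_type: bool = False


def entry_matches(entry, device):
    """Device Type matches on vendor/product; Unique Device also needs the serial."""
    if (entry.vid, entry.pid) != (device.vid, device.pid):
        return False
    if entry.kind == "Unique Device":
        return bool(device.serial) and entry.serial == device.serial
    return entry.kind == "Device Type"


def governing_entry(user, groups, device, white_list):
    """The white-list entry that applies for the logged-in user, or None when
    the device is not authorized. When both kinds match, Device Type wins."""
    principals = {user, *groups}
    hits = [e for e in white_list
            if e.principal in principals and entry_matches(e, device)]
    hits.sort(key=lambda e: 0 if e.kind == "Device Type" else 1)   # stable
    return hits[0] if hits else None


def access_control_disabled(user, groups, device, white_list):
    """(usb_level_disabled, type_level_disabled). With Control as Type the
    exemption covers only the USB interface level, so type-level rules such
    as those for Removable still apply to the device."""
    entry = governing_entry(user, groups, device, white_list)
    if entry is None:
        return (False, False)
    return (True, not entry.control_as_type)


# Constructed white list: one corporate flash-drive model for Administrators,
# one specific unit (by serial) for a named user, and a second model for that
# user with Control as Type selected.
WHITE_LIST = [
    WhiteListEntry("Administrators", "Device Type", "0951", "1666"),
    WhiteListEntry("CORP\\jdoe", "Unique Device", "0951", "1666", serial="0019E02C0A1B"),
    WhiteListEntry("CORP\\jdoe", "Device Type", "0781", "5583", control_as_type=True),
]

if __name__ == "__main__":
    unit = UsbDevice("0951", "1666", "0019E02C0A1B")
    print(governing_entry("CORP\\jdoe", [], unit, WHITE_LIST).kind)                 # Unique Device
    print(governing_entry("CORP\\jdoe", ["Administrators"], unit, WHITE_LIST).kind) # Device Type
```

The Unique Device entry is the one to prefer for a user-specific exemption: a Device Type entry authorizes every unit of that model, so any attacker with the same drive model walks through it, whereas the serial-bound entry limits the exemption to one physical device (subject to the caveat that a serial number is reported by the device and can be spoofed by a hostile one).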
398. itor.

Defining Content Aware Rules

Content Aware Rules are created based on either the built-in or custom content groups. For detailed information on these groups, see Configuring Content Detection Settings. To define a Content Aware Rule:

1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following: right-click Content Aware Rules and then click Manage; OR select Content Aware Rules and then click Manage on the toolbar. The Content Aware Rules dialog box appears.

[screenshot (Content Aware Rules for Protocols, Regular Profile): Content Aware Rules dialog box with the Content Database in the upper pane, Users in the lower left pane and Rules in the lower right pane]

4. In the lower left pane of the Content Aware Rules dialog box, under Users, cl
399. ity Server. 2. Under DeviceLock Content Security Server, right-click Server Options and then click Properties. The first page of the wizard appears. 3. Move through the wizard. After completing each page, move to the next one by clicking Next or return to the preceding one by clicking Back. On the final page, click Finish to complete the wizard. For detailed information on how to configure DeviceLock Content Security Server using the configuration wizard, see Installing DeviceLock Content Security Server.

Below are step-by-step instructions explaining how to perform individual configuration tasks using DeviceLock Management Console.

Task: Configure which users have access to DeviceLock Content Security Server

You can select the users you want to have access to your DeviceLock Content Security Server. This restricts outsiders from accessing or damaging the server. To configure which users have access to the server:
1. In the console tree, expand DeviceLock Content Security Server.
2. Under DeviceLock Content Security Server, do one of the following: select Server Options, and in the details pane double-click Server Administrators or right-click Server Administrators and then click Properties (when you select Server Options in the console tree, they are displayed in the details pane); OR expand Server Options, and under Server Options right-click Server Administrators and then click
400. k Management Console (the MMC snap-in), DeviceLock Group Policy Manager or DeviceLock Service Settings Editor. [Screenshot: DeviceLock Signing Tool window, Certificate Name: DeviceLock Certificate 05/11/2006 01:26:52 PM] First of all, you should load the corresponding DeviceLock Certificate (the private key). The DeviceLock Signing Tool must use the private key that belongs to the same certificate as the public key installed on the user's computer. By default, the DeviceLock Signing Tool automatically loads the last certificate used. You can load another certificate by pressing the button and selecting a file with the private key. To generate the new certificate, you can run the Certificate Generation Tool directly from the DeviceLock Signing Tool. To do so, you should press the New button. However, please keep in mind that if you generate a new certificate and intend to use its new private key in the DeviceLock Signing Tool, you must also deploy the corresponding public key on the user's computer. Then decide what action you want to perform: generate an Unlock Code or sign an XML file containing DeviceLock Service settings. Device Code. To grant the user temporary access to a requested device, you should generate an Unlock Code upon receiving the Device Code from this user. For more information on using the temporary white list, please read the Temporary White List section of this manual. DeviceLock Signing Tool d DeviceLoc
401. k Enterprise Server uses MS SQL Server to store its data. Hence, it is necessary to have MS SQL Server installed and started in your network before installing DeviceLock Enterprise Server. If you don't have MS SQL Server, you can install the free edition, called SQL Server Express Edition, available for free download at the Microsoft Web site (http www microsoft com sqlserver 2005 en us express aspx). It is not necessary to run MS SQL Server and DeviceLock Enterprise Server on the same machine. Moreover, for performance and reliability reasons, it is better to install DeviceLock Enterprise Server on a separate computer. There are three scenarios for connecting DeviceLock Enterprise Server and MS SQL Server. You should decide which scenario best fits your needs before installing DeviceLock Enterprise Server. 1. ONE-TO-ONE: you install one DeviceLock Enterprise Server and connect it to one Microsoft SQL Server. This scenario is most appropriate for small networks (up to several hundreds of computers). 2. MANY-TO-MANY: you install several DeviceLock Enterprise Servers and connect each of them to its own Microsoft SQL Server. This scenario is typical for medium and large networks geographically distributed across a variety of segments. 3. MANY-TO-ONE: you install several DeviceLock Enterprise Servers and connect all of them to the one Microsoft SQL Server. This scenario could be used for medium and large networks with a powerful large amount of
402. k Group Policy Manager, do the following: Open Group Policy Object Editor. In the console tree, expand Computer Configuration, and then expand DeviceLock. Expand Devices. Under Devices, do one of the following: Right-click Content Aware Rules, and then click Load Offline. OR Select Content Aware Rules, and then click Load Offline on the toolbar. OR Expand Content Aware Rules, right-click any user or group, and then click Load Offline. OR Expand Content Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Load. OR Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Load Offline on the toolbar. OR Right-click Content Aware Rules, and then click Manage Offline. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, click Load. The Open dialog box appears. In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file, and then click Open. You can import only one .cwil file at a time. Deleting Offline Content Aware Rules. You can delete individual offline Content Aware Rules when they are no longer required. To delete an offline Content Aware Rule i
403. k Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration, and then expand DeviceLock. Expand Protocols. Under Protocols, right-click Content Aware Rules, click Manage Offline, and then do the following: a) In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box. b) In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, select the rule you want to edit, and then click Edit. OR Under Protocols, expand Content Aware Rules, and then do the following: a) Under Content Aware Rules, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content Aware Rules applied to them in the details pane. b) In the details pane, right-click the rule you want to edit, and then click Edit. OR In the details pane, double-click the rule you want to edit. The Edit Rule dialog box appears. In the Edit Rule dialog box, modify the rule properties as required to meet your needs. Click OK to apply the changes. Copying Offline Content Aware Rules. You can perform a cut-and-paste operation, a copy-and-paste operation, or a drag-and-drop operation to reuse existing offline Conte
404. k Manage on the toolbar. The Content Aware Rules dialog box appears. 4. In the upper pane of the Content Aware Rules dialog box, under Content Database, select any content group you want to test, and then click Test Group. You can test only one group at a time. The Open dialog box appears. 5. In the Open dialog box, in the Look in list, click the location that contains the file you want to use for testing the specified content group. In the folder list, locate and open the folder that contains the file. Click the file, and then click Open. The Result message box is displayed. If the file matches the specified content group, the Result message box contains the following text: Selected file matches with the group. If the file does not match the specified content group, the Result message box contains the following text: Selected file does not match with the group. When testing is in progress, the console stops responding (hangs). Managing Content Aware Rules. Managing Content Aware Rules involves the following tasks: Defining Content Aware Rules; Editing Content Aware Rules; Copying Content Aware Rules; Exporting and importing Content Aware Rules; Undefining Content Aware Rules; Deleting Content Aware Rules. You can manage Content Aware Rules using DeviceLock Management Console, DeviceLock Group Policy Manager, or DeviceLock Service Settings Ed
405. k Management Console item is disabled when the DeviceLock Signing Tool has no previously loaded private key. Certificate Generation Tool: runs the special tool that allows you to generate DeviceLock Certificates. For more information, please read the Generating DeviceLock Certificates section of this manual. Create MSI Package: creates the custom Microsoft Software Installer (MSI) package with settings from the currently connected DeviceLock Service. At the first step, you need to select the source MSI package with DeviceLock Service. You may use MSI packages that ship with DeviceLock, such as DeviceLock Service.msi and DeviceLock Service x64.msi. Then you need to specify the name of the resultant (target) MSI package that will be generated based on the source MSI package specified at the first step and settings from the currently connected DeviceLock Service. Later, this custom MSI package can be used to deploy DeviceLock Service instances across the network with predefined policies. For more information on how to deploy DeviceLock Service using MSI, please read the Installation via Group Policy section of this manual. Note: If you use a custom MSI package with defined DeviceLock Service settings to deploy DeviceLock Service using Group Policy, these settings are not applied to client computers if any one of the following conditions is true: The default security is disabled on remotely running DeviceLock Services. The GPO applied
406. k Service as encrypted devices. For more information on encryption integration, please read the Encryption section of this manual. Read: to enable data reading from an encrypted device. Applies only to the Removable device type. Write: to enable data writing to an encrypted device. You can enable this right only if Read is selected in the Encrypted group. Applies only to the Removable device type. Format: to enable the formatting, checking and any other direct access of encrypted drives. You can enable this right only if Read is selected in the Encrypted group. Applies only to the Removable device type. Special Permissions: these rights only apply to the iPhone, Windows Mobile, Palm and Clipboard device types. The content types (Calendar, Contacts, Tasks, etc.) that are controlled by these rights for iPhone, Windows Mobile and Palm devices represent the same content types that exist in the iTunes, HotSync, Microsoft ActiveSync and WMDC applications. For Palm devices, you can enable any Write right only if the corresponding Read right is also enabled. Read Calendar: to enable reading the calendar on a mobile device from a PC. Write Calendar: to enable writing to a calendar on a mobile device from a PC. Read Contact: to enable reading contacts on a mobile device from a PC. Write Contact: to enable writing contacts from a PC to a mobile device. Read E-mail: to enable reading e-mails
407. k Service can detect PGP-encrypted removable storage devices and apply special encrypted permissions to them when the PGP Whole Disk Encryption product is installed on the computer where DeviceLock Service is running and Integration is enabled. For step-by-step instructions on how to install and use PGP Whole Disk Encryption with DeviceLock, please refer to the PGP DeviceLock Integration Guide created by PGP. For more information on PGP Whole Disk Encryption, please visit PGP's Web site (http www com products wholediskencryption index html). SafeDisk: DeviceLock Service can detect encrypted SafeDisk containers stored on USB flash drives and other removable media and apply special encrypted permissions to them if Integration is enabled. Using these encrypted permissions you can, for example, allow writing only to encrypted removable devices and deny writing to unencrypted media. For more information on ViPNet Safe Disk, visit the following Web site: http www infotecs biz Soft safe_disk htm. Note: To get access to SafeDisk containers and work with their contents, users should have at least read access to unencrypted Removable devices. SafeGuard: DeviceLock Service can detect Sophos SafeGuard Easy encrypted disks (USB flash drives and other removable media) and apply special encrypted permissions to them if Integration is enabled. Using these encrypted permissions you can, for example, allow writing o
408. k Service using the Custom option and selecting the DeviceLock Service component. [Screenshot: DeviceLock Setup, setup type page: with the recommended setup type, DeviceLock Service, DeviceLock Enterprise Server, DeviceLock Management Console and DeviceLock Group Policy Manager will be installed] [Screenshot: DeviceLock Setup, Custom Setup page: click an icon in the feature list to change how a feature is installed (installed on local hard drive, installed with all subfeatures, or not available)] Note: On the Custom Setup page, you can select the RSoP component to install. This component enables support for DeviceLock's Resultant Set of Policy planning mode on domain controllers. The RSoP component is required only when DeviceLock management consoles are installed but DeviceLock Service is not installed on the computer. For more information on RSoP planning mode, refer to the Microsoft documentation. On the Custom Setup page, you can change the default installation directory. By default, the DeviceLock installation directory is %ProgramFiles%\DeviceLock. To change the default installation directory, click Change to open the Change Current Destination Folder page. [Screenshot: DeviceLock Setup, Change Current Destination Folder page]
409. k Signing Tool. [Screenshot: DeviceLock Signing Tool, Device Code tab: Certificate Name DeviceLock Certificate 05/11/2006 01:26:52 PM; Device Code field; Device Class: Disk drives (Unique); Allowed Period: 1 day; Generate button and Unlock Code field] There are four simple steps to generating an Unlock Code for the user: 1. Load the corresponding DeviceLock Certificate (see above). 2. Enter the Device Code the user provides to you. As soon as the correct Device Code is entered, you can see the class of the device the user wants access to in the Device Class field. The device class information helps you to control what kind of device the user is going to use. If, for example, a user tells the administrator that he/she is going to use a USB scanner but actually is trying to obtain access to a USB flash drive, the administrator would recognize the discrepancy. There is also a field in round brackets showing whether the requested device can be authorized as a unique device (Unique) or can be authorized only as a model (Model), i.e. whether or not it has a serial number. If you authorize the device as a model, then the user is granted access to all devices of this model. For more information on this, please read the USB Devices White List section of this manual. 3. Select the period when the requested device will be allowed. In Allowed Period you can select several prede
410. l DeviceLock Content Security Server, connect to it using DeviceLock Management Console, change its settings and run search queries. Change: enables change access to DeviceLock Content Security Server. Users can install/uninstall DeviceLock Content Security Server, connect to it using DeviceLock Management Console, change its settings and run search queries, but they cannot add and remove users to and from the Server Administrators group or change access rights granted to Server Administrators. Read-only: enables read-only access to DeviceLock Content Security Server. Users can connect to DeviceLock Content Security Server using DeviceLock Management Console, run search queries and view settings, but they cannot modify any settings or create a new index for Search Server. Note: We strongly recommend that members of the Server Administrators group have local administrator privileges. To remove a user or group from the Server Administrators group, under Users, select the user or group, and then click Delete. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. 4. Click OK. Task: Change the service startup account or password. Over time, you might need to change the account that you specified as the service startup account for DeviceLock Content Security Server during the installation process. You can als
411. l Service / Uninstall Service: UDP 137 (this port must be opened only when a connection is established by the computer name; if an IP address is used, this port is not required); TCP 139 or TCP 445. Report Permissions / Auditing / Set Service Settings / Shadow Log Viewer: TCP 135 (this port is required only when the Dynamic ports connection is used); TCP <all ports above 1024> (these ports are required only when the Dynamic ports connection is used); TCP <custom port> (this port is required only when the Fixed port connection is used); UDP 137 (this port must be opened only when a connection is established by computer name; if an IP address is used, this port is not required). For information on how to use either the Dynamic ports or Fixed port connection in DeviceLock Enterprise Manager, see Setting Port. When a plug-in is connected to a remote computer, it may receive some of these error messages: The product version on the client and server machines does not match (7049): you are trying to connect to a computer where an old version of DeviceLock Service is installed. You should upgrade DeviceLock Service first using the Install Service plug-in. The network path was not found (53): you are trying to connect to a computer that either does not exist (the wrong name or IP address) or is not accessible. Make sure that the computer name you have specified is correct. Try to access this computer with Windows Explorer
412. l delivery of a report, you can use Server Log Viewer to determine the reason. For more information on Server Log Viewer, see Server Log Viewer. If your computer has anti-virus or anti-spam software installed and running, and an error occurs during the e-mail delivery of a report, the error information may not be reported in the DeviceLock Enterprise Server log. This behavior occurs because anti-virus and anti-spam products (for example, Symantec Norton AntiVirus) can automatically intercept e-mail traffic. For information about how your anti-virus or anti-spam program works, consult the manufacturer's documentation included with your program. Status: Possible values: Generating, Ready, Error. Generating indicates that the report is being generated. Ready indicates that the report was successfully completed. Error indicates that an error occurred while the report was being generated. If an error occurs while the report is being generated, you can do the following to determine the reason: Click the error report to display the error message. OR Use Server Log Viewer. For more information on Server Log Viewer, see Server Log Viewer. Refreshing Reports. Because current reports and the current status of reports are not updated automatically, you need to perform a refresh operation. To refresh reports: Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. In the co
413. l from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular Content Aware Rules, see Removing Offline Content Aware Rules. Managing offline Content Aware Rules involves the following tasks: Defining offline Content Aware Rules; Editing offline Content Aware Rules; Copying offline Content Aware Rules; Exporting and importing offline Content Aware Rules; Deleting offline Content Aware Rules; Undefining offline Content Aware Rules; Removing offline Content Aware Rules. Defining Offline Content Aware Rules. Content Aware Rules are created based on either the built-in or custom content groups. For detailed information on these groups, see Configuring Content Detection Settings. To define an offline Content Aware Rule: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration, and then expand DeviceLock. 2. Expand Devices. 3. Under Devices, do one of the following: Right-click Conten
414. l sent messages. Audit Connection: Enables audit logging of user attempts to connect to a Jabber server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log. Audit Incoming Messages, Outgoing Messages: Enables audit logging of user attempts to send and receive instant messages. The Chat action, the IDs of all IM participants, and the IP address with the port number and the name of the host are written to the log. The ID of the local participant precedes the ID of a remote participant. Shadowing Incoming Messages: Enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages. Shadowing Outgoing Messages: Enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all sent mes
415. lar state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console. Managing Offline Media White List. For a detailed description of the Media White List feature, see Media White List (Regular Profile). The offline Media White List can have one of the following states: Not Configured: Indicates that the white list is not defined. The following message is displayed: Offline Media White List is not configured. This is the default state. Configured: Indicates that the white list is defined. Use Regular: Indicates that the inheritance of the offline white list is blocked and the regular white list is enforced. Offline DeviceLock settings can have this state only in DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The enforcement of the regular white list is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of the regular white list lets you prevent the offline white list inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of the regular white list, see Removing Offline Media White List. Managing the offline Media White List involves the following tasks: Defining and editing the offline Media White List; Exporting and importing the offline Media White List
416. lbar. The Content Aware Rules (Offline) dialog box appears. 4. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group to which the rule that you want to copy is applied. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box. 5. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, right-click the rule you want to copy, and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you cut the rule, the rule will be cut only after you paste it. To perform a drag-and-drop operation, select the rule and move it to the user or group to which you want to apply the copied rule. 6. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears. 7. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule, and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content Aware Rules (Offline) dialog box. 8. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the users or groups
417. le 1 has the following columns: File Name: Shows a file name. Number of Files: Shows the number of copied files. Values in this column are sorted in descending order. Table 2 lists the top N (where N is a specific number) copied files by size. Table 2 has the following columns: File Name: Shows a file name. Data Size: Shows the total size of all copied files. Values in this column are sorted in descending order. Configuring E-mail Delivery of Reports. DeviceLock allows you to distribute reports through e-mail. E-mail delivery of reports requires a Simple Mail Transport Protocol (SMTP) server. Before you can use e-mail delivery of reports, you must specify which SMTP server will be used to send the e-mail messages and which e-mail address will be used as the sender address. To configure e-mail delivery of reports: 1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. 2. In the console tree, expand DeviceLock Enterprise Server. 3. Under DeviceLock Enterprise Server, right-click Reports, and then click Notification Settings. OR Select Reports, and then click Notification Settings on the toolbar. The Mail Server Parameter dialog box appears. [Screenshot: Mail Server Parameters dialog box with the Use e-mail notifications for reports check box and the SMTP host, Port and Sender Address fields] 4. In the Mail Server Parameter dialog box, do the following (USE THIS / TO DO THIS): Use
418. le any time you want. To edit a white list rule: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration, and then expand DeviceLock. 2. Expand Protocols. 3. Under Protocols, right-click White List, click Manage, and then do the following: a) In the left pane of the Protocols White List dialog box, under Users, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the white list rules applied to them under Rules in the right pane of the dialog box. b) In the right pane of the Protocols White List dialog box, under Rules, select the rule you want to edit, and then click Edit. OR Right-click the rule, and then click Edit. OR Under Protocols, expand White List, and then do the following: a) Under White List, select the user or group for which you want to edit the rule. By selecting users or groups, you can view the white list rules applied to them in the details pane. b) In th
419. le by a right mouse click. [Screenshot: DeviceLock Management Console File menu: Connect to Local Computer at Startup, Load Service Settings, Save Service Settings, Save & Sign Service Settings, Certificate Generation Tool, DeviceLock Signing Tool, About DeviceLock] When DeviceLock Group Policy Manager is used, you don't need to connect to any computer since it connects to the Group Policy Object. Also, you don't need to connect to the computer when modifying the policy in the XML file using DeviceLock Service Settings Editor. Activate the Service Options item. [Screenshot: DeviceLock Management Console with Service Options selected in the console tree; the details pane lists parameters such as DeviceLock Administrators (Disabled), USB/FireWire blocked message (Disabled), Expired message (Disabled), Log policy changes and Start/Stop events (Enabled), DeviceLock certificate (DeviceLock Certificate 05/11/2006) and Use Group Policy (Disabled)] Double-click the DeviceLock certificate parameter to open the configuration dialog box. [Screenshot: DeviceLock Certificate dialog box: Computer Name: Local Computer; Certificate Name: DeviceLock Certificate 05/11/2006 01:26:52 PM] Specify the path to the public key in the Certificate Name parameter if you want to install the certificate. You can use the but
420. lete, or press the DELETE key. In the lower left pane of the USB Devices White List (Offline) dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. In the upper pane of the USB Devices White List (Offline) dialog box, under USB Devices Database, select the device you want to add to the white list for the selected user or group, and then click Add. You can select multiple devices by holding down the SHIFT key or the CTRL key while clicking them. The devices that you added to the white list are displayed under Devices in the lower right pane of the dialog box. To delete a device from the white list for the selected user or group, in the lower right pane of the USB Devices White List (Offline) dialog box, under Devices, do the following: Select the device, and then click Delete. OR Right-click the device, and then click Delete. OR Select the device, and then press the DELETE key. To edit a device's description, in the lower right pane of the USB Devices White List (Offline) dialog box, under Devices, do the following: Select the device, and then click Edit. OR Right-click the device, and then click Edit. 11. Click OK or Apply. Exporting and Importing Offline USB Devices White List. You can export the offline USB Devices White List to a .whl file that you can
421. level. For more information on the enforcement of the regular white list, see Removing Offline USB Devices White List. Managing the offline USB Devices White List involves the following tasks: Defining and editing the offline USB Devices White List; Exporting and importing the offline USB Devices White List; Undefining the offline USB Devices White List; Removing the offline USB Devices White List. Defining and Editing Offline USB Devices White List. To define and edit the offline USB Devices White List: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration, and then expand DeviceLock. 2. Expand Devices. 3. Under Devices, do one of the following: Right-click USB Devices White List, and then click Manage Offline. OR Select USB Devices White List, and then click Manage Offline on the toolbar. The USB Devices White List (Offline) dialog box appears. [Screenshot: USB Devices White List (Offline) dialog box]
422. lgorithm. The algorithm used in the monitoring process is simple but effective: 1. First of all, DeviceLock Enterprise Server tries to scan the monitored computer to determine whether or not it is working. If the scan succeeds, then the computer receives the available status and computer monitoring continues. Otherwise, it receives the unavailable status and computer monitoring stops (the record is written to the monitoring log). 2. Then DeviceLock Enterprise Server tries to connect to DeviceLock Service. If the connection succeeds, then DeviceLock Service receives the available status and computer monitoring continues. Otherwise, it receives the unavailable status and computer monitoring stops (the record is written to the monitoring log). 3. If this task should verify DeviceLock Service policy integrity, then computer monitoring continues. Otherwise, computer monitoring stops (nothing logged). 4. DeviceLock Enterprise Server downloads the policy from DeviceLock Service and compares it with the master policy assigned to this task. If no difference is found, computer monitoring stops (nothing logged). If there is a difference between the two policies, then computer monitoring continues (the record is written to the monitoring log). 5. If this task should restore the broken policy, then DeviceLock Enterprise Server writes the master policy to DeviceLock Service and computer monitoring stops (the record is written to the monitoring log). Otherwise, comput
policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of higher-level offline audit and shadowing rules and enforce regular audit and shadowing rules on specific lower-level groups of client computers. To enforce regular audit and shadowing rules, you must remove offline audit and shadowing rules.

To remove offline audit and shadowing rules:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Auditing & Shadowing.
   When you select Auditing & Shadowing in the console tree, in the details pane you can view device types for which you can define audit and shadowing rules. In the details pane you can also view the current state of offline rules for each device type in the Offline column.
4. In the details pane, right-click the device type for which you want to remove offline audit and shadowing rules, and then click Remove Offline.
   You can remove audit and shadowing rules defined for several device types at the same time. To do this, do the following:
Click the DeviceLock Certificate parameter to open the configuration dialog box.

image: DeviceLock Enterprise Server settings dialog box (Certificate Name: DeviceLock Certificate 05/11/2006 01:28:52 PM; Remove and Cancel buttons; note that the accounts in the administrators list should have local administrator privileges)

Specify the path to the private key in the Certificate Name parameter if you want to install the certificate. You can use the button to select the file with a private key. To remove the private key, use the Remove button.
Press the OK button to close the configuration dialog box and apply changes.
For more information regarding installing the private key on DeviceLock Enterprise Server and DeviceLock Content Security Server, please read the Installing DeviceLock Enterprise Server and Installing DeviceLock Content Security Server sections of this manual.

DeviceLock Signing Tool

Overview

The DeviceLock Signing Tool is used to grant users temporary access to requested devices and sign XML files containing DeviceLock Service settings exported from DeviceLock Management Console or DeviceLock Group Policy Manager.
To run the DeviceLock Signing Tool, select DeviceLock Signing Tool from the File menu in DeviceLock Enterprise Manager or from the context menu in DeviceLoc
clicking them.
• Load: Import a list of keywords from a tab-delimited text file.
6. Click OK to close the Add Keywords Group dialog box.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Pattern Content Groups

Pattern groups let you control access to text files using patterns of text described by Perl regular expressions. Patterns provide a flexible and powerful way to automatically detect potentially sensitive content (for example, credit card numbers, Social Security numbers, e-mail addresses and phone numbers) within documents. For more information on creating and using Perl regular expressions, refer to the Perl regular expressions quick start tutorial and Perl regular expressions tutorial.
By defining rules based on Pattern groups, you can, for example, prevent certain users or groups from writing documents containing credit card numbers to Removable and Floppy devices. You can also turn off shadow copying of documents that do not contain credit card numbers.
DeviceLock includes 45 predefined (built-in) Pattern groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create their editable copies (duplicates), or create your own content groups to suit your particular
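What a credit-card Pattern group does when it classifies a document, as an added example (not one of DeviceLock's built-in groups and not the product's matching engine). Python's `re` module stands in for Perl regular expressions here; the pattern uses only constructs both dialects share. The Luhn check is a common refinement that a plain regular expression cannot express, and it is the reason the constructed reference number in the sample text is not reported:

```python
import re

# A 13 to 19 digit card number whose groups may be separated by single
# spaces or dashes.  The look-around assertions stop the pattern from
# matching the middle (or a prefix) of a longer digit run.
CARD_PATTERN = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops most digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the normalised (separator-free) card numbers found in text."""
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    """The verdict a rule would act on: 'match' means the group applies."""
    return "match" if find_card_numbers(text) else "no match"


# Constructed sample document: 4111 1111 1111 1111 is a widely used test
# number that passes Luhn; the 16-digit reference number does not.
SAMPLE_TEXT = (
    "Invoice 20240501 for order 987654321.\n"
    "Card 4111 1111 1111 1111, exp 12/29. Ref 1234567812345678.\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE_TEXT), find_card_numbers(SAMPLE_TEXT))
```

A rule built on such a group would then deny the write (or switch shadow copying on or off) for documents whose verdict is "match", as the paragraph above describes.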
log.
• Audit: Incoming Messages, Outgoing Messages. Enables audit logging of user attempts to send and receive instant messages. The Chat action, the ID of the local participant, the IP address with the port number, and the name of the host are written to the log.
• Shadowing: Incoming Messages. Enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages.
• Shadowing: Outgoing Messages. Enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all sent messages.

Yahoo Messenger
• Audit: Connection. Enables audit logging of user attempts to connect to the Yahoo Messenger server. The Connection action, the IP address with the port number, the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name i
log.
• Shadowing Write (Non-files)

• Audit Read, Audit Write/Print: Print action, documents and printer names write to the audit log.
• Audit Execute, Audit Read (Non-files), Audit Write (Non-files), Audit Copy
• Shadowing Write/Print: All data sent to the printer is written to the shadow log in the native print spooler format.
• Shadowing Write (Non-files)

DEVICE TYPE: Removable
RIGHTS:
• Audit Read: Open, Mount, Unmount and Direct Access actions, file names and flags (Read, DirectRead, Eject, DirList) write to the audit log.
• Audit Write/Print: Open (Open/Create, Overwrite/Create), Direct Access, Delete, Rename and Create new actions, file names and flags (Write, DirectWrite, Format, Del, DirCreate) write to the audit log.
• Audit Execute, Audit Read (Non-files), Audit Write (Non-files), Audit Copy
• Shadowing Write/Print: Files are written to the shadow log.
• Shadowing Write (Non-files)

DEVICE TYPE: Serial port
RIGHTS:
• Audit Read: Mount, Unmount, Insert, Remove and Device Access actions write to the audit log.
• Audit Write/Print: Mount, Unmount, Insert, Remove and Device Access actions write to the audit log.
• Audit Execute, Audit Read (Non-files), Audit Write (Non-files), Audit Copy
• Shadowing Write/Print: All data sent to the port is written to the shadow log.
• Shadowing Write (Non-files)

DEVICE TYPE: Tape
RIGHTS:
• Audit Read
lower-right pane of the Media White List (Offline) dialog box, under Media, do the following:
• Select the medium, and then click Edit.
OR
• Right-click the medium, and then click Edit.
Click OK or Apply.

Exporting and Importing Offline Media White List

You can export the offline Media White List to a .mwil file that you can import and use on another computer. Exporting and importing can also be used as a form of backup.

To export the offline Media White List:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   • Right-click Media White List, and then click Save Offline.
   OR
   • Select Media White List, and then click Save Offline on the toolbar.
   OR
   • Expand Media White List, right-click any user or group specified in the white list, and then click Save Offline.
   OR
   • Expand Media White List, and then sele
column are sorted in descending order.

Top active users: This report shows the most active users sorted according to the number of allowed and denied access requests sent by each user. By default, the report lists the first 10 users, but you can specify any number of users.
The report consists of three sections: the Report Header, Report Parameters and Report Results.
The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type.
The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
• Period from ... to: Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
• Computer(s): Shows the computers that were specified for the report.
• Channel(s): Shows the device types and/or protocols that were specified for the report.
The Report Results section contains two tables with detailed results of the report. Table 1 lists the top N (where N is a specific number) users having allowed access. Table 2 lists the top N (where N is a specific number) users having denied access. These tables have the following columns:
• User Name: Shows a user name.
• Access Count: Shows the number of access requests. Values in this colu
columns.

This report shows the most frequently used computers sorted according to the number of allowed and denied access requests. By default, the report lists the first 10 computers, but you can specify any number of computers.
The report consists of three sections: the Report Header, Report Parameters and Report Results.
The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type.
The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
• Period from ... to: Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
• Channel(s): Shows the device types and/or protocols that were specified for the report.
The Report Results section contains two tables with detailed results of the report. Table 1 lists the top N (where N is a specific number) computers having allowed access. Table 2 lists the top N (where N is a specific number) computers having denied access. These tables have the following columns:
• Computer Name: Shows a computer name.
• Access Count: Shows the number of access requests. Values in this co
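How the two "top N" reports described above (most active users, most frequently used computers) are computed from audit records, as an added example that is not DeviceLock's own reporting code. The tab-separated log lines, host names, user names and channel names are constructed for the demo; the period and channel filters correspond to the Report Parameters, and the two returned tables correspond to Table 1 (allowed access) and Table 2 (denied access), sorted by Access Count in descending order:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    received: datetime   # when the server received the record
    computer: str
    user: str
    channel: str         # device type or protocol
    allowed: bool        # True = allowed access, False = denied access


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_record(line: str) -> AuditRecord:
    """Parse one constructed line: time, computer, user, channel, result (tab-separated)."""
    ts, computer, user, channel, result = line.rstrip("\n").split("\t")
    return AuditRecord(_parse_ts(ts), computer, user, channel, result == "Allowed")


# Constructed sample audit log (not real DeviceLock output).
SAMPLE_LOG = """\
2023-03-01 09:00:00\tWS-01\talice\tRemovable\tAllowed
2023-03-01 09:05:00\tWS-01\talice\tRemovable\tAllowed
2023-03-02 10:00:00\tWS-01\talice\tUSB\tAllowed
2023-03-02 10:01:00\tWS-01\talice\tRemovable\tDenied
2023-03-03 11:00:00\tWS-02\tbob\tRemovable\tAllowed
2023-03-03 11:02:00\tWS-02\tbob\tRemovable\tDenied
2023-03-03 11:03:00\tWS-02\tbob\tFTP\tDenied
2023-03-04 12:00:00\tWS-03\tcarol\tFTP\tAllowed
2023-04-15 12:00:00\tWS-03\tcarol\tFTP\tAllowed
"""


def top_n(records: Iterable[AuditRecord], group_by: str, n: int = 10,
          period: Optional[Tuple[str, str]] = None,
          channels: Optional[Set[str]] = None):
    """Return (allowed_table, denied_table) of (name, access_count) for the top N.

    group_by -- "user" (Top active users) or "computer" (Top active computers)
    period   -- optional inclusive ("YYYY-MM-DD HH:MM:SS", "YYYY-MM-DD HH:MM:SS") bounds
    channels -- optional set of device types / protocols to keep
    """
    start = _parse_ts(period[0]) if period else None
    end = _parse_ts(period[1]) if period else None
    allowed, denied = Counter(), Counter()
    for r in records:
        if start and not (start <= r.received <= end):
            continue
        if channels and r.channel not in channels:
            continue
        (allowed if r.allowed else denied)[getattr(r, group_by)] += 1

    def rank(counter: Counter) -> List[Tuple[str, int]]:
        # Descending by count; ties broken by name so the output is stable.
        return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

    return rank(allowed), rank(denied)


def report(group_by: str, **filters):
    """Run top_n over the constructed sample log."""
    records = [parse_record(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return top_n(records, group_by, **filters)


if __name__ == "__main__":
    print("Top active users:", report("user"))
    print("Top active computers:", report("computer"))
```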
manually. If you wish to reset current settings to the default values, click Restore Defaults. Default values are:
• The Maximum log size parameter is set to 10000 records.
• The Overwrite events older than option is selected and set to 7 days.
If there is no space for new records in the audit log and there is nothing to delete, DeviceLock Enterprise Server does not remove audit data from remote users' computers. This prevents you from losing the audit data due to lack of space in the log. When some space becomes available in the log, DeviceLock Enterprise Server moves the remaining audit data from users' computers to this log.

Audit Log Filter (Server)

You can filter data in Audit Log Viewer so that only records that meet specified conditions are displayed in the list. To open the Filter dialog box, use Filter from the context menu of Audit Log Viewer or press the appropriate button on the toolbar.

image: Filter dialog box of the server's Audit Log Viewer (Include and Exclude tabs; Event types; Computer, Name, Source, Service, Action, User, Process and Event ID fields; Generated Date/Time and Received Date/Time ranges, From (first event) To (last event))

There is not much difference between the service's audit log filter and the server's audit log filter, so first read the Audit Log Filter (Service) section of thi
administrator is going to manage DeviceLock's settings and run reports. It is not necessary to install management consoles on the server (domain controller or others) even if you are going to use DeviceLock Group Policy Manager to manage settings via Active Directory Group Policy; you can do it from your local workstation (proper privileges required).

Note: In order to use DeviceLock Management Console (the MMC snap-in) and DeviceLock Service Settings Editor on computers with Windows NT 4.0, you should install the Microsoft Management Console update. You can download this update for free from Microsoft's Web site: http://www.microsoft.com/downloads/details.aspx?familyid=3F620A07-C996-4A81-AAD8-30134A43EC46&displaylang=en

Run Setup (setup.exe) and follow the instructions that appear on the screen.

image: DeviceLock Setup welcome dialog ("This program will install DeviceLock version 7.0.0 RC Build 26667 on your computer"; it recommends exiting all Windows programs before running Setup, with Cancel to quit and Next to continue)
Comma Delimited (CSV).
If you export information into an external file, you will not be able to load it back to DeviceLock Enterprise Manager, because DeviceLock Enterprise Manager can open and load only files of its own format. However, the ability to export into an external file is useful when you wish to exchange data between DeviceLock Enterprise Manager and other applications.

Comparing Data

DeviceLock Enterprise Manager allows you to track changes on network computers by comparing two previously saved projects. Tracking changes is important when managing a wide range of computers on one network.
DeviceLock Enterprise Manager provides a very useful and intuitive Wizard to compare two ANM files. To open this Wizard, select Compare from the File menu.
There are three simple steps which enable you to compare two files using the Compare Wizard:
1. The first step is to select the files you want to compare.
   image: Select Projects To Compare page of the Compare Wizard
   Select the first file and then select the second file by using the ellipsis buttons. Please note that you can compare files of the same type only. For example, you cannot compare information received from the Report Permissions/Auditing plug-in with information from the Report PnP Devices plug-in. When you have selected two files, press the Next button to go to the Wizard's next page.
2. The second step is to select the columns you wish to include in the
column.
4. In the details pane, do one of the following:
   • Right-click the device type for which you want to set or edit permissions, and then click Set Offline Permissions.
   OR
   • Select the device type for which you want to set or edit permissions, and then click Set Offline Permissions on the toolbar.
   The Permissions (Offline) dialog box appears.
   image: Permissions (Offline) dialog box (Device Type: Removable; Computer Name: Local Computer; Users: Not Configured)
5. In the Permissions (Offline) dialog box, do the following:

TO DO THIS / FOLLOW THESE STEPS

To set the default permissions:
• In the upper-left pane of the dialog box, under Users, click Set Default. The default permissions are assigned to the Administrators, Everyone and SYSTEM accounts. For information about which permissions are set for these accounts by default, see Permissions (Regular Profile).

To set permissions for an additional user or group:
1. In the upper-left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
2. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper-left pane of the Permissions (Offline) dialog box.
3. In the upper-left pane of the Permissions (Offline)
column are sorted in descending order.

Top inserted USB & FireWire devices: This report shows the most frequently inserted USB and FireWire devices sorted according to the number of the Insert actions. By default, the report lists the first 10 devices, but you can specify any number of devices.
The report consists of three sections: the Report Header, Report Parameters and Report Results.
The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type.
The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
• Period from ... to: Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
• Computer(s): Shows the computers that were specified for the report.
• User(s): Shows the users that were specified for the report.
The Report Results section contains a table with detailed results of the report. This table has the following columns:
• Device Name: Shows a device name.
• Insert Count: Shows the number of the Insert actions. Values in this column are sorted in descending order.

Top used USB devices: This report sho
move them to the right list by clicking the > button. If you need to exclude some computers from the monitoring process, select them in the right list and then click the < button. By using the >> and << buttons you can add and remove all available computers at the same time (no need to select computers in the list).
   There are several flexible ways to choose network computers from the left list:
   • Computers: you browse the network tree and select computers.
   • From File: you load a predefined list of computers from an external text file and then select the computers. To open an external file, click the button. A text file must contain each computer's name or IP address on a separate line and can be either Unicode or non-Unicode.
   • Manual: you type computer names manually to select the computers. Each computer's name or IP address must be typed on a separate line.
2. Dynamic list: instead of computer names or IP addresses, the dynamic list contains a path to the container (for example, an organizational unit) in the directory service tree, such as Active Directory, Novell eDirectory, OpenLDAP and so on. Each time the task is executing, DeviceLock Enterprise Server retrieves all the computers that currently exist in this container. Hence, if some computer was removed from the directory tree or moved to another container, it will not be monitored anymore. And vice versa, if ther
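A reader of the "From File" list format described above (one computer name or IP address per line, Unicode or non-Unicode), as an added example that is not DeviceLock's own loader. The byte-order-mark handling, the ANSI code page fallback (cp1252 is an assumption), the hostname syntax check and the de-duplication are this example's own choices; they show the checks worth making before a hand-maintained list drives a monitoring task:

```python
import ipaddress
import re

# RFC 1123 style host name: labels of 1-63 letters, digits or hyphens that do
# not start or end with a hyphen, joined by dots, 253 characters at most.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def decode_computer_list(data: bytes) -> str:
    """Accept Unicode (UTF-16 or UTF-8, with BOM) as well as non-Unicode (ANSI) files."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")          # the BOM selects the byte order
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("cp1252")          # assumption: Western ANSI code page


def parse_computer_list(data: bytes):
    """Return (entries, rejected): normalised names/addresses and the lines refused."""
    entries, rejected, seen = [], [], set()
    for raw in decode_computer_list(data).splitlines():
        entry = raw.strip()
        if not entry:
            continue                          # blank lines carry nothing
        try:
            entry = str(ipaddress.ip_address(entry))   # IPv4 or IPv6, canonical form
        except ValueError:
            if not _HOSTNAME.match(entry):
                rejected.append(raw)          # neither an address nor a valid name
                continue
            entry = entry.lower()             # host names are case-insensitive
        if entry not in seen:                 # a host listed twice is monitored once
            seen.add(entry)
            entries.append(entry)
    return entries, rejected


if __name__ == "__main__":
    # Constructed sample: a Unicode (UTF-16, BOM) file as a text editor would save it.
    sample = "WS-01\r\n10.0.0.5\r\nws-01\r\nbad host\r\n".encode("utf-16")
    print(parse_computer_list(sample))
```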
Compare from the context menu or press the appropriate button on the toolbar.

image: project list with its context menu (Compare, Project, Filter, View Mode, Enable Grid, Delete project(s)); each saved project is listed with its date and time

Please note that you may select only two projects and both projects must be of the same type.
DeviceLock Enterprise Manager provides two buttons on the Compare toolbar which help you to easily navigate through the compare result. Press the < button to select the previous record in the compare result that contains changes. Press the > button to select the next record in the compare result that contains changes.
You can also save the compare result to an external ANM file or export it into MS Excel or the text file (TXT and CSV). Select Save As from the File menu or press the appropriate button on the Main toolbar to save or export the compare result.

image: Main Toolbar

As with any other DeviceLock Enterprise Manager file, the saved compare result can be opened and loaded to DeviceLock Enterprise Manager. To load the previously saved compare result, you can select Open from the File menu or press the appropriate button on the Main Toolbar. You will need to specify a file you want to open. You can load files of ANM type only.

Filtering Data
Templates.
Please note that using RSoP you cannot modify the policy; all parameters are in the read-only mode.
RSoP is very useful when you need to understand which particular GPO will be applied to the computer. For more information on Resultant Set of Policy, please refer to Microsoft's on-line article: http://technet.microsoft.com/en-us/library/cc775741(WS.10).aspx

DeviceLock Service Settings Editor

Overview

DeviceLock Service Settings Editor is used for creating and modifying external XML files with settings, permissions, audit and shadowing rules for DeviceLock Service. DeviceLock Service Settings Editor installs together with the other management consoles.

image: DeviceLock Service Settings Editor window with the DeviceLock Service context menu open (Undefine entire policy, Load Service Settings, Save Service Settings, Save & Sign Service Settings, Certificate Generation Tool, DeviceLock Signing Tool, About DeviceLock, Help); the console tree shows Service Options, Devices (Permissions, Auditing & Shadowing, USB Devices White List, Media White List, Security Settings), Protocols and other nodes

There is almost no difference between the procedures for defining policies via DeviceLock Management Console versus via DeviceLock Service Settings Editor. For more information, see Managing DeviceLock Service. In compa
n. In the details pane, do one of the following:
• Right-click the protocol for which you want to set or edit permissions, and then click Set Permissions.
OR
• Select the protocol for which you want to set or edit permissions, and then click Set Permissions on the toolbar.
You can select several protocols for which you want to set the same permissions by holding down the SHIFT key or the CTRL key while clicking them.
Note: When selecting several protocols that have different access rights, consider the following:
• The Permissions dialog box displays only those access rights that are common to all selected protocols.
• If all access rights displayed in the Permissions dialog box are allowed for the specified users, these users will have full access to the selected protocols.
• If all access rights displayed in the Permissions dialog box are denied for the specified users, these users will have no access to the selected protocols.
• Some access rights depend on other rights. If you grant a right that requires another right, the required right is granted automatically. For example, if you grant only the Generic: Outgoing Files right for the Social Networks and Web Mail protocols, the following rights are granted automatically: Generic: Send/Receive Data, Generic: Outgoing Messages, Generic: Outgoing Files.
The Permissions dialog box appears.

image: Permissions dialog box (Protocol(s): FTP; Computer Name: L
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Permissions.
   When you select Permissions in the console tree, in the details pane you can view protocols for which you can set permissions. In the details pane you can also view the current state of offline permissions for each protocol in the Offline column.
4. In the details pane, right-click the protocol for which you want to remove offline permissions, and then click Remove Offline.
   You can remove offline permissions set for several protocols at the same time. To do this, do the following:
   a. In the details pane, select several protocols by holding down the SHIFT key or the CTRL key while clicking them.
   b. Right-click the selection, and then click Remove Offline.
The offline state of the permissions changes to Use Regular. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Audit and Shadowing Rules for Protocols

For a detailed description of the Auditing & Shadowing feature for protocols, see Managing Audit and Shadowing Rules for Protocols.
Offline audit and shadowing rules can have one of the following states:
• Not Configured: Indicates that audit and shadowing rules are not defined for a protocol
n and identification of data files is based on the specified keywords or phrases. Pattern indicates that recognition and identification of data files is based on the specified patterns of text described by Perl regular expressions. Document Properties indicates that recognition and identification of files is based on their properties. Complex indicates that recognition and identification of data files is based on the specified content described by a Boolean expression.
• Action(s): Shows which user actions are allowed or disallowed on files and which user actions are logged to the shadow log.
• Applies To: Possible values: Permissions, Shadowing, and Permissions, Shadowing. Permissions indicates that the rule applies to access control operations. Shadowing indicates that the rule applies to shadow copy operations. Permissions, Shadowing indicates that the rule applies to both access control and shadow copy operations.
• Device Type(s): The device type(s) to which the rule applies.
• Profile: Possible values: Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Content-Aware Rules for the same user or sets of users. For information about how to define online Content-Aware Rules, see Managing Content-Aware Rules.

Editing Offline Content-Aware Rules

You can modify th
n on how to install DeviceLock Enterprise Server, please read the Installing DeviceLock Enterprise Server section of this manual.

Log Policy changes and Start/Stop events

You can enable the logging of changes in the DeviceLock Service's configuration and report the time when DeviceLock Service starts and stops. It is possible to log changes in permissions, audit rules, white lists and in other settings.
To allow this logging, enable the Log Policy changes and Start/Stop events parameter.

DeviceLock Certificate

Use this parameter to install or remove a DeviceLock Certificate.

image: DeviceLock Certificate dialog box (Computer Name: Local Computer; Certificate Name: DeviceLock Certificate 05/11/2006 01:28:52 PM; Remove button)

Specify the path to the public key in the Certificate Name parameter if you want to install the certificate. You can use the button to select the file with a public key. To remove the public key, use the Remove button.
For more information about DeviceLock Certificates, please read the DeviceLock Certificates section of this manual.

Use Group Policy

If DeviceLock Service is configured to work with Group Policy in an Active Directory domain, you can control the effective policy mode: Group Policy or Local Policy.
To activate the Group Policy mode for this DeviceLock Service, enable the Use Group Policy parameter. In this mode, all settings that you set via DeviceLock
n the details pane, select any Security Setting, and then click Manage Offline on the toolbar.
   When you select Security Settings in the console tree, they are displayed in the details pane.
   The Security Settings (Offline) dialog box appears.
In the Security Settings (Offline) dialog box, return the appropriate check boxes to the indeterminate state.
Note: All check boxes in the Security Settings (Offline) dialog box have three states (selected, cleared and indeterminate) that correspond to the Enabled, Disabled and Not Configured states of Security Settings.

Removing Offline Security Settings

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of higher-level offline Security Settings and enforce regular Security Settings on specific lower-level groups of client computers. To enforce regular Security Settings, you must remove offline Security Settings. You can remove only individual Security Settings.

To remove offline Security Settings:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then exp
n the shadow log as a file and can be saved to the local computer as a file too.
When a user has written data to a CD/DVD disk, all data is stored in a shadow log as a single CD/DVD image (one image per each written CD/DVD disk or session) in the CUE format.
CD/DVD images, as well as other data that originally was not transferred as files (direct media access or serial/parallel ports transfer), have auto-generated names based on the action's type, drive's letter or device's name, and time/date (for example, direct_write E 19 18 29 17 07 2006.bin).
Each CD/DVD image is saved to the local computer as two files: the data file with the .bin extension (for example, direct_write E_ 19_18 29 17_07_2006.bin) and the cue sheet file that has the same name as its data file with the .cue extension (for example, direct_write E_ 19_18 29 17_07_2006_bin.cue). Both files are necessary to open the CD/DVD image in an external application that supports the CUE format, such as Cdrwin, Nero, DAEMON Tools, IsoBuster, UltraISO, WinISO and many others.

Save As Raw Data

When you select a record that contains the data originally written as an additional session to a multi-session CD/DVD disk, the Save As Raw Data item is available in the context menu. It allows you to save the data to the local computer as is, without fixing references to the data in previous sessions. If you are using the regular saving function
In the upper pane of the Content-Aware Rules dialog box, under Content Database, select any built-in group you want to duplicate, and then click Duplicate.
5. In the dialog box that opens, edit the content group as required, and then click OK.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Editing and Deleting Custom Content Groups

You can modify or delete custom content groups at any time.

To edit or delete a custom content group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
   • Right-click Content-Aware Rules, and then click Manage.
   OR
   • Select Content-Aware Rules, and then click Manage on the toolbar.
   The Content-Aware Rules dialog box appears.
4. In the upper pane of the Content-Aware Rules
446. nd audit logs stored in the centralized database. DeviceLock can automatically recognize, index, search and display documents in many formats, such as Adobe Acrobat (PDF), Ami Pro, Archives (GZIP, RAR, ZIP), Lotus 1-2-3, Microsoft Access, Microsoft Excel, Microsoft PowerPoint, Microsoft Word, Microsoft Works, OpenOffice (documents, spreadsheets and presentations), Quattro Pro, WordPerfect, WordStar and many others. In addition to the standard per-computer way of managing permissions, DeviceLock also provides you with a more powerful mechanism: permissions and settings can be changed and deployed via Group Policy in an Active Directory domain. Tighter integration into the Active Directory is a very important function of DeviceLock. It makes DeviceLock's permissions management and deployment easier for large networks and more convenient for system administrators. Integration into the Active Directory eliminates the need to install more third-party applications for centralized management and deployment. DeviceLock does not need to have its own server-based version to control the entire network; instead, it uses standard functions provided by the Active Directory. DeviceLock consists of three parts: the agent (DeviceLock Service), the server (DeviceLock Enterprise Server and DeviceLock Content Security Server) and the management console (DeviceLock Management Console, DeviceLock Group Policy Manager or DeviceLock Enterprise Manager). Overview
447. [screenshot: Temporary White List Authorization Tool, Import Service Settings page] There are five simple steps for the user to request and obtain temporary access to a device: 1. Plug the needed device into the USB port. 2. Select the device from the list of all available USB devices. [screenshot: DeviceLock Temporary White List Authorization Tool, "Select a device you want to obtain access to" list showing a USB Mass Storage Device] 3. Contact an Administrator and tell him/her the name of the certificate and the Device Code. Please note that the Device Code is only valid within 24 hours of the time it was generated by the applet. [screenshot: DeviceLock Temporary White List Authorization Tool, page showing the Certificate Name and Device Code to quote to the Administrator, the fields for entering the Unlock Code, and the "Reinitialize the device before granting access" check box] 4. Enter an Unlock Code received from the Administrator. If it is necessary to force the requested device to reinitialize (replug) before allowing access to it, select the Reinitialize device before granting access check b
448. nd/or modify them after the server has been installed and is functioning. Note: You must be a member of the Server Administrators group and have sufficient rights to manage and use DeviceLock Content Security Server. Before you can use DeviceLock Management Console, you must connect it to the computer on which DeviceLock Content Security Server is installed and running. To do so, in the console tree, right-click DeviceLock Content Security Server and then click Connect. For more information, see Connecting to Computers. With DeviceLock Management Console you can perform the following configuration tasks: configure which users have access to DeviceLock Content Security Server; change the startup account information, such as the account name or the password, for the DeviceLock Content Security Server service; install or remove the DeviceLock Certificate used to authenticate communications between DeviceLock Content Security Server and DeviceLock Enterprise Server; change the TCP port that DeviceLock Content Security Server uses to connect to DeviceLock Management Console. You can perform these tasks individually or collectively. To perform the tasks collectively, you can use the DeviceLock Content Security Server wizard. This is the wizard that starts automatically when you install or upgrade DeviceLock Content Security Server. To perform configuration tasks collectively: 1. In the console tree, expand DeviceLock Content Secur
449. nd then click Refresh on the toolbar, OR in the console tree select Current Activity; in the details pane, in the Name column, right-click any name of DeviceLock Enterprise Server or Merge Index and then click Refresh, OR in the console tree select Current Activity; in the details pane, select the name of any DeviceLock Enterprise Server or Merge Index and then click Refresh on the toolbar. Using Search Server. Using Search Server involves the following: performing a full-text search operation; working with search results. Performing a Full-Text Search Operation. With Search Server you can locate every occurrence of a word or phrase in the DeviceLock Enterprise Server database. Because most searches return a large number of results, you can set search options to fine-tune and optimize your search. Search options specify how search results should be returned. Using search options, you can specify how many search results to return per page and how to filter the search results that are retrieved. Search results can be filtered by date and log. For example, you can limit the number of results to those within a certain date range and to those that are retrieved from certain logs. Here are some notes to consider when using full-text search: Searches are not case-sensitive. You can search for words and phrases and use familiar wildcards such as asterisks and question ma
450. nd time, but you can type any other name. 2. Define the path and file names for private and public keys. [screenshot: DeviceLock Certificate Generation Tool, Path to the Public key and Path to the Private key fields, both under C:\Program Files\DeviceLock] As soon as the DeviceLock Certificate is generated, you can start deploying the public key to users' computers. Note: A newly generated DeviceLock Certificate does not automatically install on computers from the Certificate Generation Tool. You must deploy it manually from a DeviceLock management console. Installing/Removing DeviceLock Certificate. To install/remove the public key on/from user computers running DeviceLock Services, you can use any DeviceLock management console. DeviceLock Enterprise Manager: In the Scan Network dialog box, select the computers targeted for installation/removal of the public key and select the Set Service Settings plug-in. [screenshot: Scan Network dialog box, computers selected from the LDAP tree, with the plug-in list (Audit Log Viewer, Install Service, Report Permissions/Auditing, Report PnP Devices, Set Service Settings, Shadow Log Viewer) and Set Service Settings selected]
451. nded audit's feature called data shadowing: the ability to mirror all data copied to external storage devices or transferred through serial and parallel ports. A full copy of the data is logged. The shadow log is stored locally in the special directory (see Service Options) and then can be transferred to the DeviceLock Enterprise Server specified in Service Options to store it in the SQL database. To view the locally stored shadow log, use DeviceLock Management Console's built-in Shadow log viewer. For more information, see Shadow Log Viewer (Service). To view the shadow log stored on DeviceLock Enterprise Server, use the server's shadow log viewer. Note: You can define different online vs. offline audit and shadowing rules for the same user or sets of users. Online audit and shadowing rules (Regular Profile) apply to client computers that are working online. Offline audit and shadowing rules (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline audit and shadowing rules, see Managing Offline Audit and Shadowing Rules. To define online (regular) audit and shadowing rules for a device type, highlight it (use Ctrl and/or Shift to select several typ
452. ng: a) In the details pane, select multiple reports by holding down the SHIFT key or the CTRL key while clicking them. b) Right-click the selection, point to Save As, and then click any of the following options: HTML, PDF, RTF. The Browse for folder dialog box appears. c) In the Browse for folder dialog box, select the folder in which you want to save the reports and then click OK. Sending Reports Through E-mail. DeviceLock provides the ability to send generated reports through e-mail. To send generated reports through e-mail: 1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. In the console tree, expand DeviceLock Enterprise Server. Under DeviceLock Enterprise Server, expand Reports. Expand Audit Log or Shadow Log. Under Audit Log or Shadow Log, select the report template that you used for generating the report you want to send through e-mail. When you select a report template in the console tree, you can view the reports associated with it in the details pane. In the details pane, right-click the report you want to send and then click Send via e-mail. You can select multiple reports by holding down the SHIFT key or the CTRL key while clicking them. The Send report via e-mail dialog box appears. In the Send report via e-mail dialog box, in the Recipients box, type the e-mail addresses of the recipients separated by commas
453. ng: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Devices. Under Devices, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view device types for which you can define audit and shadowing rules. In the details pane you can also view the current state of offline rules for each device type in the Offline column. 4. In the details pane, right-click the device type for which you want to undefine offline audit and shadowing rules and then click Undefine Offline. You can undefine audit and shadowing rules defined for several device types at the same time. To do this, do the following: a) In the details pane, select several device types by holding down the SHIFT key or the CTRL key while clicking them. b) Right-click the selection and then click Undefine Offline. The offline state of the audit and shadowing rules changes to Not Configured. Removing Offline Audit and Shadowing Rules. If you deploy DeviceLock po
454. ng & Shadowing, OR select the protocol for which you want to define or edit rules and then click Set Auditing & Shadowing on the toolbar, OR double-click the protocol for which you want to define or edit rules. The Auditing & Shadowing dialog box appears. [screenshot: Auditing & Shadowing dialog box for the FTP protocol on the local computer, with the Audit Allowed and Audit Denied check boxes, the Users pane, and the Rights pane listing Audit, Incoming Files and Outgoing Files] In the Auditing & Shadowing dialog box, do the following. To define the default audit and shadowing rules: 1. In the upper left area of the dialog box, specify which events are written to the Audit Log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol. 2. In the upper left pane of the dialog box, under Users, click Set. Further rows of the same table (their steps are not present in this extract): To define audit and shadowing rules for an additional user or group; To change audit and shadowing rules for an existing user or group; To remove an existing user or group and rules. 6. Click OK or Apply. Default: The default audit and shadowing rules apply to the Users and Everyone groups. For information about which Audit and Shadowing rights are set for these accounts by
455. ng online. Offline Profile: These settings are used by client computers that are working offline, for example when corporate users travel with laptop computers. If offline profile settings are not configured, regular profile settings are used instead. You can use different regular vs. offline profiles for Permissions, Auditing and Shadowing, USB Devices White List, Media White List, Protocols White List, Content Aware Rules and Security Settings. You can manage offline profile settings using DeviceLock Management Console, DeviceLock Service Settings Editor or DeviceLock Group Policy Manager. The following examples describe typical scenarios in which you are likely to set different online vs. offline security policies to better protect your corporate data. Scenario 1: Suppose you have a Finance group in your organization. As an administrator, you can allow members of this group to write files to Removable, DVD/CD-ROM, USB and Floppy devices when they work online. Their online activity will be audited, any copied files will be shadow-copied, and audit and shadow logs will be sent to DeviceLock Enterprise Server. When offline, members of the Finance group will be denied write access. These security policies let you monitor the activity of the Finance group members in real-time mode. By examining audit and shadow logs on DeviceLock Enterprise Server (often on a daily basis), you can respond promptly and appropriately when a data leakage inciden
456. ng Offline Protocols White List. To define the offline Protocols White List: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Protocols. Under Protocols, do one of the following: right-click White List and then click Manage Offline, OR select White List and then click Manage Offline on the toolbar. The Protocols White List (Offline) dialog box appears. [screenshot: Protocols White List (Offline) dialog box] In the left pane of the Protocols White List (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the Protocols White List and then click OK. The users and groups that you added are displayed under Users in the left pane of the Protocols White
457. ng these settings, please read the Installing DeviceLock Enterprise Server section of this manual. As soon as Setup has installed DeviceLock, it suggests that you point your default Internet browser to the DeviceLock Web site. [screenshot: DeviceLock Setup, Installation Wizard Completed page ("The Installation Wizard has successfully installed DeviceLock. Click Finish to exit the wizard.") with the Open DeviceLock home page check box] Clear the Open DeviceLock home page check box if you do not want to visit the DeviceLock Web site. Click Finish to finish the installation. You can locate and run DeviceLock management consoles from the Programs menu, available by clicking the Windows Start button. [screenshot: Windows Start menu, All Programs > DeviceLock, listing Certificate Generation Tool, DeviceLock Enterprise Manager, DeviceLock Enterprise Manager Help, DeviceLock Management Console, DeviceLock Management Console Help, DeviceLock Manual, Frequently Asked Questions, How to Register, License Agreement, Read Me, Remove DeviceLock and Technical Support]
458. nish the installation. Note: To uninstall DeviceLock, do one of the following: use Add or Remove Programs in Control Panel to remove DeviceLock, OR click Start, point to All Programs, point to DeviceLock, and then click Remove DeviceLock. Installing DeviceLock Content Security Server. Follow these steps to install DeviceLock Content Security Server: Step 1: Prepare for the installation. Step 2: Start the installation. Step 3: Configure DeviceLock Content Security Server and complete the installation. Step 1: Prepare for the installation. Before you install DeviceLock Content Security Server, consider the following important notes. The computer on which you install DeviceLock Content Security Server must meet the following system requirements. Operating System: Microsoft Windows NT 4.0 Service Pack (SP) 6, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista or Windows 7; installation is supported on both the 32-bit and the 64-bit editions of the operating system. Web Browser: Microsoft Internet Explorer version 4.0 or later must be installed on computers running Windows NT 4.0 SP 6. Hard Disk Space: 19 MB. You must have administrator permissions to install DeviceLock Content Security Server. For optimal performance and reliability, we recommend that you install DeviceLock Enterprise Server and DeviceLock Content Security Server on different computers.
459. nly to encrypted removable devices and deny writing to unencrypted media. For more information on SafeGuard Easy, visit the Sophos Web site. TrueCrypt: DeviceLock Service can detect TrueCrypt's encrypted removable storage devices and apply special encrypted permissions to them when the TrueCrypt product is installed on the computer where DeviceLock Service is running and Integration is enabled. For more information on TrueCrypt, please visit TrueCrypt's Web site (http://www.truecrypt.org). Note: If the TrueCrypt volume type is File-hosted (container), then to get access to this container and work with its content the user should have at least read access to unencrypted Removable devices. Windows BitLocker To Go: DeviceLock Service can detect BitLocker To Go encrypted drives and apply special encrypted permissions to them if Integration is enabled. For more information on the BitLocker Drive Encryption feature of Windows 7, refer to the Microsoft documentation. Note: If integration with Windows BitLocker To Go is enabled, the Deny write access to removable drives not protected by BitLocker policy setting (located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives) cannot be enabled. If you do not want to allow DeviceLock Service to detect one of the encryption products listed above and to apply special en
460. ns that can be performed on a selected field. You can select only one logical operation for each field. DeviceLock Enterprise Manager supports two groups of logical operations: those for string data and those for non-string data. Logical operations that can be performed on string data (the target string being the string you specify, for example Explorer.exe): Is exactly: selects only data having fields with strings that are identical to the target string. Includes: selects only data having fields with strings that include a defined target string. Is not: selects only data having fields with strings that are different from the target string. Not includes: selects only data having fields with strings that do not include the target string. Empty: selects only data having fields with empty strings. Not Empty: selects only data having fields with strings that are not empty. Regular expression: selects only data having fields with strings matching an expression. The expression may contain wildcards (for example, explorer). If you want to narrow the search to the string's exact case (for example, Explorer.exe is different from explorer.exe), select the Match case for string data check box. Otherwise, case is ignored (for example, Explorer.exe and explorer.exe are identical). Logical operations that can be performed on non-string data: Equal to: selects data havin
461. nsole tree, expand DeviceLock Enterprise Server. Under DeviceLock Enterprise Server, expand Reports. Expand Audit Log or Shadow Log. Under Audit Log or Shadow Log, right-click any report template and then click Refresh, OR under Audit Log or Shadow Log, select the report template that you used for generating reports and then do one of the following: click Refresh on the toolbar, OR in the details pane, right-click any report and then click Refresh. When you select a report template in the console tree, you can view the reports associated with it in the details pane. Viewing Reports. After a report is successfully completed, you can open it in DeviceLock Management Console. To view a report: 1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. In the console tree, expand DeviceLock Enterprise Server. Under DeviceLock Enterprise Server, expand Reports. Expand Audit Log or Shadow Log. Under Audit Log or Shadow Log, select the report template that you used for generating the report you want to view. When you select a report template in the console tree, you can view the reports associated with it in the details pane. In the details pane, right-click the report you want to view and then click Open. The report opens in the application associated with the report default format you chose. By default, the report opens in th
462. nt Aware Rules. To copy an offline Content Aware Rule: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a) Open DeviceLock Service Settings Editor. b) In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a) Open Group Policy Object Editor. b) In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Protocols. Under Protocols, do one of the following: right-click Content Aware Rules and then click Manage Offline, OR select Content Aware Rules and then click Manage Offline on the toolbar. The Content Aware Rules (Offline) dialog box appears. 4. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group to which the rule that you want to copy is applied. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box. 5. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, right-click the rule you want to copy and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clip
463. ntains graphic images, each image is saved as a .gif file in the same directory as the .htm file. To export and save reports: 1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. In the console tree, expand DeviceLock Enterprise Server. Under DeviceLock Enterprise Server, expand Reports. Expand Audit Log or Shadow Log. Under Audit Log or Shadow Log, select the report template that you used for generating the report you want to export and save. When you select a report template in the console tree, you can view the reports associated with it in the details pane. If you want to export and save a single report, do the following: a) In the details pane, right-click the report you want to export and save, point to Save As, and then click any of the following options: HTML, PDF, RTF. The Save As dialog box appears. b) In the Save As dialog box, in the Save in box, browse to the location where you want to save the report. c) In the File name box, type the file name you want. By default, the file name is Report_Type dd mm yy hh mm ss, where dd mm yy hh mm ss is the current date and time. d) Click Save. If you save a report as HTML and the report contains one or more graphic images, the images will be extracted from the report and saved as separate .gif files along with the .htm file in the same directory. If you want to export and save multiple reports, do the followi
464. ntent Aware Rules (Offline) dialog box, under Users, select the users or groups for which you want to define the rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. In the upper pane of the Content Aware Rules (Offline) dialog box, under Content Database, select the desired content group and then click Add. Note: You can specify only one content group for a Content Aware Rule. The Add Rule dialog box appears. [screenshot: Add Rule dialog box with the Description box and the Applies to, Device Type(s) and Action(s) areas] In the Add Rule dialog box, in the Description box, type the name of the Content Aware Rule. By default, the Content Aware Rule has the same name as the specified content group, but you can enter a different name. Under Applies to, specify the type of operation associated with the rule. The available options are: Permissions: specifies that the rule will apply to access control operations. Shadowing: specifies that the rule will apply to shadow copy operations. Permissions, Shadowing: specifies that the rule will apply to both access control and shadow copy operations. Under Device Type(s), select the appropriate device type(s) you would like this rule to be applied to. Content Aware Rules can be applied to the DVD/CD-ROM, Floppy, iPhone, Palm, Removable and Windows Mobile device types. Under Action(s), specify which
465. ntent Aware Rules dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule and then click OK. The users and groups that you added are displayed under Users in the lower left pane of the Content Aware Rules dialog box. In the lower left pane of the Content Aware Rules dialog box, under Users, select the users or groups to which you want to apply the copied rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. In the lower right pane of the Content Aware Rules dialog box, right-click in the Rules pane and then click Paste. The copied rule is displayed under Rules in the lower right pane of the Content Aware Rules dialog box. 10. Click OK or Apply to apply the copied rule. Exporting and Importing Content Aware Rules. You can export all your current Content Aware Rules to a .cwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup. To export Content Aware Rules: 1. If you use DeviceLock Management Console, do the following: a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service
466. [screenshot: DeviceLock Service settings page of Setup, with check boxes for access control for USB HID (mouse, keyboard, etc.), USB printers, USB scanners and still image devices, USB Bluetooth adapters, USB storage devices, USB and FireWire network cards, FireWire storage devices, serial modems (internal and external), virtual CD-ROMs (Windows 2000 and later), virtual printers (Windows 2000 and later) and inter-application copy/paste (clipboard) operations] Click Skip if you prefer to wait until after installation to set permissions for devices using DeviceLock management consoles. For more information regarding these settings, please read the Deploying DeviceLock Service section of this manual. If you opted to install DeviceLock Enterprise Server as well, Setup suggests that you define its settings using the configuration wizard. [screenshot: DeviceLock Enterprise Server configuration wizard, with the Log on as options (Local System account, or This account with Password and Confirm password boxes), a note that running DeviceLock Enterprise Server under an account in the Domain Admins group is strongly recommended because DeviceLock Enterprise Server must have administrative access to every computer that is trying to connect to it, and the Connection settings (Dynamic ports or Fixed TCP port)] For more information regardi
467. o Messenger: instant messaging client for Yahoo. Note: The SSL protocol is used in the Protocols White List to allow applications with embedded SSL certificates to connect to their servers. You can manage protocol security policies by using DeviceLock Management Console, Service Settings Editor or DeviceLock Group Policy Manager. You can also use the Report Permissions/Auditing plug-in in DeviceLock Enterprise Server to view and change security policies defined for protocols. For more information, see Report Permissions/Auditing. Managing Permissions for Protocols. To govern the exchange of information at the transport level, configure access to communications protocols by setting appropriate permissions. These permissions specify who can gain access to which protocols and what level of access users have. Permissions can be set on a per-user or per-group basis. The following table describes access rights available for permissions associated with protocols. FTP: Generic: Send/Receive Data: the right to connect to an FTP server, send and receive protocol data, download files from an FTP server. Generic: Outgoing Files: the right to upload files to an FTP server. SSL: Send/Receive Data: the right to connect to an FTP server, send and receive protocol data, download files from an FTP server using FTPS. SSL: Outgoing Files: the right to upload files to an FTP server using FTPS. HTTP: Generic: Send/Receive Data: the rig
468. o change the password of the service startup account. To change the service startup account or password: 1. In the console tree, expand DeviceLock Content Security Server. 2. Under DeviceLock Content Security Server, select Server Options. When you select Server Options in the console tree, they are displayed in the details pane. 3. In the details pane, double-click Service startup account, or right-click Service startup account and then click Properties. The DeviceLock Content Security Server dialog box appears. 4. In the DeviceLock Content Security Server dialog box, do the following. To change the service startup account: In the Log on as area, click Browse. The Select User dialog box appears. In the Select User dialog box, in the Enter the object name to select box, type the name of the user and then click OK. The user that you selected is displayed in the This account box in the DeviceLock Content Security Server dialog box. We recommend that you use an account that has administrative privileges on all computers running DeviceLock Enterprise Server. In a domain environment, we recommend that you use an account that is a member of the Domain Admins group. Otherwise, you will need to use DeviceLock Certificate authentication. To change the service account password: 1. In the Log on as area, type a new password in the Passw
o install the service and apply changes. A similar error may also occur when the current user does not have local administrative privileges on the computer where DeviceLock Enterprise Server is being installed:

DeviceLock Enterprise Server: ChangeConfigService error 5. Access is denied. (Win32 error 5 is ERROR_ACCESS_DENIED.)

If you have specified an incorrect user name for the This account option, or the wrong user password, DeviceLock Enterprise Server will not be able to start:

DeviceLock Enterprise Server: ChangeConfigService error 1057. The account name is invalid or does not exist, or the password is invalid for the account name specified. (Win32 error 1057 is ERROR_INVALID_SERVICE_ACCOUNT.)

You will be notified if the account specified for the This account option is not a member of the Domain Admins group:

DeviceLock Enterprise Server: The account does not belong to the Domain Admins group. Do you want to continue?

You may continue by pressing the Yes button. However, keep in mind that in this case either the specified user must have full administrative access to all remotely running DeviceLock Services, or the DeviceLock Certificate (the public key) must be installed on every computer with DeviceLock Service.

If the account specified for the This account option does not have the Log On As A Service system privilege, the wizard automatically assigns it. This privilege is needed to start the service on behalf of the user. DeviceLock En
o one of the following:
• Right-click Content Aware Rules and then click Manage.
OR
• Select Content Aware Rules and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.

In the upper pane of the Content Aware Rules dialog box, under Content Database, click the drop-down arrow next to Add Group and then click Document Properties. The Add Document Properties Group dialog box appears.

[Add Document Properties Group dialog box: Name, Description; Properties: File name, Modified, File size, Password protected, Text extraction not supported, Contains text, Accessed by process]

In the Add Document Properties Group dialog box, do the following:

USE THIS        TO DO THIS
Name            Specify the name of the group.
Description     Specify a description for the group.
File name       Specify the file names. You can use wildcards such as asterisks (*) and question marks (?). For example, type *.txt to specify all files that have the .txt extension. Multiple file names must be separated by a semicolon, for example d
o one of the following:
• Right-click White List and then click Manage Offline.
OR
• Select White List and then click Manage Offline on the toolbar.
The Protocols White List (Offline) dialog box appears.
4. In the left pane of the Protocols White List (Offline) dialog box, under Users, select the user or group to which the rule that you want to copy is applied. By selecting users or groups, you can view the white list rules applied to them under Rules in the right pane of the dialog box.
5. In the right pane of the Protocols White List (Offline) dialog box, under Rules, right-click the rule you want to copy and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you use the CTRL+X key combination to cut the rule, the rule is removed only after you paste it.
6. In the left pane of the Protocols White List (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
7. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule and then click OK. The users and groups that you added are displayed under Users in the left pane of the Protocols White List (Offline) dialog box.
8. In the left pane of the Protocol
In the Auditing & Shadowing (Offline) dialog box, do the following:

To define the default audit and shadowing rules:
1. In the upper-left area of the dialog box, specify which events are written to the Audit Log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol.
2. In the upper-left pane of the dialog box, under Users, click Set Default. The default audit and shadowing rules apply to the Users and Everyone groups. For information about which Audit and Shadowing rights are set for these groups by default, see Managing Audit and Shadowing Rules for Protocols.

To define audit and shadowing rules for an additional user or group:
1. In the upper-left area of the dialog box, specify which events are written to the Audit Log. Select the Audit Allowed check box to audit successful attempts to gain access to a protocol. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a protocol.
2. In the upper-left pane of the dialog box, under Users, click Ad

To change audit and shadowing rules for an existing user or group:
To remove an existing user or group and its rules:
oc docx. An asterisk (*) replaces an unlimited number of characters; the question mark (?) replaces a single character.

Modified        Specify the last modification date/time of the file. To do so, in the Modified list, click any of the following options:
                • Not specified: this option is selected by default.
                • Before than: the file's modified date/time must be earlier than the specified date/time.
                • After than: the file's modified date/time must be later than the specified date/time.
                • Between: the file's modified date/time must fall within the specified date/time range.
                • Not older than: the file's modified date/time must not be older than the specified number of seconds, minutes, days, weeks, months or years.
                • Older than: the file's modified date/time must be older than the specified number of seconds, minutes, days, weeks, months or years.
                Note: The Modified property does not apply to files transmitted over the network. If specified, it is ignored during content analysis.

File size       Specify the file size in bytes, kilobytes, megabytes, gigabytes or terabytes. To do so, in the File size list, click any of the following options:
                • Not specified: this option is selected by default.
                • Equal to: the file must have a size that is equal to the size you specify.
                • Less than: the file must have a size that is less than the size you specify.
                • Mor
[Permissions dialog box: Computer Name: Local Computer; Users: Everyone; Add, Delete, Set Default; User's Rights: Generic: Send/Receive Data, Outgoing Files; SSL: Send/Receive Data, Outgoing Files; Allowed Time, Denied Time]

In the Permissions dialog box, do the following:

To set the default permissions:
• In the upper-left pane of the dialog box, under Users, click Set Default. The default permissions are assigned to the Administrators and Everyone accounts. For information about which permissions are set for these accounts by default, see Managing Permissions for Protocols.

To set permissions for an additional user or group:
1. In the upper-left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
2. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group and then click OK. The users and groups that you added are displayed under Users in the upper-left pane of the Permissions dialog box.
3. In the upper-left pane of the Permissions dialog box, under Users, select the user or group. You can select multiple users and/or groups by holding down the SHIFT key or the CTRL key while clicking them.
4. In the lower-left pane of the Permissions dialog box, under User's Rights, select or clear the Allow
[Start menu, DeviceLock program group: DeviceLock Enterprise Manager, DeviceLock Enterprise Manager Help, DeviceLock Management Console, DeviceLock Management Console Help, DeviceLock Manual, Frequently Asked Questions, How to Register, License Agreement, Read Me, Remove DeviceLock, Technical Support, Temporary White List Administration Tool]

DeviceLock Enterprise Manager Interface

DeviceLock Enterprise Manager has a Multi-Document Interface (MDI) structure, allowing you to keep each task in its own window. The main window of DeviceLock Enterprise Manager can be resized. DeviceLock Enterprise Manager saves its size and position and restores them at its next startup. There is a menu at the top of the main window; many functions are accessible through this menu.

[DeviceLock Enterprise Manager Main Toolbar]

To change the columns displayed in the plug-in's windows, click Select Columns on the View menu or click the appropriate button on the Main toolbar. By default, DeviceLock Enterprise Manager displays the information received from the plug-ins in the form of a tree. However, in
ompany. You can configure and use DeviceLock Content Security Server by using DeviceLock Management Console.

How Search Server Works

Search Server performs the following functions:
• Indexes DeviceLock Enterprise Server data.
• Executes full-text queries after the data has been indexed.
These functions are described in more detail below.

Indexing DeviceLock Enterprise Server Data

Indexing is a process through which the textual data on DeviceLock Enterprise Server becomes searchable and retrievable. Search Server starts the indexing process automatically as soon as you specify the DeviceLock Enterprise Server(s). The indexing process results in either the creation or the update of the full-text index. There is only one full-text index per Search Server, which makes management more efficient. The full-text index stores information about significant words and their location. During index creation or update, Search Server discards noise words (prepositions, articles and so on) that do not help the search. Search Server indexes all text data from the following content sources: Audit Log, Shadow Log, Deleted Shadow Data Log, Server Log and Monitoring Log.

The indexing process happens in two stages. In the first stage, Search Server extracts significant words from shadow copies and log records and saves them to temporary indexes, one for each specified DeviceLock Enterprise Server. For each temporary index, Search Server proces
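The following is an added example, written for this page and not part of the DeviceLock manual or product, that illustrates the two-stage process described above in miniature: stage 1 builds one temporary inverted index per DeviceLock Enterprise Server from a few constructed log records (noise words dropped), stage 2 merges them into the single full-text index, and a query is then answered from the merged index, optionally restricted to particular logs as the search options allow. The noise-word list, the server names DLSERVER1 and DLSERVER2, the record texts and the function names are assumptions made for the example; the five log names are the content sources the manual lists.

```python
# Added example, not DeviceLock code. Toy two-stage full-text index:
# per-server temporary indexes -> one merged index -> full-text query.
import re
from collections import defaultdict

# Assumed noise-word list (prepositions, articles, ...) discarded at index time.
NOISE_WORDS = {"a", "an", "the",  "to", "of", "on", "in", "and", "or", "for",
               "is", "was", "by", "with"}

# Constructed sample data: server name -> list of (log, record id, text).
SAMPLE_RECORDS = {
    "DLSERVER1": [
        ("Audit Log", 101, "User jsmith copied Budget2012.xlsx to the USB drive"),
        ("Shadow Log", 102, "Confidential: salary review for the sales team"),
        ("Server Log", 103, "Service started on DLSERVER1"),
    ],
    "DLSERVER2": [
        ("Audit Log", 201, "User mjones sent salary.docx by SMTP to an external address"),
        ("Monitoring Log", 202, "Computer WKS17 is available"),
        ("Deleted Shadow Data Log", 203, "The shadow copy of Budget2012.xlsx was deleted"),
    ],
}

WORD_RE = re.compile(r"[a-z0-9]+")   # splits "Budget2012.xlsx" into two words


def significant_words(text):
    """Lower-cased words with noise words removed, de-duplicated, order kept."""
    words, seen = [], set()
    for tok in WORD_RE.findall(text.lower()):
        if tok not in NOISE_WORDS and tok not in seen:
            seen.add(tok)
            words.append(tok)
    return words


def build_temporary_index(server, records):
    """Stage 1: temporary index for one server, word -> {(server, log, record id)}."""
    index = defaultdict(set)
    for log, rec_id, text in records:
        for word in significant_words(text):
            index[word].add((server, log, rec_id))
    return index


def merge_indexes(temporary_indexes):
    """Stage 2: fold every temporary index into the single full-text index."""
    merged = defaultdict(set)
    for temp in temporary_indexes:
        for word, postings in temp.items():
            merged[word] |= postings
    return merged


def build_full_text_index(records_by_server=SAMPLE_RECORDS):
    return merge_indexes(build_temporary_index(s, r) for s, r in records_by_server.items())


def search(index, query, logs=None):
    """Records containing every significant query word, optionally limited to the
    given logs (the 'Limit results to the following logs' search option)."""
    words = significant_words(query)
    if not words:
        return []   # a query consisting only of noise words matches nothing
    hits = set.intersection(*(index.get(w, set()) for w in words))
    if logs is not None:
        hits = {h for h in hits if h[1] in logs}
    return sorted(hits)


if __name__ == "__main__":
    idx = build_full_text_index()
    print(search(idx, "salary"))
    print(search(idx, "Budget2012.xlsx", logs={"Audit Log"}))
```

Noise words never enter the index, so a query made only of them returns nothing rather than every record; the tokenizer also splits file names at the dot, so a search for a file name finds both its audit record and the deleted-shadow record.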
on Incoming Messages Audit Incoming Messages Outgoing Messages Audit Outgoing Messages

PROTOCOL            USERS                       EVERYONE
SMTP                Audit Connection            Audit Connection
                    Audit Outgoing Messages     Audit Outgoing Messages
                    Audit Outgoing Files        Audit Outgoing Files
Social Networks     Audit Connection            Audit Connection
                    Audit Outgoing Messages     Audit Outgoing Messages
                    Audit Outgoing Files        Audit Outgoing Files
Telnet              Audit Connection            Audit Connection
Web Mail            Audit Connection            Audit Connection
                    Audit Outgoing Messages     Audit Outgoing Messages
                    Audit Outgoing Files        Audit Outgoing Files
Windows Messenger   Audit Connection            Audit Connection
                    Audit Incoming Messages     Audit Incoming Messages
                    Audit Outgoing Messages     Audit Outgoing Messages
Yahoo Messenger     Audit Connection            Audit Connection
                    Audit Incoming Messages     Audit Incoming Messages
                    Audit Outgoing Messages     Audit Outgoing Messages

Managing online (regular) audit and shadowing rules for protocols involves the following tasks:
• Defining and editing audit and shadowing rules
• Undefining audit and shadowing rules

Online audit and shadowing rules for a protocol can have one of the following states:

STATE           DESCRIPTION
Not Configured  Indicates that audit and shadowing rules are not defined for a protocol.
Configured      Indicates that audit and shadowing rules are defined for a protocol.
No Audit        Indicates one of the following:
                • Audit rights are not set for all of the users and g
on. Multiple file names must be separated by a semicolon, for example *.doc;*.docx. An asterisk (*) replaces an unlimited number of characters; the question mark (?) replaces a single character.
                Note: For shadowing data captured from the Printer device type, the file name value you specify is compared with the names provided in the File Name column of the Shadow Log Viewer.

Modified        Specify the last modification date/time of the file. To do so, in the Modified list, click any of the following options:
                • Not specified: this option is selected by default.
                • Before than: the file's modified date/time must be earlier than the specified date/time.
                • After than: the file's modified date/time must be later than the specified date/time.
                • Between: the file's modified date/time must fall within the specified date/time range.
                • Not older than: the file's modified date/time must not be older than the specified number of seconds, minutes, days, weeks, months or years.
                • Older than: the file's modified date/time must be older than the specified number of seconds, minutes, days, weeks, months or years.

File size       Specify the file size in bytes, kilobytes, megabytes, gigabytes or terabytes. To do so, in the File size list
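The following is an added example, written for this page and not taken from the DeviceLock manual or product, that evaluates the File name, Modified and File size conditions of a Document Properties group (as described in the two passages above) against a file's metadata. The option names are the dialog's own; the two data classes, the case-insensitive name match, the fixed calendar lengths used for "months" and "years", the treatment of a file without a timestamp as one transmitted over the network (for which the manual says Modified is ignored) and the sample files are assumptions made for the example.

```python
# Added example, not DeviceLock code: a matcher for the File name, Modified
# and File size conditions of a Document Properties group.
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Optional, Tuple

SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
# Assumed calendar lengths for the age-based options.
AGE_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400,
             "weeks": 7 * 86400, "months": 30 * 86400, "years": 365 * 86400}


@dataclass
class DocumentPropertiesGroup:
    name: str
    file_names: str = ""              # "*.doc;*.docx" style; empty means any name
    modified: str = "Not specified"   # Not specified | Before than | After than | Between | Not older than | Older than
    modified_args: Tuple = ()         # datetime(s), or (number, unit) for the age options
    file_size: str = "Not specified"  # Not specified | Equal to | Less than | More than
    size_args: Tuple = ()             # (number, unit)


@dataclass
class FileInfo:
    name: str
    size: int                            # bytes
    modified: Optional[datetime] = None  # None models a file transmitted over the network


def name_matches(patterns, file_name):
    """Semicolon-separated wildcards: * is any run of characters, ? is one character.
    Matching is case-insensitive (assumed, as on Windows file systems)."""
    pats = [p.strip() for p in patterns.split(";") if p.strip()]
    return not pats or any(fnmatchcase(file_name.lower(), p.lower()) for p in pats)


def modified_matches(group, info, now):
    # Modified is ignored for files transmitted over the network, so a missing
    # timestamp never blocks a match.
    if group.modified == "Not specified" or info.modified is None:
        return True
    option = group.modified
    if option == "Before than":
        return info.modified < group.modified_args[0]
    if option == "After than":
        return info.modified > group.modified_args[0]
    if option == "Between":
        start, end = group.modified_args
        return start <= info.modified <= end
    if option in ("Not older than", "Older than"):
        number, unit = group.modified_args
        limit = timedelta(seconds=number * AGE_UNITS[unit])
        age = now - info.modified
        return age <= limit if option == "Not older than" else age > limit
    raise ValueError("unknown Modified option: " + option)


def size_matches(group, info):
    if group.file_size == "Not specified":
        return True
    number, unit = group.size_args
    limit = number * SIZE_UNITS[unit]
    if group.file_size == "Equal to":
        return info.size == limit
    if group.file_size == "Less than":
        return info.size < limit
    if group.file_size == "More than":
        return info.size > limit
    raise ValueError("unknown File size option: " + group.file_size)


def matches(group, info, now=None):
    """True when the file satisfies every condition of the group (unset conditions pass)."""
    now = now or datetime.now()
    return (name_matches(group.file_names, info.name)
            and modified_matches(group, info, now)
            and size_matches(group, info))


# Constructed groups and files; NOW is fixed so the results are reproducible.
NOW = datetime(2012, 6, 1)
STALE_OFFICE = DocumentPropertiesGroup("Stale Office files", "*.doc;*.docx",
                                       "Older than", (30, "days"), "More than", (1, "MB"))
Q1_2012 = DocumentPropertiesGroup("Modified in Q1 2012", modified="Between",
                                  modified_args=(datetime(2012, 1, 1), datetime(2012, 3, 31)))
SAMPLE_FILES = {
    "old_big_docx": FileInfo("Report.DOCX", 2 * 1024 ** 2, datetime(2012, 1, 15)),
    "old_big_txt": FileInfo("notes.txt", 2 * 1024 ** 2, datetime(2012, 1, 15)),
    "old_small_docx": FileInfo("report.docx", 512 * 1024, datetime(2012, 1, 15)),
    "fresh_big_docx": FileInfo("report.docx", 2 * 1024 ** 2, datetime(2012, 5, 25)),
    "network_docx": FileInfo("report.docx", 2 * 1024 ** 2, None),
}


def evaluate_samples(group=STALE_OFFICE, files=SAMPLE_FILES, now=NOW):
    """Label -> whether the group matches that sample file."""
    return {label: matches(group, f, now) for label, f in files.items()}
```

The network_docx case shows the caveat from the Note above: a Modified condition silently passes for a file that arrives over the network, so a rule that relies on Modified alone does not restrict protocol traffic at all.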
on a mobile device from a PC. For iPhone, this content type represents e-mail account settings but not messages, because iTunes does not support sync of messages.
• Write E-mail: to enable writing e-mails from a PC to a mobile device. For iPhone, this content type represents e-mail account settings but not messages, because iTunes does not support sync of messages.
• Read Attachment: to enable reading e-mail attachments on a Windows Mobile device from a PC. You can enable this right only if Read E-mail is selected in the Special Permissions group.
• Write Attachment: to enable writing e-mail attachments from a PC to a Windows Mobile device. You can enable this right only if Write E-mail is selected in the Special Permissions group.
• Read Favorite: to enable reading favorites on a Windows Mobile device and iPhone from a PC.
• Write Favorite: to enable writing favorites from a PC to a Windows Mobile device and iPhone.
• Read File: to enable reading files on a mobile device from a PC. For iPhone, data flows of the Applications (iTunes) type are treated as files.
• Write File: to enable writing files from a PC to a mobile device. For a Palm device, this right also enables Write Document in the Special Permissions group. For iPhone, data flows of the Applications (iTunes) type are treated as files.
• Read Media: to enable reading media content using Windows Media Player on a Windows Mobile device and reading media files on a Palm device
on about monitored computers and DeviceLock Services.

[Monitoring Log Viewer in DeviceLock Management Console: columns Type, Date/Time, Event, Task Name, Computer Name; events of the Critical Machines task; console tree: DeviceLock Service; DeviceLock Enterprise Server with Server Options, Audit Log Viewer, Shadow Log Viewer, Server Log Viewer, Monitoring (Critical Machines, Generic Computers), Monitoring Log Viewer]

The columns of this viewer are defined as follows:
• Type: the class of an event (Success, Information, Warning or Error).
• Date/Time: the date and time when the event occurred.
• Event: a number identifying the particular event type.
• Task Name: the name of the task responsible for
on in the notification area of the taskbar and then click Refresh Current State. End users can also click the DeviceLock Tray Notification Utility icon to view the latest DeviceLock message balloon shown for the notification in the notification area of a client computer. To enable or disable the display of the DeviceLock Tray Notification Utility icon, right-click Always show tray icon and then click Enable or Disable, or double-click Always show tray icon.

Archives content inspection on read
Use this option to enable or disable content inspection of files within archives when users try to read archive files. For more information, see the description of the Inspection of files within archives feature. To enable or disable content inspection of files within archives, right-click Archives content inspection on read and then click Enable or Disable, or double-click Archives content inspection on read.
Note: If this option is disabled, inspection of images embedded in PDF files, RTF and Microsoft Office documents is also not performed. Content inside an archive then passes Content Aware Rules without analysis, so treat this option as part of your data-leak controls rather than a performance setting only.

Archives content inspection on write
Use this option to enable or disable content inspection of files within archives when users try to write archive files. For more information, see the description of the Inspection of files within archives feature. To enable or disable content inspection of files within archives, right-click Archives content inspection on write and then click Enable or Disable, or double-click Archives
ongly recommend running DeviceLock Enterprise Server under an account in the Domain Admins group. DeviceLock Enterprise Server must have administrative access to every computer that is trying to connect to it. Connection settings: Dynamic ports / Fixed TCP port.

Log on as

First of all, you should choose an account under which the DeviceLock Enterprise Server service will start. As with many other Windows services, the DeviceLock Enterprise Server service can start under the special local system account (the SYSTEM user) or on behalf of any user.

To start the service under the SYSTEM user, select the Local System account option. Keep in mind that a process working under the SYSTEM user cannot access shared network resources and authenticates on remote computers as an anonymous user. Therefore, DeviceLock Enterprise Server configured to run under the SYSTEM user is not able to store shadow files on a remote computer (e.g. on the file server), and it must use the DeviceLock Certificate for authentication on DeviceLock Services running on remote computers. For more information about authentication methods, please read the description of the Certificate Name parameter.

To start the service on behalf of a user, select the This account option and enter the user's account name and password. It is recommended to use a user account that has administrative privileges on all the computers where DeviceLock Service is running
ontent Aware Rule

1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Expand Content Aware Rules, right-click the user or group to which the rule is applied and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted.
   OR
   • Expand Content Aware Rules and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group and then click Delete.
   OR
   • Right-click Content Aware Rules and then click Manage. In the lower-left pane of the Content Aware Rules dialog box, under Users, select the user or group to which the rule is applied. In the lower-right pane of the Content Aware Rules dialog box, under Rules, select the rule and then click Delete, or right-click the rule and then
ontent Aware Rules dialog box, under Rules, click Load. The Open dialog box appears.
4. In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file and then click Open. You can import only one .cwl file at a time.

Undefining Content Aware Rules

If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent Content Aware Rules from being applied to a specific group of client computers. To do so, you need to return the previously defined Content Aware Rules to the unconfigured state. All undefined DeviceLock settings are ignored by client computers.

To undefine Content Aware Rules:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, right-click DeviceLock Settings or DeviceLock Service and then click Load Service Settings to open the XML file with the defined DeviceLock policies.
   c. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click Content Aware
ontroller, you need to have the GPO editor installed locally. We recommend that you install the Group Policy Management Console (GPMC). It can be downloaded from the Microsoft Download Center.

To open DeviceLock Group Policy Manager, you should run the GPO editor first:
1. Start the Group Policy Management snap-in. If the Group Policy Management snap-in is not installed on your computer, you may use the Active Directory Users and Computers snap-in instead.
2. In the console tree, select your domain.

[Group Policy Management console: Forest, Domains, the selected domain with the DeviceLock Group Policy Object and its context menu: Create and Link a GPO Here, Link an Existing GPO, Block Inheritance, New Organizational Unit, Search, Change Domain Controller]

3. Select the group policy object that you need and then click Edit on the context menu (available by a right mouse click). If you wish to create a new group policy object, click Create and Link a GPO Here on the context menu of the selected domain.

If you are using the Active Directory Users and Computers snap-in, right-click your domain and then click Properties.
opy File, Copy Screenshot, Copy Unidentified Content (Everyone, Administrators and SYSTEM)

DEVICE TYPE      DEFAULT PERMISSIONS (EVERYONE / ADMINISTRATORS / SYSTEM)
DVD/CD-ROM       Generic: Read, Write, Eject (all three accounts)
FireWire port    Generic: Read, Write, Eject, Format (all three accounts)
Floppy           Generic: Read, Write, Eject, Format (all three accounts)
Hard disk        Generic: Read, Write, Format (all three accounts)
Infrared port    Everyone, Administrators: Generic: Read, Write (no SYSTEM default)
iPhone           Everyone, Administrators: Generic: Read, Write (no SYSTEM default)
Palm             Everyone, Administrators: Generic: Read, Write (no SYSTEM default)
Parallel port    Everyone, Administrators: Generic: Read, Write (no SYSTEM default)
Printer          Everyone, Administrators: Generic: Print (no SYSTEM default)
Removable        Generic: Read, Write, Eject, Format; Encrypted: Read, Write, Format (all three accounts)
Serial port      Generic: Read, Write (all three accounts)
Tape             Generic: Read, Write, Eject, Format (all three accounts)
USB port         Generic: Read, Write, Eject, Format (all three accounts)
WiFi             Generic: Read, Write (all three accounts)
Win
or, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, right-click DeviceLock Settings or DeviceLock Service and then click Load Service Settings to open the XML file with the defined DeviceLock policies.
   c. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Permissions. When you select Permissions in the console tree, the details pane shows the protocols for which you can set permissions.
4. In the details pane, right-click the protocol whose permissions you want to undefine and then click Undefine. You can undefine permissions for multiple protocols at the same time. To do this:
   a. In the details pane, select multiple protocols by holding down the SHIFT key or the CTRL key while clicking them.
   b. Right-click the selection and then click Undefine.

Managing Audit and Shadowing Rules for Protocols

DeviceLock provides the capability to audit and shadow-copy data (file) transfers via different protocols. Auditing and shadow copying are used to monitor and record security-critical data transfer operations. Regular analysis of log data is an effective way to detect and trace misuse of sensitive information and data bre
or Apply to apply the rule.

The users or groups to which the Content Aware Rule applies are displayed under Content Aware Rules in the console tree. When you select a user or group to which a Content Aware Rule applies in the console tree, the details pane shows detailed information about this rule. This information includes the following:
• Description: The name of the rule. By default, the rule has the same name as the specified content group.
• Type: The type of content analysis. Possible values: File Type Detection, Keywords, Pattern, Document Properties and Complex.
  File Type Detection indicates that recognition and identification of files is based on their characteristic signatures.
  Keywords indicates that recognition and identification of data and files is based on the specified keywords or phrases.
  Pattern indicates that recognition and identification of data and files is based on the specified patterns of text, described by Perl regular expressions.
  Document Properties indicates that recognition and identification of files is based on their properties.
  Complex indicates that recognition and identification of data and files is based on the specified content, described by a Boolean expression over other content groups.
• Action(s): Shows which user actions are allowed or disallowed on files and which user actions are logged to the Shadow Log.
• Applies To: Possible values: Permissions; Shadowing; Permissions, Shadowing. Permissions indicates that the rule applie
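The following is an added example, written for this page and not code from the DeviceLock manual or product, that shows how the Keywords, Pattern and Complex analysis types listed above can be evaluated on a file's text, and how a rule's Action(s) (deny or allow, with or without a shadow copy) follow from the match. The group names, the Boolean syntax accepted by the Complex group (AND, OR, NOT and parentheses, with NOT binding tightest), the Luhn check used to validate card-number matches, Python's re dialect in place of Perl regular expressions, and the sample texts are assumptions made for the example.

```python
# Added example, not DeviceLock code: Keywords, Pattern and Complex content
# groups, and the deny/allow/shadow decision of a content-aware rule.
import re


def luhn_ok(candidate):
    """Luhn checksum over the digits of a card-number match (rejects random 16-digit runs)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, n in enumerate(reversed(digits)):
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return len(digits) >= 13 and total % 10 == 0


class KeywordsGroup:
    # Matches when at least `threshold` keywords/phrases occur as whole words (case-insensitive).
    def __init__(self, *keywords, threshold=1):
        self.patterns = [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]
        self.threshold = threshold

    def matches(self, text):
        return sum(1 for p in self.patterns if p.search(text)) >= self.threshold


class PatternGroup:
    # Matches when the regular expression finds `threshold` occurrences that pass the validator.
    def __init__(self, regex, threshold=1, validator=None):
        self.regex = re.compile(regex)
        self.threshold = threshold
        self.validator = validator or (lambda m: True)

    def matches(self, text):
        return sum(1 for m in self.regex.findall(text) if self.validator(m)) >= self.threshold


class ComplexGroup:
    # Boolean expression over named groups, e.g. "(SSN OR Card) AND NOT Public".
    # Precedence NOT > AND > OR. Both operands are always evaluated, so the whole
    # expression is consumed and malformed input is reported instead of ignored.
    def __init__(self, expression, groups):
        self.tokens = re.findall(r"\(|\)|\w+", expression)
        self.groups = groups

    def matches(self, text):
        self.pos = 0
        value = self._or(text)
        if self.pos != len(self.tokens): raise ValueError("unexpected token: " + self.tokens[self.pos])
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or(self, text):
        value = self._and(text)
        while self._peek() == "OR":
            self.pos += 1
            value = self._and(text) or value
        return value

    def _and(self, text):
        value = self._not(text)
        while self._peek() == "AND":
            self.pos += 1
            value = self._not(text) and value
        return value

    def _not(self, text):
        if self._peek() == "NOT":
            self.pos += 1
            return not self._not(text)
        return self._atom(text)

    def _atom(self, text):
        tok = self._peek()
        if tok == "(":
            self.pos += 1
            value = self._or(text)
            if self._peek() != ")": raise ValueError("missing )")
            self.pos += 1
            return value
        if tok is None or tok in ("AND", "OR", "NOT", ")"): raise ValueError("expected a group name, got " + str(tok))
        self.pos += 1
        return self.groups[tok].matches(text)   # an unknown group name raises KeyError


class ContentAwareRule:
    # Action(s): deny or allow when the group matches, plus an optional shadow copy.
    # A non-matching rule leaves the decision to the regular permissions (None here).
    def __init__(self, group, allow, shadow):
        self.group, self.allow, self.shadow = group, allow, shadow

    def decide(self, text):
        if not self.group.matches(text):
            return (None, False)
        return ("allow" if self.allow else "deny", self.shadow)


# Constructed groups, rule and sample texts (assumptions for the example).
GROUPS = {
    "SSN": PatternGroup(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Card": PatternGroup(r"\b(?:\d{4}[- ]?){3}\d{4}\b", validator=luhn_ok),
    "Confidential": KeywordsGroup("confidential", "internal use only"),
    "Public": KeywordsGroup("public release"),
}
BLOCK_PII = ContentAwareRule(ComplexGroup("(SSN OR Card OR Confidential) AND NOT Public", GROUPS),
                             allow=False, shadow=True)
SAMPLES = {
    "hr_record": "Employee record: SSN 123-45-6789. Internal use only.",
    "press_kit": "Approved for public release. Test card 4111 1111 1111 1111.",
    "invoice": "Invoice number 1234 5678 9012 3456, net 30.",
}


def decide_samples(rule=BLOCK_PII, samples=SAMPLES):
    return {label: rule.decide(text) for label, text in samples.items()}
```

The invoice sample matches the card-number regular expression but fails the Luhn check, so the Pattern group does not fire; without such a validator a bare regular expression produces false positives on any 16-digit run, which is the usual reason Pattern rules need tuning.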
or just reinstalling DeviceLock Enterprise Server and want to keep its current configuration, you do not need to go through this wizard again: just press the Cancel button to close the wizard and keep all existing settings unchanged. In case you need to change some parameters but keep others, edit only the needed parameters and go through all the wizard's pages up to the Finish button on the very last page.

Note: If you are installing DeviceLock Enterprise Server for the first time, there are no existing settings on this computer yet; if you cancel the configuration wizard upon opening, Setup will not be able to install the DeviceLock Enterprise Server service, so you will need to run the configuration wizard again:

DeviceLock Setup: The wizard was interrupted before DeviceLock Enterprise Server could be completely installed. Do you want to run the wizard again? Click No to continue this installation process without configuring DeviceLock Enterprise Server.

If you press the No button to continue without installing the DeviceLock Enterprise Server service, you will need to run Setup later and install the service anyway.

On the first page of the wizard, you can opt to install the DeviceLock Enterprise Server service and define its startup parameters.

Wizard page: Log on as: Local System account / This account (account name, Password, Confirm password). NOTE: We str
or more information on how to resolve this issue, see the description of the Service connection settings parameter.
8. No License: this status means that DeviceLock Enterprise Server is unable to monitor the computer running DeviceLock Service due to an insufficient number of licenses. DeviceLock Enterprise Server handles as many DeviceLock Service instances as there are licenses loaded into DeviceLock Enterprise Server. For more information, see License information in Installing DeviceLock Enterprise Server. The computer's icon is a green computer with an exclamation mark.
Also, the same status messages (except Computer is available) are written to the monitoring log, so you can review the situation with monitored computers later.
• Last Scan Time: the date and time of the last scan attempt. This scan attempt can be either successful or not.
• Last Successful Scan Time: the date and time of the last successful scan attempt.
• Service Uptime: shows how long DeviceLock Service has been running on the monitored computer.
• Computer Uptime: shows how long the monitored computer has been running. By comparing the computer's uptime with the service's uptime (see above), you can always see whether or not DeviceLock Service was stopped during the current computer session.
• Service Version: the version of DeviceLock Service. The last five digits indicate the build number.
Monitoring A
or protocols can have one of the following states:

STATE           DESCRIPTION
Not Configured  Indicates that Security Settings are not defined for protocols.
Enabled         Indicates that Security Settings are enabled for protocols.
Disabled        Indicates that Security Settings are disabled for protocols.

Defining and Changing Security Settings

To define and change Security Settings:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Select Security Settings. In the details pane, right-click the Security Setting and then click Enable or Disable. When you select Security Settings in the console tree, they are displayed in the details pane.
   OR
   • Right-click Security Settings and then click Manage. In the Security Settings dialog box that opens, select or clear the appropriate check box and then click OK. To open the Security Settings dialog box
ord box.
2. Re-type your new password in the Confirm password box.

To assign the Local System account to the service:
• In the Log on as area, click Local System account. If the service uses this account, it cannot access a DeviceLock Enterprise Server running on a remote computer and must use the DeviceLock Certificate for authentication on it.

5. Click OK.

Task: Install or remove the DeviceLock Certificate used to authenticate communications between DeviceLock Content Security Server and DeviceLock Enterprise Server.

There can be situations when the user account under which DeviceLock Content Security Server is running cannot access a remote DeviceLock Enterprise Server. In these situations, you can use DeviceLock Certificate authentication. To do so, install the same private key of the DeviceLock Certificate on DeviceLock Content Security Server and DeviceLock Enterprise Server. Because both servers trust whoever holds this private key, protect the key file accordingly: anyone who obtains it can authenticate to either server as a trusted peer. For detailed information on DeviceLock Certificates, see DeviceLock Certificates.

To install or remove the DeviceLock Certificate on DeviceLock Content Security Server:
1. In the console tree, expand DeviceLock Content Security Server.
2. Under DeviceLock Content Security Server, select Server Options. When you select Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click DeviceLock certificate, or right-click DeviceLock certificate and then click Properties. The DeviceLock Content Security Serv
493. ord or phrase you want to find.
To set search options, click Options and then do the following:
• To specify the number of search results to display per page, in the Display results per page list, click any of the following options: 10, 20, 30, 50, 100. The default number of returned results is 20.
• To limit the scope of the search to specific data stores, select the appropriate check boxes under Limit results to the following logs. By default, Search Server retrieves search results from the Audit Log, Shadow Log and Deleted Shadow Log.
• To filter search results by date, specify a date range that limits the data retrieved from the data sources. To do so, set the following date parameters:

PARAMETER / DESCRIPTION
From: Specifies the beginning of the date range in which to search. Possible values: First Record or Records On. The default value is First Record. First Record causes Search Server to retrieve data starting with the first record written to the log. Records On causes Search Server to retrieve data that was written starting with a specific date.
To: Specifies the end of the date range in which to search. Possible values: Last Record or Records On. The default value is Last Record. Last Record causes Search Server to retrieve data ending with the last record written to the log. Records On causes Search Server to retrieve data that was written ending with a specific date.

If you set
494. [Screenshot: ODBC data source dialog box: "...stores information about how to connect to the indicated data provider. A System data source is visible to all users on this machine, including NT services."]

If in the data source configuration SQL Server Authentication was chosen, then you also need to specify the SQL user name (login) in Login name and its password in Password. If Windows Authentication was selected, then you should leave these fields blank.

To refresh the Data Source Name list, press the Refresh button.

When the connection to SQL Server is defined, you may want to test it. Press the Test Connection button to make sure that all the parameters were specified correctly.

[Screenshot: Test Connection dialog box: "Testing the connection to SQL Server. The connection was successful."]

Please note that it only checks connectivity and your access rights to SQL Server. If there are problems with the database or your access rights to this database, you don't see those problems in the Test Connection dialog box.

If some connection parameters were specified incorrectly, you may see one of these errors:
• SQL Server does not exist or access denied: you've specified an incorrect name of SQL Server in the SQL Server name parameter, or the remote SQL Server's computer is not accessible. It is possible that you've specified the name of the computer where SQL Server is running, but this SQL Server also has an instance name, which should be specified as well, e.g. computer ins
495. ority over rules with Allow settings if they apply to the same users or groups.
• When users try to overwrite an existing file with a new file to which they are denied write access, the old file is deleted.
• When users try to modify a file to which they are denied write access, the file is deleted.
• Unsafe removal of a device can result in the corruption of the device's file system and data.
• When users try to copy files to which they are denied write access, these files are temporarily visible in Windows Explorer or other file manager applications. Actually, these files do not really exist on the target device: they are located in the memory cache and are removed from this cache immediately after DeviceLock finishes checking their content.
• When users open a file from the USB flash drive, modify it by inserting the content to which they are denied write access, and then try to save changes, the file is deleted.
• Checking the content of files can be a time-consuming operation. You cannot safely remove the device while this operation is in progress, even if the copied files become visible in Windows Explorer or other file manager applications. In this situation, you receive an error message indicating that the device is currently busy.
• Newly copied files cannot be opened for reading until DeviceLock finishes checking their content.
• Checking the content of files can be a
496. ortant information such as configuration changes, start/stop events, version, and so on.

[Screenshot: DeviceLock Management Console, Server Log Viewer under DeviceLock Enterprise Server, showing the Type, Date/Time, Event and Information columns.]

You may use the information from this log to diagnose problems (if any), to monitor changes in the server's configuration, and to see who has cleared logs and when.

The columns of this viewer are defined as follows:
• Type: the class of an event: Success, Information, Warning or Error.
• Date/Time: the date and the time when an event has occurred.
• Event: a number identifying the particular event type.
• Information: event-specific information, such as error/warning descriptions, names and values of chang
497. ory Users and Computers snap-in.
Expand the Software Settings container that contains the Software installation item with which you deployed the package.
Click the Software installation container that contains the package.
In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Remove.
Click Immediately uninstall the software from users and computers, and then click OK.
Close the Windows Group Policy Object editor.

Please keep in mind:
• Deployment occurs only when the computer starts up, not on a periodic basis. This prevents undesirable results, such as uninstalling or upgrading an application that is in use.
• DeviceLock Service will be copied to the %ProgramFiles%\DeviceLock Agent folder if this service doesn't exist on the system. If the service exists on the system but its version is lower than 7.0, DeviceLock Service will also be copied to the default %ProgramFiles%\DeviceLock Agent folder. If the service exists on the system but its version is 7.0 or higher, DeviceLock Service will be copied to the directory of the old version and the old version will be replaced.

Installing Management Consoles

DeviceLock management consoles are the control interfaces that systems administrators use to remotely manage DeviceLock Service, DeviceLock Enterprise Server and DeviceLock Content Security Server. The DeviceLock management consoles should be installed on the computer from which the ad
498. [Screenshot: Add Standalone Snap-in dialog box, Resultant Set of Policy snap-in by Microsoft Corporation. Description: "This snap-in allows you to view the Resultant Set of Policy for a user on a machine. The snap-in can be used to view policy that has been applied as well as predict what policy would be applied to a user on a machine."]

5. Click Close to close the Add Standalone Snap-in window, and then click OK to add the snap-in.
6. In the console tree, select Resultant Set of Policy.

[Screenshot: Console Root with Resultant Set of Policy selected; the Action menu shows Generate RSoP Data ("Launches a wizard to obtain Resultant Set of Policy information").]

7. Click Generate RSoP Data on the context menu available by a right mouse click.
8. Go through the Resultant Set of Policy Wizard to obtain RSoP information from the selected computer.
9. Expand the Computer Configuration container, and then select DeviceLock.

[Screenshot: RSoP console, Computer Configuration expanded, showing Software Settings, Windows Settings, SmartLine DeviceLock and Administrative Templates.]
499. ot need to go through this wizard again, just click Cancel to close the wizard and keep all existing settings unchanged. In case you need to change some parameters but keep others, edit only the needed parameters and go through all the wizard's pages up to the Finish button on the final page.

Note: If you are installing DeviceLock Content Security Server for the first time (there are no existing settings on this computer yet) and you cancel the configuration wizard upon opening, Setup will not be able to install DeviceLock Content Security Server's service, so you will need to run the configuration wizard again.

Step 3: Configure DeviceLock Content Security Server and complete the installation

The DeviceLock Content Security Server wizard opens automatically during the installation process. This wizard will guide you through the required settings you must configure to use DeviceLock Content Security Server.

The first page of the wizard looks like this:

[Screenshot: DeviceLock Content Security Server wizard, first page, with the Log on as area (Local System account) and the Connection settings area (Dynamic ports / Fixed TCP port). The page carries the note: "We strongly recommend running DeviceLock Content Security Server under an account in the Domain Admins group. DeviceLock Content Security Server must have administrative access to every DeviceLock Enterprise Server that it is going to connect to."]

On this page you configure startup options for the DeviceLock Content Security Server's
500. ou to keep an eye on monitored computers in real time.

[Screenshot: DeviceLock Management Console, Monitoring task selected, with a computers list showing the Computer, Status, Last Scan Time and Service Uptime columns (statuses shown: "Computer is available", "Computer unavailable", "Settings are corrupted").]

To view the monitored computers that belong to the task, select this task in the console tree. To refresh the information displayed in the computers list, select Refresh from the context menu available by a right mouse click, or press the appropriate button on the toolbar.

• Computer Name: the name of the monitored computer.
• Status: the status of the monitored computer and DeviceLock Service. The status also affects the small picture (an icon) displayed next to the Computer Name parameter. The general rules for interpreting computer icons are:
  • Green computer means that the computer is working and DeviceLock Service is running on it.
  • Red computer means that the computer is not working (not found), or it is working but without DeviceLock Service.
  • Computer with exclamation mark means tha
501. ouble-click Protocols blocked message.

[Screenshot: Protocols blocked message dialog box, showing the Enable Protocols Blocked Message check box, the Blocked Message Caption box, the Blocked Message Text box and the Restore Defaults button.]

In the Protocols blocked message dialog box, do the following:

USE THIS / TO DO THIS
Enable Protocols Blocked Message: Enable or disable the display of the Protocols blocked message. Select the Enable Protocols Blocked Message check box to enable the display of the message. Clear the Enable Protocols Blocked Message check box to disable the display of the message.
Blocked Message Caption: Specify the text to display in the title bar of the message balloon. By default, the Blocked Message Caption text is as follows: DeviceLock Security Subsystem.
Blocked Message Text: Specify the text to display in the message balloon. By default, the Blocked Message Text is as follows: You do not have permissions to access PROTOCOL. Please contact your system administrator, where PROTOCOL is the name of the protocol to be inserted.
Restore Defaults: Restore the default settings.

For a detailed description of the Protocols feature, see Protocols (Regular Profile).

Content verification message

Checking the content of files copied to devices or transmit
502. owing. When you select Auditing & Shadowing in the console tree, in the details pane you can view device types for which you can define audit and shadowing rules. In the details pane you can also view the current state of offline rules for each device type in the Offline column.
In the details pane, do one of the following:
• Right-click the device type for which you want to define or edit rules, and then click Set Offline Auditing & Shadowing.
OR
• Select the device type for which you want to define or edit rules, and then click Set Offline Auditing & Shadowing on the toolbar.
The Auditing & Shadowing (Offline) dialog box appears.

[Screenshot: Auditing & Shadowing (Offline) dialog box for the selected device type on the local computer.]

In the Auditing & Shadowing (Offline) dialog box, do the following:

TO DO THIS / FOLLOW THESE STEPS
To define the default audit and shadowing rules:
1. In the upper left area of the dialog box, specify which events are written to the audit log. Select the Audit Allowed check box to audit successful attempts to gain access to a device. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a device.
2. In the upper left pane of the dialog box, under Users, click Set Default. The default audit and shadowing rules apply to members of the Users group and the Everyone account. For information about which Audit and Shadowing rights are set for these accounts by defaul
503. ox. Some USB devices, like the mouse, will not work without being reinitialized, so it is recommended to keep this check box selected for non-storage devices. It is recommended to keep the Reinitialize device before granting access check box unselected for storage devices such as flash drives, CD/DVD-ROMs, external hard drives and so on. Some USB devices cannot be reinitialized from DeviceLock Service. It means that their drivers do not support the software replug. If such a device was white-listed but does not work, the user should remove it from the port and then insert it back manually to restart the device's driver.
5. Press the Finish button. If the Unlock Code is valid, then access to the device will be provided in several seconds.

[Screenshot: DeviceLock Temporary White List Authorization Tool: "The device has been successfully unlocked for 1 day".]

All successful attempts to add devices to a Temporary White List are logged, if logging of changes is enabled in Service Options.

Appendix: Permissions and Audit Examples for Devices

Using the following examples, you can better understand how to properly define permissions, audit and shadowing rules in DeviceLock. All examples assume that you are using DeviceLock Management Console (the MMC snap-in) and it is already connected to the computer where DeviceLock Service is running. For more information on how to use DeviceLock Management
504. ox in the Not column.
AND/OR: Join each content group you select with the logical AND or OR operator. To do so, select the desired group in the Criteria column, and then click either AND or OR in the appropriate list in the AND/OR column.
Clear: Clear the current list of content groups in the Criteria column.
Validate: Validate your expression. If the expression was defined incorrectly (for example, an opening parenthesis was not matched with a closing parenthesis), you receive an error message.

6. Click OK to close the Add Complex Group dialog box. The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content-Aware Rules dialog box.

Viewing Built-in Content Groups

You can view any built-in content groups, but you cannot edit or delete them.

To view a built-in content group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do on
505. p Policy Manager. The enforcement of regular Security Settings is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. The enforcement of regular Security Settings lets you prevent offline Security Settings inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular Security Settings, see Removing Offline Security Settings.

Managing offline Security Settings involves the following tasks:
• Defining and changing offline Security Settings
• Undefining offline Security Settings
• Removing offline Security Settings

Defining and Changing Offline Security Settings

To define and change offline Security Settings:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Un
506. parated by a semicolon.
• From: specifies the beginning of the interval of events that you want to filter. Select First Event to see events starting with the first event recorded in the log. Select Events On to see events that occurred starting with a specific time and date.
• To: specifies the end of the range of events that you want to filter. Select Last Event to see events ending with the last event recorded in the log. Select Events On to see events that occurred ending with a specific time and date.

Monitoring

This functionality of DeviceLock Enterprise Server allows you to implement real-time monitoring of DeviceLock Services across the network. DeviceLock Enterprise Server can monitor remote computers in real time, checking DeviceLock Service status (running or not), policy consistency and integrity. The detailed information is written to the special log and can be viewed using the Monitoring Log Viewer.

Also, it is possible to define a master policy that can be automatically applied across selected remote computers in the event that their current policies are suspected to be out of date or damaged. Moreover, you can use this policy recovery feature as an alternative way of deploying settings (permissions, audit and shadowing rules) to remote DeviceLock Services across the network.

Architecture Overview

All actions (computers monitoring, policy consistency and integrity checking, etc.
507. pe.

Note: You can define different online vs. offline Security Settings for the same user or sets of users. Online Security Settings (Regular Profile) apply to client computers that are working online. Offline Security Settings (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies (Offline Profile). For information about how to define offline Security Settings, see Managing Offline Security Settings.

To change online (regular) security parameters, double-click the parameter's record to switch its state (enable/disable). Alternatively, you can select Manage from the context menu available with a right mouse click, or press the appropriate button on the toolbar.

[Screenshot: Security Settings dialog box listing the parameters: Access control for USB HID (mouse, keyboard, etc.); Access control for USB printers; Access control for USB Bluetooth adapters; Access control for USB and FireWire network cards; Access control for USB scanners and still image devices; Access control for serial modems (internal & external); Access control for USB storage devices; Access control for virtual DVD/CD-ROMs (Windows 2000 and later); Access control for FireWire storage devices; Access control for virtual printers (Windows 2000 and later); Access control for Clipboard data within one proce...]
508. pen Project window has its own toolbar and context menu, available by a right mouse click. You can group saved projects by the date when they were scanned and by the type of information they contain. Select Group by Plug-ins or Group by Date from the context menu, or press the appropriate buttons on the Project toolbar. To open a saved project, select it from the list and press the Open Project button on the Project toolbar. Using CTRL and/or SHIFT, you can select and open several projects simultaneously.
2. Another way to save received information in the format of DeviceLock Enterprise Manager is to select Save As from the File menu. This enables you to save a file of the ANM type to any place on your hard disk or any other media, with any name you choose. To load previously saved files, you can select Open from the File menu or press the appropriate button on the Main toolbar. You will need to specify a file you wish to open. You can load files of the ANM type only.
3. If you need to pass received information to a third-party application, you can export it into an external file and then import it to this application. To export data into the external file, select Save As from the File menu and then select the file's type from the Save as type box. DeviceLock Enterprise Manager supports the export into MS Excel (if it is installed on the local computer) and two formats of text files: Tab Delimited (TXT) and Co
509. pied.
Controls whether or not instant messages with specified content sent by the user using SSL are shadow copied.
Controls whether or not instant messages with specified content received by the user are shadow copied.
Controls whether or not instant messages with specified content sent by the user are shadow copied.
Controls whether or not e-mail messages with specified content sent by the user are shadow copied.
Controls whether or not e-mail attachments with specified content sent by the user are shadow copied.
Controls whether or not e-mail messages with specified content sent by the user using SSL are shadow copied.
Controls whether or not e-mail attachments with specified content sent by the user using SSL are shadow copied.
Controls whether or not messages, comments and posts with specified content sent by the user are shadow copied.
Controls whether or not media and other files with specified content uploaded to a social networking site are shadow copied.

Configuring Content Detection Settings

Content-Aware Rules are created based on content groups that enable you to centrally define types of content for which you want to control access. Content groups specify content filtering criteria that will be used to select data to which rules should be applied. All content groups are stored in the Content Database. The same Content Database is used for both dev
510. played: Offline Protocols White List is not configured.

Removing Offline Protocols White List

If you deploy DeviceLock policies using Group Policy or DeviceLock Service Settings files (.dls), DeviceLock provides you with the ability to block the inheritance of the higher-level offline white list and enforce the regular white list on specific lower-level groups of client computers. To enforce the regular Protocols White List, you must remove the offline Protocols White List.

To remove the offline Protocols White List:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, right-click White List, and then click Remove Offline.
The offline state of the white list changes to Use Regular. When you select White List in the console tree, in the details pane the following message is displayed: Offline Protocols White List is configured to use Regular Protocols White List. The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Content-Aware Rules for Protocols
511. port

[Screenshot: Windows Start menu, DeviceLock program group, including the Temporary White List Administration Tool item.]

Note: DeviceLock Group Policy Manager integrates into Windows Group Policy Editor and is not available as a stand-alone application. In order to use DeviceLock Group Policy Manager, you must run the standard Windows Group Policy Editor.

To uninstall DeviceLock, do one of the following:
• Use Add or Remove Programs in Control Panel to remove DeviceLock.
OR
• Click Start, point to All Programs, point to DeviceLock, and then click Remove DeviceLock.

Installing DeviceLock Enterprise Server

DeviceLock Enterprise Server is the optional component for centralized collection and storage of shadow data and audit logs. Also, DeviceLock Enterprise Server can monitor remote computers in real time, checking DeviceLock Service status (running or not), policy consistency and integrity.

In order to use DeviceLock Enterprise Server on Windows NT 4.0 SP6 and Windows 2000 computers, you should install Microsoft Data Access Components (MDAC) version 2.8 or later. MDAC is available for free download at the Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?familyid=78cac895-efc2-4f8e-a9e0-3a1afbd5922e&displaylang=en

Planning Infrastructure

You can install several DeviceLock Enterprise Servers on different computers across your network to uniformly spread the network load. DeviceLoc
512. possible to:
• Install DeviceLock Service on all the computers on a network, even those that are not currently running and new computers that are just connecting to the network. For more information regarding DeviceLock Service deployment, see Installation via Group Policy.
• Control and configure DeviceLock Service on a large number of computers in different domains/organizational units simultaneously. Even if some computers are not currently running, or they are new computers that are just connecting to the network, they are included in DeviceLock's automatic deployment of predefined settings.
• View the policy currently being applied and predict what policy would be applied. For more information, see Using Resultant Set of Policy (RSoP).

Note: In order to manage DeviceLock via Group Policy, you must have Active Directory properly installed and configured. For more information about installing and configuring Active Directory, please refer to the related Microsoft documentation.

Applying Group Policy

Policy is applied when the computer starts up. When a user turns on the computer, the system applies DeviceLock's policy. Policy can be optionally reapplied on a periodic basis. By default, policy is reapplied every 90 minutes. To set the interval at which policy will be reapplied, use the Group Policy Object Editor. For more information, please refer to the Microsoft Knowledge Base
513. progress: <log_name>. The progress counter shows the percentage complete of the indexing process.

Merging-related progress and status indicators

You can control the merge process by watching its status and progress counter. The status indicator shows the status of the merge operation. The following table shows possible status values and their descriptions:

STATUS VALUE / DESCRIPTION
Idle: The merge is not performed.
Merging: The merge is in process.
Defragmenting: Compressing (optimizing) the index. Compressing the index optimizes the index structure, removing obsolete data and defragmenting search structures for better performance.

The progress counter shows the percentage complete of the merge process.

To monitor and refresh the status of the current indexing activity:
1. In the console tree, expand DeviceLock Content Security Server, and then expand Search Server.
2. Under Search Server, select Current Activity. When you select Current Activity in the console tree, indexing- and merging-related progress and status indicators are displayed in the details pane. Because the status of the current indexing- and merging-related operations is not updated automatically, you need to perform a refresh operation.
To perform a refresh operation, do one of the following:
• In the console tree, right-click Current Activity, and then click Refresh.
OR
• In the console tree, select Current Activity a
514. propriate button on the Main toolbar to save or export the filtered result. As with any other DeviceLock Enterprise Manager file, filtered data can be opened and loaded into DeviceLock Enterprise Manager. To load a file, select Open from the File menu or press the appropriate button on the Main toolbar. Then specify the file you want to open. You can only load files that were previously saved by DeviceLock Enterprise Manager.

Content-Aware Rules for Devices (Regular Profile)

Content-Aware Rules extend the basic port/device access control functionality of DeviceLock by adding comprehensive file-level protection of corporate documents containing confidential company information. Content-Aware Rules enable automatic content inspection of data copied to external storage devices, detection of sensitive content, and enforcement of regulatory policies to ensure protection. With Content-Aware Rules you can selectively allow or deny access to specific file content regardless of preset permissions at the device type level. You can also use Content-Aware Rules to allow or deny shadow copying of specific content. For flexibility, Content-Aware Rules can be defined on a per-user or per-group basis. You can configure Content-Aware Rules to apply to access control operations, to shadow copy operations, or both.

The following examples illustrate the use of Content-Aware Rules:
• Example 1: Using
515. ptions, select Search Server Options. When you select Search Server Options in the console tree, they are displayed in the details pane.
3. In the details pane, double-click DeviceLock Enterprise Server(s), or right-click DeviceLock Enterprise Server(s) and then click Properties. The DeviceLock Enterprise Server(s) dialog box appears.

[Screenshot: DeviceLock Enterprise Server(s) dialog box for the local computer.]

4. In the DeviceLock Enterprise Server(s) dialog box, type the IP address or the name of the computer that is running DeviceLock Enterprise Server. Multiple computer names or IP addresses must be separated by a semicolon.
Note: Make sure that DeviceLock Enterprise Server is properly installed and accessible to DeviceLock Content Security Server; otherwise its data will not be indexed by Search Server.
To remove computer names or IP addresses, click Remove.
5. Click OK.

Task: Specify the location of the full-text index.

You can specify where the full-text index will reside. If you do not specify a location, the full-text index is created in the default directory %ProgramFiles%\DeviceLock Content Security Server\Index. Search Server starts the indexing process automatically each time you specify a different location.

To specify the index location:
1. In the console tree, expand DeviceLock Content Security Server, and then expand Server Options.
2. Un
(Screenshot: the Setup type page of DeviceLock Setup, showing the Service + Consoles, Server + Consoles and Custom options; Custom is recommended for advanced users.)

45 Installation

(Screenshot: the Custom Setup page of DeviceLock Setup, listing the DeviceLock Enterprise Manager, DeviceLock Group Policy Manager, DeviceLock Service and DeviceLock Enterprise Server features, each of which can be installed on the local hard drive or made unavailable.)

Note: On the Custom Setup page you can select the RSoP component to install. This component enables support for DeviceLock's Resultant Set of Policy planning mode on domain controllers. The RSoP component is required only when DeviceLock management consoles are installed but DeviceLock Service is not installed on the computer. For more information on RSoP planning mode, refer to the Microsoft documentation.

On the Custom Setup page you can change the default installation directory. By default, the DeviceLock installation directory is %ProgramFiles%\DeviceLock. To change the default installation directory, click Change to open
Printer or Parallel port device types, it always opens in the built-in DeviceLock Printer Viewer. DeviceLock Printer Viewer is able to display a shadowed printed document in native print spooler format, to send it to the printer again, or to save it as a graphics file such as BMP, GIF, JPEG, PNG, EMF or TIFF. The following print spooler formats are supported: PostScript, PCL5, PCL6 (PCL XL), HP-GL/2, GDI printing (ZjStream) and EMF Spooled Files.

To save a shadow copy of a file to any local or network location:
1. Perform your search.
2. On the search results page, click Save under the desired search result. The Save As dialog box appears.
3. In the Save As dialog box, in the Save in box, browse to the location where you want to save the shadow copy.
4. In the File name box, type the file name you want.
5. Click Save.

If the data was transferred by the user as a file, it is stored in the shadow log as a file and can be saved to the local computer as a file too. When a user has written data to a CD/DVD disk, all data is stored in the shadow log as a single CD/DVD image (one image per each written CD/DVD disk or session) in the CUE format. CD/DVD images, as well as other data that originally was not transferred as files (direct media access or serial/parallel ports transfer), have auto-generated names based on the action's type, drive's letter or device's name, and time/date, for example direct_write E
Profile. The Content Aware Rules dialog box appears.
In the upper pane of the Content Aware Rules dialog box, under Content Database, select any built-in group you want to duplicate, and then click Duplicate.
In the dialog box that opens, edit the content group as required, and then click OK.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content Aware Rules dialog box.

Editing and Deleting Custom Content Groups

You can modify or delete custom content groups at any time.

To edit or delete a custom content group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content Aware Rules, and then click Manage.
   - OR -
   • Select Content Aware Rules, and then click Manage on the toolbar.
   The Content Aware Rules dialog box appears.
4. In the upper pane of the Content Aware Rules
network, and the action (install or remove DeviceLock Service, set permissions, and so on) which should be performed for these computers.

(Screenshot: the Scan Network dialog box, with the network tree (Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals) on the left and the plug-ins Audit Log Viewer, Install service, Report Permissions/Auditing, Report PnP Devices, Set Service Settings, Shadow Log Viewer and Uninstall service on the right.)

To open the Scan Network dialog box, click Scan Network on the File menu or press the appropriate button on the Main toolbar. If the Show this dialog at next startup check box is selected, the Scan Network dialog box will open automatically each time DeviceLock Enterprise Manager is started.

There are three simple steps which enable you to manage DeviceLock Services across the network.

Selecting Computers

The first step is to select the computers to be processed. You can use the context menu (available by right-clicking) to select/deselect necessary items (computer types, domains or computers). DeviceLock Enterprise Manager provides several flexible ways to select network computers:

• Network computers can be selected by their types. Each type represents all of the computers belonging to the category:
  • Primary Domain Controller: a primary domain controller.
  • Backup Domain Controller: a backup domain controller.
  • Microsoft SQL Servers: any server running with Microsoft SQL Server.

234 DeviceLock Enterprise Manager

•
or group specified in the white list, and then click Save on the toolbar.
   - OR -
   • Right-click White List, and then click Manage. In the right pane of the Protocols White List dialog box, under Rules, click Save.
   The Save As dialog box appears.
2. In the Save As dialog box, in the Save in box, browse to the location where you want to save the .pwl file.
3. In the File name box, type the file name you want.
4. Click Save.
When you export the Protocols White List, it is saved in a file with a .pwl extension.

To import the Protocols White List:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click White List, and then click Load.
   - OR -
   • Select White List, and then click Load on the toolbar.
   - OR -
   • Expand White List, right-click any user or group specified in the white list, and then click Load.
   - OR -
   • Expand White List, select an
(Screenshot: the plug-in list of the Scan Network dialog box, with the Show this dialog at next startup check box.)

Press the Settings button or double-click on the plug-in's record to open the configuration dialog box.

79 DeviceLock Certificates

(Screenshot: the Select Service Settings dialog box, listing XML policy files (DL Settings 1, DL Settings 2, Main DL Settings, Install Certificate) with their Name, Created, Modified and Author columns.)

Create the new XML file or use the existing one to define the policy needed to install/remove the certificate. Highlight the file in the list and then press the Edit button to modify the policy as described in the next section below. When finished modifying the policy, select its file by enabling the checkmark next to the file's name in the list. Press the OK button to close the configuration dialog box, and then press the Scan button on the Scan Network dialog box to start the DeviceLock Certificate installation/removal process.

DeviceLock Management Console, DeviceLock Group Policy Manager and DeviceLock Service Settings Editor

If you are using DeviceLock Management Console (the MMC snap-in), first you need to connect it to the computer running DeviceLock Service. Use the context menu availab
archives.
In the Content Aware Rules for Devices dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click Document Properties.
In the Add Document Properties Group dialog box, do the following:
   a. In the Name box, specify the name of the group, for example, Images contain 70% text.
   b. Select the Contains text check box, and specify 70%.
   c. Click OK.
The new content group you created is added to the existing list of content groups under Content Database in the Content Aware Rules for Devices dialog box. This group will be used to control access to images containing a large amount of text.
In the Content Aware Rules for Devices dialog box, under Content Database, click the drop-down arrow next to Add Group, and then click Complex.
In the Add Complex Group dialog box, do the following:
   a. In the Name box, specify the name of the group, for example, Complex Group 1.
   b. Click Add. In the Content Groups dialog box, select the following groups: Credit Card Number, Images: CAD & Drawing, Images contain 70% text, Password-protected documents and archives, and US Social Security Number. You can select these groups simultaneously by holding down the CTRL key while clicking them.
   c. Compose the following logical expression: US Social Security Number OR Password-protected documents and archives OR Credit Card Number OR Images: CAD & Drawing AND Images contain 70% text.

481 Appendix

Permissions
are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline audit and shadowing rules for protocols, see Managing Offline Audit and Shadowing Rules for Protocols.

344 Protocols Regular Profile

You can define the default audit and shadowing rules for protocols for both types of profiles: Regular Profile and Offline Profile. The default rules apply to the Users and Everyone groups. The following table lists rights granted to these groups by default.

GROUP: Everyone

PROTOCOL | RIGHTS
FTP | Connection: Audit Connection; Incoming Files: Audit Incoming Files; Outgoing Files: Audit Outgoing Files
HTTP | Connection: Audit Connection; Incoming Data: Audit Incoming Data; Incoming Files: Audit Incoming Files; Outgoing Data: Audit Outgoing Data; POST Requests: Audit POST Requests; Outgoing Files: Audit Outgoing Files
ICQ/AOL Messenger | Connection: Audit Connection; Incoming Messages: Audit Incoming Messages; Outgoing Messages: Audit Outgoing Messages
IRC | Connection: Audit Connection; Incoming Messages: Audit Incoming Messages; Outgoing Messages: Audit Outgoing Messages
Jabber | Connection: Audit Connection; Incoming Messages: Audit Incoming Messages; Outgoing Messages: Audit Outgoing Messages
Mail.ru Agent | Connection: Audit Connecti
recognized as the one authorized device.
• Unique Device: represents a unique device unit. Each device is identified by a combination of Vendor Id (VID), Product Id (PID) and Serial Number (SN). Not all devices have serial numbers assigned. A device can be added to the white list as a Unique Device only if its manufacturer has assigned a serial number to it at the production stage.

Two steps are required to authorize a device:
1. Add the device to the devices database, making it available for adding to the white list.
2. Add the device to the white list for the specified user/group. In effect, this designates the device as authorized and allows it for this user/group at the interface (USB) level.

Note: You can define different online vs. offline USB Devices White Lists for the same user or sets of users. The online USB Devices White List (Regular Profile) applies to client computers that are working online. The offline USB Devices White List (Offline Profile) applies to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define the offline USB Devices White List, see Managing Offline USB Devices White List.

To define the online (regular) white list, select Manage from the context menu available w
record of all sent messages.

Audit Connection: Enables audit logging of user attempts to connect to an IRC server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address-to-host name resolution fails, the host name is not written to the log.

Audit Incoming Messages / Outgoing Messages: Enables audit logging of user attempts to send and receive instant messages. The Chat action, IDs of all IM participants, and the IP address with the port number and the name of the host are written to the log. The ID of the local participant precedes the ID of a remote participant.

Shadowing Incoming Messages: Enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages.

Shadowing Outgoing Messages: Enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of al
reports. The available options are:
• HTML Format (.htm)
• PDF Format (.pdf)
• Rich Text Format (.rtf)
DeviceLock uses PDF as the default output format for reports.

To set the default format for reports:
1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server.
2. In the console tree, expand DeviceLock Enterprise Server.
3. Under DeviceLock Enterprise Server, right-click Reports. Next, point to Set Default Format, and then click any of the following options: HTML, PDF, RTF.

Defining Report Parameters

Report parameters help you specify which data from the DeviceLock log files you want to use in a report. For example, you can specify a date range to restrict the data that appears in the report. Report parameters must be set for each report individually. To define report parameters, use the Report Options dialog box. This dialog box appears in one of the following situations:
• When you right-click any report template in the console tree and then click New Report.

374 DeviceLock Reports

• When you select any report template in the console tree and then click New report on the toolbar.

Report Options Dialog Box

Period from / To: Specifies the start and end date and time of the report period for which data is displayed. The date format is MM/DD/YYYY, where MM specifies the month, DD the day, YYYY the year. The time format is hh:mm:ss AM/PM, where hh the hour, mm the minute
performed for data transfers allowed by the Protocols White List, while whitelisted connections are audited. The white list consists of rules associated with the specified protocol. Each rule specifies users or groups the rule applies to and contains a set of parameters associated with it. These parameters fall into two categories:
• General parameters that apply to all protocols.
• Protocol-specific parameters.

The following table describes general parameters for a white list rule.

PARAMETER | DESCRIPTION
Protocol | Specifies the protocol the rule applies to.
Description | Specifies the name of the rule.

The following table describes protocol-specific parameters for a white list rule.

PARAMETER | DESCRIPTION
Hosts | Applies to the FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, SMTP, SSL, Telnet, Windows Messenger and Yahoo Messenger protocols. Specifies a list of allowed hosts for this rule. If this list is specified, these hosts will not be blocked. Hosts may be specified in any of the following formats:
• DNS name, for example, www.example.com. You can use the asterisk (*) wildcard character in DNS names; for example, *.example.com denotes that the host name is any server whose name ends in the specified name.
Caution: Adding host names with wildcards to the white list for all protocols except HTTP does not guarantee that the white list rule will work as expected. B
ride Local Policy setting enabled. For information about how to create a custom MSI package, see Create MSI Package.

You can use Group Policy to distribute DeviceLock Service by using the following steps:

• Create a Distribution Point
To install DeviceLock Service, you must create a distribution point on the server. To create a distribution point, do the following:
1. Log on to the server computer as an administrator.
2. Create a shared network folder in which to place the MSI package.
3. Set permissions on the share to allow access to the distribution package.
4. Copy the MSI package (DeviceLock Service.msi and/or DeviceLock Service x64.msi) to the distribution point.

• Create a Group Policy Object
To create a Group Policy object (GPO) with which to distribute DeviceLock Service, do the following:
1. Start the Group Policy Management snap-in. If the Group Policy Management snap-in is not installed on your computer, you may use the Active Directory Users and Computers snap-in instead.
2. In the console tree, select your domain.

(Screenshot: the Group Policy Management snap-in with the domain vm2000ad.com selected; its context menu offers Create and Link a GPO Here and Link an Existing GPO, and the Linked Group Policy Objects tab lists Default Domain Policy and DeviceLock Group Policy Object.)

S
PostScript, PCL5 and PCL6 files.
Encrypted Write | Controls whether or not specified content written to an encrypted device is shadow copied. Applies only to the Removable device type.
Special Permissions: Write Calendar | Controls whether or not specified content written to a calendar on a mobile device from a PC is shadow copied. Applies to the iPhone, Palm and Windows Mobile device types.
Special Permissions: Write Contact | Controls whether or not contacts with specified content written from a PC to a mobile device are shadow copied. Applies to the iPhone, Palm and Windows Mobile device types.
Special Permissions: Write E-mail | Controls whether or not e-mail messages with specified content written from a PC to a mobile device are shadow copied. Applies to the iPhone, Palm and Windows Mobile device types. For iPhone, this right controls shadow copying of e-mail account settings, but not e-mail messages.

SHADOWING RIGHTS | DESCRIPTION
Special Permissions: Write Attachment |
Special Permissions: Write Favorite |
Special Permissions: Write File |
Special Permissions: Write Media |
Special Permissions: Write Backup |
Special Permissions: Write Note |
Special Permissions: Write Pocket Access |
Special Permissions: Write Task |
Special Permissions: Write Expense |
Special Permissions: Write Document |
Special Permissions: Write Unidentified Content |
because
comparison to DeviceLock Management Console, in DeviceLock Service Settings Editor:
• You do not need to connect to any computer with DeviceLock Service. DeviceLock Service Settings Editor modifies and stores settings in external XML files and allows you to create/edit policies offline. It works similar to DeviceLock Group Policy Manager, but instead of GPOs it uses XML files.
• You can reset any parameter or all parameters at once to the unconfigured state. All undefined parameters are ignored when the policy is applied to DeviceLock Service.
• You can remove any Offline policy settings (permissions, audit and shadowing rules, white lists, etc.) for both devices and protocols in order to enforce regular ones in this policy file.

To create a new policy from scratch, just run DeviceLock Service Settings Editor and start making changes in its default (empty) policy.

230 DeviceLock Service Settings Editor

If you want to modify an existing policy, you should load the XML file with that policy to DeviceLock Service Settings Editor using the Load Service Settings context menu command, and then make desired changes. If you create a new policy from scratch, you should use Save Service Settings from the context menu to save it in an XML file. Alternatively, you can use Save & Sign Service Settings from the context menu to save the policy to an external XML file and automatically sign it with the most recent DeviceLock Certificate (the private key
network resources.

Certificate Name: You may need to deploy the private key to DeviceLock Enterprise Server if you want to enable authentication based on DeviceLock Certificate. There are two methods of DeviceLock Enterprise Server authentication on remotely running DeviceLock Services:
• User authentication: the DeviceLock Enterprise Server's service is running under the user's account that has full administrative access to DeviceLock Service on the remote computer. For more information on how to run DeviceLock Enterprise Server on behalf of the user, please read the description of the Log on as parameter.
• DeviceLock Certificate authentication: in situations when the user under which DeviceLock Enterprise Server is running can't access DeviceLock Service on the remote computer, you must authenticate based on a DeviceLock Certificate. The public key should be installed on DeviceLock Service and the corresponding private key on DeviceLock Enterprise Server.
To install DeviceLock Certificate, press the button and select the file with a private key. To remove DeviceLock Certificate, press the Remove button. For more information regarding DeviceLock Certificate, please read the DeviceLock Certificates section of this manual.

Press the Next button to apply changes and proceed to the third page of the configuration wizard. From this page you can load your DeviceLock licenses.

L
marks in search queries. An asterisk (*) replaces an unlimited number of characters. The question mark (?) replaces a single character. You can use these wildcards in any position and in any quantity. To search for a specific phrase, enclose the phrase in double quotes. To search for multiple words, separate each word with a space. The following table shows the search items, examples and results of these types of searches.

SEARCH ITEM | EXAMPLE | RESULTS
Single word | price | Results that contain the word price. You will also find its grammatical variations, such as prices, priced and so on.
Phrase | confidential information | Results that contain both of the individual words confidential and information instead of the exact phrase.
Phrase | "confidential information" | Results that contain the exact phrase confidential information.
Wildcard expression | te?t | Results that contain test, text and so on.
Wildcard expression | mone* | Results that contain money, monetary and so on.
Wildcard expression | *air | Results that contain fair, impair, affair and so on.
Wildcard expression | * assets | Results that contain monetary assets, liquid assets, fixed assets, current assets and so on.

To perform a search operation:
1. In the console tree, expand DeviceLock Content Security Server, and then expand Search Server.
2. Under Search Server, select Search Page. The search page is displayed in the details pane.
3. On the search page, in the Search box, type the w
(Screenshot: the License Agreement page of DeviceLock Setup.)

You must accept the DeviceLock's End User License Agreement before continuing the installation process.

On the Customer Information page, type your user name and organization. On this page, under Install this application for, you can specify for whom desktop shortcuts to DeviceLock management consoles (DeviceLock Management Console, DeviceLock Enterprise Manager and DeviceLock Service Settings Editor) will be created. You can select from the following options:
• Anyone who uses this computer (all users): Creates desktop shortcuts to DeviceLock management consoles for all users.
• Only for me: Creates desktop shortcuts to DeviceLock management consoles only for the account that is installing DeviceLock.

(Screenshot: the Customer Information page of DeviceLock Setup with the Anyone who uses this computer (all users) and Only for me options.)

On the Setup type page, select the required setup type. You have the following three choices: install both DeviceLock Service and DeviceLock management consoles using the Service + Consoles option; install both DeviceLock Enterprise Server and DeviceLock management consoles using the Server + Consoles option; or install only DeviceLock management consoles using the Custom option and selecting the DeviceLock Consoles component.

(Screenshot: the Setup type page of DeviceLock Setup.)
groups specified in audit and shadowing rules for a protocol.
• All users and groups specified in audit and shadowing rules for a protocol are removed.
• The Everyone account has no Audit and Shadowing rights and is the only account specified in audit and shadowing rules for a protocol.

Defining and Editing Audit and Shadowing Rules

To define and edit audit and shadowing rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view protocols for which you can define audit and shadowing rules. In the details pane you can also view the current state of online rules for each protocol in the Regular column.
4. In the details pane, do one of the following:
   • Right-click the protocol for which you want to define or edit rules, and then click Set Auditi
Enterprise Server in order to add new index entries to the existing index.

Task: Monitor and refresh the status of the current indexing activity

Full-text indexing operations can be time-consuming and resource-intensive. Search Server lets you monitor the progress of the indexing operations that are currently being executed. The indexing process happens in two stages. In the first stage, Search Server extracts significant words from shadow copies and log records and saves them to temporary indexes for each specified DeviceLock Enterprise Server. For each temporary index, Search Server processes 1,000 records from each log. In the second stage, when either the number of temporary indexes becomes equal to 50 or 10 minutes pass, all temporary indexes are combined into a permanent master index that is used for search queries. The process of combining temporary indexes into a master index is called merging. Search Server provides indexing- and merging-related progress and status indicators.

Indexing progress and status indicators

You can control the indexing process on each specified DeviceLock Enterprise Server by watching its status and progress counter. The status indicator shows the status of the indexing operation. The following table shows possible status values and their descriptions.

STATUS VALUE | DESCRIPTION
Idle | Indexing is not performed.
Waiting | Waiting for indexing to begin.
Indexing | Indexing is in
Select the Windows authentication option to authenticate on SQL Server under the account used to run DeviceLock Enterprise Server's service. If the service is running under the SYSTEM user and SQL Server is located on the remote computer, the service will not be able to connect to SQL Server, since the SYSTEM user doesn't have a right to access the network. For more information on how to run DeviceLock Enterprise Server on behalf of the user, please read the description of the Log on as parameter.

Select the SQL Server authentication option to allow SQL Server to perform the authentication itself by checking the login and password previously defined. Before selecting the SQL Server authentication option, make sure that your SQL Server was configured to use mixed mode authentication. Enter the SQL user name (login) in Login name and its password in Password.

Note: Windows Authentication is much more secure than SQL Server Authentication. When possible, you should use Windows Authentication.

System Data Source: you select the predefined system data source from the Data Source Name list. To define data sources, use the Data Sources (ODBC) applet from Control Panel > Administrative Tools.

(Screenshot: the ODBC Data Source Administrator, System DSN tab, listing a SQL Server system data source.)

An ODBC System data source st
parameters allow you to tune up auditing and shadowing for DeviceLock Service.

(Screenshot: DeviceLock Management Console showing Service Options of the local DeviceLock Service: Local storage directory %SystemRoot%\SHADOW; Enable local storage quota: Enabled; Cleanup files older than ... days: Disabled; Prevent data transfer on errors: Enabled; Audit Log Type: Event Log; Overwrite events older than 7 days; Transfer full shadow data to server: Enabled; Local Policy is enabled for this machine.)

Use the context menu available via a right mouse click on every parameter.

Local storage directory: Use this parameter to define where on the local disk cached data for shadowing and content analysis is stored.

(Screenshot: the Local storage directory dialog box, with Local Storage Directory set to %SystemRoot%\SHADOW and a Default button.)

By default, DeviceLock Service uses the %SystemRoot%\SHADOW directory to store cached data for shadowing and content analysis on the local computer. %SystemRoot% is a standard environment variable that expands to a path to the Windows root folder, for example C:\Windows. You can specify any other directory on any lo
port, Serial port, USB port and WiFi device types, you can enable this right only if Read is selected in the Audit group.
  • Print: to log all attempts to send documents to printers. Applies only to the Printer device type.
  • Execute: to log access attempts to remotely execute a code on the device's side. Applies only to the Windows Mobile device type.
  • Read Non-files: to log the read access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  • Write Non-files: to log the write access attempts for non-file objects (Calendar, Contacts, Tasks, etc.). Applies only to iPhone, Windows Mobile and Palm device types.
  • Copy: to log all attempts to paste data from the clipboard and capture screen shots. Applies only to the clipboard.
• Shadowing rights that belong to this group are responsible for actions logged into the shadow log:
  • Write: to enable shadowing of all data written by the user. Applies only to DVD/CD-ROM, Floppy, iPhone, Parallel port, Removable, Serial port, Windows Mobile and Palm device types.
  • Print: to enable shadowing of all documents sent to printers. Later these documents can be viewed using the DeviceLock Printer Viewer. Applies only to the Printer device type.
  • Write Non-files: to enable shadowing of all non-file objects (Calendar, Contacts, Tasks, etc.) written by the user. Applies only to iPhone, Window
539. rule that you want to copy is applied. By selecting users or groups, you can view the white list rules applied to them under Rules in the right pane of the dialog box. In the right pane of the Protocols White List dialog box, under Rules, right-click the rule you want to copy and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you use the CTRL+X key combination to cut the rule, the rule will be cut only after you paste it. In the left pane of the Protocols White List dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups to which you want to apply the copied rule, and then click OK. The users and groups that you added are displayed under Users in the left pane of the Protocols White List dialog box. In the left pane of the Protocols White List dialog box, under Users, select the users or groups to which you want to apply the copied rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. In the right pane of the Protocols White List dialog box, right-click in the Rules pane and then click Paste. The copied rule is displayed under Rules in the right pane of the Protocols White List dialog
540. rvice Options. Report PnP Devices: the Report PnP Devices plug-in generates a report displaying the USB, FireWire and PCMCIA devices currently connected to computers on the network and those that were connected. Note: In order to retrieve PnP devices from Windows Vista, 7 and Windows Server 2008 computers, you should allow remote access to the PnP interface on those computers. You can do it via modifying the policy as described in this article: http://support.microsoft.com/kb/947040. The columns are defined as follows: Description: the description of the device provided by its vendor. Device Information: the additional information about the device provided by its vendor. Connected to: the interface where the device is connected (USB, FireWire or PCMCIA). Class: the class of the device provided by Windows. Class description: the description of the device's class provided by Windows. Present: indicates whether the device is currently connected or not (Yes or No). DeviceID: the unique identification string of the device provided by its vendor. Driver: the name of the driver that is controlling this device. You can add reported USB devices to the USB Devices Database using the context menu available via a right mouse click. Before you can use this plug-in, you should select the information you want to include in reports. You can do this by clicking the Settings button below the plu
541. s. The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes: Period from/to: shows the start and end date and time of the report period for which data is displayed. [Table continues: REPORT TYPE (Read & Write access requests per device type; Top active computers) / DESCRIPTION.] The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running. Computer(s): shows the computers that were specified for the report. User(s): shows the users that were specified for the report. Channel(s): shows the data transmission channels that were specified for the report. The available options are all devices, all protocols, and all devices and protocols. The Report Results section contains a table and a pie chart that show detailed results of the report. The table has the following rows: Allowed: shows the total number of allowed access requests and the respective percentage. Denied: shows the total number of denied access requests and the respective percentage. Total: shows the total number of all access requests and the respective percentage. The pie chart represents the report res
542. s Denied (disallows SSL connections) or Required (requires that all connections use SSL). To specify the IM local sender ID(s), in the Local sender ID(s) box type user identifiers separated by a comma or semicolon. For more information on how to specify user identifiers, see the description of the Local sender ID(s) parameter. To specify the IM remote recipient ID(s), in the Remote recipient ID(s) box type user identifiers separated by a comma or semicolon. For more information on how to specify user identifiers, see the description of the Remote recipient ID(s) parameter. To specify the e-mail senders, in the Local sender Email(s) box type sender addresses separated by a comma or semicolon. For more information on how to specify sender addresses, see the description of the Local sender Email(s) parameter. To specify the e-mail recipients, in the Remote recipient Email(s) box type recipient addresses separated by a comma or semicolon. For more information on how to specify recipient addresses, see the description of the Remote recipient Email(s) parameter. To specify the social networking sites, under Social Networks select the appropriate check boxes. For more information, see the description of the Social Networks parameter. To specify the Web-based e-mail services, under Web Mail Services select the appropriate check boxes. For more information, see the description of the Web Mail Services parameter. 9. Click O
543. s. 0 means that no retries will be performed for that scan type after the first failed attempt. Reply timeout: the time (in seconds) DeviceLock Enterprise Server will actually wait for a response from the target computer for each type of scan. If DeviceLock Enterprise Server is running on a slow or busy network, you may need to increase this timeout. Service connection settings: these options define how DeviceLock Enterprise Server should connect to DeviceLock Services on the monitored computers to obtain service version, settings, etc. If the correct connection settings are not specified, DeviceLock Enterprise Server will not be able to connect to monitored services, and their computers will not receive the available status. DeviceLock Service can be configured to use either a fixed port or dynamic ports during the installation process. For more information on this, see Unattended Installation and Remote Installation via DeviceLock Enterprise Manager. There are two connection options: Dynamic ports: to instruct DeviceLock Enterprise Server to use dynamic ports for communication with DeviceLock Service, select this option. Fixed TCP port: if DeviceLock Service is configured to accept connections on a fixed port, then you should select this option and specify that port number. Note: In order to successfully connect to monitored DeviceLock Services and obtain needed information from them, DeviceLock Enterprise Server must ha
544. s Mobile and Palm device types. Below you can see what audit rights can be assigned to what device types and what is written to the log. For all events, DeviceLock Service logs the event's type, date and time, device's type, user name and process information, as well as the specific event's information described below. DEVICE TYPE: BlackBerry. RIGHTS: Audit Read: Device Access action is written to the audit log. Audit Write/Print: Device Access action is written to the audit log. Audit Execute; Audit Read Non-files; Audit Write Non-files; Audit Copy; Shadowing Write/Print; Shadowing Write Non-files. DEVICE TYPE: Bluetooth. RIGHTS: Audit Read: Device Access action is written to the audit log. Audit Write/Print: Device Access action is written to the audit log. Audit Execute; Audit Read Non-files; Audit Write Non-files; Audit Copy; Shadowing Write/Print; Shadowing Write Non-files. DEVICE TYPE: Clipboard. RIGHTS: Audit Read; Audit Write/Print; Audit Execute; Audit Read Non-files; Audit Write Non-files; Audit Copy: Copy Text, Copy File, Copy Image, Copy Audio, Copy Unidentified and Screenshot actions are written to the audit log. Shadowing Write/Print; Shadowing Write Non-files. DEVICE TYPE: DVD/CD-ROM. RIGHTS: Audit Read: Open, Device Access, Direct Access and Eject events, file names and flags (Read
545. [Screenshot: Windows Start menu.] Alternatively, you can start MMC and add the DeviceLock Management Console snap-in manually: 1. Run mmc from the command line or use the Run menu to execute this command. 2. Open the File menu and then click Add/Remove snap-in. [Screenshot: MMC Console1 window with the File menu open, showing the Add/Remove Snap-in command and recently used .msc files.] 3. Click the Standalone tab and then click Add. [Screenshot: Add/Remove Snap-in dialog box, Standalone tab, with Console Root selected.] 4. Select DeviceLock Management Console from the list, then click Add. [Screenshot: Add Standalone Snap-in dialog box, Available Standalone Snap-ins list with DeviceLock Management Console (vendor SmartLine Inc.) among the Microsoft snap-ins.]
546. s White List (Offline) dialog box, under Users, select the users or groups to which you want to apply the copied rule. You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them. 9. In the right pane of the Protocols White List (Offline) dialog box, right-click in the Rules pane and then click Paste. The copied rule is displayed under Rules in the right pane of the Protocols White List dialog box. 10. Click OK or Apply to apply the copied rule. Exporting and Importing Offline Protocols White List: You can export all your current rules of the offline Protocols White List to a .pwl file that you can import and use on another computer. Exporting and importing can also be used as a form of backup. To export the offline Protocols White List: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Protocols. Under Protocols, do one of the following: Right-click White List and then click Save O
547. s actions, file names and flags (Read, DirectRead, Eject, DirList) write to the audit log. Audit Write/Print: Open, Open/Create, Overwrite/Create, Direct Access, Delete, Rename and Create new actions, file names and flags (Write, DirectWrite, Format, Del, DirCreate) write to the audit log. Audit Execute; Audit Read Non-files; Audit Write Non-files; Audit Copy; Shadowing Write/Print; Shadowing Write Non-files. DEVICE TYPE: Infrared port. RIGHTS: Audit Read: Device Access action writes to the audit log. Audit Write/Print: Device Access action writes to the audit log. Audit Execute; Audit Read Non-files; Audit Write Non-files; Audit Copy; Shadowing Write/Print; Shadowing Write Non-files. DEVICE TYPE: iPhone. RIGHTS: Audit Read: Read File action and file names write to the audit log. Audit Write/Print: Write File, Rename File and Delete File actions and file names write to the audit log. Audit Execute; Audit Read Non-files: Read Calendar, Read Contact, Read Favorite, Read E-mail, Read Backup, Read Note and Read Media actions and object names write to the audit log. Audit Write Non-files: Write Calendar, Delete Calendar, Write Contact, Delete Contact, Write Favorite, Delete Favorite, Write E-mail, Delete E-mail, Write Backup, Write Note, Delete Note, Write Media, Rename Media and Delete Media actions and object names write to
548. s and protocols. If you select either of these options and then specify device type(s) or protocols, the report will display data only for the specified device type(s) or protocols. Top computers: specifies the number of the most frequently used computers. Appears only for the Top active computers report type. The default value is 10. To change the default value, type or select the appropriate number of computers in the Top computers box. Top users: specifies the number of the most active users. Appears only for the Top active users report type. The default value is 10. To change the default value, type or select the appropriate number of users in the Top users box. Top USB and FireWire devices: specifies the number of the most frequently inserted USB and FireWire devices. Appears only for the Top inserted USB & FireWire devices report type. The default value is 10. To change the default value, type or select the appropriate number of devices in the Top USB and FireWire devices box. Top USB devices: specifies the number of the most frequently used USB devices. Appears only for the Top used USB devices report type. The default value is 10. To change the default value, type or select the appropriate number of devices in the Top USB devices box. File name: specifies files for the report. Appears only for the Top active users, Top active computers and Copied files per channel report types in the Shadow Log report category. The File n
549. s and select the needed one. Click OK to close the Select Users or Groups dialog box, select the Everyone record and disable all rights in the User's Rights list. 3. Click the Media White List button in the Permissions dialog box. [Screenshot: Media White List dialog box with the Users list, the Media White List and the Media Database list showing a DVD/CD-ROM media record.] 4. Click the Add button below the Users list and add the Administrators group (type the name or browse for all available names and select the needed one). Click OK to close the Select Users or Groups dialog box and then select the Administrators record. 5. Select the media's record in the Media Database list and then click the Add button below this list. If you do not have records in the Media Database list, click the Media Database button below this list and then authorize a media as described in the Media Database section of this manual. When you finish authorizing a media, click OK to save the database and close the Media Database dialog box. 6. Click OK to apply the white list settings and close the Media White List dialog box. Click OK to apply changes and close the Permissions dialog box. Then click Yes to confirm that you really want to deny access to CD/DVD drives for all users.
550. s disabled when this user is logged in. You can add media to the Media White List in two steps: 1. Select a user or user group for which this media should be allowed. Click Add under the Users list to add the user/group. To delete the record from the Users list, click Delete. 2. Select the appropriate media record in the Media Database list and click Add. To edit a media's description, select the appropriate record in Media White List and click Edit. Click Delete to delete a selected media's record (use CTRL and/or SHIFT to select several records simultaneously). To save the media white list to an external file, click Save, then select the name of the file. To load a previously saved white list, click Load and select a file that contains the list of medias. If you need to manage the media database, you can click Media Database and open the appropriate dialog box. Note: Using the media white list you can only allow read access to authorized media. It is impossible to authorize media for writing. Media Database: In the Media Database dialog box, you can add new media to the database and edit existing records. [Screenshot: Media Database dialog box listing a DVD/CD-ROM media record.] Before the media can be authorized in the white list, it must be added to the database. In the Drives list at the top of the dialog box, you can see all drives available on the local computer that c
551. s manual. In comparison with the service's audit log filter, the server's filter has the following additional fields: Computer: this text matches a value in the Audit Log Viewer's Computer column. This field is not case-sensitive and you may use wildcards. You can enter multiple values separated by a semicolon. Event ID: this number matches a value in the Audit Log Viewer's Event column. You can enter multiple values separated by a semicolon. Received Date/Time: specifies the time period to filter events based on when they were received by DeviceLock Enterprise Server. From specifies the earliest date and time from which you want events, while To specifies the latest date and time from which you want events. The possible values of the From parameter are First Event, Events On. Select First Event to see events starting with the first event received by DeviceLock Enterprise Server. Select Events On to see events that were received starting with a specific date and time. The possible values of the To parameter are Last Event, Events On. Select Last Event to see events ending with the last event received by DeviceLock Enterprise Server. Select Events On to see events that were received ending with a specific date and time. Shadow Log Viewer (Server): The shadow log viewer allows you to retrieve the shadow log stored on DeviceLock Enterprise Server. DeviceLock Management
552. s not control file transfers. SSL Send/Receive Data: the right to connect to an IRC server using SSL. SSL Outgoing Messages: the right to send instant messages using SSL. It does not control file transfers. Generic Send/Receive Data: the right to connect to a Jabber server and receive instant messages. Generic Outgoing Messages: the right to send instant messages. It does not control file transfers. SSL Send/Receive Data: the right to connect to a Jabber server using SSL. SSL Outgoing Messages: the right to send instant messages using SSL. It does not control file transfers. Generic Send/Receive Data: the right to connect Mail.ru Agent to the Mail.ru server and receive instant messages. Generic Outgoing Messages: the right to send instant messages. It does not control file transfers. Generic Send/Receive Data: the right to connect to an SMTP server and to send and receive protocol data. Generic Outgoing Messages: the right to send e-mail messages without attachments. Generic Outgoing Files: the right to send e-mail attachments. SSL Send/Receive Data: the right to connect to an SMTP server and to send and receive protocol data using SSL. SSL Outgoing Messages: the right to send e-mail messages without attachments using SSL. SSL Outgoing Files: the right to send e-mail attachments using SSL. Generic Send/Receive Data: the right to have view access to a social networking site. Generic Outgoing Messages: the right to sen
553. s not written to the log. Audit Incoming Messages, Outgoing Messages: enables audit logging of user attempts to send and receive instant messages. The Chat action, IDs of all IM participants, the IP address with the port number and the name of the host are written to the log. The ID of the local participant precedes the ID of a remote participant. Shadowing Incoming Messages: enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages. Shadowing Outgoing Messages: enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all sent messages. Note: You can define different online vs. offline audit and shadowing rules for the same user or sets of users. Online audit and shadowing rules (Regular Profile) apply to client computers that are working online. Offline audit and shadowing rules (Offline Profile) apply to client computers that a
554. s of the local Administrators group. It is not a good practice to grant users administrative rights to their computers. However, if for some reason users on your network have administrator privileges on their local computers, DeviceLock provides another level of protection: no one except authorized DeviceLock administrators can connect to, stop or uninstall DeviceLock Service. Even members of the local Administrators group cannot disable DeviceLock if they are not in the list of the authorized DeviceLock administrators. Remove the Recovery Console: If the Windows Recovery Console is installed on the local computer, someone can boot to the recovery mode and work around any number of security measures, including disabling DeviceLock Service; however, this requires the local administrator password. For this reason, we recommend deleting the Recovery Console. For more information on how to install, remove and use the Recovery Console, please refer to the Microsoft's on-line article: http://support.microsoft.com/default.aspx?scid=kb;en-us;307654. Installation: Installation Requirements: DeviceLock works on any computer using Windows NT 4.0 SP6, 2000, XP, Vista, 7 and Windows Server 2003, 2008. It supports 32-bit and 64-bit platforms. Windows Internet Explorer version 4.0 or later must be installed on computers running Windows NT 4.0 SP6. Note: NetworkLock (an extension to DeviceLock) does not work on computers running Windows NT 4.0 SP
555. s to access control operations. Shadowing indicates that the rule applies to shadow copy operations. Permissions, Shadowing indicates that the rule applies to both access control and shadow copy operations. Device Type(s): the device type(s) to which the rule applies. Profile: possible values are Regular and Offline. Regular indicates that the rule applies to client computers that are working online. Offline indicates that the rule applies to computers that are working offline. You can define different online vs. offline Content-Aware Rules for the same user or sets of users. For information about how to define offline Content-Aware Rules, see Managing Offline Content-Aware Rules for Devices. Editing Content-Aware Rules: You can modify the Content-Aware Rule properties such as Description, Applies To, Device Type(s), Actions. To edit a Content-Aware Rule: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration
556. sages. [Table continues: PROTOCOL / AUDIT & SHADOWING RIGHTS; rows Mail.ru Agent, SMTP, Social Networks.] PROTOCOL: Mail.ru Agent. AUDIT & SHADOWING RIGHTS: Audit Connection: enables audit logging of user attempts to connect Mail.ru Agent to the Mail.ru server. The Connection action, the IP address with the port number and the name of the host, and the name of the protocol are written to the log. If IP address to host name resolution fails, the host name is not written to the log. Audit Incoming Messages, Outgoing Messages: enables audit logging of user attempts to send and receive instant messages. The Chat action, IDs of all IM participants, the IP address with the port number and the name of the host are written to the log. The ID of the local participant precedes the ID of a remote participant. Shadowing Incoming Messages: enables shadow copying of received instant messages. Shadow copies of received instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the last active exchange in the chat window) or if the user quits the instant messenger. It contains an exact record of all received messages. Shadowing Outgoing Messages: enables shadow copying of sent instant messages. Shadow copies of sent instant messages are written to the log as .txt files. A shadow copy of messages is written to the log after 30 minutes of inactivity (that is, 30 minutes after the
557. se settings are stored in the database and they are specific to the log, but not to DeviceLock Enterprise Server. This means that if there are several DeviceLock Enterprise Servers using one database, all have the same log settings. Enable the Control log size flag to allow DeviceLock Enterprise Server to control the number of records in the log and delete outdated records if necessary to clean up the space for new ones. Otherwise, if the Control log size flag is disabled, DeviceLock Enterprise Server uses all available space for the SQL Server's database to store the log. In the Maximum log size parameter, you can specify the maximum number of records that this log can contain. Please note that if there is more than one DeviceLock Enterprise Server using this database, then the actual number of records in the log can be a little larger (by a couple of records) than the specified value. To specify what DeviceLock Enterprise Server should do when the log is full (when Maximum log size is reached), select one of these options: Overwrite events as needed: the server will overwrite old events if Maximum log size is reached. Overwrite events older than: specifies that records that are newer than this value (specified in days) will not be overwritten. Do not overwrite events (clear log manually): the server will not overwrite old events if Maximum log size is reached, and you will need to clear events
558. sections below describe these groups and how to use them. File Type Detection Content Groups: File Type Detection groups are used to control access to files based on file types. These groups contain definitions of the file types that make up these groups. A file type definition consists of two properties: a file name extension (for example, DOC) and a description (for example, Microsoft Word document). When you apply a rule based on a File Type Detection group, the rule is applied to all file types included in that group. By defining rules based on File Type Detection groups, you can, for example, allow certain users or groups to read Word documents from Floppy devices but prevent them from writing Word documents to Floppy devices. You can deny read access to all executable files from Removable, DVD/CD-ROM and Floppy devices but allow write access to all file types for Removable and Floppy devices. You can also specify that only Word, Excel and PDF documents will be shadow copied. DeviceLock includes 34 predefined (built-in) File Type Detection groups that you can use to set up the desired configuration of permissions and/or shadow copy operations. You can use the built-in content groups as they are, create their editable copies (duplicates), or create your own content groups to suit your particular organization's needs. The following table lists these predefined content groups. BUILT-IN FILE TYPE DETECTION GROUPS: Archives; MS Outlook &
559. sed using an IP address. This setting applies to the following protocols: HTTP, Social Networks and Web Mail. By default, the setting is disabled. Audit and shadow copying for URLs containing the host IP address are performed at the HTTP level. If Block IP addresses in URL is disabled but users have deny access permissions for a protocol, all URLs containing the host IP address are also blocked. Note: If Block IP addresses in URL is enabled and specific host IP addresses are allowed by the Protocols White List, these IP addresses will not be blocked. The Protocols White List settings override Security Settings for protocols. Note: You can define different online vs. offline Security Settings for the same user or sets of users. Online Security Settings (Regular Profile) apply to client computers that are working online. Offline Security Settings (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline Security Settings, see Managing Offline Security Settings for Protocols. Managing online (regular) Security Settings for protocols involves the following tasks: Defining and changing Security Settings; Undefining Security Settings. Online Security Settings f
560. select the user or group for which you want to edit the rule. By selecting users or groups, you can view the Content-Aware Rules applied to them in the details pane. b. In the details pane, right-click the rule you want to edit and then click Edit. The Edit Rule dialog box appears. In the Edit Rule dialog box, modify the rule properties as required to meet your needs. Click OK to apply the changes. Copying Offline Content-Aware Rules: You can perform a cut-and-paste operation, a copy-and-paste operation or a drag-and-drop operation to reuse existing offline Content-Aware Rules. To copy an offline Content-Aware Rule: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. Expand Devices. Under Devices, do one of the following: Right-click Content-Aware Rules and then click Manage Offline, OR select Content-Aware Rules and then click Manage Offline on the too
561. semicolons or spaces. Use the following format: user@mailserver. Click OK. If an error occurs during the e-mail delivery of a report, an appropriate error message will be logged. You can use Server Log Viewer to determine the reason. For more information on Server Log Viewer, see Server Log Viewer. Note: When you send a report in HTML format, the report is included in the body of the e-mail message and is not sent as an attachment. Deleting reports: You can delete reports when they are no longer required. To delete reports: 1. Open DeviceLock Management Console and connect it to the computer running DeviceLock Enterprise Server. 2. In the console tree, expand DeviceLock Enterprise Server. 3. Under DeviceLock Enterprise Server, expand Reports. 4. Expand Audit Log or Shadow Log. 5. Under Audit Log or Shadow Log, select the report template that you used for generating the report you want to delete. By selecting a report template in the console tree, you can view the reports associated with it in the details pane. 6. In the details pane, right-click the report you want to delete and then click Delete. You can delete multiple reports at the same time. To do this, do the following: a. In the details pane, select multiple reports by holding down the SHIFT key or the CTRL key while clicking them. b. Right-click the selection and then click Delete. DeviceLock Security Policies (Offline Prof
ses 1,000 records from each log. In the second stage, when either the number of temporary indexes reaches 50 or 10 minutes pass, all temporary indexes are combined into a permanent master index that is used for search queries. Combining temporary indexes into a master index is called merging. Creating the master index is a time-intensive process.

Indexing speed can vary considerably depending on the type of data being indexed and the hardware being used. Generally, indexing speed is between 30 and 120 MB/minute. Consider the following example:
• Data: 170 GB, consisting of 4,373,004 mixed-type files (HTML, office documents, text)
• Indexing time: 24.7 hours (6.8 GB/hour, roughly 115 MB/minute, within the range above)
• Index size: 12% of the original document size
• Hardware: Pentium 4 Processor 550 (3.40 GHz, 800 FSB), 2 GB RAM, internal SATA RAID 0 drives

Executing Full-Text Queries

After the DeviceLock Enterprise Server data has been indexed, you can run full-text queries. These queries can search for one or more specific words or phrases. When a search query is executed, Search Server processes the query and retrieves from the index a list of results that match the query criteria. Filtering can be applied to narrow the result set returned; for example, the results can be filtered by log or by date.

Querying the full-text index is extremely fast and flexible. A search operation takes only seconds to locate and return matches for par
sing data from logs stored on DeviceLock Enterprise Server. Use reports to arrange and display statistical data on users' device- and protocol-related activities in a separate file. When generating a report, you can define report parameters to filter the data and display the information that is relevant to you. For example, you can specify the start and end date and time of the report period for which data is displayed.

Reports can be created automatically, sent to you via e-mail, stored, exported to a variety of formats, and shared with others. Reports are created by using DeviceLock Management Console.

Report Categories and Types

DeviceLock comes with a set of predefined report templates that you can use to create new reports. These predefined templates are displayed in the console tree under the Reports node of DeviceLock Enterprise Server.

[Screenshot: DeviceLock Management Console, Reports node under DeviceLock Enterprise Server. The Audit Log templates shown include Allowed & Denied access requests per channel, Allowed vs. Denied access requests, Read & Write access requests per device type, Top active computers, Top active users, Top inserted USB & FireWire devices and Top used USB devices; the Shadow Log templates begin with Copied files]
   • Permissions: Specifies that the rule applies to access control operations.
   • Shadowing: Specifies that the rule applies to shadow copy operations.
   • Permissions, Shadowing: Specifies that the rule applies to both access control and shadow copy operations.
Under Protocol(s), select the protocol(s) you want this rule to apply to. Content-Aware Rules can be applied to the following protocols: FTP, HTTP, ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, SMTP, Social Networks, Web Mail, Windows Messenger, and Yahoo Messenger. If you select several protocols that have different access rights, the dialog box displays under Action(s) only those access rights that are common to all selected protocols.
Under Action(s), specify which user actions are allowed or disallowed on the selected protocols and which user actions are logged to the Shadow Log. For detailed information on the user rights that can be specified in Content-Aware Rules, see Content-Aware Rules for Access Control Operations and Content-Aware Rules for Shadow Copy Operations.
Click OK. The rule you created is displayed under Rules in the lower-right pane of the Content-Aware Rules dialog box.
13. Click OK or Apply to apply the rule.
The users or groups to which the Content-Aware Rule applies are displayed under Content-Aware Rules in the console tree. When you select a user or group to which a Content
   In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select Permissions.
   When you select Permissions in the console tree, the details pane lists the protocols for which you can set permissions. The Offline column in the details pane also shows the current state of offline permissions for each protocol.
4. In the details pane, do one of the following:
   • Right-click the protocol for which you want to set or edit permissions, and then click Set Offline Permissions.
   OR
   • Select the protocol for which you want to set or edit permissions, and then click Set Offline Permissions on the toolbar.
   The Permissions (Offline) dialog box appears.

[Screenshot: Permissions (Offline) dialog box for the FTP protocol on Local Computer; the Users list shows Not Configured]

5. In the Permissions (Offline) dialog box, do the following:

   TO DO THIS                        FOLLOW THESE STEPS
   To set the default permissions    In the upper-left pane of the dialog box, under Users, click Set Default. The default permissions are assigned to the Adm
specify the IM remote recipient ID(s): in the Remote recipient ID(s) box, type user identifiers separated by a comma or semicolon. For more information on how to specify user identifiers, see the description of the Remote recipient ID(s) parameter earlier in this section.
   • To specify the e-mail senders: in the Local sender Email(s) box, type sender addresses separated by a comma or semicolon. For more information on how to specify sender addresses, see the description of the Local sender Email(s) parameter earlier in this section.
   • To specify the e-mail recipients: in the Remote recipient Email(s) box, type recipient addresses separated by a comma or semicolon. For more information on how to specify recipient addresses, see the description of the Remote recipient Email(s) parameter earlier in this section.
   • To specify the social networking sites: under Social Networks, select the appropriate check boxes. For more information, see the description of the Social Networks parameter earlier in this section.
   • To specify the Web-based e-mail services: under Web Mail Services, select the appropriate check boxes. For more information, see the description of the Web Mail Services parameter earlier in this section.
9. Click OK.
   The rule you created is displayed under Rules in the right pane of the Protocols White List dialog box.
10. Click OK or Apply.
   The users or groups to which the white list rule applies ar
ss
   • Block FireWire controller if access is denied

Security Settings are similar to the devices white list, but there are three major differences:

1. Using Security Settings, you can only allow a whole class of device. You cannot allow a specific device model while locking out all other devices of the same class. For example, by disabling access control for USB storage devices, you allow the use of all USB storage devices regardless of their model and vendor. By adding the one USB flash drive model you want to allow to the devices white list instead, you ensure that all other USB storage devices remain locked out.
2. Using Security Settings, you can only select from the predefined device classes. If a device does not belong to one of the predefined classes, it cannot be allowed this way. For example, there is no class for smart card readers in Security Settings, so if you want to allow a smart card reader while the port is locked, use the devices white list.
3. Security Settings cannot be defined on a per-user basis; they affect all users of the local computer. Devices in the white list, by contrast, can be defined individually for every user and group.

Note: Security Settings work only for devices that use standard Windows drivers. Some devices use proprietary drivers, and their classes cannot be recognized by DeviceLock Service. Hence access control to such devices c
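The three differences above are easiest to see as a decision procedure. The following Python model is an added example for this page, not DeviceLock code and not a description of how DeviceLock Service evaluates a device internally: it treats Security Settings as a class-wide, user-independent allow, the devices white list as a per-model, per-user allow, and falls back to the port permissions otherwise. Device class names, model strings and the CORP\ account names are invented for the example, and a device whose class is None stands for the proprietary-driver case in the Note, which Security Settings cannot match.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Device:
    # Class as recognised from a standard Windows driver. None models a device whose
    # proprietary driver prevents the class from being recognised (see the Note above).
    device_class: Optional[str]
    model: str  # vendor/model identification, the granularity of the devices white list


@dataclass
class UsbPortPolicy:
    """Simplified model of the three controls compared in the text (example only)."""
    # Security Settings: classes for which access control is switched off.
    # Class-level; applies to every user of the computer.
    access_control_disabled_for: Set[str] = field(default_factory=set)
    # Devices White List: model -> users/groups allowed to use that model while the port is locked.
    white_list: Dict[str, Set[str]] = field(default_factory=dict)
    # Permissions on the USB port itself: users/groups that may use the port at all.
    port_access: Set[str] = field(default_factory=set)

    def decide(self, device: Device, principals: Set[str]) -> str:
        """Return the reason a device is allowed, or 'denied'. principals is the
        set of user and group names the requesting user belongs to."""
        # 1. Security Settings: whole class, regardless of model or user.
        #    An unrecognised class (None) can never match here.
        if device.device_class is not None and device.device_class in self.access_control_disabled_for:
            return "allowed by Security Settings (whole class, all users)"
        # 2. Devices White List: exact model, and only for the listed users/groups.
        if principals & self.white_list.get(device.model, set()):
            return "allowed by Devices White List"
        # 3. Otherwise the permissions set on the USB port decide.
        if principals & self.port_access:
            return "allowed by USB port permissions"
        return "denied"


# Constructed policy: USB storage class fully open, one smart card reader model
# white-listed for alice only, and no one granted the USB port itself.
POLICY = UsbPortPolicy(
    access_control_disabled_for={"USB storage"},
    white_list={"ACME SCR-3310": {"CORP\\alice"}},
    port_access=set(),
)

if __name__ == "__main__":
    for dev, who in [
        (Device("USB storage", "Kingston DT101"), {"CORP\\bob"}),
        (Device("Smart card reader", "ACME SCR-3310"), {"CORP\\alice"}),
        (Device("Smart card reader", "ACME SCR-3310"), {"CORP\\bob"}),
        (Device(None, "Kingston DT101"), {"CORP\\bob"}),
    ]:
        print(f"{dev.model:<16} {sorted(who)}: {POLICY.decide(dev, who)}")
```

The first case shows difference 1 (any USB storage model is allowed for any user once the class is opened), the second and third show difference 2 and 3 together (a class Security Settings cannot express, allowed for alice only), and the last shows the Note: with no recognised class, only the white list or the port permissions can grant access.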
First Record to see records starting with the first record received by DeviceLock Enterprise Server. Select Records On to see records received starting with a specific date and time.
The possible values of the To parameter are Last Record and Records On. Select Last Record to see records ending with the last record received by DeviceLock Enterprise Server. Select Records On to see records received up to a specific date and time.

Deleted Shadow Data Log

This viewer allows you to retrieve information about deleted shadow log records. When a record is removed from the log in Shadow Log Viewer, the record's binary data is deleted, but all other information, such as the file name and size, user name, date/time, process and so on, is moved to this log.

[Screenshot: DeviceLock Management Console with the Deleted Shadow Data Log node selected under DeviceLock Enterprise Server; its context menu includes Refresh, Filter and Clear]

This log is used when you no longer need the content of the shadow data and you want to clean up the storage (either SQL Server or the disk) but at the same time you
First of all, you have to prepare the policy you want to deploy. If there are no files in the list, you can either create an empty file by clicking the New button or add an existing file by clicking the Add button. Then select the file in the list and click Edit to open DeviceLock Service Settings Editor.

DeviceLock Service Settings Editor is used for creating and modifying external XML files with settings, permissions, audit and shadowing rules for DeviceLock Service. For more information, see DeviceLock Service Settings Editor.

When you have finished modifying the policy, select its file by selecting the check box next to the file's name in the list. Then click OK to close the configuration dialog box.

Shadow Log Viewer

The Shadow Log Viewer plug-in retrieves the shadow log from DeviceLock Service. Use the context menu, available by a right mouse click, to access all of this plug-in's functions. For more information, see Shadow Log Viewer (Service).

Uninstall Service

The Uninstall Service plug-in removes DeviceLock Service and all its settings and components from computers. If the user account under which DeviceLock Enterprise Manager connects to the computer does not have full administrative access to DeviceLock Service, the plug-in cannot remove the service. Likewise, an error occurs when the user does not have local administrative privileges on the computer where DeviceLock Ser
t (see Auditing & Shadowing (Regular Profile)).

   TO DO THIS                                                           FOLLOW THESE STEPS
   To define audit and shadowing rules for an additional user or group
      1. In the upper-left area of the dialog box, specify which events are written to the audit log. Select the Audit Allowed check box to audit successful attempts to gain access to a device. Select the Audit Denied check box to audit unsuccessful attempts to gain access to a device.
      2. In the upper-left pane of the dialog box, under Users, click Add. The Select Users or Groups dialog box appears. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the name of the user or group, and then click OK. The users and groups that you added are displayed under Users in the upper-left pane of the Auditing & Shadowing (Offline) dialog box.
   To change audit and shadowing rules for an existing user or group
      1. In the upper-left pane of the Auditing & Shadowing (Offline) dialog box, under Users, select the user or group. You can select multiple users and/or groups by holding down the SHIFT key or the CTRL key while clicking them.
      2. In the lower-left pane of the Auditing & Shadowing (Offline) dialog box, under User's Rights, select or clear the Allow check box next to the appropriate audit and shadowing rights.
   To remove an existing user or group and its rules
   • Right-click Content-Aware Rules, and then click Manage Offline.
   OR
   • Select Content-Aware Rules, and then click Manage Offline on the toolbar.
   The Content-Aware Rules (Offline) dialog box appears.

[Screenshot: Content-Aware Rules (Offline) dialog box. The Content Database pane lists built-in content groups, for example ABA Routing Number (Pattern), Acquisition Keywords, Admission/Discharge Keywords, Adult Keywords, American Addresses Keywords, American Names Keywords, Archives (File Type Detection) and Audio, Video & Flash (File Type Detection), with Test Group, Duplicate, Add, View Group and Show All Types controls]

4. In the lower-left pane of the Content-Aware Rules (Offline) dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
5. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the rule, and then click OK.
   The users and groups that you added are displayed under Users in the lower-left pane of the Content-Aware Rules (Offline) dialog box.
   To delete a user or group, in the lower-left pane of the Content-Aware Rules (Offline) dialog box, under Users, select the user or group, and then click Delete or press the DELETE key.
   In the lower-left pane of the Co
[Screenshot: DeviceLock Management Console tree showing Audit Log Viewer, Shadow Log Viewer and DeviceLock Enterprise Server, and a device type list including Parallel port, Printer, Removable, Serial port, USB port, WiFi and Windows Mobile; status bar: Manages permissions for selected device(s)]

2. Click the Add button in the Permissions dialog box and add the Administrators group: type the name, or browse for all available names and select the needed one. Click OK to close the Select Users or Groups dialog box, select the Administrators record, and enable all rights in the User's Rights list.
3. Click the Add button in the Permissions dialog box and add the Everyone user: type the name, or browse for all available names and select the needed one. Click OK to close the Select Users or Groups dialog box. Select the Everyone record and disable the Write right in the User's Rights list.

[Screenshot: Permissions dialog box for the selected device type on Local Computer, with Everyone and Administrators listed under Users]

4. Click OK to apply the changes and close the Permissions dialog box.

For all users, all CD and DVD drives are denied, but members of the Administrators group can read a certain disk

1. Select the DVD/CD-ROM record from the list of device types under Permissions, and then select Set Permissions from the context menu available by a right mouse click.
2. Click the Add button in the Permissions dialog box and add the Everyone user: type the name, or browse for all available name
t is checked, DeviceLock Management Console shows only those device types currently available on the current computer. Otherwise, you see every type of device that DeviceLock supports. This is useful when you want to set permissions for device types that are not yet installed or are currently unplugged from the computer.

Permissions (Regular Profile)

There is a list of device types for which you can define user-level permissions.

[Screenshot: DeviceLock Management Console with Permissions selected under DeviceLock Service (Local); the details pane lists device types such as BlackBerry, Bluetooth, Clipboard, DVD/CD-ROM, FireWire port, Floppy, Hard disk, Infrared port, Parallel port, Printer, Removable, Serial port, USB port and WiFi, each shown with Full Access; the status line reads Regular Profile, Local Computer]

Note: When you set permissions for a device type, you set
t occurs. In this case, a user will not be able to copy sensitive information to a device while offline in an attempt to avoid sending shadow copies to DeviceLock Enterprise Server and thus alerting the Security department to the data theft.

Scenario 2: Imagine Mary, a sales representative of a large company, who has a notebook computer and frequently works out of the office. She needs to be able to provide her business partners with information (files) resulting from her work. In this situation, you can allow Mary to write certain files to Removable, DVD/CD-ROM, USB and Floppy devices and enable shadow copying of these files when she works offline. When online, she will be denied write access to the specified device types.

These security policies give you greater flexibility in managing users within an organization while providing better corporate data security.

Configuring Offline Mode Detection Settings

You can define the network characteristics that DeviceLock uses to detect its connection state, whether it is online or offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer.

To configure offline mode detection settings
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLo
enforcement of regular rules is useful if you use Group Policy or DeviceLock Service Settings files (.dls) to deploy DeviceLock policies throughout your network. Enforcing regular rules lets you prevent offline rules inherited from a higher level from being applied to a specific group of client computers at a lower level. For more information on the enforcement of regular rules, see Removing Offline Audit and Shadowing Rules.

Managing offline audit and shadowing rules involves the following tasks:
• Defining and editing offline audit and shadowing rules
• Undefining offline audit and shadowing rules
• Removing offline audit and shadowing rules

Defining and Editing Offline Audit and Shadowing Rules

To define and edit offline audit and shadowing rules
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Auditing & Shad
that something is wrong with the computer or DeviceLock Service. There are eight different statuses:

1. Computer is available: the monitored computer is working and DeviceLock Service is running on it. If the task also verifies policy integrity, the verification completed without errors. The computer's icon is a green computer. If the task restored a broken policy, the icon is a green computer with an exclamation mark.
2. Computer is unavailable: DeviceLock Enterprise Server is unable to scan the monitored computer. This occurs when the computer is not working or connections are blocked by a firewall, but the computer's name/address can still be resolved through DNS. The computer's icon is a red computer.
3. Service is unavailable: DeviceLock Enterprise Server is unable to connect to DeviceLock Service on the monitored computer. This occurs when the computer is working but DeviceLock Service is not running. It can also result from DeviceLock Service listening on a different TCP port than the one specified in the task configuration, or from connections being blocked by a firewall. The computer's icon is a red computer with an exclamation mark. For more information on connection issues, see the description of the Service connection settings parameter.
4. Settings are corrupte
report title, which appears at the very beginning of the report. The report title shows the report type.

The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
• Period from/to: Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format of the user account under which DeviceLock Enterprise Server is running.
• Channel(s): Shows the device types and/or protocols that were specified for the report.
• File Name: Shows the files that were specified for the report.

The Report Results section contains two tables with detailed results of the report.

Table 1 lists the top N (where N is a specific number) computers by the number of copied files. Table 1 has the following columns:
• Computer Name: Shows a computer name.
• Number of Files: Shows the number of copied files. Values in this column are sorted in descending order.

Table 2 lists the top N (where N is a specific number) computers by the amount of copied data. Table 2 has the following columns:
• Computer Name: Shows a computer name.
• Data Size: Shows the total size of all copied files. Values in this column are sorted in descending order.

This report shows the most active users, sorted according to the number of copied files and the total size of all copied files. By default, the report lists
that were specified for the report.
• Channel(s): Shows the data transmission channels that were specified for the report. The available options are all devices, all protocols, and all devices and protocols.

The Report Results section contains two tables and two pie charts that show detailed results of the report.

Table 1 shows the number of copied files for each data transmission channel. Table 1 has the following columns:
• Channel: Shows a data transmission channel.
• Number of Files: Shows the number of copied files.
Table 1 also has a Total row that sums up all the values in the Number of Files column.

Table 2 shows the total size of copied files for each data transmission channel. Table 2 has the following columns:
• Channel: Shows a data transmission channel.
• Data Size: Shows the total size of all copied files.
Table 2 also has a Total row that sums up all the values in the Data Size column.

Each table is followed by a pie chart that represents the report results in percentages.

This report shows the most frequently used computers, sorted according to the number of copied files and the total size of all copied files. By default, the report lists the first 10 computers, but you can specify any number of computers.

The report consists of three sections: the Report Header, Report Parameters and Report Results. The Report Header section contains the repor
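The two report families described above (copied files per channel with Total rows and pie-chart percentages, and the top N computers by file count and by data size) are plain aggregations over shadow log records, which is useful to know when you need the same figures outside the console, for example from an exported log during an investigation. The following Python is an added example and not DeviceLock's report code: it works on constructed sample records reduced to (computer, user, channel, file name, size in bytes), so the field set is an assumption about what an export would carry, and the WS-xxx computer names and CORP\ accounts are invented.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one entry per shadow-copied file.
RECORDS: List[Tuple[str, str, str, str, int]] = [
    # (computer,  user,          channel,     file name,          size in bytes)
    ("WS-101", "CORP\\alice", "Removable", "q3_forecast.xlsx", 450_000),
    ("WS-101", "CORP\\alice", "Removable", "customers.csv",    1_200_000),
    ("WS-102", "CORP\\bob",   "FTP",       "backup.zip",       8_000_000),
    ("WS-103", "CORP\\carol", "Web Mail",  "contract.pdf",     300_000),
    ("WS-103", "CORP\\carol", "Removable", "notes.txt",        5_000),
    ("WS-103", "CORP\\carol", "Web Mail",  "photo.jpg",        2_500_000),
]


def channel_summary(records):
    """Per-channel number of files and data size (Tables 1 and 2 of the per-channel
    report), the Total row, and the percentages the pie charts are drawn from."""
    files: Dict[str, int] = defaultdict(int)
    size: Dict[str, int] = defaultdict(int)
    for _computer, _user, channel, _name, nbytes in records:
        files[channel] += 1
        size[channel] += nbytes
    total_files, total_size = sum(files.values()), sum(size.values())
    rows = []
    for channel in sorted(files):
        rows.append({
            "channel": channel,
            "files": files[channel],
            "size": size[channel],
            # guard the empty-log case so an empty export does not divide by zero
            "files_pct": round(100.0 * files[channel] / total_files, 1) if total_files else 0.0,
            "size_pct": round(100.0 * size[channel] / total_size, 1) if total_size else 0.0,
        })
    return rows, {"files": total_files, "size": total_size}


def top_computers(records, n=10, by="files"):
    """Top N computers by number of copied files or by copied data size, in descending
    order as in the report; ties are broken by name so the result is deterministic."""
    if by not in ("files", "size"):
        raise ValueError("by must be 'files' or 'size'")
    files: Dict[str, int] = defaultdict(int)
    size: Dict[str, int] = defaultdict(int)
    for computer, _user, _channel, _name, nbytes in records:
        files[computer] += 1
        size[computer] += nbytes
    metric = files if by == "files" else size
    return sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def render(records, n=10):
    """Text rendering of both reports, for a quick look at an export."""
    rows, totals = channel_summary(records)
    lines = ["Channel            Files   Pct   Data Size   Pct"]
    for r in rows:
        lines.append(f"{r['channel']:<18} {r['files']:>5} {r['files_pct']:>5.1f} "
                     f"{r['size']:>11,d} {r['size_pct']:>5.1f}")
    lines.append(f"{'Total':<18} {totals['files']:>5}       {totals['size']:>11,d}")
    lines.append("")
    lines.append(f"Top {n} computers by number of files: "
                 + ", ".join(f"{c} ({v})" for c, v in top_computers(records, n, "files")))
    lines.append(f"Top {n} computers by data size: "
                 + ", ".join(f"{c} ({v:,d} bytes)" for c, v in top_computers(records, n, "size")))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RECORDS, n=3))
```

Note that the two top-N rankings do not agree: WS-103 copies the most files while WS-102 moves the most data with a single archive, which is exactly why the report presents both tables.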
containing credit card numbers, telephone numbers and addresses to an FTP server.
• Example 2: Using Content-Aware Rules for shadow copy operations. You can specify that IM conversations containing credit card numbers and e-mail addresses will be shadow copied for security auditing and incident investigation purposes.

Note: You can define different online and offline Content-Aware Rules for the same user or set of users. Online Content-Aware Rules (Regular Profile) apply to client computers that are working online. Offline Content-Aware Rules (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies: Offline Profile. For information about how to define offline Content-Aware Rules for protocols, see Managing Offline Content-Aware Rules for Protocols.

Content-Aware Rules for Access Control Operations

Content-Aware Rules allow you to do the following:
• Grant access to specified content when access is denied at the protocol level.
• Deny access to specified content when access is granted at the protocol level.

Content-Aware Rules also override any rules defined in the Protocols White List.

The following table provides summary information on the access rights that can be specified for each protocol in Content-Aware Rules.
tance.
• Login failed for user 'COMPUTER_NAME$': you have selected Windows Authentication, but the user account used to run the DeviceLock Enterprise Server service cannot access the computer running SQL Server. This happens when the service starts either under the SYSTEM account (a remote SQL Server then sees the computer account, COMPUTER_NAME$) or on behalf of a user that does not have local administrative privileges on the remote SQL Server's computer.
• Login failed for user 'user_name': you have selected SQL Server Authentication and specified either an incorrect SQL user name (login) or the wrong password for it. Note that SQL users are different from Windows users, and you cannot use a regular Windows account in the Login name parameter. SQL users exist only in SQL Server, and to manage them you should use SQL Server management consoles, such as Microsoft SQL Server Management Studio.
• Login failed for user 'user_name'. The user is not associated with a trusted SQL Server connection: you have selected SQL Server Authentication, but your SQL Server does not support this mode. Either use Windows Authentication or allow your SQL Server to work in mixed mode (SQL Server and Windows Authentication mode).
• Login failed for user ''. The user is not associated with a trusted SQL Server connection: the data source you specified in Data Source Name was configured to use SQL Server Authentication mode, but the Login name parameter is empty.
• Data source
Note: You can view the keywords included in the built-in Keywords groups, but you cannot edit or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups.

Creating Custom Keywords Groups

You can define Content-Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom Keywords content groups enable you to specify any keywords you want in the same group, to better meet your individual business needs.

To create a custom Keywords group
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
   • Right-click Content-Aware Rules, and then click Manage.
   OR
   • Select Content-Aware Rules, and then click Manage on the toolbar.
   The Content-Aware Rules dialog box appears.
ted over the network can be a time-consuming operation. You can define a Content verification message to be displayed to users while content inspection is in progress. This message is displayed 20 seconds after DeviceLock Service starts checking the file content.

To enable or disable the Content verification message, right-click Content verification message and then click Properties, or double-click Content verification message.

[Screenshot: Content verification message dialog box for Local Computer, with the Enable Content Verification Message check box, the Content Verification Message Caption field (DeviceLock Security Subsystem), the Content Verification Message Text field and a Restore Defaults button]

In the Content verification message dialog box, do the following:

   USE THIS                                TO DO THIS
   Enable Content Verification Message     Enable or disable the display of the Content verification message. Select the Enable Content Verification Message check box to enable the display of the message. Clear the check box to disable it.
   Content Verification Message Caption    Specify the text to display in the title bar of the message box. By default, the Content Verification Message Caption text is: DeviceLock Security Subsystem.
   Content Verification Message Text       Specify the text to display in the message box.
selected user or group will have access to the specified protocol(s). Use the right mouse button to mark days and hours when the selected user or group will not have access to the specified protocol(s).
   In the upper-left pane of the dialog box, under Users, select the user or group. In the lower-left pane of the dialog box, under User's Rights, select or clear the Allow check box next to the appropriate access rights.
   In the upper-left pane of the dialog box, under Users, select the user or group, and then click Delete or press the DELETE key. When you remove a user or group, any permissions for that user or group are also removed.

You can reset previously set offline permissions to the unconfigured state. If offline permissions are undefined, regular permissions are applied to offline client computers.

To undefine offline permissions
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, select
entered.
• Statistics bar: Shows the number of results displayed on the current search results page.
• Search results: Displays a numbered list of items containing information that matched the search criteria you entered.
• Results navigator: Shows how many results pages are returned and allows you to navigate from page to page.

Each of these areas is described in more detail below.

Search query

This area is located at the top of the search results page. Click Options to view the additional search criteria you specified.

[Screenshot: search query area with the query "customer" and the expanded Options: Display 10 results per page; Limit results to the following logs: Audit Log, Shadow Log, Deleted Shadow Data Log, Server Log, Monitoring Log; Limit results to the following date range: From First Record, To Last Record]

Statistics bar

This area is located immediately above the search results area and looks like this:

[Screenshot: Results 1-3]

Search results

This area is located below the search query area and statistics bar and looks like this:

[Screenshot: two numbered results for "customer" from the Deleted Shadow Data Log dated 9/28/2009 4:12:28 PM, each showing the time 16:12:28, the result Success, the computer vm2003server.testlabdc.com, the Removable channel, the Write action, the file G:\Customer database.doc (27.5 KB), the user TANYADC\Administrator, the process ID 2864 and a process path beginning C:\WINDOWS, with a Log Parameters link]
585. ...terprise Server.
[Screenshot: message "The account P IRT\Administrator has been granted the Log On As A Service right".]

If all of the service's startup parameters were specified correctly, the wizard starts DeviceLock Enterprise Server.
[Screenshot: Starting service dialog box: "Please wait while the program is interacting with a service. Starting service on Local Computer", with a Cancel button.]

It takes some time (up to a minute) before the DeviceLock Enterprise Server's service is started and the wizard's second page is displayed. On the second page you can define the list of users that have administrative access to DeviceLock Enterprise Server and install DeviceLock Certificate (the private key).
[Screenshot: DeviceLock Enterprise Server wizard page with the Enable Default Security check box, a Users list (accounts with Full access or Read only), Add and Delete buttons, the note "We strongly recommend that accounts in this list have local administrator privileges", and a Certificate Name field showing "DeviceLock Certificate 05/11/2006 01:28:52 PM".]

Enable Default Security: In the default security configuration, all users with local administrator privileges (i.e. members of the local Administrators group) can connect to DeviceLock Enterprise Server using a management console, change its settings and run reports. To turn on the default security, check the Enable Default Security flag. If you need to define more granular access to DeviceLock Enterprise Server, turn o
586. ...text data equals or exceeds the threshold number of occurrences of the keywords.

Specify the threshold number of occurrences of the keywords. This number can range from 0 to 65535. This property requires a value if you selected the Only when combined score exceeds or equal to threshold option.

Specify words and phrases that must occur within text data. Double-click under Keywords to enter a keyword or phrase.

Determine the case sensitivity of the keywords. Select the Case Sensitive check box to specify a case-sensitive comparison of the keywords (for example, the words "test" and "Test" will be treated as different keywords). Clear the Case Sensitive check box to specify a case-insensitive comparison of the keywords (for example, the words "test" and "Test" will be treated as the same keyword).

Specify keyword matching options. Select the Whole Word check box to specify the exact match option (allows you to find an exact match of your keyword). Clear the Whole Word check box to specify the broad match option (allows you to find all grammatical variations of your keyword).

Specify the degree of importance for each keyword or phrase. Weight is used to count the number of occurrences of the specified keywords within text data. This property requires a value if you selected the Only when combined score exceeds or equal to threshold option. Possible values: Heavy, Above Normal, Normal (default value), Below Normal, Light.
587. ...the Change Current Destination Folder page.
[Screenshot: DeviceLock Setup, Change Current Destination Folder page ("Browse to the destination folder").]

DeviceLock ships with three different management consoles: DeviceLock Management Console (the MMC snap-in), DeviceLock Enterprise Manager and DeviceLock Group Policy Manager (integrates into the Windows Group Policy Editor).

Installed together with other management consoles is DeviceLock Service Settings Editor, a tool used for creating and modifying external XML files with settings, permissions, audit and shadowing rules for DeviceLock Service.

On the Ready to Install the Program page, click Install to begin the installation. Select the Add DeviceLock shortcuts to the desktop check box if you want to add DeviceLock Management Console (the MMC snap-in), DeviceLock Enterprise Manager and DeviceLock Service Settings Editor shortcuts to the desktop.
[Screenshot: DeviceLock Setup, Ready to Install the Program page: "The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard." with the Add DeviceLock shortcuts to the desktop check box.]

Setup may suggest that you generate a new DeviceLock Certificate.
[Screenshot: DeviceLock Setup prompt: "Do you want to create the new DeviceLock Certificate (the private and public key pair)?" with Yes and No buttons.]
Click
588. ...the USB Devices White List and select the Control as Type check box. To deny access to iPhone, set the No Access permission for the iPhone device type.

Method 2: To allow access to iPhone's camera, clear the Access control for USB scanners and still image devices check box in Security Settings. To deny access to iPhone, set the No Access permission for the USB port device type.

USB Devices Database
In the USB Devices Database dialog box you can add new devices to the database and edit existing records.
[Screenshot: USB Devices Database dialog box. The upper Available USB Devices list has Description and DeviceID columns and shows USB Mass Storage Device entries (a Device Model item with a Unique Device child); its controls are Add, Expand All, Collapse All, Remote Computer, Show all devices and Refresh. The lower USB Devices Database list has Description and Device Type columns and shows a Lexar Flash Drive entry (Unique Device); its controls are Show All Types, Load, Save, OK and Cancel.]

Before the device can be authorized in the white list, it must be added to the database. In the Available USB Devices list at the top of the dialog box you can see all devices available on the computer. Devices are displayed in the form of a simple tree, where the parent item represents Device Model and the child item represents Unique Device. If there is no Unique Device item, then this device does not have an assigned serial num
589. ...the date parameters to Records On, click in the From and To boxes to display the calendar. In the calendar, click to select the day. You can use single arrows (< >) to change what month you view and double arrows (<< >>) to change what year you view.
4. Click Search.

Working with Search Results
Working with search results involves the following:
• Interpreting search results
• Manipulating search results retrieved from the Shadow Log

Interpreting search results
After you enter search criteria and submit your search, Search Server returns the search results page, which looks like this:
[Screenshot: search results page with the statistics bar "Results 1-3 for customer" and three results. Each result shows 16:12:28, Success, vm2003server.testlabdc.com, Removable, Write, G:\Customer database.doc, 27.5 KB, TANYADC\Administrator, 2864, C:\WINDOWS\..., an expandable Log Parameters section (and, for the third result, Document Parameters), 9/28/2009 4:12:28 PM and the log name (Deleted Shadow Data Log for the first two, Shadow Log for the third, which also shows a size of 27 Kb and Open, Save and View links).]

The search results page is divided into the following viewing areas:
• Search query: displays the search criteria you en
590. ...the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols.
Under Protocols, do one of the following:
• Right-click Content Aware Rules, and then click Manage.
OR
• Select Content Aware Rules, and then click Manage on the toolbar.
The Content Aware Rules dialog box appears.
In the lower left pane of the Content Aware Rules dialog box, under Users, select the user or group to which the rule that you want to copy is applied. By selecting users or groups, you can view the Content Aware Rules applied to them under Rules in the lower right pane of the dialog box.
In the lower right pane of the Content Aware Rules dialog box, under Rules, right-click the rule you want to copy, and then click Copy or Cut. The rule you cut or copy is automatically copied to the Clipboard. You can use the CTRL+C, CTRL+X and CTRL+V key combinations to copy, cut and paste the rule. When you use the CTRL+X key combination to cut the rule, the rule will be cut only after you paste it. To perform a drag-and-drop operation, select the rule and move it to the user or group to which you want to apply the copied rule.
In the lower left pane of the Co
591. ...the specified number.
• Between: indicates that a rule associated with this content group is activated every time the number of matches returned by the regular expression is within the specified range.

Advanced: Quickly test your regular expression pattern on sample data. Click Advanced to display or hide the Test sample box.
Test sample: Enter a test string and view the result. DeviceLock supports real-time color highlighting of test results. All matches are highlighted in green, while strings that do not match the pattern are highlighted in red.

6. Click OK to close the Add Pattern Group dialog box.
The new content group you created is added to the existing list of content groups under Content Database in the upper pane of the Content Aware Rules dialog box.

Document Properties Content Groups
Document Properties groups are used to control access to files based on file properties such as file name, size, etc. You can also use a Document Properties content group to control access to password-protected documents and archives as well as text images.
Note: The AND logic is applied to all file properties specified within a Document Properties group. For example, if you want to control access to files larger than 5 megabytes (MB) in size and to password-protected documents and archives, you should create two separate Document Properties groups: one group for files larger than 5 MB in size and another group for password-protected documents and archives.
592. ...the target computers, you need to enter alternate credentials. DeviceLock Enterprise Manager will use these alternate credentials to automatically log in to the target computers. In all cases, credentials are stored with encryption techniques and are not available to anyone except the user with administrative privileges.
[Screenshot: context menu item "Set credentials for PRO".]
Credentials can also be supplied via the Credentials dialog box. To open the Credentials dialog box, click Credentials on the File menu.
[Screenshot: Credentials dialog box.]
Click Add to add new credentials. To change existing credentials, select the record in the list and click Change. To delete credentials, select the record in the list and click Delete. Using CTRL and/or SHIFT you can select and remove several records simultaneously.

Setting Port
You can instruct DeviceLock Enterprise Manager to use a fixed port, making it easier to configure a firewall. To do so, use Set Port from the context menu.
[Screenshot: context menu with Refresh Current Domain (Ctrl+F5) and Set Port for PRO.]
By default, DeviceLock Enterprise Manager uses dynamic ports for RPC communication with DeviceLock Service. However, if DeviceLock Service is configured to accept connections on a fixed port, select the Specify port option.
[Screenshot: Set Port for PRO dialog box.]
To use the dynamic ports binding, click Dynamic ports. DeviceLock Service can be configured to use either a fixed port or dynamic ports during t
593. ...these permissions for every device belonging to that type. It is impossible to set different permissions for two different devices if they are of the same type (for example, both are removable drives). To define different permissions for USB devices even if they are of the same type, use the White List function.

There are two levels of control: the interface (port) level and the type level. Some devices are checked at both levels, while others only at one level, either interface (port) or type. For more information on how access control works, please read the Managed Access Control section of this manual.

DeviceLock supports the following types of devices:
• BlackBerry (type level): includes all BlackBerry devices with any type of connection interface (USB, Bluetooth) to the computer.
• Bluetooth (type level): includes all internal and external Bluetooth devices with any type of connection interface (USB, PCMCIA, etc.) to the computer.
• Clipboard: includes the Windows Clipboard. DeviceLock controls paste operations for data placed on the clipboard.
• DVD/CD-ROM (type level): includes all internal and external CD/DVD devices (readers and writers) with any connection interface (IDE, SATA, USB, FireWire, PCMCIA, etc.).
• FireWire port (interface level): includes all devices that can be plugged into the FireWire (IEEE 1394) port, except the hub devices.
• Floppy (type level): includes
594. ...ticular search criteria. For detailed information about the search results page and search results, see Working with Search Results.

Extending DeviceLock Functionality with ContentLock and NetworkLock
DeviceLock comes with ContentLock and NetworkLock, separately licensed components that provide additional functionality for DeviceLock. These components are installed automatically but require a license to function. For more information on ContentLock and NetworkLock licenses, see Licensing.

NetworkLock adds comprehensive context control capabilities over endpoint network communications. It supports port-independent network protocol and application detection and selective blocking, message and session reconstruction with file, data and parameter extraction, as well as event logging and data shadowing. NetworkLock controls most popular network protocols and applications, such as: plain and SSL-protected SMTP email communications (with messages and attachments controlled separately); Web access and other HTTP-based applications, including content inspection of encrypted HTTPS sessions, specifically webmail and social networking applications like Gmail, Yahoo! Mail, Windows Live Mail, Facebook, Twitter, LiveJournal, etc.; instant messengers (ICQ/AOL, MSN Messenger, Jabber, IRC, Yahoo! Messenger, Mail.ru Agent); file transfers over FTP and FTP-SSL protocols; as well as telnet sessions. NetworkLock is represented in t
595. ...tifiers for remote users who are allowed to receive instant messages. If this list is specified, instant messages to these users will not be blocked. ICQ/AOL Messenger users are identified by numbers called UIN (for example, 111222, 23232323). Jabber users are identified by Jabber IDs in the following format: user@example.com. Mail.ru Agent users are identified by mail.ru e-mail addresses in the following format: user@mail.ru. Windows Messenger users are identified by e-mail addresses in the following format: user@example.com. Yahoo! Messenger users are identified by any of the following user ID types:
• Yahoo ID: <username> or <username>@yahoo.com
• Rocketmail: <username>@rocketmail.com
• Ymail: <username>@ymail.com
Multiple user identifiers must be separated by a comma or semicolon. You can also press ENTER after each entry.

Applies to the SMTP and Web Mail protocols. Specifies a list of allowed e-mail senders for this rule. If this list is specified, mail from these senders will not be blocked. Use the following format for a sender address: user@domain.com. You can use the asterisk (*) as a wildcard character to specify a group of recipients. You can add the asterisk before or after the at sign (@) in an e-mail address. For example, to allow mail delivery from all users in a domain, type *@domain.com. Multiple e-mail addresses must be separated by a comma or semicolon. You can also press
596. ...time-consuming operation. You can define a Content verification message to be displayed to users when content inspection is in progress. For detailed information on this message, see Content verification message in Service Options.
• When users try to read or write files to which they are denied read or write access, they receive a DeviceLock Content Aware blocked read or write message if Content Aware blocked read or write message is enabled in Service Options. For detailed information on these messages, see Content Aware blocked read message and Content Aware blocked write message in Service Options.

Content Aware Rules for Shadow Copy Operations
Before you can use Content Aware Rules for shadow copy operations, you must turn on Shadowing in Auditing and Shadowing at the device type level. Content Aware Rules that apply to shadow copy operations filter the shadow copies of files written by the user. The following table provides summary information on shadowing rights that can be specified in Content Aware Rules.

SHADOWING RIGHTS    DESCRIPTION
Generic: Write      Controls whether or not specified content written to a device is shadow copied. Applies to the Floppy, iPhone, Removable, Palm and Windows Mobile device types.
Generic: Print      Controls whether or not documents with specified content sent to printers are shadow copied. Applies to the Printer device type. DeviceLock extracts and analyzes text from PostSc
597. ...tings from the context menu in DeviceLock Management Console or DeviceLock Group Policy Manager, the computer's name information is ignored.
6. Press the Sign button to create a signed file with DeviceLock Service settings. Provide this file to the user in any suitable way.
The process of file signing can be a time-consuming operation. It depends on your computer's processing speed and could take as long as several seconds.
When the user wants to apply DeviceLock Service settings from this signed file, he/she should run the DeviceLock applet from the Control Panel and select the Import Service Settings option.
[Screenshot: Windows Control Panel in Classic View, showing the DeviceLock applet among the other applets.]
Note: On Windows XP and later, the user must switch the Control Panel to Classic View in order to view all available applets.
[Screenshot: DeviceLock applet: "This tool allows you to obtain temporary access to a device and load the signed file with new settings", with the Temporary White List Authorization Tool and Import Service Settings options and the prompt "Click Next below to be..."]
598. ...to Computers section of this manual.
• Reconnect: connects to the currently connected computer once again.
• Connect to Local Computer at Startup: check this flag to instruct DeviceLock Management Console to automatically connect to the local computer each time it starts up.
• Load Service Settings: loads previously saved settings from the XML file and applies these settings to the currently connected DeviceLock Service. You need to select the file that was created either by DeviceLock Service Settings Editor, DeviceLock Management Console or DeviceLock Group Policy Manager. Since the signature is not validated at this step, it can be either a signed or non-signed file.
• Save Service Settings: exports all settings from the currently connected DeviceLock Service to an external XML file. Later this file can be modified using DeviceLock Service Settings Editor and loaded via DeviceLock Management Console and/or DeviceLock Group Policy Manager. Also, this file can be sent to users whose computers are not online and thus out of reach via management consoles. To avoid unauthorized modification, the file should be signed with the DeviceLock Certificate (the private key) using the DeviceLock Signing Tool.
• Save & Sign Service Settings: exports all settings from the currently connected DeviceLock Service to an external XML file and automatically signs it with the most recent DeviceLock Certificate (the private key). This menu
599. ...to client computers has the Override Local Policy setting enabled. Please note that the Create MSI Package menu item is disabled when there is no Microsoft Windows Installer version 1.0 or later installed on the local computer.
DeviceLock Signing Tool: runs the special tool that allows you to grant users temporary access to requested devices and sign XML files with DeviceLock Service settings. For more information, please read the DeviceLock Signing Tool section of this manual.
About DeviceLock: displays a dialog box with information about the DeviceLock version and your licenses.

Service Options
These additional parameters allow you to tune up the DeviceLock Service configuration. Use the context menu available by a right mouse click on every parameter.
[Screenshot: DeviceLock Management Console with DeviceLock Service (Local) expanded and Service Options selected. The details pane lists parameters including DeviceLock Administrators, Auditing & Shadowing, Anti-keylogger, USB/FireWire blocked message, Expired message, Content Aware blocked read message, Content Aware blocked write message, Protocols blocked message, Content verification message and DeviceLock Enterprise Server(s).]
600. ...ton to select the file with a public key. To remove the public key, use the Remove button. Press the OK button to close the configuration dialog box and apply changes.

To install/remove the private key on/from DeviceLock Enterprise Server and DeviceLock Content Security Server, you can use DeviceLock Management Console (the MMC snap-in). You need to connect DeviceLock Management Console to the computer running DeviceLock Enterprise Server or DeviceLock Content Security Server. Use the context menu available by a right mouse click:
[Screenshot: DeviceLock Management Console context menu for DeviceLock Enterprise Server with the items Server Options, Reconnect, Connect to Last Used Server at Startup, Certificate Generation Tool, DeviceLock Signing Tool and About DeviceLock.]
Activate the Server Options item.
[Screenshot: Server Options in the details pane of DeviceLock Management Console, listing Server Administrators, DeviceLock certificate, Service startup account, TCP port, Database name, Connection type, SQL Server name, SQL Server login, Store path, Store shadow files in SQL Server and DeviceLock license(s).]
Double-c
601. ...tor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Protocols.
Under Protocols, do one of the following:
• Expand Content Aware Rules, right-click the user or group to which the rule is applied, and then click Delete user. When you delete a user or group, the rule associated with this user or group is automatically deleted.
OR
• Expand Content Aware Rules, and then select the user or group to which the rule is applied. In the details pane, right-click the rule associated with this user or group, and then click Delete.
OR
• Right-click Content Aware Rules, and then click Manage Offline. In the lower left pane of the Content Aware Rules (Offline) dialog box, under Users, select the user or group to which the rule is applied. In the lower right pane of the Content Aware Rules (Offline) dialog box, under Rules, select the rule, and then click Delete. You can select multiple rules that you want to delete by holding down the SHIFT key or the CTRL key while clicking them.

Undefining Offline Content Aware Rules
You can return the previously defined offline Content Aware Rules to the unconfigured state. If offline rules are undefined, regular rules are applied to offline client computers.
To undefine offline Content Aware Rules:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b.
602. ...tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, select Security Settings. When you select Security Settings in the console tree, they are displayed in the details pane.
In the details pane, right-click any Security Setting you want to undefine, and then click Undefine Offline. The Security Setting changes its offline state to Not Configured.

To undefine offline Security Settings collectively:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
Expand Devices.
Under Devices, do one of the following:
• Right-click Security Settings, and then click Manage Offline.
OR
• Select Security Settings, and then click Manage Offline on the toolbar.
OR
• Select Security Settings. In the details pane, right-click any Security Setting, and then click Manage Offline.
OR
• Select Security Settings. I
603. ...tributes, Create Shortcut and Copy File actions, file names and flags write to the audit log.
Audit Execute: Invoke and Execute actions, file names and function/procedure names write to the audit log.
Audit Read Non-files: Read Calendar, Read Contact, Read Favorite, Read E-mail, Read Attachment, Read Note, Read Task, Read Media, Read Pocket Access and Read Unidentified actions and object names write to the audit log.
Audit Write Non-files: Write Calendar, Delete Calendar, Write Contact, Delete Contact, Write Favorite, Delete Favorite, Write E-mail, Delete E-mail, Write Attachment, Delete Attachment, Write Note, Delete Note, Write Task, Delete Task, Write Media, Delete Media, Write Pocket Access, Delete Pocket Access, Write Unidentified and Delete Unidentified actions and object names write to the audit log.

DEVICE TYPE    RIGHTS
               • Audit Copy
               • Shadowing Write Print: files are written to the shadow log.
               • Shadowing Write Non-files: all data that contains non-file objects (Calendar, Contacts, Tasks, etc.) is written to the shadow log.

Note: Until either Audit Allowed or Audit Denied is selected for the device type, logging to the audit log is disabled for that device in spite of defined audit rules. Also, logging to the audit log is disabled for devices that are in the white list and for a whole class of devices if the access control for that class is turned off in Security S
604. ...ttings.dls. This settings file can be created using DeviceLock Management Console, DeviceLock Group Policy Manager and/or DeviceLock Service Settings Editor.

2. Misc
If you want to run a program (e.g. a batch file) after a successful install, you can specify the Run parameter, for example: Run C:\mybatchfile.bat
To suppress an automatic restart even if Setup needs it, set the DisableRestart parameter to 1.

Installation via Microsoft Systems Management Server
The unattended installation allows you to deploy DeviceLock Service using Microsoft Systems Management Server (SMS). Use the package definition files (DevLock.pdf for SMS version 1.x and DevLock.sms for SMS version 2.0 and later) supplied with DeviceLock, located in the sms.zip file.

Remote Installation via DeviceLock Management Console
DeviceLock Management Console (the MMC snap-in) supports remote installation to help system administrators set up a service on remote machines without ever having to physically go to them. When you're trying to connect to a computer where DeviceLock Service is not installed or is outdated, the management console suggests that you install or update it.
[Screenshot: DeviceLock prompt: "DeviceLock service does not exist on XPWIET. Do you want to install it?"]
Select the directory that contains all of the files needed for installation, such as DeviceLock Service.msi, DeviceLock Service x64.msi, DLRemoteInstaller.exe and InstMsiW.ex
605. ...u can create more informative messages for users.
• Blocked Message Text: the main text of the message. You can use the predefined macros described above within the text.

Expired message
You can define a custom message to be displayed to users when the allowed period for temporary white-listed devices is expired and devices have been removed from Temporary White List.
[Screenshot: Expired message dialog box for computer "xpvir" with the Enable Expired Message check box, Expired Message Caption "DeviceLock Security Subsystem", Expired Message Text "The allowed period for DEVICE (DRIVE) is expired. The device has been removed from Temporary White List." and a Restore Defaults button.]
To enable this custom message, select the Enable Expired Message check box. Also, you can define additional parameters such as:
• Expired Message Caption: the text to be displayed as a caption. You can use two predefined macros within the text:
  • DEVICE: inserts the name of the device (e.g. USB Mass Storage Device) received from the system.
  • DRIVE: inserts the drive letter of the storage device (e.g. F:). If the device doesn't have a letter, then this macro inserts an empty string.
  Using these macros you can create more informative messages for users.
• Expired Message Text: the main text of the message. You can use the predefined macros described above within the text.

Content Aware Blocked Read Message
You can define a Content Aware
606. ...uble arrow button.
   b. Click OK.

Users
Specifies users for the report. The User(s) box is not displayed in the Report Options dialog box for the Top active computers and Top active users report types. The User(s) box is empty by default. This means that the report will display data for all users in the DeviceLock Enterprise Server database.
To specify users for the report, do one of the following:
• In the User(s) box, specify user names using wildcards such as asterisks (*) and question marks (?). For example, if you specify mydomain, the report will display data for all users in mydomain.com. An asterisk replaces an unlimited number of characters. The question mark replaces a single character. You can use these wildcards in any position and in any quantity. Multiple user names must be separated by a comma or semicolon.
Note: You cannot specify user groups for the report.
OR
• Click Browse next to the User(s) box, and then do the following:
  a. In the Select Users dialog box that opens, in the Enter the object names to select box, type the user account names that you want to specify for the report. Multiple user names must be separated by a semicolon.
  b. Click OK.

Threshold
Specifies the time interval in seconds between logged events. This interval is used for event consolidation. It appears for all report types in the Audit Log report category, except the Top inserted U
607. ...uble-click TCP port, or right-click TCP port and then click Properties. The DeviceLock Content Security Server dialog box appears.
4. In the DeviceLock Content Security Server dialog box, in the Connection Settings area, do one of the following:
• Click Dynamic ports to configure DeviceLock Content Security Server to use a dynamic port.
OR
• Click Fixed TCP port to configure DeviceLock Content Security Server to use a static port. Next, type the port number in the Fixed TCP port box. By default, DeviceLock Content Security Server communicates over TCP port 9134.
5. Click OK.

Configuring Full-Text Search Settings for Search Server
Full-text search settings are related to full-text search and apply only to the Search Server component of DeviceLock Content Security Server. During the installation of DeviceLock Content Security Server, you can only install the Search Server licenses. Use DeviceLock Management Console to define the full set of Search Server configuration options. With DeviceLock Management Console you can perform the following configuration tasks:
• Install the required number of Search Server licenses.
• Specify DeviceLock Enterprise Server(s) whose data will be indexed for full-text search.
• Specify the location of the full-text index.
• Allow or disallow the index to include textual information from binary data.
• Configure the full-text indexing schedule.
608. ue in the Server column of the server's Monitoring Log Viewer.
- Record N: the record number. This value matches the value in the Record N column of the server's Monitoring Log Viewer.
- Document Properties: summary information retrieved from the document properties for this search result. This information is retrieved randomly and is displayed only for shadow copies. Click the plus sign (+) to expand Document Properties and view this information. This information is different depending on the file type. For example, the following information is displayed in Document Properties for a shadow copy of a Word document:
  - Application: Microsoft Office Word
  - Author: the name of the user who created the document
  - Created: the date and time when the document was created
  - LastSaved: the date and time when the document was last saved
  - LastSavedBy: the name of the user who last saved the document
  - RevisionNumber: the number of times the document has been saved
  - Template: the name of the template attached to the document
  - Title: the name of the document
  - TotalEditingTime: the number of minutes that the document has been opened for making changes since it was created
- The date and time when the log entry was created.
- The size of the log entry. This value is displayed only for shadow copies retrieved from the Shadow Log.
- The name of the log in which matches of the query occurred.
609. ular Profile)

Table (continued). Columns: FULL ACCESS (device type level) | NO ACCESS (device type level) | ALLOW READ / DENY WRITE (device type level)

End of the preceding row:
- FULL ACCESS: ... deletion and renaming of empty folders and zero-byte (0) files
- NO ACCESS: ... of empty folders and zero-byte (0) files
- ALLOW READ / DENY WRITE: ... renaming of empty folders and zero-byte (0) files

Row: DENY READ / ALLOW WRITE (file level)
- FULL ACCESS: denies read access to specified content; allows write access to all content; allows creation, deletion and renaming of empty folders and zero-byte (0) files
- NO ACCESS: denies read access to all content; denies write access to all but specified content; allows creation, deletion and renaming of empty folders and zero-byte (0) files
- ALLOW READ / DENY WRITE: denies read access to specified content; denies write access to all but specified content; allows creation, deletion and renaming of empty folders and zero-byte (0) files

Note: If the No Access permission is set for a device type and there is a Content Aware Rule that allows write access to certain content for the same device type, the Traverse Folder permission is granted to users for this device type. The Traverse Folder permission allows the user to move through folders and see files and folders located in subdirectories, even if the user has no Read permission for the traversed folders.

When using Content Aware Rules, consider the following:
- If Content Aware Rules are defined for both devices and protocols, all access checks are executed in one thread.
- Content Aware Rules with Deny settings take pri
610. ule is applied. In the lower-right pane of the Content Aware Rules dialog box, under Rules, select the rule and then click Delete, or right-click the rule and then click Delete. You can select multiple rules that you want to delete by holding down the SHIFT key or the CTRL key while clicking them.

Content Aware Rules for Protocols (Regular Profile)

Content Aware Rules extend the protocol access control functionality of DeviceLock by adding comprehensive content-level protection of corporate data containing confidential company information. Content Aware Rules enable automatic content inspection of data files transmitted over the network, detection of sensitive content, and enforcement of regulatory policies to ensure protection. With Content Aware Rules you can selectively allow or deny access to specific content transmitted over the network, regardless of preset permissions at the protocol level. You can also use Content Aware Rules to allow or deny shadow copying of specific content. For flexibility, Content Aware Rules can be defined on a per-user or per-group basis. You can configure Content Aware Rules to apply to access control operations, to shadow copy operations, or both. The following examples illustrate the use of Content Aware Rules:
- Example 1: Using Content Aware Rules for access control operations. You can prevent certain users or groups from uploading files con
611. ults in percentages. This report shows the number of read and write access requests per device type. The report provides data only for the Floppy, iPhone, Removable, Hard disk, DVD/CD-ROM, Tape, Windows Mobile and Palm device types. The report consists of three sections: the Report Header, Report Parameters and Report Results. The Report Header section contains the report title that appears at the very beginning of the report; the report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes:
- Period (from, to): Shows the start and end date and time of the report period for which data is displayed. The date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running.
- Access Type(s): Shows the event types that were specified for the report.
- Computer(s): Shows the computers that were specified for the report.
- User(s): Shows the users that were specified for the report.
The Report Results section contains a table and a chart that show detailed results of the report. The table has the following columns:
- Device Type: Shows a device type.
- Read: Shows the number of read access requests.
- Write: Shows the number of write access requests.
The table also has a Total row that sums up all the values in the Read and Write co
612. upports Resultant Set of Policy, so you can use the standard Windows snap-in to view the DeviceLock policy currently being applied, as well as to predict what policy would be applied to a chosen computer. To use RSoP you should start MMC and add the Resultant Set of Policy snap-in manually:
1. Run mmc from the command line, or use the Run menu to execute this command.
2. On the File menu, click Add/Remove Snap-in.
[Screenshot: MMC Console window, File menu, with Add/Remove Snap-in selected ("Adds or removes individual snap-ins")]
3. Click the Standalone tab and then click Add.
4. Select Resultant Set of Policy from the list, then click Add.
[Screenshot: Add Standalone Snap-in dialog listing the available standalone snap-ins, including Resultant Set of Policy (Microsoft Corporation)]
613. user account used to run the DeviceLock Enterprise Server service doesn't have full access to files by this path.
- CREATE DATABASE permission denied in database 'name': the user's account (login) used to connect to SQL Server doesn't have enough privileges to create the database. The login should have at least the dbcreator Server role (see Server Roles in Login Properties of Microsoft SQL Server Management Studio).
- The server principal 'user_name' is not able to access the database 'name' under the current security context: the user's account (login) used to connect to SQL Server doesn't have access to the existing database. The login should be mapped to this database (see User Mapping in Login Properties of Microsoft SQL Server Management Studio).
- SELECT permission denied on object 'name', database 'name', schema 'name': the user's account (login) used to connect to SQL Server doesn't have read/write access to the existing database. The login should have at least the db_datareader and db_datawriter Database roles (see User Mapping in Login Properties of Microsoft SQL Server Management Studio).
- Invalid object name 'name': the database specified in the Database name parameter already exists in this SQL Server but has an incorrect format. It happens when you are trying to use a database that was not created by DeviceLock Enterprise Server, or if the database was corrupted.
- DeviceLock Database has
614. user actions are allowed or disallowed on files, and which user actions are logged to the shadow log. You can select any of the following options: Read, Write, Read and Write. If the rule applies to shadow copy operations, or to both access control and shadow copy operations, the Read option becomes unavailable. For detailed information on user rights that can be specified in Content Aware Rules, see Content Aware Rules for Access Control Operations and Content Aware Rules for Shadow Copy Operations. Click OK. The rule you created is displayed under Rules in the lower-right pane of the Content Aware Rules (Offline) dialog box.
13. Click OK or Apply to apply the rule.
The users or groups to which the Content Aware Rule applies are displayed under Content Aware Rules in the console tree. When you select a user or group to which a Content Aware Rule applies in the console tree, in the details pane you can view detailed information regarding this rule. This information includes the following:
- Description: The name of the rule. By default, the rule has the same name as the specified content group.
- Type: The type of the content analysis. Possible values: File Type Detection, Keywords, Pattern, Document Properties, and Complex. File Type Detection indicates that recognition and identification of files is based on their characteristic signatures. Keywords indicates that recognitio
615. ussian BIC
- Russian Car Numbers
- Russian Classification of Economic Activities
- Russian Classification of Enterprises and Organizations
- Russian Driver's License Number
- Russian Health Insurance Number
- Russian International Passport
- Uniform Resource Locator (URL)
- US Date
- US Phone Number
- US Social Security Number
- US Zip Code
- VIN

With built-in content groups you can quickly create and apply rules without having to define your own content groups.
Note: You can view regular expression patterns that are included in the built-in Pattern content groups, but you cannot edit or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups.

Creating Custom Pattern Groups

You can define Content Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom Pattern content groups enable you to specify any pattern that you want to use to identify sensitive information within text data.

To create a custom Pattern group:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use Dev
616. ut of reach via management consoles.
[Screenshot: DeviceLock Signing Tool, Service Settings tab, showing the Certificate Name, Unsigned file, Signed file and Valid until fields]
There are six simple steps to signing an XML file:
1. Load the corresponding DeviceLock Certificate (see above).
2. Load the file with DeviceLock Service settings you need to sign. The full path to this file must be specified in the Unsigned file field. You can use the button to select the file. The XML file with DeviceLock Service settings can be created using Save Service Settings from the context menu in DeviceLock Management Console, DeviceLock Group Policy Manager or DeviceLock Service Settings Editor.
3. In the Signed file field, specify the resultant file. You can use the button to select the folder where this file will be created.
4. Decide whether the resultant file should contain expiration information or not. If you want to allow users to import settings from this file without any time limitations, disable the Valid until flag. If you enable the Valid until flag and specify the date/time, then the expiration information is written to the resultant file and users can import settings from this file only before the specified date/time. Please note that this param
617. uti [Screenshot: list of available snap-ins (Microsoft and VERITAS, Microsoft Corporation); the DeviceLock entry is described as "This snap-in allows you to configure DeviceLock settings"]

Interface

DeviceLock Management Console has a user-friendly, easy-to-use standard interface provided by Microsoft Management Console (MMC). At any time you can press the F1 key to get context-specific help.
[Screenshot: DeviceLock Management Console window with DeviceLock Service and DeviceLock Enterprise Server shown in the console tree]
DeviceLock Management Console consists of a window divided into two panes. The left pane contains the console tree; the right pane contains details. When you select an item in the console tree, information about that item is displayed in the details pane.
There are three independent parts in DeviceLock Management Console:
1. DeviceLock Service: allows you to connect to and manage DeviceLock Services running on remote and local computers.
2. DeviceLock Enterprise Server: allows you to connect to and manage DeviceLock Enterprise Servers running on remote and local computers.
3. DeviceLock Content Security Server: allows you to connect to and manage DeviceLock Content Security Servers running on remote and local computers.

Connecting to Computers

First of all, you should connect to the computer where DeviceLock Service or Dev
618. [Screenshot: DeviceLock Management Console, server's Audit Log Viewer, listing Success events dated 12/16/2010 and 12/17/2010 for Service Options, Audit & Shadow Options, Server Options and Permissions]
There is not much difference between the service's audit log viewer and the server's audit log viewer, so first read the Audit Log Viewer (Service) section of this manual. In comparison with the service's audit log viewer, the server's viewer has the following additional columns:
- Computer: the name of the computer from which audit logs were received.
- Event: a number identifying the particular event type.
- Received Date/Time: the date and the time when an event was received by DeviceLock Enterprise Server.

Audit Log Settings (Server)

To define a maximum log size and what DeviceLock Enterprise Server should do if the audit log becomes full, use Settings from the context menu of Audit Log Viewer.
[Screenshot: Audit Log Settings dialog. Control log size: Maximum log size (10000 records). When maximum log size is reached: Overwrite events as needed / Overwrite events older than N days / Do not overwrite events (clear log manually). Restore Defaults button.]
Note: The
619. ve at least Read-only access rights to these services. If this task also needs to write some settings to monitored DeviceLock Services, then DeviceLock Enterprise Server requires Full access rights to these services. To connect to monitored DeviceLock Services, DeviceLock Enterprise Server uses the credentials of the account under which its service started. It can also use DeviceLock Certificate authentication if a private key is specified. For more information, see the description of the parameters Log on as and Certificate Name.
- Verify Service Settings: select this check box if you want to verify policy integrity for DeviceLock Services running on monitored computers.
- Service Settings file: to assign the master policy to the task, you should load the XML file with service settings (the master policy file). This master policy file can be created using DeviceLock Management Console, DeviceLock Group Policy Manager and/or DeviceLock Service Settings Editor. During the policy verification process, DeviceLock Enterprise Server downloads the policy from each monitored DeviceLock Service and compares it with the master policy assigned to this task. All unconfigured parameters (those which have the Not Configured state in the master policy) are ignored during the policy verification process. Using this feature you can monitor the integrity of only the most important parameters and allow other parameters to be ch
620. ved files are not analyzed, and access to the archive is denied only if any one of the following conditions is true:
- There is a Deny Content Aware Rule.
- Permissions set for the device type or protocol deny access.
All nested archives are also unpacked and analyzed one by one. Archive files are detected by content, not by extension. The following archive formats are supported: 7z (.7z), ZIP (.zip), GZIP (.gz, .gzip, .tgz), BZIP2 (.bz2, .bzip2, .tbz2, .tbz), TAR (.tar), LZMA (.lzma), RAR (.rar), CAB (.cab), ARJ (.arj), Z (.z, .taz), CPIO (.cpio), RPM (.rpm), DEB (.deb), LZH (.lzh, .lha), CHM (.chm, .chw, .hxs), ISO (.iso), UDF (.iso), COMPOUND (.msi), WIM (.wim, .swm), DMG (.dmg), XAR (.xar), HFS (.hfs), NSIS (.exe). Split (multi-volume) and password-protected archives are not unpacked.

Text in picture detection. The text-in-picture detection technology allows you to classify all images into two groups, text images (images that contain text, for example scanned documents or screen shots of documents) and non-text images (images that do not contain text), and separately control access to each group. For example, you can allow certain users to copy non-text images to devices but prevent them from writing text images, thus preventing leakage of sensitive information within image files. The following image files are supported: BMP files, Dr. Halo CUT files, DDS files, EXR files, Raw Fax G3 files, GIF files, HDR files, ICO files, IFF files, e
621. vice.
[Screenshot: DeviceLock warning "You have denied everyone access to Floppy. No one will be able to access Floppy. Do you wish to continue?" with Yes/No buttons]
Even if you deny access to hard disks, users with local administrative privileges (the SYSTEM user and members of the local Administrators group) still can access the partition where Windows is installed and running. We recommend that you add only those accounts (users and/or groups) to the list which should be able to access a device. If the accounts list is empty (contains no records at all), then no one can access a device. Also, it is recommended to add the SYSTEM user with full access to hard disks and DVD/CD-ROMs. On some systems, users may receive the following message when they log in:
[Screenshot: Messenger Service message "ADMINISTRATOR ALERT: Failed to configure a CdRom drive device. Check event log for details."]
It means that the SYSTEM user cannot access DVD/CD-ROM. To avoid this message, set the full access right for SYSTEM on DVD/CD-ROM.

Auditing & Shadowing (Regular Profile)

There is a list of device types for which you can define user-level audit and shadowing rules.
[Screenshot: DeviceLock Management Console, DeviceLock Service console tree with Service Options]
622. vice Consoles. Setup may suggest that you load the DeviceLock license files. If you don't have the license files, click Cancel to install DeviceLock in a 30-day trial mode.
[Screenshot: "Select the DeviceLock license file(s)" dialog: choose a directory with the licence file(s) for DeviceLock, or press Cancel to install a 30-day trial version]
[Screenshot: Setup page "Lock Devices" with "Lock automatically" check boxes for device types (Floppy drives, Tape devices, Removable devices, USB ports, Infrared ports, Serial ports, FireWire ports, WiFi (802.11) adapters, Printers), a "Create local groups" option, and a Security Settings list (access control for USB HID (mouse, keyboard, etc.), USB printers, USB scanners and still image devices, USB Bluetooth adapters, USB storage devices, USB and FireWire network cards, FireWire storage devices, serial modems (internal and external), virtual CD-ROMs (Windows 2000 and later), virtual printers (Windows 2000 and later), inter-application copy/paste clipboard op ...)]
623. vice is running.

Open / Save / Export

DeviceLock Enterprise Manager can store all information received from plug-ins. The data is saved to external files and is ready for loading into DeviceLock Enterprise Manager when requested. There are three ways to save and load data:
1. The handiest method to store received information is to save it as a project. When you are saving data as a project, DeviceLock Enterprise Manager saves each active plug-in's window to a separate file of its own format and places this file in the Project subdirectory. The names of the project's files are auto-generated and depend on the plug-in's names and the date and time when the scan was started. To save the data as a project, you can select Save Project from the File menu or press the appropriate button on the Main toolbar.
[Screenshot: Open Project dialog listing saved Audit Log Viewer, Report Permissions/Auditing, Report PnP Devices and Shadow Log Viewer projects (dated 2006), grouped by plug-in or by date, with Filter, Refresh, View Mode (Enable Grid) and Delete project(s) options]
To load previously saved projects, select Open Project from the File menu. The O
624. viceLock Functionality with ContentLock and NetworkLock section.
Detect and control access to images based on whether or not they contain text. If you select the Contains text check box for a Document Properties group and then create a complex Content Aware Rule based on this content group and the built-in Images, CAD & Drawing content group (File Type Detection) combined by the AND operator, this rule will check whether supported image files contain text and control access to text images. Clear the Contains text check box if you do not want to detect and control access to text images. For information on the supported image files, see the description of the Text in picture detection feature. If you select the Contains text check box, specify the amount of text that images must contain. The amount of text is expressed as a percentage of the total image area. For example, if text occupies 1/2 of the image, the amount of text makes 50%. If an image contains only text, the amount of text is 100%.
Note: The Contains text option also applies to other supported file formats. In this case the percentage means the ratio of the text size (in characters) to the file size (in bytes).

USE THIS | TO DO THIS
Accessed by process | Specify the name of the process accessing the document's file. You can use wildcards such as asterisks and question marks. Multiple process names must be
625. viceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, do one of the following:
- Right-click Content Aware Rules, and then click Save.
OR
- Select Content Aware Rules, and then click Save on the toolbar.
OR
- Expand Content Aware Rules, right-click any user or group to which the rule is applied, and then click Save.
OR
- Expand Content Aware Rules, and then select any user or group to which the rule is applied. In the details pane, right-click the rule, and then click Save.
OR
- Expand Content Aware Rules, select any user or group to which the rule is applied, and then click Save on the toolbar.
OR
- Right-click Content Aware Rules, and then click Manage. In the lower-right pane of the Content Aware Rules dialog box, under Rules, click Save.
The Save As dialog box appears.
4. In the Save As dialog box, in the Save in box, browse to the location
626. viceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
- Right-click White List, and then click Manage.
OR
- Select White List, and then click Manage on the toolbar.
The Protocols White List dialog box appears.
[Screenshot: Protocols White List dialog with a Users pane and a Rules pane (Description, Protocol, Extra parameters columns)]
4. In the left pane of the Protocols White List dialog box, under Users, click Add. The Select Users or Groups dialog box appears.
5. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the Protocols White List, and then click OK. The users and groups that you added are displayed under Users in the left pane of the Protocols White List dialog box. To delete a user or group, in the left pane of the Protocols White List dialog box, under Users, select the user or group, and then click Delete.
6. In the left pane of the Protocols White List dialog box, under Users, select the user or group. You can select multiple users or groups by holding down the SHIFT key or the CTRL k
627. viceLock provides you with the ability to block the inheritance of higher-level offline Content Aware Rules and enforce regular Content Aware Rules on specific lower-level groups of client computers. To enforce regular Content Aware Rules, you must remove offline Content Aware Rules.
To remove offline Content Aware Rules:
1. If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, right-click Content Aware Rules, and then click Remove Offline.
The offline state of Content Aware Rules changes to Use Regular. When you select Content Aware Rules in the console tree, in the details pane the following message is displayed: "Offline Content Aware Rules are configured to use Regular Content Aware Rules." The Use Regular state of DeviceLock settings is displayed as Not Configured in DeviceLock Management Console.

Managing Offline Security Settings

For a detailed description of the Security Settings feature, see Security Settings (Regular Profile). Offline Security Settings can have one of the following states:
STATE: Not Configured | Enabled | Disabled | Use Regular
628. vidual computers. Also, DeviceLock Management Console is used for viewing logs stored on DeviceLock Enterprise Server, running search queries on DeviceLock Content Security Server, and for managing these servers. DeviceLock Management Console should be used on the computer from which the administrator is managing DeviceLock Services, DeviceLock Enterprise Servers and DeviceLock Content Security Servers on the network. For information on how to install DeviceLock Management Console, please read the Installing Management Consoles section of this manual. To run DeviceLock Management Console, select the appropriate shortcut from the Programs menu, available by clicking the Windows Start button.
[Screenshot: Windows Start menu, All Programs > DeviceLock, showing the shortcuts Certificate Generation Tool, DeviceLock Enterprise Manager, DeviceLock Enterprise Manager Help, DeviceLock Management Console, DeviceLock Management Console Help, DeviceLock Manual, Frequently Asked Questions, How to Register, License Agreement, Read Me, Remove DeviceLock, Technical Support and Temporary White List Administration Tool]
629. vidually:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Service Settings Editor, do the following:
   a. Open DeviceLock Service Settings Editor.
   b. In the console tree, expand DeviceLock Service.
   If you use DeviceLock Group Policy Manager, do the following:
   a. Open Group Policy Object Editor.
   b. In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Devices.
3. Under Devices, select Security Settings. When you select Security Settings in the console tree, they are displayed in the details pane.
In the details pane, right-click any Security Setting, and then click Enable Offline. The Security Setting changes its offline state from Not Configured to Enabled. Once you have enabled a particular Security Setting, you can disable it. To do so, right-click the enabled Security Setting, and then click Disable Offline. The Security Setting changes its offline state from Enabled to Disabled.
To define and change offline Security Settings collectively:
1. If you use DeviceLock Management Console, do the following:
   a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
   b. In the console tree e
630. views or change any of your installation settings, click Back. Click Cancel to exit the wizard.
[Screenshot: Setup wizard page with the "Add DeviceLock shortcuts to the desktop" check box]
If you selected to install DeviceLock management consoles as well, Setup may suggest that you generate a new DeviceLock Certificate.
[Screenshot: DeviceLock Setup prompt "Do you want to create the new DeviceLock Certificate (the private and public key pair)? Click No if you already have DeviceLock Certificate and you don't need to create the new key pair."]
You can always generate the new DeviceLock Certificate later, using the Certificate Generation Tool installed with DeviceLock management consoles. Hence, if at this step you are not sure whether you need the new certificate or not, just press the No button and continue the installation. For more information on DeviceLock Certificates, see DeviceLock Certificates.
If Setup detects that MS SQL Server is not running on the local computer but its installation package is available, Setup suggests that you run the MS SQL Server installation.
[Screenshot: DeviceLock Setup prompt "SQL Server is not running on the local computer. Do you want to install it?"]
If you don't want to install MS SQL Server on the local computer, or it is already installed but just not started, press the No button. During the installation process you must configure DeviceLock Enterprise Server and define its main settings using the special wizard. If you are installing an upgrade
631. ware blocked read message is as follows: "You do not have permissions to read FILENAME. Please contact your system administrator", where FILENAME is the path and file name of the file to be inserted.
Restore the default settings.
For a detailed description of the Content Aware Rules feature, see Content Aware Rules for Devices (Regular Profile) and Content Aware Rules for Protocols (Regular Profile).

Content Aware Blocked Write Message

You can define a Content Aware blocked write message (notification balloon) to be displayed to users when they try to write a file to which they are denied access. This message balloon is shown in the notification area of the taskbar on client computers. By default, DeviceLock displays the Content Aware blocked write message. To enable or disable the Content Aware blocked write message, right-click Content Aware blocked write message and then click Properties, or double-click Content Aware blocked write message.
[Screenshot: Content Aware blocked write message dialog (Computer Name: Local Computer) with the Enable Content Aware Blocked Message check box, Blocked Message Caption "DeviceLock Security Subsystem", Blocked Message Text "You do not have permissions to write FILENAME. Please contact your system administrator", and a Restore Defaults button]
In the Content Aware blocked write message dialog box, do the following:
USE THIS | TO DO THIS
Enable Content Aware Blocked Message
Blocked Message Caption
632. well as text images. Note: The AND logic is applied to all file properties specified within a Document Properties group. For example, if you want to control access to files larger than 5 megabytes (MB) in size and to password-protected documents and archives, you should create two separate Document Properties groups: one group for files larger than 5 MB in size and another group for password-protected documents and archives. If you specify these file properties within the same Document Properties group and then create a Content Aware Rule based on this content group, this rule will control password-protected documents and archives that are larger than 5 MB. There are no predefined (built-in) Document Properties content groups to use. The following procedure describes how to create your own Document Properties group. To create a Document Properties group: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. 2. Expand Protocols. 3. Under Protocols, d
633. wnloaded to the Palm when users synchronize. With built-in content groups you can quickly create and apply rules without having to define your own content groups. Note: You can view file type definitions that are included in the built-in File Type Detection groups, but you cannot edit or delete them. For information on how to view the built-in content groups, see Viewing Built-in Content Groups. Creating Custom File Type Detection Groups: You can define Content Aware Rules based on your own custom content groups if the predefined content groups included with DeviceLock do not meet your requirements. Custom File Type Detection content groups enable you to specify any file types that you want in the same group to better meet your individual business needs. For example, suppose you need to grant certain users access to Word, Excel, PDF documents and graphic files. To do this, first you create a new File Type Detection content group that represents these document content types. Then you define a rule based on this custom content group. To create a custom File Type Detection group: 1. If you use DeviceLock Management Console, do the following: a. Open DeviceLock Management Console and connect it to the computer running DeviceLock Service. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLo
634. work shared resource (e.g. \\server\dlstore) that will be used as storage. Make sure that the user account used to run the DeviceLock Enterprise Server service has full access to this network resource. Note: It is recommended to store binary data on the disk. Press the Next button to apply changes and proceed to the last page. (DeviceLock Enterprise Server wizard log: store path %SystemRoot%\DLSTORE: OK; Connecting to SQL Server; Creating the database; The database creation completed successfully.) It takes some time to create the database specified in Database name if it does not exist on this SQL Server yet. If the database already exists and it has the proper format (i.e. was created by DeviceLock Enterprise Server), then DeviceLock Enterprise Server keeps all existing data and uses this database. Note: If necessary, DeviceLock automatically updates the database to the latest version. If some parameters on the previous wizard's page were specified incorrectly, you may see one of these errors: (2) The system cannot find the file specified: you've configured DeviceLock Enterprise Server to store binary data on the disk, but the path specified in Store path is incorrect. If you've specified the shared network resource, then it is possible that this network resource is not accessible. Failed to verify store path: (5) Access is denied: the path specified in the Store path parameter is correct, but the
635. ws the most frequently used USB devices sorted according to the number of the allowed and denied access requests. By default the report lists the first 10 devices, but you can specify any number of devices. The report consists of three sections: the Report Header, Report Parameters and Report Results. The Report Header section contains the report title that appears at the very beginning of the report. The report title shows the report type. The Report Parameters section contains information on the report parameters you specify when generating the report. This information includes: Period from / to: shows the start and end date and time of the report period for which data is displayed (the date/time format for the Period from and to fields is determined by the date/time format for the user account under which DeviceLock Enterprise Server is running); Computer(s): shows the computers that were specified for the report; User(s): shows the users that were specified for the report. The Report Results section contains two tables with detailed results of the report. Table 1 lists the top N (where N is a specific number) USB devices having allowed access. Table 2 lists the top N (where N is a specific number) USB devices having denied access. These tables have the following columns: Device Name: shows a device name; Access Count: shows the number of access requests (values in this column are sorted in descending order).
636. x you can also select Security Settings and then click Manage on the toolbar. Undefining Security Settings: If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent Security Settings defined for protocols from being applied to a specific group of client computers. To do so, you need to return the previously defined Security Settings to the unconfigured state. All undefined DeviceLock settings are ignored by client computers. To undefine Security Settings: 1. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, right-click DeviceLock Settings or DeviceLock Service and then click Load Service Settings to open the XML file with defined DeviceLock policies. c. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. 2. Expand Protocols. 3. Under Protocols, select Security Settings. When you select Security Settings in the console tree, they are displayed in the details pane. 4. In the details pane, right-click the Security Setting you want to undefine and then click Undefine. DeviceLock Reports: DeviceLock lets you create reports u
637. xcept Maya IFF files, JBIG/JNG files, JPEG/JIF files, JPEG 2000 File Format, JPEG 2000 codestream, KOALA files, Kodak PhotoCD files, MNG files, PCX files, PBM/PGM/PPM files, PFM files, PNG files, Macintosh PICT files, Photoshop PSD files, RAW camera files, Sun RAS files, SGI files, TARGA files, TIFF files, WBMP files, XBM files, XPM files. Inspection of images embedded in documents: allows you to perform deep inspection of each individual image embedded in Adobe Portable Document Format (PDF) files, Rich Text Format (RTF) and Microsoft Office documents (.doc, .xls, .ppt, .docx, .xlsx, .pptx). All embedded images are extracted from these documents to the Temp folder of the System user and analyzed independently from text to detect the content to which access is denied by Content Aware Rules. The text contained inside documents is checked by Content Aware Rules that are created based on Keywords, Pattern or Complex content groups. Embedded images are checked by Content Aware Rules that are created based on File Type Detection, Document Properties or Complex content groups. Access to documents is granted only when Content Aware Rules allow access to text and all of the images contained in documents. Licensing: If you want to use the capabilities of NetworkLock and ContentLock, you must purchase NetworkLock and ContentLock licenses in addition to basic DeviceLock licenses. A NetworkLock license enables you to use the Protocols featur
638. xpand DeviceLock Service. If you use DeviceLock Service Settings Editor, do the following: a. Open DeviceLock Service Settings Editor. b. In the console tree, expand DeviceLock Service. If you use DeviceLock Group Policy Manager, do the following: a. Open Group Policy Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. 2. Expand Devices. 3. Under Devices, do one of the following: right-click Security Settings and then click Manage Offline; OR select Security Settings and then click Manage Offline on the toolbar; OR select Security Settings, and in the details pane right-click any Security Setting and then click Manage Offline; OR select Security Settings, and in the details pane select any Security Setting and then click Manage Offline on the toolbar. When you select Security Settings in the console tree, they are displayed in the details pane. The Security Settings (Offline) dialog box appears. (Security Settings (Offline) dialog: Access control for USB HID (mouse, keyboard, etc.); Access control for USB printers; Access control for USB Bluetooth adapters; Access control for USB and FireWire network cards; Access control for USB scanners and still image devices; Access control for serial modems (internal & external); Access control for USB storage devices; Access control for virtual DVD/CD-ROM, Windows 2000
639. y Object Editor. b. In the console tree, expand Computer Configuration and then expand DeviceLock. 2. Expand Protocols. 3. Under Protocols, select Auditing & Shadowing. When you select Auditing & Shadowing in the console tree, in the details pane you can view protocols for which you can define audit and shadowing rules. 4. In the details pane, right-click the protocol whose rules you want to undefine and then click Undefine. You can undefine rules for multiple protocols at the same time. To do this, do the following: a. In the details pane, select multiple protocols by holding down the SHIFT key or the CTRL key while clicking them. b. Right-click the selection and then click Undefine. Managing Protocols White List: The Protocols White List lets you selectively allow network communication over any supported protocol regardless of existing protocol blocking settings. The white list is most effective in least-privilege scenarios, when you block all protocol traffic and then specifically authorize only what is required for employees to perform their daily job duties. For example, suppose that you deny all users access to the SMTP and Web Mail protocols and then use the white list to let certain users send mail to specific e-mail addresses so that the users can perform their job tasks. By applying these security policies, you can minimize potential risks of data leakage, theft and misuse. Note: Audit and shadow copying are not pe
640. y Server and run the same search queries on every Search Server in order to get the complete result set from all the data stored on all DeviceLock Enterprise Servers. We strongly recommend that you exit all Windows programs before you start Setup. Step 2: Start the installation. Use this procedure to begin the installation process. To start the installation: 1. Open the DeviceLock zip file and then double-click the setup_dlicss.exe file to start the Setup program. You must run the Setup program on each computer on which you want to install DeviceLock Content Security Server. 2. Follow the instructions in the Setup program. 3. On the License Agreement page, read the License Agreement and then click "I accept the terms in the license agreement" to accept the licensing terms and conditions and proceed with the installation. 4. On the Customer Information page, type your user name and organization and then click Next. 5. On the Destination Folder page, accept the default installation location or click Change to modify the path as needed. Click Next. The default installation directory is %ProgramFiles%\DeviceLock Content Security Server. 6. On the Ready to Install the Program page, click Install to begin the installation. The DeviceLock Content Security Server wizard starts. If you are installing an upgrade or just re-installing DeviceLock Content Security Server and want to keep its current configuration, you do n
641. y user or group specified in the white list. In the details pane, right-click the white list rule and then click Load; OR expand White List, select any user or group specified in the white list and then click Load on the toolbar; OR right-click White List and then click Manage. In the right pane of the Protocols White List dialog box, under Rules, click Load. The Open dialog box appears. 4. In the Open dialog box, in the Look in list, click the location that contains the file you want to import. In the folder list, locate and open the folder that contains the file. Click the file and then click Open. If the Protocols White List is already defined and you choose to import a new white list, the following message box is displayed: (DeviceLock prompt: "Do you want to overwrite existing records?" with the buttons Yes (Overwrite) and No (Append).) In the message box, click Yes to overwrite the existing white list. Click No to append a new white list to the existing white list. Undefining Protocols White List: If you deploy DeviceLock policies using DeviceLock Group Policy Manager or DeviceLock Service Settings Editor, in some situations you may want to prevent the Protocols White List from being applied to a specific group of client computers. To do so, you need to return the previously defined white list to the unconfigured state. All undefined DeviceLock settings are ignored by client computers. To undefine the Protocols White List: 1. If you use Devic
642. ysis and blocks any user attempt to copy the data. Audit log type: Using this parameter, you can define what log should be used to store audit records. (Audit Log Type dialog: Computer Name; Type: Event Log / DeviceLock Log / Event & DeviceLock Logs.) There are three options to choose: Event Log: only the standard local Windows Event Log is used to store audit records; DeviceLock Log: only the protected proprietary log is used to store audit records (the data from this log is sent to DeviceLock Enterprise Server and is stored centrally in the database); Event & DeviceLock Logs: both logs are used to store audit records. Audit Log Settings: Use Audit Log Settings to specify the maximum size of the audit log and overwrite options. (Audit Log Settings dialog: Log size: Maximum log size: 512 KB; When maximum log size is reached: Overwrite events as needed / Overwrite events older than ... / Do not overwrite events (clear log manually); Restore Defaults.) For a detailed description of the audit log settings, see Audit Log Settings (Service). Transfer shadow data to server: Use this parameter to enable or disable the moving of all shadow data to DeviceLock Enterprise Server. If Transfer shadow data to server is disabled, only audit data from the DeviceLock proprietary log (if this log is used) is sent to DeviceLock Enterprise Server, while all shadow
