
NATO UNCLASSIFIED

COMPUSEC COURSE No 279 Demonstrations


To remain at NCISS
Please do not take away

Table of Contents
Module 07 TrendMicro ScanMail Install Demo v1 .......... 1
Module 07 TrendMicro ScanMail Config Demo v1 ........... 19
Module 08 McAfee AV Install and Update Demo v1 ......... 37
Module 08 McAfee AV Config V8.0 Demo v1 ................ 56
Module 09 ePO 3_6 Demo v1 .............................. 88
Module 10 WAC Demo v1 .................................. 105


Trend Micro Scan Mail Module 7


Installation


Overview
This demonstration describes, step by step, all the actions required to install Trend Micro ScanMail for Microsoft Exchange Server.

Requirements for ScanMail 8.0

Operating System and Service Packs


Microsoft Windows Server 2003 with Service Pack 1 (32-bit)
Microsoft Windows Server 2003 R2 (32-bit)
Microsoft Windows Server 2003 with Service Pack 2 (32-bit)

Microsoft Exchange Server 2003


Microsoft Exchange Server 2003 with Service Pack 2 or above

Applications

The latest approved version of the Java Runtime Environment (Jre-1_5_0_10 or above)

Preparations
The following installation files are to be downloaded from the NCIRC web site (you can also request the product CD issued by NITC NCIRC TC):
SMEXV8.0-b1.zip - contains the installation files for ScanMail V8.0
smex_80_win_en_patch2.exe - contains the installation files for ScanMail V8.0 Patch 2
It is recommended to download and unzip the files into a separate temporary folder on the server before commencing the installation.

Step 1: Verify that your system meets requirements:

Windows Server 2003 with Service Pack 2 or above
Exchange Server 2003 with Service Pack 2 or above
Java Runtime Environment 1_5_0_10 or above


Step 2: Locate the SMEX v8 application on the hard drive and <Double Click> Setup.exe to start the installation.


Step 3: The Welcome to Trend Micro ScanMail Setup screen opens. <Click> Next to continue the installation.


Step 4: The License Agreement window opens. To continue the installation, <Click> the I accept the terms in the license agreement radio button, then <Click> [Next].


Step 5: The Select an Action screen appears. To perform a fresh installation or upgrade, <Click> the Install/Upgrade option then <Click> [Next] to continue with the installation.


Step 6: The Server Role Selection screen opens. Specify the server role onto which ScanMail will be installed: <Click> the Exchange Server 2000/2003 option, then <Click> [Next] to continue with the installation.


Step 7: The Select Target Server(s) screen appears. The Setup program can install ScanMail to a number of single servers or to multiple servers in a domain. You must be using an account with the appropriate admin privileges to access every target server. <Click> Browse to browse the computers that are available on your network.


Step 8: Select the server where you want to install ScanMail. <Double click> on SCHOOL and then <Click> on EXSERVER2003. <Click> OK to continue.


Step 9: After the server selection window closes, verify that the server names listed in the Select Target Server(s) window are correct, and if so, <Click> [Next].


Step 10: The Log On screen opens. Log on to target servers where you want to install ScanMail. You must log on using an account with Domain Administrator privileges unless you have manually created the "SMEX Admin group" and user account for the Web management console administrator account in your domain. Type domain\user_name and password (e.g. SCHOOL\Administrator and xxxxxxxx in the VMWare environment created for this class) to log on to the target server to install ScanMail. Click Next to accept the Logon credentials for the target servers and continue the installation.


Step 11: Accept the default directory path to which ScanMail will be installed on the target server. Also accept the default share name shown, to which the specified user has access rights, or keep the default temporary share directory, C$. The Setup program uses the share directory to copy temporary files during installation; it can be accessed only by the administrator. Click Next to continue the installation.


Step 12: The Checking Target Server System Requirements window opens. SMEX checks that your Exchange server meets the system requirements; the minimum is Exchange 2003 SP2. Verify that the correct Exchange Virtual server is displayed. <Click> [Next>].


Step 13: The Web Server Information screen opens. <Click> the radio button to select Microsoft Internet Information Services 5.0 or 6.0. Keep the default drop down selection, Virtual Web Site and the Port Number 16372.


Step 14: The Connection Settings screen appears. By default, the proxy server is disabled. If a proxy server handles Internet traffic on your network, you must enter the proxy server information at this screen.


Step 15: Activate the product

Enter Activation Code to get full ScanMail protection. You can contact the COMPUSEC NCIRC Malware Protection Cell at antivirus@ncirc.nato.int for the official Activation key. You can copy the Activation Code and paste it in the first input field of the Activation Code on this screen. The Setup program parses the entire string and populates the remaining fields for the Activation Code. <Click> Next to continue the installation.


Step 16: The World Virus Tracking Program screen appears. Read the statement and <Click> No, I don't want to participate. <Click> [Next] to continue the installation.


Step 17: The End User Quarantine Setting screen opens. <Click> Integrate with Outlook Junk E-mail to send all ScanMail detected spam messages to the Junk E-mail folder in Outlook. <Click> [Next] to continue.


Step 18: The Control Manager Server Settings screen opens. Generally the Trend Micro Control Manager is not used in NATO so leave the Register ScanMail agent to Control Manager Server check box empty. <Click> [Next] to continue.


Step 19: The Web Management Console Configuration screen opens. This screen is used to create the Active Directory Domain Group and Account used to manage SMEX from web management console. For a new installation <Click> Create a new account. <Click> [Next] to continue.


Step 20: Create the administrator account for Scan Mail

Accept the Trend Micro default Username, or change it to a simple Username. For this class use: User name: SMEXadmin; Password: xxxxxxxx. Setup creates the "SMEX Admin Group" and your SMEX administrator account in Active Directory; your SMEX administrator account is then added to the SMEX Admin Group. <Click> Next to continue the installation.

Step 21: The Review Settings screen opens. Read and verify the configuration settings; if you are happy with the choices, <Click> [Next].


Step 22: The Installation Progress Screen opens. This screen shows the installation process. <Click> [View Details] to display a list of all computers to which ScanMail is being installed and their current status.


Step 23: The Progress Status screen opens. <Click> [OK] to return to the Installation Progress screen.


Step 24: Return to the Installation Progress Screen. <Click> [Next] to continue installation.


Step 25: The Installation Complete screen appears and informs you that the installation was successful. <Click> the View the Readme file check box so that the readme file opens when you finish. Please read the file, especially the Known Issues section. <Click> [Finish] to exit the Setup program.


Step 26: Verify a Successful Installation

Check that Scan Mail is installed to the following directory:


C:\Program Files\Trend Micro\SMEX\

Check for the following services, using Microsoft's Services component (click Start\All Programs\Administrative Tools\Services):
ScanMail for Microsoft Exchange Master Service
ScanMail for Microsoft Exchange Remote Configuration Server
ScanMail for Microsoft Exchange System Watcher

Verify that ScanMail added the following keys to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ScanMail for Exchange
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Private-<MDB-GUID>\VirusScanEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Private-<MDB-GUID>\VirusScanBackgroundScanning
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Public-<MDB-GUID>\VirusScanEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Public-<MDB-GUID>\VirusScanBackgroundScanning


Step 27: Install the latest SMEX software update patch. The latest SMEX patch can be found on the NCIRC NS web portal at the following URL: http://www.ncirc.nato.int/software/antimalware.htm. On the website, <Click> on the [Mail Server Solutions] tab then go to the Patches Trend Micro ScanMail v.8.0 section. Patches are normally cumulative; currently the latest patch is SMEX 8.0 Patch 2. Download and unzip the file into a temp folder on all the servers that need to be patched.


Step 28: A ScanMail for Microsoft Exchange 8.0 Patch 1 window opens. This window shows the Trend Micro License Agreement. <Click> the I accept the terms of the legal agreement radio button then <Click> [Next] to continue installation.


Step 29: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens. You can scroll down within this install screen to read the installation notes. <Click> [Install] to continue the patch installation.


Step 30: The Trend Micro Install package window opens. Do not close any command window that may appear during installation. <Click> [Yes] to continue.


Step 31: The ScanMail for Microsoft Exchange Patch Installation - Welcome window opens and shows the installation progress. NOTE: Please do not close any command prompt during patch installation.


Step 32: Using the Microsoft Services Manager, verify that the ScanMail services are running.
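The checks of Step 26 (install directory, services, registry keys) and Step 32 (services running after the patch) can be run as one script instead of by hand. The following PowerShell script is an added example and is not part of the course material or of the ScanMail product; it assumes PowerShell is installed on the Exchange server and is run from an administrator session, and it discovers the <ServerName> and <MDB-GUID> subkeys from the registry rather than hard-coding them.

```powershell
# Added verification script for Step 26 (directory, services, registry keys) and
# Step 32 (services running after patching). Not part of the course material.
# Assumption: PowerShell is installed on the Exchange server and this runs in an
# elevated (administrator) session; server name and MDB GUIDs are discovered.

$installDir   = 'C:\Program Files\Trend Micro\SMEX\'
$serviceNames = @(
    'ScanMail for Microsoft Exchange Master Service',
    'ScanMail for Microsoft Exchange Remote Configuration Server',
    'ScanMail for Microsoft Exchange System Watcher'
)
$isKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
$smexKey = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange'
$results = @()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail = '')
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Passed = $Passed; Detail = $Detail
    }
}

# 1. Install directory listed in Step 26
Add-Check 'Install directory' (Test-Path -LiteralPath $installDir) $installDir

# 2. The three ScanMail services exist (Step 26) and are running (Step 32)
foreach ($name in $serviceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Add-Check "Service: $name" $false 'not installed'
    } else {
        Add-Check "Service: $name" ($svc.Status -eq 'Running') "status: $($svc.Status)"
    }
}

# 3. Product key and the store-wide VirusScan key
Add-Check 'HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange' (Test-Path $smexKey)
Add-Check 'MSExchangeIS\VirusScan' (Test-Path (Join-Path $isKey 'VirusScan'))

# 4. Per-database values. Exchange creates Private-<MDB-GUID> and Public-<MDB-GUID>
#    subkeys under MSExchangeIS\<ServerName>; walk two levels instead of hard-coding them.
$dbKeys = Get-ChildItem -Path $isKey -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.PSChildName -match '^(Private|Public)-' }

if (-not $dbKeys) {
    Add-Check 'MSExchangeIS\<ServerName>\Private-/Public-<MDB-GUID>' $false 'no database subkeys found'
}
foreach ($db in $dbKeys) {
    $serverName = Split-Path $db.PSParentPath -Leaf
    $props = Get-ItemProperty -Path $db.PSPath
    foreach ($valueName in 'VirusScanEnabled', 'VirusScanBackgroundScanning') {
        # A missing value means the store is not hooked into ScanMail's VSAPI scanning.
        $present = $props.PSObject.Properties[$valueName] -ne $null
        $detail  = if ($present) { "value: $($props.$valueName)" } else { 'value missing' }
        Add-Check "$serverName\$($db.PSChildName)\$valueName" $present $detail
    }
}

$results | Format-Table Check, Passed, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) ScanMail verification check(s) failed; see the table above."
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or a post-patch checklist on each patched server.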


Trend Micro Scan Mail Module 7


Configuration


Overview
Demonstration 2 provides the basic steps required to configure Trend Micro ScanMail for Microsoft Exchange Server. A Web management console is used to access, configure and control ScanMail. The console allows you to manage multiple MS Exchange servers and remote servers from any computer on the network. The management console is password protected, ensuring that only the ScanMail administrator can modify ScanMail settings. A Java-enabled web browser that supports frames, such as Internet Explorer 5.5 with SP3 or above, is required to access and manage the Web management console. Make sure the Java virtual machine is installed on your computer before you start the ScanMail Web Management Console. The settings as ticked in this demonstration are recommended by NATO NCIRC.


Step 1: View the Web management console:

<Click> [Start > Programs > Trend Micro ScanMail for Microsoft Exchange > ScanMail Management Console] to view the Web management console, or use Internet Explorer to access the following site: http://<Scanmail servername>:<portnumber>/smex, e.g. http://localhost:16382/smex (by default the HTTP port number is 16382).


Step 2: Enter your SMEX User name and Password


Step 3: The ScanMail Summary page is displayed once you have logged on successfully.


Step 4: Verify that SMTP scanning is activated.

Both SMTP and VSAPI (Mailstore) scanning are enabled by default. While scanning in both SMTP and VSAPI modes may result in some files being scanned twice, with SMTP scanning also enabled it is possible for SMEX to perform the Delete entire message and Quarantine entire message actions. This functionality is more important than the possible small performance increase from disabling SMTP scanning.

If SMTP scanning is disabled the icon is RED; enable SMTP scanning by <Clicking> the icon so that it turns GREEN.

Step 5: <Click> Virus Scan on the sidebar and then <Click> Enable real-time virus scan. Configure the Target tab:
Default scan section: <Click> All attachment files
IntelliTrap section: deselect the Enable IntelliTrap check box
Additional Threat Scan section: deselect all check boxes
Advanced Options section: set the Scan Restriction Criteria as follows:
Message Body size exceeds: 30 MB
Attachments size exceeds: 30 MB
Decompressed file count exceeds: 9999
Size of decompressed file exceeds: 100 MB
Number of layers of compression exceeds: 5
Size of decompressed file is x times the size of compressed file: 1000

To save all changes, <Click> the Save button.



Step 6: Configure the Virus Scan > Action tab.

<Click> the radio button Customized Action for detected threats.
<Click> the check box Enable Action on Mass-mailing behaviour (this overrides all other actions). In the drop-down boxes, <Select> Quarantine entire message as the action and Notify for notification.
In the Detected Threats subsection, <Select> Specify action per detected threat. For each case, <Specify> Quarantine entire message as the action and Notify for notification.
For the option Uncleanable files, choose Quarantine entire message from the drop-down box.
<Click> the check box to select the option Do not clean infected compressed files to improve performance.


Step 7: Continue the Virus Scan > Action tab configuration: Advanced Options section
In the Macros section, <Select> the option Enable advanced macro scanning. Then <Select> the Heuristic Levels option and, in the drop-down box, set the option to 2-Default filtering.
In the Backup and Quarantine settings section, view the default settings and ensure they are set as follows:
Backup Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\backup
Quarantine Directory: <Drv>:\<system directory>\Trend Micro\smex\storage\quarantine

In the Replacement Settings section, review to ensure the default settings are configured as follows:
Replacement File name: VIRUS_DETECTED_AND_REMOVED.TXT

Replacement text: ScanMail detected and removed a virus from the original mail entity. You can safely save or delete this replacement attachment.

To save all the changes, <Click> the Save button.

Step 8: Configure Virus Scan > Notification tab


<Expand> the Notify Administrator view, <Select> the To radio button and add the NCIRC email address, i.e. epo-alert@ncirc.nato.int (in the demonstration it is mapped to Testuser1), together with all local notification e-mail addresses (use a semicolon without spaces to separate e-mail addresses). In the Subject field, add meaningful information that identifies your organization and site; an example of a subject field entry is Virus Scanning Notification from NATO School. In the Advanced Notification section, <Select> Write to Windows event Log.

<Click> on the Save icon to save all your changes.


Step 9: Configure Attachment Blocking Target tab


Enable real-time attachment blocking. Go to the subsection Block these attachments. <Click> to select the option Specified Attachments. Then <Click> to select the option Specified file extensions to block. The default specified file extensions being blocked are: ADE; ADP; ASX; BAS; BAT; BIN; CHM; CMD; COM; CPL; CRT; DLL; EML; EXE; HIV; HLP; HTA; INF; INS; ISP; JS; JSE; JTD; MSC; MSI; MSP; MST; OCX; OFT; OVL; PCD; PIF; PL; PLX; SCR; SCT; SH; SHB; SHS; SYS; VB; VBE; VBS; VSS; VST; VXD; WSC; WSF; WSH. Remember to use a semicolon [;] to separate the file extensions.

Next, <Click> to select the option Block attachment types or names with zip files.


To save your changes, <Click> the Save button.

Step 10: Go to the Attachment Blocking > [Action] tab.


Go to the subsection Select an action and <Click> to select Replace attachment with text/file. The default text currently states: ScanMail detected and removed a file that violated policy from the original mail entity. You can safely save or delete this replacement attachment. Go to the subsection AND, then <Click> the radio button to select the Notify option. To save your changes, <Click> the Save button.


Step 11: Go to the Attachment Blocking > [Notification] tab


Go to the subsection People to notify. <Click> the check box to select the Notify Administrator option. Expand Notify Administrator to show all the configuration options.
In the To field, add the local system notification email addresses and the NCIRC-TC ScanMail alerts email address, epo-alert@ncirc.nato.int. Use a semicolon [;] to separate the email addresses. In the Subject field, include the name of your organization and site in the attachment blocking notification wording; for example: Attachment Blocking Notification from NATO School.

Go to the Settings section and <Click> to select the option Send consolidated notification every, keeping the default value of 2 hours. Go to the subsection Advanced Notification, then <Click> to select Write to Windows event Log.

To save changes <Click> the Save button.

Step 12: <Click> Content Filtering on the side bar, then make sure that the option Enable real-time content filtering is NOT selected. See figure below. <Click> the Save button.


Step 13: On the left side bar, <Click> Anti-Spam. Ensure that the option Anti-Spam is disabled. See figure below. <Click> the Save button.


Step 14: Configure Scheduled Scan. <Click> Scheduled Scan on the sidebar and then select the Add tab to add a new scan task.


Step 15: Continue Scheduled Scan configuration


In the [Scan task name:] field, enter a title for the scan task, for example Daily Mailbox Scan <classification> (e.g. Daily Mailbox Scan NS). Go to the subsection Scheduling. <Click> to select the option Daily. In the Start Time, choose the quietest local time, for example 03 (hh) 00 (mm) (24hr), to start the Exchange database scan. Next, go to the Database Selection section. <Click> to select ALL databases on your Exchange server(s). Next, go to the Select scan type section and <Click> to select the options Virus scan and Attachment blocking. <Click> the Save button.


Step 16: When saved, make sure the scheduled scan is enabled as shown in the screenshot below.


Step 17: Configure the updates for the scan engine and virus pattern.
On the sidebar <Click> Updates to expand the Updates side bar drop down menu. On the sidebar, <Click> the option Scheduled from the previously expanded Updates drop down menu. In this section, <Click> to select Enable scheduled updates. In Components Update section, from the list of options <Click> appropriate check boxes to select Virus pattern, Additional threat pattern and Scan engine. In Update Schedule section, Update every: subsection, <Click> the radio button to select the option Hour(s). The option Hour(s) can be set to 4 so that updates are attempted every 4 hours. Adjust the update frequency to match local requirements.

To save changes <Click> the Save button.

Step 18: Configure the Download Source


On the sidebar, from the previously expanded Updates drop-down menu, <Click> the option Download Source. The classification of your network determines the download source address:
NU network: <Click> the radio button to select Trend Micro's ActiveUpdate Server.
NS network: <Click> the radio button to select Other Update Source and enter the URL http://www.ncirc.nato.int/data/avupdates/activupdate

To save changes <Click> the Save button.



Step 19: For demonstration purposes, updates are downloaded locally from the EXSERVER2003 server. See the screenshot below for the settings used in the demonstration. The updates were downloaded from the NCIRC website.


Step 20: Test your server's connectivity with the anti-virus repository by initiating a Manual Update.
On the Side Bar, from the previously expanded Updates drop down menu, <Click> the option Manual. Ensure that at least the options Virus pattern, Additional threat pattern and Scan Engine are selected. If any of these options are NOT selected, then <Click> the check box to make the selection.


Step 21: Monitor the manual updates screen to view the progress of the update and make sure it was able to connect to the update location.


Step 22: Verify successful Manual Update.


Step 23: Configure the alerts for System Events


<Click> Alerts > System Events. Ensure that the following options are selected; if not, <Click> the relevant check boxes to select them:
ScanMail Service process did not start successfully
ScanMail service is unavailable
Update: Each time update was: unsuccessful
Manual/Scheduled scan tasks were: Unsuccessful
The disk space on the local drive (volume) of the backup, quarantine, and archive directory is less than: (set this to) 1 GB
Specify time interval to send consecutive alerts if above problem still exists: (set this to) 1 hr(s)
The size of the database to keep quarantine and logs exceeds: (set this to) 1 GB
Specify time interval to send consecutive alerts if above problem still exists: (set this to) 1 hr(s)

To save changes <Click> the Save button.



Step 24: Configure the Outbreak Alert events


<Click> Alerts > Outbreak Alert. In the section Outbreak Alert > Conditions, <Click> the check boxes to select, and configure, the following options:
Viruses detected exceed the following number within the shown time: 25 in 24 hr(s)
Uncleanable viruses exceed the following number within the shown time: 25 in 24 hr(s)
Blocked attachments exceed the following number within the shown time: 25 in 24 hr(s)

To save changes <Click> the Save button.


Step 25: Configure Logs

On the sidebar <Click> Logs to expand the Logs side bar drop down menu. <Click> to select Maintenance, then the [Automatic] tab. <Click> the check box to select Enable Automatic Maintenance. In the subsection Target, <Click> the radio button to select All logs. Go to subsection Action; for the option Delete logs older than, enter the value 90 days.

To save changes <Click> the Save button.


Step 26: Configure Quarantine


<Click> Quarantine on the sidebar to expand the sidebar menu. <Click> to select Maintenance, then <Click> the [Automatic] tab. Ensure that the option Enable automatic maintenance is selected; if not, <Click> the check box to select it. In the subsection Files to delete, <Click> the radio button to select All quarantined files. In the subsection Action, increase the value of the option Delete selected files older than to 90 days.

To save changes <Click> the Save button.


Step 27: Configure Administration > Proxy (if you use a proxy on your network)
If your environment uses a proxy server to access websites, from the Administration side bar drop-down menu, <Click> to select Proxy. In the Proxy configuration window, <Click> the check box to select the option Use a proxy server for update and product license notification. In the Settings subsection, fill in the Address field with the HTTP address of the proxy server and the Port field with the port number (e.g. 8080). In the subsection Proxy Password, fill in the user credentials required for SMEX to use the proxy to access the antivirus update website.

To save changes <Click> the Save button.


Step 28: Configure Administration Notification settings


From the left Administration side bar drop down menu, <Click> to select Notification Settings. In the Notification Settings window, configure the following subsections:
In the Administrator Notification subsection, fill in the Email Address: field with the email addresses of the administrators and other mandated entities. Enter the email address for NCIRCTC epoalert@ncirc.nato.int into this field. To add the email addresses, <Click> the [Apply All] button. (NOTE: use a semicolon ; to separate multiple email addresses). In the subsection Sender Settings, fill in the Sender: field with the email address of the local system administrator. This email address is the reply-to address on all alerts sent from the system.

To save the changes, <Click> the Save button. Email notifications should be tested. Coordinate the verification with local administrators, NCIRCTC and other intended recipients. The NCIRC TC watch keepers can be reached at the below address:
NCN: 254-6666 / 6670
Civil: +32 (0)65 44-6666 / 6670
NS/NU email: NCIRCTC@ncirc.nato.int


Step 29: Check your Product License


From the Administration side bar drop down menu, <Click> to select Product License. View the details of your license in the Product License window. If you need a license, please contact the COMPUSEC NCIRCTC to get your up to date license.


Step 30: Configure the World Virus Tracking

From the Administration side bar drop-down menu, <Click> to select World Virus Tracking. Make sure the radio button No, I don't want to participate is selected in response to the request to participate in the World Virus Tracking program.

To save changes <Click> the Save button.


Step 31: Verify monitoring with Real-time monitor


The Real-time monitor application displays details of the SMEX server Scan Engine and Pattern versions as well as near real-time information for all incoming and outgoing messages. It also shows the current count for detected viruses. <Click> the Real-Time monitor link on the overhead bar to display monitoring information about your local server, or remotely monitored ScanMail server.


Step 32: Sample Real Time Monitor view


Step 33: View the Server Management Console


The ScanMail server management console enables you to view all of the ScanMail servers on a network. <Click> Server Management link on the overhead bar to view features of all the ScanMail servers on a network.


Step 34: The following features are viewable from the Server management console: Pattern and engine version, Scanning result, Scanning status, Last replication.

The Server Management Console can be used to replicate any or all SMEX configurations from one ScanMail server to other ScanMail servers. Replicating configuration settings to other servers in this way is much faster and easier than configuring each server separately. In addition, it ensures that the SMEX configuration is consistent across all ScanMail servers, or groups of servers, that provide the same kind of protection. NOTE: Replicate SMEX settings ONLY with the prior knowledge and approval of all Exchange server system administrators within your domain.


McAfee Enterprise Virus Scan


Installation


McAfee Enterprise Virus Scanner


Part One Installation
Version V8.0


Download from NCIRC

Download the latest McAfee NATO installation file from www.ncirc.nato.int. The file is located via Security & Software tab under Server and Workstation Solutions.


Unzip and open

Unzip the downloaded file (in this case it is called VSE710LEN) to a folder on the desktop. Open the folder.


Start installation

Setup

Start the installation by double clicking on the Setup icon.


Progress bar

A progress bar appears whilst the system is being prepared for installation.


README text

The McAfee Virus Enterprise Setup dialog appears; click Next to proceed.


License to agree
Choose All Other Countries and Perpetual on the license agreement page. Select I accept the terms in the license agreement and click OK.

A license agreement dialog box appears. On the Country List Box select All Other Countries. On the expiry type select Perpetual. Select the accept radio button option and click OK to proceed.


Select typical install

A Setup Type dialog box appears; select the radio button for Typical install and click Next.


Finishing preparation

A Ready to Install dialog box appears; click Install to proceed with the installation.


During installation a progress dialog box appears.


Start scan

Once installation is complete, a dialog box appears denoting the successful install and providing two options. The first, Update Now, may only be used if the host machine is connected to the Internet; it invokes an automatic check at the McAfee web site for the latest virus definition files. Leave this option unchecked. The second option invokes an immediate scan; select this option to confirm the software is running correctly. Click Finish to start the scan.


Accept or Update

Depending on how old the virus definitions are, a warning that the virus definition files are out of date may appear: click OK to confirm the notification and allow the scan to run (the update of the virus definitions will follow). Alternatively, an update can be forced by clicking Update.

Page 49

Watch progress

During the scan a progress dialog box will appear.

Page 50

McAfee Enterprise Virus Scanner

Part Two: Updating the Signature File

Page 51

Download signatures

Download the latest signature file from http://www.mcafee.com/apps/downloads/security_updates/ or obtain it from the local network administrator. Activate the update by double-clicking the file (in this case 5087xdat).

Page 52

Start update

An installation dialog box will appear, click Next to continue.

Page 53

A progress dialog box appears whilst the system is prepared for update.

Page 54

Complete update

On completion, a dialog box appears confirming correct installation of the update. Click Finish to end; there is no requirement to restart the computer, as the update is activated immediately.

Page 55

McAfee Enterprise V 8.0 Virus


Configuration (as per exercise)

Page 56

Open McAfee Scan item

From the taskbar notification area in the lower right-hand corner, right-click the McAfee VirusScan icon (a small shield) and select On-Access Scan Properties from the menu.

Page 57

General settings - overview

A properties dialog box appears, opening on the General tab. Ensure that the following configuration options are applied:

In the Scan box:
- Boot sectors - Selected
- Floppy during shutdown - Selected

In the General box:
- Enable on-access scanning at system startup - Selected
- Quarantine folder - Set to \quarantine\

In the Scan time box:
- Maximum archive scan time (seconds) - Set to 60
- Enforce a maximum scanning time for all files - Selected
- Maximum scan time (seconds) - Set to 61

After these settings have been configured, click Apply.

Page 58

General settings - Scriptscan

In the same dialog box, under the ScriptScan tab, ensure that the Enable ScriptScan tick box is selected. After this setting has been configured, click Apply.

Page 59

General settings - Blocking

In the same dialog box, under the Blocking tab, apply the following configuration items:
- Send a message - Clear
- Block the connection - Selected
- Unblock connections after (minutes) - Set to 10
- Block if an unwanted program is detected - Selected

After these settings have been configured, click Apply.

Page 60

General settings - messages

In the same dialog box, under the Messages tab, apply the following configuration items:

In the Messages box:
- Show the messages dialog when a virus is detected - Selected
- Text to display in message - Set to: Alert!! Call <ADP Co-ordinator> on Helpdesk Ext <local Helpdesk extension number>
- Remove messages from the list - Selected
- Clean infected files - Selected
- Delete files - Selected
- Move infected files to the quarantine folder - Selected

Click Apply after making configuration changes.

Page 61

General settings - Reports

In the same dialog box, under the Reports tab:

In the Log file box:
- Log to file - Select (retaining the existing default text of %VSEDEFLOGDIR%\OnAccessScanLog.txt)
- Limit size of log file to - Select and amend to 2 megabytes
- Format - Unicode (UTF8)

In the What to log in addition to virus activity box:
- Session settings - Selected
- Session summary - Selected
- Failure to scan encrypted files - Selected
- User name - Selected

Click Apply after making configuration changes.

Page 62

All Processes - Processes

In the left-hand pane of the dialog box click All Processes. The default tab, Processes, is open. Select the option Use the settings on these tabs for all processes. Click Apply.

Page 63

All Processes - Detection

Open the Detection tab.

In the Scan files box:
- When writing to disk - Select
- When reading from disk - Select
- On network drives - Deselect

In the What to scan box:
- All files - Select
- Default + additional file types - Deselect
- Specified file types - Deselect

Click Apply after making configuration changes.

Page 64

All Processes - Advanced

Open the Advanced tab.

In the Heuristics box:
- Find unknown program viruses - Select
- Find unknown macro viruses - Select

In the Compressed files box:
- Scan inside archives (e.g. ZIP) - Deselect
- Decode MIME encoded files - Deselect

Click Apply after making configuration changes.

Page 65

All Processes - Actions

Open the Actions tab.
- Under When a virus is found, select Clean infected files automatically.
- Under If the above Action fails, select Move infected files to a folder.

Click Apply after making configuration changes.

Page 66

All Processes Unwanted Programs

Open the Unwanted Programs tab.
- Detect unwanted programs - Select

Under When an unwanted program is found:
- Primary Action - Clean files automatically
- Secondary Action - Move files to a folder

Click Apply after making configuration changes.

Page 67

On Delivery E-Mail Scanner

Open the VirusScan Console, right-click the On-Delivery E-mail Scanner item and select Properties from the menu.

Page 68

E-Mail Scanner -- Detection

Open the Detection tab.

In the Scanning of e-mail box, in the Attachments to scan box:
- All file types - Select
- Default + additional file types [0] - Deselect
- Specified file types [0] - Deselect

Click Apply after making configuration changes.

Page 69

E-Mail Scanner -- Advanced

Open the Advanced tab.

In the Heuristics box:
- Find unknown program viruses - Select
- Find unknown macro viruses - Select
- Find attachments with multiple extensions - Select

In the Compressed files box:
- Scan inside archives (e.g. ZIP) - Select
- Decode MIME encoded files - Select

In the E-mail message body box:
- Scan e-mail message body - Select

Click Apply after making configuration changes.

Page 70

E-Mail Scanner -- Actions

Open the Actions tab.

Under When an infected attachment is found:
- Primary Action (When a virus is found) - Clean infected attachments - Select
- Secondary Action (If the first action fails) - Move infected attachments to a folder - Select
- Move To Folder - Quarantine

Under Allowed actions in prompt dialog box:
- Clean attachment - Selected
- Delete attachment - Selected
- Move attachment - Selected

Click Apply after making configuration changes.

Page 71

E-Mail Scanner -- Alerts

Open the Alerts tab. In the E-mail alert box select Send alert to mail user then click Configure.

Page 72

E-Mail Scanner Unwanted Programs

Open the Unwanted Programs tab.
- Detect unwanted programs - Selected

Under When an unwanted attachment is found:
- Primary Action - Set to Clean attachments
- Secondary Action - Set to Move attachments to a folder

Click Apply after making configuration changes.

Page 73

E-Mail Scanner -- Reports

Open the Reports tab.

In the Log file box:
- Log to file - Select (leave at the default file location of %VSEDEFLOGDIR%\EmailOnDeliveryLog.txt)
- Limit size of log file to - Select and set the size to 2 megabytes
- Format - Unicode (UTF8)

In the What to log in addition to virus activity box:
- Session settings - Select
- Session summary - Select
- Failure to scan encrypted files - Select
- User name - Select

Click Apply after making configuration changes.

Page 74

User Interface Options

In the VirusScan Console open the menu item Tools and select User Interface Options from the sub menu.

Page 75

User Interface Options-- Display

Open the Display Options tab.

In the System tray icon box:
- Show the system tray icon with all menu options - Deselect
- Show the system tray icon with minimal menu options - Select
- Do not show the system tray icon - Deselect
- Allow this system to make remote console connections to other systems - Select

Click Apply after making configuration changes.

Page 76

User Interface Options -- Password

Open the Password Options tab and make the following configuration change:
- No password - Select

Click Apply after making configuration changes.

Page 77

Access Protection

Open the VirusScan Console, right-click the Access Protection item and select Properties from the menu.

Page 78

Access Protection Port Blocking

In the Access Protection Properties dialog box select the Port Blocking tab.
- Report access attempts in the log file and/or by generating Alert Manager and ePO events. Specify .. - Select
- Minimum time interval between reports (minutes) - Set to 1

Under the Ports to block heading, tick the following rules:
- Prevent mass mailing worms from sending mail - tick
- Prevent IRC communication - tick
- Prevent FTP inbound (stops viruses such as Nimda spreading) - tick

Click Apply after making configuration changes.

Page 79

Access Protection File/Folder Protection

In the Access Protection Properties dialog box select the File, Share and Folder Protection tab.
- Leave shares with existing access rights - Select

Set files and folders to block (Rule) as follows:
- Prevent Internet Explorer from launching anything from the Temp folder - tick
- Prevent Internet Explorer from launching files from the downloaded program folder (.exe) - tick
- Prevent Outlook from launching anything from the Temp folder - tick
- Prevent Outlook Express from launching anything from the Temp folder - tick
- Prevent Packager from launching anything from the Temp folder - tick
- Prevent MSN from launching anything from the Temp folder - tick
- Prevent WinZip32 from launching anything from the Temp folder - tick
- Prevent WinRAR from launching anything from the Temp folder - tick
- Prevent execution of scripts from the Temp folder - tick
- Prevent access to suspicious startup items (.exe) - tick
- Prevent access to suspicious startup items (.scr) - tick
- Prevent access to suspicious startup items (.hta) - tick
- Prevent access to suspicious startup items (.pif) - tick
- Prevent access to suspicious startup items (.com) - tick
- Prevent remote modification of files (.exe) - tick
- Prevent remote modification of files (.scr) - tick
- Prevent remote modification of files (.ocx) - tick
- Prevent remote modification of files (.dll) - tick
- Prevent remote creation/modification/deletion of anything in the Windows folders and subfolders - tick
- Prevent remote creation/modification/deletion of files in the Windows folders and subfolders (.ini) - tick
- Prevent remote creation/modification/deletion of anything in the system root - tick
- Prevent remote creation/modification/deletion of files (.pif) - tick
- Prevent remote creation of autorun.inf files - tick

Click Apply after making configuration changes.

Page 80

Access Protection Reports

In the Access Protection Properties dialog box select the Reports tab.
- Log to file - Select
- Ensure the log location is set to %VSEDEFLOGDIR%\AccessProtectionLog.txt
- Limit size of log file - Select
- Maximum log file size (MB) - Set to 2
- Format - Unicode (UTF8)

Click Apply after making configuration changes.

Page 81

Buffer Overflow Protection

Open the VirusScan Console, right-click the Buffer Overflow Protection item and select Properties from the menu.

Page 82

Buffer Overflow Protection - Options

In the Buffer Overflow Protection Properties dialog box select the Buffer Overflow Protection tab.
- Enable buffer overflow protection - Select
- Protection mode - Select
- Show the message dialog box when a buffer overflow is detected - Select

Click Apply after making configuration changes.

Page 83

Buffer Overflow Protection - Reports

In the Buffer Overflow Protection Properties dialog box select the Reports tab.
- Log to file - Select
- Ensure the log location is set to %VSEDEFLOGDIR%\BufferOverflowProtectionLog.txt
- Limit size of log file - Select
- Maximum log file size (MB) - Set to 1
- Format - Unicode (UTF8)

Click Apply after making configuration changes.
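The four Reports tabs configured in this module (On-Access Scan, E-mail Scanner, Access Protection and Buffer Overflow Protection) all write to %VSEDEFLOGDIR% with a size cap and Unicode (UTF8) format. The following is an added example, not part of the course material or of McAfee's tooling, that checks a log directory against those settings: each file present, below its cap (flagging files close to it, because a capped log silently stops recording), and decodable as UTF-8. The file names and caps are taken from this module; the warning threshold, the fallback directory and the sample files built in demo() are constructed assumptions.

```python
"""Check VSE 8.0 report logs against the Reports-tab settings in this module.
Added example, not course or vendor code."""
import os
import tempfile

# Log file names and "Limit size of log file" caps (MB) as configured in this module.
REQUIRED_LOGS = {
    "OnAccessScanLog.txt": 2,
    "EmailOnDeliveryLog.txt": 2,
    "AccessProtectionLog.txt": 2,
    "BufferOverflowProtectionLog.txt": 1,
}


def check_logs(log_dir, required=REQUIRED_LOGS, warn_fraction=0.8):
    """Return a sorted list of (file name, finding); an empty list means all clear.

    Findings:
      'missing'    - the log was never written (logging may be switched off)
      'over_limit' - larger than the configured cap (cap is not being enforced)
      'near_limit' - above warn_fraction of the cap (about to stop recording)
      'not_utf8'   - contents do not decode as UTF-8 (Format setting is wrong)
    warn_fraction is a constructed threshold, not a VSE setting.
    """
    findings = []
    for name, limit_mb in required.items():
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        size = os.path.getsize(path)
        limit = limit_mb * 1024 * 1024
        if size > limit:
            findings.append((name, "over_limit"))
        elif size >= warn_fraction * limit:
            findings.append((name, "near_limit"))
        with open(path, "rb") as fh:
            try:
                fh.read().decode("utf-8-sig")  # accept an optional UTF-8 BOM
            except UnicodeDecodeError:
                findings.append((name, "not_utf8"))
    return sorted(findings)


def default_log_dir():
    """%VSEDEFLOGDIR% as set on the VSE host; falls back to the current directory."""
    return os.environ.get("VSEDEFLOGDIR", ".")


def demo():
    """Constructed scenario: one healthy log, one near its cap, one written in
    UTF-16 (wrong Format setting) and one missing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "OnAccessScanLog.txt"), "wb") as fh:
            fh.write("Session settings: scan on write, on read\n".encode("utf-8"))
        with open(os.path.join(d, "EmailOnDeliveryLog.txt"), "wb") as fh:
            fh.write(b"x" * int(1.9 * 1024 * 1024))      # 1.9 MB of a 2 MB cap
        with open(os.path.join(d, "AccessProtectionLog.txt"), "wb") as fh:
            fh.write("Blocked by rule\n".encode("utf-16"))  # not UTF-8
        # BufferOverflowProtectionLog.txt deliberately absent
        return check_logs(d)


if __name__ == "__main__":
    for name, finding in check_logs(default_log_dir()):
        print(f"{name}: {finding}")
```

Run it on the VSE host with %VSEDEFLOGDIR% set and an empty result confirms the Reports settings are doing what the slides intend; demo() shows the three failure kinds on constructed files.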

Page 84

Unwanted Programs Policy

Open the VirusScan Console, right-click the Unwanted Programs Policy item and select Properties from the menu.

Page 85

Unwanted Programs Policy -Detection

In the Unwanted Programs Policies Properties dialog box select the Detection tab. Under The categories of detections that are in the DATs, tick the following:
- Spyware - tick
- Adware - tick
- Remote Administration Tools - tick
- Dialers - tick
- Password Crackers - tick
- Jokes - tick
- Other Potentially Unwanted Programs - tick

Click Apply after making configuration changes.

Page 86

Finished.
McAfee Enterprise AV configuration is now complete.

Page 87

Enterprise Policy Orchestrator (ePO) Module 9


Demonstration

Page 88

Demonstration Overview
Section One:
ePO Server and Console Installation

Section Two:
ePO Configuration

Page 89

Section One
ePO Server and Console Installation

Page 90

ePO Server and Console Install


Download the following files and extract them into separate temporary folders:
- epo361LMN.zip - installation files for the ePO 3.6 server, console and database
- ePO361P3N.zip - ePO patch file

You must log on to the server with an account that has domain admin rights for a successful install.

Record the two temporary folders for future reference.

Page 91

Start server installation


Run setup.exe from the extracted directory. During the initial stage a number of warnings will appear regarding additional files in the package; these can safely be accepted.

Locate the setup.exe file in the temp folder where EPO350NML.ZIP was extracted.

Page 92

Start server installation


The Setup screen appears; click Next.

Page 93

License Agreement
Choose All Other Countries and Perpetual on the license agreement page. Select I accept the terms in the license agreement and click OK.

Page 94

Installation Options
Select Install Server and Console and click Next.

If you see a message box stating that your server does not have a static IP address, stop the installation and restart it after defining a static IP address.

Page 95

Set Server Password


Enter the password you would like to use for the ePO server. You cannot leave this blank.

Page 96

Server Service Account


Deselect Use Local System Account and enter the account information.

In the Account Information area, enter or select your domain, then enter the user name and password to be used by the ePO server service. Note: if the account you specify is not an administrator account, you will see a warning that you cannot use ePO to deploy agents. If you want the ePO server service to have rights to deploy agents, click OK, then Back, and enter a user account and password with appropriate administrator rights.

Page 97

Select Database Server


Select Install a server on this computer and use it, then click Next.

Selecting the Install a server on this computer and use it option installs the free MSDE database included with ePolicy Orchestrator.

Page 98

Database Server Account


Deselect Use the same account as the Server service, then select This is SQL Server account. Click Next.

On the Database Server Account dialog box, deselect Use the same account as the Server service, then select This is SQL Server account. Type in and verify a secure password. This is the SA account that your ePO server service uses to access the MSDE database. Note this password down, as it could be needed for maintenance purposes. Click Next to save the database account information.

Page 99

HTTP Configuration
Change the HTTP ports to those defined in the document epo361_ports.pdf, available on the NCIRC site. Click Next.

Change the HTTP port for agent communication to 8090 and the HTTP port for console communication to 8091. Change all the ports in the range 8090 to 8096 accordingly, as shown in the screen capture above. Click Next to save the port information.

Page 100

Set E-mail Address


In an operational setting this address would be epo-alert@ncirc.nato.int

Type the e-mail address to which the default notification rules send messages once they are enabled. This address is epo-alert@ncirc.nato.int. This e-mail address is used by the ePO Notifications feature.

Page 101

Installation Completion
On the Ready to Install dialog box, click Install to begin the installation. During the installation some "Digital Signature not found" messages will come up; answer Yes to all of these. Click OK when prompted to reboot. Log back in with the same account used at the beginning of the installation to allow the installation to continue.

On the Ready to Install dialog box, click Install to begin the installation. The installation takes approximately 25 minutes to complete and may prompt you to reboot the computer during the installation. During the installation some "Digital Signature not found" messages will come up; answer Yes to all of these. Click OK when prompted to reboot and be sure to log back in with the same account when the computer reboots to allow the installation to continue. When installation is finished, click Finish. Reboot if requested.

Page 102

Section Two
ePO Server Configuration

Page 103

Configuration Highlights
- Master Repository setup
- Populating the ePO server with servers and computers
- Importing VirusScan and ePO Agent policies
- Deploying the ePO Agent

Refer to Exercise 1 for details of the configuration requirements.

Page 104

Pointsec Protector Module 10

Page 105

Overview
Section One:
Demonstration of Protector installation

Section Two:
Implementation of the Approved Profiles with Demonstration

Section Three:
Procedure for changing templates

Page 106

Section One
Demonstration of Protector installation

Page 107

Exercise architecture
- Windows 2003 Domain Controller (W2003DC1)
- Windows 2003 Member Server 1 (W2003MS1)
- Windows XP Workstation 1 (CLIENT1)
- Windows XP Workstation 2 (CLIENT2)

Ensure that all four VMware guest operating systems are on the Baseline Security Settings Template.

Page 108

Protector Server Install


Protector stores profiles and logs in a SQL database. There are two installation options:
- Existing Microsoft SQL 2000 (or later)
- Microsoft SQL Desktop Engine (MSDE)

MSDE is a lightweight version of MS SQL. This exercise is based on a full SQL install.

The full version of Microsoft SQL requires a valid licence and must be installed and configured before the Protector server is installed. MSDE is a stripped-down version of SQL 2000 that vendors bundle with products so that customers need not pay for an additional SQL licence. MSDE is selected automatically during a standard install if no existing SQL server is found on the system.

Page 109

Start server installation


Run setup.exe from the server distribution directory. The splash screen appears.

Note that the normal installation procedure begins by inserting the Pointsec Protector installation CD-ROM into the CD drive. The CD should autorun; if not, double-click AutoRun.exe in the root of the CD. This displays a menu screen. Select the Software menu and then Install Reflex Pointsec Protector Enterprise Server for Windows NT/2000/2003/XP from the list of options. The setup program launches and this splash screen is displayed. From this point the installation procedures are identical.

Page 110

To continue, click Next

Page 111

Accept the agreement

Like all other software we use on a daily basis, you must accept the licence agreement before you may continue with the installation. Selecting I do not accept the agreement and pressing Next cancels the installation. Selecting the I accept the agreement radio button and then clicking Next takes you to the Setup Type dialog box.

Page 112

Licence Information
Enter Licence details on the Information Screen

The Registration screen requires a User Name, Company Name and Serial Number. The serial number is generated from the Company Name, so it is vital that the Company Name is entered exactly as it is written in the licence file. Note that all 0s are the digit zero; Pointsec will never release a serial number that contains the letter O. It is also possible to load the licence directly from a text file delivered by Pointsec. Pressing Next takes you to the Setup Type dialog box.

Page 113

Setup Type
Select a Custom Install

Options shown on the screen: Complete, Custom

The three possible types of installation are detailed on this screen. Complete installs all modules. Custom allows the selection of specific Protector components. The option to install a Server Administration Console allows a management console to be installed on a system other than the one running the Pointsec Protector server. Selecting Complete and pressing Next displays the Select Program Folder dialog box.

Page 114

Select Features
Deselect Microsoft SQL Database Engine

If the installer does not detect an existing SQL Server installation on the local machine, it automatically selects the MSDE installation unless prevented from doing so.

Page 115

Type in the SQL Server


The Protector service account must be a member of Database Creators on this server.

SQL Server entered in the exercise: DATABASE1

Click Next to carry on.

Page 116

Select Program Folder


Accept the default and press Next

This allows you to change the location where the software installs its shortcuts. Pressing Next displays the SMTP Setup dialog box.

Page 117

TCP Port and SMTP Setup


Accept the default TCP port number. Configure appropriate SMTP settings.

Values shown in the screen capture: smtp.school.nato.int, validuser1, admin@school.nato.int, ************* (password masked)

The SMTP Setup screen allows us to set the information that lets DiskNet send e-mail alerts automatically. Reflex Disknet Pro Server Port Number: this is the TCP/IP port number that the server uses to communicate with the client. SMTP Server: if you wish to use the e-mail alert feature of Reflex Disknet Pro you need to enter the name of the SMTP server and provide a logon name and password for an account that can access this SMTP server (if required). Pressing Next takes you to the Select Service Account dialog box.

Page 118

Select the Service Account

This is the account that Protector will run as; protector_service should be selected from the users on the local machine (not from the School domain). Note that the protector_service account was created prior to the install and added to both the local Administrators and LG_ServiceLogonRight groups. LG_ServiceLogonRight is granted the domain-wide Logon as a Service right by the application of the NATO security settings. Note that the installation of the Protector client also grants this protector_service account the domain-wide Logon as a Service right, but the subsequent reapplication of the security settings later removes it again. Using local groups in this way allows administrators to assign local rights without needing domain-wide administrative privileges.

Page 119

Summary Screen
Last chance to go back and make changes

This dialog displays a summary of the installation options you have selected. Check this information is correct and click Next to continue. The installation will now copy all files required to complete the installation and display the Finish dialog when complete.

Page 120

Installing Microsoft SQL Desktop Engine

The Disknet Pro server uses a Microsoft SQL database to store the profile and user information and installs the Microsoft SQL Database Engine during setup. During this automatic install these two windows will pop up:

Page 121

Installation Wizard Complete


Pointsec Protector server is installed

Click the Finish button to complete the installation

Page 122

Protector Client Install


Four main options for the client install:
1. Pointsec Deployment Server
2. Active Directory Group Policy
3. Add to Disk Image (Windows Baseline)
4. Manual Install

Instructions for options 1 to 3 can be found on the WAC Portal on the NCIRC NS site.

Page 123

NCIRC WAC Web Portal


http://nww.ncirc.nato.int/

WAC SecOps

Instructions for using the deployment server, Active Directory Group Policy, creating a Windows Image (Baseline) or manually installing the client are provided on the NCIRC WAC Portal on the NATO Secret WAN. Note that manual installation, the deployment server and disk image installs can be used interchangeably. For group policy, however, if the client is installed using group policy it must be upgraded or removed using group policy.

Page 124

Splash Screen
Double click on the client install setup.exe

Wait until Welcome Screen

Page 125

Welcome Screen
Click on Next to proceed

Page 126

Accept Licence Agreement

Click Next to accept licence agreement

Page 127

Setup Type
Select Complete and click Next

Leave set to Complete and press Next to continue

Page 128

Server Name and Port


Use Browse then Add to select the server

Select the name of the Protector server (or alternatively type in its IP address, 10.10.10.11). Leave the port at the default (9738) and press Next to continue.

Page 129

Start Copying Files


Click on Next to proceed

Press Next to continue

Page 130

Setup Status

Wait until installation is complete

Page 131

Install Wizard Complete


Click on Finish to restart the workstation

Press Finish to reboot and complete the Installation

Page 132

Section Two
Implementation of the Approved DNP Profiles with Demonstration

Page 133

Introduction to Profiles

This window shows the current standard set of NATO profiles. Only a brief description is given here, as more detail is given on the important profiles later in the presentation.

- Admin - Allows an administrator to optionally disable each of the Protector protection modules and thus bypass the protection mechanisms.
- Authorise - Allows a user to authorise media using the Removable Media Manager.
- Baseline - The profile used for all non-privileged users. It takes the Default profile and adds CD/DVD-ROM read access and turns on auditing for most unauthorised device access events.
- CDRW - Adds the CD/DVD-ROM write privilege.
- Default - The basis on which all other profiles are built; it is also the profile of any user not explicitly added to any particular group.
- Encrypt Profile - Allows a user to create encrypted USB mass storage devices.
- Fixed Disk - Allows access to external hard drives.
- Floppy - Allows read/write access to floppy disk drives.
- STI Device - Allows access to still image devices such as digital cameras and scanners.
- USB - Allows user access to encrypted USB mass storage devices.

Page 134

NITC Standard Groups

Each of the profiles is linked to a group with a similar-sounding name. A user is simply added to the appropriate group in order to acquire the corresponding rights. The profiles are designed so that they can be nested, i.e. a user added to both the CDRW Access and the Floppy Device Access groups gets both rights. The synchronisation order determines how to handle the situation when different groups define different settings: the lower the number, the higher the priority.

Page 135

Adding a user to a group

To add a user to a group simply right click on the appropriate group and select Add users to group from the menu. Type the name of the user in the Enter object names to select field and press Check Names. If the correct user is displayed in the window press OK to apply.

Page 136

The Default Profile

The Default Profile is used here as an introduction to the three most important modules in the Protector security architecture.

Device Manager provides the ability to control the many different types of devices that can be used on a client workstation. Device Manager can be considered the first line of protection, managing the use of these devices and/or ports. DM can also be used to apply audit rules, allow write access (where appropriate) and enforce encryption. It can also control whether or not files can be run directly from external media. This Default Profile allows only CD-ROM read-only access and enables locally connected printers.

Removable Media Manager (RMM) takes the control and management of removable media devices a step further. Using RMM you can authorise individual media such as floppy disks, USB removable disks etc. for use on the Protector-enabled workstations on your network. Once removable media has been authorised it can be used anywhere within the Protector network environment. The current setting does not allow removable media authorisation. Authorisation is performed at the client workstation. This part of the authorisation process can be made to enforce a virus scan of the media to ensure the contents are virus-free before allowing it onto the network. An additional check can be performed to reject any media that contains executable and other unwanted or active code file types (EXEs, DLLs, MP3s etc.).

The Encryption tab controls all aspects of encrypting removable media; the Default Profile disables all access to encrypted media.


CDRW Access Group

The CD (and DVD) Access group is used here to show the relationship between a group and a profile. The group properties window on the left indicates that two profile templates are applied: the Default and the CDRW profile. The CDRW profile only defines settings for the Device Manager. A view of the Device Manager properties for this profile shows that Access has been granted to DVD/CD-ROM drives; because the R/O (Read Only) box is not selected for these devices, the result is Read/Write access.

This slide also introduces the Define column, which indicates whether or not a particular access right is defined in this profile. A closed blue padlock indicates that the property is inherited from a previously applied profile, in this case the Default; an open green padlock indicates that the right is defined in this profile.


Authorise Profile

The Authorise profile defines settings only for the Removable Media Manager (RMM). A member of the Authorise Users group is allowed to authorise removable media for use within the Protector-enabled network.

Authorisation involves two automated scans of the files on the removable media. The first uses a standard third-party virus checker, in this case McAfee, to check for malicious code. The second, Reflex Datascan, compares the file types against a user-defined list of prohibited file types. Members of this group have the option to select which scanners to use (if more than one virus checker is installed), and they also have the right to delete any rejected files during the authorisation procedure so that authorisation can complete successfully.

Authorisation in this context means creating a digital signature computed from information about the files on the media and from a Media Key that is unique to this particular installation. Each time the media is removed the signature is recalculated and written back to the device. When the device is next plugged into a Protector-protected system the signature is calculated again and compared with the stored value: if they are equal the device can be accessed; if they differ, one or more files on the device have changed and the device must be re-authorised as described above. Because the Media Key is unique to the installation, a medium altered on a machine outside the Protector environment cannot carry a valid signature; protecting that key is therefore part of protecting the removable media control.
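As an added example, and not Protector's own code (the page does not document the format of its signature), the following Python models the authorisation and re-insertion check described above: a Datascan-style file-type check against a prohibited list, a stand-in virus scan, a signature over a manifest of the media contents keyed with a per-installation Media Key, and the comparison made when the medium is next inserted. The prohibited-type list, the constructed marker used by the stub scanner, the JSON manifest and the choice of HMAC-SHA256 for the keyed signature are all assumptions made for illustration; the sample medium is constructed in the script.

```python
"""Model of removable-media authorisation: scan, then seal with a key-dependent signature.

Added example; not Reflex Protector's code. The prohibited-type list, the stub virus
scanner and the HMAC-SHA256 construction are assumptions for illustration.
"""
import hashlib
import hmac
import json
import os

# Assumed prohibited list. Protector keeps its real list in CheckDat.xml, not reproduced here.
PROHIBITED_TYPES = {".exe", ".dll", ".sys", ".com", ".avi", ".mp3", ".wma"}


def datascan(media, prohibited=PROHIBITED_TYPES):
    """Stand-in for the Datascan step: files whose extension is on the prohibited list."""
    return sorted(p for p in media if os.path.splitext(p)[1].lower() in prohibited)


def stub_virus_scan(media):
    """Constructed stand-in for the third-party AV engine: flags files containing a marker."""
    return sorted(p for p, data in media.items() if b"MALWARE-MARKER" in data)


def manifest(media):
    """Canonical description of the media: path, size and content hash of every file."""
    entries = [
        {"path": p, "size": len(media[p]), "sha256": hashlib.sha256(media[p]).hexdigest()}
        for p in sorted(media)
    ]
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal(media, media_key):
    """Signature over the manifest keyed with the installation's Media Key (assumed: HMAC-SHA256).

    A host that does not hold media_key cannot produce a value that will verify, so a medium
    modified outside the Protector environment is detected on the next insertion.
    """
    return hmac.new(media_key, manifest(media), hashlib.sha256).hexdigest()


def authorise(media, media_key, virus_scan=stub_virus_scan, delete_rejected=False):
    """Run both scans, optionally delete rejected files, then seal what remains.

    Returns (signature, media_after, rejected). signature is None when files were rejected
    and the operator did not choose to delete them, i.e. authorisation failed.
    """
    rejected = sorted(set(virus_scan(media)) | set(datascan(media)))
    if rejected and not delete_rejected:
        return None, media, rejected
    media_after = {p: d for p, d in media.items() if p not in rejected}
    return seal(media_after, media_key), media_after, rejected


def check_on_insert(media, stored_signature, media_key):
    """Recompute the signature for the inserted medium and compare it with the stored value."""
    if stored_signature is None:
        return False
    return hmac.compare_digest(seal(media, media_key), stored_signature)


if __name__ == "__main__":
    key = b"per-installation-media-key"  # constructed; the real key is unique to the installation
    # Constructed sample medium: relative path -> file contents.
    usb = {"reports/q1.docx": b"quarterly figures", "notes.txt": b"minutes"}
    sig, usb, rejected = authorise(usb, key)
    print("authorised:", sig is not None, "rejected:", rejected)
    print("accepted on insertion:", check_on_insert(usb, sig, key))
    usb["notes.txt"] = b"minutes, edited on a home PC"  # change made outside the environment
    print("accepted after off-network change:", check_on_insert(usb, sig, key))
    sig2, _, rejected2 = authorise({"tool.exe": b"MZ...", "notes.txt": b"x"}, key)
    print("authorised with an .exe present:", sig2 is not None, "rejected:", rejected2)
```

The manifest hashes file contents, so an edit that keeps a file's name and size still changes the signature; the comparison uses `hmac.compare_digest` so that a forged value cannot be matched byte by byte through timing.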


Encrypt Profile

The Encrypt profile defines settings for the Encryption tab and applies to members of the Encrypt Users group. The Encrypt check box has to be selected on the Removable Media Devices tab. The most important setting here is that a member of this group can create an encrypted Removable Media Device for other users. Members of this group would normally be an Infosec Officer or a worker in the Registry, depending on the local policy for issuing authorised USB mass storage devices.


USB Profile

The USB profile should only be used temporarily, to access USB tokens that have originated outside of the Protector-protected environment. The devices are mounted in Read Only mode so that they can only be used to import data into the protected environment, never to write data out to the token.


Combining Profiles (1)

Testuser1 has been made a member of two groups, which in turn has led to the application of two profiles in addition to the Default. This combination of group memberships enhances the baseline with Read/Write access to floppy drives. The Resulting Profile window on the right is the result of pressing the View/Edit button.


Combining Profiles (2)

This is the same view as the previous slide, but testuser1 has also been added to the CDRW group. Pressing View/Edit now shows that the Device Manager settings have been extended to include write access to CD/DVD-ROM drives (i.e. the R/O check mark has been removed).
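As an added example (not Protector's own code), covering both the Define column and padlocks introduced on the CDRW Access Group slide and the two Combining Profiles slides, the following Python models how a resulting profile is built: the Default defines every setting, each applied group profile defines only the settings it overrides, and the resolved view records which profile defined each value (the padlock state). The setting names, the contents of the Default, floppy and Authorise profiles, and the rule that the later profile wins when two define the same setting, are assumptions made for illustration.

```python
"""Layered profile resolution with per-setting provenance (the Define column).

Added example; not Reflex Protector's code. Setting names, the profile contents below and
the later-profile-wins rule for conflicts are assumptions made for illustration.
"""

# The Default defines every setting; this is the baseline every user inherits.
DEFAULT_PROFILE = {
    "cdrom.access": True,
    "cdrom.read_only": True,
    "floppy.access": False,
    "floppy.read_only": True,
    "usb.access": False,
    "usb.read_only": True,
    "printer.local": True,
    "rmm.authorise": False,
    "encryption.access": False,
}

# Group profiles list only the settings they define (open green padlock); everything else
# is inherited from an earlier profile (closed blue padlock).
CDRW_PROFILE = {"cdrom.read_only": False}
FLOPPY_RW_PROFILE = {"floppy.access": True, "floppy.read_only": False}  # assumed contents
AUTHORISE_PROFILE = {"rmm.authorise": True}


def resolve(default, applied):
    """Build the resulting profile.

    applied is a list of (profile_name, settings) in application order. The result maps
    each setting to (value, defined_by), where defined_by names the profile that last
    defined it; a setting no applied profile touches keeps its Default value.
    """
    result = {name: (value, "Default") for name, value in default.items()}
    for profile_name, settings in applied:
        for name, value in settings.items():
            if name not in default:
                raise KeyError(f"{profile_name!r} defines unknown setting {name!r}")
            result[name] = (value, profile_name)
    return result


def device_access(resolved, device):
    """Summarise one device as 'none', 'read-only' or 'read/write' from its two settings."""
    if not resolved[f"{device}.access"][0]:
        return "none"
    return "read-only" if resolved[f"{device}.read_only"][0] else "read/write"


def delta_from_default(resolved, default):
    """Settings whose effective value differs from the Default: what to review before approving."""
    return {
        name: (value, defined_by)
        for name, (value, defined_by) in resolved.items()
        if value != default[name]
    }


def render(resolved):
    """Text rendering of the Resulting Profile window: value plus padlock state per setting."""
    lines = []
    for name, (value, defined_by) in sorted(resolved.items()):
        padlock = "inherited" if defined_by == "Default" else f"defined in {defined_by}"
        lines.append(f"{name:<20} {str(value):<6} {padlock}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Combining Profiles (1): testuser1 in the floppy read/write and Authorise groups.
    groups = [("FloppyRW", FLOPPY_RW_PROFILE), ("Authorise", AUTHORISE_PROFILE)]
    view1 = resolve(DEFAULT_PROFILE, groups)
    print(render(view1), "\n")
    print("floppy:", device_access(view1, "floppy"), " cdrom:", device_access(view1, "cdrom"))
    # Combining Profiles (2): the same user also added to the CDRW group.
    view2 = resolve(DEFAULT_PROFILE, groups + [("CDRW", CDRW_PROFILE)])
    print("cdrom after CDRW:", device_access(view2, "cdrom"))
    print("differs from Default:", delta_from_default(view2, DEFAULT_PROFILE))
```

`delta_from_default` is the view a Compusec officer wants when approving a group membership: only the rights that go beyond the baseline, each with the profile that granted it. The `KeyError` on an unknown setting stops a mistyped profile from silently granting nothing.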


Program Security Guard

The above settings for user testuser1 for Program Security Guard (PSG) are defined in the Default profile and therefore apply to all other profiles. PSG is used to block the introduction or modification of any file type specified in the box on the right. This can be any executable file (EXE, DLL, SYS etc.), media and audio files (AVI, MP3, WMA etc.), or can be customised to include any other file type you would like to control. All file types protected by PSG are blocked from being introduced to the system from any location, not just from removable media devices; these settings also apply to files downloaded by a web browser from the Internet.

Note that this list is different from the list of unsafe file types used by the Datascan process during the USB media authorisation procedure. The Datascan list is held in an XML file, CheckDat.xml, located with the Protector client executable files.

The picture in the bottom right shows what happens on the client workstation when PSG is triggered. A dialog appears telling the user that an unauthorised file operation has occurred, showing which process caused the alert and which file the process tried to operate on. In the example above VMWareUser.exe was the blocked process, attempting to copy the file setup.cmd.


User Interface Properties

The User Interface, i.e. what the user of the client workstation sees, can also be controlled by profiles. Users can also be given the right to disable individual modules if required. In the standard NCIRC profiles these rights are only available in the Administrators profile.


Audit Properties

Protector has extensive auditing capabilities, which are controlled by profiles. The standard NCIRC audit settings are defined in the Default profile, which in turn is inherited by all other profiles. For each standard event there is an option to either ignore it or log it. Logging is further divided into immediate and register: registered events are transferred to the database at a pre-programmed regular interval, whereas immediate events are transferred, as the name implies, immediately.


Log Archive
Audit policy generates lots of events
Ensure periodic archiving of logs

The WAC Portal contains a document that describes how to clear the log if the database file gets too large for the normal log archival mechanism to function correctly. The title of the document is


Log Archive (2)


Computer Groups

A Computer Group is created in much the same way as a User Group, and profiles can then be linked to computer groups in the same way as to user groups. A computer is assigned to a group by simple drag and drop. Computer Groups allow any user who logs into a computer to use the facilities made available in the Computer Profile: if the computer profile states that the machine can access and write to a CD, then regardless of who logs in, the user will be able to record their own media. Workstation policies are therefore of minimal use in a classified environment where the security policy requires individual accountability, and the NCIRC default templates do not currently define any workstation groups.


Section Three
Procedure for changing Protector templates


Steps in making a change


A change request is made to the local Compusec officer
The Compusec officer forwards the request to NITC
NITC assesses the change and determines if the change will impact everyone or only the local headquarters

How do we make a change to Protector? It is a long process, but a simple one. The people who make the decisions are the Compusec/Infosec officers for the headquarters in question and NITC. The Compusec officer is in the chain because it is up to the Compusec officer to allow or deny the end user's request: they are the people who say "Yes, you can have access to your USB ports" or "No, you can't". However, the Compusec/Infosec officer is not the only person in the chain. NITC are the controllers of the template/profile. They determine whether changes to the profile need to be made NATO-wide or whether the change can be made locally. It is vital that they are kept up to date on any changes that users wish to have made to the system.


Steps in making a change (continued)


Authorisation for the change will occur via email to the system administration team
The change will be input into the system
The profile that has changed will be resent to all of the machines in the network

If the change is local to the headquarters, an email will be sent to the system administration team authorising them to change the profile locally. This email must be printed and stored with the change management documentation for later audit purposes. If the change is best implemented NATO-wide, a change will be made to the templates/profiles on the NCIRC website (http://nww.ncirc.nato.int). The script file can then be downloaded and run on the Protector server. The templates/profiles then have to be resent to the workstations (either by the users logging off and on again, or via the automatic method through the administrative console).


Step by step through a simple request


Scenario: the site has decided to upgrade its infrastructure to allow desktop VTC for all of the users on the network

This is a simple scenario because everyone is impacted by the change. Upgrading to a desktop VTC capability puts a web cam on everyone's desk. If everyone is supposed to be able to use the camera, a change to the baseline profile is needed.


Step one Compusec


Compusec will receive a request to alter the user's rights and privileges with respect to the webcam
Compusec will approve or deny the request
Once approved, Compusec will forward the request to NITC to have them determine what should be done

In this case, as part of the upgrade procedure that the Compusec officer has already agreed to, he or she will need to send a request to NITC outlining the approved change that is being made to the network in the office.


Step two - NITC


Once NITC receives the request they will assess the change by testing it in their testbed, to ensure that the change can be made without giving the end user too many rights
Once the change has been tested, NITC will assess whether the change should be made to NATO as a whole or only to the individual headquarters

NITC is responsible for the testing and approval of all software and software updates/patches. Their website contains items such as the approved software listing, antivirus signature files and patch notices. With respect to DiskNet, they have documentation, scripts and software updates listed on the website.


Step two NITC (contd)


If it is determined that the change would benefit all of NATO, NITC will alter their script and republish it on the website
If it is determined that the change would only benefit the individual headquarters, NITC will send an email authorising the alteration of the profile

Once the change has been approved and tested, NITC will send an email back to the requestor. This note will either authorise the site to make the change locally, or will state that the change has been approved and that the site needs to download the script file again and run it on their DiskNet server.


Step three System Administration


Once the approval notice has been received back at the site, the change will need to be made inside the Administrative Console
The System Administrator will download the script file from the NITC website (http://nww.ncirc.nato.int) and run the executable file on the server

The script file is located by going to the website http://nww.ncirc.nato.int on an NS machine. In the left-hand bar on the site is a section labelled Software, and within that box is a link to Workstation Access Control. Click on that link and the Workstation Access Control documents, policies, profiles and settings will appear in the main window.


Step three System Administration (contd)


In the case of a change that is only to be made at the local site, the person in charge of the profiles will need to open the console, make the approved change, and file the approval email from NITC.

The person in charge of the profiles may be the Compusec officer or a System Administrator. This is a policy decision made by the individual headquarters in conjunction with their NCSA representatives.
