
© 2020 DriveLock SE

DriveLock 2019.2

Manual Supplement for Certification Compliant Operation

DriveLock Agent 2019.2 (Device and Application Control)

Contents

1 ABOUT THIS DOCUMENTATION
  1.1 Document Structure
  1.2 Document Conventions
2 INTRODUCTION
  2.1 Roles
  2.2 Documentation of Evaluated Functionality
    2.2.1 For Administrators
    2.2.2 For Users
  2.3 Further Documentation
3 PREPARATIVE PROCEDURES
  3.1 DriveLock Administrators
  3.2 Obtaining and Verifying the Software
  3.3 Configuration Type
  3.4 Certificates
  3.5 Installing an Enterprise Service (DES)
  3.6 Installing the Management Console (DMC)
  3.7 Creating Policies
    3.7.1 Agent Hardening and Global Security Settings
    3.7.2 Audit Settings
    3.7.3 Enterprise Service Connection Settings
    3.7.4 Device Control Settings
    3.7.5 Application Control Settings
    3.7.6 Application Permissions Settings
  3.8 Preparing the Workstation
  3.9 Installing the Agent
4 OPERATIVE PROCEDURES
  4.1 Roles
  4.2 For Administrators
    4.2.1 Certificates
  4.3 For Users
    4.3.1 Security Relevant Incidents
5 REFERENCES


1 About this Documentation

This supplement to the DriveLock 2019.2 product documentation explains how to configure and operate

the DriveLock Agent 2019.2 so that the resulting installation is compliant with the certified configuration.

It is primarily intended for administrators but also contains guidance for users (see section 4.3).

This document is not intended as a replacement for the product documentation. Instead, it shall serve as

a guide for that documentation, highlighting certain aspects that are essential to replicate the evaluated

configuration.

Only a subset of the possible installation and configuration variants has been evaluated, and the security

claims in the Security Target are only valid if the product is installed and operated as described. Should

any instruction in this guide conflict with the remaining product documentation, this guide takes

precedence over the regular documentation.

1.1 Document Structure

This guide is organized in sections according to time of use and intended audience. Section 2 contains a

short overview of all available product documentation.

Section 3 is intended for administrators only and describes the setup and configuration of the product

and required infrastructure (preparative procedures). Readers should be familiar with Windows Client and

Server administration.

Section 4 contains information for the day-to-day use of the product (operative procedures) for both

administrators and users.

1.2 Document Conventions

Items in [brackets] are hyperlinks and refer to one of the documents listed at the end of this document.

Document version 1.50, last changed: 2020-07-02


2 Introduction

2.1 Roles

The DriveLock Agent recognizes only two roles: Users and Administrators. The term DriveLock

Administrator is used here to avoid confusion with workstation administrators. The latter are Users with

administrative privileges to the workstation running the DriveLock Agent. However, they do have access

to a few functions that regular users don’t (see section 4.1 for details). Since regular users aren’t permitted

to set up or modify the configuration, most of this guide applies to administrators. Users may want to skip

to the operative instructions relevant to them, described in section 4.3 of this document.

2.2 Documentation of Evaluated Functionality

The documentation described in the following sections is available for the evaluated functionality; the

documents can be downloaded from https://www.drivelock.help/versions/2019_2.

2.2.1 For Administrators

DriveLock Installation Guide: This document gives a detailed description of how to set up a DriveLock

installation, covering both the administrative backend and the workstation setup.

DriveLock Administration Guide: This is the main reference on the product for administrators. It describes

in detail the concepts, available functions, and settings.

DriveLock Events: This document lists all available audit events for the DriveLock Agent and the

administration software.

Release Notes: These are issued with each software release and contain detailed information on technical

issues related to this software release. They may also contain corrections or additions for the product

documentation.

Manual Supplement for Certification Compliant Operation: This guide.

2.2.2 For Users

DriveLock User Guide: This is the primary reference for users. It describes the functions and options

available to the users of a DriveLock-protected workstation.

Manual Supplement for Certification Compliant Operation: This guide.

2.3 Further Documentation

These documents describe additional components and functions of the product, which are not part of the

evaluated functionality. They are included for completeness and intended for administrators.

DriveLock Quickstart Guide: This document describes the steps to set up a basic DriveLock installation

using a setup wizard. It is primarily intended for administrators to e.g. quickly install the product for

testing.


DriveLock Control Center User Guide: This document describes the DriveLock Control Center, which is used

to monitor the status of DriveLock-protected workstations. It is intended for DriveLock administrators.

Although the Control Center itself is not part of the evaluated functionality, it is essential for analyzing the

data generated by the evaluated audit functionality.

DriveLock Security Awareness Guide: This document describes the use of the Security Awareness

component.

DriveLock BitLocker Management Guide: This document describes the BitLocker Management component.


3 Preparative Procedures

An essential aspect of every evaluation is to verify that a security solution (the TOE, “Target of Evaluation”)

effectively counters certain threats (which are described in detail in a published Security Target). However,

this usually requires that the TOE be configured in a specific way. This section describes the specifics of

setting up the infrastructure as required for a compliant installation. This requires installing the

management components. An overview of the components of a DriveLock installation is available in

section 2.1 of [INSTALLG].

3.1 DriveLock Administrators

DriveLock administrators must be trustworthy and sufficiently familiar with the DriveLock software to

minimize the risk of inadvertent misconfiguration. They must also be trusted to not intentionally subvert its

operation.

3.2 Obtaining and Verifying the Software

The certified version of the DriveLock software is available to registered customers only, after purchasing

a license. Registered customers have access to non-public information in the DriveLock Support Portal

(accessible at https://my.drivelock.support/wm/kb.html). Knowledgebase article KBA00341 contains

information on and links to the software, its documentation, and this document.

The software is provided as a downloadable ISO image. The knowledgebase article also contains a SHA2

hash value of the ISO file which can be used to verify the integrity of the file. In addition, the article lists

the SHA2 hashes of the principal installation archives inside the ISO file.

3.3 Configuration Type

DriveLock supports several mechanisms for configuration and policy deployment. For an overview of

these methods and their properties refer to section 3 of [INSTALLG].

For the evaluated configuration, the method Centrally Stored Policy must be used. In addition, the

centrally stored policies need to be signed before they are deployed, i.e. the server connection must be

set up using a configuration certificate (refer to 3.9 Installing the Agent for details).

All other deployment methods available were not evaluated and cannot be used.

The essential steps required to set up a compliant installation are therefore:

1. Install an Enterprise Service

2. Install the Management Console

3. Create an initial policy

4. Install the Agent(s)

The certification relevant aspects for each step are explained in the following sections.


3.4 Certificates

Configuration signing and the secure TLS connection to the Enterprise Service use certificates. The

certificates are a security critical component for these mechanisms and should generally fulfill at least the

following requirements:

| Requirement | RSA | ECC (supported for TLS only) |
|---|---|---|
| Key Length | 3072 | 256 |
| Integrity Hash | SHA2 or better | SHA2 or better |
| Validity | ≤ 4 years | ≤ 4 years |

Shortly before expiration of the validity period the certificates need to be replaced. For TLS this can be

achieved using Windows administrative tools. For the configuration certificate a new one needs to be

created in the Management Console (see section 5.4.4 of [INSTALLG]) and deployed.
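The requirements in the table above can be checked mechanically before a certificate is put into use. The following PowerShell is an added example, not part of the DriveLock documentation or software; the function name `Test-CertificateRequirements`, the `WarnDays` parameter, and the use of the `Cert:\LocalMachine\My` store are assumptions made for illustration.

```powershell
# Added example (not DriveLock code): check certificates against the table in
# section 3.4. Thresholds come from that table; all names are illustrative.

# Signature algorithm OIDs that use a SHA-2 family hash.
$Sha2SignatureOids = @(
    '1.2.840.113549.1.1.11',  # sha256WithRSAEncryption
    '1.2.840.113549.1.1.12',  # sha384WithRSAEncryption
    '1.2.840.113549.1.1.13',  # sha512WithRSAEncryption
    '1.2.840.10045.4.3.2',    # ecdsa-with-SHA256
    '1.2.840.10045.4.3.3',    # ecdsa-with-SHA384
    '1.2.840.10045.4.3.4'     # ecdsa-with-SHA512
)

function Test-CertificateRequirements {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: how many days before expiry count as "shortly before".
        [int]$WarnDays = 60
    )
    process {
        $findings = New-Object 'System.Collections.Generic.List[string]'
        $keyType  = 'Unknown'
        $keySize  = 0

        # Key algorithm and length: RSA 3072 or ECC 256 as the minimum.
        try {
            switch ($Certificate.PublicKey.Oid.Value) {
                '1.2.840.113549.1.1.1' {   # rsaEncryption
                    $keyType = 'RSA'
                    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
                    $keySize = $key.KeySize
                    if ($keySize -lt 3072) { $findings.Add("RSA key length $keySize is below 3072") }
                }
                '1.2.840.10045.2.1' {      # id-ecPublicKey
                    $keyType = 'ECC'
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Certificate)
                    $keySize = $key.KeySize
                    if ($keySize -lt 256) { $findings.Add("ECC key length $keySize is below 256") }
                }
                default {
                    $findings.Add("Key algorithm $($Certificate.PublicKey.Oid.Value) is neither RSA nor ECC")
                }
            }
        } catch {
            $findings.Add("Public key could not be read: $($_.Exception.Message)")
        }

        # Integrity hash: the signature must use a SHA-2 hash. RSASSA-PSS
        # (1.2.840.113549.1.1.10) keeps its hash in parameters that are not
        # parsed here, so it is reported for manual review.
        $sigOid = $Certificate.SignatureAlgorithm.Value
        if ($Sha2SignatureOids -notcontains $sigOid) {
            $name = $Certificate.SignatureAlgorithm.FriendlyName
            $findings.Add("Signature algorithm $name ($sigOid) is not a recognised SHA-2 signature")
        }

        # Validity: at most 4 years from NotBefore to NotAfter.
        if ($Certificate.NotAfter -gt $Certificate.NotBefore.AddYears(4)) {
            $findings.Add('Validity period exceeds 4 years')
        }

        # Replacement: flag certificates that have expired or expire soon.
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
        if ($daysLeft -lt 0) {
            $findings.Add('Certificate has expired')
        } elseif ($daysLeft -le $WarnDays) {
            $findings.Add("Certificate expires in $daysLeft days and should be replaced")
        }

        [pscustomobject]@{
            Subject           = $Certificate.Subject
            Thumbprint        = $Certificate.Thumbprint
            KeyType           = $keyType
            KeySize           = $keySize
            NotAfter          = $Certificate.NotAfter
            MeetsRequirements = ($findings.Count -eq 0)
            Findings          = $findings.ToArray()
        }
    }
}

# Usage (the store is an assumption): review the local machine personal store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-CertificateRequirements |
    Format-List Subject, Thumbprint, KeyType, KeySize, NotAfter, MeetsRequirements, Findings
```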

3.5 Installing an Enterprise Service (DES)

The evaluated configuration requires at least one instance of the DES (DriveLock Enterprise Service) to

distribute the policies. This process is described in part V section 5.2 of [INSTALLG]. When the installer

asks for an SSL certificate (page 23) one of the certificate options must be selected. The evaluated

configuration requires that TLS be used to secure the communication between the Enterprise Service and

the Agents.

The remaining steps of the server installation, including database setup, can be completed as described

on pages 24 thru 27 of [INSTALLG]. Additional detail on configuration and administration of the Enterprise

Service can be found in [ADMING], part X.

To guard against the use of outdated versions of the SSL and TLS protocols, the server shall be configured

to use only TLS 1.2. This is achieved by setting the string value securityProtocols under

HKLM/SOFTWARE/CenterTools/DES to the value Tls12.

3.6 Installing the Management Console (DMC)

The Management Console installation is described in part V section 5.3 of [INSTALLG]. The certified

configuration places no special requirements on this process.

To define and maintain centrally stored policies a connection to the DES hosting the policies must be set

up. This process is described in part II, section 2.4 of [ADMING].

3.7 Creating Policies

As mentioned in section 3.3 above, Centrally Stored Policy configuration mode is required for a

certification compliant installation. Policies are created in the Management Console; the general steps for

creating a centrally stored policy are explained in part III, section 3.3 of [ADMING], starting on page 31.

To achieve a certification compliant installation, certain policy settings must be set to specific values. In

the following sections these are described, grouped by topic or functionality.

Generally, DriveLock administrators shall ensure that the policies are kept current and that policy rules are

configured to apply to the intended users and computers.


3.7.1 Agent Hardening and Global Security Settings

These settings control general access to and behavior of the DriveLock Agent. [ADMING] part VI, section

6.4 explains these settings. The table below shows the required assignments.

| Setting | Value | Remarks |
|---|---|---|
| Agent Service Permissions | Other permissions than Query Service Information shall only be allowed for DriveLock administrators | |
| Run Agent in Non-stoppable mode | Checked | |
| Start DriveLock Agent in safe mode | Checked | |
| Agent Remote Control Settings: Enable HTTPS | Checked | |
| Agent Remote Control Settings: Enforce HTTPS | Checked | |
| Password to uninstall DriveLock | Checked | Set a suitably complex password. |
| Disable Offline Unlock requests | Checked | |

3.7.2 Audit Settings

Part VII of [ADMING] describes how to configure the auditing function. To use the DriveLock Control

Center for audit trail analysis a connection to the DES (DriveLock Enterprise Service) needs to be

configured (on the DES tab). Also, the requisite events need to be enabled for DES by checking them in

the event list shown on the Events tab. To ensure that audit events are not lost, the queue sizes for the

event destinations must be set appropriately. The required size depends on the expected time a

workstation may not be able to connect to its server.

For the evaluated configuration, at least the following events must be enabled:

| Event ID | Text |
|---|---|
| 105 | Service started |
| 108 | Service stopped |
| 456 | No server connection detected |
| 639 | Server certificate error |
| 522 | Error loading policy assignments |
| 523 | Policy integrity check failed |
| 294 | Cannot download centrally stored policy |
| 130 | Device connected and not locked |
| 129 | Device connected and locked |
| 473 | Process blocked |
| 474 | Process started |
| 600 | Program start approved |
| 221 | Application hash database missing |
| 222 | Cannot open application hash database |

A complete list of available events can be found in the events documentation [EVENTG].

3.7.3 Enterprise Service Connection Settings

Configuration of the Enterprise Service Connection is explained in detail in part X of [ADMING]. The

following aspects need to be considered for a certification compliant installation:

• Permissions (section 10.4): These must be set to allow only DriveLock administrators to change

the Enterprise Service configuration.

• Updates (section 10.6): Automatic updates must be disabled. An Agent update would replace the

certified software version with a newer version, which is likely not certified.

• Network settings (section 10.7): The Use SSL for connections from agent to the server option must

be checked (enabled) to secure the connections. Note that SSL is used as a generic term here,

designating both the SSL and TLS protocols.


3.7.4 Device Control Settings

The configuration of the Device Control functionality is described in [ADMING], part VIII.

As mentioned before, an evaluation verifies that the evaluated solution is effective against specific threats

when configured properly. For Device Control these threats can be summarized (more detail is available in

the Security Target) as follows:

• Unwanted data import and export using unauthorized removable devices

• Compromise of workstation data or processing

• Malicious devices

To counter the threats described above using the evaluated functionality, drive locking must be enabled (and

appropriate whitelist rules defined) for at least these drive types:

• Floppy disk drives

• CD-ROM/DVD drives

• USB connected drives

• Firewire (IEEE-1394) bus connected drives

• SD bus connected drives

• Other removable drives

• Fixed disks, because e.g. an external drive connected to an eSATA port may be detected as a fixed

disk

Section 8.1 of [ADMING] describes how to set up drive locking. Note that sections 8.1.2.6 Creating File

Filters, 8.1.2.8 Using Media Authorization, and 8.1.2.9 Monitoring Data Transfers Using Shadowing do not

apply to the evaluated configuration, i.e. they describe functions that were not evaluated. There is,

however, no reason to not use them if desired.

In addition, locking must be enabled (and appropriate rules defined) for these ports:

• Serial and parallel ports

• Bluetooth transmitters

• Infrared interfaces

• PCMCIA controllers

and these device classes:

• Human Interface Devices (to thwart Bad USB and related attacks)

• Mobile phones (as they usually provide data export and import to/from their storage)

• Modems

• Media Player devices

• SD Host Controllers

• Tape Drives

• PCMCIA and flash memory devices


Section 8.2 of [ADMING] describes how these rules are set up. Rules must be configured to apply to all

users (including those with administrative privileges on the workstation). Only DriveLock administrators

may (but don’t have to) be exempt. This may e.g. require setting up a special user group for the DriveLock

administrators in the directory with control of group membership limited to those administrators.

3.7.5 Application Control Settings

The configuration of the Application Control functionality is described in [ADMING], part XV, starting with

section 15.2. The threats countered by Application Control can be summarized as:

• Execution of unwanted programs on the workstation

• Unwanted resource access by allowed programs

The evaluated configuration uses whitelist mode based on hash database rules. Section 15.2.1.2 describes

configuration of the hash algorithm used. This must be set to SHA-256 to be compliant.

Section 15.2.2.1 of [ADMING] describes how to create and maintain hash databases, as well as how to

create rules using them.

Rules must be configured to apply to all users (including those with administrative privileges on the

workstation). Only DriveLock administrators may (but don’t have to) be exempt. This may e.g. require

setting up a special user group for the DriveLock administrators in the directory with control of group

membership limited to those administrators, because DriveLock administrators are not necessarily

workstation or domain administrators and vice versa.

3.7.6 Application Permissions Settings

Since suitable application permissions rules are largely dependent on the applications installed on the

workstation and their use, no specific requirements can be given here. Use and configuration of

application permissions is described in [ADMING], starting with section 15.3. This includes a set of typical

use cases and configuration examples for this functionality.

3.8 Preparing the Workstation

The settings in this section serve to ensure the workstation complies with the requirements for the

operational environment described in the Security Target. These requirements are important for the

secure operation of the DriveLock Agent (the TOE) but cannot be fulfilled by the Agent itself.

• The workstation must be running the 64-bit edition of Windows 10, with all security updates

installed.

• If the system event log is used to store the audit events generated by the DriveLock Agent, the

event log size on the workstation must be configured large enough for the selected review

period.

• The workstation must be configured to require user authentication before any access to the

system. This is required to correctly identify the current user for rule evaluation and association of

audit events with users. If manual user logon is not feasible due to operational concerns,

unauthorized access to the workstation must be prevented by other means.

• The workstation time and date need to be set correctly. This is required for proper timestamps on

audit records, and for certificate and policy update verification. The easiest way


to achieve this is to have the workstation synchronize its clock with a domain controller or an

internet time source, which both NIST and Microsoft provide.

• The workstation needs a secure connection via TLS to the DriveLock Enterprise Server. The TLS

configuration defaults (cipher suites and priorities) of Windows 10 are suitable for this purpose;

they should only be changed with good reason by experienced security experts. However, to

ensure that the workstation does not permit connections using outdated versions of the secure

connection protocols, SSL 3.0, TLS 1.0, and TLS 1.1 need to be disabled. This can be achieved by

changing the SCHANNEL security provider settings in the registry as described in [TLS]. The

registry script shown below disables all protocol versions older than TLS 1.2.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"Enabled"=dword:00000000

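The protocol settings required in sections 3.5 and 3.8 can be read back to confirm they are in place. The following PowerShell is an added example, not part of the DriveLock or Microsoft documentation; the function names are assumptions, while the registry keys and value names are those given in sections 3.5 and 3.8, written with the PowerShell `HKLM:\` drive prefix.

```powershell
# Added example (not DriveLock or Microsoft code): read back the registry
# settings that sections 3.5 and 3.8 require. Function names are illustrative.

$SchannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # keys written by the registry script

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LegacyProtocolsDisabled {
    # One result row per protocol and role (Client/Server), as in the script.
    foreach ($protocol in $LegacyProtocols) {
        foreach ($role in 'Client', 'Server') {
            $path    = Join-Path -Path (Join-Path -Path $SchannelRoot -ChildPath $protocol) -ChildPath $role
            $enabled = Get-RegistryValueOrNull -Path $path -Name 'Enabled'
            [pscustomobject]@{
                Setting   = "SCHANNEL $protocol $role Enabled"
                Value     = if ($null -eq $enabled) { '(not set)' } else { $enabled }
                # An absent value leaves the Windows default in effect,
                # so only an explicit 0 is accepted.
                Compliant = ($enabled -eq 0)
            }
        }
    }
}

function Test-DesSecurityProtocols {
    # Section 3.5: string value securityProtocols must be Tls12 on the DES host.
    $value = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\CenterTools\DES' -Name 'securityProtocols'
    [pscustomobject]@{
        Setting   = 'DES securityProtocols'
        Value     = if ($null -eq $value) { '(not set)' } else { $value }
        Compliant = ($value -ceq 'Tls12')   # exact match with the documented value
    }
}

function Get-TlsHardeningReport {
    param(
        # Use on the machine hosting the Enterprise Service to add the 3.5 check.
        [switch]$IncludeDes
    )
    $rows = @(Test-LegacyProtocolsDisabled)
    if ($IncludeDes) { $rows += Test-DesSecurityProtocols }
    return $rows
}

# Usage: run in an elevated session on the workstation; add -IncludeDes on the DES host.
$report = Get-TlsHardeningReport
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'At least one required TLS setting is missing or has a different value.'
}
```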

3.9 Installing the Agent

The Agent needs to be installed using a configuration certificate. The process is described in part V

section 5.4.4, starting on page 39, of [INSTALLG]. Using a policy signing certificate and configuring the

Agent to only accept signed policies is required for the evaluated configuration.

When creating the signing certificate, ensure that the HTTPS option is selected (see page 41). This ensures

the communication between the server and the Agent(s) will be secured using the TLS protocol.

Pages 43 thru 45 describe how to sign and publish a policy using the signing certificate, and how to

prepare a customized Agent deployment package that includes the signing certificate a/k/a configuration

certificate.

Proper configuration of the Agent should be verified at least once (see directions at the bottom of page

47).


4 Operative Procedures

4.1 Roles

For the sake of clarity, the following description distinguishes between these three user classes although

the DriveLock Agent does not maintain three roles (see section 2.1 for a definition):

Role: User
Access to Agent User Interface(s):
• System Tray status UI
• Status interface of the Agent UI (available from the Start Menu)
• Status commands of the Agent command line interface

Role: Workstation Administrator
Access to Agent User Interface(s):
• All available to User
• A few additional commands of the Agent command line interface

Role: DriveLock Administrator
Access to Agent User Interface(s): Identical to User or Workstation Administrator (depending on operating system privilege level). This results from the fact that the Agent recognizes the DriveLock Administrator only indirectly (a properly signed policy must have been created by a DriveLock administrator); a DriveLock Administrator logging on to a workstation assumes the role User.

4.2 For Administrators

DriveLock Administrators do not interact with the DriveLock Agent directly, except when they log on to a

workstation protected by it. In this situation they assume the role User (with regard to the Agent installed

on the workstation), and the guidance in the next section applies.

Within the administrative infrastructure (the Management Console) the DriveLock administrators need to

• Define and deploy the proper policies for Device Control, Application Control, and Audit

• Ensure the policies remain current and effective, taking into account any changes in workstation

configuration, user assignments, etc.

• Verify that the policies are in effect on the workstations protected by the Agent, e.g. by using the

DriveLock Control Center to analyze audit data generated by the Agent’s audit function.

4.2.1 Certificates

DriveLock administrators need to keep an eye on the configuration certificate(s) in use, especially

certificate validity. To ensure continued proper operation the certificate(s) must be replaced before they

expire. This is best done by deploying new configuration certificates before the old certificates expire. To

support a seamless transition the old (if still valid) certificate can be added as an


additional signing certificate in a dedicated extension of the new certificate. Refer to [INSTALLG] page 39ff

for instructions on creating policy signing certificates.

4.3 For Users

The guidance for day-to-day operation of the Agent on the workstation is described in the User Manual

[USERG]. Regular users will likely interact only infrequently with the Agent, at least if only the evaluated

functionality is used.

General guidance for the Agent user interface (run “DriveLock” from the Windows Start Menu) can be

found in part III, section 3.2, of [USERG].

Part IV describes functionality that was not evaluated. Note that Offline Unlock Requests cannot be used

as they are disabled (see 3.7.1 Agent Hardening and Global Security Settings).

Parts II, V, and VII of [USERG] describe Agent functionality that was not evaluated. However, using these

features (encryption and secure deletion) does not interfere with the evaluated functionality and is

therefore permitted.

4.3.1 Security Relevant Incidents

The following table describes the security relevant situations users may be confronted with and the

proper reaction to them.

| Situation | What to Do |
|---|---|
| Message: “Device was blocked” or similar (the message may have been modified by your administrator) | This is normal for a device that is not permitted by a policy. If the device should be accessible but isn’t, contact your administrator. |
| Message: “Application was blocked” or similar | This is normal for an application that is not permitted by a policy. If the application should be available but isn’t, contact your administrator. |
| Message: “You have been offline for more than x days” or similar | The workstation has not been able to contact any configured server in a while. If the workstation was indeed not connected to the company network, connecting it should resolve the issue. Otherwise, contact your administrator. |
| Status display of the DriveLock application shows issues with one or more services | The installation or its configuration may be damaged. Contact your administrator. |


5 References

[INSTALLG] DriveLock Installation Guide; DriveLock SE; Version 2019.2

[ADMING] DriveLock Administration Guide; DriveLock SE; Version 2019.2

[USERG] DriveLock User Guide; DriveLock SE; Version 2019.2

[DCCG] DriveLock Control Center Guide; DriveLock SE; Version 2019.2

[EVENTG] DriveLock Events; DriveLock SE; Version 2019.2

[TLS] Transport Layer Security (TLS) registry settings; Microsoft, Feb 2019:

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings