DriveLock Agent 2019.2 (Device and Application Control)
Contents
1 ABOUT THIS DOCUMENTATION  1
  1.1 Document Structure  1
  1.2 Document Conventions  1
2 INTRODUCTION  2
  2.1 Roles  2
  2.2 Documentation of Evaluated Functionality  2
    2.2.1 For Administrators  2
    2.2.2 For Users  2
  2.3 Further Documentation  2
3 PREPARATIVE PROCEDURES  4
  3.1 DriveLock Administrators  4
  3.2 Obtaining and Verifying the Software  4
  3.3 Configuration Type  4
  3.4 Certificates  5
  3.5 Installing an Enterprise Service (DES)  5
  3.6 Installing the Management Console (DMC)  5
  3.7 Creating Policies  5
    3.7.1 Agent Hardening and Global Security Settings  6
    3.7.2 Audit Settings  6
    3.7.3 Enterprise Service Connection Settings  7
    3.7.4 Device Control Settings  8
    3.7.5 Application Control Settings  9
    3.7.6 Application Permissions Settings  9
  3.8 Preparing the Workstation  9
  3.9 Installing the Agent  11
4 OPERATIVE PROCEDURES  12
  4.1 Roles  12
  4.2 For Administrators  12
    4.2.1 Certificates  12
  4.3 For Users  13
    4.3.1 Security Relevant Incidents  13
5 REFERENCES  14
Manual Supplement for Certification Compliant Operation
DriveLock Agent 2019.2 (Device and Application Control)
Page 1 of 14
1 About this Documentation
This supplement to the DriveLock 2019.2 product documentation explains how to configure and operate
the DriveLock Agent 2019.2 so that the resulting installation is compliant with the certified configuration.
It is primarily intended for administrators but also contains guidance for users (see section 4.3).
This document is not intended as a replacement for the product documentation. Instead, it serves as a
guide to that documentation, highlighting the aspects that are essential to replicate the evaluated
configuration.
Only a subset of the possible installation and configuration variants has been evaluated, and the security
claims in the Security Target are only valid if the product is installed and operated as described. Should
any instruction in this guide conflict with the remaining product documentation, this guide takes
precedence over the regular documentation.
1.1 Document Structure
This guide is organized in sections according to time of use and intended audience. Section 2 contains a
short overview of all available product documentation.
Section 3 is intended for administrators only and describes the setup and configuration of the product
and required infrastructure (preparative procedures). Readers should be familiar with Windows Client and
Server administration.
Section 4 contains information for the day-to-day use of the product (operative procedures) for both
administrators and users.
1.2 Document Conventions
Items in [brackets] are hyperlinks and refer to one of the documents listed at the end of this document.
Document version 1.50, last changed: 2020-07-02
2 Introduction
2.1 Roles
The DriveLock Agent recognizes only two roles: Users and Administrators. The term DriveLock
Administrator is used here to avoid confusion with workstation administrators. The latter are Users with
administrative privileges to the workstation running the DriveLock Agent. However, they do have access
to a few functions that regular users don’t (see section 4.1 for details). Since regular users aren’t permitted
to set up or modify the configuration, most of this guide applies to administrators. Users may want to skip
to the operative instructions relevant to them, described in section 4.3 of this document.
2.2 Documentation of Evaluated Functionality
The documentation described in the following sections is available for the evaluated functionality; the
documents can be downloaded from https://www.drivelock.help/versions/2019_2.
2.2.1 For Administrators
DriveLock Installation Guide: This document gives a detailed description of how to set up a DriveLock
installation, covering both the administrative backend and the workstation setup.
DriveLock Administration Guide: This is the main reference on the product for administrators. It describes
in detail the concepts, available functions, and settings.
DriveLock Events: This document lists all available audit events for the DriveLock Agent and the
administration software.
Release Notes: These are issued with each software release and contain detailed information on technical
issues related to this software release. They may also contain corrections or additions for the product
documentation.
Manual Supplement for Certification Compliant Operation: This guide.
2.2.2 For Users
DriveLock User Guide: This is the primary reference for users. It describes the functions and options
available to the users of a DriveLock-protected workstation.
Manual Supplement for Certification Compliant Operation: This guide.
2.3 Further Documentation
These documents describe additional components and functions of the product, which are not part of the
evaluated functionality. They are included for completeness and intended for administrators.
DriveLock Quickstart Guide: This document describes the steps to set up a basic DriveLock installation
using a setup wizard. It is primarily intended for administrators to e.g. quickly install the product for
testing.
DriveLock Control Center User Guide: This document describes the DriveLock Control Center, which is used
to monitor the status of DriveLock-protected workstations. It is intended for DriveLock administrators.
Although the Control Center itself is not part of the evaluated functionality, it is essential for analyzing the
data generated by the evaluated audit functionality.
DriveLock Security Awareness Guide: This document describes the use of the Security Awareness
component.
DriveLock BitLocker Management Guide: This document describes the BitLocker Management component.
3 Preparative Procedures
An essential aspect of every evaluation is to verify that a security solution (the TOE, “Target of Evaluation”)
effectively counters certain threats (which are described in detail in a published Security Target). However,
this usually requires that the TOE be configured in a specific way. This section describes the specifics of
setting up the infrastructure as required for a compliant installation. This requires installing the
management components. An overview of the components of a DriveLock installation is available in
section 2.1 of [INSTALLG].
3.1 DriveLock Administrators
DriveLock administrators must be trustworthy and sufficiently familiar with the DriveLock software to
minimize the risk of inadvertent misconfiguration. They must also be trusted not to intentionally subvert its
operation.
3.2 Obtaining and Verifying the Software
The certified version of the DriveLock software is available to registered customers only, after purchasing
a license. Registered customers have access to non-public information in the DriveLock Support Portal
(accessible at https://my.drivelock.support/wm/kb.html). Knowledgebase article KBA00341 contains
information on and links to the software, its documentation, and this document.
The software is provided as a downloadable ISO image. The knowledgebase article also contains a SHA2
hash value of the ISO file which can be used to verify the integrity of the file. In addition, the article lists
the SHA2 hashes of the principal installation archives inside the ISO file.
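The following PowerShell script is an added example (it is not part of the DriveLock documentation or software) showing how to verify the downloaded ISO against the SHA2 hash published in the knowledgebase article before the image is mounted or installed from. The ISO path and the expected hash are placeholders to be replaced with the real values; the choice of SHA-256 as the SHA2 variant is an assumption, so match it to the algorithm stated in KBA00341.

```powershell
# Added example, not from the DriveLock documentation: verify the ISO (and, after
# mounting, the installation archives inside it) against the hash from KBA00341.
param(
    [string]$IsoPath      = 'C:\Downloads\DriveLock-2019.2.iso',   # assumed download location
    [string]$ExpectedHash = '<SHA-256 value from KBA00341>'         # placeholder, copy from the article
)

function Test-DownloadIntegrity {
    param([string]$Path, [string]$Expected)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    # Get-FileHash computes the digest locally. SHA256 is assumed here; use the
    # algorithm the knowledgebase article states for its hash values.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Normalise case and strip whitespace so a value pasted from the portal compares cleanly.
    $expected = ($Expected -replace '\s', '').ToUpperInvariant()

    [pscustomobject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

$result = Test-DownloadIntegrity -Path $IsoPath -Expected $ExpectedHash
$result | Format-List

if (-not $result.Match) {
    Write-Error 'Hash mismatch: do not install from this image; download it again and re-verify.'
    exit 1
}

# The article also lists hashes for the principal installation archives inside the ISO.
# After mounting the image the same function applies to each archive, for example:
#   $drive = (Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume).DriveLetter
#   Test-DownloadIntegrity -Path "${drive}:\<archive name from KBA00341>" -Expected '<hash from KBA00341>'
```

A mismatch after a clean re-download means the file should not be used at all; the check only establishes that the file you have is the one the article describes, so it has to run against the hash taken from the support portal, not from the download location itself.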
3.3 Configuration Type
DriveLock supports several mechanisms for configuration and policy deployment. For an overview of
these methods and their properties refer to section 3 of [INSTALLG].
For the evaluated configuration, the method Centrally Stored Policy must be used. In addition, the
centrally stored policies need to be signed before they are deployed, i.e. the server connection must be
set up using a configuration certificate (refer to section 3.9, Installing the Agent, for details).
All other deployment methods available were not evaluated and cannot be used.
The essential steps required to set up a compliant installation are therefore:
1. Install an Enterprise Service
2. Install the Management Console
3. Create an initial policy
4. Install the Agent(s)
The certification relevant aspects for each step are explained in the following sections.
3.4 Certificates
Configuration signing and the secure TLS connection to the Enterprise Service use certificates. The
certificates are a security critical component for these mechanisms and should generally fulfill at least the
following requirements:
                  RSA               ECC (supported for TLS only)
Key Length        3072              256
Integrity Hash    SHA2 or better    SHA2 or better
Validity          ≤ 4 years         ≤ 4 years
Shortly before expiration of the validity period the certificates need to be replaced. For TLS this can be
achieved using Windows administrative tools. For the configuration certificate a new one needs to be
created in the Management Console (see section 5.4.4 of [INSTALLG]) and deployed.
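As an added example (not from the DriveLock documentation), the PowerShell function below checks every certificate in a store against the requirements in the table above: key type and length, SHA2-or-better signature hash, and a validity period of at most four years. It also reports the days remaining so replacements can be planned before expiry. The store path (Cert:\LocalMachine\My) and the 30-day renewal warning window are assumptions; the numeric limits come from the table.

```powershell
# Added example, not from the DriveLock documentation: audit certificates against the
# requirements table (RSA >= 3072 bit, ECC >= 256 bit, SHA2 signature, validity <= 4 years).
function Test-DriveLockCertificateRequirements {
    param(
        [string]$StorePath        = 'Cert:\LocalMachine\My',  # assumed store; adjust to where the certs live
        [int]   $MinRsaBits       = 3072,
        [int]   $MinEccBits       = 256,
        [int]   $MaxValidityYears = 4,
        [int]   $RenewWithinDays  = 30                        # assumed warning window before expiry
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $findings = @()

        # Key algorithm and length. Each extension method returns $null when the key is of
        # the other type, so exactly one branch applies for RSA or ECC certificates.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $ecc = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        if ($rsa) {
            $keyType = 'RSA'; $bits = $rsa.KeySize
            if ($bits -lt $MinRsaBits) { $findings += "RSA key $bits bits < $MinRsaBits" }
        } elseif ($ecc) {
            $keyType = 'ECC'; $bits = $ecc.KeySize
            if ($bits -lt $MinEccBits) { $findings += "ECC key $bits bits < $MinEccBits" }
        } else {
            $keyType = 'other'; $bits = 0
            $findings += 'Neither RSA nor ECC key'
        }

        # Integrity hash: the friendly name looks like "sha256RSA" or "sha384ECDSA".
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        if ($sigAlg -notmatch '^sha(256|384|512)') {
            $findings += "Signature hash '$sigAlg' is not SHA2 or better"
        }

        # Validity period of at most MaxValidityYears, measured from NotBefore.
        if ($cert.NotAfter -gt $cert.NotBefore.AddYears($MaxValidityYears)) {
            $findings += "Validity period exceeds $MaxValidityYears years"
        }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -le $RenewWithinDays) {
            $findings += "Expires in $daysLeft days; deploy a replacement now"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyType    = $keyType
            KeyBits    = $bits
            Signature  = $sigAlg
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: list only the certificates that need attention.
Test-DriveLockCertificateRequirements | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The KeyType column matters for the configuration certificate: the table allows ECC for TLS only, so a policy signing certificate reported as ECC does not meet the requirement even if its key length passes. Run the function on the DES host for the TLS certificate and on the Management Console host for the configuration certificate, adjusting the store path as needed.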
3.5 Installing an Enterprise Service (DES)
The evaluated configuration requires at least one instance of the DES (DriveLock Enterprise Service) to
distribute the policies. This process is described in part V section 5.2 of [INSTALLG]. When the installer
asks for an SSL certificate (page 23) one of the certificate options must be selected. The evaluated
configuration requires that TLS be used to secure the communication between the Enterprise Service and
the Agents.
The remaining steps of the server installation, including database setup, can be completed as described
on pages 24 thru 27 of [INSTALLG]. Additional detail on configuration and administration of the Enterprise
Service can be found in [ADMING], part X.
To guard against the use of outdated versions of the SSL and TLS protocols, the server shall be configured
to use only TLS 1.2. This is achieved by setting the string value securityProtocols under
HKLM/SOFTWARE/CenterTools/DES to the value Tls12.
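The PowerShell script below is an added example (not from the DriveLock documentation) that sets the securityProtocols value named above on the Enterprise Service host and then reads it back, so that the restriction to TLS 1.2 is both applied and verified. The key path is the one given in the text, written in PowerShell drive syntax; the text does not say whether the service must be restarted for the value to take effect, so that is left to the Installation Guide.

```powershell
# Added example, not from the DriveLock documentation: restrict the DES to TLS 1.2 through
# the securityProtocols string value and verify the result. Run with administrative rights.
$desKey = 'HKLM:\SOFTWARE\CenterTools\DES'   # key from the text, in PowerShell drive syntax

function Set-DesTlsProtocols {
    param([string]$Key = $desKey, [string]$Protocols = 'Tls12')
    if (-not (Test-Path -Path $Key)) {
        throw "Key $Key not found: is the Enterprise Service installed on this host?"
    }
    # A REG_SZ (string) value, as the text specifies; -Force overwrites any existing value.
    New-ItemProperty -Path $Key -Name 'securityProtocols' -PropertyType String `
                     -Value $Protocols -Force | Out-Null
}

function Test-DesTlsProtocols {
    param([string]$Key = $desKey, [string]$Expected = 'Tls12')
    $item   = Get-ItemProperty -Path $Key -Name 'securityProtocols' -ErrorAction SilentlyContinue
    $actual = if ($item) { [string]$item.securityProtocols } else { $null }
    [pscustomobject]@{
        Key       = $Key
        Value     = $actual
        # Only the exact value required by the text counts as compliant; a missing value
        # or a list that also names older protocols is reported as non-compliant.
        Compliant = ($null -ne $actual -and $actual.Trim() -eq $Expected)
    }
}

Set-DesTlsProtocols
$check = Test-DesTlsProtocols
$check | Format-List
if (-not $check.Compliant) {
    Write-Error "securityProtocols is '$($check.Value)', expected 'Tls12'"
    exit 1
}
```

Test-DesTlsProtocols on its own is a useful periodic check: an update or a manual change that resets the value to something other than Tls12 silently takes the server out of the evaluated configuration, and reading the value back is the only way to notice it.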
3.6 Installing the Management Console (DMC)
The Management Console installation is described in part V section 5.3 of [INSTALLG]. The certified
configuration places no special requirements on this process.
To define and maintain centrally stored policies a connection to the DES hosting the policies must be set
up. This process is described in part II, section 2.4 of [ADMING].
3.7 Creating Policies
As mentioned in section 3.3, Centrally Stored Policy configuration mode is required for a
certification compliant installation. Policies are created in the Management Console; the general steps for
creating a centrally stored policy are explained in part III, section 3.3 of [ADMING], starting on page 31.
To achieve a certification compliant installation, certain policy settings must be set to specific values. In
the following sections these are described, grouped by topic or functionality.
Generally, DriveLock administrators shall ensure that the policies are kept current and that policy rules are
configured to apply to the intended users and computers.
3.7.1 Agent Hardening and Global Security Settings
These settings control general access to and behavior of the DriveLock Agent. [ADMING] part VI, section
6.4 explains these settings. The table below shows the required assignments.
Setting                                        Value     Remarks
Agent Service Permissions                                Other permissions than Query Service Information
                                                         shall only be allowed for DriveLock administrators
Run Agent in Non-stoppable mode                Checked
Start DriveLock Agent in safe mode             Checked
Agent Remote Control Settings: Enable HTTPS    Checked
Agent Remote Control Settings: Enforce HTTPS   Checked
Password to uninstall DriveLock                Checked   Set a suitably complex password.
Disable Offline Unlock requests                Checked
3.7.2 Audit Settings
Part VII of [ADMING] describes how to configure the auditing function. To use the DriveLock Control
Center for audit trail analysis, a connection to the DES (DriveLock Enterprise Service) needs to be
configured (on the DES tab). Also, the requisite events need to be enabled for DES by checking them in
the event list shown on the Events tab. To ensure that audit events are not lost, the queue sizes for the
event destinations must be set appropriately. The required size depends on the expected time a
workstation may not be able to connect to its server.
For the evaluated configuration, at least the following events must be enabled:
Event ID Text
105 Service started
108 Service stopped
456 No server connection detected
639 Server certificate error
522 Error loading policy assignments
523 Policy integrity check failed
294 Cannot download centrally stored policy
130 Device connected and not locked
129 Device connected and locked
473 Process blocked
474 Process started
600 Program start approved
221 Application hash database missing
222 Cannot open application hash database
A complete list of available events can be found in the events documentation [EVENTG].
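The following PowerShell function is an added example (not part of the DriveLock documentation) for the case where the Agent's audit events are also written to the workstation's Windows event log (see the remark on event log size in section 3.8). It retrieves the events listed in the table above and summarises them per event ID. The log name and the provider name are assumptions and must be adjusted to where the Agent actually writes; the event IDs and texts are taken from the table. Which IDs are marked for attention is this example's own grouping of events that indicate policy, server or integrity problems, not a classification from the manual.

```powershell
# Added example, not from the DriveLock documentation: summarise the required audit
# events from the Windows event log over the last N hours.
$RequiredEvents = @{
    105 = 'Service started';                   108 = 'Service stopped'
    456 = 'No server connection detected';     639 = 'Server certificate error'
    522 = 'Error loading policy assignments';  523 = 'Policy integrity check failed'
    294 = 'Cannot download centrally stored policy'
    130 = 'Device connected and not locked';   129 = 'Device connected and locked'
    473 = 'Process blocked';                   474 = 'Process started'
    600 = 'Program start approved'
    221 = 'Application hash database missing'; 222 = 'Cannot open application hash database'
}
# This example's own grouping: events after which the Agent may not be enforcing
# policy or reporting correctly, so they deserve a closer look first.
$AttentionIds = 108, 456, 639, 522, 523, 294, 221, 222

function Get-DriveLockAuditSummary {
    param(
        [string]$LogName      = 'Application',   # assumed; use the log the Agent is configured to write to
        [string]$ProviderName = 'DriveLock',     # assumed; check the Agent's actual provider name
        [int]   $Hours        = 24
    )
    $filter = @{
        LogName      = $LogName
        ProviderName = $ProviderName
        Id           = [int[]]($RequiredEvents.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: an empty result (no events in the window) is not an error here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | Group-Object -Property Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id        = $id
            Text      = $RequiredEvents[$id]
            Count     = $_.Count
            Last      = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Attention = ($AttentionIds -contains $id)
        }
    } | Sort-Object -Property @{Expression = 'Attention'; Descending = $true },
                              @{Expression = 'Count';     Descending = $true }
}

# Usage: a daily overview; attention events sort to the top.
Get-DriveLockAuditSummary -Hours 24 | Format-Table -AutoSize
```

If the events are sent to the DES only, the local log will be empty and the DriveLock Control Center is the place to do this analysis instead; the point of the summary is the same there: a complete absence of 105/108 pairs or of device and process events over a review period is itself worth investigating, not only the presence of error events.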
3.7.3 Enterprise Service Connection Settings
Configuration of the Enterprise Service Connection is explained in detail in part X of [ADMING]. The
following aspects need to be considered for a certification compliant installation:
• Permissions (section 10.4): These must be set to allow only DriveLock administrators to change
the Enterprise Service configuration.
• Updates (section 10.6): Automatic updates must be disabled. An Agent update would replace the
certified software version with a newer version, which is likely not certified.
• Network settings (section 10.7): The Use SSL for connections from agent to the server option must
be checked (enabled) to secure the connections. Note that SSL is used as a generic term here,
designating both the SSL and TLS protocols.
3.7.4 Device Control Settings
The configuration of the Device Control functionality is described in [ADMING], part VIII.
As mentioned before, an evaluation verifies that the evaluated solution is effective against specific threats
when configured properly. For Device Control these threats can be summarized (more detail is available in
the Security Target) as follows:
• Unwanted data import and export using unauthorized removable devices
• Compromise of workstation data or processing
• Malicious devices
To counter the threats described above using the evaluated functionality, drive locking must be enabled (and
appropriate whitelist rules defined) for at least these drive types:
• Floppy disk drives
• CD-ROM/DVD drives
• USB connected drives
• Firewire (IEEE-1394) bus connected drives
• SD bus connected drives
• Other removable drives
• Fixed disks, because e.g. an external drive connected to an eSATA port may be detected as a fixed
disk
Section 8.1 of [ADMING] describes how to set up drive locking. Note that sections 8.1.2.6 Creating File
Filters, 8.1.2.8 Using Media Authorization, and 8.1.2.9 Monitoring Data Transfers Using Shadowing do not
apply to the evaluated configuration, i.e. they describe functions that were not evaluated. There is,
however, no reason to not use them if desired.
In addition, locking must be enabled (and appropriate rules defined) for these ports:
• Serial and parallel ports
• Bluetooth transmitters
• Infrared interfaces
• PCMCIA controllers
and these device classes:
• Human Interface Devices (to thwart Bad USB and related attacks)
• Mobile phones (as they usually provide data export and import to/from their storage)
• Modems
• Media Player devices
• SD Host Controllers
• Tape Drives
• PCMCIA and flash memory devices
Section 8.2 of [ADMING] describes how these rules are set up. Rules must be configured to apply to all
users (including those with administrative privileges on the workstation). Only DriveLock administrators
may (but don’t have to) be exempt. This may e.g. require setting up a special user group for the DriveLock
administrators in the directory with control of group membership limited to those administrators.
3.7.5 Application Control Settings
The configuration of the Application Control functionality is described in [ADMING], part XV, starting at
section 15.2. The threats countered by Application Control can be summarized as:
• Execution of unwanted programs on the workstation
• Unwanted resource access by allowed programs
The evaluated configuration uses whitelist mode based on hash database rules. Section 15.2.1.2 describes
configuration of the hash algorithm used. This must be set to SHA-256 to be compliant.
Section 15.2.2.1 of [ADMING] describes how to create and maintain hash databases, as well as how to
create rules using them.
Rules must be configured to apply to all users (including those with administrative privileges on the
workstation). Only DriveLock administrators may (but don’t have to) be exempt. This may e.g. require
setting up a special user group for the DriveLock administrators in the directory with control of group
membership limited to those administrators, because DriveLock administrators are not necessarily
workstation or domain administrators and vice versa.
3.7.6 Application Permissions Settings
Since suitable application permissions rules are largely dependent on the applications installed on the
workstation and their use, no specific requirements can be given here. Use and configuration of
application permissions is described in [ADMING], starting with section 15.3. This includes a set of typical
use cases and configuration examples for this functionality.
3.8 Preparing the Workstation
The settings in this section serve to ensure the workstation complies with the requirements for the
operational environment described in the Security Target. These requirements are important for the
secure operation of the DriveLock Agent (the TOE) but cannot be fulfilled by the Agent itself.
• The workstation must be running the 64-bit edition of Windows 10, with all security updates
installed.
• If the system event log is used to store the audit events generated by the DriveLock Agent, the
event log size on the workstation must be configured large enough for the selected review
period.
• The workstation must be configured to require user authentication before any access to the
system. This is required to correctly identify the current user for rule evaluation and association of
audit events with users. If manual user logon is not feasible due to operational concerns,
unauthorized access to the workstation must be prevented by other means.
• The workstation time and date need to be set correctly. This is required for proper timestamps on
audit records, and for certificate and policy update verification. The easiest way
to achieve this is to have the workstation synchronize its clock with a domain controller or an
internet time source, which both NIST and Microsoft provide.
• The workstation needs a secure connection via TLS to the DriveLock Enterprise Server. The TLS
configuration defaults (cipher suites and priorities) of Windows 10 are suitable for this purpose;
they should only be changed with good reason by experienced security experts. However, to
ensure that the workstation does not permit connections using outdated versions of the secure
connection protocols, SSL 3.0, TLS 1.0, and TLS 1.1 need to be disabled. This can be achieved by
changing the SCHANNEL security provider settings in the registry as described in [TLS]. The
registry script shown below disables all protocol versions older than TLS 1.2.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
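As an added example (not from the DriveLock documentation), the PowerShell script below performs a read-only check of the workstation requirements from section 3.8: 64-bit Windows 10, the SCHANNEL protocol keys written by the registry script (every legacy protocol explicitly disabled for both Client and Server), clock synchronization against a time source, and the maximum size of the event log. The event log name (Application) and the minimum size of 64 MB are assumptions to be adjusted to your own configuration and review period; the installed-updates requirement is not checked here, since that is a job for Windows Update or WSUS reporting.

```powershell
# Added example, not from the DriveLock documentation: read-only check of the
# workstation prerequisites from section 3.8 (no settings are changed).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Test-LegacyTlsDisabled {
    param([string]$Base = $schannel)
    # Same key layout as the registry script above: <proto>\Client and <proto>\Server.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Client', 'Server') {
            $key     = Join-Path (Join-Path $Base $proto) $side
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            [pscustomobject]@{
                Protocol = $proto
                Side     = $side
                Enabled  = $enabled
                # Only an explicit 0 counts as disabled; a missing value means the
                # Windows built-in default for that protocol applies.
                Disabled = ($enabled -eq 0)
            }
        }
    }
}

function Test-WorkstationPrerequisites {
    param(
        [string]$EventLogName    = 'Application',   # assumed: the log the Agent writes to
        [long]  $MinLogSizeBytes = 64MB             # assumed: size it for the review period
    )
    $os         = Get-CimInstance -ClassName Win32_OperatingSystem
    $timeSource = (& w32tm /query /source 2>$null) -join ''
    $log        = Get-WinEvent -ListLog $EventLogName -ErrorAction SilentlyContinue
    $legacy     = Test-LegacyTlsDisabled

    [pscustomobject]@{
        OsCaption         = $os.Caption
        Windows10x64      = ($os.Caption -like '*Windows 10*' -and [Environment]::Is64BitOperatingSystem)
        LegacyTlsDisabled = -not ($legacy | Where-Object { -not $_.Disabled })
        TimeSource        = $timeSource
        # "Local CMOS Clock" or "Free-running System Clock" means no external time source.
        TimeSynchronized  = [bool]($timeSource -and $timeSource -notmatch 'Local CMOS Clock|Free-running')
        EventLogMaxBytes  = $log.MaximumSizeInBytes
        EventLogSizeOk    = [bool]($log -and $log.MaximumSizeInBytes -ge $MinLogSizeBytes)
    }
}

# Usage: overall status first, then the individual protocol entries that are not disabled.
Test-WorkstationPrerequisites | Format-List
Test-LegacyTlsDisabled | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

The protocol check deliberately treats a missing Enabled value as not disabled, so that a workstation on which the registry script was never imported shows up, rather than being silently accepted because Windows happens to default the protocol off.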
3.9 Installing the Agent
The Agent needs to be installed using a configuration certificate. The process is described in part V
section 5.4.4, starting on page 39, of [INSTALLG]. Using a policy signing certificate and configuring the
Agent to only accept signed policies is required for the evaluated configuration.
When creating the signing certificate, ensure that the HTTPS option is selected (see page 41). This ensures
the communication between the server and the Agent(s) will be secured using the TLS protocol.
Pages 43 thru 45 describe how to sign and publish a policy using the signing certificate, and how to
prepare a customized Agent deployment package that includes the signing certificate (also known as the
configuration certificate).
Proper configuration of the Agent should be verified at least once (see directions at the bottom of page
47).
4 Operative Procedures
4.1 Roles
For the sake of clarity, the following description distinguishes between these three user classes although
the DriveLock Agent does not maintain three roles (see section 2.1 for a definition):
Role                        Access to Agent User Interface(s)
User                        • System Tray status UI
                            • Status interface of the Agent UI (available from the Start Menu)
                            • Status commands of the Agent command line interface
Workstation Administrator   • All available to User
                            • A few additional commands of the Agent command line interface
DriveLock Administrator     Identical to User or Workstation Administrator (depending on operating
                            system privilege level). This results from the fact that the Agent
                            recognizes the DriveLock Administrator only indirectly (a properly signed
                            policy must have been created by a DriveLock administrator); a DriveLock
                            Administrator logging on to a workstation assumes the role User.
4.2 For Administrators
DriveLock Administrators do not interact with the DriveLock Agent directly, except when they log on to a
workstation protected by it. In this situation they assume the role User (with regard to the Agent installed
on the workstation), and the guidance in the next section applies.
Within the administrative infrastructure (the Management Console) the DriveLock administrators need to
• Define and deploy the proper policies for Device Control, Application Control, and Audit
• Ensure the policies remain current and effective, taking into account any changes in workstation
configuration, user assignments, etc.
• Verify that the policies are in effect on the workstations protected by the Agent, e.g. by using the
DriveLock Control Center to analyze audit data generated by the Agent’s audit function.
4.2.1 Certificates
DriveLock administrators need to keep an eye on the configuration certificate(s) in use, especially
certificate validity. To ensure continued proper operation the certificate(s) must be replaced before they
expire. This is best done by deploying new configuration certificates before the old certificates expire. To
support a seamless transition the old (if still valid) certificate can be added as an
additional signing certificate in a dedicated extension of the new certificate. Refer to [INSTALLG] page 39ff
for instructions on creating policy signing certificates.
4.3 For Users
The guidance for day-to-day operation of the Agent on the workstation is described in the User Manual
[USERG]. Regular users will likely interact only infrequently with the Agent, at least if only the evaluated
functionality is used.
General guidance for the Agent user interface (run “DriveLock” from the Windows Start Menu) can be
found in part III, section 3.2, of [USERG].
Part IV describes functionality that was not evaluated. Note that Offline Unlock Requests cannot be used
as they are disabled (see section 3.7.1, Agent Hardening and Global Security Settings).
Parts II, V, and VII of [USERG] describe Agent functionality that was not evaluated. However, using these
features (encryption and secure deletion) does not interfere with the evaluated functionality and is
therefore permitted.
4.3.1 Security Relevant Incidents
The following table describes the security relevant situations users may be confronted with and the
proper reaction to them.
Situation                                                What to Do
Message: “Device was blocked” or similar (the            This is normal for a device that is not permitted by
message may have been modified by your                   a policy. If the device should be accessible but
administrator)                                           isn’t, contact your administrator.
Message: “Application was blocked” or similar            This is normal for an application that is not
                                                         permitted by a policy. If the application should be
                                                         available but isn’t, contact your administrator.
Message: “You have been offline for more than x          The workstation has not been able to contact any
days” or similar                                         configured server in a while. If the workstation was
                                                         indeed not connected to the company network,
                                                         connecting it should resolve the issue. Otherwise,
                                                         contact your administrator.
Status display of the DriveLock application shows        The installation or its configuration may be
issues with one or more services                         damaged. Contact your administrator.
5 References
[INSTALLG] DriveLock Installation Guide; DriveLock SE; Version 2019.2
[ADMING] DriveLock Administration Guide; DriveLock SE; Version 2019.2
[USERG] DriveLock User Guide; DriveLock SE; Version 2019.2
[DCCG] DriveLock Control Center Guide; DriveLock SE; Version 2019.2
[EVENTG] DriveLock Events; DriveLock SE; Version 2019.2
[TLS] Transport Layer Security (TLS) registry settings; Microsoft, Feb 2019:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings