Integrity Clientless Security Administrator Guide Version 4.1

1-0230-0410-2006-11-17

© 2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

TRADEMARKS:

© 2006 Check Point Software Technologies Ltd.

All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Contents

Preface
    About this Guide ...... 9
    Other Documentation ...... 9
    Feedback ...... 10

Chapter 1 Introduction
    Integrity Clientless Security Features ...... 11
        Integrity Clientless Security Scanner ...... 11
        Advanced Anti-Keylogger ...... 12
        Integrity Secure Workspace ...... 12
    Reports ...... 13
    ICSInfo Utility ...... 13
    Customization ...... 13
    Installing and Upgrading ICS ...... 13

Chapter 2 Upgrading and Reconfiguring ICS
    Upgrade Installation Process ...... 16
    Uninstallation Process ...... 17
    Reconfiguration Processes ...... 18
        Configuring ICS to receive software updates ...... 18
        Moving ICS to another server ...... 19
        Changing the protected gateway ...... 20
        Relocating the Administrator Console ...... 20

Chapter 3 General Administration Tasks
    Planning for Security ...... 23
        Security scenarios ...... 24
        Understanding Security Lifecycles ...... 28
        Supporting the Endpoint User ...... 29
    Logging In ...... 30
    Configuration Workflow ...... 30
    General Administration Tasks ...... 31
        Configuring ICS to fail open ...... 31
        Configuring updates ...... 31

Chapter 4 Administering Security Scanner Policies
    Understanding Integrity Clientless Security Scanner ...... 33
    Implementing Policies ...... 34
        Understanding Enforcement Rules ...... 34
        Enforcement Rule Types ...... 35
        Firewall Application Rules ...... 36
        Anti-virus Application Rules ...... 36
        Anti- Scan Rules ...... 38
        Custom Application Rules ...... 39
        Custom Group Rules ...... 40
        Creating Policies ...... 41
        Activating Policies ...... 41

Chapter 5 Administering Advanced Anti-Keylogger
    Understanding Keylogger Protection ...... 43
    Administering ICS Advanced Anti-Keylogger ...... 44
        Activating ICS Advanced Anti-Keylogger ...... 44
        Configuring Advanced Anti-Keylogger to fail open ...... 45
        Monitoring Advanced Anti-Keylogging ...... 45

Chapter 6 Administering Integrity Secure Workspace
    Understanding Integrity Secure Workspace ...... 47
        Supported Applications ...... 48
    Administering Integrity Secure Workspace ...... 49
        Configuring and Activating ISW ...... 49
        Configuring ISW permissions ...... 50
        Configuring Secure Workspace to fail open ...... 51
        Testing Integrity Secure Workspace ...... 52

Chapter 7 Logging and Reports
    Logging ...... 53
        Server-side logs ...... 54
        Log and database rotation ...... 55
        Endpoint computer logs ...... 58
    Reports ...... 58
        Generating Reports ...... 58
        Access Statistics ...... 59
        Security Scan Results ...... 59
        Spyware Found ...... 59
        Rules Broken ...... 59
        Anti-Keylogger ...... 59
        Errors ...... 60

Chapter 8 The ICSInfo Utility
    Troubleshooting endpoint user issues ...... 61
    Obtaining anti-virus application information ...... 62
    Obtaining application checksums ...... 62

Chapter 9 Customizing the User Interface
    Assumptions ...... 65
    Customization Methods ...... 66
    Customizing ICS ...... 66
        Creating the customization folder ...... 66
        Modifying the CSS file ...... 67
        Modifying the template file ...... 67
        Adding Administrator Contact Information ...... 68
        Changing the logo ...... 68
        Changing the colors ...... 69
        Changing the fonts ...... 70
        Configuring the custom text ...... 70
        Style Reference ...... 70
    Customizing the Integrity Secure Workspace ...... 81
        Changing message text ...... 81
        Changing the images ...... 81

Index ...... 83

ICS Administrator Guide 7

Preface

This preface provides an overview of Integrity Clientless Security (ICS) documentation. It contains the following topics:

• “About this Guide,” on page 9
• “Other Documentation,” on page 9

About this Guide

The Integrity Clientless Security Administrator Guide provides:

• Installation instructions
• Administration information, including background and task-oriented administrative procedures
• Endpoint user interface customization instructions
• Information about using the various utilities included with Integrity Clientless Security

Please make sure you have the most up-to-date version of this guide for the version of Integrity Clientless Security that you are using. Versions are available from the Check Point User Center Web site. Before using this document to administer Integrity Clientless Security, you should read and understand the information in the Readme. See “Readme,” on page 10.

Other Documentation

You should familiarize yourself with the other documentation that is available for Integrity Clientless Security.

Online Help

The online help provides the field-level information you need to understand the UI elements in the ICS Administrator Console. The online help includes detailed information about what each element does and what entries are valid. Use the online help after reading the procedural information in the ICS Administrator Guide. You can access the help from any page in the ICS Administrator Console by clicking the help link.


Readme

A readme file is included with ICS. It includes information about what is new in this release, as well as known issues and workarounds. You should also check the Check Point User Center Web site to make sure you have the most recent version of this document.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: [email protected]

Chapter 1 Introduction

Check Point Integrity™ Clientless Security (ICS) protects your network by scanning endpoint computers, providing advanced anti-keylogging protection, and creating a secure workspace for your users. Use it to do the following:

• Check endpoint computers for known spyware, worms, and other potential threats
• Check that endpoint computers are compliant with your anti-virus, firewall, and other software policies
• Protect data on endpoint computers from keyloggers
• Protect your organization’s data by providing an encrypted and firewall-protected workspace on the endpoint computer

This chapter contains the following topics:

• “Integrity Clientless Security Features,” on page 11
• “Reports,” on page 13
• “ICSInfo Utility,” on page 13
• “Customization,” on page 13
• “Installing and Upgrading ICS,” on page 13

Integrity Clientless Security Features

ICS consists of several features, each providing a unique type of security protection. You can choose which features to implement. This section provides an overview of these features.

Integrity Clientless Security Scanner

Use the Integrity Clientless Security Scanner policies to make sure that endpoint computers connecting to your network meet your security requirements. The Integrity Clientless Security Scanner checks endpoint computers for applications according to the enforcement rules you create. Enforcement rules either prohibit or require certain applications. If the endpoint computer does not meet the requirements of the enforcement rule, it is considered to be ‘non-compliant’. You can choose to restrict or warn non-compliant users or simply log the event. For more detailed information about enforcement rules, see “Understanding Enforcement Rules,” on page 34.

Advanced Anti-Keylogger

Use the Advanced Anti-Keylogger feature to protect your organization’s data against malicious programs that record keyboard activity while your endpoint users are logged into your network. For more detailed information about Advanced Anti-Keylogger, see “Understanding Keylogger Protection,” on page 43.

Integrity Secure Workspace

Use the Integrity Secure Workspace to protect your company’s sensitive data while your endpoint users are connected to your network. Many organizations make sensitive documents available to endpoint users who are logged onto their network. Integrity Secure Workspace protects the data while your endpoint user works with it, encrypts it when it is saved locally, and deletes it from the endpoint computer upon logoff. For more information, see “Understanding Integrity Secure Workspace,” on page 47.


Reports

Use reports to monitor how ICS is protecting your network and to plan new policies. For more information about reports, see “Logging and Reports,” on page 53.

ICSInfo Utility

ICS includes the ICSInfo Utility. The ICSInfo utility collects program and other information from endpoint computers that you can use when creating your policies or troubleshooting user issues. See “The ICSInfo Utility,” on page 61.

Customization

You can customize the endpoint user interface to match your company’s Web site. You can also embed the ICS interface in your Web site. See “Customizing ICS,” on page 66.

Installing and Upgrading ICS

For instructions on how to install ICS, see the ICS Getting Started Guide. For instructions on how to upgrade or reconfigure an existing ICS application, see “Upgrading and Reconfiguring ICS” in this document.


Chapter 2 Upgrading and Reconfiguring ICS

For instructions on how to perform a new installation of ICS, see the ICS Getting Started Guide. This chapter contains the following topics:

• “Upgrade Installation Process,” on page 16
• “Uninstallation Process,” on page 17
• “Reconfiguration Processes,” on page 18


Upgrade Installation Process

Use the following instructions to upgrade an older version of ICS to the current release version.

To upgrade ICS from release 4.0 or 4.0 HFA1 to the current release version
1. Stop your Web server application.
2. Stop all running instances of the report.cgi application.
3. Remove the ISAPI filter for ICS from your Web Site properties (IIS only).
4. Copy the policy.xml file from /bin/data to a temporary directory.
5. Extract the files to the directory where you want to install ICS.
6. Install the current version of ICS. For installation instructions, see the Integrity Clientless Security Getting Started Guide.
7. Copy the policy.xml file from the temporary directory to /bin/data.
8. Change directories to ics_server/bin and perform the appropriate command for your operating system:
   - Linux: db_upgrade.sh
   - Windows: report.cgi convert
   This step updates the scan reporting database report.db. This process may last up to several hours, depending on your server hardware and the size of the report database.

To upgrade ICS from release 3.7 to the current release version
1. Stop your Web server application.
2. Remove the ISAPI filter for ICS from your Web site properties (IIS only).
3. Copy the enforcement_rules.xml file from /sre/data to a temporary directory.
4. Change directories to the ICS 3.7 server location and run the command:
   uninstall.sre.bat
   This uninstalls the ICS 3.7 application.
5. Extract the installation files to the directory where you want to install ICS 4.1.
6. Install the current version of ICS. For installation instructions, see the Integrity Clientless Security Getting Started Guide. The protected gateway URL must be the same as the one protected by the ICS 3.7 installation.
7. Move the enforcement_rules.xml file from the temporary directory where you saved it to the ics_server/ctool directory. This step does not migrate anti-spyware rules; you must recreate them in the Administrator Console.
8. Open the ICS Administrator Console, then click either Policies or Enforcement Rules. You will receive a message stating that the old policy has been found and that it will be migrated.
9. Perform the following steps:
   a. Open the Policies or Enforcement Rules page and check that your saved policies have been copied over correctly. Due to restrictions in the Custom Rules format in ICS 4.1 (such as file path and registry format), some rules that were valid in ICS 3.7 may be invalid in ICS 4.1. If you created your own enforcement rules in ICS 3.7 and imported them into ICS 4.1, those rules must be recreated and saved in the ICS 4.1 Enforcement Rules page.
   b. Click Save Configuration.
   c. Close the ICS Administrator Console.
   d. Change directories to ics_server/ctool and remove the enforcement_rules.xml file.

Uninstallation Process

Use the following instructions to uninstall ICS.

To uninstall ICS
1. Stop the Web server.
2. Stop all running instances of report.cgi.
3. If you are running Apache Web server, remove the ics-apache.conf configuration from apache configs (from httpd.conf or automatically included sub-folders).
4. If you are running Microsoft IIS, perform the following steps:
   a. Remove the Virtual Directory which you created for ICS.
   b. Remove ics_filter.dll from the ISAPI filters for your Web server.
   c. Remove the Web Service Extension which you created for ICS (for IIS 6.0 only).
   d. Remove the .tpl file extension MIME type which you created for ICS (for IIS 6.0 only).
5. Delete the ics_server folder.
6. Restart the Web server.

Reconfiguration Processes

If needed, you can use parameters to reconfigure ICS after the initial installation. Use the reconfiguration parameters to:

• Configure ICS to receive software updates. See “Configuring ICS to receive software updates,” on page 18.
• Move ICS to another server. See “Moving ICS to another server,” on page 19.
• Change the protected gateway. See “Changing the protected gateway,” on page 20.
• Relocate the Administrator Console. See “Relocating the Administrator Console,” on page 20.

Configuring ICS to receive software updates

To configure ICS to receive software updates, you must:

• Download a license file for ICS.
• Set the ALL_PROXY variable.

Downloading a license file for ICS

ICS requires a valid license file in order to download software updates.

To download a license file
1. Sign up for a Check Point User Center account at https://usercenter.checkpoint.com. You will be provided a user ID and password. Save them for future reference.
2. In the Check Point User Center, activate your ICS product. The User Center generates a unique license file cp.lic.
3. Download the cp.lic license file from the Check Point User Center and save it to:
   /bin/data/cp.lic


4. Ensure that the Apache Web server has read permission for cp.lic.

Setting the ALL_PROXY variable

The ICS server requires access to the Internet for software updates. ICS includes the CURL library for external HTTP communication. If you use a proxy server for Internet access, you must set the ALL_PROXY environment variable.

To set the ALL_PROXY environment variable
1. Get the name and port number of the proxy server. You will need this information for the ALL_PROXY variable.
2. Define the variable by using one of the following methods:

Table 2-1: ALL_PROXY Definition Methods

Method: Define ALL_PROXY in the .htaccess file in the /ics_server/bin folder.
    Web Server/OS: Apache only
    Server restart required? No
    Reboot required? No

Method: Define ALL_PROXY in the httpd.conf configuration file for the Apache server.
    Web Server/OS: Apache only
    Server restart required? No
    Reboot required? Yes

Method: Export the definition as a global environment variable.
    Web Server/OS: Windows only
    Server restart required? Yes
    Reboot required? N/A

Method: Define ALL_PROXY in the Environment Variables
    Web Server/OS: Windows only
    Server restart required? Yes
    Reboot required? N/A
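Both update prerequisites above (a cp.lic the Web server can read, and an ALL_PROXY value libcurl can parse) are easy to get wrong silently, so a pre-flight check is useful before expecting updates to arrive. The POSIX shell script below is an added example and is not part of this guide or of the ICS product; ICS_HOME, the cp.lic path beneath it, and the proxy URLs in the comments are assumptions and placeholders. Run it as the account the Web server runs under so that the read-permission test reflects what Apache will actually see.

```shell
#!/bin/sh
# Pre-flight check for ICS software-update prerequisites.
# Added example, not from the guide. ICS_HOME is an assumed install location.

ICS_HOME="${ICS_HOME:-/opt/ics_server}"

# check_all_proxy VALUE
# Returns 0 when VALUE has the shape scheme://host:port that libcurl reads
# from ALL_PROXY (http, https, socks4 or socks5), with a numeric port in
# range; returns 1 for an empty value, a missing port, or embedded spaces.
check_all_proxy() {
  value="$1"
  case "$value" in
    ""|*" "*) return 1 ;;
    http://*:[0-9]*|https://*:[0-9]*|socks4://*:[0-9]*|socks5://*:[0-9]*) ;;
    *) return 1 ;;
  esac
  port="${value##*:}"       # text after the last colon
  port="${port%%/*}"        # drop any trailing path component
  case "$port" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# check_license_file PATH
# Returns 0 when PATH is a regular, non-empty file readable by the current
# user and not world-writable; returns 1 otherwise. The world-writable test
# matters because whoever can replace cp.lic controls what the server
# treats as its license.
check_license_file() {
  lic="$1"
  [ -f "$lic" ] && [ -s "$lic" ] && [ -r "$lic" ] || return 1
  # Character 9 of the ls -l mode string is the 'other' write bit.
  other_write=$(ls -ld "$lic" | cut -c9)
  [ "$other_write" != "w" ]
}

# Stand-alone usage: sh preflight.sh --run  (run as the Web server user)
if [ "${1:-}" = "--run" ]; then
  if check_license_file "$ICS_HOME/bin/data/cp.lic"; then
    echo "cp.lic: OK"
  else
    echo "cp.lic: missing, empty, unreadable or world-writable"
  fi
  if check_all_proxy "${ALL_PROXY:-}"; then
    echo "ALL_PROXY: OK ($ALL_PROXY)"
  else
    echo "ALL_PROXY: unset or malformed (expected e.g. http://proxy.example.com:3128)"
  fi
fi
```

If ALL_PROXY is defined only in .htaccess or httpd.conf rather than in the shell environment, export it before running the script so the check sees the same value the CGI programs will.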

Moving ICS to another server

Use the following instructions to move the ICS server to another location. This location must be on the same server computer as the Apache Web server.

To move the ICS server:
1. In the new location, run the executable with the ‘reconfigure’ parameter.
   - install.sh reconfigure for Linux servers
   - install.exe reconfigure for Windows servers
2. If you are using Apache, add the content of the new ics-apache.conf file to the Apache Web server configuration file. Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
   If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.
3. If you are using Internet Information Services, restart the Web server.

Changing the protected gateway

Use the instructions in this section if you need to reconfigure ICS to protect a different gateway. The gateway must be on the same server computer as the Apache Web server.

To change the protected gateway:
1. In the new location, run the executable with the ‘portal_url’ parameter and the URL of the new portal.
   - install.sh portal_url http://www. for Linux servers
   - install.exe portal_url http://www. for Windows servers
2. If you are using Apache, add the contents of the new ics-apache.conf file to the Apache Web server configuration file. Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.

If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.

3. If you are using Internet Information Services, restart the Web server.

Relocating the Administrator Console

Use the instructions in this section to change the ICS Web location. This is the location that administrators use to access the Administrator Console.

To relocate the Administrator Console:
1. In the new location, run the executable with the ‘ics_url’ parameter and the URL of the new portal.
   - install.sh ics_url http://www. for Linux servers
   - install.exe ics_url http://www. for Windows servers
2. Add the contents of the new ics-apache.conf file to the Apache Web server configuration file. Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.
   If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.

Chapter 3 General Administration Tasks

This chapter provides information about the general administration of ICS. It contains the following topics:

• “Planning for Security,” on page 23
  - “Security scenarios,” on page 24
  - “Understanding Security Lifecycles,” on page 28
  - “Supporting the Endpoint User,” on page 29
• “Logging In,” on page 30
• “Configuration Workflow,” on page 30
• “General Administration Tasks,” on page 31
  - “Configuring ICS to fail open,” on page 31
  - “Configuring updates,” on page 31

Planning for Security

Before you start to configure and administer ICS, you should consider which security features you want to use and how they will affect your users. You should balance security with the ability of your users to access your network. If you implement a large number of security requirements, then you will achieve high security; however, if the endpoint computers do not comply, then your users will not be able to access your network. This can cause a considerable support burden and negatively impact productivity. Alternatively, if you configure ICS to be too lenient, you might not achieve the level of security you need.

When planning your implementation, be sure to take into account your particular security situation. ICS provides a variety of features to suit different needs. Depending on your security goals and your users, you may use only a portion of those features. Use the information in “Security scenarios,” on page 24, to determine which features are suitable for your implementation.

Even if you find that you need a very secure, very restrictive security implementation, it may not be a good idea to immediately impose it upon your users. The recommended way to achieve high security with lower user impact is to start with a less demanding configuration and then implement progressively more strict configurations in an iterative manner. The process you use to manage these iterative configurations is called a ‘security lifecycle’. For more information, see “Understanding Security Lifecycles,” on page 28.

Security scenarios

ICS is designed to provide flexible configuration options that allow you to tailor its protection to your security needs. When deciding which ICS security solutions to use you should consider the following:

• Security vulnerabilities
• Threats
• Type of endpoint users and disruption tolerance

Sample Scenarios

Use the following sample scenarios to help plan your implementation. These samples include three of the most common implementation types.

• Full network access. See “Full network access,” on page 25.
• Web-only access. See “Web-only access,” on page 26.
• E-commerce. See “E-Commerce,” on page 27.

The following table gives a summary of these scenarios. For more details, see the section on each scenario.

Table 3-1: Sample Scenarios

Full Network Access
    Vulnerabilities: Network resources, User accounts, File servers, Endpoint computers, Application servers
    Risks: Viruses, Trojans, Worms, Hackers
    Users: Employees
    Solution: Integrity Security Scanner; Integrity Secure Workspace

Web-Only Access
    Vulnerabilities: Sensitive data, User accounts
    Risks: Keyloggers, Spyware, Cache reading, Indexing software
    Users: Employees, Partners
    Solution: Integrity Secure Workspace; Integrity Security Scanner (optional)

E-commerce
    Vulnerabilities: User accounts, Financial transactions
    Risks: Keyloggers
    Users: Consumers
    Solution: Advanced Anti-Keylogger

Full network access

In the full network access scenario, you are providing endpoint users with unlimited access to your entire network.

Vulnerabilities

In this scenario, your entire network is vulnerable, including:

• Network resources
• File servers
• Application servers
• User accounts
• Endpoint computers

Your security goals are to provide data protection, session confidentiality, and protection from network infection.

Risks

In this scenario, your organization’s intellectual property is threatened by:

• Viruses
• Trojans
• Worms
• Hackers

Endpoint users and disruption tolerance

Your endpoint users are mainly your employees. They are professionals with a medium-to-high level of computer expertise. They are more likely to understand the need for security and to tolerate a higher degree of disruption while becoming compliant with your security implementation’s demands.

Sample solution

For this scenario, a recommended solution is to use the Integrity Secure Workspace and the ICS Security Scanner. You do not need to use the Advanced Anti-Keylogger feature in this scenario, as the Integrity Secure Workspace provides keylogger protection during the session. Integrity Secure Workspace provides zero-day protection through the stealth session. The Security Scanner protects against network infection and known spyware through the policy you configure. The Security Scanner policy should require an antivirus application and a firewall on each endpoint computer. The policy should also prohibit all types of spyware.

Although the final goal of this security solution is to have a rather demanding and restrictive policy, you can minimize endpoint user disruption through the use of security lifecycles. You can implement a limited number of security features at first and use more lenient options while your users become compliant. Once users have begun to comply, you can add more security features and use the less permissive options. For more information, see “Understanding Security Lifecycles,” on page 28.

Web-only access

In this scenario you are providing your endpoint users with moderated network access. This type of scenario is often used to give access to Web applications, e-mail, or download sites.

Vulnerabilities

This scenario makes only the moderated part of your network vulnerable, including:

• Sensitive data
• User accounts

Your security goals are to provide data protection and session confidentiality.

Risks

In this scenario, your organization’s user accounts and sensitive data are at risk from the following:

• Keyloggers and other spyware
• Cache reading
• Indexing software

Endpoint users and disruption tolerance Your endpoint users are primarily your organization’s employees and partners. They range in computer expertise from low to high and require a high degree of productivity. They will tolerate some disruption, but not the restriction of their access.

Sample solution

For this scenario, a recommended solution is to use the Integrity Secure Workspace. The Integrity Secure Workspace provides zero-day protection against keyloggers, indexing software, and other malware. It prevents these programs from recording the sensitive data that the user accesses during the stealth session. It also provides protection against cache reading by encrypting the sensitive information while the endpoint user is working with it and then deleting it at the end of the session. You do not need to use the Advanced Anti-Keylogger feature in this scenario, as the Integrity Secure Workspace provides keylogger protection during the session.

E-Commerce

In this scenario, you are providing endpoint users with access to accounts and services online.

Vulnerabilities In this scenario your endpoint user accounts and financial transactions are at risk. Your security goal is to protect account and transaction information.

Risks Endpoint user accounts and financial transactions are at risk from keyloggers.

Endpoint users and disruption tolerance Your endpoint users in this scenario will include some employees, but will mostly be made up of consumers. Consumers often have a lower degree of computer experience and are unaware of security risks. Your users will have a very low tolerance for disruption and will not tolerate restriction. In this instance, you must provide protection with very little impact to the user.

Sample Solution For this scenario, a recommended solution is to use Advanced Anti-keylogger. Advanced Anti-keylogger protects your endpoint user accounts and transaction information from keyloggers. Unlike other types of keylogging protection, Advanced Anti-keylogger provides behavior-based protection by restricting access to the APIs that keyloggers exploit. This provides protection, not only against current keyloggers, but also against new keyloggers as they are created.


Understanding Security Lifecycles

Security lifecycles allow you to gradually increase your security while maintaining reasonable user access to your network. By using a security lifecycle, you can also keep your system up to date, by implementing changes according to changes in your systems security needs. Consider starting out with a security configuration that is lenient. Strategies for creating more lenient security configurations include:

• Minimizing security features — Using only one or two features, or using the less disruptive features, such as Advanced Anti-Keylogger. To make these features even less disruptive, allow endpoint computers to connect, even if the operating systems are not supported by the feature.
• Minimizing enforcement rules — Only using enforcement rules for the most important security requirements, such as requiring an antivirus application. To make these enforcement rules even less disruptive, set them to ‘warn’ or ‘observe’.

Use the following steps in your security lifecycle:
1. Plan your security implementation. Use the sample security scenarios to help plan your implementation. See “Sample Scenarios,” on page 24. When planning your security implementation you should consider the following:
   - What applications do you want to prohibit? Commonly prohibited application types include IM clients, file system indexers, games, and file sharing applications. For each prohibited application you should consider whether you want to deny access for users who have it or simply warn them that the application is prohibited. If you are unsure what the user impact would be, you can choose to allow access without a warning. This allows you to track incidents in your reports without troubling the user.
   - What applications do you want to require? Commonly required applications include anti-virus applications and firewalls.
   - Do you want to protect against keyloggers?
   - Do you want to use Integrity Secure Workspace?
   - Do you want to allow access for endpoints that have unsupported operating systems?
   - What remediation information do you need to provide to your users so they can become compliant with your policies?
2. Configure your security implementation. Use the Integrity Clientless Security Administrator Console to configure your security settings. See “Configuration Workflow,” on page 30.
3. Monitor the results. Use the reports to see how well ICS is protecting your network and to see its impact on your endpoint users. See “Reports,” on page 58.
4. Return to step 1. Use the information you obtain from the reports to plan your next configuration.

Figure 3-1: Security Lifecycle

Supporting the Endpoint User

In order to ensure that your users will be able to have the access they need and are not needlessly inconvenienced by your security policies, you should plan how to provide support and education for them. One of the most important things you can do to make your ICS implementation run smoothly is to provide information to your users. If users understand your security rules and why they are being scanned, you will greatly reduce the volume of unnecessary help desk requests. You can help your users to understand ICS and comply with your security requirements by doing the following:

• Providing remediation information — Always provide complete, clear remediation information and links if your enforcement rules are set to ‘warn’ or ‘restrict’. This allows users to deal with their own issues efficiently, without resorting to help desk requests. See “Understanding Enforcement Rules,” on page 34.


Logging In

Once you have finished installing ICS, you can log into the ICS Administrator Console. This is the Web-based graphical user interface that allows you to set your security configurations.

The ICS Administrator Console is located at: /bin/ctool.cgi. The default username and password are ‘icsadm/icsadm’. If you have not already done so, you should change this username and password. See the Integrity Clientless Security Getting Started Guide for information about changing the password.

Configuration Workflow

Once you have planned your security configuration, you can begin to configure ICS. While you may perform some configuration functions at any time, the following is the recommended order for configuring your system:

1. Create enforcement rules. Enforcement rules determine what applications your users must or must not have on their computers. Enforcement rules are the basic building blocks of your policies. You can use the same enforcement rules in multiple policies. For more information, see “Understanding Enforcement Rules,” on page 34.

2. Create policies. Policies provide a convenient way to specify which enforcement rules you want to use at the same time. For more information, see “Creating Policies,” on page 41.

3. Activate your policy. Choose the policy that you want to use. You can create as many different policies as you want, but only one policy can be active at a time. See “Activating Policies,” on page 41.

4. Configure Anti-Keylogging. Choose your Anti-Keylogging options. See “Administering Advanced Anti-Keylogger,” on page 43.

5. Configure Secure Workspace. Choose your Secure Workspace options. See “Administering Integrity Secure Workspace,” on page 47.

6. Save. After completing any configuration steps, you must always save to have your changes take effect.


General Administration Tasks

Use this section to perform general configuration tasks, including:

• “Configuring ICS to fail open,” on page 31

• “Configuring updates,” on page 31

Configuring ICS to fail open

If you want to minimize disruption to your users, you should configure ICS to ‘fail open.’ This means that endpoint users that are not running a supported operating system can still access your network, without being serviced by ICS. For information about allowing unsupported operating systems with Integrity Secure Workspace and the Advanced Anti-Keylogger features, see the chapters on those features.

How to configure ICS to fail open:

1. Log into the ICS Administrator Console.
2. Go to the Gateway Configuration tab.
3. In the section Settings for endpoints running a non-supported OS, select Allow access to endpoints running a non-supported OS.
4. Click Save.

This will cause those unsupported users to bypass all the scans and security features of ICS. These endpoint users will not be protected by ICS. Users with supported operating systems will still be protected.

Configuring updates

Check Point periodically releases updates to client components, such as support for new anti-virus providers. When updated versions of the client components are available, you can download them. Client components include the following:

• Security Scanner

• Enforcement agent

• Advanced Anti-Keylogger

• Secure Workspace

• Java and ActiveX launchers

It is recommended that you update your system once a week. If you do not update ICS, your system will be out-of-date and you will not have the best protection available. To update your ICS system, you must have the following:


• Check Point User Center account ID and password. If you do not have a Check Point User Center user ID and password, you must sign up to receive them at https://usercenter.checkpoint.com.

• Certificate key for your ICS product. Your certificate key was provided by Check Point with the ICS product. If you no longer have the certificate key, contact Check Point Sales to recover the certificate key.

How to update your ICS system:

1. Log into the ICS Administrator Console.
2. Go to the Product Information page.
3. In the Update Information section, perform the following steps:
   a. Enter your Check Point User Center user ID.
   b. Enter the password for your User Center account.
   c. Enter your certificate key.
4. Click Update Client Components. A message will appear to show the status of your update.
5. When the update is complete, click Finish to continue.

Chapter 4 Administering Security Scanner Policies

This chapter contains information about how to administer your policies using the ICS Administrator Console. Policies control what the Integrity Clientless Security Scanner checks for on your endpoint computers. Policies consist of collections of enforcement rules, which specify whether to prohibit or require certain applications, and what action to take if the endpoint computer is out of compliance with the rule. This chapter consists of the following sections:

• “Understanding Integrity Clientless Security Scanner,” on page 33

• “Implementing Policies,” on page 34

• “Understanding Enforcement Rules,” on page 34

   - “Enforcement Rule Types,” on page 35

   - “Firewall Application Rules,” on page 36

   - “Anti-virus Application Rules,” on page 36

   - “Anti-Spyware Scan Rules,” on page 38

   - “Custom Application Rules,” on page 39

   - “Custom Group Rules,” on page 40

• “Creating Policies,” on page 41

• “Activating Policies,” on page 41

Understanding Integrity Clientless Security Scanner

Integrity Clientless Security Scanner requires no pre-installed software on endpoint computers, except a supported browser. The Security Scan is performed by a Java or ActiveX component that is deployed from your Web server to each endpoint computer that requests access.

Implementing Policies

This section describes all the steps you need in order to use policies to secure your endpoints. If you do not complete all these steps, your policies will not be enforced.

If you do not want to create your own policies, you can use the sample policies included with ICS. ICS includes high, medium, and low security sample policies that you can activate. You can also edit these rules to customize them.

To implement policies:

1. Create your enforcement rules. See “Understanding Enforcement Rules,” on page 34.

2. Use the enforcement rules to create a policy. See “Creating Policies,” on page 41.

3. Activate the policy. See “Activating Policies,” on page 41.

4. Execute the command # cat /dev/null > ics_server/bin/data/cookies to erase all existing cookie data from the ICS database. If you change your security policy to be more restrictive, ICS considers all users currently logged in as compliant until their cookies expire. Cookies expire after 1 hour if the user doesn’t select any portal links; otherwise, the cookie expiration timer resets and the 1-hour countdown starts over.

   If Enforce Scan Interval is enabled and configured in the ICS Administrator Console, every scan is performed using the most recent policy. Using frequent scans can avoid the cookie expiration issue.

5. Save your configuration.

Understanding Enforcement Rules

Use the Enforcement Rule page in the ICS Administrator Console to manage your enforcement rules. You must add an enforcement rule to a policy and make that policy the active policy for the rule to take effect. Any changes you make to an enforcement rule affect all the policies that contain that rule. When you delete an enforcement rule, it is removed from all your policies. You are warned when you delete an enforcement rule that is currently being used in a policy. Each enforcement rule consists of the following parts:

• Conditions — Use the conditions area to indicate the criteria that the endpoint computer must meet. For instance, that it must have a certain file running.


• Action — Use the action area to indicate what ICS should do when the endpoint computer is out of compliance with the rule. Actions affect the user experience as described in “Action behaviors,” on page 35.

Table 4-1: Action behaviors

   Option: Behavior

   Restrict: Prevents the users from logging on. ICS displays the scan report and any remediation information you have specified. Users must become compliant before being allowed to proceed.

   Observe: Does not prevent users from logging on. ICS records the violation in the log. This option is useful for gathering information about potential issues with your network before you restrict endpoint connections.

   Warn: Does not prevent users from logging on. ICS displays the scan report and any remediation information you have specified. Users may proceed without becoming compliant. Users are asked to become compliant every time they are scanned by ICS.

   Allow: ICS does not check for spyware you have set to ‘allow’. This action is only available for Anti-spyware scan rules.

• Remediation — Use the remediation area to specify resources and information that the endpoint users need to become compliant with the enforcement rule. For example, if the rule requires an anti-virus program, you should provide a link to a location where the endpoint user can download the application and instructions on how to install it. Since users may be repeatedly warned, or even denied access if they do not comply, it is important to make sure you provide sufficient and clear remediation resources.

Enforcement Rule Types

Use enforcement rules to control which applications your users must, or must not have on their computer when they connect to your network. There are the following types of enforcement rules:

• Firewall Application — Use firewall application rules to require a certain firewall application. See “Firewall Application Rules,” on page 36.

• Anti-Virus Application — Use anti-virus application rules to require a supported anti-virus application. If you want to require an anti-virus application that is not supported, use the custom application rule. See “Anti-virus Application Rules,” on page 36.

• Anti-Spyware Scan — Use anti-spyware scan rules to prohibit certain spyware types. See “Anti-Spyware Scan Rules,” on page 38.

• Custom Application — Use custom application rules to prohibit or require any application. See “Custom Application Rules,” on page 39.

• Custom Group — Use Custom Group rules to bundle custom application enforcement rules into one rule. When you put enforcement rules in a group, the endpoint computer must meet at least one of the conditions in order to be in compliance. See “Custom Group Rules,” on page 40.


Firewall Application Rules

Firewall application rules determine which firewall applications endpoint computers must have when they are logged onto your network. You can use this feature to require that endpoint users obtain the latest version of an Integrity client when they connect to your gateway.

Creating a Firewall Application Rule

The steps below give an overview of creating a firewall application rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create a firewall application rule:

1. Log into the ICS Administrator Console and click Policy Manager.
2. Select a rule from the list and click Edit.
3. On the Edit Policy page click New Rule and choose Firewall Application.
4. Select the firewalls you want to require. This sets the conditions for the rule. If endpoint computers violate these conditions they are considered to be out of compliance.
5. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.
6. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.
7. Click Save Rule.

Anti-virus Application Rules

It is important to protect your network from viruses. Every time an endpoint user logs in, your network is exposed to any viruses that the endpoint computer is infected with. Users who access your network through a gateway are particularly likely to be infected, since they are more likely to use their computers for personal uses, which put them at risk for viruses.

In order to protect your organization from viruses, you should require your users to have anti-virus protection. Effective anti-virus protection requires not only having the correct anti-virus software on your endpoint computers, but also having a recent version of that software and up-to-date software definitions. If endpoint users have out-of-date software definitions, they will not be protected against the latest viruses.

Anti-virus application rules determine which anti-virus applications your endpoint computers must have when they are logged into your network. Since users can sometimes disable their anti-virus software, all anti-virus application rules require that the application be running. For your convenience, anti-virus enforcement rules are pre-configured with supported anti-virus providers.


If you want to create an enforcement rule for an anti-virus provider not supported by the anti-virus application rules, you can do so by creating a custom software rule to require the application. See “Custom Application Rules,” on page 39.

If you want to require that your endpoint computers have a supported form of anti-virus protection, create an anti-virus enforcement rule for your policy. It is recommended that you require an anti-virus application with a DAT file no older than 14 days. In the case of a virus outbreak, you should require that the DAT file be no more than 24 hours old.

Creating an Anti-virus Application Rule

The steps below give an overview of creating an anti-virus application rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create an anti-virus application rule:

1. Log into the ICS Administrator Console and click Policy Manager.
2. Select a rule from the list and click Edit.
3. On the Edit Policy page click New Rule and choose Anti-Virus Application.
4. Select the anti-virus applications you want to require. The endpoint computer must have at least one of these anti-virus applications to be in compliance with the rule.
5. You can optionally edit the conditions for each application. For each anti-virus application you can specify more detailed criteria and remediation information that is specific to the application.
   a. Click Edit. The Anti-Virus Application Details page appears.
   b. Specify the operating system that this anti-virus application is required for.
   c. Specify the application conditions. It is recommended that you require a recent version of the application and a DAT file no older than 14 days. This ensures that your endpoint computers have up-to-date protection against viruses. The format of these entries is important and formats vary from one anti-virus provider to another. To obtain the engine version, DAT file version, and DAT age information for your supported anti-virus software in the correct format, run the ICSInfo utility included with Integrity Clientless Security on your reference computer. For more information, see “Obtaining anti-virus application information,” on page 62.
   d. Specify the remediation information and resources. This remediation information is specific to the application.
   e. Click Save Rule. You return to the Anti-Virus Enforcement Rule Settings page.
6. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.
7. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule. This remediation information is for all the anti-virus applications and should be more generic than the remediation information you provided for the specific applications.
8. Click Save Rule.

Anti-Spyware Scan Rules

The term ‘spyware’ refers to applications that collect user data on host computers for either commercial or malicious purposes. Spyware may do any of the following:

• Aid hackers in circumventing your security and spreading malicious code. Spyware can introduce worms, dial out to toll lines, and introduce other serious security breaches.

• Send information about a user, the user’s behavior, the computer system or the computer system’s use without requesting permission from the user to do so. This can be a serious breach of security for your users and your organization.

• Present advertising, often without notification, to the users without any additional benefit. This is a less serious threat, but is annoying to users and can have a serious impact on productivity.

For more information about types of spyware and the risks they present, see the online help for the Anti-Spyware Enforcement rules.

Use anti-spyware scan rules to protect your endpoints from spyware. Anti-spyware scan rules allow you to control gateway access for users who have spyware software on their endpoint computers. ICS comes preconfigured with software definitions for many types of known spyware, organized by type. Through anti-spyware enforcement rules you can protect your organization, and encourage or require your users to remove spyware residing on their computers. For each type of spyware, you can set the action you would like ICS to take when that spyware type is detected on an endpoint computer. You can also create exceptions for specific spyware programs you consider benign and want to allow.

To provide more complete protection against keyloggers, see “Administering Advanced Anti-Keylogger,” on page 43.


If you want to protect your Gateway and your endpoint users from spyware, create an anti-spyware enforcement rule for your policy. You can only use one Anti-spyware scan rule for each policy, though you may wish to use different rules in different policies. Only the rule included in your active policy will be enforced for your users.


Creating an Anti-spyware Rule

The steps below give an overview of creating an Anti-spyware scan rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create an anti-spyware rule:

1. Log into the ICS Administrator Console and click Policy Manager.
2. Select a rule from the list and click Edit.
3. On the Edit Policy page click New Rule and choose Anti-Spyware Scan.
4. Enter a Name and Description for the rule.
5. For each screened software type, choose the action you want ICS to take when it detects this kind of spyware. If you warn or restrict the endpoint computer, it is recommended that you include a Remedy Message, informing the user of what they need to do to treat the spyware.
6. If you want ICS to ignore certain spyware applications, add them to the exclusions list.
7. Optionally, you can select Display SmartDefense Advisor article link. Selecting this option will display a Check Point article to the endpoint users that will explain what the spyware is and offer treatment advice. It is highly recommended that you select this option.
8. Click Save Rule.

Custom Application Rules

While most of the common applications that you might want to control are governed by the other types of rules, you might wish to prohibit or require other applications. If you wish to prohibit or require an application not covered by any of the other rule types, use a custom application rule. A typical use of a custom application rule is to create a rule requiring an anti-virus application that is not supported by the preconfigured antivirus application rules.

To create a custom application rule:

1. Log into the ICS Administrator Console and click Policy Manager.
2. Select a rule from the list and click Edit.
3. On the Edit Policy page click New Rule and choose Custom Application.
4. Enter a Name and a Description for the rule.
5. Choose the endpoint computer operating system you want this rule to apply to.
6. Specify the conditions for this rule. If you are creating a rule requiring an anti-virus application, it is recommended that you require that the application be running, to prevent users from disabling the application. You should also require that it be modified no more than a week ago, to ensure that endpoint computers are getting virus definition updates regularly. During a virus outbreak, you will want to require that the file be modified no more than 24 hours ago.

   To obtain the checksum for your custom application, run the ICSInfo utility included with Integrity Clientless Security on your reference computer. For more information, see “Obtaining application checksums,” on page 62.

7. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.
8. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.
9. Click Save Rule.

Custom Group Rules

Use custom group rules to group together custom application enforcement rules. Endpoint computers have to be compliant with at least one rule in the group. For example, you may want to make a rule group that requires a certain security patch or a certain service pack, if having either one would fulfill your organization’s security requirements.

Creating Custom Group Rules

To create a custom group:

1. Log into the ICS Administrator Console and click Policy Manager.
2. Select a rule from the list and click Edit.
3. On the Edit Policy page click New Rule and choose Custom Group.
4. Enter a Name and a Description for the rule.
5. Choose the enforcement rules you want to include in the group. Endpoint users will have to be compliant with at least one of these rules. You can only add custom application rules to a group rule.
6. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.
7. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule. This remediation information is for all the enforcement rules in the group and should be more generic than the remediation information you provided for specific enforcement rules.
8. Click Save Rule.

Creating Policies

Policies are made up of enforcement rules. When an endpoint computer is scanned, its state is compared to all the enforcement rules in the currently active policy. If you have more than one enforcement rule in a policy, the endpoint users must comply with all of the rules. If you need to enforce compliance with just one rule out of a group, create a custom group rule out of the rules.

To create a policy:

1. Log into the ICS Administrator Console and click Policy Manager.
2. On the Enforcement Rules page, click New Policy.
3. Enter a Name and Description for the policy.
4. In the Rules selected for this policy table, select the enforcement rules you want in this policy.
5. Click Save Policy. This policy will not be enforced until you activate it.
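The way a policy combines its rules (every rule in the active policy must pass, a custom group passes when any one member passes, and the action of the failed rules decides whether the user is restricted, warned or only observed) can be seen in the following added Python example, which is not part of Check Point's product or documentation. The rule names, application names and endpoint inventories are constructed for illustration; the DAT-age limits follow this chapter's 14-day and 24-hour recommendations.

```python
"""Added example (not Check Point's code): a small evaluator for the ICS
policy semantics described in this chapter. Every rule in the active policy
must pass; a custom group rule passes when at least one member rule does;
the strongest action among the failed rules decides the outcome."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# A restrict outranks a warn, which outranks an observe.
ACTION_RANK = {"observe": 0, "warn": 1, "restrict": 2}

# Constructed reference time for DAT-age checks.
NOW = datetime(2006, 11, 17, 12, 0)


@dataclass
class Endpoint:
    """Constructed snapshot of what a scan found on an endpoint."""
    installed: set                           # applications present on disk
    running: set                             # applications currently running
    dat_updated: Optional[datetime] = None   # anti-virus DAT file timestamp


@dataclass
class Rule:
    name: str
    action: str                                  # "restrict", "warn" or "observe"
    require: Optional[str] = None                # application that must be present
    must_run: bool = False                       # ...and also running (anti-virus rules)
    max_dat_age: Optional[timedelta] = None      # ...with a DAT file no older than this
    prohibit: Optional[str] = None               # application that must be absent
    members: list = field(default_factory=list)  # custom group: member rules

    def is_compliant(self, ep: Endpoint, now: datetime) -> bool:
        if self.members:
            # Custom group rule: compliant if ANY member rule is satisfied.
            return any(m.is_compliant(ep, now) for m in self.members)
        if self.prohibit is not None and self.prohibit in ep.installed:
            return False
        if self.require is not None:
            if self.require not in ep.installed:
                return False
            if self.must_run and self.require not in ep.running:
                return False   # users can disable AV, so "installed" is not enough
            if self.max_dat_age is not None and (
                    ep.dat_updated is None or now - ep.dat_updated > self.max_dat_age):
                return False   # stale definitions do not protect against new viruses
        return True


def evaluate_policy(rules, ep, now=NOW):
    """Compare an endpoint against every rule of the active policy.

    Returns (outcome, failed_rule_names): "allow" when all rules pass, otherwise
    the strongest action among the failed rules ("restrict" blocks the login,
    "warn" and "observe" let it proceed but are reported)."""
    failed = [r for r in rules if not r.is_compliant(ep, now)]
    if not failed:
        return "allow", []
    outcome = max((r.action for r in failed), key=ACTION_RANK.__getitem__)
    return outcome, [r.name for r in failed]


def build_policy(outbreak: bool = False):
    """Constructed policy: require a running anti-virus with a DAT no older than
    14 days (24 hours during an outbreak), prohibit an IM client, and accept
    either of two patches through a custom group rule."""
    dat_limit = timedelta(hours=24) if outbreak else timedelta(days=14)
    return [
        Rule("Require anti-virus", "restrict", require="av_scanner.exe",
             must_run=True, max_dat_age=dat_limit),
        Rule("Prohibit IM client", "warn", prohibit="im_client.exe"),
        Rule("Patch level", "observe", members=[
            Rule("Patch A", "observe", require="patch_a"),
            Rule("Patch B", "observe", require="patch_b"),
        ]),
    ]


def sample_endpoints():
    """Three constructed endpoints that exercise the different outcomes."""
    return {
        # AV running with a 3-day-old DAT, patch B present, no IM client.
        "healthy": Endpoint({"av_scanner.exe", "patch_b"}, {"av_scanner.exe"},
                            NOW - timedelta(days=3)),
        # AV installed but not running, IM client present, neither patch.
        "disabled_av": Endpoint({"av_scanner.exe", "im_client.exe"}, set(),
                                NOW - timedelta(days=1)),
        # Compliant apart from the prohibited IM client.
        "im_only": Endpoint({"av_scanner.exe", "im_client.exe", "patch_a"},
                            {"av_scanner.exe"}, NOW - timedelta(hours=6)),
    }


if __name__ == "__main__":
    for label, ep in sample_endpoints().items():
        for outbreak in (False, True):
            outcome, failed = evaluate_policy(build_policy(outbreak), ep)
            print(f"{label:12} outbreak={outbreak!s:5} -> {outcome:8} {failed}")
```

Note that the "healthy" endpoint passes the normal policy but is restricted under the outbreak policy, because a 3-day-old DAT file exceeds the 24-hour limit.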

Activating Policies

You can create as many policies as you need, but only one is enforced at a time. You must activate your policy in order to have it be enforced. You may also set the scan interval.

To activate a policy:

1. Log into the ICS Administrator Console and click Gateway Configuration.
2. Select your policy in the Scanner Policy dropdown list.
3. Optionally, you can select to enforce a scan interval. Use a scan interval to require that the endpoint computers be re-scanned while they are connected to your network. If a user is connected to your network, and then directs a browser to another location, they may become infected with spyware after the original scan. Use the scan interval to trigger a periodic re-scan to help ensure that your endpoint users remain free of spyware while connected. The re-scan is silent to the user, unless they are out of compliance with rules that warn or restrict. The recommended scan interval is 15 minutes. Be aware that if you have configured rules that warn, your non-compliant users will be warned and prompted to remediate every time the scan runs. If you do not want warnings to be punitively disruptive, you may wish to set the scan interval to a longer time until most of your users are in compliance.

   Do not require both a re-scan and the Integrity Secure Workspace.

4. Click Save.

Chapter 5 Administering Advanced Anti-Keylogger

Use ICS Anti-Keylogging to protect your endpoint users from keyloggers. Keyloggers are malicious applications that record the keys that your endpoint users press. Keyloggers record those keystrokes and relay the information to another individual or server. Keyloggers can record passwords, login names, and other sensitive information. Once a third party has this sensitive data it can be exploited for malicious purposes. This chapter contains the following topics:

• “Understanding Keylogger Protection,” on page 43

• “Administering ICS Advanced Anti-Keylogger,” on page 44

   - “Activating ICS Advanced Anti-Keylogger,” on page 44

   - “Configuring Advanced Anti-Keylogger to fail open,” on page 45

   - “Monitoring Advanced Anti-Keylogging,” on page 45

Understanding Keylogger Protection

New keyloggers are constantly emerging. In order to protect your endpoint users and their data from keyloggers you need to not only protect against existing, known keyloggers, but also against the new ones as they develop. By combining the ICS Advanced Anti-Keylogger feature with Anti-Spyware protection rules, you provide more complete keylogging protection. You can use ICS to protect against keyloggers in the following ways:

• By checking signatures — Every application has a unique ‘fingerprint’ or ‘signature’. This prevents malicious applications from masquerading as benign applications by using the benign application’s file name. The anti-keylogging feature included in ICS Anti-Spyware Scan rules protects against known keyloggers by comparing their signature to a list of known keylogger signatures. These signatures are provided by Check Point as part of your regular updates. By using the Anti-Spyware Scan rule anti-keylogging feature, and performing regular updates, you are protecting your endpoint users and their data from known keyloggers. For more information about Anti-Spyware Scan rules, see “Anti-Spyware Scan Rules,” on page 38.

• By checking behavior — Keyloggers exploit APIs in order to record keyboard activity. ICS Advanced Anti-Keylogging allows only legitimate, trusted applications to use these APIs. By doing this, ICS Advanced Anti-Keylogger can protect your endpoints against new keylogging threats without needing a signature. This means ICS Advanced Anti-Keylogger protects your endpoints against new keyloggers that have not yet been identified.

It is highly recommended that you use both the ICS Anti-Spyware Scan rules (in conjunction with regular updates) and ICS Advanced Anti-Keylogger in order to provide the most complete keylogger protection.

ICS Advanced Anti-Keylogger may inhibit certain legitimate activities on endpoint computers, such as:

   - Certain keyboard controls, such as volume control

   - Keyboard macros

   - Keyboard emulating applications, such as some translation software

Generally, these limitations cause only minor impact, as they are only exhibited while the endpoint user is connected to your network. Users can resume these activities when they disconnect.

Administering ICS Advanced Anti-Keylogger

Use this section to administer Advanced Anti-Keylogger. Anti-Keylogger administration tasks include:

• “Activating ICS Advanced Anti-Keylogger,” on page 44

• “Configuring Advanced Anti-Keylogger to fail open,” on page 45

• “Monitoring Advanced Anti-Keylogging,” on page 45

Activating ICS Advanced Anti-Keylogger

Use the ICS Administrator Console to easily activate Advanced Anti-Keylogger.

To activate ICS Advanced Anti-Keylogger:

1. Log into the ICS Administrator Console.
2. Click Gateway Configuration.
3. Select Require Advanced Anti-Keylogger.
4. Click Save Configuration.

When endpoint users connect to your network they are prompted to accept a Java applet. Once they accept the applet, Advanced Anti-Keylogger will protect them from keyloggers without any further endpoint user input. An icon will appear in the title bar of their browser to let them know they are being protected. This protection persists until they close the browser.

Configuring Advanced Anti-Keylogger to fail open

If you require ICS Advanced Anti-Keylogger, endpoint computers with operating systems that are not supported by ICS Advanced Anti-Keylogger are denied access to your gateway. Denied endpoint users are given a warning that tells them that they are using an unsupported operating system. The warning message informs them of the supported operating systems and gives the helpdesk/administrator contact information that you supply.

If you want to minimize disruption to your users, you should configure Advanced Anti-Keylogger to ‘fail open’. This means that endpoint users that are not running a supported operating system can still access your network, without Advanced Anti-Keylogger protection. Only endpoint users with the supported operating systems receive keylogger protection. For more information about what operating systems are supported by ICS Advanced Anti-Keylogger, see the Integrity Clientless Security Getting Started Guide.

To configure Advanced Anti-Keylogger to fail open:

1. Log into the ICS Administrator Console.
2. Click Gateway Configuration.
3. In the Anti-Keylogger Settings area, choose Allow endpoints that can’t run Advanced Anti-Keylogger.
4. Click Save Configuration.

Monitoring Advanced Anti-Keylogging

Use the Anti-Keylogging report to monitor how well ICS Advanced Anti-Keylogging is protecting your users from keyloggers. See “Anti-Keylogger,” on page 59.


Chapter 6 Administering Integrity Secure Workspace

Your company’s sensitive data is at risk when users access it through your gateway. Endpoint users may accidentally or deliberately compromise the security of your data as they work with it on their endpoint computers. For example, a user might send a confidential file to an unauthorized recipient, or save a sensitive document on an endpoint computer that is then stolen. Use Integrity Secure Workspace (ISW) to protect your company’s data while still making it available for your endpoints to view and work with. This chapter contains the following topics:

• “Understanding Integrity Secure Workspace,” on page 47
    - “Supported Applications,” on page 48
• “Administering Integrity Secure Workspace,” on page 49
    - “Configuring and Activating ISW,” on page 49
    - “Configuring ISW permissions,” on page 50
    - “Configuring Secure Workspace to fail open,” on page 51
• “Testing Integrity Secure Workspace,” on page 52

Understanding Integrity Secure Workspace

ISW provides a secure environment on the endpoint computer which allows users to safely work with your company’s data. While the user is logged into your gateway, ISW stores data (data files and registry changes) in an encrypted user profile on the endpoint computer. The data cannot be accessed by other applications and it is deleted from the endpoint computer when the user logs off. ISW also provides a lightweight firewall application for the protected endpoint.


Supported Applications

In order to provide a trusted and secure environment, ISW controls all applications in the secure workspace. The endpoint user is only able to use applications that you allow them to use. The following applications are made available to the user by default. You can allow other applications by adding them to the list of allowed applications in the Secure Workspace Settings page:

General Applications

• Microsoft Notepad
• Microsoft Wordpad
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
• Microsoft Paint
• Microsoft Calculator
• Adobe Acrobat Reader (v. 5.0 or later)

FTP Applications

• Microsoft FTP (command line) (v. 5.1)
• Ipswitch WS_FTP Home/PRO (v. 2006.0.1.0)
• GlobalSCAPE CuteFTP (v. 6.0)

Web Browsing (HTTP, HTTPS, passive FTP) Applications

• Microsoft Internet Explorer (v. 5.5 or later)
• Mozilla Firefox (v. 1.0.4 or later)
• Mozilla (v. 1.7.8 or later)
• Netscape Browser (v. 8.0)

Terminal Service Applications

• Microsoft Remote Desktop Connection (v. 5.1)
• VNC Viewer (v. 4.1)
• Famatech Remote Administrator (v. 2.2)


Telnet/SSH Applications

• Microsoft Telnet (command line) (v. 5.1)
• Microsoft HyperTerminal (v. 5.1)
• Putty (v. 0.58)
• SecureCRT (v. 5.0)

TN3270 Applications

• Ericom PowerTerm InterConnect for Windows (v. 7.1)
• IBM Personal Communications Workstation Program (v. 5.080)

All Internet Explorer plugins installed on the endpoint user’s regular desktop are available in the Secure Workspace.


Administering Integrity Secure Workspace

Configuring and Activating ISW

Use the ICS Administrator Console to configure and activate ISW.

To configure and activate Integrity Secure Workspace:

1. Log into the ICS Administrator Console.
2. Click Gateway Configuration.
3. Select Require Integrity Secure Workspace.

Note: Do not require both a re-scan and the Integrity Secure Workspace.

4. Click Secure Workspace Settings.
5. To add applications that endpoints are allowed to use, perform the following steps:
   a. Click the Approved Applications tab.
   b. Click Add Application.
   c. Enter the application name, file path, and description, then click Save Application. See the online Help for more detailed information on these fields.


6. To set outbound firewall rules for endpoints, perform the following steps:
   a. Click the Outbound Firewall Rules tab.
   b. Click Add Rule.
   c. Enter a rule name, description, file address, and port number, then click Save Rule. See the online Help for more detailed information on these fields.
7. To specify where endpoints are allowed to save files in ISW, perform the following steps:
   a. Click the Allowed Save Locations tab.
   b. Click Add Location.
   c. Enter the location name, location path, and description. See the online Help for more detailed information on these fields.
8. Select the appropriate checkbox to allow endpoints to print secure documents and to secure clipboard contents.
9. Click Save Configuration.

Configuring ISW permissions

ISW is configured, by default, with limited read, write, and execute permissions, which might prevent some client applications from operating successfully. Optionally, you can configure ISW to change these read, write, and execute permissions. Integrity Secure Workspace uses the file CPSWS.xml to control these permissions.

To configure the ISW permissions:

1. Back up the CPSWS.xml file.
2. Use any text editor to open CPSWS.xml.
3. Search for the "FSPolicy" tag. Example:

<Execute PathName="telnet.exe" />


4. If you want to allow a specific file to be executed, perform the following steps:
   a. If the value of the "Execute" attribute in the "FSPolicy" tag is "Allow", add the following child tag to the "FSPolicy" tag:

Using a full path of the file, for example, c:\folder\filename.exe, will allow the command to run only from that path. Using just the filename will allow running the command from any path.

   b. If the value of the ‘Execute’ attribute in the ‘FSPolicy’ tag is ‘Deny’, search for an ‘Execute’ child tag that refers to the exact file requested and delete the tag.
5. If you want to allow all files to be executed, perform the following steps:
   a. In the FSPolicy tag, change the Execute attribute value to Deny.
   b. Delete all ‘Execute’ child tags inside the "FSPolicy" tag. Since no files are explicitly set as denied, all files can be executed.

Note: An executable file might try to read, update, or execute other files. All appropriate permissions must be updated for such a file to run properly.
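To see how the Allow/Deny logic above plays out before editing a live CPSWS.xml, here is an added example; it is not Check Point's code. It assumes only what the text states: an FSPolicy element whose Execute attribute is "Allow" or "Deny", Execute child tags carrying a PathName attribute, and the two matching rules for a full path versus a bare file name. The sample policy fragments and the function names are constructed for the example.

```python
"""Evaluate ISW execute permissions from an FSPolicy fragment.

Added example, not Check Point code. The element layout is assumed from the
guide's description and its one example tag:
  <FSPolicy Execute="Allow|Deny"> containing <Execute PathName="..." /> children.
Execute="Allow": only the listed files may run.
Execute="Deny":  the listed files are blocked and everything else may run,
                 so an empty list in Deny mode allows all files.
A PathName holding a full path matches only that path; a bare file name
matches that file in any folder.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample fragments; not taken from a real CPSWS.xml.
SAMPLE_ALLOW_POLICY = """
<FSPolicy Execute="Allow">
  <Execute PathName="telnet.exe" />
  <Execute PathName="c:\\tools\\putty.exe" />
</FSPolicy>
"""

SAMPLE_DENY_POLICY = """
<FSPolicy Execute="Deny">
  <Execute PathName="cmd.exe" />
</FSPolicy>
"""


def _matches(pathname, candidate):
    """Apply the guide's two matching rules, case-insensitively (Windows paths)."""
    pathname = pathname.lower()
    candidate = candidate.lower()
    if "\\" in pathname or "/" in pathname:
        # Full path given: the file may run only from exactly that location.
        return ntpath.normpath(pathname) == ntpath.normpath(candidate)
    # Bare file name given: the file may run from any folder.
    return ntpath.basename(candidate) == pathname


def parse_policy(xml_text):
    """Return (mode, [PathName, ...]) from an FSPolicy fragment."""
    root = ET.fromstring(xml_text)
    if root.tag != "FSPolicy":
        raise ValueError("expected an FSPolicy element, got %r" % root.tag)
    mode = root.get("Execute")
    if mode not in ("Allow", "Deny"):
        raise ValueError("Execute attribute must be Allow or Deny, got %r" % mode)
    names = [child.get("PathName") for child in root.findall("Execute")
             if child.get("PathName")]
    return mode, names


def may_execute(xml_text, candidate_path):
    """True if the policy in xml_text lets candidate_path run."""
    mode, names = parse_policy(xml_text)
    listed = any(_matches(name, candidate_path) for name in names)
    # Allow mode: listed files run, nothing else. Deny mode: listed files are
    # blocked, everything else runs (so no children means everything runs).
    return listed if mode == "Allow" else not listed


if __name__ == "__main__":
    for path in (r"c:\windows\system32\telnet.exe", r"c:\tools\putty.exe",
                 r"d:\other\putty.exe", r"c:\windows\system32\cmd.exe"):
        print("%-35s allow-list: %-5s deny-list: %s" % (
            path, may_execute(SAMPLE_ALLOW_POLICY, path),
            may_execute(SAMPLE_DENY_POLICY, path)))
```

Running the block prints one line per candidate path under each sample policy; the putty.exe entry shows the full-path rule (it runs from c:\tools but not from d:\other), and the Deny-mode fragment shows that anything not listed is permitted, which is why step 5 above empties the list rather than adding to it.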

Configuring Secure Workspace to fail open

If you require ISW, endpoint computers with operating systems that are not supported by ISW are denied access to your gateway. Denied endpoint users are given a warning that tells them that they are using an unsupported operating system. The warning message informs them of the supported operating systems and gives the helpdesk/administrator contact information that you supply. If you want to minimize disruption to your users, you should configure Secure Workspace to ‘fail open.’ This means that endpoint users that are not running a supported operating system can still access your network, without Secure Workspace protection. For more information about what operating systems are supported by ISW, see the Integrity Clientless Security Getting Started Guide.

To configure Secure Workspace to fail open:

1. Log into the ICS Administrator Console.


2. Click Gateway Configuration.
3. In the Integrity Secure Workspace Settings area, choose Allow endpoints that can’t run Secure Workspace.
4. Click Save Configuration.

Testing Integrity Secure Workspace

Use the following steps to obtain ISW and test it on an endpoint computer. This allows you to see whether you have correctly configured the application permissions.

To test Integrity Secure Workspace:

1. On the ICS server, go to /ics_server/components.
2. Copy the following files to an endpoint computer:
    - cpsws.dll.gz
    - cpsws.exe.gz
    - cpsws.jpg
    - cpsws.xml.gz
    - cpswsl.xml.gz
    - iswrcs.dll.gz
3. Unzip all of the files.
4. Run cpsws.exe.
5. Try to use the various applications to see if you have correctly configured the permissions.

Chapter 7 Logging and Reports

Use this chapter to configure logging and understand how to use reports to enhance your implementation. This chapter contains the following sections:

• “Logging,” on page 53
    - “Server-side logs,” on page 54
    - “Log and database rotation,” on page 55
    - “Endpoint computer logs,” on page 58
• “Reports,” on page 58
    - “Access Statistics,” on page 59
    - “Security Scan Results,” on page 59
    - “Spyware Found,” on page 59
    - “Rules Broken,” on page 59
    - “Anti-Keylogger,” on page 59
    - “Errors,” on page 60

All instructions and ICS file names used in this chapter are identical for both Apache and IIS Web servers.

Logging

Information about sessions and endpoint scans is stored on the ICS server for analysis, and can be viewed via the ICS Administrator Console. Flow logging on the endpoint computer is done to handle client-side issues and perform troubleshooting.


Server-side logs

Server logging is divided by ICS gateway components: redirection filter, translator script, and scan reporting. Use the following to configure logging:

Redirection Filter component

Use this section to modify your redirection filter component logging.

To modify the redirection filter component logging:

1. Open the ics_config.lua file. The ics_config.lua file is in /ics_server/bin/data/.
2. Modify the following parameters:

Table 7-1: Redirection filter component logging parameters

ics_config.filter_log_file = data_dir .. "apache_filter.log"
    Specifies the name of the redirection filter component log file. If a name is not specified, logs are not written. Note: this file name is identical for both Apache and IIS Web servers.

ics_config.filter_log_level = 1
    Specifies the log level for the redirection filter component. 5 is the highest level of detail and 1 is the lowest. The default is 1.

3. Restart your Web server in order to apply new settings.

Translator script component

Use this section to modify your translator script component logging.

To modify the translator script component logging:

1. Open the ics_config.lua file. The ics_config.lua file is in /ics_server/bin/data/.


2. Modify the following parameters:

Table 7-2: Translator script component logging parameters

ics_config.translator_log_file = data_dir .. "translator.log"
    Specifies the name of the translator script component log file. If a name is not specified, logs are not written.

ics_config.translator_log_level = 1
    Specifies the logging level for the translator script component. 5 is the highest level of detail and 1 is the lowest. The default is 1.

Scan reporting component

Use this section to configure logging for the scan reporting component.

To configure logging for the scan reporting component:

1. Open the report.conf file.

The report.conf file is in /ics_server/bin/data/.

2. Modify the following parameters:

Table 7-3: Scan reporting component logging parameters

log_path = data/report.log
    Specifies the name of the scan reporting component log. If a name is not specified, logs are not written.

log_level = 3
    Specifies the logging level for the scan reporting component. 5 is the highest level of detail and 1 is the lowest. The default is 3.

3. Stop and restart the report daemon report.cgi in order to apply new settings.

Log and database rotation

ICS allows you to truncate server-side logging in order to increase ICS server productivity by archiving and purging old log and database information. When a file reaches the maximum file size, it is saved under a new name (file name and copy number) and the existing file is cleared. This rotation is performed automatically according to the parameters you specify.

Report log and database

Use this section to modify the report log and database rotation.


To set up rotation:

1. Open report.conf.

The report.conf file is in /ics_server/bin/data/.

2. Set the following parameters:

Table 7-4: Report log and database rotation parameters

log_truncate_size = 65535
    Specifies the maximum file size (in bytes) the report log file can reach before truncating. The default is 65535 bytes.

log_truncate_parts = 1
    Specifies the number of files that the archived report log file is split into when the existing file reaches its maximum size. The default is one backup file.

db_path
    Specifies the path to the report database report.db. The ICS installation by default puts this file in the ics_server_bin directory.

db_auto_truncate = 1
    Specifies whether ICS truncates the report database automatically. The default is yes (1). When the report database is 1 GB in size or greater, truncation locks up the database for extended periods. You should set this parameter to “0” and truncate the database manually using the command report.cgi truncate. For best results, schedule truncation once per month, outside normal working hours.

db_truncate_size
    Specifies the maximum file size (in bytes) the report database file can reach before truncating. This parameter is absent by default, which results in no database rotation or truncation by size.

db_truncate_period
    Specifies the maximum amount of time (in 24-hour periods) the report database can run before it is truncated. This parameter is absent by default, which results in no database rotation or truncation by age.

host
    IP address of the reporting IPC. The default is 127.0.0.1. If this default value is used by other services, change this value to any other free valid address.

port
    Port number of the reporting IPC. The default is 3113.

Filter and translator logs

Use this section to modify the filter and translator log rotation.

To set up log rotation:

1. Open ics_config.lua. The ics_config.lua file is in /ics_server/bin/data/.
2. Set the following parameters:

Table 7-5: Filter and translator log rotation parameters

ics_config.filter_log_maxsize = 0
    Specifies the maximum file size (in bytes) the filter log can reach before truncating. This parameter is set to 0 by default, which results in no filter log rotation or truncation by size.

ics_config.filter_log_maxpart = 0
    Specifies the number of backups of the filter log file that will be created when the existing file reaches its maximum size. This parameter is set to 0 by default, which results in no filter log backups.

ics_config.translator_log_maxsize = 0
    Specifies the maximum file size (in bytes) the translator log file can reach before truncating. This parameter is set to 0 by default, which results in no translator log rotation or truncation by size.

ics_config.translator_log_maxpart = 0
    Specifies the number of backups of the translator log file that will be created when the existing file reaches its maximum size. This parameter is set to 0 by default, which results in no translator log backups.
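The rotation behaviour this section describes, as an added example that is not ICS code: a size-based rotation with the same maxsize/maxpart semantics as Table 7-5 (a value of 0 disables rotation; a full live file is renamed to a numbered copy and cleared; only maxpart copies are kept). The numbered-copy file names and the demo's log content are constructed for the example and do not reproduce the ICS naming scheme.

```python
"""Size-based log rotation of the kind the filter and translator
log parameters in Table 7-5 configure.

Added example, not ICS code. It reproduces the behaviour the guide describes:
when a log file reaches its maximum size it is saved under a copy-numbered
name and the live file is cleared, with at most `maxpart` copies kept and a
maxsize or maxpart of 0 disabling rotation. The copy naming used here
(name.log.1, name.log.2, ...) is an assumption, not the ICS naming scheme.
"""
import os
import tempfile


def rotate_if_needed(path, maxsize, maxpart):
    """Rotate `path` when it is at least `maxsize` bytes. Returns True if rotated."""
    if maxsize <= 0 or maxpart <= 0:
        return False                   # 0 disables rotation, as in Table 7-5
    if not os.path.exists(path) or os.path.getsize(path) < maxsize:
        return False
    # Discard the oldest copy, then shift the remaining copies up by one number.
    oldest = "%s.%d" % (path, maxpart)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(maxpart - 1, 0, -1):
        src = "%s.%d" % (path, n)
        if os.path.exists(src):
            os.replace(src, "%s.%d" % (path, n + 1))
    os.replace(path, path + ".1")      # the full live file becomes copy 1
    open(path, "w").close()            # and an empty live file replaces it
    return True


def append_line(path, line, maxsize, maxpart):
    """Append one log line, rotating first if the file has reached maxsize."""
    rotate_if_needed(path, maxsize, maxpart)
    with open(path, "a") as fh:
        fh.write(line + "\n")


def demo():
    """Write constructed log lines with maxsize=60 and maxpart=2.

    Returns (files present, size of the live log) so the effect can be checked:
    each constructed line is 20 bytes, so the live file rotates every third
    line and only two numbered copies survive however many rotations happen.
    """
    folder = tempfile.mkdtemp()
    log = os.path.join(folder, "translator.log")
    for i in range(12):
        append_line(log, "constructed line %02d" % i, maxsize=60, maxpart=2)
    return sorted(os.listdir(folder)), os.path.getsize(log)


if __name__ == "__main__":
    print(demo())
```

With maxpart set to 2 the folder ends up holding translator.log plus exactly two numbered copies no matter how many rotations occur, which is the trade-off the maxpart parameters express: older history is dropped in exchange for a bounded amount of disk.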


Endpoint computer logs

Endpoint computer logs are collected for troubleshooting reasons. By default, endpoint computer logging is shut off. To enable client-side ICS logging, set the system environment variable ICSLOG on the endpoint computer to a number between 1 and 4. 4 is the highest level of detail and 1 is the lowest. The log file, ics.log, is shared between all client components and is located in the user’s temp folder.

Reports

Use the ICS reports to monitor security events occurring on your network. Use the information in these reports to improve your policies, provide better remediation for users, and observe how ICS is protecting your network. ICS includes the following major reports; you can also drill down to detail-level reports:

• “Access Statistics,” on page 59
• “Security Scan Results,” on page 59
• “Spyware Found,” on page 59
• “Rules Broken,” on page 59
• “Anti-Keylogger,” on page 59
• “Errors,” on page 60

Generating Reports

All ICS report pages use the same method to generate reports. Use the following instructions to generate reports, then see the section on that report.

To generate a report:

1. Log into the ICS Administrator Console.
2. Click Reports.
3. Choose your report.
4. Set filtering criteria for the report. For more information on filtering options for each report, see the online Help page for the report.
5. Click Generate Report. The report is generated for all scan events that match the filter criteria you specify.


Access Statistics

Use the Access Statistics report to see what the results were for all the users who attempted to connect to your gateway. Attempted user connections are counted per session, with the session determined by the persistence of the cookie. If a user connects to your gateway, disconnects and reconnects again, that is counted as one connection attempt, unless the cookie has expired. This report shows how many users were compliant with your security rules and what happened to those who were not compliant. Use the legend to see details about the users in each category. You can use the information in this report to refine your policies. If an excessive number of users are being warned, or even restricted, your rules may be too strict or you may not be providing enough remediation information. Use the Rules Broken report to see which rules your endpoint users are having the most trouble with. Once most users are compliant, you can increase your security requirements.

Security Scan Results

The Security Scan Results report shows the total numbers of enforcement rules broken and the total amount of spyware found for each user’s scan. You can use this report to find out why a user was warned or restricted. Using this information, you can then provide remediation information to the user.

Spyware Found

Use the Spyware Found report to see how often particular spyware applications were found on your endpoint computers. If you find that ICS is scanning for a particular spyware application that you want to allow, you can add it to the ignore list. See “Anti-Spyware Scan Rules,” on page 38.

Rules Broken

Use the Rules Broken report to determine which rules are causing your endpoint users the most trouble. This report includes rules that are set to ‘observe’. If a rule is consistently being broken at a high rate, that may indicate that the rule is too strict or that you are not providing enough remediation information for that rule.

Anti-Keylogger

The Anti-Keylogger report shows processes that were flagged by ICS as potentially being keyloggers. This report shows you how ICS protects your network and endpoint users from keyloggers.


Errors

Use the Errors report to view the ICS errors that endpoint users are experiencing when they attempt to connect to your gateway. This report only shows errors when the user connects to the ICS server. To diagnose connection issues due to endpoint configuration, use the ICSInfo utility. See “Troubleshooting endpoint user issues,” on page 61.

Chapter 8 The ICSInfo Utility

The ICSInfo utility collects program and other information from endpoint computers that you can use when creating your policies or troubleshooting user issues. Use the ICSInfo utility to perform the following tasks:

• “Troubleshooting endpoint user issues,” on page 61
• “Obtaining anti-virus application information,” on page 62
• “Obtaining application checksums,” on page 62

Troubleshooting endpoint user issues

If your users are unable to connect to your network, you may need to help them to become compliant. Have your users run the ICSInfo utility to determine what is wrong. The ICSInfo utility provides the following information for supported operating systems:

• Host — Processor, Memory, OS
• User — User Name, Profile location, Groups
• Java — MS-JVM and Sun-JRE versions (and if they are installed)
• Browser — IE version (and if JRE is enabled), current default browser location and version
• Internet Options — The options set in the Internet Options of Internet Explorer (per zone).
• ICS Component — The ICS components currently on the endpoint computer
• Anti-Virus — The anti-virus application information
• Applications/Modules — The applications currently found on the endpoint computer
• Network Preferences — The settings for the installed network adapters


How to troubleshoot endpoint user issues:

1. Have your endpoint user obtain the ICSinfo.exe file. The ICSInfo utility is available in /ics_server/components. You can send this to your user. Alternatively, the user can click the link in certain errors to obtain the file. You can also include it in other errors by customizing the text. See “Configuring the custom text,” on page 70.
2. Have your endpoint user run the ICSinfo.exe file.
3. Have your endpoint user perform the following steps to obtain the icsinfo.xml file:
   a. Run the ICSinfo.exe file.
   b. When prompted, click Browse and select a location to save the icsinfo.xml file.
   c. Click Run. The ICSInfo utility runs and the file is saved to the specified location.
4. Have the endpoint user send the icsinfo.xml file to you for analysis.

Obtaining anti-virus application information

When creating anti-virus enforcement rules, you need to use the correct format for your anti-virus provider information. This format varies from provider to provider. Use the ICSinfo utility to scan a reference computer to obtain the information for all the installed anti-virus programs in the correct format.

To obtain anti-virus application information:

1. Set up a reference computer with your anti-virus applications installed. Be sure to obtain the updates for your anti-virus providers.
2. Obtain the ICSinfo.exe file and copy it to your reference computer. The ICSInfo utility is available in /ics_server/components.
3. Run the ICSInfo.exe file. Using a command prompt, run ICSInfo.exe -avinfo. When you run the ICSInfo utility using this parameter, the ICSInfo utility produces an icsinfo.xml file that contains only anti-virus application information.
4. Check the icsinfo.xml file for the application information.

Obtaining application checksums

Use the ICSInfo utility to obtain checksums for applications. Use these checksums when creating custom application enforcement rules. Since checksums are unique, verifying a file by checksum prevents another file from masquerading as that file.


To obtain application checksums:

1. Set up a reference computer with a trusted copy of the application.
2. Obtain the ICSinfo.exe file and copy it to your reference computer, to the same location as your application. The ICSInfo utility is available in /ics_server/components.
3. Run the ICSInfo.exe file. Using a command prompt, run ICSInfo.exe -fileinfo. When you run the ICSInfo.exe file using this parameter, the ICSInfo utility produces an icsinfo.xml file that contains the version, size, checksum and vendor information for each dll and exe file in the folder.
4. Open the icsinfo.xml file and use the information to create your custom application enforcement rules.
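The checksum step above, as an added example that is not the ICSInfo utility and does not reproduce the icsinfo.xml format: it records a checksum for each .dll and .exe in a reference folder and then checks a candidate copy against the recorded value, so a file with the same name but different contents fails the check. SHA-256 is this example's choice of algorithm (the guide does not say which checksum ICS uses), and the file contents are constructed stand-ins rather than real executables.

```python
"""Compute and verify per-file checksums for application enforcement.

Added example, not the ICSInfo utility and not its icsinfo.xml format.
It does in spirit what the guide describes ICSInfo -fileinfo doing:
hash every .dll and .exe in a folder on a trusted reference machine, then
check a candidate copy against the reference so a renamed or tampered
file cannot pass as the trusted one. SHA-256 is this example's choice;
the guide does not name the checksum algorithm ICS uses.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def folder_checksums(folder):
    """{file name: (size, sha256)} for each .dll and .exe directly inside folder."""
    result = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith((".exe", ".dll")):
            full = os.path.join(folder, name)
            if os.path.isfile(full):
                result[name] = (os.path.getsize(full), sha256_file(full))
    return result


def verify_file(path, expected_sha256):
    """True only if the file content hashes to the reference value.

    The file name is deliberately not consulted: identity comes from the
    hash, which is what stops a look-alike file from masquerading as the
    trusted one."""
    return os.path.isfile(path) and sha256_file(path) == expected_sha256


def demo():
    """Snapshot constructed reference files, then test a tampered look-alike."""
    ref = tempfile.mkdtemp()
    # Constructed stand-ins for binaries; not real executables.
    with open(os.path.join(ref, "app.exe"), "wb") as fh:
        fh.write(b"MZ-constructed-app-v1")
    with open(os.path.join(ref, "helper.dll"), "wb") as fh:
        fh.write(b"MZ-constructed-helper")
    with open(os.path.join(ref, "readme.txt"), "wb") as fh:
        fh.write(b"ignored: not an exe or dll")
    reference = folder_checksums(ref)

    # A masquerading copy: same file name, different content.
    fake = os.path.join(tempfile.mkdtemp(), "app.exe")
    with open(fake, "wb") as fh:
        fh.write(b"MZ-constructed-app-v1-tampered")

    genuine_ok = verify_file(os.path.join(ref, "app.exe"), reference["app.exe"][1])
    fake_ok = verify_file(fake, reference["app.exe"][1])
    return sorted(reference), genuine_ok, fake_ok


if __name__ == "__main__":
    print(demo())
```

The reference snapshot should be taken on the clean reference computer the procedure calls for; a checksum recorded from an already-compromised machine only certifies the compromised file.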


Chapter 9 Customizing the User Interface

You can fully customize the ICS endpoint user interface to make the look and feel match your company’s Web site. Use the instructions in this chapter to perform your customizations. This chapter contains the following topics:

• “Assumptions,” on page 65
• “Customization Methods,” on page 66
• “Customizing ICS,” on page 66
    - “Creating the customization folder,” on page 66
    - “Modifying the CSS file,” on page 67
    - “Modifying the template file,” on page 67
    - “Adding Administrator Contact Information,” on page 68
    - “Changing the logo,” on page 68
    - “Changing the colors,” on page 69
    - “Changing the fonts,” on page 70
    - “Configuring the custom text,” on page 70
• “Style Reference,” on page 70
• “Customizing the Integrity Secure Workspace,” on page 81
    - “Changing message text,” on page 81
    - “Changing the images,” on page 81

Assumptions

This chapter assumes that you have:

• A working knowledge of Cascading Style Sheets (CSS)
• A working knowledge of HTML
• Access to your company’s logos and color palette

Customization Methods

You can customize the ICS user interfaces using the following methods:

• Style sheet — By altering the styles included in the cascading style sheet you can modify the appearance of the ICS user interface. For more information, see “Modifying the CSS file,” on page 67.
• Template File — Use this file to modify text displayed in the ICS user interface. For more information, see “Modifying the template file,” on page 67.
• Administrator Console — You can use the administrator console to specify remediation information and resources for your enforcement rules.

Customizing ICS

Use the CSS file in conjunction with the HTML files to make changes to the Endpoint User Interface. This section provides step-by-step information about how to perform the most common customizations. For reference documentation to help you to understand the style sheet, see “Style Reference,” on page 70.

Creating the customization folder

In order to have your new CSS and TPL files override the defaults, you must place your customized files into a customization folder. Files in this folder will not be overwritten when you upgrade, allowing you to retain your customizations. If you do not specify a customized file in the customization folder, ICS will use the default values. ICS will also use the default values for any values you do not specify in your customized files, so you can include only values you wish to change.

Since the values in the customization folder are retained when you upgrade, your specified values may obscure some changes. To see all the changes in an upgrade, save copies of your customized files in another location, then remove them all from the customization folder. Adjust your customization to the needs of the new version of ICS.

To create the customization folder:

1. Go to /ics_server.
2. Create a folder and name it ‘custom’. This is the customization folder. You must save all your changes to the CSS file to this location.


Modifying the CSS file

Use the custom.css file to modify the look and feel of the ICS user interface. ICS provides you with a default CSS file that you can modify. To make your new CSS file override the settings of the default CSS file, you need to save it in a customization folder.

To modify the CSS file: 1. Create a customization folder. See “Creating the customization folder,” on page 66.

2. Go to /ics_server.

3. Copy scanner.css to the customization folder and save it as custom.css.

4. Open the custom.css file using a CSS editor.

5. Make your changes to the file. You only need to include the classes you want to change. All classes you do not include will use the default settings. When working with your custom.css file, you should set the global classes first, then make any changes needed for specific pages. For detailed information about all the classes contained in the custom.css file, see “Style Reference,” on page 70.

6. Save the custom.css file to the customization folder. Be sure to refresh your browser to see the changes.

Modifying the template file

To modify the template file: 1. Create a customization folder. See “Creating the customization folder,” on page 66.

2. Go to /ics_server/bin/templates/ and copy the messages.tpl file to the customization folder.

3. In the customization folder, open the messages.tpl file using an HTML editor.

4. Make your changes to the file. You only need to include the messages you want to change in this file. Messages you do not change will use the default text. Change only the text contained between the double brackets in this file. Do not change the LUA tags.

5. Save the messages.tpl file to the customization folder.

If you include large images in your HTML, they must be referenced from another server. Serving large images from the ICS server is detrimental to performance.


Adding Administrator Contact Information

It is recommended that you include contact information so your users can get help when they need it. You can modify both the content and the style of this area. Modify the content by changing the messages.tpl file. For information about where to obtain the messages.tpl file and where to save it, see “Modifying the template file,” on page 67.

To add contact information:

1. Open the messages.tpl file in the customization folder using an HTML editor.

2. Add your administrator or user support information. You only need to include the information that you want to change. ICS will use the default values for any items not specified in the customized file.

3. Save the messages.tpl file to the customization folder. You will need to reload the user interface page to see the results.

Optionally, you can also change the font style of this text by modifying the .admin_contact class in the custom.css file. See “Changing the fonts,” on page 70.

Changing the logo

You can replace the ICS logo with your own logo, or turn the branding bar on or off. Use the CSS file to make these changes. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67.

To replace the ICS Logo:

1. Save your logo image to the customization folder. If you want to have a blinking image, save the image that you want to alternate with it to the same location.

2. Open the custom.css file.

3. In the Global Styles section of that file, locate the .message_branding class.

4. Replace ics_message_branding.jpg with the name of your own image.

5. To change the animated icon on the left side, change the .message_branding_icon class as well. You can either remove the icon from the style or replace it with one of your own.

6. Save the custom.css file to the customization folder. You will need to reload the user interface page to see the results.

To turn off the branding bar:

1. Open the custom.css file.


2. In the Global Styles section of that file, create the class ‘.iss_brand’.

3. Set the display value to ‘none’:

display:none;

4. Save the custom.css file to the customization folder. You will need to reload the user interface page to see the results.

Changing the colors

You can change the colors in the ICS endpoint user interface to match your company’s colors. Use the CSS file to make these changes. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67. The following steps give information about changing the basic color scheme. To change the colors of elements not mentioned here, see “Style Reference,” on page 70. Generally, when customizing the interface with your company’s colors, you will need three or four colors or pattern images at a minimum:

• One light color or pattern for the background

• One darker color or pattern for branding and other areas

• One or two medium-saturation colors for headers

To change the basic color scheme:

1. Open the custom.css file.

2. Set the .template_background class background color to your light color or pattern. If you decide to have different backgrounds for some pages, you will need to specify those individually. See “Style Reference,” on page 70.

3. Set the following classes to your darker color or pattern:

- .message_branding

- .report_title

4. Set the following classes to your medium-saturation colors or patterns:

- .requirements_header

- .status_header

- .solutions_header

- .software_header


5. Save the custom.css file to the customization folder.

Changing the fonts

Use the CSS file to change the fonts for the text in the ICS endpoint user interface. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67.

To change the fonts:

1. Open the custom.css file.

2. Set the font style for each class you want to modify. As a minimum, you will want to modify the following classes:

- .message

- .requirements_title

- .permission_title

- .admin_contact

3. Save the custom.css file to the customization folder.
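The logo, branding bar, color and font procedures above all edit classes in custom.css, and the Style Reference later in this chapter marks several classes (.centercell and the Report page message rows and titles) as ones that should not be changed. The following Python script is an added example, not part of this guide or of the ICS product: it parses a custom.css, lists the classes it overrides and the image files it references (each of which has to be saved to the customization folder), and flags overrides of the do-not-modify classes. The sample stylesheet, its color values and the file name acme_branding.jpg are constructed placeholders.

```python
import re

# Classes this chapter's Style Reference says not to change: .centercell holds the
# primary content, and the Report page message rows and titles are "not recommended".
DO_NOT_MODIFY = {
    ".centercell", ".restricted_message", ".warned_message", ".pass_message",
    ".restricted_message_title", ".warning_message_title", ".pass_message_title",
}

# Constructed sample custom.css following the logo, branding bar, color and font steps.
# The colors and acme_branding.jpg are made-up placeholders, not values from the guide.
SAMPLE_CSS = """
/* Global Styles */
.iss_brand { display: none; }
.message_branding { background-image: url(acme_branding.jpg); }
.template_background { background-color: #eef3f8; }
.message_branding, .report_title { background-color: #1f3a5f; color: #ffffff; }
.requirements_header, .status_header,
.solutions_header, .software_header { background-color: #3b6ea5; color: #ffffff; }
.message, .requirements_title, .permission_title, .admin_contact { font-family: Verdana, sans-serif; }
.centercell { width: 900px; }   /* should not be overridden */
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


def parse_css(text):
    """Return {selector: {property: value}} for a plain stylesheet (no nesting, no @-rules).
    Comments are stripped and grouped selectors are split so each class is listed once."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    rules = {}
    for selector_group, body in RULE_RE.findall(text):
        declarations = {}
        for declaration in body.split(";"):
            if ":" in declaration:
                prop, value = declaration.split(":", 1)
                declarations[prop.strip().lower()] = value.strip()
        for selector in selector_group.split(","):
            selector = selector.strip()
            if selector:
                rules.setdefault(selector, {}).update(declarations)
    return rules


def referenced_files(rules):
    """Every file named in a url() value; each one has to be in the customization folder."""
    found = set()
    for declarations in rules.values():
        for value in declarations.values():
            found.update(URL_RE.findall(value))
    return sorted(found)


def lint_custom_css(css_text):
    """Return (overridden classes, referenced files, problems) for a custom.css."""
    rules = parse_css(css_text)
    problems = [f"{sel}: overridden, but the Style Reference says not to modify it"
                for sel in rules if sel in DO_NOT_MODIFY]
    display = rules.get(".iss_brand", {}).get("display")
    if display is not None and display.lower() != "none":
        problems.append(".iss_brand: display must be 'none' to turn off the branding bar")
    return sorted(rules), referenced_files(rules), problems


if __name__ == "__main__":
    classes, files, problems = lint_custom_css(SAMPLE_CSS)
    print("classes overridden:", ", ".join(classes))
    print("files to place in the customization folder:", ", ".join(files))
    for problem in problems:
        print("problem:", problem)
```

To check a real file, pass the contents of custom.css to lint_custom_css and compare the returned file list with the contents of the customization folder before reloading the user interface page.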

Configuring the custom text

Use the resource pages to configure the custom text. At a minimum, you will want to customize the following:

• The administrator contact information

• Scan Text

Style Reference

Use this reference to understand the classes included in the ICS style sheet. This reference only defines classes that are specific to ICS. Standard classes are not defined here. This section is organized by page. It contains classes for the following pages:

• “Global Pages,” on page 71.

• “Error Page,” on page 74.

• “Scanning Page,” on page 74.

• “Report page - General,” on page 75.

• “Report Page - Message Table,” on page 76.

• “Report Page - Report Wrapper Layout,” on page 78.


• “Reports Page - Requirements,” on page 78.

• “Reports Page - Status,” on page 79.

• “Reports Page - Suggestions,” on page 80.

Global Pages

Global page classes apply to all the ICS user interface pages, except the ISW pages. You should modify these classes first, as these styles are inherited by the other ICS pages.

Figure 9-1: Global Classes


Figure 9-2: Global Classes

.links Use this class to control the style for the links in the user interface.

.template_background Use this class to change the background behind all the ICS panels. As a default, ICS provides the image file ‘integrity_brand_pattern.gif’. If you change this to another image, be sure to host that image on another server. If you want to change just the background for a particular page, see the .background class for that page.

.iss_brand Use this class to control whether or not the branding bar is displayed at the top of the general ICS pages. To disable ICS branding, set the display value to ‘none’. See “Changing the logo,” on page 68. This applies only to general ICS branding. Integrity Secure Workspace branding is not affected by this class and cannot be disabled.

.message_branding Use this class to control the style of the branding bar at the top of the general ICS pages. By default, this class displays the image ics_message_branding.jpg. If you need to change the logo for Integrity Clientless Security, see “Changing the logo,” on page 68. If you change the style for this class you may also want to change the .message_branding_icon class as well. This class controls the blinking icon on the left side.

.message_branding_icon Use this class to control the scanning animation that appears in the branding bar for Integrity Clientless Security. By default this is set to use the iss_logo_animation.gif image.

.ICS_inside Use this class to control the cell that contains the entire ICS user interface.

.topcell The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears above the primary content area. Use this class to modify the size and other attributes of this cell.

.leftcell The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears to the left of the primary content area. Use this class to modify the size and other attributes of this cell.

.centercell This cell contains the primary content of the ICS pages. Do not modify the values in this cell.

.bottomcell The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears below the primary content area. Use this class to modify the size and other attributes of this cell.

.admin_contact Use this class to control the appearance of the administrator contact information. To change the content of this area, see “Adding Administrator Contact Information,” on page 68.

.cell_space Use this class to control a spacer cell used in some pages.

.ics_button Use this class to control the appearance of all the buttons in the endpoint user interface. If you want to change the buttons on a specific page, see the section on that page.

.error_buttons Use this class to control the table cell that contains the buttons.

.info_message Use this class to control the table row that the message appears in for ICS messages.

.info_message_title Use this class to control the message that appears at the top of some ICS messages.

.message_table Use this class to control the appearance of message boxes in the user interface.


.message Use this class to control the table cell that contains the main body of the ICS page.

.message_icon Use this class to control the cell that contains the icons for warning, restriction, and caution.

.odd_row Use this class to control the appearance of all the odd-numbered rows in columns. This class does not apply to the Reports page.

Error Page

If your endpoint users experience difficulty in downloading and running the scanner, they will see the Error page. Use these classes to control the appearance of the Error page.

Figure 9-3: Error Page Classes

.background_branding_error Use this class to change the background behind the Error page panels. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

Scanning Page

Your endpoint users see the scanning page while ICS is scanning their computer. Use the classes in this section to control the appearance of this page.


Figure 9-4: Scanning Page Classes

.background_branding_scanning Use this class to change the background behind the Scanning page panel. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

.scan_message Use this class to control the table cell that contains the scan message text.

.scan_graphic Use this class to insert a graphic on the scanning page. You might want to use an animated graphic here to show that the scan is still running.

.scan_text Use this class to insert scrolling text into the scanning page.

Report page - General

The Report page shows your users what security rules they have violated and provides links to remediation information. Use the classes in this section to control the appearance of this page.


Figure 9-5: General Report Page Classes

.background_branding_report Use this class to change the background behind the Report page panels. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

.message_table Use this class to control the appearance of the upper message box on the Report page. This is a global class. See “.message_table,” on page 73.

.report_wrapper Use this class to control the appearance of the lower message box on the Report page.

Report Page - Message Table

The Message table contains message text displayed to users. Use the classes in this section to control the appearance of this page.


Figure 9-6: Report Page Message Table Classes

.restricted_message Use this class to control the appearance of the table row containing the message that appears at the top of Report page when the user has failed the scan and is restricted. Changing this class is not recommended.

.warned_message Use this class to control the appearance of the table row containing the message that appears at the top of Report page when the endpoint user has failed the scan, but is allowed to continue. Changing this class is not recommended.

.pass_message Use this class to control the appearance of the table row containing the message that appears at the top of Report page when the endpoint user has passed the scan. Changing this class is not recommended.

.restricted_message_title Use this class to control the appearance of the table cell containing the message that appears at the top of Report page when the user has failed the scan and is restricted. Changing this class is not recommended.

.warning_message_title Use this class to control the appearance of the table cell containing the message that appears at the top of Report page when the user has failed the scan, but is allowed to continue. Changing this class is not recommended.

.pass_message_title Use this class to control the appearance of the table cell containing the message that appears at the top of Report page when the user has passed the scan. Changing this class is not recommended.

.report_buttons Use this class to control the table cell that contains the buttons on the report page.

Report Page - Report Wrapper Layout

The Report Wrapper Layout displays the results of security scans. Use the classes in this section to control the appearance of this page.

Figure 9-7: Report Page Report Wrapper Layout

.report_title_wrapper Use this class to control the appearance of the title bar on the lower message box on the Report page. If you change the background color of the title bar, you may want to change the text color as well. The .report_title class controls the text color.

.report_title Use this class to control the appearance of the text in the title bar on the lower message box on the Report page.

.report_table Use this class to control the appearance of the lower report box on the Report page. Generally, this color is inherited by even numbered rows to allow alternating colors for the rows.

Reports Page - Requirements

The Requirements section lists required anti-virus, anti-spyware, and firewall applications. Use the classes in this section to control the appearance of this page.


Figure 9-8: Reports Page Requirements Classes

.requirements_header Use this class to control the appearance of the header of the Security Requirements column.

.requirements_item Use this class to control the appearance for items in the security requirements column. If you do not set ICS to check for a particular requirement type, the row for that requirement type is not shown. Because this causes the arrangement of the requirement types to vary, you cannot customize these tables to show alternating row colors.

Reports Page - Status

The Status section shows your users what security rules they have violated and provides links to remediation information. Use the classes in this section to control the appearance of this page.

Figure 9-9: Reports Page Status Classes

.status_header Use this class to control the appearance of the header of the Security Status column. If you change the background color of the header background, you may want to change the text color as well.

.status_icon Use this class to change the table cells containing the status icon.

.status_item Use this class to control the appearance of the even-numbered items in the Security Status column. Odd-numbered items are controlled by the global class, ‘.odd_row’. See page 74.

.status_item_restricted Use this class to change the table cells containing the restricted security status items.

.status_item_warned Use this class to change the table cells containing the warned security status items.

.status_item_passed Use this class to change the table cells containing the passed security status items.

Reports Page - Suggestions

The Suggestions section displays links to supplemental remediation information. Use the classes in this section to control the appearance of this page.

Figure 9-10: Reports Page Suggestions Classes

.suggestions_header Use this class to control the appearance of the header of the Solutions column. If you change the background color of the header background, you may want to change the text color as well.

.suggestions_item Use this class to control the appearance of the even-numbered items in the Solutions column. Odd-numbered items are controlled by the global class, .odd_row. See page 74.

Customizing the Integrity Secure Workspace

You can customize the ISW by supplying alternative image files and by modifying the XML file that contains the messages that endpoint users see. These files are downloaded to the endpoint computer and used in the ISW user interface. In order to override the default XML and image files, you must be sure to save your files in the customization folder. See “Creating the customization folder,” on page 66.

Changing message text

You can modify the text of messages that endpoint users see in ISW.

To change message text:

1. Open the CPSWSI.xml.gz file.

The CPSWSI.xml.gz file is located in /ics_server/components.

2. Extract the CPSWSI.xml file and copy it to the customization folder as ISW_customl.xml.

3. Modify the messages. Be sure to modify only the text of the messages; do not modify the XML tags.
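For step 3, where only the message text may change and the XML tags must stay as they are, the following Python script is an added example (not code from this guide or from Check Point). It decompresses CPSWSI.xml.gz in memory, replaces message text by element id, and refuses to produce output whose tag and attribute structure differs from the original, then saves the result as ISW_customl.xml. The element names <messages> and <message>, the id attribute, and the sample text are assumptions; the real file's schema is not described on this page.

```python
import gzip
import io
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample standing in for CPSWSI.xml. The real file's element names are
# not documented here, so <messages>/<message id="..."> is an assumed structure.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<messages>\n"
    b'  <message id="welcome">Welcome to the Secure Workspace.</message>\n'
    b'  <message id="exit_prompt">Do you want to leave the Secure Workspace?</message>\n'
    b"</messages>\n"
)


def make_sample_gz():
    """Gzip the constructed sample so the demo mirrors CPSWSI.xml.gz on disk."""
    return gzip.compress(SAMPLE_XML)


def read_message_xml(gz_bytes):
    """Decompress CPSWSI.xml.gz in memory and return the raw XML bytes (step 1)."""
    with gzip.open(io.BytesIO(gz_bytes), "rb") as f:
        return f.read()


def tag_skeleton(xml_bytes):
    """Element names and attributes in document order, with all text dropped.
    Two documents with the same skeleton differ only in their text content."""
    root = ET.fromstring(xml_bytes)
    return [(el.tag, tuple(sorted(el.attrib.items()))) for el in root.iter()]


def customize_messages(xml_bytes, replacements):
    """Replace the text of <message> elements whose id is a key of `replacements`.
    Returns (new_xml_bytes, number_of_messages_changed)."""
    root = ET.fromstring(xml_bytes)
    changed = 0
    for el in root.iter("message"):
        new_text = replacements.get(el.get("id"))
        if new_text is not None:
            el.text = new_text
            changed += 1
    out = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    if tag_skeleton(out) != tag_skeleton(xml_bytes):
        raise ValueError("tag structure changed; only message text may be edited")
    return out, changed


def structure_unchanged(original_xml, custom_xml):
    """True when the customized file keeps every tag and attribute of the original."""
    return tag_skeleton(original_xml) == tag_skeleton(custom_xml)


def write_custom_file(custom_xml, customization_folder):
    """Save the result as ISW_customl.xml in the customization folder (step 4)."""
    dest = Path(customization_folder) / "ISW_customl.xml"
    dest.write_bytes(custom_xml)
    return dest


if __name__ == "__main__":
    original = read_message_xml(make_sample_gz())
    custom, n = customize_messages(original, {"welcome": "Welcome to the ACME Secure Workspace."})
    print(f"{n} message(s) changed; structure unchanged: {structure_unchanged(original, custom)}")
```

Used against the real file, read_message_xml takes the bytes of /ics_server/components/CPSWSI.xml.gz, and structure_unchanged can be run on an ISW_customl.xml that was edited by hand to confirm that no tag was touched before the file is deployed.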

4. Save the ISW_customl.xml file.

Changing the images

In order to change the appearance of the ISW, place image files into the customization folder. If you do not put images into this folder, ISW will use the default images.


To change the images:

1. Place one or more of the following images into the customization folder. Some images must be of a specified size.

Table 9-1: Customization images

File Name: ISW_background.jpg
Size (in pixels): 1280x1024 (default)
Description: The background image for ISW. This image is stretched to form the desktop background on the endpoint computer while ISW is running.

File Name: ISW_start_menu.bmp
Size (in pixels): 43x130 (required)
Description: The image for the Start menu in the ISW.

File Name: ISW_dlg_title.bmp
Size (in pixels): 600x68 (required)
Description: The image in the header of the messages in ISW.

File Name: ISW_icon_secured.ico
Size (in pixels): N/A
Description: The ISW icon that appears in the system tray while the user is working in the Secure Workspace. The endpoint user clicks this icon to switch to the regular workspace.

File Name: ISW_icon_unsecured.ico
Size (in pixels): N/A
Description: The ISW icon that appears in the system tray while the user is working in the regular workspace. The endpoint user clicks this icon to switch to the secure workspace.
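Two of the files in Table 9-1 have required sizes, and a wrong size is only discovered once the image has reached an endpoint. As an added check that is not part of this guide or of the ICS product, the following Python script reads the dimensions directly from BMP and JPEG file headers and compares them with the table before the files are copied into the customization folder. The sizes are interpreted as width x height, which is an assumption about the table's notation, and the sample files are constructed minimal headers rather than real images.

```python
import struct

# Sizes from Table 9-1, read as width x height (an assumption about the table's notation).
REQUIRED_SIZES = {
    "ISW_start_menu.bmp": (43, 130),
    "ISW_dlg_title.bmp": (600, 68),
}
# The background is stretched by ISW, so a different size is reported but is not an error.
DEFAULT_SIZES = {"ISW_background.jpg": (1280, 1024)}

# JPEG start-of-frame markers (SOF0..SOF15 except DHT, JPG and DAC, which share the range).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def bmp_size(data):
    """Width and height from the BITMAPINFOHEADER that follows the 14-byte BMP file header."""
    if len(data) < 26 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    width, height = struct.unpack_from("<ii", data, 18)
    return width, abs(height)  # a negative height only means top-down row order


def jpeg_size(data):
    """Walk the marker segments until a start-of-frame segment gives the frame size."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker segment")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length field
            continue
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if marker in SOF_MARKERS:     # length(2) precision(1) height(2) width(2)
            height, width = struct.unpack_from(">HH", data, pos + 5)
            return width, height
        pos += 2 + seg_len
    raise ValueError("no start-of-frame segment found")


def image_size(name, data):
    """Dispatch on file extension; the .ico files have no fixed size in the table."""
    lower = name.lower()
    if lower.endswith(".bmp"):
        return bmp_size(data)
    if lower.endswith((".jpg", ".jpeg")):
        return jpeg_size(data)
    return None


def check_customization_images(files):
    """`files` maps file name -> file bytes. Returns (problems, notes); an empty
    problems list means every required image present has the size Table 9-1 demands."""
    problems, notes = [], []
    for name, expected in REQUIRED_SIZES.items():
        if name not in files:
            continue  # absent files are fine: ISW falls back to its default image
        try:
            actual = image_size(name, files[name])
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        if actual != expected:
            problems.append(f"{name}: size {actual[0]}x{actual[1]}, required {expected[0]}x{expected[1]}")
    for name, expected in DEFAULT_SIZES.items():
        if name in files:
            actual = image_size(name, files[name])
            if actual != expected:
                notes.append(f"{name}: size {actual[0]}x{actual[1]} will be stretched to {expected[0]}x{expected[1]}")
    return problems, notes


def sample_bmp(width, height):
    """Constructed minimal BMP header (no pixel data) for demonstration only."""
    return b"BM" + bytes(12) + struct.pack("<Iii", 40, width, height)


def sample_jpeg(width, height):
    """Constructed minimal JPEG: SOI followed by a baseline SOF0 segment, no image data."""
    return b"\xff\xd8\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 3)


if __name__ == "__main__":
    folder = {"ISW_start_menu.bmp": sample_bmp(43, 130), "ISW_dlg_title.bmp": sample_bmp(600, 70)}
    problems, notes = check_customization_images(folder)
    print("problems:", problems)
    print("notes:", notes)
```

To check a real customization folder, build the files dictionary from the folder contents (for example with pathlib, reading each file's bytes) and deploy only when the problems list is empty.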
