Integrity Clientless Security 1-0230-0410-2006-11-17 Administrator Guide Version 4.1

© 2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

TRADEMARKS:

All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Contents

Preface
  About this Guide
  Other Documentation
  Feedback

Chapter 1 Introduction
  Integrity Clientless Security Features
    Integrity Clientless Security Scanner
    Advanced Anti-Keylogger
    Integrity Secure Workspace
  Reports
  ICSInfo Utility
  Customization
  Installing and Upgrading ICS

Chapter 2 Upgrading and Reconfiguring ICS
  Upgrade Installation Process
  Uninstallation Process
  Reconfiguration Processes
    Configuring ICS to receive software updates
    Moving ICS to another server
    Changing the protected gateway
    Relocating the Administrator Console

Chapter 3 General Administration Tasks
  Planning for Security
    Security scenarios
    Understanding Security Lifecycles
    Supporting the Endpoint User
  Logging In
  Configuration Workflow
  General Administration Tasks
    Configuring ICS to fail open
    Configuring updates

Chapter 4 Administering Security Scanner Policies
  Understanding Integrity Clientless Security Scanner
  Implementing Policies
  Understanding Enforcement Rules
    Enforcement Rule Types
    Firewall Application Rules
    Anti-virus Application Rules
    Anti-Spyware Scan Rules
    Custom Application Rules
    Custom Group Rules
  Creating Policies
  Activating Policies

Chapter 5 Administering Advanced Anti-Keylogger
  Understanding Keylogger Protection
  Administering ICS Advanced Anti-Keylogger
    Activating ICS Advanced Anti-Keylogger
    Configuring Advanced Anti-Keylogger to fail open
    Monitoring Advanced Anti-Keylogging

Chapter 6 Administering Integrity Secure Workspace
  Understanding Integrity Secure Workspace
    Supported Applications
  Administering Integrity Secure Workspace
    Configuring and Activating ISW
    Configuring ISW permissions
    Configuring Secure Workspace to fail open
  Testing Integrity Secure Workspace

Chapter 7 Logging and Reports
  Logging
    Server-side logs
    Log and database rotation
    Endpoint computer logs
  Reports
    Generating Reports
    Access Statistics
    Security Scan Results
    Spyware Found
    Rules Broken
    Anti-Keylogger
    Errors

Chapter 8 The ICSInfo Utility
    Troubleshooting endpoint user issues
    Obtaining anti-virus application information
    Obtaining application checksums

Chapter 9 Customizing the User Interface
  Assumptions
  Customization Methods
  Customizing ICS
    Creating the customization folder
    Modifying the CSS file
    Modifying the template file
    Adding Administrator Contact Information
    Changing the logo
    Changing the colors
    Changing the fonts
    Configuring the custom text
  Style Reference
  Customizing the Integrity Secure Workspace
    Changing message text
    Changing the images

Index

Preface

This preface provides an overview of Integrity Clientless Security (ICS) documentation.

It contains the following topics:

“About this Guide,” on page 9

“Other Documentation,” on page 9

About this Guide

The Integrity Clientless Security Administrator Guide provides:

Installation instructions

Administration information, including background and task-oriented administrative procedures

Endpoint user interface customization instructions

Information about using the various utilities included with Integrity Clientless Security

Please make sure you have the most up-to-date version of this guide for the version of Integrity Clientless Security that you are using. Versions are available from the Check Point User Center Web site.

Before using this document to administer Integrity Clientless Security, you should read and understand the information in the Readme. See “Readme,” on page 10.

Other Documentation

You should familiarize yourself with the other documentation that is available for Integrity Clientless Security.

Online Help

The online help provides the field-level information you need to understand the UI elements in the ICS Administrator Console. The online help includes detailed information about what each element does and what entries are valid. Use the online help after reading the procedural information in the ICS Administrator Guide. You can access the help from any page in the ICS Administrator Console by clicking the help link.

Readme

A readme file is included with ICS. It includes information about what is new in this release, as well as known issues and workarounds. You should also check the Check Point User Center Web site to make sure you have the most recent version of this document.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]

Chapter 1 Introduction

Check Point Integrity™ Clientless Security (ICS) protects your network by scanning endpoint computers, providing advanced anti-keylogging protection, and creating a secure workspace for your users. Use it to do the following:

Check endpoint computers for known spyware, worms, and other potential threats

Check that endpoint computers are compliant with your anti-virus, firewall, and other software policies

Protect data on endpoint computers from keyloggers

Protect your organization’s data by providing an encrypted and firewall-protected workspace on the endpoint computer

This chapter contains the following topics:

“Integrity Clientless Security Features,” on page 11

“Reports,” on page 13

“ICSInfo Utility,” on page 13

“Customization,” on page 13

“Installing and Upgrading ICS,” on page 13

Integrity Clientless Security Features

ICS consists of several features, each providing a unique type of security protection. You can choose which features to implement. This section provides an overview of these features.

Integrity Clientless Security Scanner

Use the Integrity Clientless Security Scanner policies to make sure that endpoint computers connecting to your network meet your security requirements. The Integrity Clientless Security Scanner checks endpoint computers for applications according to the enforcement rules you create. Enforcement rules either prohibit or require certain applications. If the endpoint computer does not meet the requirements of the enforcement rule, it is considered to be ‘non-compliant’. You can choose to restrict or warn non-compliant users or simply log the event. For more detailed information about enforcement rules, see “Understanding Enforcement Rules,” on page 34.

Advanced Anti-Keylogger

Use the Advanced Anti-Keylogger feature to protect your organization’s data against malicious programs that record keyboard activity while your endpoint users are logged into your network. For more detailed information about Advanced Anti-Keylogger, see “Understanding Keylogger Protection,” on page 43.

Integrity Secure Workspace

Use the Integrity Secure Workspace to protect your company’s sensitive data while your endpoint users are connected to your network. Many organizations make sensitive documents available to endpoint users who are logged onto their network. Integrity Secure Workspace protects the data while your endpoint user works with it, encrypts it when it is saved locally, and deletes it from the endpoint computer upon logoff. For more information, see “Understanding Integrity Secure Workspace,” on page 47.

Reports

Use reports to monitor how ICS is protecting your network and to plan new policies. For more information about reports, see “Logging and Reports,” on page 53.

ICSInfo Utility

ICS includes the ICSInfo Utility. The ICSInfo utility collects program and other information from endpoint computers that you can use when creating your policies or troubleshooting user issues. See “The ICSInfo Utility,” on page 61.

Customization

You can customize the endpoint user interface to match your company’s Web site. You can also embed the ICS interface in your Web site. See “Customizing ICS,” on page 66.

Installing and Upgrading ICS

For instructions on how to install ICS, see the ICS Getting Started Guide. For instructions on how to upgrade or reconfigure an existing ICS application, see “Upgrading and Reconfiguring ICS” in this document.

Chapter 2 Upgrading and Reconfiguring ICS

For instructions on how to perform a new installation of ICS, see the ICS Getting Started Guide.

This chapter contains the following topics:

“Upgrade Installation Process,” on page 16

“Uninstallation Process,” on page 17

“Reconfiguration Processes,” on page 18

Upgrade Installation Process

Use the following instructions to upgrade an older version of ICS to the current release version.

To upgrade ICS from release 4.0 or 4.0 HFA1 to the current release version

1. Stop your Web server application.

2. Stop all running instances of the report.cgi application.

3. Remove the ISAPI filter for ICS from your Web Site properties (IIS only).

4. Copy the policy.xml file from /bin/data to a temporary directory.

5. Extract the files to the directory where you want to install ICS.

6. Install the current version of ICS.

For installation instructions, see the Integrity Clientless Security Getting Started Guide.

7. Copy the policy.xml file from the temporary directory to /bin/data.

8. Change directories to ics_server/bin and perform the appropriate command for your operating system:

Linux: db_upgrade.sh

Windows: report.cgi convert

This step updates the scan reporting database report.db. This process may last up to several hours, depending on your server hardware and the size of the report database.
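
The policy.xml hand-off in steps 4 and 7, as an added shell example (not part of the Check Point guide or of ICS itself): it records a SHA-256 digest when the policy is copied out and refuses to restore a backup whose digest no longer matches. The function names are hypothetical, and the script assumes that the guide's /bin/data means <ics_server>/bin/data.

```shell
#!/bin/sh
# Added example, not Check Point code. Function names are hypothetical.
# Assumption: policy.xml lives in <ics_root>/bin/data, where <ics_root>
# is the ics_server directory.

# Print the hex SHA-256 digest of a file.
ics_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 4: copy policy.xml to a private backup directory and record its digest.
# usage: ics_backup_policy <ics_root> <backup_dir>
ics_backup_policy() {
    ics_root=$1
    backup_dir=$2
    src="$ics_root/bin/data/policy.xml"
    [ -f "$src" ] || { echo "no policy.xml at $src" >&2; return 1; }
    # The policy is security configuration: keep the copy owner-only.
    ( umask 077 && mkdir -p "$backup_dir" ) || return 1
    chmod 700 "$backup_dir" || return 1
    cp -p "$src" "$backup_dir/policy.xml" || return 1
    ics_sha256 "$src" > "$backup_dir/policy.xml.sha256" || return 1
    # Confirm the copy matches the digest of the file that was in force.
    [ "$(ics_sha256 "$backup_dir/policy.xml")" = "$(cat "$backup_dir/policy.xml.sha256")" ] || {
        echo "backup copy does not match source" >&2
        return 1
    }
}

# Step 7: put policy.xml back after the new version is installed.
# Returns 2 if the backup changed while it sat in the temporary directory
# or if the restored file does not match the recorded digest.
# usage: ics_restore_policy <ics_root> <backup_dir>
ics_restore_policy() {
    ics_root=$1
    backup_dir=$2
    dst_dir="$ics_root/bin/data"
    want=$(cat "$backup_dir/policy.xml.sha256" 2>/dev/null) || {
        echo "no recorded digest in $backup_dir" >&2
        return 1
    }
    [ -d "$dst_dir" ] || { echo "no $dst_dir; install ICS first" >&2; return 1; }
    [ "$(ics_sha256 "$backup_dir/policy.xml")" = "$want" ] || {
        echo "backup policy.xml was modified after it was saved" >&2
        return 2
    }
    cp -p "$backup_dir/policy.xml" "$dst_dir/policy.xml" || return 1
    [ "$(ics_sha256 "$dst_dir/policy.xml")" = "$want" ] || {
        echo "restored policy.xml does not match recorded digest" >&2
        return 2
    }
}

# Command-line use: <script> backup|restore <ics_root> <backup_dir>
if [ "$#" -eq 3 ]; then
    case $1 in
        backup)  ics_backup_policy "$2" "$3"; exit $? ;;
        restore) ics_restore_policy "$2" "$3"; exit $? ;;
        *) echo "usage: $0 backup|restore <ics_root> <backup_dir>" >&2; exit 64 ;;
    esac
fi
```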

To upgrade ICS from release 3.7 to the current release version

1. Stop your Web server application.

2. Remove the ISAPI filter for ICS from your Web site properties (IIS only).

3. Copy the enforcement_rules.xml file from /sre/data to a temporary directory.

4. Change directories to the ICS 3.7 server location and run the command:

uninstall.sre.bat

This uninstalls the ICS 3.7 application.

5. Extract the installation files to the directory where you want to install ICS 4.1.

6. Install the current version of ICS.

For installation instructions, see the Integrity Clientless Security Getting Started Guide.


7. Move the enforcement_rules.xml file from the temporary directory where you saved it to the ics_server/ctool directory.

This step does not migrate anti-spyware rules; you must recreate them in the Administrator Console.

8. Open the ICS Administrator Console, then click either Policies or Enforcement Rules.

You will receive a message stating that the old policy has been found and that it will be migrated.

9. Perform the following steps:

a. Open the Policies or Enforcement Rules page and check that your saved policies have been copied over correctly.

Due to restrictions in the Custom Rules format in ICS 4.1 (such as file path and registry format), some rules that were valid in ICS 3.7 may be invalid in ICS 4.1. If you created your own enforcement rules in ICS 3.7 and imported them into ICS 4.1, those rules must be recreated and saved in the ICS 4.1 Enforcement Rules page.

b. Click Save Configuration.

c. Close the ICS Administrator Console.

d. Change directories to ics_server/ctool and remove the enforcement_rules.xml file.

Uninstallation Process

Use the following instructions to uninstall ICS.

To uninstall ICS

1. Stop the Web server.

2. Stop all running instances of report.cgi.

3. If you are running Apache Web server, remove the ics-apache.conf configuration from the Apache configuration (from httpd.conf or from the automatically included sub-folders).

4. If you are running Microsoft IIS, perform the following steps:

a. Remove the Virtual Directory which you created for ICS.

b. Remove ics_filter.dll from the ISAPI filters for your Web server.

The protected gateway URL must be the same as the one protected by the ICS 3.7 installation.


c. Remove the Web Service Extension which you created for ICS (for IIS 6.0 only).

d. Remove the .tpl file extension MIME type which you created for ICS (for IIS 6.0 only).

5. Delete the ics_server folder.

6. Restart the Web server.

Reconfiguration Processes

If needed, you can use parameters to reconfigure ICS after the initial installation. Use the reconfiguration parameters to:

Configure ICS to receive software updates. See “Configuring ICS to receive software updates,” on page 18.

Move ICS to another server. See “Moving ICS to another server,” on page 19.

Change the protected gateway. See “Changing the protected gateway,” on page 20.

Relocate the Administrator Console. See “Relocating the Administrator Console,” on page 20.

Configuring ICS to receive software updates

To configure ICS to receive software updates, you must:

Download a license file for ICS.

Set the ALL_PROXY variable.

Downloading a license file for ICS

ICS requires a valid license file in order to download software updates.

To download a license file

1. Sign up for a Check Point User Center account at https://usercenter.checkpoint.com.

You will be provided a user ID and password. Save them for future reference.

2. In the Check Point User Center, activate your ICS product.

The User Center generates a unique license file cp.lic.

3. Download the cp.lic license file from the Check Point User Center and save it to:

<ics_server>/bin/data/cp.lic


4. Ensure that the Apache Web server has read permission for cp.lic.

Setting the ALL_PROXY variable

The ICS server requires access to the Internet for software updates. ICS includes the CURL library for external HTTP communication. If you use a proxy server for Internet access, you must set the ALL_PROXY environment variable.

To set the ALL_PROXY environment variable

1. Get the name and port number of the proxy server.

You will need this information for the ALL_PROXY variable.

2. Define the variable by using one of the following methods:

Table 2-1: ALL_PROXY Definition Methods

Method | Web Server/OS | Reboot required? | Server restart required?
--- | --- | --- | ---
Define ALL_PROXY in the .htaccess file in the /ics_server/bin folder. | Apache only | No | No
Define ALL_PROXY in the httpd.conf configuration file for the Apache server. | Apache only | No | Yes
Export the definition as a global environment variable. | Windows only | Yes | N/A
Define ALL_PROXY in the Environment Variables | Windows only | Yes | N/A

Moving ICS to another server

Use the following instructions to move the ICS server to another location. This location must be on the same server computer as the Apache Web server.

To move the ICS server:

1. In the new location, run the executable with the ‘reconfigure’ parameter.

Linux servers: install.sh reconfigure

Windows servers: install.exe reconfigure

2. If you are using Apache, add the content of the new ics-apache.conf file to the Apache Web server configuration file.

Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.

3. If you are using Internet Information Services, restart the Web server.

Changing the protected gateway

Use the instructions in this section if you need to reconfigure ICS to protect a different gateway. The gateway must be on the same server computer as the Apache Web server.

To change the protected gateway:

1. In the new location, run the executable with the ‘portal_url’ parameter and the URL of the new portal.

Linux servers: install.sh portal_url http://www.<your new portal url>

Windows servers: install.exe portal_url http://www.<your new portal url>

2. If you are using Apache, add the contents of the new ics-apache.conf file to the Apache Web server configuration file.

Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.

3. If you are using Internet Information Services, restart the Web server.

Relocating the Administrator Console

Use the instructions in this section to change the ICS Web location. This is the location that administrators use to access the Administrator Console.

To relocate the Administrator Console:

1. In the new location, run the executable with the ‘ics_url’ parameter and the URL of the new portal.

Linux servers: install.sh ics_url http://www.<your new Web location URL>

Windows servers: install.exe ics_url http://www.<your new Web location URL>

If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.


2. Add the contents of the new ics-apache.conf file to the Apache Web server configuration file.

Either use the ‘include’ directive or copy the ics-apache.conf file to the folder that was automatically included by Apache during configuration.

If Virtual Host entries are set up in your Apache configuration, then you must add the first three lines (starting with ‘Rewrite’) from ics-apache.conf into every Virtual Host entry that corresponds to a portal you are going to protect with ICS.

Chapter 3 General Administration Tasks

This chapter provides information about the general administration of ICS. It contains the following topics:

“Planning for Security,” on page 23

“Security scenarios,” on page 24

“Understanding Security Lifecycles,” on page 28

“Supporting the Endpoint User,” on page 29

“Logging In,” on page 30

“Configuration Workflow,” on page 30

“General Administration Tasks,” on page 31

“Configuring ICS to fail open,” on page 31

“Configuring updates,” on page 31

Planning for Security

Before you start to configure and administer ICS, you should consider which security features you want to use and how they will affect your users. You should balance security with the ability of your users to access your network. If you implement a large number of security requirements, then you will achieve high security; however, if the endpoint computers do not comply, then your users will not be able to access your network. This can cause a considerable support burden and negatively impact productivity. Alternatively, if you configure ICS to be too lenient, you might not achieve the level of security you need.

When planning your implementation, be sure to take into account your particular security situation. ICS provides a variety of features to suit different needs. Depending on your security goals and your users, you may use only a portion of those features. Use the information in “Security scenarios,” on page 24, to determine which features are suitable for your implementation.

Even if you find that you need a very secure, very restrictive security implementation, it may not be a good idea to immediately impose it upon your users. The recommended way to achieve high security with lower user impact is to start with a less demanding configuration and then implement progressively more strict configurations in an iterative manner. The process you use to manage these iterative configurations is called a ‘security lifecycle’. For more information, see “Understanding Security Lifecycles,” on page 28.

Security scenariosICS is designed to provide flexible configuration options that allow you to tailor its protection to your security needs. When deciding which ICS security solutions to use you should consider the following:

Security vulnerabilities

Threats

Type of endpoint users and disruption tolerance

Sample Scenarios

Use the following sample scenarios to help plan your implementation. These samples include three of the most common implementation types.

Full network access. See “Full network access,” on page 25.

Web-only access. See “Web-only access,” on page 26.

E-commerce. See “E-Commerce,” on page 27.

The following table gives a summary of these scenarios. For more details, see the section on each scenario.

Table 3-1: Sample Scenarios

| | Full Network Access | Web-Only Access | E-commerce |
|---|---|---|---|
| Vulnerabilities | Network resources; File servers; Endpoint computers; Application servers; Sensitive data; User accounts | Sensitive data; User accounts | User accounts; Financial transactions |
| Risks | Viruses; Trojans; Worms; Hackers | Keyloggers; Spyware; Cache reading; Indexing software | Keyloggers |
| Users | Employees | Employees; Partners | Consumers |
| Solution | Integrity Security Scanner; Integrity Secure Workspace | Integrity Secure Workspace; Integrity Security Scanner (optional) | Advanced Anti-Keylogger |

Full network access

In the full network access scenario, you are providing endpoint users with unlimited access to your entire network.

Vulnerabilities

In this scenario, your entire network is vulnerable, including:

Network resources

File servers

Application servers

User accounts

Endpoint computers

Your security goals are to provide data protection, session confidentiality, and protection from network infection.

Risks

In this scenario, your organization’s intellectual property is threatened by:

Viruses

Trojans

Worms

Hackers

Endpoint users and disruption tolerance

Your endpoint users are mainly your employees. They are professionals with a medium-to-high level of computer expertise. They are more likely to understand the need for security and to tolerate a higher degree of disruption while becoming compliant with your security implementation’s demands.

Sample solution

For this scenario, a recommended solution is to use the Integrity Secure Workspace, and the ICS Security Scanner. You do not need to use the Advanced Anti-keylogger feature in this scenario, as the Integrity Secure Workspace provides keylogger protection during the session.

Integrity Secure Workspace provides zero-day protection from malware through the stealth session. The Security Scanner protects against network infection and known spyware through the policy you configure. The Security Scanner policy should require an antivirus application and a firewall on each endpoint computer. The policy should also prohibit all types of spyware.

Although the final goal of this security solution is to have a rather demanding and restrictive policy, you can minimize endpoint user disruption through the use of security lifecycles. You can implement a limited number of security features at first and use more lenient options while your users become compliant. Once users have begun to comply, you can add more security features, and use the less permissive options. For more information see “Understanding Security Lifecycles,” on page 28.

Web-only access

In this scenario you are providing your endpoint users with moderated network access. This type of scenario is often used to give access to Web applications, e-mail, or download sites.

Vulnerabilities

This scenario makes only the moderated part of your network vulnerable, including:

Sensitive data

User accounts

Your security goals are to provide data protection and session confidentiality.

Risks

In this scenario, your organization’s user accounts and sensitive data are at risk from the following:

Keyloggers and other spyware

Cache reading

Indexing software

Endpoint users and disruption tolerance

Your endpoint users are primarily your organization’s employees and partners. They range in computer expertise from low to high and require a high degree of productivity. They will tolerate some disruption, but not the restriction of their access.

Sample solution

For this scenario, a recommended solution is to use the Integrity Secure Workspace. The Integrity Secure Workspace provides zero-day protection against keyloggers, indexing software, and other malware. It prevents these programs from recording the sensitive data that the user accesses during the stealth session. It also provides protection against cache reading by encrypting the sensitive information while the endpoint user is working with it and then deleting it at the end of the session.

You do not need to use the Advanced Anti-keylogger feature in this scenario, as the Integrity Secure Workspace provides keylogger protection during the session.

E-Commerce

In this scenario, you are providing endpoint users with access to accounts and services online.

Vulnerabilities

In this scenario your endpoint user accounts and financial transactions are at risk.

Your security goal is to protect account and transaction information.

Risks

Endpoint user accounts and financial transactions are at risk from keyloggers.

Endpoint users and disruption tolerance

Your endpoint users in this scenario will include some employees, but will mostly be made up of consumers. Consumers often have a lower degree of computer experience and are unaware of security risks. Your users will have a very low tolerance for disruption and will not tolerate restriction. In this instance, you must provide protection with very little impact to the user.

Sample Solution

For this scenario, a recommended solution is to use Advanced Anti-keylogger. Advanced Anti-keylogger protects your endpoint user accounts and transaction information from keyloggers. Unlike other types of keylogging protection, Advanced Anti-keylogger provides behavior-based protection by restricting access to the APIs that keyloggers exploit. This provides protection, not only against current keyloggers, but also against new keyloggers as they are created.

Understanding Security Lifecycles

Security lifecycles allow you to gradually increase your security while maintaining reasonable user access to your network. By using a security lifecycle, you can also keep your system up to date by implementing changes as your system’s security needs change.

Consider starting out with a security configuration that is lenient. Strategies for creating more lenient security configurations include:

Minimizing security features — Using only one or two features, or using the less disruptive features, such as Advanced Anti-Keylogger. To make these features even less disruptive, allow endpoint computers to connect, even if the operating systems are not supported by the feature.

Minimizing enforcement rules — Only using enforcement rules for the most important security requirements, such as requiring an antivirus application. To make these enforcement rules even less disruptive, set them to ‘warn’ or ‘observe’.

Use the following steps in your security lifecycle:

1. Plan your security implementation.

Use the sample security scenarios to help plan your implementation. See “Sample Scenarios,” on page 24. When planning your security implementation you should consider the following:

What applications do you want to prohibit?

Commonly prohibited application types include IM clients, file system indexers, games, and file sharing applications. For each prohibited application you should consider whether you want to deny access for users who have it or simply warn them that the application is prohibited. If you are unsure what the user impact would be, you can choose to allow access without a warning. This allows you to track incidents in your reports without troubling the user.

What applications do you want to require?

Commonly required applications include anti-virus applications and firewalls.

Do you want to protect against keyloggers?

Do you want to use Integrity Secure Workspace?

Do you want to allow access for endpoints that have unsupported operating systems?

What remediation information do you need to provide to your users so they can become compliant with your policies?

2. Configure your security implementation.

Use the Integrity Clientless Security Administrator Console to configure your security settings. See “Configuration Workflow,” on page 30.

3. Monitor the results.

Use the reports to see how well ICS is protecting your network and to see its impact on your endpoint users. See “Reports,” on page 58.

4. Return to step 1.

Use the information you obtain from the reports to plan your next configuration.

Figure 3-1: Security Lifecycle

Supporting the Endpoint User

To ensure that your users have the access they need and are not needlessly inconvenienced by your security policies, you should plan how to provide support and education for them.

One of the most important things you can do to make your ICS implementation run smoothly is to provide information to your users. If users understand your security rules and why they are being scanned, you will greatly reduce the volume of unnecessary help desk requests.

You can help your users to understand ICS and comply with your security requirements by doing the following:

Providing remediation information — Always provide complete, clear remediation information and links if your enforcement rules are set to ‘warn’ or ‘restrict’. This allows users to deal with their own issues efficiently, without resorting to help desk requests. See “Understanding Enforcement Rules,” on page 34.

Logging In

Once you have finished installing ICS, you can log into the ICS Administrator Console. This is the Web-based graphical user interface that allows you to set your security configurations.

The ICS Administrator Console is located at: <the Web location you specified during installation>/bin/ctool.cgi.

The default username and password is ‘icsadm/icsadm’. If you have not already done so, you should change this username and password. See the Integrity Clientless Security Getting Started Guide for information about changing the password.

Configuration Workflow

Once you have planned your security configuration, you can begin to configure ICS. While you may perform some configuration functions at any time, the following is the recommended order for configuring your system:

1. Create enforcement rules.

Enforcement rules determine what applications your users must or must not have on their computers. Enforcement rules are the basic building blocks of your policies. You can use the same enforcement rules in multiple policies. For more information, see “Understanding Enforcement Rules,” on page 34.

2. Create policies.

Policies provide a convenient way to specify which enforcement rules you want to use at the same time. For more information, see “Creating Policies,” on page 41.

3. Activate your policy.

Choose the policy that you want to use. You can create as many different policies as you want, but only one policy can be active at a time. See “Activating Policies,” on page 41.

4. Configure Anti-Keylogging.

Choose your Anti-Keylogging options. See “Administering Advanced Anti-Keylogger,” on page 43.

5. Configure Secure Workspace.

Choose your Secure Workspace options. See “Administering Integrity Secure Workspace,” on page 47.

6. Save.

After completing any configuration steps, you must always save to have your changes take effect.

General Administration Tasks

Use this section to perform general configuration tasks, including:

“Configuring ICS to fail open”

“Configuring updates”

Configuring ICS to fail open

If you want to minimize disruption to your users, you should configure ICS to ‘fail open.’ This means that endpoint users that are not running a supported operating system can still access your network, without being serviced by ICS. For information about allowing unsupported operating systems with Integrity Secure Workspace and the Advanced Anti-Keylogger features, see the chapters on those features.

How to configure ICS to fail open:

1. Log into the ICS Administrator Console.

2. Go to the Gateway Configuration tab.

3. In the section Settings for endpoints running a non-supported OS select Allow access to endpoints running a non-supported OS.

4. Click Save.

This will cause those unsupported users to bypass all the scans and security features of ICS. These endpoint users will not be protected by ICS. Users with supported operating systems will still be protected.

Configuring updates

Check Point periodically releases updates to client components, such as support for new anti-virus providers. When updated versions of the client components are available, you can download them. Client components include the following:

Security Scanner

Enforcement agent

Advanced Anti-Keylogger

Secure Workspace

Java and ActiveX launchers

It is recommended that you update your system once a week. If you do not update ICS, your system will be out-of-date and you will not have the best protection available.

To update your ICS system, you must have the following:

Check Point User Center account ID and password. If you do not have a Check Point User Center user ID and password, you must sign up to receive them at https://usercenter.checkpoint.com.

Certificate key for your ICS product. Your certificate key was provided by Check Point with the ICS product. If you no longer have the certificate key, contact Check Point Sales to recover the certificate key.

How to update your ICS system:

1. Log into the ICS Administrator Console.

2. Go to the Product Information page.

3. In the Update Information section, perform the following steps:

a. Enter your Check Point User Center user ID.

b. Enter the password for your User Center account.

c. Enter your certificate key.

4. Click Update Client Components.

A message will appear to show the status of your update.

5. When the update is complete, click Finish to continue.

Chapter

4 Administering Security Scanner Policies

This chapter contains information about how to administer your policies using the ICS Administrator Console. Policies control what the Integrity Clientless Security Scanner checks for on your endpoint computers. Policies consist of collections of enforcement rules, which specify whether to prohibit or require certain applications, and what action to take if the endpoint computer is out of compliance with the rule.

This chapter consists of the following sections:

“Understanding Integrity Clientless Security Scanner”

“Implementing Policies”

“Understanding Enforcement Rules”

“Enforcement Rule Types”

“Firewall Application Rules”

“Anti-virus Application Rules”

“Anti-Spyware Scan Rules”

“Custom Application Rules”

“Custom Group Rules”

“Creating Policies”

“Activating Policies”

Understanding Integrity Clientless Security Scanner

Integrity Clientless Security Scanner requires no pre-installed software on endpoint computers, except a supported browser. The Security Scan is performed by a Java or ActiveX component that is deployed from your Web server to each endpoint computer that requests access.

Implementing Policies

This section describes all the steps you need in order to use policies to secure your endpoints. If you do not complete all these steps, your policies will not be enforced.

To implement policies

1. Create your enforcement rules. See “Understanding Enforcement Rules,” on page 34.

2. Use the enforcement rules to create a policy. See “Creating Policies,” on page 41.

3. Activate the policy. See “Activating Policies,” on page 41.

4. Execute the command # cat /dev/null > ics_server/bin/data/cookies to erase all existing cookie data from the ICS database.

If you change your security policy to be more restrictive, ICS considers all users currently logged in as compliant until their cookies expire. Cookies expire after 1 hour if the user doesn’t select any portal links; otherwise, the cookie expiration timer resets and the 1-hour countdown starts over.

5. Save your configuration.
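Why step 4 matters, shown as an added example (not ICS code): a small Python model of a cached compliance verdict with the sliding one-hour expiry described above. The class and function names are hypothetical, and treating Enforce Scan Interval as a maximum verdict age in seconds is an assumption made for illustration.

```python
"""Model of a cached compliance verdict with a sliding one-hour expiry.

Added illustration, not ICS code. From the guide: cookies expire after one
hour without portal activity, activity resets the timer, and emptying the
cookie file discards every cached verdict. Everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT = 60 * 60  # seconds of inactivity before a cookie expires


@dataclass
class Gateway:
    policy_version: int = 1
    # Assumed model of "Enforce Scan Interval": maximum age of a verdict, in seconds.
    scan_interval: Optional[int] = None
    cookies: dict = field(default_factory=dict)  # user -> cached verdict

    def scan(self, user, now):
        """Scan the endpoint and cache the verdict under the active policy."""
        self.cookies[user] = {"policy": self.policy_version,
                              "scanned_at": now, "last_seen": now}

    def request(self, user, now):
        """Handle one portal click; return the policy version the user was judged by."""
        cookie = self.cookies.get(user)
        idle_expired = cookie is None or now - cookie["last_seen"] > IDLE_TIMEOUT
        interval_expired = (cookie is not None and self.scan_interval is not None
                            and now - cookie["scanned_at"] >= self.scan_interval)
        if idle_expired or interval_expired:
            self.scan(user, now)
        else:
            cookie["last_seen"] = now  # activity restarts the one-hour countdown
        return self.cookies[user]["policy"]

    def tighten_policy(self, wipe_cookies=False):
        """Activate a stricter policy; optionally empty the cookie store (step 4)."""
        self.policy_version += 1
        if wipe_cookies:
            self.cookies.clear()


def first_rescan_minute(gw, click_every_min, total_min, wipe=False):
    """Minute at which a logged-in user is first judged by the new policy, or None."""
    gw.scan("alice", 0)                      # compliant under the old policy
    gw.tighten_policy(wipe_cookies=wipe)     # policy becomes more restrictive
    for minute in range(click_every_min, total_min + 1, click_every_min):
        if gw.request("alice", minute * 60) == gw.policy_version:
            return minute
    return None


if __name__ == "__main__":
    day = 8 * 60  # an eight-hour working day, in minutes
    print("active user, no wipe:   ", first_rescan_minute(Gateway(), 30, day))
    print("active user, wipe:      ", first_rescan_minute(Gateway(), 30, day, wipe=True))
    print("active user, 15 min max:", first_rescan_minute(Gateway(scan_interval=900), 30, day))
    print("idle 90 min, no wipe:   ", first_rescan_minute(Gateway(), 90, day))
```

In this model, a user who clicks a portal link every 30 minutes is never re-evaluated during the working day unless the cookie store is emptied or a scan interval is enforced.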

Understanding Enforcement Rules

Use the Enforcement Rule page in the ICS Administrator Console to manage your enforcement rules. You must add an enforcement rule to a policy and make that policy the active policy for the rule to take effect. Any changes you make to an enforcement rule affect all the policies that contain that rule. When you delete an enforcement rule, it is removed from all your policies. You are warned when you delete an enforcement rule that is currently being used in a policy.

Each enforcement rule consists of the following parts:

Conditions — Use the conditions area to indicate the criteria that the endpoint computer must meet. For instance, that it must have a certain file running.

If you do not want to create your own policies, you can use the sample policies included with ICS. ICS includes high, medium, and low security sample policies that you can activate. You can also edit these rules to customize them.

If Enforce Scan Interval is enabled and configured in the ICS Administrator console, every scan is performed using the most recent policy. Using frequent scans can avoid the cookie expiration issue.

Action — Use the action area to indicate what ICS should do when the endpoint computer is out of compliance with the rule.

Actions affect the user experience as described in “Action behaviors,” on page 35.

Table 4-1: Action behaviors

| Option | Behavior |
|---|---|
| Restrict | Prevents the users from logging on. ICS displays the scan report and any remediation information you have specified. Users must become compliant before being allowed to proceed. |
| Observe | Does not prevent users from logging on. ICS records the violation in the log. This option is useful for gathering information about potential issues with your network before you restrict endpoint connections. |
| Warn | Does not prevent users from logging on. ICS displays the scan report and any remediation information you have specified. Users may proceed without becoming compliant. Users are asked to become compliant every time they are scanned by ICS. |
| Allow | ICS does not check for spyware you have set to ‘allow’. This action is only available for Anti-spyware scan rules. |

Remediation — Use the remediation area to specify resources and information that the endpoint users need to become compliant with the enforcement rule. For example, if the rule requires an anti-virus program, you should provide a link to a location where the endpoint user can download the application and instructions on how to install it. Since users may be repeatedly warned, or even denied access if they do not comply, it is important to make sure you provide sufficient and clear remediation resources.

Enforcement Rule Types

Use enforcement rules to control which applications your users must, or must not, have on their computers when they connect to your network. The following types of enforcement rules are available:

Firewall Application — Use firewall application rules to require a certain firewall application. See “Firewall Application Rules,” on page 36.

Anti-Virus Application — Use anti-virus application rules to require a supported anti-virus application. If you want to require an anti-virus application that is not supported, use the custom application rule. See “Anti-virus Application Rules,” on page 36.

Anti-Spyware Scan — Use anti-spyware scan rules to prohibit certain spyware types. See “Anti-Spyware Scan Rules,” on page 38.

Custom Application — Use custom application rules to prohibit or require any application. See “Custom Application Rules,” on page 39.

Custom Group — Use Custom Group rules to bundle custom application enforcement rules into one rule. When you put enforcement rules in a group, the endpoint computer must meet at least one of the conditions in order to be in compliance. See “Custom Group Rules,” on page 40.
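How the rule parts, actions and rule types described above combine into one access decision, as an added Python sketch (not ICS code). The endpoint record layout, the product and file names, and all function names are constructed for illustration; only the action behaviors, the "at least one" semantics of anti-virus and custom group rules, and the DAT-age guidance come from the guide.

```python
"""Toy evaluator for the enforcement-rule model in this chapter.

Added illustration, not ICS code. Actions and rule semantics follow the guide;
the record layout, product names and helper names are constructed.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed scan result for one endpoint.
ENDPOINT = {
    "running": {"ExampleAV", "chatclient.exe"},
    "dat_age_days": {"ExampleAV": 20},
    "spyware": [("keylogger", "KeyGrab"), ("adware", "BannerBuddy")],
}


@dataclass
class Rule:
    name: str
    action: str                         # 'restrict', 'warn' or 'observe'
    compliant: Callable[[dict], bool]   # condition the endpoint must meet
    remediation: str = ""


def antivirus(apps, max_dat_age_days):
    """At least one listed product must be running with recent definitions."""
    def check(ep):
        return any(app in ep["running"]
                   and ep["dat_age_days"].get(app, float("inf")) <= max_dat_age_days
                   for app in apps)
    return check


def require(app):
    return lambda ep: app in ep["running"]


def prohibit(app):
    return lambda ep: app not in ep["running"]


def group(*checks):
    """Custom group: meeting at least one member condition is enough."""
    return lambda ep: any(check(ep) for check in checks)


def spyware_violations(ep, actions, exclusions=()):
    """Spyware types set to 'allow' are not checked; excluded programs are ignored."""
    return [(actions[kind], "spyware:" + name, "Remove " + name)
            for kind, name in ep["spyware"]
            if actions.get(kind, "allow") != "allow" and name not in exclusions]


def evaluate(ep, rules, spyware_actions, exclusions=()):
    """Apply the active policy to one scan result."""
    violations = [(r.action, r.name, r.remediation) for r in rules if not r.compliant(ep)]
    violations += spyware_violations(ep, spyware_actions, exclusions)
    return {
        # Only 'restrict' prevents the user from logging on.
        "access": all(action != "restrict" for action, _, _ in violations),
        # 'restrict' and 'warn' display the report and remediation; 'observe' is silent.
        "shown": [name for action, name, _ in violations if action != "observe"],
        # Assumption: every violation reaches the reports, whatever its action.
        "logged": [name for _, name, _ in violations],
    }


def build_policy(av_action, im_action, max_dat_age_days=14):
    """One policy at different lifecycle stages: same rules, stricter actions."""
    return [
        Rule("anti-virus", av_action,
             antivirus(["ExampleAV", "OtherAV"], max_dat_age_days),
             "Update your anti-virus definitions"),
        Rule("no-IM", im_action, prohibit("chatclient.exe"), "Close the IM client"),
        Rule("backup-tool", "warn", group(require("backupA.exe"), require("backupB.exe")),
             "Install an approved backup tool"),
    ]


SPYWARE_ACTIONS = {"keylogger": "warn", "adware": "allow"}

if __name__ == "__main__":
    for label, policy in [("lenient", build_policy("observe", "observe")),
                          ("strict", build_policy("restrict", "warn"))]:
        print(label, evaluate(ENDPOINT, policy, SPYWARE_ACTIONS))
```

Running the lenient stage first shows which rules would block users before any of them is set to ‘restrict’, which is the information the security lifecycle relies on.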

Firewall Application Rules

Firewall application rules determine which firewall applications endpoint computers must have when they are logged onto your network. You can use this feature to require that endpoint users obtain the latest version of an Integrity client when they connect to your gateway.

Creating a Firewall Application Rule

The steps below give an overview of creating a firewall application rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create a firewall application rule:

1. Log into the ICS Administrator Console and click Policy Manager.

2. Select a rule from the list and click Edit.

3. On the Edit Policy page click New Rule and choose Firewall Application.

4. Select the firewalls you want to require.

This sets the conditions for the rule. If endpoint computers violate these conditions they are considered to be out of compliance.

5. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.

6. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.

7. Click Save Rule.

Anti-virus Application Rules

It is important to protect your network from viruses. Every time an endpoint user logs in, your network is exposed to any viruses that the endpoint computer is infected with. Users who access your network through a gateway are particularly likely to be infected, since they are more likely to use their computers for personal uses, which put them at risk for viruses.

In order to protect your organization from viruses, you should require your users to have anti-virus protection. Effective anti-virus protection requires not only having the correct anti-virus software on your endpoint computers, but also having a recent version of that software and up-to-date software definitions. If endpoint users have out-of-date software definitions, they will not be protected against the latest viruses.

Anti-virus application rules determine which anti-virus applications your endpoint computers must have when they are logged into your network. Since users can sometimes disable their anti-virus software, all anti-virus application rules require that the application be running. For your convenience, anti-virus enforcement rules are pre-configured with supported anti-virus providers.

If you want to require that your endpoint computers have a supported form of anti-virus protection, create an anti-virus enforcement rule for your policy. It is recommended that you require an anti-virus application with a DAT file no older than 14 days. In the case of a virus outbreak, you should require that the DAT file be no more than 24 hours old.

Creating an Anti-virus Application Rule

The steps below give an overview of creating an anti-virus application rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create an anti-virus application rule:

1. Log into the ICS Administrator Console and click Policy Manager.

2. Select a rule from the list and click Edit.

3. On the Edit Policy page click New Rule and choose Anti-Virus Application.

4. Select the anti-virus applications you want to require.

The endpoint computer must have at least one of these anti-virus applications to be in compliance with the rule.

5. You can optionally edit the conditions for each application.

For each anti-virus application you can specify more detailed criteria and remediation information that is specific to the application.

a. Click Edit.

The Anti-Virus Application Details page appears.

b. Specify the operating system that this anti-virus application is required for.

c. Specify the application conditions.

It is recommended that you require a recent version of the application and a DAT file no older than 14 days. This ensures that your endpoint computers have up-to-date protection against viruses.

d. Specify the remediation information and resources.

This remediation information is specific to the application.

If you want to create an enforcement rule for an anti-virus provider not supported by the anti-virus applications rules, you can do so by creating a custom software rule to require the application. See “Custom Application Rules,” on page 39.

The format of these entries is important and formats vary from one anti-virus provider to another. To obtain the engine version, DAT file version, and DAT age information for your supported anti-virus software in the correct format, run the ICSInfo utility included with Integrity Clientless Security on your reference computer. For more information, see “Obtaining anti-virus application information,” on page 62.

e. Click Save Rule.

You return to the Anti-Virus Enforcement Rule Settings page.

6. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.

7. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.

This remediation information is for all the anti-virus applications and should be more generic than the remediation information you provided for the specific applications.

8. Click Save Rule.

Anti-Spyware Scan Rules

The term ‘spyware’ refers to applications that collect user data on host computers for either commercial or malicious purposes.

Spyware may do any of the following:

Aid hackers in circumventing your security and spreading malicious code. Spyware can introduce worms, dial out to toll lines, and introduce other serious security breaches.

Send information about a user, the user’s behavior, the computer system or the computer system’s use without requesting permission from the user to do so. This can be a serious breach of security for your users and your organization.

Present advertising, often without notification, to the users without any additional benefit. This is a less serious threat, but is annoying to users and can have a serious impact on productivity.

For more information about types of spyware and the risks they present, see the online help for the Anti-Spyware Enforcement rules.

Use anti-spyware scan rules to protect your endpoints from spyware. Anti-spyware scan rules allow you to control gateway access for users who have spyware software on their endpoint computers. ICS comes preconfigured with software definitions for many types of known spyware, organized by type. Through anti-spyware enforcement rules you can protect your organization, and encourage or require your users to remove spyware residing on their computers.

For each type of spyware, you can set the action you would like ICS to take when that spyware type is detected on an endpoint computer. You can also create exceptions for specific spyware programs you consider benign and want to allow.

If you want to protect your Gateway and your endpoint users from spyware, create an anti-spyware enforcement rule for your policy. You can only use one Anti-spyware scan rule for each policy, though you may wish to use different rules in different policies. Only the rule included in your active policy will be enforced for your users.

To provide more complete protection against keyloggers, see “Administering Advanced Anti-Keylogger,” on page 43.

Creating an Anti-spyware Rule

The steps below give an overview of creating an Anti-spyware scan rule. For detailed information about individual user interface elements, and how to complete the page, see the online help.

To create an anti-spyware rule:

1. Log into the ICS Administrator Console and click Policy Manager.

2. Select a rule from the list and click Edit.

3. On the Edit Policy page click New Rule and choose Anti-Spyware Scan.

4. Enter a Name and Description for the rule.

5. For each screened software type, choose the action you want ICS to take when it detects this kind of spyware.

If you warn or restrict the endpoint computer, it is recommended that you include a Remedy Message, informing the user of what they need to do to treat the spyware.

6. If you want ICS to ignore certain spyware applications, add them to the exclusions list.

7. Optionally, you can select Display SmartDefense Advisor article link.

Selecting this option will display a Check Point article to the endpoint users that will explain what the spyware is and offer treatment advice. It is highly recommended that you select this option.

8. Click Save Rule.

Custom Application Rules

While most of the common applications that you might want to control are governed by the other types of rules, you might wish to prohibit or require other applications.

If you wish to prohibit or require an application not covered by any of the other rule types, use a custom application rule. A typical use of a custom application rule is to create a rule requiring an anti-virus application that is not supported by the preconfigured antivirus application rules.

To create a custom application rule:

1. Log into the ICS Administrator Console and click Policy Manager.

2. Select a rule from the list and click Edit.

3. On the Edit Policy page click New Rule and choose Custom Application.

4. Enter a Name and a Description for the rule.

5. Choose the endpoint computer operating system you want this rule to apply to.

6. Specify the conditions for this rule.

If you are creating a rule requiring an anti-virus application, it is recommended that you require that the application be running, to prevent users from disabling the application. You should also require that it be modified no more than a week ago, to ensure that endpoint computers are getting virus definition updates regularly. During a virus outbreak, you will want to require that the file be modified no more than 24 hours ago.

7. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.

8. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.

9. Click Save Rule.

Custom Group Rules

Use custom group rules to group together custom application enforcement rules. Endpoint computers have to be compliant with at least one rule in the group. For example, you may want to make a rule group that requires a certain security patch or a certain service pack, if having either one would fulfill your organization’s security requirements.

Creating Custom Group Rules

To create a custom group:

1. Log into the ICS Administrator Console and click Policy Manager.

2. Select a rule from the list and click Edit.

3. On the Edit Policy page click New Rule and choose Custom Group.

4. Enter a Name and a Description for the rule.

5. Choose the enforcement rules you want to include in the group.

Endpoint users will have to be compliant with at least one of these rules. You can only add custom application rules to a group rule.

To obtain the checksum for your custom application, run the ICSInfo utility included with Integrity Clientless Security on your reference computer. For more information, see “Obtaining application checksums,” on page 62.

6. Select the action you want ICS to take if the endpoint user is not in compliance with this rule.

7. Use the remediation area to specify any information or resources you want to provide to endpoint users to help them to become compliant with this rule.

This remediation information is for all the enforcement rules in the group and should be more generic than the remediation information you provided for specific enforcement rules.

8. Click Save Rule.

Creating Policies

Policies are made up of Enforcement rules. When an endpoint computer is scanned, its state is compared to all the enforcement rules in the currently active policy. If you have more than one enforcement rule in a policy, the endpoint users must comply with all of the rules. If you need to enforce compliance with just one rule out of a group, create a custom group rule out of the rules.

To create a policy:

1. Log into the ICS Administrator Console and click Policy Manager.

2. On the Enforcement Rules page, click New Policy.

3. Enter a Name and Description for the policy.

4. In the Rules selected for this policy table, select the enforcement rules you want in this policy.

5. Click Save Policy.

This policy will not be enforced until you activate it.

Activating Policies

You can create as many policies as you need, but only one is enforced at a time. You must activate your policy in order to have it be enforced. You may also set the scan interval.

To activate a policy:

1. Log into the ICS Administrator Console and click Gateway Configuration.

2. Select your policy in the Scanner Policy dropdown list.

3. Optionally, you can select to enforce a scan interval.

Use a scan interval to require that the endpoint computers be re-scanned while they are connected to your network. If a user is connected to your network, and then directs a browser to another location, they may become infected with spyware after the original scan. Use the scan interval to trigger a periodic re-scan to help ensure that your endpoint users remain free of spyware while connected. The re-scan is silent to the user, unless they are out of compliance with rules that warn or restrict.

4. Click Save.

The recommended scan interval is 15 minutes. Be aware that if you have configured rules that warn, your non-compliant users will be warned and prompted to remediate every time the scan runs. If you do not want warnings to be punitively disruptive, you may wish to set the scan interval to a longer time until most of your users are in compliance.

Do not require both a re-scan and the Integrity Secure Workspace.

Chapter 5: Administering Advanced Anti-Keylogger

Use ICS Anti-Keylogging to protect your endpoint users from keyloggers. Keyloggers are malicious applications that record the keys that your endpoint users press. Keyloggers record those keystrokes and relay the information to another individual or server. Keyloggers can record passwords, login names, and other sensitive information. Once a third party has this sensitive data it can be exploited for malicious purposes.

This chapter contains the following topics:

“Understanding Keylogger Protection,” on page 43

“Administering ICS Advanced Anti-Keylogger,” on page 44

“Activating ICS Advanced Anti-Keylogger,” on page 44

“Configuring Advanced Anti-Keylogger to fail open,” on page 45

“Monitoring Advanced Anti-Keylogging,” on page 45

Understanding Keylogger Protection

New keyloggers are constantly emerging. In order to protect your endpoint users and their data from keyloggers you need to not only protect against existing, known keyloggers, but also against the new ones as they develop. By combining the ICS Advanced Anti-Keylogger feature with Anti-Spyware protection rules, you provide more complete keylogging protection.

You can use ICS to protect against keyloggers in the following ways:

By checking signatures—Every application has a unique ‘fingerprint’ or ‘signature’. This prevents malicious applications from masquerading as benign applications by using the benign application’s file name. The anti-keylogging feature included in ICS Anti-Spyware Scan rules protects against known keyloggers by comparing their signature to a list of known keylogger signatures. These signatures are provided by Check Point as part of your regular updates. By using the Anti-Spyware Scan rule anti-keylogging feature, and performing regular updates, you are protecting your endpoint users and their data from known keyloggers. For more information about Anti-Spyware Scan rules, see “Anti-Spyware Scan Rules,” on page 38.

By checking behavior—Keyloggers exploit APIs in order to record keyboard activity. ICS Advanced Anti-Keylogging allows only legitimate, trusted applications to use these APIs. By doing this, ICS Advanced Anti-Keylogger can protect your endpoints against new keylogging threats without needing a signature. This means ICS Advanced Anti-Keylogger protects your endpoints against new keyloggers that have not yet been identified.

It is highly recommended that you use both the ICS Anti-Spyware Scan rules (in conjunction with regular updates) and ICS Advanced Anti-Keylogger in order to provide the most complete keylogger protection.

ICS Advanced Anti-Keylogger may inhibit certain legitimate activities on endpoint computers, such as:

Certain keyboard controls, such as volume control

Keyboard macros

Keyboard emulating applications, such as some translation software

Generally, these limitations cause only minor impact, as they are only exhibited while the endpoint user is connected to your network. Users can resume these activities when they disconnect.

Administering ICS Advanced Anti-Keylogger

Use this section to administer Advanced Anti-Keylogger. Anti-Keylogger administration tasks include:

“Activating ICS Advanced Anti-Keylogger,” on page 44

“Configuring Advanced Anti-Keylogger to fail open,” on page 45

“Monitoring Advanced Anti-Keylogging,” on page 45

Activating ICS Advanced Anti-Keylogger

Use the ICS Administrator Console to easily activate Advanced Anti-Keylogger.

To activate ICS Advanced Anti-Keylogger:

1. Log into the ICS Administrator Console.

2. Click Gateway Configuration.

3. Select Require Advanced Anti-Keylogger.

4. Click Save Configuration.

When endpoint users connect to your network they are prompted to accept a Java applet. Once they accept the applet, Advanced Anti-Keylogger will protect them from keyloggers without any further endpoint user input. An icon will appear in the title bar of their browser to let them know they are being protected. This protection persists until they close the browser.

Configuring Advanced Anti-Keylogger to fail open

If you require ICS Advanced Anti-Keylogger, endpoint computers with operating systems that are not supported by ICS Advanced Anti-Keylogger are denied access to your gateway. Denied endpoint users are given a warning that tells them that they are using an unsupported operating system. The warning message informs them of the supported operating systems and gives the helpdesk/administrator contact information that you supply.

If you want to minimize disruption to your users, you should configure Advanced Anti-Keylogger to ‘fail open’. This means that endpoint users who are not running a supported operating system can still access your network, without Advanced Anti-Keylogger protection. Only endpoint users with the supported operating systems receive keylogger protection. For more information about what operating systems are supported by ICS Advanced Anti-Keylogger, see the Integrity Clientless Security Getting Started Guide.

To configure Advanced Anti-Keylogger to fail open:

1. Log into the ICS Administrator Console.

2. Click Gateway Configuration.

3. In the Anti-Keylogger Settings area, choose Allow endpoints that can’t run Advanced Anti-Keylogger.

4. Click Save Configuration.

Monitoring Advanced Anti-Keylogging

Use the Anti-Keylogging report to monitor how well ICS Advanced Anti-Keylogging is protecting your users from keyloggers. See “Anti-Keylogger,” on page 59.

Chapter 6: Administering Integrity Secure Workspace

Your company’s sensitive data is at risk when users access it through your gateway. Endpoint users may accidentally or deliberately compromise the security of your data as they work with it on their endpoint computers. For example, a user might send a confidential file to an unauthorized recipient, or save a sensitive document on an endpoint computer that is then stolen. Use Integrity Secure Workspace (ISW) to protect your company’s data while still making it available for your endpoints to view and work with.

This chapter contains the following topics:

“Understanding Integrity Secure Workspace,” on page 47

“Supported Applications,” on page 48

“Administering Integrity Secure Workspace,” on page 49

“Configuring and Activating ISW,” on page 49

“Configuring ISW permissions,” on page 50

“Configuring Secure Workspace to fail open,” on page 51

“Testing Integrity Secure Workspace,” on page 52

Understanding Integrity Secure Workspace

ISW provides a secure environment on the endpoint computer which allows users to safely work with your company’s data. While the user is logged into your gateway, ISW stores data (data files and registry changes) in an encrypted user profile on the endpoint computer. The data cannot be accessed by other applications and it is deleted from the endpoint computer when the user logs off. ISW also provides a lightweight firewall application for the protected endpoint.

Supported Applications

In order to provide a trusted and secure environment, ISW controls all applications in the secure workspace. The endpoint user is only able to use applications that you allow them to use.

The following applications are made available to the user by default. You can allow other applications by adding them to the list of allowed applications in the Secure Workspace Settings page:

General Applications

Microsoft Notepad

Microsoft Wordpad

Microsoft Word

Microsoft Excel

Microsoft PowerPoint

Microsoft Paint

Microsoft Calculator

Adobe Acrobat Reader (v. 5.0 or later)

FTP Applications

Microsoft FTP (command line) (v. 5.1)

Ipswitch WS_FTP Home/PRO (v. 2006.0.1.0)

GlobalSCAPE CuteFTP (v. 6.0)

Web Browsing (HTTP, HTTPS, passive FTP) Applications

Microsoft Internet Explorer (v. 5.5 or later)

Mozilla Firefox (v. 1.0.4 or later)

Mozilla (v. 1.7.8 or later)

Netscape Browser (v. 8.0)

Terminal Service Applications

Microsoft Remote Desktop Connection (v. 5.1)

VNC Viewer (v. 4.1)

Famatech Remote Administrator (v. 2.2)

Telnet/SSH Applications

Microsoft Telnet (command line) (v. 5.1)

Microsoft HyperTerminal (v. 5.1)

Putty (v. 0.58)

SecureCRT (v. 5.0)

TN3270 Applications

Ericom PowerTerm InterConnect for Windows (v. 7.1)

IBM Personal Communications Workstation Program (v. 5.080)

Administering Integrity Secure Workspace

Configuring and Activating ISW

Use the ICS Administrator Console to configure and activate ISW.

To configure and activate Integrity Secure Workspace:

1. Log into the ICS Administrator Console.

2. Click Gateway Configuration.

3. Select Require Integrity Secure Workspace.

4. Click Secure Workspace Settings.

5. To add applications that endpoints are allowed to use, perform the following steps:

a. Click the Approved Applications tab.

b. Click Add Application.

c. Enter the application name, file path, and description, then click Save Application.

See the online Help for more detailed information on these fields.

All Internet Explorer plugins installed on the endpoint user’s regular desktop are available in the Secure Workspace.

Do not require both a re-scan and the Integrity Secure Workspace.

6. To set outbound firewall rules for endpoints, perform the following steps:

a. Click the Outbound Firewall Rules tab.

b. Click Add Rule.

c. Enter a rule name, description, file address, and port number, then click Save Rule.

See the online Help for more detailed information on these fields.

7. To specify where endpoints are allowed to save files in ISW, perform the following steps:

a. Click the Allowed Save Locations tab.

b. Click Add Location.

c. Enter the location name, location path, and description.

See the online Help for more detailed information on these fields.

8. Select the appropriate checkbox to allow endpoints to print secure documents and to secure clipboard contents.

9. Click Save Configuration.

Configuring ISW permissions

ISW is configured, by default, to have limited read, write, and execute permissions, which might prevent some client applications from operating successfully. Optionally, you can configure ISW to change these read, write, and execute permissions.

Integrity Secure Workspace uses the file CPSWS.xml to control these permissions.

To configure the ISW permissions:

1. Back up the CPSWS.xml file.

2. Use any text editor to open CPSWS.xml.

3. Search for the "FSPolicy" tag.

Example:

<FSPolicy Access="Deny" Write="Allow" Execute="Allow">

<Access PathName="%WINDIR%\System32\pstorec.dll" />

<Write PathName="%ProgramFiles%\CheckPoint" />

<Execute PathName="telnet.exe" />

</FSPolicy>

4. If you want to allow a specific file to be executed, perform the following steps:

a. If the value of the "Execute" attribute in the "FSPolicy" tag is "Allow", add the following child tag to the "FSPolicy" tag:

<Execute PathName="filename.exe" />

b. If the value of the ‘Execute’ attribute in the ‘FSPolicy’ tag is ‘Deny,’ search for an ‘Execute’ child tag that refers to the exact file requested and delete the tag.

5. If you want to allow all files to be executed, perform the following steps:

a. In the FSPolicy tag, change the Execute attribute value to Deny

Example: <FSPolicy Access="???" Write="???" Execute="Deny"/>

b. Delete all ‘Execute’ child tags inside the "FSPolicy" tag. Since no files are explicitly set as denied, all files can be executed.
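The behaviour described in steps 4 and 5, as an added example that is not part of the original guide or of ICS itself: a Python audit of the Execute rules in an FSPolicy block. It assumes, as those steps imply, that the Execute attribute names the action applied to the listed child paths and that every other file gets the opposite, and it uses the guide's rule that a full path matches only that path while a bare file name matches from any path; the function names and the sample XML are constructed for illustration, and environment variables such as %WINDIR% are not expanded.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample modelled on the guide's FSPolicy example; not a real CPSWS.xml.
SAMPLE_POLICY = r"""
<FSPolicy Access="Deny" Write="Allow" Execute="Allow">
  <Access PathName="%WINDIR%\System32\pstorec.dll" />
  <Write PathName="%ProgramFiles%\CheckPoint" />
  <Execute PathName="telnet.exe" />
  <Execute PathName="c:\tools\putty.exe" />
</FSPolicy>
"""


def load_execute_rules(xml_text):
    """Return (mode, entries) for the Execute permission of the FSPolicy tag."""
    root = ET.fromstring(xml_text)
    policy = root if root.tag == "FSPolicy" else root.find(".//FSPolicy")
    if policy is None:
        raise ValueError("no FSPolicy tag found")
    mode = policy.get("Execute")
    if mode not in ("Allow", "Deny"):
        raise ValueError("Execute attribute must be Allow or Deny, got %r" % mode)
    entries = [tag.get("PathName", "") for tag in policy.findall("Execute")]
    return mode, entries


def entry_matches(entry, candidate):
    """Assumed matching rule, taken from the guide's note: an entry with a
    directory part matches only that exact path, a bare file name matches the
    file in any directory. Windows paths are compared case-insensitively."""
    entry = entry.lower()
    candidate = ntpath.normpath(candidate).lower()
    if ntpath.dirname(entry):
        return ntpath.normpath(entry) == candidate
    return ntpath.basename(candidate) == entry


def can_execute(mode, entries, candidate):
    """Decide whether candidate may run under the given Execute rules."""
    listed = any(entry_matches(entry, candidate) for entry in entries)
    # Assumption: listed files get the action named by the attribute,
    # every other file gets the opposite.
    return listed if mode == "Allow" else not listed


def audit_execute_rules(mode, entries):
    """Flag the two configurations that are broader than they look."""
    findings = []
    if mode == "Deny" and not entries:
        findings.append("Execute=Deny with no Execute tags: every file may run")
    if mode == "Allow":
        for entry in entries:
            if not ntpath.dirname(entry):
                findings.append("%s: file name only, allowed from any path" % entry)
    return findings


if __name__ == "__main__":
    mode, entries = load_execute_rules(SAMPLE_POLICY)
    for path in (r"C:\WINDOWS\system32\telnet.exe",
                 r"C:\Temp\telnet.exe",
                 r"C:\Temp\putty.exe"):
        verdict = "allowed" if can_execute(mode, entries, path) else "blocked"
        print(path, "->", verdict)
    for finding in audit_execute_rules(mode, entries):
        print("REVIEW:", finding)
```

Running the audit against a backed-up copy of CPSWS.xml before and after an edit shows which Execute entries would accept a same-named file from a user-writable directory.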

Using a full path of the file, for example, c:\folder\filename.exe, will allow the command to run only from that path. Using just the filename will allow running the command from any path.

An executable file might try to read, update, or execute other files. All appropriate permissions must be updated for such a file to run properly.

Configuring Secure Workspace to fail open

If you require ISW, endpoint computers with operating systems that are not supported by ISW are denied access to your gateway. Denied endpoint users are given a warning that tells them that they are using an unsupported operating system. The warning message informs them of the supported operating systems and gives the helpdesk/administrator contact information that you supply.

If you want to minimize disruption to your users, you should configure Secure Workspace to ‘fail open.’ This means that endpoint users that are not running a supported operating system can still access your network, without Secure Workspace protection. For more information about what operating systems are supported by ISW, see the Integrity Clientless Security Getting Started Guide.

To configure Secure Workspace to fail open:

1. Log into the ICS Administrator Console.

2. Click Gateway Configuration.

3. In the Integrity Secure Workspace Settings area, choose Allow endpoints that can’t run Secure Workspace.

4. Click Save Configuration.

Testing Integrity Secure Workspace

Use the following steps to obtain ISW and test it on an endpoint computer. This allows you to see whether you have correctly configured the application permissions.

To test Integrity Secure Workspace:

1. On the ICS server, go to <local path>/ics_server/components.

2. Copy the following files to an endpoint computer:

cpsws.dll.gz

cpsws.exe.gz

cpsws.jpg

cpsws.xml.gz

cpswsl.xml.gz

iswrcs.dll.gz

3. Unzip all of the files.

4. Run cpsws.exe.

5. Try to use the various applications to see if you have correctly configured the permissions.

Chapter 7: Logging and Reports

Use this chapter to configure logging and understand how to use reports to enhance your implementation. This chapter contains the following sections:

“Logging,” on page 53

“Server-side logs,” on page 54

“Log and database rotation,” on page 55

“Endpoint computer logs,” on page 58

“Reports,” on page 58

“Access Statistics,” on page 59

“Security Scan Results,” on page 59

“Spyware Found,” on page 59

“Rules Broken,” on page 59

“Anti-Keylogger,” on page 59

“Errors,” on page 60

Logging

Information about sessions and endpoint scans is stored on the ICS server for analysis, and can be viewed via the ICS Administrator Console. Flow logging on the endpoint computer is done to handle client-side issues and perform troubleshooting.

All instructions and ICS file names used in this chapter are identical for both Apache and IIS Web servers.

Server-side logs

Server logging is divided by ICS gateway components: redirection filter, translator script, and scan reporting. Use the following to configure logging:

Redirection Filter component

Use this section to modify your redirection filter component logging.

To modify the redirection filter component logging:

1. Open the ics_config.lua file.

The ics_config.lua file is in <local path>/ics_server/bin/data/.

2. Modify the following parameters:

Table 7-1: Redirection filter component logging parameters

Parameter: ics_config.filter_log_file = data_dir .. "apache_filter.log"
Description: Specifies the name of the redirection filter component log file. If a name is not specified, logs are not written. Note: this file name is identical for both Apache and IIS Web servers.

Parameter: ics_config.filter_log_level = 1
Description: Specifies the log level for the redirection filter component. 5 is the highest level of detail and 1 is the lowest. The default is 1.

3. Restart your Web server in order to apply new settings.

Translator script component

Use this section to modify your translator script component logging.

To modify the translator script component logging:

1. Open the ics_config.lua file.

The ics_config.lua file is in <local path>/ics_server/bin/data/.

2. Modify the following parameters:

Table 7-2: Translator script component logging parameters

Parameter: ics_config.translator_log_file = data_dir .. "translator.log"
Description: Specifies the name of the translator script component log file. If a name is not specified, logs are not written.

Parameter: ics_config.translator_log_level = 1
Description: Specifies the logging level for the translator script component. 5 is the highest level of detail and 1 is the lowest. The default is 1.

Scan reporting component

Use this section to configure logging for the scan reporting component.

To configure logging for the scan reporting component:

1. Open the report.conf file.

The report.conf file is in <local path>/ics_server/bin/data/.

2. Modify the following parameters:

Table 7-3: Scan reporting component logging parameters

Parameter: log_path = data/report.log
Description: Specifies the name of the scan reporting component log. If a name is not specified, logs are not written.

Parameter: log_level = 3
Description: Specifies the logging level for the scan reporting component. 5 is the highest level of detail and 1 is the lowest. The default is 3.

3. Stop and restart the report daemon report.cgi in order to apply new settings.

Log and database rotation

ICS allows you to truncate server-side logging in order to increase ICS server productivity by archiving and purging old log and database information. When a file achieves the maximum file size, it is saved under a new name (file name and copy number) and the existing file is cleared. This rotation is performed automatically according to the parameters you specify.

Report log and database

Use this section to modify the report log and database rotation.

To set up rotation:

1. Open report.conf.

The report.conf file is in <local path>/ics_server/bin/data/.

2. Set the following parameters:

Table 7-4: Report log and database rotation parameters

Parameter: log_truncate_size = 65535
Description: Specifies the maximum file size (in bytes) the report log file can achieve before truncating. The default is 65535 bytes.

Parameter: log_truncate_parts = 1
Description: Specifies the number of files that the archived report log file is split into when the existing file reaches its maximum size. The default is one backup file.

Parameter: db_path
Description: Specifies the path to the report database report.db. The ICS installation by default puts this file in the ics_server_bin directory.

Parameter: db_auto_truncate = 1
Description: Specifies if ICS truncates the report database automatically. The default is yes (1). When the report database is 1 GB in size or greater, truncation locks up the database for extended periods. You should set this parameter to “0” and truncate the database manually using the command report.cgi truncate. For best results, you should schedule truncation for once per month, outside normal working hours.

Parameter: db_truncate_size
Description: Specifies the maximum file size (in bytes) the report database file can achieve before truncating. This parameter is absent by default, which results in no database rotation or truncation by size.

Parameter: db_truncate_period
Description: Specifies the maximum amount of time the report database can run before it is truncated (in 24 hour periods). This parameter is absent by default, which results in no database rotation or truncations by age.

Parameter: host
Description: IP address of the reporting IPC. The default is 127.0.0.1. If this default value is used by other services, change this value to any other free valid address.

Parameter: port
Description: Port number of the reporting IPC. The default is 3113.

Filter and translator logs

Use this section to modify the filter and translator log rotation.

To set up log rotation:

1. Open ics_config.lua.

The ics_config.lua file is in <local path>/ics_server/bin/data/.

2. Set the following parameters:

Table 7-5: Filter and translator log rotation parameters

Parameter: ics_config.filter_log_maxsize = 0
Description: Specifies the maximum file size (in bytes) the filter log can achieve before truncating. This parameter is set to 0 by default, which results in no filter log rotation or truncation by size.

Parameter: ics_config.filter_log_maxpart = 0
Description: Specifies the number of backups of the filter log file that will be created when the existing file reaches its maximum size. This parameter is set to 0 by default, which results in no filter log backups.

Parameter: ics_config.translator_log_maxsize = 0
Description: Specifies the maximum file size (in bytes) the translator log file can achieve before truncating. This parameter is set to 0 by default, which results in no translator log rotation or truncation by size.

Parameter: ics_config.translator_log_maxpart = 0
Description: Specifies the number of backups of the translator log file that will be created when the existing file reaches its maximum size. This parameter is set to 0 by default, which results in no translator log backups.


Endpoint computer logs

Endpoint computer logs are collected for troubleshooting reasons. By default, endpoint computer logging is shut off. To enable client-side ICS logging, set the system environment variable ICSLOG on the endpoint computer to a number between 1 and 4. 4 is the highest level of detail and 1 is the lowest.

The log file, ics.log, is shared between all client components and is located in the user’s temp folder.

Reports

Use the ICS reports to monitor security events occurring on your network. Use the information in these reports to improve your policies, provide better remediation for users, and observe how ICS is protecting your network.

ICS includes the following major reports. You can also drill down to detail-level reports:

“Access Statistics,” on page 59

“Security Scan Results,” on page 59

“Spyware Found,” on page 59

“Rules Broken,” on page 59

“Anti-Keylogger,” on page 59

“Errors,” on page 60

Generating Reports

All ICS report pages use the same method to generate reports. Use the following instructions to generate reports, then see the section on that report.

To generate a report:

1. Log into the ICS Administrator Console.

2. Click Reports.

3. Choose your report.

4. Set filtering criteria for the report.

For more information on filtering options for each report, see the online Help page for the report.

5. Click Generate Report.

The report is generated for all scan events that match the filter criteria you specify.


Access Statistics

Use the Access Statistics report to see what the results were for all the users who attempted to connect to your gateway. Attempted user connections are counted per session, with the session determined by the persistence of the cookie. If a user connects to your gateway, disconnects and reconnects again, that is counted as one connection attempt, unless the cookie has expired.

This report shows how many users were compliant with your security rules and what happened to those who were not compliant. Use the legend to see details about the users in each category.

You can use the information in this report to refine your policies. If an excessive number of users are being warned, or even restricted, your rules may be too strict or you may not be providing enough remediation information. Use the Rules Broken report to see which rules your endpoint users are having the most trouble with. Once most users are compliant, you can increase your security requirements.

Security Scan Results

The Security Scan Results report shows the total numbers of enforcement rules broken and the total amount of spyware found for each user’s scan. You can use this report to find out why a user was warned or restricted. Using this information, you can then provide remediation information to the user.

Spyware Found

Use the Spyware Found report to see how often particular spyware applications were found on your endpoint computers. If you find that ICS is scanning for a particular spyware application that you want to allow, you can add it to the ignore list. See “Anti-Spyware Scan Rules,” on page 38.

Rules Broken

Use the Rules Broken report to determine which rules are causing your endpoint users the most trouble. This report includes rules that are set to ‘observe’. If a rule is consistently being broken at a high rate, that may indicate that the rule is too strict or that you are not providing enough remediation information for that rule.

Anti-Keylogger

The Anti-Keylogger report shows processes that were flagged by ICS as potentially being keyloggers. This report shows you how ICS protects your network and endpoint users from keyloggers.


Errors

Use the Errors report to view the ICS errors that endpoint users are experiencing when they attempt to connect to your gateway. This report only shows errors when the user connects to the ICS server. To diagnose connection issues due to endpoint configuration, use the ICSInfo utility. See “Troubleshooting endpoint user issues,” on page 61.

Chapter 8: The ICSInfo Utility

The ICSInfo utility collects program and other information from endpoint computers that you can use when creating your policies or troubleshooting user issues.

Use the ICSInfo utility to perform the following tasks:

“Troubleshooting endpoint user issues,” on page 61

“Obtaining anti-virus application information,” on page 62

“Obtaining application checksums,” on page 62

Troubleshooting endpoint user issues

If your users are unable to connect to your network, you may need to help them to become compliant. Have your users run the ICSInfo utility to determine what is wrong.

The ICSInfo utility provides the following information for supported operating systems:

Host — Processor, Memory, OS

User — User Name, Profile location, Groups

Java — MS-JVM and Sun-JRE versions (and if they are installed)

Browser — IE version (and if JRE is enabled), current default browser location and version

Internet Options — The options set in the Internet Options of Internet Explorer (per zone).

ICS Component — The ICS components currently on the endpoint computer

Anti-Virus — The anti-virus application information

Applications/Modules — The applications currently found on the endpoint computer

Network Preferences — The settings for the installed network adapters


How to troubleshoot endpoint user issues:

1. Have your endpoint user obtain the ICSinfo.exe file.

The ICSInfo utility is available in <local path>/ics_server/components. You can send this to your user. Alternatively, the user can also click the link in certain errors to obtain the file. You can also include it in other errors by customizing the text. See “Configuring the custom text,” on page 70.

2. Have your endpoint user run the ICSinfo.exe file.

3. Have your endpoint user perform the following steps to obtain the icsinfo.xml file:

a. Run the ICSinfo.exe file.

b. When prompted, click Browse and select a location to save the icsinfo.xml file.

c. Click Run.

The ICSInfo utility runs and the file is saved to the specified location.

4. Have the endpoint user send the icsinfo.xml file to you for analysis.

Obtaining anti-virus application information

When creating anti-virus enforcement rules, you need to use the correct format for your anti-virus provider information. This format varies from provider to provider. Use the ICSInfo utility to scan a reference computer to obtain the information for all the installed anti-virus programs in the correct format.

To obtain anti-virus application information:

1. Set up a reference computer with your anti-virus applications installed.

Be sure to obtain the updates for your anti-virus providers.

2. Obtain the ICSinfo.exe file and copy it to your reference computer.

The ICSInfo utility is available in <local path>/ics_server/components.

3. Run the ICSInfo.exe file.

Using a command prompt, run ICSInfo.exe -avinfo. When you run the ICSInfo utility using this parameter, the ICSInfo utility produces an icsinfo.xml file that contains only anti-virus application information.

4. Check the icsinfo.xml file for the application information.

Obtaining application checksums

Use the ICSInfo utility to obtain checksums for applications. Use these checksums when creating custom application enforcement rules. Since checksums are unique, verifying a file by checksum prevents another file from masquerading as that file.


To obtain application checksums:

1. Set up a reference computer with a trusted copy of the application.

2. Obtain the ICSinfo.exe file and copy it to your reference computer, to the same location as your application.

The ICSInfo utility is available in <local path>/ics_server/components.

3. Run the ICSInfo.exe file.

Using a command prompt, run ICSInfo.exe -fileinfo. When you run the ICSInfo.exe file using this parameter, the ICSInfo utility produces an icsinfo.xml file that contains the version, size, checksum and vendor information for each dll and exe file in the folder.

4. Open the icsinfo.xml file and use the information to create your custom application enforcement rules.
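The masquerading point made in this section, as an added example (not ICSInfo's code and not part of the original guide): it hashes every .exe and .dll in a trusted reference folder, then checks a second folder against that baseline, including a file that keeps the trusted name and size but has different content. SHA-256, the function names and the sample files are assumptions; the guide does not say which checksum algorithm ICSInfo uses.

```python
import hashlib
import os
import tempfile

# Same file types the guide says "-fileinfo" reports on.
CHECKED_EXTENSIONS = {".exe", ".dll"}


def file_checksum(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once.

    SHA-256 is an assumption; the guide does not name ICSInfo's algorithm.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(folder):
    """Return {lower-cased file name: (size, checksum)} for .exe/.dll files."""
    baseline = {}
    for entry in os.scandir(folder):
        extension = os.path.splitext(entry.name)[1].lower()
        if entry.is_file() and extension in CHECKED_EXTENSIONS:
            baseline[entry.name.lower()] = (
                entry.stat().st_size,
                file_checksum(entry.path),
            )
    return baseline


def verify_folder(folder, baseline):
    """Compare a folder with a trusted baseline and return {name: status}."""
    current = build_baseline(folder)
    results = {}
    for name, (_size, checksum) in baseline.items():
        if name not in current:
            results[name] = "missing"
        elif current[name][1] != checksum:
            results[name] = "checksum mismatch"
        else:
            results[name] = "ok"
    for name in current:
        if name not in baseline:
            results[name] = "not in baseline"
    return results


def _write(folder, name, data):
    with open(os.path.join(folder, name), "wb") as handle:
        handle.write(data)


def demo():
    """Constructed sample: a reference folder and an endpoint folder."""
    with tempfile.TemporaryDirectory() as reference, \
            tempfile.TemporaryDirectory() as endpoint:
        _write(reference, "app.exe", b"MZ trusted build 1.0")
        _write(reference, "helper.dll", b"MZ helper library")
        _write(reference, "readme.txt", b"ignored: not an exe or dll")

        # Same name and same size as the trusted app.exe, different content.
        _write(endpoint, "app.exe", b"MZ altered build 1.0")
        _write(endpoint, "helper.dll", b"MZ helper library")
        _write(endpoint, "extra.dll", b"MZ unknown module")

        baseline = build_baseline(reference)
        same_size = (
            baseline["app.exe"][0] == build_baseline(endpoint)["app.exe"][0]
        )
        return verify_folder(endpoint, baseline), same_size


if __name__ == "__main__":
    statuses, same_size = demo()
    print("app.exe sizes equal:", same_size)
    for name, status in sorted(statuses.items()):
        print(f"{name}: {status}")
```

A rule that matched only on file name or size would accept the altered app.exe in this sample; the checksum comparison is what rejects it.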

Chapter 9: Customizing the User Interface

You can fully customize the ICS endpoint user interface to make the look and feel match your company’s Web site. Use the instructions in this chapter to perform your customizations. This chapter contains the following topics:

“Assumptions,” on page 65

“Customization Methods,” on page 66

“Customizing ICS,” on page 66

“Creating the customization folder,” on page 66

“Modifying the CSS file,” on page 67

“Modifying the template file,” on page 67

“Adding Administrator Contact Information,” on page 68

“Changing the logo,” on page 68

“Changing the colors,” on page 69

“Changing the fonts,” on page 70

“Configuring the custom text,” on page 70

“Style Reference,” on page 70

“Customizing the Integrity Secure Workspace,” on page 81

“Changing message text,” on page 81

“Changing the images,” on page 81

Assumptions

This chapter assumes that you have:

A working knowledge of Cascading Style Sheets (CSS)

A working knowledge of HTML


Access to your company’s logos and color palette

Customization Methods

You can customize the ICS user interfaces using the following methods:

Style sheet — By altering the styles included in the cascading style sheet you can modify the appearance of the ICS user interface. For more information, see “Modifying the CSS file,” on page 67.

Template File — Use this file to modify text displayed in the ICS user interface. For more information, see “Modifying the template file,” on page 67.

Administrator Console — You can use the administrator console to specify remediation information and resources for your enforcement rules.

Customizing ICS

Use the CSS file in conjunction with the HTML files to make changes to the Endpoint User Interface. This section provides step-by-step information about how to perform the most common customizations. For reference documentation to help you understand the style sheet, see “Style Reference,” on page 70.

Creating the customization folder

In order to have your new CSS and TPL files override the defaults, you must place your customized files into a customization folder. Files in this folder will not be overwritten when you upgrade, allowing you to retain your customizations. If you do not specify a customized file in the customization folder, ICS will use the default values. ICS will also use the default values for any values you do not specify in your customized files, so you can include only values you wish to change.

To create the customization folder:

1. Go to <installation path>/ics_server.

2. Create a folder and name it ‘custom’.

This is the customization folder. You must save all your changes to the CSS file to this location.

Since the values in the customization folder are retained when you upgrade, your specified values may obscure some changes. To see all the changes in an upgrade, save copies of your customized files in another location, then remove them all from the customization folder. Adjust your customization to the needs of the new version of ICS.


Modifying the CSS file

Use the custom.css file to modify the look and feel of the ICS user interface. ICS provides you with a default CSS file that you can modify. To make your new CSS file override the settings of the default CSS file, you need to save it in a customization folder.

To modify the CSS file:

1. Create a customization folder.

See “Creating the customization folder,” on page 66.

2. Go to <installation path>/ics_server.

3. Copy the scanner.css file to the customization folder and save it as custom.css.

4. Open the custom.css file using a CSS editor.

5. Make your changes to the file.

You only need to include the classes you want to change. All classes you do not include will use the default settings. When working with your custom.css file, you should set the global classes first, then make any changes needed for specific pages. For detailed information about all the classes contained in the custom.css file, see “Style Reference,” on page 70.

6. Save the custom.css file to the customization folder.

Be sure to refresh your browser to see the changes.

Modifying the template file

To modify the template file:

1. Create a customization folder.

See “Creating the customization folder,” on page 66.

2. Go to <installation path>/ics_server/bin/templates/ and copy the messages.tpl file to the customization folder.

3. In the customization folder, open the messages.tpl file using an HTML editor.

4. Make your changes to the file.

You only need to include the messages you want to change in this file. Messages you do not change will use the default text. Change only the text contained between the double brackets. Do not change the Lua tags.

5. Save the messages.tpl file to the customization folder.

If you include large images in your HTML, they must be referenced from another server. Serving large images from the ICS server is detrimental to performance.


Adding Administrator Contact Information

It is recommended that you include contact information so your users can get help when they need it. You can modify both the content and the style of this area.

Modify the content by changing the messages.tpl file. For information about where to obtain the messages.tpl file and where to save it, see “Modifying the template file,” on page 67.

To add contact information:

1. Open the messages.tpl file in the customization folder using an HTML editor.

2. Add your administrator or user support information.

You only need to include the information that you want to change. ICS will use the default values for any items not specified in the customized file.

3. Save the messages.tpl file to the customization folder.

You will need to reload the user interface page to see the results.

Optionally, you can also change the font style of this text by modifying the .admin_contact class in the custom.css file. See “Changing the fonts,” on page 70.

Changing the logo

You can replace the ICS logo with your own logo, or turn the branding bar on or off. Use the CSS file to make these changes. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67.

To replace the ICS Logo:

1. Save your logo image to the customization folder.

If you want to have a blinking image, save the image that you want to alternate with it to the same location.

2. Open the custom.css file.

3. In the Global Styles section of that file, locate the .message_branding class.

4. Replace ics_message_branding.jpg with the name of your own image.

5. To change the animated icon on the left side, change the .message_branding_icon class as well.

You can either remove the icon from the style or replace it with one of your own.

6. Save the custom.css file to the customization folder.

You will need to reload the user interface page to see the results.

To turn off the branding bar:

1. Open the custom.css file.


2. In the Global Styles section of that file, create the class ‘.iss_brand’.

3. Set the display value to ‘none’.

display:none;

4. Save the custom.css file to the customization folder.

You will need to reload the user interface page to see the results.

Changing the colors

You can change the colors in the ICS endpoint user interface to match your company’s colors. Use the CSS file to make these changes. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67.

The following steps give information about changing the basic color scheme. To change the colors of elements not mentioned here, see “Style Reference,” on page 70.

Generally, when customizing the interface with your company’s colors, you will need three or four colors or pattern images at a minimum:

One light color or pattern for the background

One darker color or pattern for branding and other areas

One or two medium-saturation colors for headers

To change the basic color scheme:

1. Open the custom.css file.

2. Set the .template_background class background color to your light color or pattern.

If you decide to have different backgrounds for some pages, you will need to specify those individually. See “Style Reference,” on page 70.

3. Set the following classes to your darker color or pattern:

.message_branding

.report_title

4. Set the following classes to your medium-saturation colors or patterns:

.requirements_header

.status_header

.solutions_header

.software_header


5. Save the custom.css file to the customization folder.

Changing the fonts

Use the CSS file to change the fonts for the text in the ICS endpoint user interface. For information about the custom.css file and where to save it, see “Modifying the CSS file,” on page 67.

To change the fonts:

1. Open the custom.css file.

2. Set the font style for each class you want to modify.

As a minimum, you will want to modify the following classes:

.message

.requirements_title

.permission_title

.admin_contact

3. Save the custom.css file to the customization folder.

Configuring the custom text

Use the resource pages to configure the custom text. At a minimum, you will want to customize the following:

The administrator contact information

Scan Text

Style Reference

Use this reference to understand the classes included in the ICS style sheet. This reference only defines classes that are specific to ICS. Standard classes are not defined here.

This section is organized by page. It contains classes for the following pages:

“Global Pages,” on page 71.

“Error Page,” on page 74.

“Scanning Page,” on page 74.

“Report page - General,” on page 75.

“Report Page - Message Table,” on page 76.

“Report Page - Report Wrapper Layout,” on page 78.


“Reports Page - Requirements,” on page 78.

“Reports Page - Status,” on page 79.

“Reports Page - Suggestions,” on page 80.

Global Pages

Global page classes apply to all the ICS user interface pages, except the ISW pages. You should modify these classes first, as these styles are inherited by the other ICS pages.

Figure 9-1: Global Classes


Figure 9-2: Global Classes

.links

Use this class to control the style for the links in the user interface.

.template_background

Use this class to change the background behind all the ICS panels. As a default, ICS provides the image file ‘integrity_brand_pattern.gif’. If you change this to another image, be sure to host that image on another server.

If you want to change just the background for a particular page, see the .background class for that page.

.iss_brand

Use this class to control whether or not the branding bar is displayed at the top of the general ICS pages. To disable ICS branding, set the display value to ‘none’. See “Changing the logo,” on page 68.

This applies only to general ICS branding. Integrity Secure Workspace branding is not affected by this class and cannot be disabled.

.message_branding

Use this class to control the style of the branding bar at the top of the general ICS pages. By default, this class displays the image ics_message_branding.jpg.

If you need to change the logo for Integrity Clientless Security, see “Changing the logo,” on page 68.

If you change the style for this class, you may also want to change the .message_branding_icon class, which controls the blinking icon on the left side.

.message_branding_icon

Use this class to control the scanning animation that appears in the branding bar for Integrity Clientless Security. By default this is set to use the iss_logo_animation.gif image.

.ICS_inside


Use this class to control the cell that contains the entire ICS user interface.

.topcell

The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears above the primary content area. Use this class to modify the size and other attributes of this cell.

.leftcell

The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears to the left of the primary content area. Use this class to modify the size and other attributes of this cell.

.centercell

This cell contains the primary content of the ICS pages. Do not modify the values in this cell.

.bottomcell

The ICS endpoint user interface is surrounded by hidden customization cells that you can use to display HTML. This is the cell that appears below the primary content area. Use this class to modify the size and other attributes of this cell.

.admin_contact

Use this class to control the appearance of the administrator contact information. To change the content of this area, see “Adding Administrator Contact Information,” on page 68.

.cell_space

Use this class to control a spacer cell used in some pages.

.ics_button

Use this class to control the appearance of all the buttons in the endpoint user interface.

If you want to change the buttons on a specific page, see the section on that page.

.error_buttons

Use this class to control the table cell that contains the buttons.

.info_message

Use this class to control the table row that the message appears in for ICS messages.

.info_message_title

Use this class to control the message that appears at the top of some ICS messages.

.message_table

Use this class to control the appearance of message boxes in the user interface.


.message

Use this class to control the table cell that contains the main body of the ICS page.

.message_icon

Use this class to control the cell that contains the icons for warning, restriction, and caution.

.odd_row

Use this class to control the appearance of all the odd-numbered rows in columns. This class does not apply to the Reports page.

Error Page

If your endpoint users experience difficulty in downloading and running the scanner, they will see the Error page. Use these classes to control the appearance of the Error page.

Figure 9-3: Error Page Classes

.background_branding_error

Use this class to change the background behind the Error page panels. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

Scanning Page

Your endpoint users see the scanning page while ICS is scanning their computer. Use the classes in this section to control the appearance of this page.


Figure 9-4: Scanning Page Classes

.background_branding_scanning

Use this class to change the background behind the Scanning page panel. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

.scan_message

Use this class to control the table cell that contains the scan message text.

.scan_graphic

Use this class to insert a graphic on the scanning page. You might want to use an animated graphic here to show that the scan is still running.

.scan_text

Use this class to insert scrolling text into the scanning page.

Report page - General

The Report page shows your users what security rules they have violated and provides links to remediation information. Use the classes in this section to control the appearance of this page.


Figure 9-5: General Report Page Classes

.background_branding_report

Use this class to change the background behind the Report page panels. As a default, this class inherits the styles defined for .template_background. If you change this to another image, be sure to host that image on another server.

.message_table

Use this class to control the appearance of the upper message box on the Report page. This is a global class. See “.message_table,” on page 73.

.report_wrapper

Use this class to control the appearance of the lower message box on the Report page.

Report Page - Message Table

The Message table contains message text displayed to users. Use the classes in this section to control the appearance of this page.


Figure 9-6: Report Page Message Table Classes

.restricted_message

Use this class to control the appearance of the table row containing the message that appears at the top of the Report page when the user has failed the scan and is restricted. Changing this class is not recommended.

.warned_message

Use this class to control the appearance of the table row containing the message that appears at the top of the Report page when the endpoint user has failed the scan, but is allowed to continue. Changing this class is not recommended.

.pass_message

Use this class to control the appearance of the table row containing the message that appears at the top of the Report page when the endpoint user has passed the scan. Changing this class is not recommended.

.restricted_message_title

Use this class to control the appearance of the table cell containing the message that appears at the top of the Report page when the user has failed the scan and is restricted. Changing this class is not recommended.

.warning_message_title

Use this class to control the appearance of the table cell containing the message that appears at the top of the Report page when the user has failed the scan, but is allowed to continue. Changing this class is not recommended.

.pass_message_title


Use this class to control the appearance of the table cell containing the message that appears at the top of the Report page when the user has passed the scan. Changing this class is not recommended.

.report_buttons

Use this class to control the table cell that contains the buttons on the report page.

Report Page - Report Wrapper Layout

The Report Wrapper Layout displays the results of security scans. Use the classes in this section to control the appearance of this page.

Figure 9-7: Report Page Report Wrapper Layout

.report_title_wrapper

Use this class to control the appearance of the title bar on the lower message box on the Report page.

If you change the background color of the title bar, you may want to change the text color as well. The .report_title class controls the text color.

.report_title

Use this class to control the appearance of the text in the title bar on the lower message box on the Report page.

.report_table

Use this class to control the appearance of the lower report box on the Report page. Generally, this color is inherited by even-numbered rows to allow alternating colors for the rows.

Reports Page - Requirements

The Requirements section lists required anti-virus, anti-spyware, and firewall applications. Use the classes in this section to control the appearance of this page.


Figure 9-8: Reports Page Requirements Classes

.requirements_header

Use this class to control the appearance of the header of the Security Requirements column.

.requirements_item

Use this class to control the appearance for items in the security requirements column. If you do not set ICS to check for a particular requirement type, the row for that requirement type is not shown. Because this causes the arrangement of the requirement types to vary, you cannot customize these tables to show alternating row colors.

Reports Page - Status

The Status section shows your users what security rules they have violated and provides links to remediation information. Use the classes in this section to control the appearance of this page.

Figure 9-9: Reports Page Status Classes

.status_header


Use this class to control the appearance of the header of the Security Status column.

If you change the background color of the header, you may want to change the text color as well.

.status_icon

Use this class to change the table cells containing the status icon.

.status_item

Use this class to control the appearance of the even-numbered items in the Security Status column. Odd-numbered items are controlled by the global class, ‘.odd_row’. See page 74.

.status_item_restricted

Use this class to change the table cells containing the restricted security status items.

.status_item_warned

Use this class to change the table cells containing the warned security status items.

.status_item_passed

Use this class to change the table cells containing the passed security status items.

Reports Page - Suggestions

The Suggestions section displays links to supplemental remediation information. Use the classes in this section to control the appearance of this page.

Figure 9-10: Reports Page Suggestions Classes

.suggestions_header


Use this class to control the appearance of the header of the Solutions column.

If you change the background color of the header, you may want to change the text color as well.

.suggestions_item

Use this class to control the appearance of the even-numbered items in the Solutions column. Odd-numbered items are controlled by the global class, .odd_row. See page 74.

Customizing the Integrity Secure Workspace

You can customize the ISW by supplying alternative image files and by modifying the XML file that contains the messages that endpoint users see. These files are downloaded to the endpoint computer and used in the ISW user interface. To override the default XML and image files, you must save your files in the customization folder. See “Creating the customization folder,” on page 66.

Changing message text

You can modify the text of messages that endpoint users see in ISW.

To change message text:

1. Open the CPSWSI.xml.gz file.

The CPSWSI.xml.gz file is located in <local path>/ics_server/components.

2. Extract the CPSWSI.xml file and copy it to the customization folder as ISW_customl.xml.

3. Modify the messages.

Be sure to modify only the text of the messages. Do not modify the XML tags.

4. Save the ISW_customl.xml file.
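A way to confirm, before saving the file to the customization folder, that step 3 changed only message text and left the XML tags intact. This is an added example, not code from the product or this guide; the sample XML, its element names and the function names are constructed for illustration, since the schema of CPSWSI.xml is not shown here.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed stand-in for CPSWSI.xml; the real file's schema is not shown here.
SAMPLE_ORIGINAL = (
    b'<messages>'
    b'<message id="welcome">Welcome to the Secure Workspace.</message>'
    b'<message id="exit">Closing the Secure Workspace.</message>'
    b'</messages>'
)


def skeleton(root):
    """List (element path, sorted attributes) for every element, in order."""
    out = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        out.append((here, tuple(sorted(elem.attrib.items()))))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return out


def check_customization(original_gz, custom_xml):
    """Return a list of problems; empty means only message text was changed."""
    original = ET.fromstring(gzip.decompress(original_gz))
    try:
        custom = ET.fromstring(custom_xml)
    except ET.ParseError as exc:
        return [f"customized file is not well-formed XML: {exc}"]
    before, after = skeleton(original), skeleton(custom)
    problems = []
    if len(before) != len(after):
        problems.append(f"element count changed: {len(before)} -> {len(after)}")
    for index, (want, got) in enumerate(zip(before, after)):
        if want != got:
            problems.append(f"element {index}: expected {want}, found {got}")
            break
    return problems


if __name__ == "__main__":
    shipped = gzip.compress(SAMPLE_ORIGINAL)  # plays the role of CPSWSI.xml.gz
    edited = SAMPLE_ORIGINAL.replace(b"Welcome to", b"You are now in")
    print(check_customization(shipped, edited))
```

In practice, pass the bytes of CPSWSI.xml.gz and of the edited file to `check_customization` and copy the file into place only when the returned list is empty.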

Changing the images

In order to change the appearance of the ISW, place image files into the customization folder. If you do not put images into this folder, ISW will use the default images.

To change the images:

1. Place one or more of the following images into the customization folder.

Some images must be of a specified size.

Table 9-1: Customization images

| File Name | Description | Size (in pixels) |
|---|---|---|
| ISW_background.jpg | The background image for ISW. This image is stretched to form the desktop background on the endpoint computer while ISW is running. | 1280x1024 (default) |
| ISW_start_menu.bmp | The image for the Start menu in the ISW. | 43x130 (required) |
| ISW_dlg_title.bmp | The image in the header of the messages in ISW. | 600x68 (required) |
| ISW_icon_secured.ico | The ISW icon that appears in the system tray while the user is working in the Secure Workspace. The endpoint user clicks this icon to switch to the regular workspace. | N/A |
| ISW_icon_unsecured.ico | The ISW icon that appears in the system tray while the user is working in the regular workspace. The endpoint user clicks this icon to switch to the secure workspace. | N/A |
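A pre-deployment check for the two images whose size Table 9-1 marks as required, reading the dimensions straight from the BMP header. This is an added example, not code from the product or this guide; the function names are hypothetical, the sizes are assumed to be width x height, and the sample header is constructed so the block runs without real image files.

```python
import struct

# Required sizes from Table 9-1, assumed to be (width, height) in pixels.
REQUIRED_SIZES = {
    "ISW_start_menu.bmp": (43, 130),
    "ISW_dlg_title.bmp": (600, 68),
}


def bmp_dimensions(data):
    """Return (width, height) read from a BMP file's DIB header."""
    if len(data) < 26 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    (dib_size,) = struct.unpack_from("<I", data, 14)
    if dib_size == 12:            # legacy BITMAPCOREHEADER: 16-bit fields
        width, height = struct.unpack_from("<HH", data, 18)
    elif dib_size >= 40:          # BITMAPINFOHEADER and later: signed 32-bit
        width, height = struct.unpack_from("<ii", data, 18)
    else:
        raise ValueError(f"unsupported DIB header size {dib_size}")
    return width, abs(height)     # negative height only means top-down rows


def check_image(name, data):
    """Return None if the image is acceptable, otherwise a problem string."""
    required = REQUIRED_SIZES.get(name)
    if required is None:
        return None               # no required size listed for this file
    try:
        actual = bmp_dimensions(data)
    except ValueError as exc:
        return f"{name}: {exc}"
    if actual != required:
        return (f"{name}: is {actual[0]}x{actual[1]}, "
                f"must be {required[0]}x{required[1]}")
    return None


def make_bmp_header(width, height):
    """Constructed sample: a 54-byte header for a 24-bit BMP, no pixel data."""
    file_header = b"BM" + struct.pack("<IHHI", 54, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height,
                              1, 24, 0, 0, 2835, 2835, 0, 0)
    return file_header + info_header


if __name__ == "__main__":
    print(check_image("ISW_dlg_title.bmp", make_bmp_header(640, 68)))
```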
