Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.1.1
Tutorial

Table Of Contents

Tutorial

Step One: Define Windows Locations

Step Two: Define Windows Location Identification

Work

Home

Insecure

Step Three: Configure Windows Location Modules

Work

Home

Insecure

Step Four: Configure Windows Location Features

Work

Home

Insecure

Step Five: Configure Windows CE Features

Step Six: Configure Macintosh and Linux Features


Tutorial


CSD is a highly customizable suite of security tools that you can deploy in many different ways to secure remote systems and enforce your company's network security policies. Becoming familiar with the configuration procedure can help you understand the following:

How to deploy CSD

Which security decisions you need to make to best accommodate your users and secure your network


Note This tutorial introduces you to the CSD configuration settings. Subsequent sections reinforce the instructions with detailed descriptions.


The following sections guide you through the CSD configuration sequence:

Step One: Define Windows Locations

Step Two: Define Windows Location Identification

Step Three: Configure Windows Location Modules

Step Four: Configure Windows Location Features

Step Five: Configure Windows CE Features

Step Six: Configure Macintosh and Linux Features

Step One: Define Windows Locations

Begin configuring CSD by defining Windows locations. Windows locations apply to supported Microsoft Windows clients only; they do not apply to Windows CE, Macintosh, and Linux clients.

Locations let you deploy an appropriately secure environment to hosts that connect through the VPN. They let you increase security on hosts that you determine are likely to be insecure, and offer flexibility to clients you determine are secure. You can restrict user privileges when they connect from unknown computers. You can also deploy the Secure Desktop and Cache Cleaner modules on insecure hosts to minimize session information that might contain confidential company information. We recommend that you consider the different types of hosts that will connect through the VPN before you determine the criteria needed to secure those hosts and the security policies to assign to those criteria. In addition, because it is physically impossible to ensure 100 percent removal of all data sent to a remote system, organizations may use Cisco Secure Desktop to minimize access to trusted assets.

This tutorial describes how to configure three example locations: "Work," "Home," and "Insecure." "Work" is for those connecting to the VPN from a workstation in the office, "Home" is for those working from home, and "Insecure" is for those who do not meet the criteria for either, such as those connecting from a cybercafé.

In this tutorial, "Work" provides clients with full access, "Home" provides some flexibility, and "Insecure" restricts access. This tutorial defines the locations as follows:

Work

Identified by a registry entry

Secure Desktop and Cache Cleaner are disabled

Full access: all features ON

Home

Identified by a certificate given by the administrator

Secure Desktop and Vault Reuse are enabled, with no timeout

Vault Reuse lets users close the Secure Desktop and open it again at a later time, creating a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) when CSD creates the Secure Desktop.

Advanced features require company antivirus software, company antispyware, company firewall, and Windows 2000 Service Pack 4 or Windows XP

Check for keystroke logger

Insecure

No identification

Cache Cleaner

All features disabled except web browsing

To create the three locations:


Step 1 Choose Windows Location Settings in the CSD menu.

The Windows Location Settings pane appears.

Step 2 Type the following names in the Location name field, and click Add after typing each one:

Work

Home

Insecure


CSD evaluates client connections against the location entries in the order listed on the Windows Location Settings pane. CSD grants privileges to a client PC based on the first location definition it matches. Our example includes "Work," "Home," and "Insecure" in that order; to assign privileges to a host, CSD first determines whether it is a "Work" host. If it is not, it determines whether it is a "Home" host. If it is not, it assigns the privileges associated with the "Insecure" location.

To change the order of the evaluation, choose a location name and click Move Up or Move Down.

Click Apply All to save the running CSD configuration to the flash device.


Note An "Unapplied Changes" dialog box prompts you to save the CSD configuration if you try to navigate away from it or exit without having saved the configuration. Clicking Apply Changes in that window is equivalent to clicking the Apply All button.


Step Two: Define Windows Location Identification

For each Windows location, define the criteria used to identify the location and the security modules to be deployed for that location. Specify this information by clicking on the location name in the menu on the left side of the CSD Manager. An Identification pane lets you enable the identification criteria for the location: certificate, IP address range, and file/registry. The "Use Module" attribute at the bottom of the pane lets you enable or disable the Secure Desktop or Cache Cleaner modules for the associated location.

Work

Identify clients in the "Work" location by registry entry as follows:


Step 1 Click the name Work in the menu on the left.

The Identification pane opens.

Step 2 Check Enable identification using Registry or File criteria.

Step 3 Add a registry criterion such as, "HKEY_LOCAL_MACHINE\SOFTWARE\Company exists."

Step 4 Do not deploy a security module because the hosts in this location are inside the office; uncheck both Secure Desktop and Cache Cleaner next to "Use Module."


Home

Identify clients in the "Home" location by a certificate given by the administrator to users who connect from home, as follows:


Step 1 Click the name Home in the menu on the left.

Step 2 Check Enable identification using certificate criteria.

Step 3 Complete the Issued to and Issued By fields of the certificate.

Step 4 Check Secure Desktop next to "Use Module."


Insecure

Do not specify any criteria for the final location entry, "Insecure." It applies to all clients that do not match the criteria specified in the previous location entries. Enable the Cache Cleaner module for these clients, as follows:


Step 1 Click the name Insecure in the menu on the left.

Step 2 Check Cache Cleaner next to "Use Module."


Click Apply All to save the running CSD configuration to the flash device.

Step Three: Configure Windows Location Modules

This section describes how to customize the CSD deployment for each location. Each location in the menu has six options: VPN Feature Policy, Keystroke Logger, Cache Cleaner, Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser.

If you selected Cache Cleaner next to "Use Module" in the location configuration, configure the Cache Cleaner. If you selected Secure Desktop, configure both the Secure Desktop and Cache Cleaner because CSD supports only the Cache Cleaner on Windows 98 machines.

Work

Because you assigned neither the Secure Desktop nor the Cache Cleaner security module to the location entry named "Work," do not configure the associated VPN Feature Policy, Keystroke Logger, Cache Cleaner, Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser settings.

Home

Use the Secure Desktop for the "Home" location and allow vault reuse, no timeout, access to printing, and the command prompt. Also, allow connections using the Cache Cleaner for Windows 98 hosts. Set up the "Home" location with these settings as follows:


Step 1 Click Cache Cleaner under "Home."

The Cache Cleaner pane opens.

Step 2 Uncheck Launch cleanup upon inactivity timeout.

Step 3 Uncheck Disable cancellation of cleaning.

See the option descriptions in "Configuring Cache Cleaner for a Location" for more information about the settings on this pane.

Step 4 Click Secure Desktop General under "Home."

The Secure Desktop General pane appears (Figure 4-1).

Figure 4-1 Secure Desktop General

Step 5 Check Enable switching between Secure Desktop and Local Desktop.

Step 6 Check Enable Vault Reuse.

Step 7 Uncheck Enable Secure Desktop inactivity timeout.

With this attribute unchecked, the timeout has no effect.

See the option descriptions in "Configuring Secure Desktop General for a Location" for more information about the settings on this pane.

Step 8 Click Secure Desktop Settings under "Home."

The Secure Desktop pane appears.

Uncheck all options except for Allow e-mail applications to work transparently.

See the option descriptions in "Configuring Secure Desktop Settings for a Location" for more information about the settings on this pane.


Insecure

Use the default Cache Cleaner settings for the "Insecure" location. Assign or confirm the associated Cache Cleaner settings as follows:


Step 1 Click Cache Cleaner under "Insecure."

The Cache Cleaner pane appears.

Step 2 Check Launch cleanup upon inactivity timeout.

When checked, this option forces a timeout if the user leaves the computer without logging out.

Step 3 Set Timeout after to 5 minutes.


Click Apply All to save the running CSD configuration to the flash device.

Step Four: Configure Windows Location Features

CSD creates security modules for each location when you create it. Refer to the following sections to specify the level of access for each location.

Work

Provide full access to users in the "Work" location as follows:


Step 1 Click VPN Feature Policy under "Work."

Step 2 Set the following attributes to ON to ensure users connecting from the office environment have access to all of the VPN features:

Web Browsing

File Access

Port Forwarding

Full Tunneling


Home

Users connecting from home have advanced features like File Access, Port Forwarding, and Full Tunneling only if they meet the company network policies for antivirus software, antispyware, firewall software, and Windows 2000 Service Pack 4 or Windows XP. Provide users in the "Home" location with this level of access as follows:


Step 1 Click VPN Feature Policy under "Home."

Step 2 Set Web Browsing to ON.

Step 3 Set File Access to ON if criteria are matched.

Step 4 Click the ellipsis (...) button under "Web Browsing."

A dialog box opens.

Step 5 Check AntiVirus and choose the antivirus software.


Note To choose multiple options for a given field, Control-click them.


Step 6 Check Anti-spyware and choose the antispyware software.

Step 7 Check Firewall and choose the firewall software.

Step 8 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2.

Step 9 Click OK.

Step 10 Repeat Steps 3 to 9 for Port Forwarding and Full Tunneling.


Insecure

These instructions grant web browsing access only, and only if the Secure Desktop is active. Provide this level of access to users in the "Insecure" location as follows:


Step 1 Click VPN Feature Policy under "Insecure."

Step 2 Set Web Browsing to ON if criteria are matched.

Step 3 Click the ellipsis (...) button under "Web Browsing."

A dialog box opens.

Step 4 Check AntiVirus and choose the antivirus software.


Note To choose multiple options for a given field, Control-click them.


Step 5 Check Firewall and choose the company firewall software.

Step 6 Check Anti-spyware and choose the antispyware software.

Step 7 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2.

Step 8 Check Feature and choose Cache Cleaner.

Step 9 Click OK.

Step 10 Make sure File Access, Port Forwarding, and Full Tunneling are unchecked.

Step 11 Click OK.

See the option descriptions in "Configuring a VPN Feature Policy for a Location" for more information.


Click Apply All to save the running CSD configuration to the flash device.
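The following added example (illustrative code written for this tutorial, not Cisco's CSD software) models the two decisions described above: CSD picks the first location in list order whose identification criteria a host meets (Step One), and each VPN feature set to "ON if criteria are matched" is granted only when the host passes the antivirus, antispyware, firewall, OS and module checks configured for that location (Step Four). The host attribute names and the values "CompanyAV", "CompanySpy", "CompanyFW" and the certificate Issued To/Issued By pair are assumptions.

```python
# Added example, not Cisco's code: first-match location selection followed by
# VPN Feature Policy evaluation, using the three locations of this tutorial.
# Host attribute names and the company product/certificate names are assumed.

ON, OFF, IF_MATCHED = "ON", "OFF", "ON if criteria are matched"
ALLOWED_OS = {"2000 SP4", "XP no SP", "XP SP1", "XP SP2"}
FEATURES = ("Web Browsing", "File Access", "Port Forwarding", "Full Tunneling")

# Locations in the order listed on the Windows Location Settings pane.
# "identify" returns True when the host meets the location's criteria; the
# final entry has no criteria and therefore catches every remaining host.
LOCATIONS = [
    {"name": "Work", "module": None,
     "identify": lambda h: r"HKEY_LOCAL_MACHINE\SOFTWARE\Company" in h.get("registry", ()),
     "policy": dict.fromkeys(FEATURES, ON)},
    {"name": "Home", "module": "Secure Desktop",
     "identify": lambda h: h.get("cert") == ("remote user", "Company CA"),  # Issued To, Issued By
     "policy": {"Web Browsing": ON, "File Access": IF_MATCHED,
                "Port Forwarding": IF_MATCHED, "Full Tunneling": IF_MATCHED}},
    {"name": "Insecure", "module": "Cache Cleaner",
     "identify": lambda h: True,
     "policy": {"Web Browsing": IF_MATCHED, "File Access": OFF,
                "Port Forwarding": OFF, "Full Tunneling": OFF}},
]


def select_location(host):
    """Return the first location (in pane order) whose criteria the host meets."""
    return next(loc for loc in LOCATIONS if loc["identify"](host))


def criteria_met(host, location):
    """Checks behind "ON if criteria are matched": company AV, antispyware and
    firewall, an allowed OS, and for "Insecure" the Cache Cleaner running."""
    ok = (host.get("antivirus") == "CompanyAV" and host.get("antispyware") == "CompanySpy"
          and host.get("firewall") == "CompanyFW" and host.get("os") in ALLOWED_OS)
    if location["name"] == "Insecure":
        ok = ok and host.get("running_module") == "Cache Cleaner"
    return ok


def effective_features(host):
    """Return (location name, module, {feature: granted?}) for one host."""
    loc = select_location(host)
    met = criteria_met(host, loc)
    granted = {f: s == ON or (s == IF_MATCHED and met) for f, s in loc["policy"].items()}
    return loc["name"], loc["module"], granted
```

A host that carries both the registry key and the home certificate is still classified as "Work", because evaluation stops at the first match.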

Step Five: Configure Windows CE Features

CSD provides limited features and restrictions for Windows CE clients. The following instructions explain how to grant or restrict web browsing and file access privileges to these clients.

Configure CSD for Windows CE clients as follows:


Step 1 Click Windows CE.

The Windows CE pane appears.

Step 2 Set Web Browsing to ON.

Step 3 Set File Access to ON.


See the option descriptions in "Setting Up CSD for Microsoft Windows CE Clients" for more information about the settings in this window.

Click Apply All to save the running CSD configuration to the flash device.

Step Six: Configure Macintosh and Linux Features

CSD handles Macintosh and Linux systems differently from Windows. Instead of using different settings per location, all Macintosh and Linux hosts use the same settings. (Hosts connecting from both secure and insecure locations connect with the same settings.) The following instructions explain how to grant only web browsing access privileges with a global timeout.

Configure the Macintosh and Linux cache cleaner as follows:


Step 1 Click Mac & Linux Cache Cleaner.

The Cache Cleaner - Mac & Linux pane appears.

Step 2 Check Launch cleanup upon global timeout.

Step 3 Set the Timeout after value to 5 minutes.

Step 4 Check Let user reset timeout.

Step 5 Set Web Browsing to ON.

Step 6 Set File Access to ON.

Step 7 Set Port Forwarding to OFF.

See the option descriptions in "Setting Up CSD for Macintosh and Linux Clients" for more information about the settings in this window.


Click Apply All to save the running CSD configuration to the flash device.