Cisco Secure Desktop Configuration Guide for VPN 3000 Concentrator Series and Catalyst 6500 Series WebVPN Services Module Administrators, Release 3.1.1
Setting Up CSD for Microsoft Windows Clients
See the following sections to configure CSD for remote clients running Microsoft Windows:

About Windows Locations

Creating Windows Locations

Defining Location Criteria

Configuring the Secure Desktop for Clients that Match Location Criteria

About Windows Locations

Windows locations let you determine how clients connect to your virtual private network, and protect it accordingly.

For example, clients connecting from within a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk for exposing confidential information. For these clients, you might set up a CSD Windows Location named Work that is specified by IP addresses on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this location.

In contrast, users' home PCs might be considered more at risk to viruses due to their mixed use. For these clients, you might set up a location named Home that is specified by a corporate-supplied certificate that employees install on their home PCs. This location would require the presence of antivirus software and specific, supported operating systems to grant full access to the network.

Finally, for untrusted locations such as Internet cafes, you might set up a location named "Insecure" that has no matching criteria (thus making it the default for clients that do not match other locations). This location would require full Secure Desktop functions, and include a short timeout period to prevent access by unauthorized users.


Caution If you create a location and do not specify criteria, make sure it is the last entry in the "Locations in priority order" list described in the next section.

CSD checks locations in the order listed on the Windows Location Settings window, and grants privileges to client PCs based on the first location definition they match.

Browse through the options for the Windows Location settings in this chapter to plan a configuration that meets the security requirements of your network.

Creating Windows Locations

Click Windows Location Settings in the menu on the left to define the location based settings (also called adaptive policies) for CSD. The Windows Location Settings window opens (Figure 6-1).

Figure 6-1 Windows Location Settings Window

The elements in this window are as follows:

Locations in priority order — Lists the locations that you have configured.

Move Up/Move Down — Choose a location name from the list of locations and use these buttons to set the priority of the locations. When a client PC connects, the Secure Desktop Installer checks through the location settings in the order that you define here.

Location name and Add — To add a location from which users can connect, type a new location name in the Location name field and click Add. As you add locations, the Secure Desktop Manager adds their names to the menu on the left of the window and to the list of "Locations in priority order" in the middle of the window.

Delete — Choose a location name from the list of locations and click Delete to remove it from the list and discard its configuration.

Close all opened browser windows upon installation — Check this option to remove unsecured web browser sessions from the client when CSD is installed. This option prevents confusion over whether CSD secures the data. This option applies to all Windows Locations. The default setting for this attribute is unchecked.

Web Browsing — Set this attribute to ON to permit the use of the Secure Desktop to browse the web if the client PC does not match any of the configured locations criteria.

The default setting for this attribute is OFF.

File Access — Set this attribute to ON to permit the use of the Secure Desktop connection to access files on a remote server if the client PC does not match any of the configured locations criteria.

The default setting for this attribute is OFF.

Port Forwarding — Set this attribute to ON to permit the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server if the client PC does not match any of the configured locations criteria.

The default setting for this attribute is OFF.

Full Tunneling — Set this attribute to ON to permit the use of the SSL VPN Client to establish a VPN tunnel if the client PC does not match any of the configured locations criteria.

The default setting for this attribute is OFF.

Click Save next to "Settings Modified" to save the configuration changes before continuing.

Defining Location Criteria

To define and configure the settings for a location, click the location name in the menu on the left. The Identification for <Location> window opens (Figure 6-2).

Figure 6-2 Identification for <Location> Window

This window lets you specify the criteria that defines the location. A location can be based on any of the following matching criteria:

Certificate name and issuer

IP address range

Presence or absence of a particular file or registry key.

CSD considers the three location criteria in a logical "AND" relationship. For example, if you specify an IP address range under "Enable identification using IP criteria," and you specify "File company_software.exe #does exist#" under "Enable identification using File or Registry criteria," the client must meet both of these conditions to match the location.

Within each area, only one of the criteria you specify must match; that is, CSD considers the criteria in a logical "OR" relationship. For example, if you specify several files under "Enable identification using File or Registry criteria," only one of these files must be present.


Note To push the Secure Desktop to all client PCs regardless of their status, configure only one location and do not specify a certificate, IP address range, or file or registry criteria. This default location pushes the Secure Desktop to all computers from which users connect.


The attributes in this window are as follows:

Enable identification using certificate criteria — Check to enable this feature. Use one of the following instructions to examine the certificate Subject and Issuer fields to identify the values to be completed:

If you have a certificate file,

a. Double-click the certificate (for example, a *.cer or *.pfx file).

The Certificate window opens.

b. Click the Details tab.

If you have a signed file (that is, the file is not a certificate file, but contains a certificate),

a. Right click the file and choose Properties.

The Properties window opens.

b. Click the Digital Signatures tab (which appears only if the file is signed).

c. Click the Details button.

d. Click the View Certificate button.

The Certificate window opens.

e. Click the Details tab.

If you have neither a certificate file nor a signed file, go to the certificates in your store (your computer), as follows:

a. Open the Control Panel.

b. Choose Internet Options.

c. Click the Content tab.

d. Click the Certificates button.

e. Choose a certificate and click the View button.

The Certificate window opens.

f. Click the Details tab.

Use the following field descriptions for the fields under "Enable identification using certificate criteria" in the Identification for <Location> window:

Name — Click Subject in the Field column under the Details tab of the Certificate window. The panel below the Field column displays the subordinate fields and values assigned to the Subject field of the certificate. The subordinate fields include such names as "CN" for common name, "O" for organization unit name, and "E" for e-mail address. Type the value of one of these subordinate fields in the Name field on the left side of the Identification for <Location> window to match it against the Subject field of the certificate.


Note Specify the value of a subordinate field. For example, type the value of the "O" field, not the "O" itself.


Issuer — Click Issuer in the Field column under the Details tab of the Certificate window. The panel below the Field column displays the subordinate fields and values assigned to the Issuer field of the certificate. The subordinate fields include such names as "CN" for common name, "O" for organization unit name, and "E" for e-mail address. Type the value of one of these subordinate fields in the Issuer field on the right side of the Identification for <Location> window to match it against the Issuer field of the certificate.

CSD assigns the location to the client only if it has a certificate that contains both of the following, and only if it matches at least one criterion in each of the completed areas in the Identification for <Location> window:

Value in the Subject field that matches the value you specified in the "Name" field

Value in the Issuer field that matches the value you specified in the "Issuer" field

For details on setting up your server to work with client certificates, see the "Frequently Asked Questions" section.

Enable identification using IP criteria — Check to enable this feature. Enter one or more IP address ranges by clicking Add. CSD checks the IP addresses of clients trying to connect and if a client has an address within the specified range, CSD validates the location. Note that if the client has more than one network card, CSD uses only the address of the first card detected.

Enable identification using File or Registry criteria — Note the window above the Add button. This window lists any registry key and file requirements needed to qualify a remote client to obtain the access rights associated with the location you are configuring. Each entry in the window is a logical OR operator (that is, the evaluation result for any entry must be TRUE to assign the location). Click Add if you want the client system to comply with a specific registry key or file requirement in order to obtain the access rights associated with the location. The Registry Key or File Information window opens (Figure 6-3).

Figure 6-3 Registry Key or File Information Window

The attributes in this window differ as shown, depending on whether you choose Registry or File.


Note You can use the value types to be specified in this window as a guide to set up one or more secret criteria within the remote client's system to match those specified for this location. For example, you can add a Dword or string value to a registry key on client computers to qualify them for the location you are configuring.


The attributes in this window are as follows:

Type — Click the button next to one of the following options:

Registry if you want to confirm the presence or absence of a registry key as a condition for assigning the location you are configuring to the remote client.

File if you want to confirm the presence or absence of a file as a condition for assigning the location you are configuring to the remote client.

Path — Type one of the following entries, depending on whether you choose Registry or File:

Registry — Type one of the following hives (initial directory path within the registry), followed by the name of the registry key required to be present or absent on the client system:

HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
HKEY_CLASSES_ROOT\
HKEY_USERS\

Each string references a registry base that stores different information. The HKEY_LOCAL_MACHINE\ path is the most commonly used one because it contains the machine-specific registry files.

File — Type the directory path to the name of a file required to be present or absent on the client system.


Note Refer to the subsequent attribute descriptions for examples of Registry and File paths.


Exists/Does not exist — Click the button next to one of the following options:

Exists if the key or file specified in the Path field must be present on the remote client computer to assign the location you are configuring.

Does not exist if the key or file specified in the Path field must be absent from the remote client computer to assign the location you are configuring.

For example, you might want to choose Exists to require the following registry key to be present to match a criterion for assigning a location:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>

And/or you might want to choose Does not exist to require the following registry key to be absent to match a criterion for assigning a location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>

You might also choose "File" and "Exists" to ensure a security application is installed, as follows:

C:\Program Files\<Security Application>\<Protective_Application.exe>


Note If you choose File, specify a path, and choose Does not exist, CSD grays out the remaining options. If so, click OK. The Registry Key window closes and the new criterion appears as an entry in the File or Registry Criteria field in the Identification for <Location> window. Click Add again if you want to specify another registry key or file criterion, or refer to the "Use Module" attribute description below to continue with the configuration of this location.


DWORD value (Appears only if you choose Registry) — Choose this option if the registry key includes a Dword ("double word," which is 32 bits) and you want to specify its value as a criterion.


Note The regedit application, accessed on the Windows command line, lets you view the Dword value of a registry key or add one to the key.


Choose one of the following options to specify the relationship of the Dword value of the registry key to the value to be specified in the field under "DWORD value."

less than

less than or equal to

equal to

different from

greater than

greater than or equal to

Type a decimal into the field to compare with the value of the Dword registry key on the client computer.

For example, you might want to choose "Exists" and a DWORD value "greater than or equal to" "7" to require that a protective software application meet a minimum version requirement:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version

String value (Appears only if you choose Registry) — Choose this option if the registry key includes a string and you want to specify its value as a criterion.


Note The regedit application, accessed on the Windows command line, lets you view the String value of a registry key or add one to the key.


Choose one of the following options to specify the relationship of the value to be specified in the field to the string value of the registry key:

contains

matches

differs

Type a string into the field to compare with the string value of the registry key on the client computer.

For example, you might want a criterion in addition to the one in the last example to ensure the protective software application is active. To do so, you type the following path, choose Exists, choose String value matches, and type Active in the "String value" field:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Status


Note Click OK if you choose to use a registry key as a criterion. The Registry Key window closes and the new criterion appears as an entry in the File or Registry Criteria field in the Identification for <Location> window. Click Add again if you want to specify another registry key or file criterion, or refer to the "Use Module" attribute description below to continue with the configuration of this location.


Version (Present only if you choose "File" and active only if you choose "Exists") — Check if you want to specify a version of a file as a criterion. You can use this criterion to require that a specific application is a particular version. You can display the version of an .exe file by viewing its "Properties" and clicking the "Version" tab. Choose one of the following options to specify the relationship of the "Version value" of the file to the version number to be typed in the Version field:

less than

less than or equal to

equal to

different from

greater than

greater than or equal to

Type a string (typically dotted decimal) in the Version field to compare with the Version of the file on the client computer.

Checksum (Present only if you choose "File" and active only if you choose "Exists") — Check to specify a checksum to authenticate the file named in the Path field. When you check this attribute, CSD adds the following text below it:

Use Crc32.exe to calculate a checksum (click open)

Click the Crc32.exe link in the window if you would like to download a small program from the CSD host to your computer and calculate a checksum on one or more files. Your browser opens a new download window that prompts you to save the file. Click Save. The browser saves it to its default download location or prompts you to specify where to save the file.

Use Windows Explorer to open the "crc32.exe" file. The Crc32 window opens (Figure 6-4).

Figure 6-4 Crc32 Window

Click Browse and choose the file on which to calculate the checksum. The File Path field displays the path to the file you chose. Click Calculate. The Crc32 application inserts the checksum in hexadecimal format into the Crc32 field. Copy the checksum, close the Crc32 window (unless you want to use it for subsequent file checksums), and paste the checksum into the Checksum field in the File Information window.

Click OK in the File Information window. The window closes and the new criterion appears as an entry in the File or Registry Criteria field in the Identification for <Location> window. Click Add again if you want to specify another registry key or file criterion, or refer to the next attribute description to continue with the configuration of this location.

Use Module — Check a box to specify which CSD module to use for this location. The options are Cache Cleaner, Secure Desktop, or neither (no boxes checked). You cannot use Cache Cleaner and Secure Desktop at the same time. If neither is checked, the configured VPN feature policy applies.


Note If you check Secure Desktop here and configure the Secure Desktop settings, you should still configure the Cache Cleaner as well. The Cache Cleaner serves as a fall-back security solution for older Windows operating systems such as Windows 98, which the full Secure Desktop functions do not support.


Click Save next to "Settings Modified" to save the configuration changes before continuing.
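The location-assignment rules described in this section (locations tried in priority order with the first match winning, the certificate, IP and File/Registry areas ANDed, entries within an area ORed, and the DWORD, String, Version and Checksum comparisons), modelled in Python as an added example. This is not Cisco's code: the sample locations, certificate, client data, the assumption that Crc32.exe yields the standard CRC-32, and the way Name/Issuer values are matched against certificate sub-fields are all constructed for illustration.

```python
# Model of how CSD assigns a Windows Location (constructed example, not Cisco code).
# Locations are tried in priority order, first match wins; the certificate, IP and
# File/Registry areas are ANDed; entries inside an area are ORed; an unconfigured
# area is skipped, so a location with no criteria matches everyone and must be last.
import ipaddress
import operator
import zlib

# Relationship options offered for DWORD values and file versions.
COMPARE = {
    "less than": operator.lt,
    "less than or equal to": operator.le,
    "equal to": operator.eq,
    "different from": operator.ne,
    "greater than": operator.gt,
    "greater than or equal to": operator.ge,
}
# Relationship options offered for String values.
STRING_COMPARE = {
    "contains": lambda actual, want: want in actual,
    "matches": lambda actual, want: actual == want,
    "differs": lambda actual, want: actual != want,
}

def version_tuple(text):
    """'7.1.0.2' -> (7, 1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def crc32_hex(data):
    """Assumption: Crc32.exe produces the standard CRC-32 (as zlib does) as 8 hex digits."""
    return "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)

def registry_entry_ok(entry, client):
    """entry keys: path, exists, and optionally dword=(op, int) or string=(op, str)."""
    value = client["registry"].get(entry["path"])  # None means the key is absent
    if (value is not None) != entry["exists"]:
        return False
    if value is None:
        return True  # "Does not exist" satisfied; the value options are grayed out
    if "dword" in entry:
        op, want = entry["dword"]
        return isinstance(value, int) and COMPARE[op](value, want)
    if "string" in entry:
        op, want = entry["string"]
        return isinstance(value, str) and STRING_COMPARE[op](value, want)
    return True

def file_entry_ok(entry, client):
    """entry keys: path, exists, and optionally version=(op, str) and checksum=hex string."""
    info = client["files"].get(entry["path"])  # {"version": str, "data": bytes} or None
    if (info is not None) != entry["exists"]:
        return False
    if info is None:
        return True
    if "version" in entry:
        op, want = entry["version"]
        if not COMPARE[op](version_tuple(info["version"]), version_tuple(want)):
            return False
    if "checksum" in entry and crc32_hex(info["data"]) != entry["checksum"].upper():
        return False
    return True

def location_matches(loc, client):
    if "certificate" in loc:  # Name is matched against Subject sub-fields, Issuer against Issuer's
        cert = client.get("certificate")
        name, issuer = loc["certificate"]
        if cert is None or name not in cert["subject"].values() or issuer not in cert["issuer"].values():
            return False
    if "ip_ranges" in loc:  # only the first network card's address is consulted, per the guide
        addr = ipaddress.ip_address(client["ip"])
        if not any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in loc["ip_ranges"]):
            return False
    if "file_registry" in loc:  # any one entry being TRUE is enough
        if not any(registry_entry_ok(e, client) if e["type"] == "registry" else file_entry_ok(e, client)
                   for e in loc["file_registry"]):
            return False
    return True

def assign_location(locations, client):
    """Name of the first location in priority order that the client matches, else None."""
    for loc in locations:
        if location_matches(loc, client):
            return loc["name"]
    return None  # no match: the global Web Browsing/File Access/... defaults apply

# Constructed sample configuration (not from the guide), following the Work/Home/Insecure plan.
PROTECTIVE_EXE = b"constructed contents of Protective_Application.exe"
LOCATIONS = [
    {"name": "Work", "ip_ranges": [("10.0.0.0", "10.255.255.255")]},
    {"name": "Home", "certificate": ("Example Corp", "Example Corp Root CA"), "file_registry": [
        {"type": "registry", "exists": True, "dword": ("greater than or equal to", 7),
         "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version"},
        {"type": "file", "exists": True, "version": ("greater than or equal to", "7.0"),
         "checksum": crc32_hex(PROTECTIVE_EXE),
         "path": r"C:\Program Files\<Security Application>\<Protective_Application.exe>"}]},
    {"name": "Insecure"},  # no criteria: catches everyone, so it must stay last
]
HOME_CERT = {"subject": {"CN": "alice", "O": "Example Corp"}, "issuer": {"CN": "Example Corp Root CA"}}
```

Moving the Insecure entry above Home in LOCATIONS makes every client land on Insecure, which is the mistake the Caution at the start of this chapter warns about.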

Configuring the Secure Desktop for Clients that Match Location Criteria

Refer to the following sections to define the Secure Desktop experience for clients that match the criteria defined for a specific location:

VPN Feature Policy

Keystroke Logger

Cache Cleaner for Windows

Secure Desktop General

Secure Desktop Settings

Secure Desktop Browser

VPN Feature Policy

Click VPN Feature Policy under the name of the location you are configuring in the menu on the left. The VPN Feature Policy window opens (Figure 6-5).

Figure 6-5 VPN Feature Policy Window

Each of the attributes in this window has the same set of options, as follows:

ON — Enables the feature if the client matches the location criteria.

OFF — Disables this feature if the client matches the location criteria.

ON if criteria are matched — Enables the feature if the client matches both the location criteria and the criteria specified in the window accessed by clicking the ellipses (...) button below this attribute. The Secure Desktop Manager displays the configured criteria in the field to the left of the ellipses button. An "On if criteria are matched" setting with a blank field underneath is equivalent to an ON setting.


Note An "ON if criteria are matched," setting without criteria is equivalent to "ON."


The attributes in this window are as follows:

Web Browsing — Permits the use of the Secure Desktop to browse the web.

The default setting for this attribute is "OFF."

File Access — Permits the use of the Secure Desktop to access files on a remote server.

The default setting for this attribute is "OFF."

Port Forwarding — Permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.

The default setting for this attribute is "OFF."

Full Tunneling — Lets the SSL VPN Client establish a VPN tunnel.

The default setting for this attribute is "OFF."

To require specified software or security to be present on the client as a condition for enabling the feature, choose ON if criteria are matched from the drop-down list box, then click the associated ellipses (...) button. The VPN Feature Policy Criteria dialog window opens (Figure 6-6).

Figure 6-6 VPN Feature Policy Criteria Dialog Window

This window lets you enable System Detection of antivirus software, antispyware, a personal firewall, service packs, and the CSD Secure Desktop or Cache Cleaner.


Note For each attribute in this window, the associated options have a logical "OR" relationship: the client must be running one of the highlighted applications to satisfy the System Detection requirement for the associated feature.


Click one or more security categories to require their presence as a condition to enable the feature checked in the previous window. For each enabled security category you check, click one of the options or control-click multiple options. The browser highlights the options as you choose them. You can only choose one option next to the Feature attribute.

The relationship among attributes is an "AND" relationship. If you choose only one category, it alone must pass the System Detection check. If you choose all categories, the client must meet all of the conditions set by the criteria (that is, the client must be running at least one each of the antivirus software, antispyware software, personal firewall software, operating system and service pack, and the selected "Feature") to enable the selected module.

The categories and options in this window are as follows:

Anti-Virus — Check to enable System Detection for the presence of antivirus software that is running. Control-click each antivirus software application to add it to the System Detection list. CSD requires one of the applications highlighted to be running on the client PC to satisfy the anti-virus requirement.

The antivirus applications that System Detection checks for include:

Avast AntiVirus (4.0)

AVG AntiVirus (7.0)

eTrust Antivirus (7.0 to 2005)

F-Secure Antivirus (2003 to 2005)

McAfee VirusScan (8.0 to 10.0, Enterprise 7.0 to 8.0)

Norton AntiVirus For Windows (Corporate 8.0 to 9.0, Professional 2004 to 2005)

Panda AntiVirus (Titanium 2004 or Platinum 7.0 to 8.0)

PC-cillin 2003 or 2004

Anti-Spyware — Check to enable System Detection for the presence of antispyware software that is running. Then control-click each antispyware application to add it to the System Detection list. CSD requires one of the applications highlighted to be running on the client PC to satisfy the antispyware requirement.

The antispyware applications that System Detection checks for include:

Microsoft Anti-Spyware

Anonymizer AntiSpyware

Firewall — Check to enable System Detection for the presence of a personal firewall that is running. Then control-click each personal firewall application to add it to the System Detection list. CSD requires one of the applications highlighted to be running on the client PC to satisfy the personal firewall requirement.

The personal firewall software that System Detection checks for include:

Cisco Security Agent (4.0 to 4.5)

Internet Connection Firewall (ICF) (Windows XP to XP SP2)

ISS BlackICE PC Protection (3.6)

McAfee Personal Firewall (4.0 to 5.0)

Norton Personal Firewall (2003 to 2005)

Sygate Personal Firewall (5.0 to 5.6)

ZoneAlarm Personal Firewall (4.0 to 5.5)

OS — Check to enable System Detection for the presence of a particular operating system and service pack. Then control-click each option to add it to the System Detection list. CSD requires one of the applications highlighted to be running on the client PC to satisfy the operating system requirement.

The operating systems and service packs that System Detection checks for include:

Windows XP Service Pack 2

Windows XP Service Pack 1

Windows XP (no service pack)

Windows 2000 Service Pack 4

Windows 2000 Service Pack 3

Windows 2000 Service Pack 2

Windows 2000 Service Pack 1

Windows 2000 (no service pack)

Windows NT Service Pack 6

Windows Millennium Edition

Windows 98

Feature — Check if you want to require the presence of Secure Desktop or Cache Cleaner as a criterion for assigning the feature (that is, Web Browsing, File Access, Port Forwarding, or Full Tunneling), then choose the module to require: Secure Desktop or Cache Cleaner.

If that feature is not active, the client fails the VPN feature policy criteria check.

Click OK.

The box to the left of the ellipses (...) button displays a string beginning with the respective options you chose.


Note Click Save next to "Settings Modified" to save the configuration changes before continuing.
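The ON / OFF / "ON if criteria are matched" resolution described above, with the System Detection categories ANDed and the highlighted options within a category ORed, a blank criteria field treated as ON, and the global defaults applied when no location matched, as an added Python model. This is not Cisco's code; the Home policy, the products highlighted and the client detection results are constructed for illustration.

```python
# Model of CSD VPN Feature Policy resolution (constructed example, not Cisco code).
# Each feature is ON, OFF or "ON if criteria are matched"; the System Detection
# categories chosen for a feature are ANDed, the options highlighted within a
# category are ORed, only one Feature option may be chosen, and an empty criteria
# field is equivalent to ON. A client that matched no location gets the global defaults.
FEATURES = ("Web Browsing", "File Access", "Port Forwarding", "Full Tunneling")
ON_IF = "ON if criteria are matched"

def criteria_satisfied(criteria, detection):
    """criteria: {category: set of highlighted options}; detection: {category: set of what runs}."""
    if not criteria:
        return True  # blank criteria field: same as ON
    for category, required in criteria.items():
        if category == "Feature" and len(required) != 1:
            raise ValueError("choose exactly one Feature option: Secure Desktop or Cache Cleaner")
        if not required & detection.get(category, set()):
            return False  # none of the highlighted options in this category is running
    return True

def resolve_feature(setting, detection):
    """setting is "ON", "OFF", or (ON_IF, criteria)."""
    if setting == "ON":
        return True
    if setting == "OFF":
        return False
    mode, criteria = setting
    if mode != ON_IF:
        raise ValueError("unknown setting %r" % (mode,))
    return criteria_satisfied(criteria, detection)

def resolve_policy(location_policy, detection, no_match_defaults=None):
    """Effective decision per feature; attributes left unset default to OFF, as in the guide."""
    policy = location_policy if location_policy is not None else (no_match_defaults or {})
    return {feature: resolve_feature(policy.get(feature, "OFF"), detection) for feature in FEATURES}

# Constructed policy for a "Home" location (not from the guide).
HOME_POLICY = {
    "Web Browsing": "ON",
    "File Access": (ON_IF, {"Anti-Virus": {"McAfee VirusScan", "Norton AntiVirus For Windows"},
                            "Firewall": {"Cisco Security Agent", "ZoneAlarm Personal Firewall"},
                            "Feature": {"Secure Desktop"}}),
    "Full Tunneling": (ON_IF, {"OS": {"Windows XP Service Pack 2"}, "Feature": {"Secure Desktop"}}),
    "Port Forwarding": (ON_IF, {}),  # criteria left blank: equivalent to ON
}
# Constructed System Detection result for one client PC.
HOME_CLIENT = {"Anti-Virus": {"Norton AntiVirus For Windows"}, "Firewall": {"ZoneAlarm Personal Firewall"},
               "OS": {"Windows XP Service Pack 1"}, "Feature": {"Secure Desktop"}}
```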


Keystroke Logger

You can configure a location type to scan for keystroke logging applications on the remote client. You can list the keystroke logging applications that are safe or let the remote user approve of the applications the scan identifies. Secure Desktop and Cache Cleaner launch only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications the scan identifies. It may not be possible for CSD to detect all keystroke loggers present, including hardware keystroke logging devices.

Click Keystroke Logger under the name of the location you are configuring in the menu on the left. The Keystroke Logger window opens (Figure 6-7).

Figure 6-7 Keystroke Logger Window

Complete the following fields:

Check for keystroke loggers — Check to scan for a keystroke logging application on the client PC and make sure one is not running before creating the Secure Desktop space. By default, this attribute is not checked, and the other attributes and buttons are grayed out. If you check this attribute, the "Force admin control on list of safe modules" attribute becomes active.

Force admin control on list of safe modules — Check to give the administrator control over which key loggers are exempt from scanning, or uncheck to give the remote user this control. If you check this attribute, the remaining elements in the window become active.

The "Path of safe modules" window lists the paths to programs on the client PC that have keystroke logging capabilities but are safe to use, as determined by the administrator. Such programs, for example Corel (previously Jasc) Paint Shop Pro, typically invoke functions when the user presses particular keystroke combinations from within another application. Unchecking the Force admin control on list of safe modules attribute deactivates but does not delete the contents of the "Path of safe modules" window.

Do not check the Force admin control on list of safe modules attribute if you want to give the remote user the right to determine if any detected keystroke logger is safe. If this attribute is unchecked, CSD lists the keystroke loggers discovered on the client computer. To access the Secure Desktop, the user must insert a check next to all of the keystroke loggers in the list to indicate they are safe. Otherwise, the user must terminate the session.

Module path — To add a program to the "Path of safe modules" list, type the path and name of the program in this field, then click Add.

To remove a program from the list, click the entry in the "Path of safe modules" list, then click Delete.


Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Cache Cleaner for Windows

For each location for which the Cache Cleaner is enabled, click Cache Cleaner under the location you are configuring to configure Cache Cleaner for Windows. The Cache Cleaner window opens (Figure 6-8).

Figure 6-8 Cache Cleaner for Windows

This window lets you configure the Cache Cleaner for the associated location only. Check the following fields as required by your network:

Launch hidden URL after installation — Enter the URL that you use for administrative purposes, so that you know that the user has the Cache Cleaner installed. For example, you could place a cookie file on the user's computer, and later check for the presence of that cookie.

Show message at the end of successful installation — Check to display a dialog box on client PCs informing the user when the Cache Cleaner installation is successful.

Launch cleanup upon inactivity timeout — Check to set a specific timeout period after which the cleanup begins.

Timeout after — Choose an option to set the timeout period if you checked the "Launch cleanup upon inactivity timeout" attribute. This attribute is the inactivity timer.

Launch cleanup upon closing of all browser instances — Check to clean up the cache when all browser windows are closed.

Disable cancellation of cleaning — Check to remove the user's ability to cancel the cleanup once it starts.

Clean the whole cache in addition to the current session cache (IE only) — Check to remove data from the Internet Explorer cache upon activation, including files generated before the client's CSD session began.

Secure Delete — CSD encrypts the cache and writes it to the remote client's disk. When the Secure Desktop terminates, CSD overwrites every bit the cache occupied with all 0's, then with all 1's, and then with random 0's and 1's. Choose the number of times CSD repeats this three-write cycle. According to this guide, the default setting, 1 pass, meets the US Department of Defense (DoD) standard for securely deleting files. After the specified number of passes, CSD removes the pointer to the file (that is, performs an ordinary "Windows-delete").

Click Save next to "Settings Modified" to save the configuration changes before continuing.

Secure Desktop General

Click Secure Desktop General under the location name to enable or disable the Secure Desktop features and customize the user experience.

The Secure Desktop General window opens (Figure 6-9).

Figure 6-9 Secure Desktop General

Check the following fields as required by your network:

Automatically switch to Secure Desktop after installation — Check to set the Secure Desktop to load automatically after installation. This option forces users into the Secure Desktop.

Enable switching between Secure Desktop and Local Desktop — We strongly recommend that you check this attribute to let users switch between the Secure Desktop and the untrusted local desktop. Called desktop switching, this feature gives users the flexibility they might need to respond to a prompt from another application that requires an OK before CSD can continue processing. (The Cisco Secure Tunneling Client is not one of those applications; it is accessible from both the local desktop and the Secure Desktop.) Unchecking this attribute minimizes the security risk posed by a user who leaves traces on the untrusted desktop, so you might uncheck it if that risk outweighs the deployment advantages of switching. Note that operating system limitations may prevent CSD from blocking desktop switching even if you uncheck this attribute.

You can configure both the Secure Desktop component of CSD and Cisco SSL VPN Client (SVC) to run simultaneously on client PCs. If you check this attribute, the SVC connection becomes available to both.

Enable Vault Reuse — Check to allow users to close the Secure Desktop and open it again at a later time, creating a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) when CSD creates the Secure Desktop. This is useful if users are running the Secure Desktop on computers that are likely to be reused; for example, a home computer. When a user closes the Secure Desktop, CSD does not destroy the Vault. If you do not enable this option, CSD automatically destroys the Vault at the end of each Secure Desktop session.

Enable Secure Desktop inactivity timeout — Check to specify the duration of inactivity after which CSD automatically closes the Secure Desktop. Because CSD is running on the client machine, it can detect real inactivity and close the Secure Desktop to avoid leaving anything behind.

Timeout After — Choose an option to set the timeout period if you checked the "Enable Secure Desktop inactivity timeout" attribute. This attribute is the associated inactivity timer.

Open following web page after Secure Desktop closes — Check this box and type a URL in the field to make CSD automatically open a web page when the Secure Desktop closes.

Suggest application uninstall upon Secure Desktop closing — Check to prompt the user and recommend that the Secure Desktop be uninstalled when it closes. In contrast to the option below, the user has the choice to refuse the uninstallation.


Note Leave this option disabled if you want users to be able to use the Vault. If the user accepts the suggested uninstallation, CSD removes the Vault from the user's computer along with the Secure Desktop.


Force application uninstall upon Secure Desktop closing — Check if you do not want to leave the Secure Desktop application on untrusted computers after users are done using it. The Secure Desktop uninstalls when it closes.


Note Leave this option disabled if you want users to be able to use the Vault. Checking this option uninstalls the Vault from the user's computer when the Secure Desktop closes.


Secure Delete — CSD encrypts the Secure Desktop and writes it to the remote client's disk. When the Secure Desktop terminates, CSD overwrites every bit the Secure Desktop occupied with all 0's, then with all 1's, and then with random 0's and 1's. Choose the number of times CSD repeats this three-write cycle. According to this guide, the default setting, 1 pass, meets the US Department of Defense (DoD) standard for securely deleting files. After the specified number of passes, CSD removes the pointer to the file (that is, performs an ordinary "Windows-delete").
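The Secure Delete attribute here and the identically named attribute in the Cache Cleaner window describe the same overwrite sequence. The following is an added example that re-implements that sequence at the file level so that you can see what one "pass" consists of; it is not CSD code and does not reproduce how CSD locates the Vault on disk. Each pass writes all 0x00 bytes, then all 0xFF bytes, then random bytes over the file's full length, forcing each write to disk, and the directory entry is removed only after the last pass. The temporary file, its contents and the verification step are constructed for the example. One caveat a practitioner should keep in mind: on SSDs and on journaled or copy-on-write file systems, the blocks rewritten through a file handle are not necessarily the physical blocks that held the original data, so file-level overwriting is not a substitute for encrypting the data at rest.

```python
"""File-level overwrite-then-delete sequence (added example, not CSD code).

Assumptions: the file is on a plain, non-journaled volume where rewriting a
file in place reaches the blocks that held it; the read-back verification
checks the logic of the overwrite, not the physical medium.
"""
import os
import pathlib
import tempfile

CHUNK = 1 << 20  # 1 MiB write buffer


def zeros(n):
    return b"\x00" * n


def ones(n):
    return b"\xff" * n


# One pass = these three overwrites, in this order, over the whole file.
PATTERNS = (zeros, ones, os.urandom)


def _overwrite(fh, size, pattern):
    """Rewrite the first `size` bytes of the open file with `pattern`, then force it to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def secure_delete(path, passes=1, verify=False):
    """Overwrite `path` `passes` times with the zeros/ones/random cycle, then unlink it.

    Returns the number of individual overwrites performed (3 per pass).
    With verify=True each overwrite is read back and checked before the next.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    p = pathlib.Path(path)
    size = p.stat().st_size
    writes = 0
    with open(p, "r+b") as fh:
        for _ in range(passes):
            for pattern in PATTERNS:
                _overwrite(fh, size, pattern)
                writes += 1
                if verify:
                    fh.seek(0)
                    data = fh.read(size)
                    if pattern is os.urandom:
                        ok = size == 0 or data != ones(size)  # random pass must have replaced the 1's
                    else:
                        ok = data == pattern(size)
                    if not ok:
                        raise RuntimeError("overwrite did not take effect")
    p.unlink()  # the "Windows-delete" step: drop the directory entry last
    return writes


def demo(passes=1):
    """Create a temp file with known content, wipe it, and report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"session cache " * 4096)  # constructed content, 57344 bytes
        name = tmp.name
    writes = secure_delete(name, passes, verify=True)
    return {"writes": writes, "exists_after": os.path.exists(name)}


if __name__ == "__main__":
    print(demo(passes=1))  # one pass: 3 overwrites, file gone afterwards
```

Raising the pass count multiplies the write volume accordingly; for a large Vault, the time the cleanup takes at session end is the practical cost of a higher setting.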

Launch the following application after installation — Use this attribute to start an application automatically after the Secure Desktop installs on the remote PC. The application must be in the Program Files directory. Enter only the portion of the path that follows C:\Program Files\.

Click Save next to "Settings Modified" to save the configuration changes before continuing.

Secure Desktop Settings

Click Secure Desktop Settings under the location name to place restrictions on the Secure Desktop.

The Secure Desktop Settings window opens (Figure 6-10).

Figure 6-10 Secure Desktop Settings Window

Check the boxes in this window to apply the associated restrictions. The restrictions are as follows:

Put Secure Desktop in restricted mode — Check to let only the originating browser run on the Secure Desktop. If you choose this option, the browser that started CSD (Internet Explorer, Netscape, Firefox, etc.) is the only browser permitted to run in Secure Desktop mode. Choosing this option limits the user's ability to use other applications, but increases the level of security.

Restrict network folder and drive access on Secure Desktop — Check to prevent the user from accessing network resources and network drives while on the Secure Desktop. The network resources are those shared through the Server Message Block (SMB) client/server, request-response protocol, such as files, printers, and APIs. For maximum security, we recommend that you check this attribute. If you do, the Secure Desktop Manager grays out the "Do not encrypt files on network drives" attribute, because no files can reach a network drive.

Restrict removable drive access on Secure Desktop — Check to prevent the user from accessing portable drives while on the Secure Desktop. Otherwise, the user can save files to a removable drive and unplug the drive before closing the CSD session, so that those files escape the session cleanup; the user could also forget to take the removable drive after closing the session. For maximum security, we recommend that you check this attribute. If you do, the Secure Desktop Manager grays out the "Do not encrypt files on removable drives" attribute.

This attribute applies only to the drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window.

Restrict Registry tools on Secure Desktop — Check to prevent the user from modifying the registry from within the Secure Desktop. For maximum security, we recommend that you check this attribute.

Restrict DOS-CMD tools on Secure Desktop — Check to prevent the user running the DOS command prompt from within the Secure Desktop. For maximum security, we recommend that you check this attribute.

Restrict Printing on Secure Desktop — Check to prevent the user from printing while using the Secure Desktop space. For maximum security of sensitive data, check this option.

Do not encrypt files on network drives — Check so that files the user saves to network drives from the Secure Desktop are written unencrypted rather than in the encrypted Vault format. The Secure Desktop Manager grays out this attribute if you check "Restrict network folder and drive access on Secure Desktop."

Do not encrypt files on removable drives — Check so that files the user saves to portable drives from the Secure Desktop are written unencrypted rather than in the encrypted Vault format. The Secure Desktop Manager grays out this attribute if you check "Restrict removable drive access on Secure Desktop."

This attribute applies only to the drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window.

Allow e-mail applications to work transparently — Check to let the user open e-mail while on the Secure Desktop, and prevent CSD from deleting e-mail upon the termination of the CSD session. The use of the term transparent means that the Secure Desktop handles e-mail applications the same way that the local desktop handles them.

With this attribute checked, an attachment saved using Outlook to the "My Documents" folder on the remote client is visible from both the Secure Desktop and the local desktop. Similarly, deleting such a file from within Outlook running on a Secure Desktop removes the file from both desktops.


Note Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, during a Secure Desktop session removes the file only from the Secure Desktop.


Click Save next to "Settings Modified" to save the configuration changes.

Secure Desktop Browser

Click Secure Desktop Browser under the location name to specify the Home Page to which the browser connects when the remote user establishes a CSD session. This option also lets you specify the folders and bookmarks (or "favorites") to insert into the respective browser menu during the CSD session.

The Secure Desktop Browser window opens (Figure 6-11).

Figure 6-11 Secure Desktop Browser Window


Note For the duration of the CSD session, the browser does not list the user's bookmarks or favorites. It lists only the ones you specify in this window.


Complete the following fields:

Home Page — Type the URL of the page that opens when the remote user establishes a CSD session.

Customize bookmarks — This window lists the URLs and the folders that appear in the browser Favorites or Bookmarks menu.

To add a folder, choose the parent folder to contain it, type the new folder name in the field below the Customize bookmarks window, then click Add Folder. The Secure Desktop Manager inserts the new folder into the selected folder.

To remove a folder, choose it and click Delete. The Secure Desktop Manager removes the folder and its contents from the window.

To add a bookmark, choose the parent folder to contain it, type the URL in the field below the Customize bookmarks window, then click Add Bookmark. The Secure Desktop Manager inserts the new URL into the selected folder.

To modify a URL, choose it, type the new URL to replace it, then click Overwrite.

To remove a URL, choose it and click Delete. The Secure Desktop Manager removes it from the window.


Note Click Save next to "Settings Modified" to save the configuration changes before continuing.