Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.2.1
Configuring Cisco Secure Desktop


Table Of Contents

Configuring Cisco Secure Desktop

Understanding Prelogin Policies

Configuring the Prelogin Assessment

Checking for a Registry Key (Microsoft Windows Only)

Checking for a File

Checking for a Certificate (Microsoft Windows Only)

Checking the OS

Checking for an IP Address

Modifying the Prelogin Assessment Configuration

Assigning Settings to a Prelogin Policy

Configuring Secure Session and Cache Cleaner

Configuring Keystroke Logger and Host Emulator Detection

Configuring Cache Cleaner

Configuring Secure Desktop (Secure Session) General

Configuring Secure Desktop (Secure Session) Settings

Configuring the Secure Session Browser

Configuring Host Scan

Configuring Basic Host Scan Entries

Adding a File Check to the Basic Host Scan

Adding a Registry Key Check to the Basic Host Scan (Microsoft Windows Only)

Adding a Process Check to the Basic Host Scan

Enabling and Disabling Host Scan Extensions

Configuring Advanced Endpoint Assessment

Configuring Personal Firewall Rules

Configuring a Dynamic Access Policy


Configuring Cisco Secure Desktop


See the following sections to configure Cisco Secure Desktop:

Understanding Prelogin Policies

Configuring the Prelogin Assessment

Assigning Settings to a Prelogin Policy

Configuring Secure Session and Cache Cleaner

Configuring Host Scan

Configuring a Dynamic Access Policy

Understanding Prelogin Policies

Secure Desktop Manager lets you specify the checks to be performed between the time the user establishes a connection with the security appliance and the time the user enters the login credentials. These checks determine whether to assign a prelogin policy or whether to display a "Login Denied" message for the remote user. The settings of the matched prelogin policy determine whether Secure Session or Cache Cleaner loads. The application of a prelogin policy to a dynamic access policy (DAP) determines the access rights and restrictions placed on the connection, and determines the behavior of the CSD component before, during, and after the user logs in. For example, it determines whether to check for keystroke loggers or whether to apply an inactivity timeout.

To view the prelogin assessments present in the configuration, choose Secure Desktop Manager > Prelogin Policy.

Figure 3-1 shows the default prelogin assessment configuration, including the default prelogin policy named "Default."

Figure 3-1 Default Elements in the Prelogin Policy Pane

By default, the Prelogin Policy pane displays the following elements:

Start—Displayed in blue, this node provides a visual indication of the beginning of the sequence of checks to be performed. You cannot edit the start node.

Line—Provides a visual indication of the conditional relationship of the node to its left and the one that follows. You cannot move or remove a line.

Plus sign—Click to insert a prelogin check between the two nodes on either side of the line. Secure Desktop Manager lets you insert the following types of checks:

Registry—Lets you detect the presence or absence of a registry key.

File—Lets you specify the presence or absence of a particular file, its version, and its checksum.

Certificate—Lets you specify the issuer of a certificate and one certificate attribute and value to match.

For each additional attribute of a single certificate that you want to match, create another prelogin check that specifies that attribute and value.

OS Check—Lets you configure checks for Microsoft Windows 2000, Windows XP, and Windows Vista; Win 9x (for Windows 98), Mac (for Apple Mac OS X 10.4), and Linux. The editor inserts a Failure line and Login Denied end node for remote connections that fail the OS checks.

IP Address—Lets you specify an IP address range, or network address and subnet mask.

Default—Displayed in green, this end node specifies a prelogin policy named "Default." By default, Cisco Secure Desktop assigns this policy to every remote computer that attempts a VPN session, if you enable Cisco Secure Desktop. You can add prelogin checks to this policy or any other prelogin policy to specify criteria to match before Cisco Secure Desktop assigns the policy to a remote VPN session.

If you insert a check before an end node, Secure Desktop Manager automatically assigns at least one instance of each of the following:

Success tag to the line leading from the new check to the prelogin policy that is already present.

Failure tag to a second line leading from the new check to a "Login Denied" node. This node, displayed in red, signifies that a "Login Denied" message appears; Cisco Secure Desktop denies the user access to the security appliance.

You can change the name or type of any node except for the Start node. You can change an end node following a Success tag to a Login Denied node, and the end node following a Failure tag to a prelogin policy. You can also change either type of end node to a subsequence node. Displayed in blue, this node indicates a continuation to another blue node vertically aligned under the Start node. To assign a subsequence to a set of conditions, click an end node, then click Subsequence. You must assign a unique name to each subsequence you create. Secure Desktop Manager assigns the name to both instances of the subsequence node: the one at the end of the branch and the one at the beginning of the new branch. To reuse a subsequence, type the name of the existing subsequence when you change an end node to a subsequence node.

You can rename any prelogin policy, including the one named "Default." To do so, return to the Prelogin Policy pane and click the "Default" node. Replace the text in the Label field with a name for a prelogin policy that is meaningful to you. For example, you may want to rename it "Secure" to indicate that the policy applies to corporate PCs (that is, those that meet the most stringent requirements, as determined by the checks to be inserted). Secure Desktop Manager automatically renames the node in the associated menu. You can then adjust the settings for the prelogin policy accordingly.
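The graph described above (Start, checks with Success and Failure lines, green policy end nodes, red Login Denied end nodes, and named subsequences that several branches can share) can be modelled in a few lines. The following is an added example, not Cisco code and not part of this guide; the check labels, the "Non-Windows" subsequence name, the registry key and the facts dictionaries are constructed for illustration, and the real checks run inside the CSD client on the endpoint before the login page appears.

```python
"""Model of a prelogin assessment graph: Start, checks with Success and
Failure lines, Policy / Login Denied end nodes, and named subsequences.

Added example, not Cisco code. The check labels, the "Non-Windows"
subsequence name and the `facts` dictionaries are constructed for
illustration; the real checks run in the CSD client on the endpoint.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Union

Facts = Dict[str, object]  # what the client learns about the endpoint


@dataclass
class Policy:
    """Green end node: assign the named prelogin policy."""
    name: str


@dataclass
class LoginDenied:
    """Red end node: the user sees "Login Denied"."""


@dataclass
class Subsequence:
    """Blue end node: continue at the branch registered under this name."""
    name: str


@dataclass
class Check:
    """A prelogin check. The editor gives a new check a Failure line to a
    Login Denied node by default; the failure branch can be changed."""
    label: str
    test: Callable[[Facts], bool]
    success: "Node"
    failure: "Node" = field(default_factory=LoginDenied)


Node = Union[Policy, LoginDenied, Subsequence, Check]


def evaluate(start: Node, facts: Facts,
             subsequences: Dict[str, Node]) -> Union[Policy, LoginDenied]:
    """Walk from Start along Success/Failure lines until an end node is hit.

    A subsequence node jumps to the branch of the same name; the `seen`
    set refuses a subsequence that (by mistake) leads back to itself.
    """
    node = start
    seen = set()
    while True:
        if isinstance(node, (Policy, LoginDenied)):
            return node
        if isinstance(node, Subsequence):
            if node.name in seen:
                raise ValueError("subsequence %r loops" % node.name)
            seen.add(node.name)
            node = subsequences[node.name]
            continue
        node = node.success if node.test(facts) else node.failure


PROTECTIVE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software"  # constructed name


def build_graph():
    """Start -> OS check -> (Windows) registry check -> Secure or Default
                         -> (other)   subsequence "Non-Windows" -> Default or denied"""
    windows_branch = Check(
        label="Registry: " + PROTECTIVE_KEY + " exists",
        test=lambda f: PROTECTIVE_KEY in f.get("registry_keys", ()),
        success=Policy("Secure"),
        failure=Policy("Default"),  # Failure line redirected to a policy
    )
    start = Check(
        label="OS: Windows",
        test=lambda f: str(f.get("os", "")).startswith("Windows"),
        success=windows_branch,
        failure=Subsequence("Non-Windows"),
    )
    subsequences = {
        # A named subsequence can be reused from several branches.
        "Non-Windows": Check(
            label="OS: Mac OS X or Linux",
            test=lambda f: f.get("os") in ("Mac OS X 10.4", "Linux"),
            success=Policy("Default"),
            # failure left at the default Login Denied node
        ),
    }
    return start, subsequences


def assess(facts: Facts) -> str:
    """Name of the prelogin policy assigned, or "Login Denied"."""
    start, subsequences = build_graph()
    result = evaluate(start, facts, subsequences)
    return result.name if isinstance(result, Policy) else "Login Denied"


if __name__ == "__main__":
    for facts in ({"os": "Windows XP", "registry_keys": {PROTECTIVE_KEY}},
                  {"os": "Windows Vista"},
                  {"os": "Linux"},
                  {"os": "Solaris"}):
        print(facts, "->", assess(facts))
```

The point to take from the model is that the first end node reached decides the outcome: a host that fails every check on its path lands on whatever the Failure line of the last check points to, which is a Login Denied node unless you changed it.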

Configuring the Prelogin Assessment

When a remote PC attempts to establish a remote VPN connection, Cisco Secure Desktop automatically checks for the conditions you configure, and assigns the attribute settings of the prelogin policy associated with the result of the checks to the connection, or issues a Login Denied message.

Use the following sections to configure a prelogin assessment to be downloaded to the remote PC:

Checking for a Registry Key (Microsoft Windows Only)

Checking for a File

Checking for a Certificate (Microsoft Windows Only)

Checking the OS

Checking for an IP Address

Modifying the Prelogin Assessment Configuration

Checking for a Registry Key (Microsoft Windows Only)

The prelogin assessment ignores registry key checks if the computer is running Mac OS or Linux.

Insert a check for a specific registry key on a remote computer running a Microsoft Windows operating system, as follows:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the registry check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose Registry Check and click Add.

Secure Desktop Manager inserts the Registry Check node into the window and opens the Registry Check window (Figure 3-2).

Figure 3-2 Registry Check


Tip You can use the value types to be specified in this window as a guide to set up one or more criteria within the remote PC to match those specified for this prelogin policy. For example, you can add a DWORD (double word, an unsigned 32-bit integer) value or string value to a registry key on a remote PC to qualify it for the prelogin policy you are configuring.


Step 4 Assign values to the mandatory attributes in the Registry Check window as follows:

Key Path menu—Choose the hive, the initial directory path to a registry key. The options are as follows:

HKEY_CLASSES_ROOT\
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\

Each string references a registry base that stores different information. The HKEY_LOCAL_MACHINE\ path is the most commonly used one because it contains the machine-specific registry files.

Key Path field—Enter the name of the registry key required to be present on or absent from the remote PC.


Caution Do not type quotes in a Registry Key name that includes spaces.

Refer to the subsequent attribute descriptions for examples of Key Path strings.

Step 5 Click one radio button from the following list and assign the associated values:

Exists—Click if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring.

EXAMPLE Click Exists if you want to require the following registry key to be present to match a criterion for assigning a prelogin policy:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>

Does not exist—Click if the absence of the named registry key from the remote PC is sufficient to match the prelogin policy you are configuring.

EXAMPLE Click Does not exist if you want to require the following registry key to be absent to match a criterion for assigning a prelogin policy:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>

DWORD value radio button—Click if the registry key includes a "Dword" ("double word," a 32-bit integer) and you want to specify its value as a criterion.

"DWORD" refers to the attribute as it is labeled in the Registry Check window. "Dword" refers to the value type as it appears in the registry key.


Note Use the regedit application, accessed on the Windows command line, to view the Dword value of a registry key, or use it to add a Dword value to the registry key to satisfy the requirement you are configuring.


DWORD value menu—Choose an option (<, <=, =, >, or >=) to specify the relationship of the Dword value of the registry key to the value to be entered to the right.

DWORD value field—Enter a decimal integer to compare with the Dword value of the registry key on the remote PC.

EXAMPLE Choose greater than or equal to and enter a decimal if you want to require that the following protective software application meet a minimum version requirement:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version

String value radio button—Click if the registry key includes a string and you want to specify its value as a criterion.


Note Use the regedit application, accessed on the Windows command line, to view the String value of a registry key, or use it to add a String value to the registry key to satisfy the requirement you are configuring.


String value menu—Choose one of the following options to specify the relationship of the String value of the registry key to the value to be entered to the right:

contains

matches

differs

String value field—Enter a string to compare with the String value of the registry key on the remote PC.

EXAMPLE Choose matches and enter Active if you want to ensure the following protective software application is active:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Status

Case sensitive—Check to require the String value of the registry key on the remote PC to match the case used in the String value field to satisfy the criterion.

Step 6 Click Update.
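The four criterion types above (Exists, Does not exist, DWORD value with a comparison operator, String value with contains/matches/differs and the Case sensitive option) are simple enough to evaluate offline against a registry snapshot, which is a useful way to sanity-check a policy before deploying it. The following is an added example, not Cisco code; SNAPSHOT is a constructed stand-in for an endpoint's registry, the key and value names in it are the placeholders from the examples above, and the `live_value` reader that uses the standard winreg module only works on Windows. For DWORD and String criteria the Key Path is taken to end in the value name, as in the HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version example.

```python
"""Evaluate Registry Check criteria (Exists, Does not exist, DWORD value,
String value with the case-sensitive option) against a registry snapshot.

Added example, not Cisco code. SNAPSHOT is a constructed stand-in for the
endpoint's registry; on Windows `live_value` reads the real registry with
the standard winreg module instead.
"""
import operator
from typing import Dict, Optional, Union

try:
    import winreg  # only present on Windows
except ImportError:
    winreg = None

RegData = Union[int, str]
Snapshot = Dict[str, Dict[str, RegData]]  # key path -> {value name: data}

SNAPSHOT: Snapshot = {  # constructed for this example
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software": {"Version": 7, "Status": "Active"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"Updater": r"C:\up.exe"},
}

DWORD_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
             ">": operator.gt, ">=": operator.ge}


def key_exists(snapshot: Snapshot, key_path: str) -> bool:
    # Registry key names are case-insensitive on Windows.
    return any(k.lower() == key_path.lower() for k in snapshot)


def snapshot_value(snapshot: Snapshot, key_path: str, name: str) -> Optional[RegData]:
    for k, values in snapshot.items():
        if k.lower() == key_path.lower():
            for vname, data in values.items():
                if vname.lower() == name.lower():
                    return data
    return None


def live_value(key_path: str, name: str) -> Optional[RegData]:
    """Read a value from the real registry (Windows only)."""
    hive_name, _, subkey = key_path.partition("\\")
    with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
        data, _type = winreg.QueryValueEx(key, name)
        return data


def registry_check(key_path: str, mode: str, op: Optional[str] = None,
                   value: Optional[str] = None, case_sensitive: bool = False,
                   snapshot: Snapshot = SNAPSHOT) -> bool:
    """mode is "exists", "absent", "dword" or "string"; True when the criterion matches."""
    if mode == "exists":
        return key_exists(snapshot, key_path)
    if mode == "absent":
        return not key_exists(snapshot, key_path)

    key, _, name = key_path.rpartition("\\")   # last component is the value name
    data = snapshot_value(snapshot, key, name)
    if data is None:
        return False                            # no such value: cannot match
    if mode == "dword":
        if not isinstance(data, int):
            return False                        # a string value never satisfies a DWORD criterion
        return DWORD_OPS[op](data, int(value))  # the value is entered in decimal
    if mode == "string":
        if not isinstance(data, str):
            return False
        actual, expected = (data, value) if case_sensitive else (data.lower(), value.lower())
        return {"contains": expected in actual,
                "matches": actual == expected,
                "differs": actual != expected}[op]
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    base = r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software"
    print("exists:", registry_check(base, "exists"))
    print("version >= 5:", registry_check(base + r"\Version", "dword", ">=", "5"))
    print("status matches Active:", registry_check(base + r"\Status", "string", "matches", "active"))
    print("status matches Active (case-sensitive):",
          registry_check(base + r"\Status", "string", "matches", "active", case_sensitive=True))
```

Two behaviours worth noting: a criterion on a value that is absent or has the wrong type (a string where a DWORD is required) never matches, and the Case sensitive option changes the outcome of a "matches" comparison on an otherwise identical string.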


Checking for a File

The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not present before assigning a prelogin policy.

Use the following procedure to insert a prelogin assessment for files on the remote PC:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the file check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose File Check and click Add.

Secure Desktop Manager inserts the File Check node into the window and opens the File Check window (Figure 3-3).

Figure 3-3 File Check

Step 4 Assign a value to the following mandatory attribute:

File Path—Enter the directory path to the file.

Secure Desktop Manager retains the case of the text you enter to check for a path to a file on the remote device. The match results are case-sensitive only if the devices are running Linux or MacOS. The Microsoft Windows file system is not case-sensitive.

For example,

C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe

Step 5 Click one of the following mandatory radio buttons:

Exists—Click if the file must be present on the remote PC.

Does not exist—Click if the file must be absent from the remote PC, then go to Step 7.

Step 6 Use the following attributes if you want to specify the file version.

Version check box—Check if you want to specify the version of the file as a criterion. Use this criterion to require that a specific application is or is not a particular version.


Note To display the version of an .exe file, use Windows Explorer to right-click the file, choose Properties, and click the Version tab.


Version drop-down list—Choose an option (<, <=, =, >, or >=) to specify the relationship of the version of the file to the string to be entered to the right.

Version field—Type a string to compare with the version of the file on the remote PC.

Checksum check box—Check to specify a checksum to verify the file named in the Path field.

Checksum field—Enter a CRC32 checksum in hexadecimal format, beginning with 0x, or click Compute CRC32 Checksum to calculate the checksum of a file stored locally and insert the value in this field. CRC32 detects accidental changes to a file but is not a cryptographic hash: a file can be altered and still produce the same CRC32, so use this criterion to pin a known build of a file rather than as proof that the file has not been tampered with.

The Compute CRC32 Checksum dialog box opens (Figure 3-4).

Figure 3-4 Compute CRC32 Checksum

Retrieve the checksum as follows:

a. Click Browse and choose the file on which to calculate the checksum.

The field at the top of the Compute CRC32 Checksum dialog box displays the path to the file you chose.

b. Click Calculate.

The field at the bottom of the Compute CRC32 Checksum dialog box displays the checksum in hexadecimal format.

c. Click OK.

The Compute CRC32 Checksum dialog box closes and the hexadecimal value appears in the Checksum field.

Step 7 Click Update in the File Check window.
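The whole file criterion (Exists or Does not exist, an optional version comparison, and an optional CRC32 checksum in the 0x form the Checksum field expects) can be reproduced offline, which is handy both for computing a checksum without ASDM and for checking what a given criterion will do. The following is an added example, not Cisco code or part of this guide; the sample file is created in a temporary directory with constructed contents, and the version string is supplied by the caller because a portable Python script cannot read a Windows PE version resource, which is where the endpoint reads it from.

```python
"""Evaluate a File Check: Exists / Does not exist, an optional version
comparison and an optional CRC32 checksum in the 0x... form the
File Check window expects.

Added example, not Cisco code. The sample file is constructed in a
temporary directory; actual_version is passed in by the caller.
"""
import operator
import os
import tempfile
import zlib
from typing import Optional, Tuple

VERSION_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
               ">": operator.gt, ">=": operator.ge}


def crc32_hex(path: str) -> str:
    """CRC32 of the file contents, formatted like the Compute CRC32 Checksum dialog."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            crc = zlib.crc32(chunk, crc)
    return "0x%08X" % (crc & 0xFFFFFFFF)


def version_tuple(text: str) -> Tuple[int, ...]:
    """'3.10.1' -> (3, 10, 1): compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def version_ok(actual: str, op: str, required: str) -> bool:
    return VERSION_OPS[op](version_tuple(actual), version_tuple(required))


def file_check(path: str, exists: bool = True, version_op: Optional[str] = None,
               version: Optional[str] = None, checksum: Optional[str] = None,
               actual_version: Optional[str] = None) -> bool:
    """True when the file on disk satisfies the criterion.

    With exists=False only presence matters (Step 5 skips straight to Update).
    os.path.isfile is case-sensitive on Linux and Mac OS and not on Windows,
    which matches how the prelogin check compares the File Path.
    """
    present = os.path.isfile(path)
    if not exists:
        return not present
    if not present:
        return False
    if version_op is not None:
        if actual_version is None or not version_ok(actual_version, version_op, version):
            return False
    if checksum is not None and crc32_hex(path).lower() != checksum.lower():
        return False
    return True


def sample_file(contents: bytes = b"hello") -> str:
    """Create a constructed sample file and return its path."""
    fd, path = tempfile.mkstemp(prefix="csd-file-check-", suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    p = sample_file()
    print("checksum:", crc32_hex(p))
    print("exists + checksum:", file_check(p, checksum=crc32_hex(p)))
    print("tampered:", file_check(p, checksum="0x00000000"))
    print("version >= 3.2.0:", file_check(p, version_op=">=", version="3.2.0", actual_version="3.2.1"))
    print("absent:", file_check(p + ".missing", exists=False))
    os.remove(p)
```

The version comparison deliberately works on integer tuples so that 3.10.0 is greater than 3.9.0; a plain string comparison would get that wrong.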


Checking for a Certificate (Microsoft Windows Only)

The prelogin assessment ignores certificate checks if the computer is running Mac OS or Linux.

Insert a check for a specific certificate on the remote computer as follows:


Step 1 Use Table 3-1 to prepare to identify the attribute and value to require, and to identify the issuer of the certificate. This table contains three procedures. Use the procedure in the column associated with the certificate you want to require.

Column 1 shows how to view the values if you have a certificate file (such as one with a .cer or .pfx file extension).

Column 2 shows how to view the values if you have a signed file (that is, the file is not a certificate file, but contains a certificate).

Column 3 shows how to view the values if you have neither a certificate file nor a signed file.

Table 3-1 Viewing Certificate Attributes and Values

Certificate File (for example, a file with a .cer or .pfx extension):

A. Double-click the certificate.

B. Click the Details tab.

Signed File (a file that is not a certificate but carries a digital signature):

A. Right-click the file and choose Properties.

B. Click the Digital Signatures tab (which appears only if the file is signed).

C. Click Details.

D. Click View Certificate.

E. Click the Details tab.

Your Store (your PC):

A. Open the Control Panel.

B. Choose Internet Options.

C. Click the Content tab.

D. Click Certificates.

E. Choose a certificate and click View.

F. Click the Details tab.


Step 2 Go to the Secure Desktop Manager menu on ASDM and choose Prelogin Policy.

Step 3 Determine the position of the certificate check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 4 Choose Certificate Check and click Add.

Secure Desktop Manager inserts the Certificate Check node into the window and opens the Certificate Check window (Figure 3-5).

Figure 3-5 Add Certificate Check

Using the untitled drop-down list, choose the certificate attribute for which you want to specify a value to match to the certificate on the remote host.


Note Insert more than one certificate check if you want to require more than one attribute value match.


The options name the attributes in the Field column of the Details tab, as follows:

Issued To

Common Name

Given Name

Surname

Country

Locality

State or Province

Street Address

Organization

Organizational Unit

Title

Description

Business Category

Postal Address

Postal Code

Member

Owner

Role Occupant

Initials

Dn Qualifier

Domain Component

Step 5 Copy the string from the Value column to the right of the attribute name on the Details tab to the unnamed text box in the ASDM Add Certificate window.

Step 6 Copy the string from the Value column to the right of Issuer on the Details tab to the Issuer text box in the ASDM Add Certificate window.

Step 7 Click Update.


Checking the OS

The prelogin assessment includes a check for the OS attempting to establish a VPN connection. When the user attempts to connect, however, Cisco Secure Desktop automatically checks for the OS, regardless of whether you insert an OS prelogin check.

If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and if the remote PC is running Microsoft Windows XP or Windows 2000, it installs Secure Session, regardless of whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the operating system is Microsoft Windows Vista, Mac OS X 10.4, or Linux, Cache Cleaner runs instead. Therefore, you should make sure the Cache Cleaner settings are appropriate for a prelogin policy on which you have configured Secure Desktop or Cache Cleaner to install.

Although Cisco Secure Desktop automatically checks for the OS, you may want to insert an OS prelogin check as a condition for applying a prelogin policy to isolate subsequent checks for each OS.

Use the following procedure to insert an OS check:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the OS check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose OS and click Add.

Secure Desktop Manager inserts the OS check node into the diagram (Figure 3-6).

Figure 3-6 OS Check

If you wish, you can click any Login Denied node to change it to a prelogin policy or a subsequence node.


Checking for an IP Address

You can insert a check for the IP address of the remote host attempting a VPN connection into the prelogin assessment. If the address lies within the specified range, or within the network defined by the network address and subnet mask, the remote host passes the check; otherwise, it fails. For example, PCs connecting from within a workplace LAN on a 10.x.x.x network are an unlikely risk for exposing confidential information. For these PCs, you might set up a prelogin policy named Secure that matches IP addresses on the 10.x.x.x network, and disable the prelogin policy settings that install Cache Cleaner and Secure Session. Keep in mind that the check sees only the address the endpoint reports for itself, and that any host, including a home PC behind a router, can hold an address in a private range such as 10.x.x.x. If you use an IP address check to relax Secure Session, combine it with a certificate or registry check that a non-corporate host cannot satisfy as easily.


Note If the PC has more than one IP address, Cisco Secure Desktop uses only the first address detected.


Use the following procedure to check for an IP address as part of a prelogin assessment:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the IP address check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Select IP Address Check and click Add.

Secure Desktop Manager inserts the IP Address Check node and opens the IP address check window below the diagram. The IP address check window to the left in Figure 3-7 shows the default Mask attributes, and the IP address check window to the right shows the attributes that display when you click Range.

Figure 3-7 IP Address Check (Both Mask and Range Options Displayed)

Step 4 Choose either of the following options to indicate the type of IP address check:

Click Mask and enter the network address and subnet mask.

Click Range and enter the first IP address of the range in the From fields and the last IP address of the range in the To fields.

Step 5 Click Update.
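The Mask and Range forms of the check, and the rule from the note above that only the first address detected on a multi-homed host counts, look like this when written out. The following is an added example, not Cisco code or part of this guide; the host address lists are constructed, and the link-local 169.254.x.x adapter is there to show the failure mode the note describes.

```python
"""The Mask and Range forms of the IP Address prelogin check, applied the
way the note above says CSD applies it: only the first address detected on
the host is considered.

Added example, not Cisco code; the host address lists are constructed.
"""
import ipaddress
from typing import Sequence


def in_mask(addr: str, network: str, mask: str) -> bool:
    """Mask form: addr lies inside network/mask (a dotted mask is accepted)."""
    net = ipaddress.ip_network("%s/%s" % (network, mask), strict=False)
    return ipaddress.ip_address(addr) in net


def in_range(addr: str, first: str, last: str) -> bool:
    """Range form: first <= addr <= last, compared as integers."""
    a, lo, hi = (int(ipaddress.ip_address(x)) for x in (addr, first, last))
    return lo <= a <= hi


def ip_check(host_addresses: Sequence[str], kind: str, **spec) -> bool:
    """Apply a Mask or Range check to a host; only host_addresses[0] counts."""
    if not host_addresses:
        return False
    first_seen = host_addresses[0]
    if kind == "mask":
        return in_mask(first_seen, spec["network"], spec["mask"])
    if kind == "range":
        return in_range(first_seen, spec["first"], spec["last"])
    raise ValueError("unknown check kind %r" % kind)


if __name__ == "__main__":
    corp = dict(network="10.0.0.0", mask="255.0.0.0")
    # Single-homed corporate PC: passes.
    print(ip_check(["10.20.30.40"], "mask", **corp))
    # Multi-homed PC whose first adapter holds a link-local address: fails,
    # even though its second adapter is on 10/8.
    print(ip_check(["169.254.10.1", "10.20.30.40"], "mask", **corp))
    print(ip_check(["10.1.2.3"], "range", first="10.1.0.0", last="10.1.255.255"))
```

If users report being assigned the wrong policy from inside the LAN, the adapter order on the endpoint is the first thing to look at.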


Modifying the Prelogin Assessment Configuration

You can modify any node in the Prelogin Policy window except for the Start and OS nodes. You can delete any node except for the Start and end nodes. To modify or delete a node, click it. Make the changes as needed and click Update, or click Delete to remove the node from the configuration.

To insert a prelogin check, click the plus sign located in the position where you want to insert the check. Secure Desktop Manager inserts the window that lets you specify the check you want to select. After doing so, click Add. Use the instructions in the previous section to set the attributes in the check type window and click Update.

To change the type and name of any end node, double-click the end node, click Login Denied, Policy, or Subsequence to change the node type, type the name of the node in the Label field if it is of type Policy or Subsequence, and click Update.

Assigning Settings to a Prelogin Policy

To view the settings assigned to a prelogin policy, note the label on the green end node of the Prelogin Policy pane, then click the menu with the same name in the Secure Desktop Manager menu. The Privacy Protection pane for that policy opens (Figure 3-8).

Figure 3-8 Privacy Protection

This pane lets you specify a remote installation module to run on any remote computer that matches the prelogin policy criteria.

Check one of the following:

Secure Desktop—To run Secure Session on the remote PC.


Note If you check Secure Desktop, make sure that both the Secure Desktop and Cache Cleaner settings are appropriate for this policy. Cache Cleaner serves as a fall-back security solution for operating systems that Secure Session does not support.


Cache Cleaner—To run Cache Cleaner on the remote PC.

Neither Secure Desktop nor Cache Cleaner—Uncheck both options if the PC is secure (for example, if the prelogin checks reveal the PC is a corporate computer) or you do not want either module to load.

Configuring Secure Session and Cache Cleaner

Refer to the following sections to define the Cisco Secure Desktop experience for PCs that match the criteria defined for a specific prelogin policy:

Configuring Keystroke Logger and Host Emulator Detection

Configuring Cache Cleaner

Configuring Secure Desktop (Secure Session) General

Configuring Secure Desktop (Secure Session) Settings

Configuring the Secure Session Browser

Configuring Keystroke Logger and Host Emulator Detection

You can configure each prelogin policy to scan for keystroke logging applications and deny access if a suspected keystroke logging application is present. You can specify the keystroke logging applications that are safe or let the remote user interactively approve the applications the scan identifies.

Host emulation detection, another feature of prelogin policies, determines whether a remote Microsoft Windows operating system is running over virtualization software. You can enable or disable this feature to deny access if a host emulator is present, or report the detection to the user and let the user decide whether to end the session.

By default, keystroke logger detection and host emulation detection are disabled for each prelogin policy. If you enable them, they download along with Secure Desktop, Cache Cleaner, or Host Scan onto the remote computer. The associated module runs only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications or host emulator the scan identifies.


Note Cisco Secure Desktop only detects keystroke loggers if the user has administrator privileges. If the user does not, keystroke logger detection does not run.


Keystroke logger detection and host emulation detection support Microsoft Windows Vista, Windows XP, and Windows 2000.

Configure scanning for keystroke loggers as follows:


Step 1 Click Keystroke Logger & Safety Checks under the name of the prelogin policy you are configuring in the menu on the left.

The Keystroke Logger & Safety Checks window opens (Figure 3-9).

Figure 3-9 Keystroke Logger & Safety Checks

The "List of Safe Modules" window lists the paths to programs on the remote PC that have keystroke logging capabilities but are safe to use, as determined by the administrator. Programs such as Corel (previously Jasc) Paint Shop Pro typically invoke functions when the user presses particular keystroke combinations from within another application.

Step 2 Check Check for keystroke loggers to scan for a keystroke logging application on the remote PC.

By default, this attribute is not checked, and the other attributes and buttons are grayed out. If you check this attribute, the "Force admin control on list of safe modules" attribute becomes active.

Step 3 Check Force admin control on list of safe modules to specify which keystroke loggers are exempt from scanning, or uncheck it to let the remote user decide.

If you check this attribute, the Add button becomes active.

Uncheck this attribute if you want to give the remote user the right to determine if any detected keystroke logger is safe. If this attribute is unchecked and suspect modules are detected, a window on the remote PC lists the path and name of each suspected module. To determine whether a given module is safe, the user can click the "Click for info" link adjacent to the name to display Internet search results for the module. To run Secure Session, Cache Cleaner, or Host Scan, the user must insert a check next to all of the keystroke loggers in the list to acknowledge that they are safe. Otherwise, the user must terminate the session.


Note Unchecking this attribute deactivates but does not delete the contents of the "List of Safe Modules" window.


Step 4 Click Add to specify a module as safe, or choose an entry in the List of Safe Modules window and click Edit if you want to modify its path.

Cisco Secure Desktop Manager opens the Input dialog box.

Step 5 Type the path and name of the module or application in the Please enter module path field, then click OK.

Cisco Secure Desktop Manager closes the dialog box and lists the entry in the List of Safe Modules window.


Note To remove a program from the list, click the entry in the "Path of safe modules" list, then click Delete.


Step 6 Check Check for host emulation if you want to determine whether the operating system is running over virtualization software, such as VMware.

Step 7 Check Always deny access if running within emulation to prevent the module (Secure Session, Cache Cleaner, or Host Scan) from running if Cisco Secure Desktop detects that the operating system is running over virtualization software. Uncheck this attribute to alert the user about the host emulation software and let the user choose whether to terminate the session.

Step 8 Click Apply All to save the configuration changes.


Configuring Cache Cleaner

Cache Cleaner attempts to disable or erase data that a user downloaded, inserted, or created in the browser, including cached files, configuration changes, cached browser information, passwords entered, and auto-completed information. Cache Cleaner supports the following:

WebLaunch of Cisco AnyConnect on a PC running Microsoft Windows Vista, Windows XP, or Windows 2000.

Clientless (browser-based) SSL VPN connections with Microsoft Internet Explorer 5.0 or later on Windows Vista, Windows XP, Windows 2000, Mac OS X 10.4, and Linux.

Cache Cleaner does not support the standalone startup of AnyConnect Client from any computer.

For each prelogin policy for which either Secure Desktop (Secure Session) or Cache Cleaner is enabled, click Cache Cleaner under the profile you are configuring. The Cache Cleaner pane appears. Figure 3-10 shows the default settings.

Figure 3-10 Cache Cleaner

This window lets you configure the Cache Cleaner for the associated prelogin policy. Check the following fields as required by your security policy:

Launch hidden URL after installation—Check to use a URL for administrative purposes, hidden from the remote PC, so that you know that the user has the Cache Cleaner installed. For example, you could place a cookie file on the user's PC, and later check for the presence of that cookie.


Note This parameter applies only to Microsoft Windows. Cache Cleaner ignores it if the operating system is Mac OS or Linux.


Hidden URL—Type the URL to use for administrative purposes, if you checked "Launch hidden URL after installation."

Show success message at the end of successful installation. (Windows only)—Check to display a dialog box on the remote PC informing the user when the Cache Cleaner installation is successful.

Launch cleanup upon timeout based on inactivity—This attribute is not supported in this release.


Note This parameter applies only to Microsoft Windows. Cache Cleaner ignores it if the operating system is Mac OS or Linux.



Note Mouse movement restarts this timer, referred to here as the "mouse timer." Network activity restarts the Idle Timeout (referred to here as the "traffic timer"). The traffic timer is configurable on the internal group policy. Either timer terminates the session if the user forgets to log out or could not log out properly (if the computer freezes, for example).

When the mouse timer reaches its limit, the security appliance ends the session and closes the browser window. Any movement of the mouse connected to the remote computer restarts this timer, regardless of the application in use. The mouse timer ensures the user is still present even if a large download is in progress. The user of a Cache Cleaner session can view the countdown while they work by double-clicking the Cisco Secure Desktop lock icon next to the Windows time clock. The "Enable Secure Desktop inactivity timeout" on the Secure Desktop General configuration panel performs the same function for Secure Session, except the countdown display automatically opens when nine seconds are left, accompanied by an optional audible timer that beeps each second.

The traffic timer is useful for browsing web pages that take a short time to load but a long time to read. To configure the traffic timer, choose Configuration > Network (Client) Access or Clientless SSL VPN Access > Group Policies > Add or Edit > General > More Options and change the value of the Idle Timeout attribute.


Timeout after—This attribute is not supported in this release.


Note This parameter applies only to Microsoft Windows. Cache Cleaner ignores it if the operating system is Mac OS or Linux.


Launch cleanup upon closing of all browser instances or SSL VPN connection—Check to clean up the cache when all browser windows are closed or the user session is closed.

Clean the whole cache in addition to the current session cache (IE only)—Check to remove data from the Internet Explorer cache. Upon activation, Cache Cleaner attempts to remove the files generated, browsing history, and typed fields and passwords retained before the session began.

Secure Delete—Upon termination, Cache Cleaner performs a U.S. Department of Defense (DoD) sanitation algorithm to clean the browser cache. Choose the number of times to perform this cleanup task. The default setting is 3 passes. After completing the overwrite the specified number of times, Cache Cleaner removes the pointer to the file.


Note Click Apply All to save the running Cisco Secure Desktop configuration.


Configuring Secure Desktop (Secure Session) General

Click Secure Desktop General under the prelogin policy name to enable or disable the Secure Session features and customize the user experience.

The Secure Desktop General pane appears. Figure 3-11 shows the default settings.

Figure 3-11 Secure Desktop General

Check the following attributes to configure the general Secure Session settings for the prelogin policy you are configuring, as required by your security policy:

Enable switching between Secure Desktop and Local Desktop—We strongly recommend that you check this attribute to let users switch between Secure Session and the untrusted desktop. Called desktop switching, this feature provides users with the flexibility they might need to respond to a prompt from another application requiring an OK to let Secure Session continue processing. Unchecking this attribute minimizes the potential security risk posed by a user who leaves traces on the untrusted desktop. Thus, you might choose to uncheck this option if the security risk is a bigger issue than the deployment advantages of the alternative. Operating System limitations may prevent Secure Session from enforcing prevention of desktop switching, even if you disable this feature.

Enable Vault Reuse—Check to allow users to close Secure Session and open it again at a later time. Secure Session becomes a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) to restart Secure Session. This option is useful if users are running Secure Session on PCs that are likely to be reused; for example, a home PC. When a user closes Secure Session, it does not self-destruct. If you do not enable this option, Secure Session automatically self-destructs upon termination.

If unchecked, this attribute activates the following two attributes.

Suggest application uninstall upon Secure Desktop closing—Check to prompt the user and recommend that Secure Session be uninstalled when it closes. In contrast to the option below, the user has the choice to refuse the uninstallation.


Note Checking this option uninstalls Secure Session from the remote PC when the user session closes, so leave this option disabled if access to the Secure Session is important.


Force application uninstall upon Secure Desktop closing—Check if you do not want to leave Secure Session on untrusted PCs after users finish using it. Secure Session uninstalls when it closes.


Note Checking this option uninstalls Secure Session from the remote PC when the session closes, so leave this option disabled if access to Secure Session is important.


Enable Secure Desktop inactivity timeout—Check to close Secure Session automatically after a period of inactivity.


Note Mouse movement restarts this timer, referred to here as the "mouse timer." Network activity restarts the Idle Timeout (referred to here as the "traffic timer"). The traffic timer is configurable on the internal group policy. Either timer terminates the session if the user forgets to log out or could not log out properly (if the computer freezes, for example). When nine seconds remain on the mouse timer, a countdown display automatically opens, accompanied by an optional audible timer that beeps each second. Any movement of the mouse connected to the remote computer restarts this timer, regardless of the application in use. If the mouse timer reaches its limit, the security appliance ends the session and closes the browser window. The mouse timer ensures the user is still present even if a large download is in progress. The "Launch cleanup upon timeout based on inactivity" timer on the Cache Cleaner configuration panel performs the same function for Cache Cleaner, except the user double-clicks the Cisco Secure Desktop lock icon next to the Windows time clock to view the countdown. The audible timer associated with mouse movement is a feature provided only for Secure Desktop. The traffic timer is useful for browsing web pages that take a short time to load but a long time to read. To configure the traffic timer, choose Configuration > Network (Client) Access or Clientless SSL VPN Access > Group Policies > Add or Edit > General > More Options and change the value of the Idle Timeout attribute.


If checked, this attribute activates the following attribute.

Timeout After—Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period if you checked the "Enable Secure Desktop inactivity timeout" attribute. This attribute is the associated inactivity timer. Read the note above before entering a number.

Open following web page after Secure Desktop closes—Check this box and enter a URL in the field to make Secure Session automatically open a web page when it closes.

Secure Delete—Secure Session encrypts and writes itself to the remote PC disk. Upon termination, it performs a U.S. Department of Defense (DoD) sanitation algorithm. Choose the number of times to perform this cleanup task. The default setting is 3 passes. Following the completion of the task the number of times specified, Secure Session removes the pointer to the file.
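The Secure Delete attribute here, and the one on the Cache Cleaner pane above, both describe the same mechanism: overwrite the on-disk data a configured number of passes, then remove the directory entry. The following added example (not Cisco's code) implements that sequence in Python so the steps are concrete. The pass patterns (zeros, ones, random) are this example's assumption; the page does not specify the patterns the DoD algorithm uses, only the pass count.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20   # overwrite in 1 MiB pieces so large files are not held in memory


def _pattern(pass_index: int, size: int) -> bytes:
    """Assumed three-pattern cycle: 0x00, 0xFF, then random bytes."""
    if pass_index % 3 == 0:
        return b"\x00" * size
    if pass_index % 3 == 1:
        return b"\xff" * size
    return secrets.token_bytes(size)


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite the file in place `passes` times, then unlink it.

    Each pass is flushed and fsync'd so the data reaches the device rather
    than only the page cache. Returns the number of passes performed."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(_pattern(i, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)          # finally drop the pointer to the (now overwritten) file
    return passes


def demo() -> dict:
    """Constructed file standing in for the encrypted vault written to disk."""
    tmp = tempfile.mkdtemp()
    vault = os.path.join(tmp, "vault.bin")
    with open(vault, "wb") as f:
        f.write(b"constructed session data " * 1000)
    done = secure_delete(vault, passes=3)
    return {"passes": done, "still_exists": os.path.exists(vault)}
```

In-place overwriting is only meaningful where the filesystem rewrites the same blocks; journaling, copy-on-write and SSD wear-levelling can leave old copies behind. That is why the text pairs the wipe with encryption of the vault: the encryption is what protects the data if a block survives the overwrite.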


Note Click Apply All to save the running Cisco Secure Desktop configuration.


Configuring Secure Desktop (Secure Session) Settings

Click Secure Desktop Settings under the prelogin policy name to place restrictions on Secure Session.

The Secure Desktop Settings pane appears. Figure 3-12 shows the default settings.

Figure 3-12 Secure Desktop Settings

Check the boxes to apply the associated restrictions. The restrictions are as follows:

Restrict application usage to the web browser only—Check to let only the originating browser and any browser helpers that you specify run on Secure Session. Choosing this option limits the user's ability to use other applications, but increases the level of security.

If you check this attribute, Secure Desktop Manager inserts a text box under it (Figure 3-13).

Figure 3-13 Restrict Application Usage

To specify browser helpers that can run on Secure Session, click Add and select them from a preconfigured list. If the applications are not in the preconfigured list, type the names of the executable files into the box. You can also insert the full paths of the applications and specify a hash to help ensure the executable files are authentic. The on-screen help links you to the Microsoft File Checksum Integrity Verifier, which you can download to calculate the hash value of a browser helper on your local PC and copy to your clipboard. To add a hash value, append a colon (:) to the filename extension in the text box, then paste the hash value.
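The entry format described above is "<executable or full path>:<hash>". The following added example (not Cisco's code, and not part of this guide) shows how an administrator can build such an entry from a copy of the helper and later verify that an executable on disk still matches it, which is the purpose of appending the hash. The page does not say which digest Secure Session expects; the File Checksum Integrity Verifier produces MD5 by default and SHA-1 with its -sha1 option, so the helper below accepts either and recognises them by digest length. That choice, and the function names, are this example's assumptions.

```python
import hashlib
import os
import tempfile
from typing import Optional, Tuple

# Assumption: the digest is MD5 (32 hex chars) or SHA-1 (40 hex chars),
# the two algorithms the Microsoft File Checksum Integrity Verifier emits.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1"}
HEX = set("0123456789abcdefABCDEF")


def parse_helper_entry(entry: str) -> Tuple[str, Optional[str]]:
    """Split an allowlist entry into (name_or_path, hash_or_None).

    The hash follows the last colon. A drive-letter colon (C:\\...) is not
    followed by hex text, so it is not mistaken for a hash separator."""
    head, sep, tail = entry.rpartition(":")
    if not sep or not tail or not all(c in HEX for c in tail):
        return entry, None                      # no hash on this entry
    if len(tail) not in DIGEST_BY_LENGTH:
        raise ValueError(f"unrecognised digest length {len(tail)} in {entry!r}")
    return head, tail.lower()


def file_digest(path: str, algorithm: str) -> str:
    """Hex digest of a file, streamed so large helpers are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_helper_entry(path_on_disk: str, algorithm: str = "sha1") -> str:
    """Build 'name.exe:<hash>' from a trusted copy of the helper."""
    return f"{os.path.basename(path_on_disk)}:{file_digest(path_on_disk, algorithm)}"


def helper_matches(entry: str, candidate_path: str) -> bool:
    """True if the executable at candidate_path satisfies the entry.

    The file name must match (compared case-insensitively, as Windows does);
    when the entry carries a hash, the digest must match as well. A name-only
    entry therefore accepts any file with that name, which is the weaker setting."""
    name, expected = parse_helper_entry(entry)
    if os.path.basename(name).lower() != os.path.basename(candidate_path).lower():
        return False
    if expected is None:
        return True
    return file_digest(candidate_path, DIGEST_BY_LENGTH[len(expected)]) == expected


def demo() -> dict:
    """Constructed scenario: a genuine helper and a same-named modified copy."""
    tmp = tempfile.mkdtemp()
    genuine = os.path.join(tmp, "helper.exe")
    tampered = os.path.join(tmp, "HELPER.EXE")   # same name, different bytes
    with open(genuine, "wb") as f:
        f.write(b"constructed helper bytes v1")
    with open(tampered, "wb") as f:
        f.write(b"constructed helper bytes v2")
    entry = make_helper_entry(genuine, "sha1")
    return {
        "entry": entry,
        "genuine_ok": helper_matches(entry, genuine),
        "tampered_ok": helper_matches(entry, tampered),
        "name_only_ok": helper_matches("helper.exe", tampered),
        "drive_path_hash": parse_helper_entry(r"C:\Program Files\Vendor\helper.exe")[1],
    }
```

The last two results in demo() are the ones worth noticing: a name-only entry accepts the modified copy, and a full Windows path without a hash is parsed as a path, not as a hash.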

Disable access to network drives and network folders—Check to attempt to prevent user access to network resources and network drives while running Secure Session. The network resources are those that use the Server Message Block (SMB) client/server, request-response protocol to share such resources as files, printers, and APIs. For maximum security, we recommend that you check this attribute. If you do, Secure Desktop Manager dims the following attribute.

Do not encrypt files on network drives—Check to let the user save files to network drives. Secure Session does not encrypt the files and leaves the files behind after the session ends. If you uncheck "Disable access to network drives and network folders" and this attribute, Secure Session encrypts the files the user saves to network drives, then removes them upon Secure Session termination. Secure Desktop Manager dims this attribute if you check the previous attribute.

Disable access to removable drives and removable folders—Check to prevent the user from accessing portable drives while running Secure Session. Otherwise, the user can save files to a removable drive and remove the drive before closing the session. After closing the session, the user could forget to take the removable drive. For maximum security, we recommend that you check this attribute. If you do, Secure Desktop Manager dims the next attribute.

This attribute applies only to the drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window.

Do not encrypt files on removable drives—Check to let the user save files to portable drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window. Secure Session does not encrypt the files and leaves the files behind after the session ends. If you uncheck both "Disable access to removable drives and removable folders" and this attribute, Secure Session encrypts the files the user saves to portable drives, then removes them upon session termination. Secure Desktop Manager dims this attribute if you check the previous attribute.

Disable registry modification—Check to prevent the user from modifying the registry from within Secure Session. For maximum security, we recommend that you check this attribute.

Disable command prompt access—Check to prevent the user from running the DOS command prompt from within Secure Session. For maximum security, we recommend that you check this attribute.

Disable printing—Check to prevent the user from printing while using Secure Session. For maximum security of sensitive data, check this option.

Allow email applications to work transparently—Check to let the user open e-mail while on Secure Session and to prevent it from deleting e-mail upon the termination of the session. The use of the term transparent means that Secure Session handles e-mail the same way that the local desktop handles it. Transparent handling works for the following e-mail applications:

Microsoft Outlook Express

Microsoft Outlook

Eudora

Lotus Notes

If this attribute is checked and the remote user uses an e-mail application to save an attachment to the "My Documents" folder, it is visible from both Secure Session and the local desktop. Similarly, deleting such a file from within the e-mail application running over Secure Session removes the file from both desktops.


Note Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, while in a Secure Session removes the file only from Secure Session.


Click Apply All to save the running Cisco Secure Desktop configuration.

Configuring the Secure Session Browser

Click Secure Desktop Browser under the prelogin policy name to specify the URL that opens when the user in a Secure Session clicks Home. This option also lets you specify the folders and URLs that populate the Bookmarks or Favorites menu during the Secure Session.

The Secure Desktop Browser pane appears. Figure 3-14 shows the default settings.

Figure 3-14 Secure Desktop Browser

For the duration of the Secure Session, the browser does not list the user's bookmarks or favorites. It lists only the ones shown in this pane.

Configure the Secure Desktop Browser as follows:


Step 1 In the Home Page field, type the URL of the page that you want to open when the remote user clicks Home.

The Customized Bookmarks pane lists the folders and URLs that populate the browser Bookmarks or Favorites menu.

Step 2 Use the following guidelines to add, modify, and delete entries in the Customized Bookmarks pane:

To add a folder, select the folder to contain it, click Add Folder, type the new folder in the dialog box, then click OK.

To add a bookmark to the list, select the folder to contain it, click Add Bookmark, type the URL in the dialog box, then click OK.

To modify a URL, select it, click Edit, type the new URL in the dialog box, then click Edit.

To remove a folder or a URL, select it and click Delete.


Note Click Apply All to save the running Cisco Secure Desktop configuration.



Configuring Host Scan

The Secure Desktop Manager > Host Scan window shown in Figure 3-15 lets you do the following:

To configure and view the registry entries, filenames, and process names for which to scan, see "Configuring Basic Host Scan Entries."

To enable or disable scanning for antispyware, antivirus, and personal firewall applications and updates, see "Enabling and Disabling Host Scan Extensions."

To configure enforcement of the antispyware, antivirus, and personal firewall applications and updates of your choice, see "Configuring Advanced Endpoint Assessment" and "Configuring Personal Firewall Rules." This option requires an Advanced Endpoint Assessment license.

Figure 3-15 Host Scan


Note Regardless of whether you have an Advanced Endpoint Assessment license, you can use ASDM to configure Dynamic Access Policies for making policy decisions based on the scan results.


Configuring Basic Host Scan Entries

You can specify a set of registry entries, filenames, and process names, which form a part of Basic Host Scan. The host scan, which includes Basic Host Scan and either Endpoint Assessment or Advanced Endpoint Assessment, occurs after the prelogin assessment but before the assignment of a DAP. Following the Basic Host Scan, the security appliance uses the login credentials, the host scan results, prelogin policy, and other criteria you configure to assign a DAP.

See the sections that name the types of Basic Host Scan entries you would like to configure:

Adding a File Check to the Basic Host Scan

Adding a Registry Key Check to the Basic Host Scan (Microsoft Windows Only)

Adding a Process Check to the Basic Host Scan

Adding a File Check to the Basic Host Scan

Add a check for a specific file to the Basic Host Scan as follows:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-15).

Step 2 Click Add > File Scan.

The Add File Scan pane opens (Figure 3-16).

Figure 3-16 Add File Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

File-okclient.exe

File Path—Enter the directory path to the file.

Secure Desktop Manager retains the case of the text you enter to check for a path to a file on the remote device. The match results are case-sensitive only if the devices are running Linux or Mac OS. The Microsoft Windows file system is not case-sensitive.

For example,

C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe

Step 4 Click OK.

ASDM closes the Add File Scan window and inserts the entry into the Basic Host Scan table.
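The case-sensitivity rule in Step 3 is easy to get wrong when one entry must serve endpoints on different operating systems. The following added example (not Cisco's code) evaluates a File Scan entry the way the text describes, reporting the Endpoint ID as present or absent. To show the Windows behaviour on any host, it resolves each path component itself, comparing names exactly for Linux and Mac OS and without regard to case for Windows, rather than relying on the local filesystem. The os_family labels and function names are this example's assumptions.

```python
import os
import tempfile
from typing import Dict


def _resolve(path: str, case_sensitive: bool) -> bool:
    """Walk the path one component at a time and report whether a file exists there.

    With case_sensitive=False the first directory entry whose name matches
    ignoring case is taken, which mirrors a case-insensitive filesystem."""
    parts = [p for p in path.split(os.sep) if p]
    current = os.sep if os.path.isabs(path) else os.curdir
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:
            return False
        if case_sensitive:
            match = part if part in names else None
        else:
            match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return False
        current = os.path.join(current, match)
    return os.path.isfile(current)


def file_check(endpoint_id: str, file_path: str, os_family: str) -> Dict[str, bool]:
    """Evaluate one Basic Host Scan file entry for an endpoint of the given OS.

    Returns {endpoint_id: present}, the shape a DAP endpoint attribute sees."""
    if os_family == "windows":
        present = _resolve(file_path, case_sensitive=False)
    elif os_family in ("linux", "macos"):
        present = _resolve(file_path, case_sensitive=True)
    else:
        raise ValueError(f"unknown OS family {os_family!r}")
    return {endpoint_id: present}


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed layout: the file exists on disk as CSAgent/bin/okclient.exe,
    but the administrator typed the path with different capitalisation."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "CSAgent", "bin"))
    on_disk = os.path.join(tmp, "CSAgent", "bin", "okclient.exe")
    open(on_disk, "wb").close()
    typed = os.path.join(tmp, "csagent", "BIN", "OKCLIENT.EXE")
    return {
        "windows_typed": file_check("File-okclient.exe", typed, "windows"),
        "linux_typed": file_check("File-okclient.exe", typed, "linux"),
        "linux_exact": file_check("File-okclient.exe", on_disk, "linux"),
    }
```

The same typed path therefore yields a match on a Windows endpoint and a miss on a Linux one; a DAP built on that Endpoint ID will treat the two endpoints differently unless the entry is typed with the exact on-disk case.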


Adding a Registry Key Check to the Basic Host Scan (Microsoft Windows Only)

Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.

Add a check for a specific registry key to Basic Host Scan as follows:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-15).

Step 2 Click Add > Registry Scan.

The Add Registry Scan pane opens (Figure 3-17).

Figure 3-17 Add Registry Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Registry-SecureDesktop

Entry Path menu—Choose the hive, the initial directory path to the registry key. The options are as follows:

HKEY_CLASSES_ROOT\
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\

Each string references a registry base that stores different information. The HKEY_LOCAL_MACHINE\ path is the most commonly used one because it contains the machine-specific registry files.

Entry Path field—Enter the name of the registry key.


Caution Do not type quotes in a Registry Key name that includes spaces.

For example,

SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)

Step 4 Click OK.

ASDM closes the Add Registry Scan window and inserts the entry into the Basic Host Scan table.


Adding a Process Check to the Basic Host Scan

Add a check for a specific process to Basic Host Scan as follows:


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan pane opens (Figure 3-15).

Step 2 Click Add > Process Scan.

The Add Process Scan pane opens (Figure 3-18).

Figure 3-18 Add Process Scan

Step 3 Assign values to the following attributes:

Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.

For example,

Process-Agent.exe

Process Name—Enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.

For example,

Agent.exe

Step 4 Click OK.

ASDM closes the Add Process Scan window and inserts the entry into the Basic Host Scan table.


Enabling and Disabling Host Scan Extensions

You can configure a scan for antivirus, personal firewall, and antispyware applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure Desktop loads Endpoint Assessment checks and reports the results back to the security appliance for use in assigning a DAP.

To enable or disable Host Scan Extensions,


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan window opens (Figure 3-15).

Step 2 Check one of the following options in the Host Extensions area of the Host Scan window:

Endpoint Assessment—If you check this option the remote PC scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.

Advanced Endpoint Assessment—This option is present only if the configuration includes a key for an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify. To turn on this option after acquiring a key from Cisco, choose Device Management > System Image/Configuration > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key.

When you check this option, Secure Desktop Manager inserts a check mark next to both options.

To disable the host scan extensions, uncheck both options in the Host Extensions area of the Host Scan window.


Configuring Advanced Endpoint Assessment

Advanced Endpoint Assessment lets you configure an attempt to update noncompliant computers to meet the version requirements you specify. If you configure enforcement of antivirus and antispyware versions and their associated definitions updates, and of personal firewall versions and their associated rules, Host Scan attempts to remediate the host if the applications are present.

To configure Advanced Endpoint Assessment,


Step 1 Choose Secure Desktop Manager > Host Scan.

The Host Scan window opens (Figure 3-15).

Step 2 Check or click Advanced Endpoint Assessment.

If this option is unavailable, you need to get an Advanced Endpoint Assessment license and enter the key, as described in the previous section. Otherwise, Secure Desktop Manager activates the Configure button.

Step 3 Click Configure.

The Windows, Mac OS, and Linux tabs let you specify enforcement settings for each respective operating system. The three tabs are the same; only the vendors and applications differ. By default, Host Scan does not attempt to remediate enforcement. Figure 3-19 shows the default Windows tab.

Figure 3-19 Advanced Endpoint Assessment (Windows Tab Example)


Note Secure Desktop Manager activates attributes and buttons in response to a selection only if the application supports the attributes and button functions. For example, you can click Add to add a personal firewall rule only if the selected personal firewall application supports rules.


Step 4 Click Add next to the Antivirus table, select one or more Vendor-Product options from the dialog box, and click OK.

Cisco Secure Desktop Manager inserts the options you selected into the antivirus table.

Step 5 Set the following optional antivirus attributes:

Force File System Protection—(Enabled only if the selected antivirus application supports this feature) Check if you want to turn on ongoing background scanning by the installed antivirus application. The application checks files as they are received and blocks access to files that are likely to contain viruses.

Force Virus Definitions Update—Check to require the remote host to check for a virus definitions update for the installed application. If you check this option, you must specify the number of days.

If not updated in last—Enter the age in days of the last update that triggers a new update.

Step 6 Click Add next to the Personal Firewall table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 7 Configure the optional Personal Firewall action and rules, as follows:

Firewall Action—The contents of this drop-down list depend on the options available for the selected personal firewall. Select None, Force Enable to enable the firewall, or Force Disable to disable the firewall.

Rules—This table is available only if the selected personal firewall supports rules. It lets you specify the applications and ports that the firewall allows or blocks. See "Configuring Personal Firewall Rules" for instructions.

Step 8 Click Add next to the Antispyware table, select one or more Vendor-Product options from the dialog box, and click OK.

Step 9 Set the following optional antispyware attributes:

Force Spyware Definitions Update—Check to require the remote host to check for a spyware definitions update for the selected application. If you check this option, you must specify the number of days.

If not updated in last—Enter the age in days of the last update that triggers a new update.

Step 10 Click OK.


Configuring Personal Firewall Rules

Personal firewall rules let you specify applications and ports for the firewall to allow or block. The Add, Edit, and Delete buttons next to the Rules table in the Advanced Endpoint Assessment window (Figure 3-19) are active only if the selected personal firewall supports rules. For example, the applications that appear under the Internet Security Systems, Inc. options support personal firewall rules.

If you configure Advanced Endpoint Assessment as described in the previous section and click Add or Edit next to the Rules table, the Add or Edit Rule window opens (Figure 3-20).

Figure 3-20 Add Personal Firewall Rule

To set the attributes in the Add or Edit Rule window,


Step 1 Use the following attribute description to select the rule.

Rule—Choose the action of this rule. The options are ALLOW Application, BLOCK Application, ALLOW Port, and BLOCK Port.

Step 2 Go to the Application area and set the following attributes if you selected ALLOW Application or BLOCK Application.

Name—Enter the full file name and extension of the application to be allowed or blocked.

Full path—Enter the entire path to the application file.

Step 3 Go to the Port area and set the following attributes if you selected ALLOW Port or BLOCK Port.

Protocol—Select the protocols to be allowed or blocked. The options are Any, UDP, and TCP.

Port—Enter the port number to be allowed or blocked.

Step 4 Click OK.

Repeat this procedure for each personal firewall rule you want to configure.


Configuring a Dynamic Access Policy

You can use a match of a prelogin policy, Basic Host Scan entry, Host Scan Extension, or any combination of these and any other policy attributes to assign access rights and restrictions. At minimum, configure dynamic access policies (DAP) to assign to each prelogin policy and Basic Host Scan entry.

Configure DAPs as follows:


Step 1 Choose Configuration > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.

The Add or Edit Dynamic Policy window opens (Figure 3-21).

Figure 3-21 Add Dynamic Access Policy

Step 2 Name the policy and assign a priority to the policy using the fields near the top of the window.

Step 3 Select the ANY, ALL, or NONE option in the drop-down list on the left side of the Selection Criteria area.

Step 4 Click the Add button on the left to specify AAA attribute type and values, then click OK. Repeat for each AAA attribute to use for this DAP.

Step 5 Move the mouse to the right of the Endpoint Attribute table and click Add.

The Add Endpoint Attribute window opens (Figure 3-22).

Figure 3-22 Add Endpoint Attribute


Note If the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked and you select Antispyware, Antivirus, or Personal Firewall, ASDM populates the Vendor ID and Vendor Description drop-down menus. Otherwise, it shows blank fields next to the Vendor ID and Vendor Description attribute names.


Step 6 Choose one or more of the methods in Table 3-2 to match the endpoint:

Table 3-2 Endpoint Attribute Types Associated with Cisco Secure Desktop

Each row lists the Secure Desktop Manager object to match, the Endpoint Attribute Type to select, and what to do next.

Object: Prelogin policy present in the Secure Desktop Manager > Prelogin Policy pane
Endpoint Attribute Type: Policy
Action: Select the name of the prelogin policy from the drop-down list.

Object: File specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane
Endpoint Attribute Type: File
Action: Select the Endpoint ID that matches the Basic Host Scan file entry ID from the drop-down list.

Object: Process specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane
Endpoint Attribute Type: Process
Action: Select the Endpoint ID that matches the Basic Host Scan process entry ID from the drop-down list.

Object: Registry key specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane
Endpoint Attribute Type: Registry
Action: Select the Endpoint ID that matches the Basic Host Scan registry entry ID from the drop-down list.

Object: Antispyware application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked.
Endpoint Attribute Type: Antispyware
Action: Select the options in the Vendor ID and Vendor Description drop-down lists.

Object: Antivirus application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked.
Endpoint Attribute Type: Antivirus
Action: Select the options in the Vendor ID and Vendor Description drop-down lists.

Object: Personal firewall application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked.
Endpoint Attribute Type: Personal Firewall
Action: Select the options in the Vendor ID and Vendor Description drop-down lists.



Step 7 Click OK.

The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.

Step 8 Complete the configuration of any other endpoint attributes to specify any other criteria you want to use to identify the remote access devices for which the DAP applies.

Step 9 Set the access policy attributes in the tabs at the bottom of the window to provide access rights and restrictions, then click OK.
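The procedure above combines the endpoint attribute types of Table 3-2 with the ANY, ALL, or NONE setting of Step 3. The following added example (not Cisco's code, and not how the security appliance is implemented internally) models that selection logic so the effect of each mode can be checked against a set of scan results before a policy is deployed. The scan results, DAP names, the "Corporate" prelogin policy name and the antivirus vendor strings are constructed; the ordering of matched DAPs by priority is this example's assumption, since the page only says that each DAP is given a priority.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class EndpointAttribute:
    attr_type: str   # "policy", "file", "process", "registry", "antispyware", "antivirus", "personal_firewall"
    value: str       # prelogin policy name, Basic Host Scan Endpoint ID, or "<Vendor ID>/<Vendor Description>"


@dataclass
class DynamicAccessPolicy:
    name: str
    priority: int
    match_mode: str                                  # "ANY", "ALL" or "NONE", the Selection Criteria drop-down
    endpoint_attributes: List[EndpointAttribute] = field(default_factory=list)


# attr_type -> values the prelogin assessment and Host Scan reported for the endpoint
ScanResults = Dict[str, Set[str]]


def attribute_satisfied(attr: EndpointAttribute, scan: ScanResults) -> bool:
    """One Table 3-2 criterion is met when the endpoint reported that value for that type."""
    return attr.value in scan.get(attr.attr_type, set())


def dap_matches(dap: DynamicAccessPolicy, scan: ScanResults) -> bool:
    hits = [attribute_satisfied(a, scan) for a in dap.endpoint_attributes]
    if dap.match_mode == "ANY":
        return any(hits)            # a DAP with no criteria never matches under ANY
    if dap.match_mode == "ALL":
        return all(hits)            # ... but matches every endpoint under ALL
    if dap.match_mode == "NONE":
        return not any(hits)        # ... and under NONE (no criterion can be present)
    raise ValueError(f"unknown match mode {dap.match_mode!r}")


def select_daps(daps: List[DynamicAccessPolicy], scan: ScanResults) -> List[str]:
    """Names of the DAPs the endpoint satisfies, highest priority first (assumed ordering)."""
    matched = [d for d in daps if dap_matches(d, scan)]
    return [d.name for d in sorted(matched, key=lambda d: d.priority, reverse=True)]


def demo() -> List[str]:
    # Constructed scan results, reusing the Endpoint IDs from the Basic Host Scan examples above.
    scan: ScanResults = {
        "policy": {"Corporate"},
        "file": {"File-okclient.exe"},
        "process": set(),                                   # Process-Agent.exe was not running
        "registry": {"Registry-SecureDesktop"},
        "antivirus": {"ExampleAV/Example Antivirus 9"},     # constructed Vendor ID / Vendor Description
    }
    daps = [
        DynamicAccessPolicy("Corporate-Managed", 20, "ALL", [
            EndpointAttribute("policy", "Corporate"),
            EndpointAttribute("file", "File-okclient.exe"),
            EndpointAttribute("registry", "Registry-SecureDesktop"),
        ]),
        DynamicAccessPolicy("Any-Protected", 10, "ANY", [
            EndpointAttribute("process", "Process-Agent.exe"),
            EndpointAttribute("antivirus", "ExampleAV/Example Antivirus 9"),
        ]),
        DynamicAccessPolicy("Unmanaged-Quarantine", 5, "NONE", [
            EndpointAttribute("file", "File-okclient.exe"),
            EndpointAttribute("registry", "Registry-SecureDesktop"),
        ]),
    ]
    return select_daps(daps, scan)
```

In the constructed run the ALL policy matches because every one of its three criteria was reported, the ANY policy matches on the antivirus criterion alone even though the process check failed, and the NONE policy does not match because the managed-host file and registry markers are present. The empty-criteria behaviour noted in dap_matches() is the case to double-check when a DAP is created with Step 5 skipped.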