Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.4.1
Assigning Secure Desktop, Cache Cleaner, and Detection Settings to Policies

See the following sections to specify CSD policy settings:

Enabling and Disabling Secure Desktop or Cache Cleaner

Configuring Keystroke Logger and Host Emulator Detection

Configuring Cache Cleaner

Configuring Secure Desktop (Vault) General

Configuring Secure Desktop (Vault) Settings

Configuring the Secure Desktop (Vault) Browser

Enabling and Disabling Secure Desktop or Cache Cleaner

To view and change the settings assigned to a prelogin policy, note the label on the green end node of the Prelogin Policy pane, then click the menu with the same name in the Secure Desktop Manager menu. The Privacy Protection pane for that policy opens (Figure 6-1).

Figure 6-1 Privacy Protection

This pane lets you specify a remote installation module to run on any remote computer that matches the prelogin policy criteria.

Check one of the following:

Secure Desktop—To run Secure Desktop (Vault) on the remote PC.


Note If you check Secure Desktop, make sure that both the Secure Desktop and Cache Cleaner settings are appropriate for this policy. Cache Cleaner serves as a fall-back security solution for operating systems that Secure Desktop does not support.


Cache Cleaner—To run Cache Cleaner on the remote PC.

Neither Secure Desktop nor Cache Cleaner—Uncheck both options if the PC is secure (for example, if the prelogin checks reveal the PC is a corporate computer) or you do not want either module to load.

Configuring Keystroke Logger and Host Emulator Detection

You can configure each prelogin policy to scan for keystroke logging applications on Windows and deny access if a suspected keystroke logging application is present. You can specify the keystroke logging applications that are safe or let the remote user interactively approve the applications the scan identifies.

Host emulation detection, another feature of prelogin policies, determines whether a remote Microsoft Windows operating system is running over virtualization software. You can enable or disable this feature to deny access if a host emulator is present, or report the detection to the user and let the user decide whether to end the session.

By default, keystroke logger detection and host emulation detection are disabled for each prelogin policy. If you enable them, they download along with Secure Desktop, Cache Cleaner, or Host Scan onto the remote computer. The associated module runs only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications or host emulator the scan identifies.


Note CSD only detects keystroke loggers if the user has administrator privileges. If the user does not, keystroke logger detection does not run.


Keystroke logger detection and host emulation detection support Microsoft Windows Vista, Windows XP, and Windows 2000.

Configure scanning for keystroke loggers as follows:


Step 1 Click Keystroke Logger & Safety Checks under the name of the prelogin policy you are configuring in the menu on the left.

The Keystroke Logger & Safety Checks window opens (Figure 6-2).

Figure 6-2 Keystroke Logger & Safety Checks

The "List of Safe Modules" window lists the paths to program applications on the remote PC that have keystroke logging capabilities but are safe to use, as determined by the administrator. Programs such as Corel (previously Jasc) Paint Shop Pro typically invoke functions when the user presses particular keystroke combinations from within another application.

Step 2 Check Check for keystroke loggers to scan for a keystroke logging application on the remote PC.

By default, this attribute is not checked, and the other attributes and buttons are grayed out. If you check this attribute, the "Force admin control on list of safe modules" attribute becomes active.

Step 3 Check Force admin control on list of safe modules to specify which keystroke loggers are exempt from scanning, or uncheck it to let the remote user decide.

If you check this attribute, the Add button becomes active.

Uncheck this attribute if you want to give the remote user the right to determine if any detected keystroke logger is safe. If this attribute is unchecked and suspect modules are detected, a window on the remote PC lists the path and name of each suspected module. To determine whether a given module is safe, the user can click the "Click for info" link adjacent to the name to display Internet search results for the module. To run Secure Desktop, Cache Cleaner, or Host Scan, the user must insert a check next to all of the keystroke loggers in the list to acknowledge that they are safe. Otherwise, the user must terminate the session.


Note Unchecking this attribute deactivates but does not delete the contents of the "List of Safe Modules" window.


Step 4 Click Add to specify a module as safe, or choose an entry in the List of Safe Modules window and click Edit if you want to modify its path.

Secure Desktop Manager opens the Input dialog box.

Step 5 Type the full path and name of the module or application in the Please enter module path field, then click OK.

You can also enter environment variables to specify whitelist entries. For example:

%windir%\system32\keylogger.exe

%programfiles%\mylogger\logme.exe

%commonprogramfiles%\logger\watch.exe

Secure Desktop Manager closes the dialog box and lists the entry in the List of Safe Modules window.


Note To remove an entry from the list, click it in the "Path of safe modules" list, then click Delete.
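The following added example (not part of the guide and not Cisco's code) shows how whitelist entries written with environment variables, like the three above, can be resolved against a remote PC's environment and compared with the module paths a scan reports. It assumes the variables are expanded with the remote machine's own values and that comparison is case-insensitive on the full path, which is how Windows treats paths; the sample environment, the scan result and the path hook.exe are constructed for the example.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the environment of a remote Windows PC (not from the guide);
# on a real scan the values come from whichever machine the module runs on.
SAMPLE_ENV: Dict[str, str] = {
    "windir": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "commonprogramfiles": r"C:\Program Files\Common Files",
}

# The three whitelist entries given as examples in the guide.
SAFE_MODULES: List[str] = [
    r"%windir%\system32\keylogger.exe",
    r"%programfiles%\mylogger\logme.exe",
    r"%commonprogramfiles%\logger\watch.exe",
]

_VAR = re.compile(r"%([^%]+)%")


def expand_entry(entry: str, env: Dict[str, str]) -> str:
    """Replace every %NAME% token with its value. Variable names are case-insensitive,
    as on Windows. An unknown variable is an error rather than a silent empty string:
    an entry that expands to a bogus path would never match and silently protect nothing."""
    def repl(match):
        name = match.group(1).lower()
        if name not in env:
            raise KeyError(f"unknown environment variable in whitelist entry: %{name}%")
        return env[name]
    return _VAR.sub(repl, entry)


def normalize(path: str) -> str:
    """Canonical form for comparison: Windows paths are case-insensitive and accept
    either separator, so fold case and collapse separators and '..' segments."""
    return ntpath.normcase(ntpath.normpath(path))


def is_safe(detected_path: str, safe_entries: Iterable[str], env: Dict[str, str]) -> bool:
    """True if the detected module's full path equals one expanded whitelist entry."""
    target = normalize(detected_path)
    return any(normalize(expand_entry(e, env)) == target for e in safe_entries)


def triage(detected: Iterable[str], safe_entries: Iterable[str],
           env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split scan results into whitelisted modules and suspects. With admin control
    forced, any suspect blocks the module from running; without it, the suspect list is
    what the remote user is asked to approve."""
    safe_entries = list(safe_entries)
    approved: List[str] = []
    suspect: List[str] = []
    for path in detected:
        (approved if is_safe(path, safe_entries, env) else suspect).append(path)
    return approved, suspect


if __name__ == "__main__":
    # Constructed scan result: two whitelisted tools plus an unknown hook in a temp folder.
    found = [
        r"C:\WINDOWS\System32\keylogger.exe",
        r"C:\Program Files\mylogger\logme.exe",
        r"C:\Users\alice\AppData\Local\Temp\hook.exe",
    ]
    ok, bad = triage(found, SAFE_MODULES, SAMPLE_ENV)
    print("approved:", ok)
    print("suspect:", bad)
```

Because the match is on the full, expanded path, a module of the same name loaded from another directory still shows up as a suspect; that is the reason to prefer full paths over bare file names in the list.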


Step 6 Check Check for host emulation if you want to determine whether the operating system is running over virtualization software, such as VMware.

Step 7 Check Always deny access if running within emulation to prevent the module (Secure Desktop, Cache Cleaner, or Host Scan) from running if CSD detects that the operating system is running over virtualization software. Uncheck this attribute to alert the user about the host emulation software and let the user choose whether to terminate the session.

Step 8 Click Apply All to save the configuration changes.


Configuring Cache Cleaner

Cache Cleaner attempts to disable or erase data that a user downloaded, inserted, or created in the browser, including cached files, configuration changes, cached browser information, passwords entered, and auto-completed information. Cache Cleaner supports the following:

WebLaunch of Cisco AnyConnect running on Microsoft Windows, Mac OS, and Linux.

Clientless (browser-based) SSL VPN connections on Windows Vista, Windows XP, Windows 2000, Mac OS X 10.4, and Linux.

Cache Cleaner does not support the standalone startup of AnyConnect Client from any computer.

For each prelogin policy for which either Secure Desktop (Vault) or Cache Cleaner is enabled, click Cache Cleaner under the profile you are configuring. The Cache Cleaner pane appears. Figure 6-3 shows the default settings.

Figure 6-3 Cache Cleaner

This window lets you configure the Cache Cleaner for the associated prelogin policy. Check the following fields as required by your security policy:

Launch hidden URL after installation—(For Microsoft Windows only. Cache Cleaner ignores it if the operating system is Mac OS or Linux.) Check to use a URL for administrative purposes, hidden from the remote PC, so that you know that the user has the Cache Cleaner installed. For example, you could place a cookie file on the user's PC, and later check for the presence of that cookie.

Hidden URL—Type the URL to use for administrative purposes, if you checked "Launch hidden URL after installation."

Show success message at the end of successful installation. (Windows only)—Check to display a dialog box on the remote PC informing the user when the Cache Cleaner installation is successful.

Launch cleanup upon timeout based on inactivity—Check to close Cache Cleaner automatically after a period of mouse inactivity. This parameter applies only to Microsoft Windows. Cache Cleaner ignores it if the operating system is Mac OS or Linux.


Note Network activity restarts the Idle Timeout (referred to here as the "traffic timer"). The traffic timer is configurable on the internal group policy. Either timer terminates the session if the user forgets to log out or could not log out properly (if the computer freezes, for example).

When the mouse timer reaches its limit, the security appliance ends the session and closes the browser window. Any movement of the mouse connected to the remote computer restarts this timer, regardless of the application in use. The mouse timer ensures the user is still present even if a large download is in progress. The user of a Cache Cleaner session can view the countdown while they work by double-clicking the CSD lock icon next to the Windows time clock. The "Enable Secure Desktop inactivity timeout" on the Secure Desktop (Vault) General configuration panel performs the same function for Secure Desktop, except the countdown display automatically opens when nine seconds are left, accompanied by an optional audible timer that beeps each second.

The traffic timer is useful for browsing web pages that take a short time to load but a long time to read. To configure the traffic timer, choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Group Policies > Add or Edit > General > More Options and change the value of the Idle Timeout attribute.


Timeout after—Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period if you checked the "Launch cleanup upon timeout based on inactivity" attribute. This attribute is the associated inactivity timer. Read the note above before entering a number.

Launch cleanup upon closing of all browser instances or SSL VPN connection—Check to clean up the cache when all browser windows are closed or the user session is closed.

Clean the whole cache in addition to the current session cache (IE only)—Check to remove data from the Internet Explorer cache. Upon activation, Cache Cleaner attempts to remove the files generated, browsing history, and typed fields and passwords retained before the session began.

Disable Cancel button—(For Microsoft Windows only) Check to prevent the remote user from canceling the deletion of the cache.

Secure Delete—Upon termination, Cache Cleaner performs a U.S. Department of Defense (DoD) sanitation algorithm to clean the browser cache. Choose the number of times to perform this cleanup task. The default setting is 3 passes. Following the completion of the task the number of times specified, Secure Desktop removes the pointer to the file.


Note Click Apply All to save the running CSD configuration.


Configuring Secure Desktop (Vault) General

Click Secure Desktop (Vault) General under the prelogin policy name to enable or disable the Secure Desktop (Vault) features and customize the user experience.

The Secure Desktop (Vault) General pane appears. Figure 6-4 shows the default settings.

Figure 6-4 Secure Desktop (Vault) General

Check the following attributes to configure the general Secure Desktop settings for the prelogin policy you are configuring, as required by your security policy:

Enable switching between Secure Desktop and Local Desktop—We strongly recommend that you check this attribute to let users switch between Secure Desktop and the untrusted desktop. Called desktop switching, this feature provides users with the flexibility they might need to respond to a prompt from another application requiring an OK to let Secure Desktop continue processing. Unchecking this attribute minimizes the potential security risk posed by a user who leaves traces on the untrusted desktop. You might choose to uncheck this option if the deployment advantages outweigh the security risk. If you permit switching, a Windows XP user can switch between the Secure Desktop and an AnyConnect session running on the local desktop. Operating system limitations may prevent Secure Desktop from enforcing prevention of desktop switching, even if this feature is disabled. AnyConnect and Secure Desktop cannot run simultaneously on Windows Vista.

Enable Vault Reuse—Check to allow users to close Secure Desktop and open it again at a later time. Secure Desktop becomes a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) to restart Secure Desktop. This option is useful if users are running Secure Desktop on PCs that are likely to be reused; for example, a home PC. When a user closes Secure Desktop, it does not self-destruct. If you do not enable this option, Secure Desktop automatically self-destructs upon termination.

If unchecked, this attribute activates the following two attributes.

Suggest application uninstall upon Secure Desktop closing—Check to prompt the user and recommend that Secure Desktop be uninstalled when it closes. In contrast to the option below, the user has the choice to refuse the uninstallation.


Note Checking this option uninstalls Secure Desktop from the remote PC when the user session closes, so leave this option disabled if access to Secure Desktop is important.


Force application uninstall upon Secure Desktop closing—Check if you do not want to leave Secure Desktop on untrusted PCs after users finish using it. Secure Desktop uninstalls when it closes.


Note Checking this option uninstalls Secure Desktop from the remote PC when the session closes, so leave this option disabled if access to Secure Desktop is important.


Enable Secure Desktop inactivity timeout—Check to close Secure Desktop automatically after a period of mouse inactivity.


Note Network activity restarts the Idle Timeout (referred to here as the "traffic timer"). The traffic timer is configurable on the internal group policy. Either timer terminates the session if the user forgets to log out or could not log out properly (if the computer freezes, for example).

When nine seconds remain on the mouse timer, a countdown display automatically opens, accompanied by an optional audible timer that beeps each second. Any movement of the mouse connected to the remote computer restarts this timer, regardless of the application in use. If the mouse timer reaches its limit, the security appliance ends the session and closes the browser window. The mouse timer ensures the user is still present even if a large download is in progress. The "Launch cleanup upon timeout based on inactivity" timer on the Cache Cleaner configuration panel performs the same function for Cache Cleaner, except the user double-clicks the CSD lock icon next to the Windows time clock to view the countdown. The audible timer associated with mouse movement is a feature provided only for Secure Desktop.

The traffic timer is useful for browsing web pages that take a short time to load but a long time to read. To configure the traffic timer, choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Group Policies > Add or Edit > General > More Options and change the value of the Idle Timeout attribute.


If checked, this attribute activates the following attribute.

Timeout After—Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period if you checked the "Enable Secure Desktop inactivity timeout" attribute. This attribute is the associated inactivity timer. Read the note above before entering a number.
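The interaction of the two timers described in the notes for the Cache Cleaner inactivity timeout and for the Secure Desktop inactivity timeout is easy to misjudge when choosing a "Timeout After" value, so the following added example (not from the guide and not Cisco's code) replays a stream of activity against both timers and reports which one ends the session. It assumes that both timers start when the session begins, that the mouse timer restarts only on mouse movement and the traffic timer only on network activity, and that whichever expires first ends the session; the five-minute and thirty-minute values and the two activity scenarios are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MINUTE = 60


@dataclass(frozen=True)
class Activity:
    t: float      # seconds since the session started
    kind: str     # "mouse" (movement on the remote PC) or "net" (traffic through the session)


def session_end(events: Iterable[Activity], mouse_timeout: float,
                traffic_timeout: float) -> Tuple[float, str]:
    """Replay activity in time order and return (end_time, which_timer).

    The mouse timer restarts only on mouse movement, the traffic timer only on network
    activity, and the first timer to expire ends the session. Both timers are assumed to
    start at t=0 when the session begins."""
    last_mouse = 0.0
    last_net = 0.0

    def earliest_expiry() -> Tuple[float, str]:
        mouse_at = last_mouse + mouse_timeout
        net_at = last_net + traffic_timeout
        return (mouse_at, "mouse") if mouse_at <= net_at else (net_at, "traffic")

    for ev in sorted(events, key=lambda e: e.t):
        when, which = earliest_expiry()
        if when <= ev.t:          # a timer ran out before this activity could restart it
            return when, which
        if ev.kind == "mouse":
            last_mouse = ev.t
        elif ev.kind == "net":
            last_net = ev.t
        else:
            raise ValueError(f"unknown activity kind: {ev.kind!r}")
    return earliest_expiry()


def countdown_shown(now: float, last_mouse: float, mouse_timeout: float,
                    warn_seconds: int = 9) -> bool:
    """Secure Desktop opens its countdown display when nine seconds remain on the mouse timer."""
    remaining = last_mouse + mouse_timeout - now
    return 0 < remaining <= warn_seconds


def download_scenario() -> List[Activity]:
    """Constructed: a large download produces traffic every minute for 20 minutes, nobody at the mouse."""
    return [Activity(t, "net") for t in range(MINUTE, 20 * MINUTE + 1, MINUTE)]


def reading_scenario() -> List[Activity]:
    """Constructed: the user reads one long page, moving the mouse every two minutes, no traffic."""
    return [Activity(t, "mouse") for t in range(2 * MINUTE, 40 * MINUTE + 1, 2 * MINUTE)]


if __name__ == "__main__":
    # Mouse timer 5 minutes (a "Timeout After" choice), traffic timer 30 minutes (group-policy Idle Timeout).
    print("download:", session_end(download_scenario(), 5 * MINUTE, 30 * MINUTE))
    print("reading: ", session_end(reading_scenario(), 5 * MINUTE, 30 * MINUTE))
```

The download scenario ends after five minutes on the mouse timer even though traffic never stops, which is the behaviour the note describes; the reading scenario is kept alive by the mouse and ends on the traffic timer instead, so a short Idle Timeout in the group policy can cut off a user who is still present.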

Open following web page after Secure Desktop closes—Check this box and enter a URL in the field to make Secure Desktop automatically open a web page when it closes.

Secure Delete—Secure Desktop encrypts and writes itself to the remote PC disk. Upon termination, it performs a U.S. Department of Defense (DoD) sanitation algorithm. Choose the number of times to perform this cleanup task. The default setting is 3 passes. Following the completion of the task the number of times specified, Secure Desktop removes the pointer to the file.
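Both Secure Delete attributes (the Cache Cleaner one above and this one) describe the same mechanism: overwrite the file contents a configured number of times, then remove the pointer to the file. The following added example (not from the guide and not Cisco's code) implements that sequence on a local file. The guide names the DoD algorithm but not its passes, so the pattern used here (a fixed byte, its complement, then random data) is an assumption that follows the way the three-pass scheme is commonly described; the sample content is constructed.

```python
import os
import secrets
import tempfile
from typing import Optional, Sequence, Tuple

# Assumed pass pattern: fixed byte, its complement, random data (None = random pass).
DEFAULT_PATTERNS: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)


def wipe_file(path: str, passes: int = 3,
              patterns: Sequence[Optional[bytes]] = DEFAULT_PATTERNS,
              chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of the file `passes` times in place and return the file size.

    Each pass is flushed and fsync'ed so the data reaches the device before the next pass
    starts and before the directory entry is removed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = patterns[i % len(patterns)]
            f.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite the contents, then remove the directory entry (the "pointer to the file")."""
    size = wipe_file(path, passes)
    os.remove(path)
    return size


def wipe_demo(data: bytes, passes: int) -> Tuple[int, bytes, bool]:
    """Self-contained run on a temporary file holding constructed data. Returns the original
    size, the bytes left on disk after `passes` overwrite passes, and whether the file still
    exists after secure_delete has finished with it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(data)
    size = wipe_file(path, passes)
    with open(path, "rb") as f:
        after = f.read()
    secure_delete(path, passes=1)
    return size, after, os.path.exists(path)


if __name__ == "__main__":
    size, after, still_there = wipe_demo(b"secret cache data" * 100, 3)
    print(f"{size} bytes overwritten 3 times; first bytes now {after[:8]!r}; exists: {still_there}")
```

Overwriting in place only sanitizes the blocks the file currently occupies: on SSDs with wear levelling, on journaling or copy-on-write file systems, and for data the browser has already copied elsewhere, the passes do not reach every copy, which is why the guide pairs this with the options that keep files off network and removable drives.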

Launch the following application after installation—This option lets you start an application automatically after Secure Desktop installs on the remote PC. Enter only the path to the application that follows the C:\Program Files\ portion. The application must be in the Program Files directory.


Note Click Apply All to save the running CSD configuration.


Configuring Secure Desktop (Vault) Settings

Click Secure Desktop (Vault) Settings under the prelogin policy name to place restrictions on Secure Desktop.

The Secure Desktop (Vault) Settings pane appears. Figure 6-5 shows the default settings.

Figure 6-5 Secure Desktop (Vault) Settings

Check the boxes to apply the associated restrictions. The restrictions are as follows:

Restrict application usage to the web browser only—Check to let only the originating browser and any browser helpers you specify run on Secure Desktop. Choosing this option limits the user's ability to use other applications, but increases the level of security.

If you check this attribute, Secure Desktop Manager inserts a text box under it (Figure 6-6).

Figure 6-6 Restrict Application Usage

To specify browser helpers that can run on Secure Desktop, click Add Browser Helpers and select them from a preconfigured list. If the applications are not in the preconfigured list, enter the names of the executable files into the text box. The text is not case-sensitive. For added security, you can insert the full paths of the applications.


Caution If you check Restrict application usage, but want to provide users with access to Java applets on the web pages they open, you must add the following entries to the browser list:
c:\program
java.exe
jp2launcher.exe

Otherwise, if you check Restrict application usage, browsers on systems with JRE 6 Update 10 or later freeze when they encounter Java applets. These lines are necessary for applets with Update 10 and later because Java starts differently from standard practice. You must also add these lines as smart tunnel applications if you configure smart tunnel access.

Entering these lines provides access to all of the Java applets we tested; however, we recommend testing the Java applets that are most important to your users. Also, a few applets appear to load before they have completely done so; you might want to instruct your users to wait for a minute if an applet appears to fail.

The entries above do not interfere with Java applets for users who have JRE 6 versions that are earlier than Update 10.

(Optional) Specify a hash to help ensure the executable files are authentic. To do so, download the Microsoft File Checksum Integrity Verifier (FCIV). Then click the i icon under the text box, follow the instructions to use FCIV to calculate the SHA-1 hash, and add it to the file name.
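As an added example (not from the guide and not Cisco's code), the following shows the allowlist semantics described above: a bare executable name matches on the file name, a full path matches on the whole path, both case-insensitively, and an entry that carries a SHA-1 hash additionally requires the file content to match. The guide says the hash is "added to the file name" but does not show the separator, so the "name:hexdigest" form parsed here is an assumption; the Java path and the file bytes are constructed.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

_HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class AllowEntry:
    target: str              # bare executable name, or a full path
    sha1: Optional[str]      # pinned SHA-1 hex digest, or None when the entry is name/path only


def parse_entry(text: str) -> AllowEntry:
    """Parse one line of the browser-helper text box.

    ASSUMED syntax: "<name or path>[:<40 hex chars>]". Splitting on the last colon keeps the
    drive letter of a full path intact; a tail that is not a 40-character hex string is
    treated as part of the name."""
    text = text.strip()
    head, sep, tail = text.rpartition(":")
    digest = tail.lower()
    if sep and len(digest) == 40 and set(digest) <= _HEX:
        return AllowEntry(head, digest)
    return AllowEntry(text, None)


def sha1_hex(data: bytes) -> str:
    """The digest FCIV prints for a file when asked for SHA-1."""
    return hashlib.sha1(data).hexdigest()


def matches(entry: AllowEntry, exe_path: str, exe_bytes: bytes) -> bool:
    """Name-only entries match on the file name, full-path entries on the whole path; both
    comparisons are case-insensitive. A pinned hash must also match the file content."""
    if "\\" in entry.target or "/" in entry.target:
        name_ok = (ntpath.normcase(ntpath.normpath(entry.target))
                   == ntpath.normcase(ntpath.normpath(exe_path)))
    else:
        name_ok = entry.target.lower() == ntpath.basename(exe_path).lower()
    if not name_ok:
        return False
    return entry.sha1 is None or entry.sha1 == sha1_hex(exe_bytes)


def may_launch(allowlist: Iterable[AllowEntry], exe_path: str, exe_bytes: bytes) -> bool:
    """True if any allowlist entry admits this executable."""
    return any(matches(e, exe_path, exe_bytes) for e in allowlist)


if __name__ == "__main__":
    java_bytes = b"constructed stand-in for the bytes of java.exe"      # constructed, not a real binary
    java_path = r"C:\Program Files\Java\jre6\bin\java.exe"              # constructed location
    by_name = [parse_entry("java.exe"), parse_entry("jp2launcher.exe")]
    pinned = [parse_entry(java_path + ":" + sha1_hex(java_bytes))]
    print("name only, any location:", may_launch(by_name, r"C:\Temp\JAVA.EXE", java_bytes))
    print("pinned, right file:     ", may_launch(pinned, java_path, java_bytes))
    print("pinned, modified file:  ", may_launch(pinned, java_path, java_bytes + b"!"))
```

A name-only entry admits any file of that name from any directory, which is the weakness the guide's suggestion to add full paths and hashes addresses; note that a pinned hash also has to be updated whenever the helper is patched.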

Disable access to network drives and network folders—Leave checked to attempt to prevent user access to network resources and network drives while running Secure Desktop. The network resources are those that use the Server Message Block (SMB) client/server, request-response protocol to share such resources as files, printers, and APIs. Because CSD does not clean up files written to mapped network drives, we strongly recommend that you leave this attribute checked.

Disable access to removable drives and removable folders—Check to prevent the user from accessing portable drives while running Secure Desktop. Otherwise, the user can save files to a removable drive and remove the drive before closing the session. After closing the session, the user could forget to take the removable drive. For maximum security, we recommend that you check this attribute.

This attribute applies only to the drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window.

Disable registry modification—Check to prevent the user from modifying the registry from within Secure Desktop. For maximum security, we recommend that you check this attribute.

Disable command prompt access—Check to prevent the user from running the DOS command prompt from within Secure Desktop. For maximum security, we recommend that you check this attribute.

Disable printing—Check to prevent the user from printing while using Secure Desktop. For maximum security of sensitive data, check this option.

Allow email applications to work transparently—Check to let the user open e-mail while on Secure Desktop and to prevent it from deleting e-mail upon the termination of the session. The use of the term transparent means that Secure Desktop handles e-mail the same way that the local desktop handles it. Transparent handling works for the following e-mail applications:

Microsoft Outlook Express

Microsoft Outlook

Eudora

Lotus Notes

If this attribute is checked and the remote user uses an e-mail application to save an attachment to the "My Documents" folder, it is visible from both Secure Desktop and the local desktop. Similarly, deleting such a file from within the e-mail application running over Secure Desktop removes the file from both desktops.


Note Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, while in a Secure Desktop removes the file only from Secure Desktop.


Click Apply All to save the running CSD configuration.

Configuring the Secure Desktop (Vault) Browser

Click Secure Desktop (Vault) Browser under the prelogin policy name to specify the URL that opens when the user in a Secure Desktop clicks Home. This option also lets you specify the folders and URLs that populate the Bookmarks or Favorites menu during the Secure Desktop session.

The Secure Desktop (Vault) Browser pane appears. Figure 6-7 shows the default settings.

Figure 6-7 Secure Desktop (Vault) Browser

For the duration of the Secure Desktop session, the browser does not list the user's bookmarks or favorites. It lists only the ones shown in this pane.

Configure the Secure Desktop (Vault) Browser as follows:


Step 1 Type the URL of the page that you want to open when the remote user clicks Home, into the Home Page field.

The Customized Bookmarks pane lists the folders and URLs that populate the browser Bookmarks or Favorites menu.

Step 2 Use the following guidelines to add, modify, and delete entries in the Customized Bookmarks pane:

To add a folder, select the folder to contain it, click Add Folder, type the new folder name in the dialog box, then click OK.

To add a bookmark to the list, select the folder to contain it, click Add Bookmark, type the URL in the dialog box, then click OK.

To modify a URL, select it, click Edit, type the new URL in the dialog box, then click Edit.

To remove a folder or a URL, select it and click Delete.


Note Click Apply All to save the running CSD configuration.