Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6
Details: Assigning Prelogin Criteria to Policies


A prelogin assessment consists of the matching criteria associated with the prelogin policies. Use the following sections to configure the prelogin assessment to be downloaded to the remote PC:

Understanding Prelogin Policies

Checking for a Registry Key (Microsoft Windows Only)

Checking for a File

Checking for a Certificate

Checking the OS

Checking for an IP Address

Modifying the Prelogin Assessment Configuration


Caution This chapter describes features that have been deprecated. Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

Understanding Prelogin Policies

Secure Desktop Manager lets you specify the checks to be performed between the time the user establishes a connection with the ASA and the time the user enters the login credentials. These checks determine whether to assign a prelogin policy or whether to display a "Login Denied" message for the remote user. The settings of the matched prelogin policy determine whether Secure Desktop (Vault) or Cache Cleaner loads. The application of a prelogin policy to a dynamic access policy (DAP) determines the access rights and restrictions placed on the connection, and determines the behavior of the CSD component before, during, and after the user logs in. For example, it determines whether to check for keystroke loggers or whether to apply an inactivity timeout.

To view the prelogin assessments present in the configuration, choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy.

Figure 5-1 shows the default prelogin assessment configuration, including the default prelogin policy named "Default."

Figure 5-1 Default Elements in the Prelogin Policy Pane

By default, the Prelogin Policy pane displays the following elements:

Start—Displayed in blue, this node provides a visual indication of the beginning of the sequence of checks to be performed. You cannot edit the start node.

Line—Provides a visual indication of the conditional relationship of the node to its left and the one that follows. You cannot move or remove a line.

Plus sign—Click to insert a prelogin check between the two nodes on either side of the line. Secure Desktop Manager lets you insert the following types of checks:

Registry—Lets you detect the presence or absence of a registry key.

File—Lets you specify the presence or absence of a particular file, its version, and its checksum.

Certificate—Lets you specify the issuer of a certificate and one certificate attribute and value to match.

For each additional attribute of a single certificate that you want to match, create another prelogin check that specifies that attribute and value.

OS Check—Lets you branch on the remote OS: Microsoft Windows 2000, Windows XP, or Windows Vista; Win 9x (Windows 98); Mac (Apple Mac OS X 10.4); or Linux. The editor inserts a Failure line and a Login Denied end node for remote connections that fail the OS checks.

IP Address—Lets you specify an IP address range, or network address and subnet mask.

Default—Displayed in green, this end node specifies a prelogin policy named "Default." By default, CSD assigns this profile to every remote computer that attempts a VPN session, if you enable CSD. You can add prelogin checks to this policy or any other prelogin policy to specify criteria to match before CSD assigns the policy to a remote VPN session.

If you insert a check before an end node, Secure Desktop Manager automatically assigns at least one instance of each of the following:

Success tag to the line leading from the new check to the prelogin policy that is already present.

Failure tag to a second line leading from the new check to a "Login Denied" node. This node, displayed in red, signifies that a "Login Denied" message appears; CSD denies the user access to the ASA.

You can change the name or type of any node except for the Start node. You can change an end node following a Success tag to a Login Denied node, and the end node following a Failure tag to a prelogin policy. You can also change either type of end node to a subsequence node. Displayed in blue, this node indicates a continuation to another blue node vertically aligned under the Start node. To assign a subsequence to a set of conditions, click an end node, then click Subsequence. You must assign a unique name to each subsequence you create. Secure Desktop Manager assigns the name to both instances of the subsequence node: the one at the end of the branch and the one at the beginning of the new branch. To reuse a subsequence, type the name of the subsequence that is already present when you are changing an end node to a subsequence node.

You can rename any prelogin policy, including the one named "Default." To do so, return to the Prelogin Policy pane and click the "Default" node. Replace the text in the Label field with a name for a prelogin policy that is meaningful to you. For example, you may want to rename it "Secure" to indicate the profile applies to corporate PCs (that is, those that meet the most stringent requirements, as determined by the checks to be inserted). Secure Desktop Manager automatically renames the node in the associated menu. You can then adjust the settings for the prelogin policy accordingly.

Checking for a Registry Key (Microsoft Windows Only)

The prelogin assessment ignores registry key checks if the computer is running Mac OS or Linux.

Insert a check for a specific registry key on a remote computer running a Microsoft Windows operating system, as follows:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the registry check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose Registry Check and click Add.

Secure Desktop Manager inserts the Registry Check node into the window and opens the Registry Check window (Figure 5-2).

Figure 5-2 Registry Check


Tip You can use the value types to be specified in this window as a guide to set up one or more criteria within the remote PC to match those specified for this prelogin policy. For example, you can add a DWORD (double word, an unsigned 32-bit integer) value or string value to a registry key on a remote PC to qualify it for the prelogin policy you are configuring.


Step 4 Assign values to the mandatory attributes in the Registry Check window as follows:

Key Path menu—Choose the hive, the root under which the registry key lives. The options are as follows:

HKEY_CLASSES_ROOT\
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
HKEY_USERS\

Each hive stores a different class of information. HKEY_LOCAL_MACHINE\ is the most commonly used because it holds machine-wide settings that apply to every user of the PC.

Key Path field—Enter the name of the registry key required to be present on or absent from the remote PC.


Caution Do not type quotes in a Registry Key name that includes spaces.

Refer to the subsequent attribute descriptions for examples of Key Path strings.

Step 5 Click one radio button from the following list and assign the associated values:

Exists—Click if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring.

EXAMPLE Click Exists if you want to require the following registry key to be present to match a criterion for assigning a prelogin policy:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>

Does not exist—Click if the absence of the named registry key from the remote PC is sufficient to match the prelogin policy you are configuring.

EXAMPLE Click Does not exist if you want to require the following registry key to be absent to match a criterion for assigning a prelogin policy:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>

DWORD value radio button—Click if the registry key includes a "Dword" ("double word," a 32-bit integer) and you want to specify its value as a criterion.

"DWORD" refers to the attribute in the Add/Edit Registry Criterion dialog box. "Dword" refers to the attribute as it appears in the registry key.


Note Use the Registry Editor (regedit.exe), or the reg query command at a Windows command prompt, to view the Dword value of a registry key, or use the Registry Editor to add a Dword value to the registry key to satisfy the requirement you are configuring.


DWORD value menu—Choose an option (<, <=, =, !=, >, or >=) to specify the relationship of the Dword value of the registry key to the value to be entered to the right.

DWORD value field—Enter a decimal to compare with the Dword value of the registry key on the remote PC.

EXAMPLE Choose greater than or equal to and enter a decimal if you want to require that the following protective software application meet a minimum version requirement:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version

String value radio button—Click if the registry key includes a string and you want to specify its value as a criterion.


Note Use the Registry Editor (regedit.exe), or the reg query command at a Windows command prompt, to view the String value of a registry key, or use the Registry Editor to add a String value to the registry key to satisfy the requirement you are configuring.


String value menu—Choose one of the following options to specify the relationship of the String value of the registry key to the value to be entered to the right:

contains

matches

differs

String value field—Enter a string to compare with the String value of the registry key on the remote PC.

EXAMPLE Choose matches and enter Active if you want to ensure the following protective software application is active:

HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Status

Case sensitive—Check to require the String value of the registry key on the remote PC to match the case used in the String value field to satisfy the criterion.

Step 6 Click Update.
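The following Python model is added here as an illustration; it is not part of CSD, ASDM, or this guide. It walks an assessment the way the Prelogin Policy pane describes it (Start, check nodes with Success and Failure edges, and policy, Login Denied and subsequence end nodes, from "Understanding Prelogin Policies") and implements the Registry Check criteria of Step 5 (Exists, Does not exist, DWORD with its six operators, String with contains/matches/differs and the Case sensitive box). The registry snapshot is constructed sample data. Two details the guide does not spell out are assumptions here: a key that is absent fails a DWORD or String criterion, and a String comparison folds case unless Case sensitive is checked.

```python
import operator
from functools import partial

# Constructed sample of a remote PC's registry, keyed by hive plus Key Path
# (typed without quotes). None marks a key with no value to compare,
# int is a DWORD value, str is a String value.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software": None,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software\Version": 7,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software\Status": "Active",
}

# The six operators the DWORD value menu offers.
DWORD_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
             "!=": operator.ne, ">": operator.gt, ">=": operator.ge}


def registry_check(registry, key_path, mode, op=None, value=None, case_sensitive=False):
    """One Registry Check node. mode is 'exists', 'absent', 'dword' or 'string';
    op is a DWORD operator or one of contains/matches/differs. True means the
    Success edge is taken, False the Failure edge."""
    present = key_path in registry
    if mode == "exists":
        return present
    if mode == "absent":
        return not present
    if not present:
        return False  # assumption: a missing key cannot satisfy a value criterion
    actual = registry[key_path]
    if mode == "dword":
        return isinstance(actual, int) and DWORD_OPS[op](actual, int(value))
    if mode == "string":
        if not isinstance(actual, str):
            return False
        # assumption: case is folded unless the Case sensitive box is checked
        a, v = (actual, value) if case_sensitive else (actual.lower(), value.lower())
        return {"contains": v in a, "matches": a == v, "differs": a != v}[op]
    raise ValueError(f"unknown mode {mode!r}")


def check(key_path, mode, **kw):
    """Bind registry_check to its window settings so it can sit in a check node."""
    return partial(registry_check, key_path=key_path, mode=mode, **kw)


SW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software"

# The assessment diagram: 'Start' and each subsequence name map to the first
# node of that branch. A check node holds its predicate and the Success and
# Failure targets; an end node is a policy, Login Denied, or a subsequence.
SAMPLE_ASSESSMENT = {
    "Start": {
        "check": check(SW, "exists"),
        "success": {"subsequence": "Corporate"},  # continue on the Corporate branch
        "failure": {"policy": "Default"},         # Failure edge changed to a policy node
    },
    "Corporate": {
        "check": check(SW + r"\Version", "dword", op=">=", value="7"),
        "success": {
            "check": check(SW + r"\Status", "string", op="matches", value="Active"),
            "success": {"policy": "Secure"},
            "failure": {"denied": True},          # the default red Login Denied node
        },
        "failure": {"policy": "Default"},
    },
}


def evaluate(assessment, registry, max_steps=64):
    """Walk the assessment from Start and return the prelogin policy assigned,
    or 'Login Denied'. max_steps guards against a subsequence that loops."""
    node = assessment["Start"]
    for _ in range(max_steps):
        if "check" in node:
            node = node["success"] if node["check"](registry) else node["failure"]
        elif "subsequence" in node:
            node = assessment[node["subsequence"]]
        elif "policy" in node:
            return node["policy"]
        else:
            return "Login Denied"
    raise RuntimeError("subsequence chain does not terminate")


def assess(registry):
    """Evaluate the sample assessment against one registry snapshot."""
    return evaluate(SAMPLE_ASSESSMENT, registry)


if __name__ == "__main__":
    print(assess(SAMPLE_REGISTRY))                                    # Secure
    print(assess({**SAMPLE_REGISTRY, SW + r"\Version": 6}))           # Default
    print(assess({**SAMPLE_REGISTRY, SW + r"\Status": "Disabled"}))   # Login Denied
    print(assess({}))                                                 # Default
```

Note how the branch structure decides the outcome: a PC without the protective software lands on Default rather than Login Denied only because the Failure edge from the first check was changed to a policy node, while a PC that has the software but reports a status other than Active is denied outright.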


Checking for a File

The file prelogin check lets you require that a certain file be present or absent before a remote PC is eligible for the associated prelogin policy. For example, you might use a file check to confirm that a corporate agent is installed, or that a peer-to-peer file-sharing program that commonly bundles malware is not, before assigning a prelogin policy.

Use the following procedure to insert a prelogin assessment for files on the remote PC:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the file check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose File Check and click Add.

Secure Desktop Manager inserts the File Check node into the window and opens the File Check window (Figure 5-3).

Figure 5-3 File Check

Step 4 Assign a value to the following mandatory attribute:

File Path—Enter the directory path to the file.

Secure Desktop Manager preserves the case of the path you enter. Matching is case-sensitive on Linux and Mac OS; on Microsoft Windows, where file systems are case-insensitive by default, the case of the path does not affect the match.

For example,

C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe

Step 5 Click one of the following mandatory radio buttons:

Exists—Click if the file must be present on the remote PC.

Does not exist—Click if the file must be absent from the remote PC, then go to Step 7.

Step 6 Use the following attributes if you want to specify the file version.

Version check box—Check if you want to specify the version of the file as a criterion. Use this criterion to require that a specific application is or is not a particular version.


Note To display the version of an .exe file, use Windows Explorer to right-click the file, choose Properties, and click the Version tab.


Version drop-down list—Choose an option (<, <=, =, !=, >, or >=) to specify the relationship of the version of the file to the string to be entered to the right.

Version field—Type a string to compare with the version of the file on the remote PC.

Checksum check box—Check to require the file named in the File Path field to have a specific CRC32 checksum. Use it to pin a file to one exact build rather than to a version range. CRC32 catches accidental corruption and version drift; it is not a cryptographic hash, so a matching checksum is not proof that the file has not been deliberately altered.

Checksum field—Enter the checksum in hexadecimal format, beginning with 0x, or click Compute CRC32 Checksum to calculate it from a copy of the file stored on the computer running ASDM and insert the value in this field.

The Compute CRC32 Checksum dialog box opens (Figure 5-4).

Figure 5-4 Compute CRC32 Checksum

Retrieve the checksum as follows:

a. Click Browse and choose the file on which to calculate the checksum.

The field at the top of the Compute CRC32 Checksum dialog box displays the path to the file you chose.

b. Click Calculate.

The field at the bottom of the Compute CRC32 Checksum dialog box displays the checksum in hexadecimal format.

c. Click OK.

The Compute CRC32 Checksum dialog box closes and the hexadecimal value appears in the Checksum field.

Step 7 Click Update in the File Check window.
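The following Python is an added example, not code from Cisco or from this guide. It computes the value the Compute CRC32 Checksum dialog produces, in the 0x-prefixed form the Checksum field takes, and then shows why a CRC32 match is weaker than it looks: CRC-32 is linear, so four chosen bytes appended to a modified file steer its checksum to any value, including the checksum of the approved file. The example assumes the dialog uses the standard reflected CRC-32 (the polynomial shared by zlib, PNG and Ethernet); the "approved" and "tampered" file contents are constructed stand-ins.

```python
import zlib


def _make_table():
    """Byte-at-a-time lookup table for the reflected CRC-32 polynomial."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Top byte of each table entry is unique, so it identifies the entry.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def crc32(data, crc=0):
    """Standard CRC-32 (init 0xFFFFFFFF, final XOR); same result as zlib.crc32."""
    reg = crc ^ 0xFFFFFFFF
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ 0xFFFFFFFF


def zlib_crc32(data):
    """Reference value from the C implementation, for cross-checking."""
    return zlib.crc32(data) & 0xFFFFFFFF


def checksum_field(data):
    """The string to paste into the Checksum field: hexadecimal, beginning with 0x."""
    return "0x%08X" % crc32(data)


def forge_suffix(data, target_crc):
    """Return 4 bytes s such that crc32(data + s) == target_crc."""
    reg = crc32(data) ^ 0xFFFFFFFF        # internal register after `data`
    target_reg = target_crc ^ 0xFFFFFFFF  # internal register we need to reach
    # Walk backwards from the target through the four table lookups, recovering
    # the table index each step must have used (the top byte is unique).
    idx = [0] * 4
    t = target_reg
    for k in (3, 2, 1, 0):
        idx[k] = REV[t >> 24]
        t = ((t ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    # Forward from a zero register, pick the byte that hits each index.
    c, ys = 0, []
    for i in idx:
        ys.append((c ^ i) & 0xFF)
        c = TABLE[i] ^ (c >> 8)
    # Processing bytes x from register reg equals processing x XOR the
    # little-endian bytes of reg from a zero register, so fold reg back in.
    return bytes(y ^ ((reg >> (8 * k)) & 0xFF) for k, y in enumerate(ys))


# Constructed stand-ins for the approved binary and a tampered copy of it.
APPROVED = b"okclient v1 -- approved build\n"
TAMPERED = b"okclient v1 -- backdoored build\n"


def forged_tampered():
    """The tampered file plus 4 bytes chosen so its CRC32 equals the approved one."""
    return TAMPERED + forge_suffix(TAMPERED, crc32(APPROVED))


if __name__ == "__main__":
    print("approved :", checksum_field(APPROVED))
    print("tampered :", checksum_field(TAMPERED))
    print("forged   :", checksum_field(forged_tampered()), "(equals approved)")
```

The four bytes can be appended because trailing bytes past the end of a PE image do not affect execution, so the version criterion and the checksum criterion together still only establish which build a file claims to be. A file check is a posture signal evaluated on the remote PC, not an integrity guarantee.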


Checking for a Certificate

The prelogin assessment performs certificate checks on Microsoft Windows, Mac OS, and Linux operating systems.

Insert a check for a specific certificate on the remote computer as follows:


Step 1 Go to the Secure Desktop Manager menu on ASDM and choose Prelogin Policy.

Step 2 Determine the position of the certificate check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose Certificate Check and click Add.

Secure Desktop Manager inserts the Certificate Check node into the window and opens the Certificate Check window (Figure 5-5).

Figure 5-5 Add Certificate Check


Note Insert more than one certificate check if you want to require more than one match.


Step 4 Use the procedure in Table 5-1 that matches where the certificate lives to open it, so that you can identify its issuer and choose the certificate attribute to evaluate for a match.

Table 5-1 Viewing Certificate Attributes and Values

Certificate (.cer) file:

a. Double-click the certificate.

File that contains a certificate (for example, a signed executable):

a. Right-click the file and choose Properties.

b. Click the Digital Signatures tab (which appears only if the file is signed).

c. Click Details.

d. Click View Certificate.

e. Click the Details tab.

Certificate store:

a. Open the Control Panel.

b. Choose Internet Options.

c. Click the Content tab.

d. Click Certificates.

e. Choose a certificate and click View.


Step 5 Do one of the following:

Click the General tab in the Certificate window and copy the string from the Issued to field to the Issued to text box in ASDM.

Click the Details tab in the Certificate window, then click the Issuer or Subject field below it.

The Certificate window displays the full Issuer or Subject value in the adjacent Value column, and lists each distinct parameter and value that makes up the field in the box at the bottom of the window.

The format of the parameter names in the bottom box varies with the certificate authority. The following list pairs each parameter in the ASDM drop-down list with its typical abbreviation in parentheses; a parameter with no abbreviation listed is not typically used.

Common Name (CN)

Given Name (GN)

Surname (SN)

Country (C)

Locality (L)

State or Province (ST)

Street Address (STREET)

Organization (O)

Organizational Unit (OU)

Title (T)

Initials (I)

Dn Qualifier (DNQ)

Domain Component (DC)

In ASDM, select the name of a parameter associated with one displayed on the bottom window on the Details tab. Then copy the adjacent value to the top, unnamed text box in the ASDM Add Certificate Check window.


Note CSD cannot match the following certificate fields during prelogin:


Description

Business Category

Postal Address (PA)

Postal Code (POSTALCODE)

Member (M)

Owner

Role Occupant


Step 6 Click the General tab on the Certificate window, and copy the string from the Issued by field to the Issuer text box in the ASDM Add Certificate window.

Step 7 Click Update.


Checking the OS

The prelogin assessment can include a check for the OS attempting to establish a VPN connection. CSD identifies the OS automatically when the user attempts to connect, whether or not you insert an OS prelogin check.

If the prelogin policy assigned to the connection has Secure Desktop (Vault) enabled and the remote PC is running a supported version of Microsoft Windows, CSD installs Secure Desktop, regardless of whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the operating system is a supported version of Mac OS X or Linux, Cache Cleaner runs instead. Therefore, make sure the Cache Cleaner settings are appropriate for any prelogin policy on which you have configured Secure Desktop or Cache Cleaner to install.

Although CSD checks for the OS automatically, you may want to insert an OS prelogin check as a condition for applying a prelogin policy, so that the checks that follow it are specific to each OS.

Use the following procedure to insert an OS check:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the OS check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Choose OS Check and click Add.

Secure Desktop Manager inserts the OS check node into the diagram (Figure 5-6).

Figure 5-6 OS Check

If you wish, you can click any Login Denied node to change it to a prelogin policy or a subsequence node.


Checking for an IP Address

You can insert a check for the IP address of a remote host attempting a VPN connection into the prelogin assessment. If the address falls within the range you specify, or within the network specified by a network address and subnet mask, the remote host passes the check; otherwise, it fails. For example, PCs connecting from within a workplace LAN on a 10.x.x.x network pose a low risk of exposing confidential information. For these PCs, you might set up a prelogin policy named Secure, matched by IP addresses on the 10.x.x.x network, and disable the prelogin policy settings that enable the installation of Cache Cleaner and Secure Desktop.


Note If the PC has more than one IP address, CSD uses only the first address detected.


Use the following procedure to check for an IP address as part of a prelogin assessment:


Step 1 Choose Prelogin Policy.

Step 2 Determine the position of the IP address check to be inserted and click the associated plus sign.

A window prompts you for the type of check to be inserted.

Step 3 Select IP Address Check to add an address check for an IPv4 address and click Add. If you are using AnyConnect 3.1.00495 or later, or HostScan 3.1.00495 or later, you can also pick an IPv6 address range and mask in the prelogin check.

Secure Desktop Manager inserts the IP Address Check node and opens the IP address check window below the diagram. The IP address check window to the left in Figure 5-7 shows the default Mask attributes, and the IPv4 address check window to the right shows the attributes that display when you click Range. Figure 5-8 shows the dialog boxes when specifying an IPv6 address.

Figure 5-7 IPv4 Address Check (Both Mask and Range Options)

Figure 5-8 IPv6 Address Check (Both Mask and Range Options)

Step 4 Choose either of the following options to indicate the type of IP address check:

Click Mask and enter the network address and subnet mask. The host passes if its address lies within that network.

Click Range and enter the first address of the range in the From fields and the last address in the To fields. The host passes if its address lies between the two, inclusive.

Step 5 Click Update.
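The following Python is an added example, not Cisco's code, that evaluates an IP Address Check the way Step 4 and the Note above describe it: the Mask option tests membership in a network, the Range option tests an inclusive From/To interval, IPv4 and IPv6 are handled, and only the first address detected on the host is consulted. The check nodes and the host address lists are constructed sample data; the assumption that a host address of the other IP version simply fails the check is the example's own.

```python
import ipaddress

# Constructed IP Address Check nodes, one per option in Step 4.
CORPORATE_MASK = {"type": "mask", "network": "10.0.0.0", "mask": "255.0.0.0"}
CORPORATE_RANGE = {"type": "range", "from": "10.20.0.0", "to": "10.20.255.255"}
LAB_V6_MASK = {"type": "mask", "network": "2001:db8:1::", "mask": "64"}


def mask_check(address, network_address, mask):
    """Mask option: the address passes if it lies inside the network described
    by the network address and subnet mask (a dotted mask for IPv4, a prefix
    length for IPv6). strict=False tolerates host bits set in the network field."""
    net = ipaddress.ip_network(f"{network_address}/{mask}", strict=False)
    addr = ipaddress.ip_address(address)
    return addr.version == net.version and addr in net


def range_check(address, first, last):
    """Range option: the address passes if From <= address <= To, inclusive.
    An address of the other IP version never matches (assumption)."""
    addr, lo, hi = map(ipaddress.ip_address, (address, first, last))
    if not (addr.version == lo.version == hi.version):
        return False
    if lo > hi:
        raise ValueError("From address must not be greater than To address")
    return lo <= addr <= hi


def prelogin_ip_check(host_addresses, node):
    """Evaluate one check node against the addresses detected on the host.
    The guide notes that CSD uses only the first address detected, so every
    other address is ignored here; the order is whatever the host reports."""
    if not host_addresses:
        return False
    first = host_addresses[0]
    if node["type"] == "mask":
        return mask_check(first, node["network"], node["mask"])
    return range_check(first, node["from"], node["to"])


if __name__ == "__main__":
    # Constructed host: a home Wi-Fi address is listed first and the corporate
    # 10.x address second, so the corporate address is never examined.
    host = ["192.168.1.10", "10.20.5.5"]
    print(prelogin_ip_check(host, CORPORATE_MASK))        # False
    print(prelogin_ip_check(host[::-1], CORPORATE_MASK))  # True
    print(prelogin_ip_check(host[::-1], CORPORATE_RANGE)) # True
```

Because the address is whatever the host lists first on its own adapters, a laptop with a VPN or virtualization adapter ahead of its LAN adapter can fail a check it "should" pass, and a host under the user's control reports whatever it likes. Treat the IP check as a convenience for routing known corporate PCs to a lighter policy, not as proof of where a connection comes from.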


Modifying the Prelogin Assessment Configuration

You can modify any node in the Prelogin Policy window except for the Start and OS nodes. You can delete any node except for the Start and end nodes. To modify or delete a node, click it. Make the changes as needed and click Update, or click Delete to remove the node from the configuration.

To insert a prelogin check, click the plus sign located in the position where you want to insert the check. Secure Desktop Manager opens the window that lets you specify the type of check you want to insert. After choosing the type, click Add. Use the instructions in the previous sections to set the attributes in the check type window and click Update.

To change the type and name of any end node, double-click the end node, click Login Denied, Policy, or Subsequence to change the node type, type the name of the node in the Label field if it is of type Policy or Subsequence, and click Update.