Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6
Tutorial: Assigning Prelogin Criteria to Policies
Tutorial: Assigning Prelogin Criteria to Policies


This tutorial provides an overview of the CSD configuration sequence. The configuration chapters that follow provide detailed instructions on the attributes. The sections are as follows:

Overview

Configuring a Prelogin Assessment

Configuring Secure Desktop and Cache Cleaner

Assigning a DAP for Each Endpoint Profile


Caution This chapter describes features that have been deprecated. Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

Overview

This tutorial describes how to configure three example prelogin policies: "Secure," "Home," and "Public." "Secure" is for those connecting to the VPN from a workstation in the office, "Home" is for those working from home, and "Public" is for those who do not meet the criteria for either, such as those connecting from a cybercafé.


Note This tutorial is only an example; we recommend that you choose profile names and configuration settings in your actual deployment that reflect your VPN security policies.


In this tutorial, "Secure" provides clients with full access, "Home" provides some flexibility, and "Public" restricts access. This tutorial defines the prelogin policies as follows:

Secure

Assign a prelogin assessment to recognize a corporate computer attempting to establish a VPN connection by verifying the OS is Microsoft Windows, that the IP address is within a specified range, and that the computer has a specified registry entry.

Disable Secure Desktop (Vault) and Cache Cleaner.

Use the dynamic access policy (DAP) configuration to assign access rights.

Home

Identify using a certificate given by the administrator and a file check.

Enable Secure Desktop and Vault Reuse with no timeout.

Vault Reuse lets users close Secure Desktop and open it again at a later time. It becomes a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) before the establishment of a Secure Desktop session.

Advanced features require company antivirus software, antispyware, and a software firewall.

Check for keystroke logger.

Use the DAP configuration to assign access rights.

Public

Check for malware file.

Check for keystroke logger file.

Install Cache Cleaner.

Use the DAP configuration to assign access rights.

Our example includes "Secure," "Home," and "Public" in that order; to assign privileges to a host, CSD first determines whether it is a "Secure" host. If it is not, it determines whether it is a "Home" host. If it is not, it performs several file checks and assigns the privileges associated with the "Public" endpoint profile.

Configuring a Prelogin Assessment

These instructions assume that Secure Desktop Manager has loaded the default configuration. To reload the default configuration, rename the sdesktop/data.xml file, disable CSD, re-enable it, exit ASDM, then start a new ASDM session.

Use the following sections to configure the prelogin assessment and assign names to the prelogin policies:

Configuring Prelogin Criteria for a Secure Computer

Configuring Prelogin Criteria for a Home Computer

Configuring Prelogin Criteria for a Public Computer

Configuring Prelogin Criteria for a Secure Computer

Use the following instructions to specify criteria for a CSD policy for secure computers attempting VPN connections:


Step 1 Choose Prelogin Policy.

The Prelogin Policy pane shows the default endpoint profile named "Default." The menu shows the same profile name, indicating the place where you assign settings to that profile (Figure 4-1).

Figure 4-1 Duplication of the Default Prelogin Policy Name in the Menu


Tip If you would like to explore the options available in the prelogin assessment sequence editor without making permanent changes to the CSD configuration file, data.xml, make the changes, then choose an ASDM option outside the Secure Desktop Manager menu, and click Discard Changes.


Step 2 Click the end node named Default.

This end node represents an endpoint profile. Note that Secure Desktop Manager displays the name of this end node in its menu.

Secure Desktop Manager inserts a window that lets you change the type and name of the end node (Figure 4-2).

Figure 4-2 Change End Node Window

Note that the Policy option is already selected. In this case, you only need to change the name.

Step 3 Replace the name Default in the text box with the name Secure.

Step 4 Click Update.

Secure Desktop Manager closes the change end node window, and changes both the name of the end node and the associated menu option in the Secure Desktop Manager menu (Figure 4-3).

Figure 4-3 Default Policy Name Changed

Step 5 Click the plus sign in the diagram.

A window opens below the diagram, prompting you to select the type of check to be inserted (Figure 4-4).

Figure 4-4 Prelogin Assessment Options

Step 6 Choose OS Check and click Add.

Secure Desktop Manager inserts the OS check node into the diagram (Figure 4-5).

Figure 4-5 OS Check

Step 7 Click the plus sign to the left of the Secure node.

Step 8 Select IP Address Check and click Add.

Secure Desktop Manager inserts the IP Address Check node and opens the IP address check window below the diagram. Figure 4-6 shows the default Mask attributes in the IPv4 address check window. Figure 4-7 shows the default Mask attributes in the IPv6 address check.

Figure 4-6 IPv4 Address Check (Default Mask Attributes Displayed)

Figure 4-7 IPv6 Address Check (Default Range and Mask Attributes Displayed)

Step 9 Click Range to change the type of IP address check.

Secure Desktop Manager changes the attributes in the IP address check window (Figure 4-8).

Figure 4-8 Range Attributes in the IP Address Check Window

Step 10 Enter the IP address range and subnet mask, then click Update.

Step 11 Click the plus sign to the left of the Secure node.

Step 12 Select Registry Check and click Add.

Secure Desktop Manager inserts the Registry Check node and opens the Registry check window below the diagram (Figure 4-9).

Figure 4-9 Registry Check


Note The prelogin assessment performs certificate checks on Microsoft Windows, Mac OS, and Linux operating systems.


Step 13 Select an option from the Key Path drop-down menu, such as HKEY_LOCAL_MACHINE, type the string for the remainder of the path, such as SOFTWARE\Company-Name, select a radio button such as Exists, and click Update.

This step completes the instructions for creating checks for the example Secure node. Continue the tutorial with Configuring Prelogin Criteria for a Home Computer.


Configuring Prelogin Criteria for a Home Computer

Use the following instructions to specify criteria for a CSD policy for home computers attempting VPN connections. In this example, CSD verifies the presence of a certificate to qualify users who connect from home.

Complete the example prelogin assessment for home computers as follows:


Note These instructions assume you have followed the instructions in the previous section.



Step 1 Choose Prelogin Policy.

Step 2 Click the Login Denied end node that follows the IP Address Failure branch.

Secure Desktop Manager inserts a window that lets you change the type and name of the end node.

Step 3 Click the Subsequence radio button, replace the text in the box with the name Home Check, and click Update.

Step 4 Scroll to the Home Check node on the left side of the diagram and click the Login Denied end node to its right.

Step 5 Click the Policy radio button and replace the text in the box with the word Home.

Step 6 Click the plus sign to the left of the end node labeled Home.

Step 7 Select Certificate Check and click Add.

Secure Desktop Manager inserts the Certificate Check node and opens the Certificate check window below the diagram (Figure 4-10).

Figure 4-10 Certificate Check


Note The prelogin assessment performs certificate checks on Microsoft Windows, Mac OS, and Linux operating systems.


Step 8 Select an option from the drop-down box to specify the certificate field to be checked, enter the value of the field to match in the adjacent text box, enter the issuer of the certificate into the Issuer text field, and click Update.

For each additional field of a single certificate that you want to match, create another prelogin check that specifies that field and value.

See Checking for a Certificate for a complete description of the certificate fields you can match.

Step 9 Click the plus sign to the left of the end node labeled Home.

Step 10 Select File Check and click Add.

Secure Desktop Manager inserts the File Check node and opens the File check window below the diagram (Figure 4-11).

Figure 4-11 File Check

Step 11 Enter a path to the file in the drop-down box, select a radio button such as Exists, and click Update.


Note Secure Desktop Manager retains the case of the text you enter to check for a path to a file on the remote device. The match results are case-sensitive only if the devices are running Mac OS or Linux. The Microsoft Windows file system is not case-sensitive.


This step completes the instructions for creating checks for the example Home node. Continue the tutorial with Configuring Prelogin Criteria for a Public Computer.


Configuring Prelogin Criteria for a Public Computer

Use the following instructions to specify criteria for a CSD policy for a public computer attempting a VPN connection.

These instructions add several prelogin file checks to qualify a Windows computer for Cache Cleaner; however, you can use any prelogin checks, or replace any Login Denied end node with a "Public" end node if you do not want to require a match.


Note These instructions assume you have followed the instructions in the previous sections.



Step 1 Choose Prelogin Policy.

Step 2 Click the Login Denied end node that follows the Win 9x branch.

Step 3 Click the Subsequence radio button, replace the text in the box with the name Public Check, and click Update.

Step 4 Change the Login Denied end nodes that follow the Certificate Check and File Check nodes to a subsequence end node, also named Public Check.

Step 5 Scroll to the Public Check node on the left side of the diagram and click the Login Denied end node to its right.

Step 6 Click the Policy radio button and replace the text in the box with the word Public.

Step 7 Insert two File Checks to the left of the Public end node.

This step completes the configuration of the example prelogin assessment. See the Example of Complete Prelogin Configuration to see how these different prelogin checks all work together.


Example of Complete Prelogin Configuration

The Example of the Completed Prelogin Configuration in Figure 4-12 illustrates what the prelogin policy looks like after you have completed these steps:

Configuring Prelogin Criteria for a Secure Computer

Configuring Prelogin Criteria for a Home Computer

Configuring Prelogin Criteria for a Public Computer

Figure 4-12 Example of the Completed Prelogin Configuration
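The following is an added example, not part of the Cisco guide and not CSD's own code: a small evaluator that walks the completed prelogin sequence in the order the tutorial builds it (OS Check, IP Address Check, Registry Check for "Secure"; the Home Check subsequence with a Certificate Check and a File Check; the Public Check subsequence with two File Checks) and applies the file-check case rule from the Home section. The Endpoint class, the collapsed OS branches, the "Does not exist" setting assumed for the two Public file checks, and every sample value (IP range, registry key, certificate fields, file paths) are constructed assumptions.

```python
"""Model of the tutorial's Secure -> Home -> Public prelogin assessment (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """Constructed stand-in for what the prelogin checks see on the remote PC."""
    os: str                      # "windows", "win9x", "macos" or "linux" (assumed labels)
    ip: str
    registry_keys: set = field(default_factory=set)
    cert_fields: dict = field(default_factory=dict)   # e.g. {"issuer": ..., "cn": ...}
    files: set = field(default_factory=set)


# Example criteria; all values below are constructed placeholders, not from the guide.
SECURE_IP_RANGE = ipaddress.ip_network("10.0.0.0/8")                 # Step 10: range + mask
SECURE_REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Company-Name"    # Step 13: Exists
HOME_CERT = {"issuer": "Example Corp CA", "cn": "homeuser"}          # one check per field
HOME_FILE = r"C:\Program Files\Company-Name\home.txt"                # Home file check: Exists
PUBLIC_MALWARE_FILE = r"C:\Temp\malware.exe"          # Public file checks, assumed set to
PUBLIC_KEYLOGGER_FILE = r"C:\Temp\keylogger.exe"      # "Does not exist" (assumption)


def file_exists(ep: Endpoint, path: str) -> bool:
    """File Check. Per the guide's note, the path match is case-sensitive only on
    Mac OS and Linux; Windows file names are compared case-insensitively."""
    if ep.os in ("windows", "win9x"):
        return path.lower() in {f.lower() for f in ep.files}
    return path in ep.files


def public_check(ep: Endpoint) -> str:
    """Public Check subsequence: both files must be absent, else Login Denied."""
    if file_exists(ep, PUBLIC_MALWARE_FILE) or file_exists(ep, PUBLIC_KEYLOGGER_FILE):
        return "Login Denied"
    return "Public"


def home_check(ep: Endpoint) -> str:
    """Home Check subsequence: certificate fields and file must match; failures
    fall through to Public Check (Public section, Step 4)."""
    cert_ok = all(ep.cert_fields.get(k) == v for k, v in HOME_CERT.items())
    if not cert_ok or not file_exists(ep, HOME_FILE):
        return public_check(ep)
    return "Home"


def assess(ep: Endpoint) -> str:
    """Walk the diagram from the OS Check; the first end node reached is the policy."""
    if ep.os == "win9x":                 # Win 9x branch -> Public Check (Public, Step 2)
        return public_check(ep)
    if ep.os != "windows":               # Mac OS / Linux branches left at Login Denied
        return "Login Denied"
    if ipaddress.ip_address(ep.ip) not in SECURE_IP_RANGE:
        return home_check(ep)            # IP Address Failure branch -> Home Check
    if SECURE_REGISTRY_KEY not in ep.registry_keys:
        return "Login Denied"            # Registry Check failure branch not changed
    return "Secure"
```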

Continue with Configuring Secure Desktop and Cache Cleaner to assign the Secure Desktop and Cache Cleaner settings appropriate for each endpoint profile.

Configuring Secure Desktop and Cache Cleaner

The following sections describe how to enable or disable Secure Desktop (Vault) and Cache Cleaner for each endpoint profile and how to configure scanning for keystroke loggers:

Enabling or Disabling Secure Desktop and Cache Cleaner

Configuring Keystroke Logger Scanning

Enabling or Disabling Secure Desktop and Cache Cleaner

Click the name of a prelogin policy in the Secure Desktop menu. The Privacy Protection pane opens. Figure 4-13 shows the default settings for each endpoint profile.

Figure 4-13 Privacy Protection

This window lets you specify whether to run Secure Desktop (Vault) or Cache Cleaner on the remote desktops of computers that match the criteria associated with the selected profile. Configure Privacy Protection for each of your prelogin policies.


Note If you check Secure Desktop, make sure that both the Secure Desktop and Cache Cleaner settings are appropriate for this policy. Cache Cleaner serves as a fall-back security solution for operating systems that Secure Desktop does not support.


See Table 4-1 to check or uncheck Secure Desktop or Cache Cleaner.

Table 4-1 Privacy Protection—Example Values

Action and Attribute        Endpoint Profile
                            Secure    Home    Public
Check Secure Desktop?       No        Yes
Check Cache Cleaner?        No                Yes


Configuring Keystroke Logger Scanning

By default, keystroke logger scanning is disabled. Keep it disabled for the Secure endpoint profile. Configure scanning for keystroke loggers once for the Home endpoint profile and once for the Public profile, as follows:


Step 1 Click Keystroke Logger & Safety Checks under the name of the prelogin policy you are configuring in the menu on the left.

The Keystroke Logger window opens (Figure 4-14).

Figure 4-14 Keystroke Logger & Safety Checks

See Table 4-2 to check the attributes in this window.

Table 4-2 Keystroke Logger & Safety Checks—Example Values

Action and Attribute                                      Endpoint Profile
                                                          Secure    Home    Public
Check for keystroke loggers?                              No        Yes     Yes
Check Force admin control on list of safe modules?                  No      Yes
Populate List of Safe Modules?                                              Yes
Check for host emulation?                                 No        Yes     Yes
Check Always deny access if running within emulation?                       Yes


Step 2 Check "Check for keystroke loggers" to scan for a keystroke logging application on the remote PC and make sure one is not running before creating the Secure Desktop space on the remote client.

By default, this attribute is not checked, and the other attributes and buttons are grayed out. If you check this attribute, the "Force admin control on list of safe modules" attribute becomes active.

Step 3 Check Force admin control on list of safe modules to specify which key loggers are exempt from scanning, or uncheck it to let the remote user decide.

If you check this attribute, the Add button becomes active.

Uncheck this attribute if you want to give the remote user the right to determine if any detected keystroke logger is safe. If this attribute is unchecked, the CSD installer lists the keystroke loggers discovered on the client computer. To access Secure Desktop, the user must insert a check next to all of the keystroke loggers in the list to indicate they are safe. Otherwise, the user must terminate the session.


Note Unchecking this attribute deactivates but does not delete the contents of the "List of Safe Modules" window.


Step 4 Click Add to specify a module as safe, or choose an entry in the List of Safe Modules window and click Edit if you want to modify its path.

Secure Desktop Manager opens the Input dialog box.

Step 5 Type the path and name of the module or application in the Please enter module path field, then click OK.

Secure Desktop Manager closes the dialog box and lists the entry in the List of Safe Modules window.


Note To remove a program from the list, click the entry in the "Path of safe modules" list, then click Delete.



Assigning a DAP for Each Endpoint Profile


Note These instructions assume you have followed the instructions in the previous sections of this tutorial.


Configure a dynamic access policy (DAP) to support an endpoint profile as follows:


Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.

The Add or Edit Dynamic Policy window opens (Figure 4-15).

Figure 4-15 Add Dynamic Access Policy

Step 2 Use the Policy Name field at the top of the window to name the DAP.

Step 3 Move the mouse to the right of the Endpoint Attribute table and click Add.

The Add Endpoint Attribute window opens (Figure 4-16).

Figure 4-16 Add Endpoint Attribute

Step 4 Select Policy from the drop-down list next to Endpoint Attribute Type.

Step 5 Select the name of the prelogin policy from the drop-down list.

Step 6 Click OK.

The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.

Step 7 For each entry in the Basic HostScan table (Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan), add an entry in the Endpoint Attribute table. Click Add to the right of the Endpoint Attribute table. Select the type (Registry Scan, File Scan, or Process Scan) next to the Endpoint Attribute Type attribute, select the entry in the Endpoint ID box, and click OK.

Step 8 For each antispyware, antivirus, and personal firewall application you would like to require as part of the DAP, click Add to the right of the Endpoint Attribute table. Select the type (Antispyware, Antivirus, or Personal Firewall) next to the Endpoint Attribute Type attribute, select the company and application, and click OK.

Step 9 Set the attribute values in the tabs at the bottom of the Add Dynamic Access Policy window to configure access rights and restrictions, then click OK.