Table Of Contents
Configuring Cisco Secure Desktop for Microsoft Windows Computers
Understanding Prelogin Policies
Configuring the Prelogin Assessment
Checking for a Registry Key
Checking for a File
Checking for a Certificate
Checking for the Windows Version
Checking for an IP Address
Modifying the Prelogin Assessment Configuration
Assigning Settings to a Prelogin Policy
Configuring Secure Session and Cache Cleaner
Configuring Keystroke Logger and Host Emulator Scanning
Configuring Cache Cleaner
Configuring Secure Desktop (Secure Session) General
Configuring Secure Desktop (Secure Session) Settings
Configuring the Secure Session Browser
Configuring Host Scan
Configuring Basic Host Scan Entries
Adding a File Check to the Basic Host Scan
Adding a Registry Key Check to the Basic Host Scan
Adding a Process Check to the Basic Host Scan
Enabling and Disabling Host Scan Extensions
Configuring Advanced Endpoint Assessment
Configuring Personal Firewall Rules
Configuring a Dynamic Access Policy
Configuring Cisco Secure Desktop for Microsoft Windows Computers
See the following sections to configure Cisco Secure Desktop for remote PCs running Microsoft Windows:
•
Understanding Prelogin Policies
•
Configuring the Prelogin Assessment
•
Assigning Settings to a Prelogin Policy
•
Configuring Secure Session and Cache Cleaner
•
Configuring Host Scan
•
Configuring a Dynamic Access Policy
Understanding Prelogin Policies
Secure Desktop Manager lets you specify the checks to be performed between the time the user establishes a connection with the security appliance and the time the user enters the login credentials. These checks determine whether to assign a prelogin policy or whether to display a "Login Denied" message for the remote user. The settings of the matched prelogin policy determine whether Secure Session or Cache Cleaner loads. The application of a prelogin policy to a dynamic access policy (DAP) determines the access rights and restrictions placed on the connection.
To view the prelogin assessments present in the configuration, choose Secure Desktop Manager > Windows Locations Settings.
Figure 3-1 shows the default prelogin assessment configuration, including the default prelogin policy named "Default."
Figure 3-1 Default Elements in the Windows Location Settings Pane
By default, the Windows Location Settings pane displays the following elements:
•
Start—Displayed in blue, this node provides a visual indication of the beginning of the sequence of checks to be performed. You cannot edit the start node.
•
Line—Provides a visual indication of the conditional relationship of the node to its left and the one that follows. You cannot move or remove a line.
•
Plus sign—Click to insert a prelogin check between the two nodes on either side of the line. Secure Desktop Manager lets you insert the following types of checks:
–
Registry—Lets you detect the presence or absence of a registry key.
–
File—Lets you specify the presence or absence of a particular file, its version, and its checksum.
–
Certificate—Lets you specify the issuer of a certificate and one certificate attribute and value to match.
For each additional attribute of a single certificate that you want to match, create another prelogin check that specifies that attribute and value.
–
Windows Version—Inserts two checks: one for Windows 2000, XP, and Vista, and one for Windows 9x (Windows 98). The editor also inserts a Failure line and a Login Denied end node for remote connections that fail both operating system checks.
–
IP Address—Lets you specify an IP address range or subnet mask.
•
Default Location Type—Displayed in green, this end node assigns the prelogin policy named "Default." By default, Cisco Secure Desktop assigns this profile to every remote computer running Windows Vista, XP, and 2000.
If you insert a check before an end node, Secure Desktop Manager automatically assigns at least one instance of each of the following:
•
Success tag to the line leading from the new check to the prelogin policy that is already present.
•
Failure tag to a second line leading from the new check to a "Login Denied" node. This node, displayed in red, signifies that a "Login Denied" message appears; Cisco Secure Desktop denies the user access to the security appliance.
You can change the name or type of any node except for the Start node. You can change an end node following a Success tag to a Login Denied node, and the end node following a Failure tag to a prelogin policy. You can also change either type of end node to a subsequence node. Displayed in blue, this node indicates a continuation to another blue node vertically aligned under the Start node. To assign a subsequence to a set of conditions, click an end node, then click Subsequence. You must assign a unique name to each subsequence you create. Secure Desktop Manager assigns the name to both instances of the subsequence node: the one at the end of the branch and the one at the beginning of the new branch. To reuse a subsequence, type the name of the subsequence that is already present when you are changing an end node to a subsequence node.
You can rename any prelogin policy, including the one named "Default." To do so, return to the Windows Location Settings pane and click the "Default" node. Replace the text in the Label field with a name for a prelogin policy that is meaningful to you. For example, you may want to rename it "Secure" to indicate the profile applies to corporate PCs (that is, those that meet the most stringent requirements, as determined by the checks to be inserted). Secure Desktop Manager automatically renames the node in the associated menu. You can then adjust the settings for the prelogin policy accordingly.
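The node semantics described above, shown as an added illustrative example rather than Cisco code: a small Python evaluator that walks a Start node through checks with Success and Failure lines to Location (prelogin policy) and Login Denied end nodes, and follows named subsequences to the branch of the same name. The check functions, the endpoint facts the client is assumed to have gathered, and the "Corporate" subsequence name are constructed for the example; "Default" and "Secure" are the policy names the text uses.

```python
"""Illustrative evaluator for a Cisco Secure Desktop prelogin assessment tree.

Added example, not Cisco code. It models the diagram in Secure Desktop
Manager: a Start node, a chain of checks each with a Success branch and a
Failure branch, ending in a prelogin policy (Location), a Login Denied node,
or a named subsequence that continues on another branch.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Union

Facts = Dict[str, object]          # constructed: what the downloaded client observed


@dataclass
class Location:                    # green end node: assigns a prelogin policy
    name: str


@dataclass
class LoginDenied:                 # red end node
    pass


@dataclass
class Subsequence:                 # blue node: continue at the branch of that name
    name: str


@dataclass
class Check:                       # a prelogin check with its two outgoing lines
    name: str
    test: Callable[[Facts], bool]
    success: "Node"
    failure: "Node"


Node = Union[Location, LoginDenied, Subsequence, Check]


def evaluate(start: Node, branches: Dict[str, Node], facts: Facts,
             max_hops: int = 100) -> str:
    """Walk the tree from Start; return the policy name or "Login Denied".

    `branches` maps each subsequence name to the first node of its branch,
    as it appears vertically aligned under Start in the editor.
    """
    node = start
    for _ in range(max_hops):
        if isinstance(node, Location):
            return node.name
        if isinstance(node, LoginDenied):
            return "Login Denied"
        if isinstance(node, Subsequence):
            # Reusing a subsequence name joins branches; resolve it by name.
            node = branches[node.name]
            continue
        node = node.success if node.test(facts) else node.failure
    raise RuntimeError("assessment did not terminate (subsequence loop?)")


# Constructed assessment mirroring the manual's examples (hypothetical values).
CSA_CLIENT = r"C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe"
AV_STATUS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software\Status"

# Branch "Corporate": file check, then registry check, ending in the Secure policy.
corporate = Check(
    "CSA agent present",
    lambda f: CSA_CLIENT in f["files"],
    success=Check(
        "AV status Active",
        lambda f: f["registry"].get(AV_STATUS) == "Active",
        success=Location("Secure"),
        failure=LoginDenied(),
    ),
    failure=Location("Default"),
)
# Main sequence: an IP address check decides whether to enter the branch.
START = Check(
    "On 10.0.0.0/8",
    lambda f: f["ip"].startswith("10."),
    success=Subsequence("Corporate"),
    failure=Location("Default"),
)
BRANCHES = {"Corporate": corporate}


def assess(facts: Facts) -> str:
    """Result of the constructed assessment for one endpoint."""
    return evaluate(START, BRANCHES, facts)


if __name__ == "__main__":
    lan_pc = {"ip": "10.20.1.5", "files": {CSA_CLIENT}, "registry": {AV_STATUS: "Active"}}
    print(assess(lan_pc))
```

A PC on the 10 network that passes both branch checks gets "Secure"; one that has the agent but whose antivirus status is not "Active" hits the Login Denied node, and a PC outside the 10 network never enters the branch and falls to "Default".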
Configuring the Prelogin Assessment
When a remote PC attempts to establish a remote VPN connection, Cisco Secure Desktop automatically checks for the conditions you configure, and assigns the attribute settings of the prelogin policy associated with the result of the checks to the connection, or issues a Login Denied message.
Use the following sections to configure a prelogin assessment to be downloaded to the remote PC:
•
Checking for a Registry Key
•
Checking for a File
•
Checking for a Certificate
•
Checking for the Windows Version
•
Checking for an IP Address
•
Modifying the Prelogin Assessment Configuration
Checking for a Registry Key
Insert a check for a specific registry key on the remote host as follows:
Step 1
Choose Windows Location Settings.
Step 2
Determine the position of the registry check to be inserted and click the associated plus sign.
A window prompts you for the type of check to be inserted.
Step 3
Choose Registry Check and click Add.
Secure Desktop Manager inserts the Registry Check node into the window and opens the Registry Check window (Figure 3-2).
Figure 3-2 Add Registry Check
Tip
You can use the value types to be specified in this window as a guide to set up one or more criteria within the remote PC to match those specified for this prelogin policy. For example, you can add a DWORD (double word, an unsigned 32-bit integer) value or string value to a registry key on a remote PC to qualify it for the prelogin policy you are configuring. Bear in mind that the check is evaluated on the remote PC, so any user with rights to edit its registry can add the same value; treat a registry check as evidence of configuration rather than proof that the PC is trustworthy.
Step 4
Assign values to the mandatory attributes in the Registry Check window as follows:
•
Key Path menu—Choose the hive, that is, the root under which the registry key path begins. Each hive stores a different category of registry data; HKEY_LOCAL_MACHINE\ is the most commonly used because it contains the machine-specific settings.
•
Key Path field—Enter the name of the registry key required to be present on or absent from the remote PC.
Note
Refer to the subsequent attribute descriptions for examples of Key Path strings.
Step 5
Click one radio button from the following list and assign the associated values:
•
Exists—Click if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring.
EXAMPLE Click Exists if you want to require the following registry key to be present to match a criterion for assigning a prelogin policy:
HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>
•
Does not exist—Click if the absence of the named registry key from the remote PC is sufficient to match the prelogin policy you are configuring.
EXAMPLE Click Does not exist if you want to require the following registry key to be absent to match a criterion for assigning a prelogin policy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>
•
DWORD value radio button—Click if the registry key includes a "Dword" ("double word," a 32-bit integer) and you want to specify its value as a criterion.
"DWORD" refers to the attribute in the Add/Edit Registry Criterion dialog box. "Dword" refers to the attribute as it appears in the registry key.
Note
Use the Registry Editor (regedit) to view the Dword value of a registry key, or use it to add a Dword value to the registry key to satisfy the requirement you are configuring.
•
DWORD value menu—Choose an option (<, <=, =, >, or >=) to specify the relationship of the Dword value of the registry key to the value to be entered to the right.
•
DWORD value field—Enter a decimal integer to compare with the Dword value of the registry key on the remote PC.
EXAMPLE Choose greater than or equal to and enter a decimal if you want to require that the following protective software application meet a minimum version requirement:
HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Version
•
String value radio button—Click if the registry key includes a string and you want to specify its value as a criterion.
Note
Use the Registry Editor (regedit) to view the String value of a registry key, or use it to add a String value to the registry key to satisfy the requirement you are configuring.
•
String value menu—Choose one of the following options to specify the relationship of the String value of the registry key to the value to be entered to the right:
–
contains
–
matches
–
differs
•
String value field—Enter a string to compare with the String value of the registry key on the remote PC.
EXAMPLE Choose matches and enter Active if you want to ensure the following protective software application is active:
HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>\Status
•
Case sensitive—Check to require the String value of the registry key on the remote PC to match the case used in the String value field to satisfy the criterion.
Step 6
Click Update.
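The comparison rules of the Registry Check window (Exists, Does not exist, DWORD with <, <=, =, >, >=, String with contains, matches, differs, and the Case sensitive box), as an added illustrative example that is not Cisco code. It evaluates a node against a constructed registry snapshot standing in for what regedit would show on a remote PC; the key paths follow the manual's examples with hypothetical names, and the assumption that the DWORD and String options take a path whose last component is the value name (as in ...\<Protective_Software>\Version) is the example's, not the manual's.

```python
"""Illustrative matcher for the Registry Check options.

Added example, not Cisco code. The registry snapshot is constructed; on a
real endpoint the downloaded client reads the live registry. Key and value
names are compared case-insensitively, as Windows does; the Case sensitive
box applies only to the String data.
"""
import operator
from typing import Dict, Optional, Union

Data = Union[int, str]
Snapshot = Dict[str, Dict[str, Data]]     # "HIVE\key\path" -> {value name: data}

DWORD_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
             ">": operator.gt, ">=": operator.ge}
STRING_OPS = {"contains": lambda a, e: e in a,
              "matches": lambda a, e: a == e,
              "differs": lambda a, e: a != e}


def _lookup_key(snapshot: Snapshot, path: str) -> Optional[Dict[str, Data]]:
    """Case-insensitive key lookup: the value dictionary, or None if absent."""
    for key, values in snapshot.items():
        if key.lower() == path.lower():
            return values
    return None


def _lookup_value(snapshot: Snapshot, path: str) -> Optional[Data]:
    """Split the value name off the path and fetch its data, or None if absent."""
    key_path, _, value_name = path.rpartition("\\")
    values = _lookup_key(snapshot, key_path)
    if values is None:
        return None
    for name, data in values.items():
        if name.lower() == value_name.lower():
            return data
    return None


def registry_check(snapshot: Snapshot, hive: str, key_path: str, mode: str,
                   op: Optional[str] = None, expected: Optional[Data] = None,
                   case_sensitive: bool = False) -> bool:
    """Return True when the endpoint satisfies one Registry Check node."""
    full = hive + "\\" + key_path
    if mode == "exists":
        return _lookup_key(snapshot, full) is not None
    if mode == "does_not_exist":
        return _lookup_key(snapshot, full) is None
    actual = _lookup_value(snapshot, full)
    if actual is None:
        return False                     # an absent value cannot satisfy a value criterion
    if mode == "dword":
        if not isinstance(actual, int):
            return False                 # a REG_SZ "7" is not a DWORD
        return DWORD_OPS[op](actual, int(expected))
    if mode == "string":
        a, e = str(actual), str(expected)
        if not case_sensitive:
            a, e = a.lower(), e.lower()
        return STRING_OPS[op](a, e)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed snapshot with hypothetical product names from the manual's examples.
SNAPSHOT: Snapshot = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protective_Software": {"Version": 7, "Status": "active"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"Updater": r"C:\upd.exe"},
}

if __name__ == "__main__":
    print(registry_check(SNAPSHOT, "HKEY_LOCAL_MACHINE",
                         r"SOFTWARE\Protective_Software\Status", "string",
                         op="matches", expected="Active"))
```

With Case sensitive unchecked, a stored value of "active" satisfies a criterion of "Active"; with it checked, the same criterion fails. A missing value never satisfies a DWORD or String criterion, including differs.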
Checking for a File
The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not present before assigning a prelogin policy.
Use the following procedure to insert a prelogin assessment for files on the remote PC:
Step 1
Choose Windows Location Settings.
Step 2
Determine the position of the file check to be inserted and click the associated plus sign.
A window prompts you for the type of check to be inserted.
Step 3
Choose File Check and click Add.
Secure Desktop Manager inserts the File Check node into the window and opens the File Check window (Figure 3-3).
Figure 3-3 File Check
Step 4
Assign a value to the following mandatory attribute:
•
File Path—Enter the directory path to the file.
For example,
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
Step 5
Click one of the following mandatory radio buttons:
•
Exists—Click if the file must be present on the remote PC.
•
Does not exist—Click if the file must be absent from the remote PC, then go to Step 7.
Step 6
Use the following attributes if you want to specify the file version.
•
Version check box—Check if you want to specify the version of the file as a criterion. Use this criterion to require that a specific application is or is not a particular version.
Note
To display the version of an .exe file, use Windows Explorer to right-click the file, choose Properties, and click the Version tab.
•
Version drop-down list—Choose an option (<, <=, =, >, or >=) to specify the relationship of the version of the file to the string to be entered to the right.
•
Version field—Type a string to compare with the version of the file on the remote PC.
•
Checksum check box—Check to specify a CRC32 checksum to verify the integrity of the file named in the File Path field. CRC32 detects accidental changes but is not a cryptographic hash; a deliberately modified file can be adjusted to produce the same checksum, so use it together with the version criterion rather than as proof that the file is genuine.
•
Checksum field—Enter a checksum in hexadecimal format, beginning with 0x, or click Compute CRC32 Checksum to calculate the checksum of a file stored locally and insert the value in this field.
The Compute CRC32 Checksum dialog box opens (Figure 3-4).
Figure 3-4 Compute CRC32 Checksum
Retrieve the checksum as follows:
a.
Click Browse and choose the file on which to calculate the checksum.
The field at the top of the Compute CRC32 Checksum dialog box displays the path to the file you chose.
b.
Click Calculate.
The field at the bottom of the Compute CRC32 Checksum dialog box displays the checksum in hexadecimal format.
c.
Click OK.
The Compute CRC32 Checksum dialog box closes and the hexadecimal value appears in the Checksum field.
Step 7
Click Update in the File Check window.
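How a File Check node is evaluated, as an added illustrative example (not Cisco code): the CRC32 checksum in the 0x-prefixed hexadecimal form the Checksum field uses, a version comparison with the same operators as the Version drop-down list, and the rule that Does not exist skips the version and checksum criteria. The file bytes are constructed; they are not a real okclient.exe, and the dotted-version comparison is the example's interpretation of how version strings should be ordered.

```python
"""Illustrative File Check evaluation: version comparison and CRC32.

Added example, not Cisco code. Versions are compared component by component
as integers, so 5.10 is newer than 5.9 (a plain string comparison would say
the opposite). Checksums are compared case-insensitively as 0x-prefixed hex.
"""
import operator
import zlib
from typing import Optional, Tuple

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}


def crc32_field(data: bytes) -> str:
    """CRC32 of the file bytes, formatted as the Compute CRC32 Checksum dialog shows it."""
    return "0x%08X" % (zlib.crc32(data) & 0xFFFFFFFF)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'5.2.0.245' -> (5, 2, 0, 245); components compare numerically, not as text."""
    return tuple(int(p) for p in v.strip().split("."))


def version_matches(actual: str, op: str, required: str) -> bool:
    """Apply the Version drop-down operator after padding to equal length (5.2 == 5.2.0.0)."""
    a, r = version_tuple(actual), version_tuple(required)
    n = max(len(a), len(r))
    a += (0,) * (n - len(a))
    r += (0,) * (n - len(r))
    return OPS[op](a, r)


def file_check(present: bool, data: Optional[bytes], file_version: Optional[str],
               must_exist: bool, version_op: Optional[str] = None,
               version_required: Optional[str] = None,
               checksum: Optional[str] = None) -> bool:
    """Evaluate one File Check node against what the client found on the endpoint."""
    if not must_exist:
        return not present          # Does not exist: version and checksum are not consulted
    if not present:
        return False
    if version_required is not None:
        if file_version is None or not version_matches(file_version, version_op, version_required):
            return False
    if checksum is not None:
        if data is None or crc32_field(data).lower() != checksum.lower():
            return False
    return True


# Constructed stand-in for an executable's bytes; a real check reads the file on disk.
SAMPLE = b"123456789"

if __name__ == "__main__":
    print(crc32_field(SAMPLE))
    print(file_check(True, SAMPLE, "5.2.0.245", True, ">=", "5.2", crc32_field(SAMPLE)))
```

The checksum of the nine-byte sample is the standard CRC32 check value 0xCBF43926; any change to the bytes changes it, which is what the Checksum criterion catches. It does not catch a file crafted to collide, which is why the note above recommends pairing it with a version requirement.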
Checking for a Certificate
Note
This procedure describes how to view certificate fields and values on computers running Microsoft Windows and use this data to add a certificate check to a prelogin assessment. Use these instructions only as a guideline if you are adding a check for certificates on Macintosh and Linux computers.
Insert a check for a specific certificate on the remote host as follows:
Step 1
Use Table 3-1 to prepare to identify the attribute and value to require, and to identify the issuer of the certificate. This table contains three procedures. Use the procedure in the column associated with the certificate you want to require.
•
Column 1 shows how to view the values if you have a certificate file (such as one with a .cer or .pfx file extension).
•
Column 2 shows how to view the values if you have a signed file (that is, the file is not a certificate file, but contains a certificate).
•
Column 3 shows how to view the values if you have neither a certificate file nor a signed file.
Table 3-1 Viewing Certificate Attributes and Values

Certificate File
A. Double-click the certificate.
B. Click the Details tab.

Signed File
A. Right-click the file and choose Properties.
B. Click the Digital Signatures tab (which appears only if the file is signed).
C. Click Details.
D. Click View Certificate.
E. Click the Details tab.

Your Store (your PC)
A. Open the Control Panel.
B. Choose Internet Options.
C. Click the Content tab.
D. Click Certificates.
E. Choose a certificate and click View.
F. Click the Details tab.
Step 2
Go to the Secure Desktop Manager menu on ASDM and choose Windows Location Settings.
Step 3
Determine the position of the certificate check to be inserted and click the associated plus sign.
A window prompts you for the type of check to be inserted.
Step 4
Choose Certificate Check and click Add.
Secure Desktop Manager inserts the Certificate Check node into the window and opens the Certificate Check window (Figure 3-5).
Figure 3-5 Add Certificate Check
•
Using the untitled drop-down list, choose the certificate attribute for which you want to specify a value to match to the certificate on the remote host.
Note
Insert more than one certificate check if you want to require more than one attribute value match.
The options name the attributes in the Field column of the Details tab, as follows:
–
Issued To
–
Common Name
–
Given Name
–
Surname
–
Country
–
Locality
–
State or Province
–
Street Address
–
Organization
–
Organizational Unit
–
Title
–
Description
–
Business Category
–
Postal Address
–
Postal Code
–
Member
–
Owner
–
Role Occupant
–
Initials
–
Dn Qualifier
–
Domain Component
Step 5
Copy the string from the Value column to the right of the attribute name on the Details tab to the unnamed text box in the Certificate Check window.
Step 6
Copy the string from the Value column to the right of Issuer on the Details tab to the Issuer text box in the Certificate Check window.
Step 7
Click Update.
Checking for the Windows Version
The prelogin assessment includes a check for the version of Windows running on a remote PC attempting to establish a VPN connection. Cisco Secure Desktop checks the Windows version automatically when the user attempts to connect, regardless of whether you insert a Windows Version prelogin check. If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and the remote PC is running Windows 2000 or XP, Secure Session installs. If the prelogin policy has Secure Desktop enabled and the operating system is Windows 98 or Vista, Cache Cleaner runs instead, because Secure Session supports only Windows 2000 and XP. Therefore, make sure the Cache Cleaner settings are appropriate for any prelogin policy on which you have configured Secure Desktop to install.
Although Cisco Secure Desktop automatically checks for the version of Windows, you may want to insert a Windows Version prelogin check as a condition for applying a prelogin policy.
Use the following procedure to insert a Windows version check:
Step 1
Choose Windows Location Settings.
Step 2
Determine the position of the Windows check to be inserted and click the associated plus sign.
A window prompts you for the type of check to be inserted.
Step 3
Choose Windows Version Check and click Add.
Secure Desktop Manager inserts the Windows Version check node into the diagram (Figure 3-6).
Figure 3-6 Windows Version Check
If you wish, you can click any Login Denied node to change it to a prelogin policy or a subsequence node.
Checking for an IP Address
You can insert a check for the IP address of a remote host attempting a VPN connection into the prelogin assessment. If the IP address is within the range you enter, or within the subnet defined by the mask you enter, the remote host passes the check; otherwise, it fails. For example, PCs connecting from within a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk for exposing confidential information. For these PCs, you might set up a prelogin policy named Secure that is selected by IP addresses on the 10.x.x.x network, and disable the prelogin policy settings that enable the installation of Cache Cleaner and Secure Session. Bear in mind that the address is whatever the client detects on the remote PC, and that 10.x.x.x and the other private address ranges are also common on home and hotel networks, so an IP address check alone is weak evidence that a PC is a corporate computer; combine it with a file, registry, or certificate check before relaxing the policy.
Note
If the PC has more than one IP address, Cisco Secure Desktop uses only the first address detected.
Use the following procedure to check for an IP address as part of a prelogin assessment:
Step 1
Choose Windows Location Settings.
Step 2
Determine the position of the IP address check to be inserted and click the associated plus sign.
A window prompts you for the type of check to be inserted.
Step 3
Choose IP Address Check and click Add.
Secure Desktop Manager inserts the IP Address Check node and opens the IP Address Check window below the diagram (Figure 3-7).
Figure 3-7 IP Address Check
Step 4
Choose one of the following options to indicate the type of IP address check:
•
Click Range and enter the network address in the Network Address field, leaving a 0 in one or more of the right-most octets to indicate the range. For example, 10.0.0.0 matches any address that begins with 10.
•
Click Mask and enter the subnet mask (for example, 255.255.0.0) in the Network Mask field. Octets that are 0 in the mask are not compared.
Step 5
Click Update.
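The two matching modes of the IP Address Check, and the effect of the "first address detected" rule on a PC with more than one address, as an added illustrative example (not Cisco code). The Range mode implements the manual's description of trailing zero octets as wildcards; the Mask mode assumes, as the example's own reading of the window, that a network address accompanies the mask. All addresses are constructed.

```python
"""Illustrative IP Address Check: the Range and Mask options.

Added example, not Cisco code. Range treats zero octets at the right-hand end
of the network address as wildcards; Mask applies a subnet mask to a network
address. ip_check uses only the first address detected, as the manual notes.
"""
import ipaddress
from typing import List, Optional


def matches_range(addr: str, network_address: str) -> bool:
    """Range: compare only the octets before the trailing zeros of the network address."""
    octets = addr.split(".")
    prefix = network_address.split(".")
    while prefix and prefix[-1] == "0":
        prefix.pop()                      # 10.20.0.0 -> compare the first two octets
    return octets[:len(prefix)] == prefix


def matches_mask(addr: str, network_address: str, mask: str) -> bool:
    """Mask: the address is in the subnet defined by network address and mask."""
    net = ipaddress.IPv4Network((network_address, mask), strict=False)
    return ipaddress.IPv4Address(addr) in net


def ip_check(detected: List[str], mode: str, network_address: str,
             mask: Optional[str] = None) -> bool:
    """Evaluate the node using only the first address the client detected."""
    if not detected:
        return False
    first = detected[0]
    if mode == "range":
        return matches_range(first, network_address)
    if mode == "mask":
        return matches_mask(first, network_address, mask)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed: a laptop whose first interface is home Wi-Fi and second is a corporate VPN adapter.
    print(ip_check(["192.168.1.7", "10.20.1.5"], "range", "10.0.0.0"))
```

The last case is the practical point of the Note above: a multi-homed PC whose first detected interface carries a 192.168 address fails a 10.0.0.0 Range check even though another interface sits on the 10 network, so the order in which the client enumerates interfaces decides the outcome.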
Modifying the Prelogin Assessment Configuration
You can modify any node in the Windows Location Settings window except for the Start and Windows Version nodes. You can delete any node except for the Start and end nodes. To modify or delete a node, click it. Make the changes as needed and click Update, or click Delete to remove the node from the configuration.
To insert a prelogin check, click the plus sign located in the position where you want to insert the check. Secure Desktop Manager inserts the window that lets you specify the check you want to select. After doing so, click Add. Use the instructions in the previous section to set the attributes in the check type window and click Update.
To change the type and name of any end node, double click the end node, click Login Denied, Location, or Subsequence to change the node type, type the name of the node in the Label field if it is of type Location or Subsequence, and click Update.
Assigning Settings to a Prelogin Policy
To view the settings assigned to a prelogin policy, note its name in the green end node of the Windows Location Settings pane, then click the menu with the same name in the Secure Desktop Manager menu. The Location Settings pane opens (Figure 3-8).
Figure 3-8 Location Settings
This pane lets you specify a remote installation module to install on any remote computer that matches the prelogin policy criteria.
Check one of the following:
•
Secure Desktop—To install Secure Session on the remote PC.
Note
If you check Secure Desktop and configure Secure Desktop settings, you should still configure the Cache Cleaner as well. The Cache Cleaner serves as a fall-back security solution for Windows 98 and Vista, which Secure Session does not support.
•
Cache Cleaner—To install Cache Cleaner on the remote PC.
•
Neither Secure Desktop nor Cache Cleaner—Uncheck both options if the PC is secure (for example, if the PC is a corporate computer) or you do not want either module to load.
Configuring Secure Session and Cache Cleaner
Refer to the following sections to define the Cisco Secure Desktop experience for PCs that match the criteria defined for a specific prelogin policy:
•
Configuring Keystroke Logger and Host Emulator Scanning
•
Configuring Cache Cleaner
•
Configuring Secure Desktop (Secure Session) General
•
Configuring Secure Desktop (Secure Session) Settings
•
Configuring the Secure Session Browser
Configuring Keystroke Logger and Host Emulator Scanning
Keystroke logger scanning is disabled by default for each prelogin policy. If you enable scanning and a scan detects unapproved keystroke loggers, neither Secure Session nor Cache Cleaner launches. Alternatively, the keystroke logger scanning configuration lets you determine whether the user can interactively approve of applications the scan identifies. It also lets you create an exception list which lists applications to ignore when scanning for keystroke loggers.
Host emulation detection is also disabled by default for each prelogin policy. If you enable host emulation detection and a scan determines that the remote operating system is running over virtualization software, neither Secure Session nor Cache Cleaner launches. Alternatively, you can configure Cisco Secure Desktop to alert the user about the host emulator and let the user opt to prevent Secure Session or Cache Cleaner from installing.
Configure scanning for keystroke loggers as follows:
Step 1
Click Keystroke Logger & Safety Checks under the name of the prelogin policy you are configuring in the menu on the left.
The Keystroke Logger window opens (Figure 3-9).
Figure 3-9 Keystroke Logger Window
The "List of Safe Modules" window lists the paths to program applications on the remote PC that have keystroke logging capabilities, but are safe to use, as determined by the administrator. Such programs, such as Corel (previously Jasc) Paint Shop Pro, typically invoke functions when the user presses particular keystroke combinations from within another application.
Step 2
Check Check for keystroke loggers to scan for a keystroke logging application on the remote PC and make sure one is not running, before installing Secure Session.
By default, this attribute is not checked, and the other attributes and buttons are grayed out. If you check this attribute, the "Force admin control on list of safe modules" attribute becomes active.
Step 3
Check Force admin control on list of safe modules to give yourself control over which key loggers are exempt from scanning, or uncheck it to give the remote user this control.
If you check this attribute, the Add button becomes active.
Uncheck this attribute if you want to give the remote user the right to determine if any detected keystroke logger is safe. If this attribute is unchecked, Cisco Secure Desktop lists the keystroke loggers discovered on the remote PC. To access Secure Session, the user must insert a check next to all of the keystroke loggers in the list to indicate they are safe. Otherwise, the user must terminate the session.
Note
Unchecking this attribute deactivates but does not delete the contents of the "List of Safe Modules" window.
Step 4
Click Add to specify a module as safe, or choose an entry in the List of Safe Modules window and click Edit if you want to modify its path.
Cisco Secure Desktop Manager opens the Input dialog box (Figure 3-10).
Figure 3-10 Input (for Keystroke Logger)
Step 5
Type the path and name of the module or application in the Please enter module path field, then click OK.
Cisco Secure Desktop Manager closes the dialog box and lists the entry in the List of Safe Modules window.
Note
To remove a program from the list, click the entry in the List of Safe Modules window, then click Delete.
Step 6
Check Check for host emulation if you want to determine whether the operating system is running over virtualization software, such as VMware.
Step 7
Check Always deny access if running within emulation to prevent Secure Session or Cache Cleaner from installing if Cisco Secure Desktop detects that the operating system is running over virtualization software. Uncheck this attribute to alert the user about the host emulation software and let the user opt to prevent Secure Session or Cache Cleaner from installing.
Step 8
Click Apply All to save the configuration changes.
Configuring Cache Cleaner
Cache Cleaner attempts to disable or erase data that a user downloaded, inserted, or created in the browser, including cached files, configuration changes, cached browser information, passwords entered, and auto-completed information. Cache Cleaner for Windows supports the following:
•
WebLaunch of Cisco AnyConnect on a PC running Windows 2000 or XP.
•
Clientless (browser-based) SSL VPN connections with Microsoft Internet Explorer 5.0 or later on Windows Vista, XP, and 2000.
Cache Cleaner does not support the standalone startup of AnyConnect Client from any computer.
For each prelogin policy for which either Secure Desktop (Secure Session) or Cache Cleaner is enabled, click Cache Cleaner under the profile you are configuring. The Cache Cleaner pane appears. Figure 3-11 shows the default settings.
Figure 3-11 Cache Cleaner for Windows
This window lets you configure the Cache Cleaner for the associated prelogin policy. Check the following fields as required by your security policy:
•
Launch hidden URL after installation—Check to use a URL for administrative purposes, hidden from the remote PC, so that you know that the user has the Cache Cleaner installed. For example, you could place a cookie file on the user's PC, and later check for the presence of that cookie.
•
Hidden URL—Type the URL to use for administrative purposes, if you checked "Launch hidden URL after installation."
•
Show success message at the end of successful installation—Check to display a dialog box on the remote PC informing the user when the Cache Cleaner installation is successful.
•
Launch cleanup upon timeout based on inactivity—Check to set a specific timeout period after which the cleanup begins.
•
Timeout after—Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period if you checked the "Launch cleanup upon timeout based on inactivity" attribute. This attribute is the inactivity timer. Its default value is 5.
•
Launch cleanup upon closing of all browser instances—Check to clean up the cache when all browser windows are closed.
•
Clean the whole cache in addition to the current session cache (IE only)—Check to remove data from the Internet Explorer cache. Upon activation, Cache Cleaner attempts to remove the files generated, browsing history, and typed fields and passwords retained before the session began.
•
Secure Delete—Upon termination, Cache Cleaner overwrites the browser cache files using a U.S. Department of Defense (DoD) sanitization algorithm. Choose the number of passes to perform; the default is 3. After completing the specified number of passes, Cache Cleaner removes the pointer to the file. Overwriting in place sanitizes the data only if the overwrite lands on the same physical blocks that held it; on flash media with wear leveling, this is not guaranteed.
Note
Click Apply All to save the running Cisco Secure Desktop configuration.
Configuring Secure Desktop (Secure Session) General
Click Secure Desktop General under the prelogin policy name to enable or disable the Secure Session features and customize the user experience.
The Secure Desktop General pane appears. Figure 3-12 shows the default settings.
Figure 3-12 Secure Desktop General
Check the following attributes to configure the general Secure Session settings for the prelogin policy you are configuring, as required by your security policy:
•
Enable switching between Secure Desktop and Local Desktop—We strongly recommend that you check this attribute to let users switch between Secure Session and the untrusted desktop. Called desktop switching, this feature provides users with the flexibility they might need to respond to a prompt from another application requiring an OK to let Secure Session continue processing. Unchecking this attribute minimizes the potential security risk posed by a user who leaves traces on the untrusted desktop. Thus, you might choose to uncheck this option if the security risk is a bigger issue than the deployment advantages of the alternative. Operating System limitations may prevent Secure Session from enforcing prevention of desktop switching, even if you disable this feature.
You can configure both Secure Session and Cisco SSL VPN Client (SVC) to run simultaneously on remote PCs. If you check this attribute, the SVC connection becomes available to both.
•
Enable Vault Reuse—Check to allow users to close Secure Session and open it again at a later time. Secure Session becomes a persistent desktop that is available from one session to the next. If you enable this option, users must enter a password (up to 127 characters in length) to restart Secure Session. This option is useful if users are running Secure Session on PCs that are likely to be reused; for example, a home PC. When a user closes Secure Session, it does not self-destruct. If you do not enable this option, Secure Session automatically self-destructs upon termination.
If unchecked, this attribute activates the following two attributes.
•
Suggest application uninstall upon Secure Desktop closing—Check to prompt the user and recommend that Secure Session be uninstalled when it closes. In contrast to the option below, the user has the choice to refuse the uninstallation.
Note
If the user accepts the prompt, Secure Session is uninstalled from the remote PC when the session closes, so leave this option disabled if persistent access to Secure Session is important.
•
Force application uninstall upon Secure Desktop closing—Check if you do not want to leave Secure Session on untrusted PCs after users finish using it. Secure Session uninstalls when it closes.
Note
Checking this option uninstalls Secure Session from the remote PC when the session closes, so leave this option disabled if access to Secure Session is important.
•
Enable Secure Desktop inactivity timeout—Check to close Secure Session automatically after a period of inactivity.
Secure Session detects inactivity and closes to avoid leaving anything behind.
If checked, this attribute activates the following attribute.
•
Timeout After—Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period if you checked the "Enable Secure Desktop inactivity timeout" attribute. This attribute is the associated inactivity timer.
•
Open following web page after Secure Desktop closes—Check this box and enter a URL in the field to make Secure Session automatically open a web page when it closes.
•
Secure Delete—Secure Session encrypts and writes itself to the remote PC disk. Upon termination, it performs a U.S. Department of Defense (DoD) sanitation algorithm. Choose the number of times to perform this cleanup task. The default setting is 3 passes. Following the completion of the task the number of times specified, Secure Session removes the pointer to the file.
Note
Click Apply All to save the running Cisco Secure Desktop configuration.
Configuring Secure Desktop (Secure Session) Settings
Click Secure Desktop Settings under the prelogin policy name to place restrictions on Secure Session.
The Secure Desktop Settings pane appears. Figure 3-13 shows the default settings.
Figure 3-13 Secure Desktop Settings
Check the boxes to apply the associated restrictions. The restrictions are as follows:
•
Restrict application usage to the web browser only—Check to let only the originating browser run on Secure Session. If you choose this option, the browser that initiated the connection (Internet Explorer, Netscape, Firefox, etc.) is the only browser permitted to run. Choosing this option limits the user's ability to use other applications, but increases the level of security.
•
Disable access to network drives and network folders—Check to prevent the user from accessing network resources and network drives while running Secure Session. The network resources are those that use the Server Message Block (SMB) client/server request-response protocol to share such resources as files, printers, and APIs. For maximum security, we recommend that you check this attribute. If you do, Secure Desktop Manager dims the following attribute.
•
Do not encrypt files on network drives—Check to let the user save files to network drives. Secure Session does not encrypt the files and leaves the files behind after the session ends. If you uncheck "Disable access to network drives and network folders" and this attribute, Secure Session encrypts the files the user saves to network drives, then removes them upon Secure Session termination. Secure Desktop Manager dims this attribute if you check the previous attribute.
•
Disable access to removable drives and removable folders—Check to prevent the user from accessing portable drives while running Secure Session. Otherwise, the user can save files to a removable drive and remove the drive before closing the session. After closing the session, the user could forget to take the removable drive. For maximum security, we recommend that you check this attribute. If you do, Secure Desktop Manager dims the next attribute.
This attribute applies only to the drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window.
•
Do not encrypt files on removable drives—Check to let the user save files to portable drives that Microsoft names "Removable" in the Windows Explorer "My Computer" window. Secure Session does not encrypt the files and leaves the files behind after the session ends. If you uncheck both "Disable access to removable drives and removable folders" and this attribute, Secure Session encrypts the files the user saves to portable drives, then removes them upon session termination. Secure Desktop Manager dims this attribute if you check the previous attribute.
•
Disable registry modification—Check to prevent the user from modifying the registry from within Secure Session. For maximum security, we recommend that you check this attribute.
•
Disable command prompt access—Check to prevent the user from running the DOS command prompt from within Secure Session. For maximum security, we recommend that you check this attribute.
•
Disable printing—Check to prevent the user from printing while using Secure Session. For maximum security of sensitive data, check this option.
•
Allow email applications to work transparently—Check to let the user open e-mail while on Secure Session and to prevent Secure Session from deleting e-mail upon the termination of the session. The term transparent means that Secure Session handles e-mail the same way that the local desktop handles it. Transparent handling works for the following e-mail applications:
–
Microsoft Outlook Express
–
Microsoft Outlook
–
Eudora
–
Lotus Notes
If this attribute is checked and the remote user uses an e-mail application to save an attachment to the "My Documents" folder, it is visible from both Secure Session and the local desktop. Similarly, deleting such a file from within the e-mail application running over Secure Session removes the file from both desktops.
Note
Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, while in a Secure Session removes the file only from Secure Session.
Click Apply All to save the running Cisco Secure Desktop configuration.
Configuring the Secure Session Browser
Click Secure Desktop Browser under the prelogin policy name to specify the Home Page to which the browser connects when the remote user establishes a Secure Session. This option also lets you specify the folders and URLs that populate the Bookmarks or Favorites menu during the Secure Session.
The Secure Desktop Browser pane appears. Figure 3-14 shows the default settings.
Figure 3-14 Secure Desktop Browser
For the duration of the Secure Session, the browser does not list the user's bookmarks or favorites. It lists only the ones shown in this pane.
Configure the Secure Desktop Browser as follows:
Step 1
Type the URL of the page that you want to open when the remote user establishes a Secure Session, into the Home Page field.
The Customized Bookmarks pane lists the folders and URLs that populate the browser Bookmarks or Favorites menu.
Step 2
Use the following guidelines to add, modify, and delete entries in the Customized Bookmarks pane:
•
To add a folder, select the folder to contain it, click Add Folder, type the new folder in the dialog box, then click OK.
•
To add a bookmark to the list, select the folder to contain it, click Add Bookmark, type the URL in the dialog box, then click OK.
•
To modify a URL, select it, click Edit, type the new URL in the dialog box, then click Edit.
•
To remove a folder or a URL, select it and click Delete.
Note
Click Apply All to save the running Cisco Secure Desktop configuration.
Configuring Host Scan
The Secure Desktop Manager > Host Scan window shown in Figure 3-15 lets you do the following:
•
To configure and view the registry entries, filenames, and process names for which to scan, see "Configuring Basic Host Scan Entries."
•
To enable or disable scanning for antispyware, antivirus, and personal firewall applications and updates, see "Enabling and Disabling Host Scan Extensions."
•
To configure enforcement of the antispyware, antivirus, and personal firewall applications and updates of your choice, see "Configuring Advanced Endpoint Assessment" and "Configuring Personal Firewall Rules." This option requires an Advanced Endpoint Assessment license.
Figure 3-15 Host Scan
Note
Regardless of whether you have an Advanced Endpoint Assessment license, you can use ASDM to configure Dynamic Access Policies for making policy decisions based on the scan results.
Configuring Basic Host Scan Entries
You can specify a set of registry entries, filenames, and process names, collectively called a basic host scan. The host scan, which includes the basic host scan and the endpoint assessment or advanced endpoint assessment, occurs after the prelogin assessment but before the assignment of a DAP. Following the basic host scan, the security appliance uses the login credentials, the host scan results, the prelogin policy, and other criteria you configure to assign a DAP.
See the sections that name the types of basic host scan entries you would like to configure:
•
Adding a File Check to the Basic Host Scan
•
Adding a Registry Key Check to the Basic Host Scan
•
Adding a Process Check to the Basic Host Scan
Adding a File Check to the Basic Host Scan
Add a check for a specific file to the basic host scan as follows:
Step 1
Choose Secure Desktop Manager > Host Scan.
The Host Scan pane opens (Figure 3-15).
Step 2
Click Add > File Scan.
The Add File Scan pane opens (Figure 3-16).
Figure 3-16 Add File Scan
Step 3
Assign values to the following attributes:
•
Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.
For example,
•
File Path—Enter the directory path to the file.
For example,
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
Step 4
Click OK.
ASDM closes the Add File Scan window and inserts the entry into the Basic Host Scan table.
Adding a Registry Key Check to the Basic Host Scan
Add a check for a specific registry key to the basic host scan as follows:
Step 1
Choose Secure Desktop Manager > Host Scan.
The Host Scan pane opens (Figure 3-15).
Step 2
Click Add > Registry Scan.
The Add Registry Scan pane opens (Figure 3-17).
Figure 3-17 Add Registry Scan
Step 3
Assign values to the following attributes:
•
Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.
For example,
•
Entry Path menu—Choose the hive, the initial directory path to the registry key. The options are as follows:
Each string references a registry base that stores different information. The HKEY_LOCAL_MACHINE\ path is the most commonly used one because it contains the machine-specific registry files.
•
Entry Path field—Enter the name of the registry key.
For example,
SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)
Step 4
Click OK.
ASDM closes the Add Registry Scan window and inserts the entry into the Basic Host Scan table.
Adding a Process Check to the Basic Host Scan
Add a check for a specific process to the basic host scan as follows:
Step 1
Choose Secure Desktop Manager > Host Scan.
The Host Scan pane opens (Figure 3-15).
Step 2
Click Add > Process Scan.
The Add Process Scan pane opens (Figure 3-18).
Figure 3-18 Add Process Scan
Step 3
Assign values to the following attributes:
•
Endpoint ID—Enter a unique and meaningful string to serve as an index to this entry. After completing the Host Scan configuration, specify the same index when you assign this entry as an endpoint attribute when configuring a DAP. The string is case-sensitive.
For example,
•
Process Name—Enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.
For example,
Step 4
Click OK.
ASDM closes the Add Process Scan window and inserts the entry into the Basic Host Scan table.
Enabling and Disabling Host Scan Extensions
You can configure a scan for antivirus, personal firewall, and antispyware applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure Desktop loads the endpoint assessment checks and reports the results back to the security appliance for use in assigning a DAP.
To enable or disable Host Scan Extensions,
Step 1
Choose Secure Desktop Manager > Host Scan.
The Host Scan window opens (Figure 3-15).
Step 2
Check one of the following options in the Host Extensions area of the Host Scan window:
•
Endpoint Assessment—If you check this option, the remote PC scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.
•
Advanced Endpoint Assessment—This option is present only if the configuration includes a key for an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify. To turn on this option after acquiring a key from Cisco, choose Device Management > System Image/Configuration > Activation Key, enter the key in the New Activation Key field, and click Update Activation Key.
When you check this option, Secure Desktop Manager inserts a check mark next to both options.
To disable the host scan extensions, uncheck both options in the Host Extensions area of the Host Scan window.
Configuring Advanced Endpoint Assessment
Advanced Endpoint Assessment lets you configure an attempt to update noncompliant PCs to meet the version requirements you specify.
To configure Advanced Endpoint Assessment,
Step 1
Choose Secure Desktop Manager > Host Scan.
The Host Scan window opens (Figure 3-15).
Step 2
Check or click Advanced Endpoint Assessment.
If this option is unavailable, you need to get an Advanced Endpoint Assessment license and enter the key, as described in the previous section. Otherwise, Secure Desktop Manager activates the Configure button.
Step 3
Click Configure.
The Advanced Endpoint Assessment window displays the configuration settings. Figure 3-19 shows the default settings in this window.
Figure 3-19 Advanced Endpoint Assessment
Note
You must check an Enforce button to activate the corresponding drop-down lists of companies and applications. Secure Desktop Manager activates attributes and buttons in response to a selection only if the application supports the attributes and button functions. For example, you can click Add to add a personal firewall rule only if the selected personal firewall application supports rules.
Step 4
Use the descriptions of the attributes in the Antivirus area if you want to attempt to update noncompliant PCs with an antivirus application:
•
Enforce Antivirus checkbox—Check to attempt to force an update of the application to be selected.
•
Enforce Antivirus drop-down list—Select the company that produces the antivirus application.
•
(Unnamed) drop-down list—When you select the company, this list displays the versions of antivirus applications that this company supports and that Host Scan supports. Select the version you want to require on the remote host.
•
Force File System Protection—(Enabled only if the selected antivirus application supports this feature) Check to turn on ongoing background scanning by the antivirus application. The application checks files as they are received and blocks access to files that are likely to contain viruses.
•
Force Virus Definitions Update—Check to require the remote host to check for a virus definitions update for the selected application. If you check this option, you must specify the number of days.
•
if not updated in last—Enter the age in days of the last update that triggers a new update.
Step 5
Use the descriptions of the attributes in the Personal Firewall area if you want to attempt to update noncompliant PCs with a personal firewall application.
•
Enforce Personal Firewall checkbox—Check to attempt to enable the application to be selected.
•
Enforce Personal Firewall drop-down list—Select the company that produces the personal firewall application.
•
(Unnamed) drop-down list—When you select the company, this list displays the versions of personal firewall applications that this company supports and that Host Scan supports. Select the version you want to require on the remote host.
•
Firewall Action—The contents of this drop-down list depend on the options available to the selected personal firewall. Select None, Force Enable to enable the firewall, or Force Disable to disable the firewall.
•
Rules—This table is available only if the selected personal firewall supports rules. It lets you specify the applications and ports that the firewall allows or blocks. See "Configuring Personal Firewall Rules" to set the attributes in the Add or Edit window.
Step 6
Use the descriptions of the attributes in the Antispyware area if you want to attempt to update noncompliant PCs with an antispyware application.
•
Enforce Antispyware checkbox—Check to attempt to force an update of the application to be selected.
•
Enforce Antispyware drop-down list—Select the company that produces the antispyware application.
•
(Unnamed) drop-down list—When you select the company, this list displays the versions of antispyware applications that this company supports and that Host Scan supports. Select the version you want to require on the remote host.
•
Force Spyware Definitions Update—Check to require the remote host to check for a spyware definitions update for the selected application. If you check this option, you must specify the number of days.
•
if not updated in last—Enter the age in days of the last update that triggers a new update.
Step 7
Click OK.
Configuring Personal Firewall Rules
Personal firewall rules let you specify applications and ports for the firewall to allow or block. The Add, Edit, and Delete buttons next to the Rules table in the Advanced Endpoint Assessment window (Figure 3-19) are active only if the selected personal firewall supports rules. For example, the applications that appear under the Internet Security Systems, Inc. option support personal firewall rules.
If you configure Advanced Endpoint Assessment as described in the previous section and click Add or Edit next to the Rules table, the Add or Edit Rule window opens (Figure 3-20).
Figure 3-20 Add Personal Firewall Rule
To set the attributes in the Add or Edit Rule window,
Step 1
Use the following attribute description to select the rule.
•
Rule—Choose the action of this rule. The options are ALLOW Application, BLOCK Application, ALLOW Port, and BLOCK Port.
Step 2
Go to the Application area and set the following attributes if you selected ALLOW Application or BLOCK Application.
•
Name—Enter the full file name and extension of the application to be allowed or blocked.
•
Full path—Enter the entire path to the application file.
Step 3
Go to the Port area and set the following attributes if you selected ALLOW Port or BLOCK Port.
•
Protocol—Select the protocols to be allowed or blocked. The options are Any, UDP, and TCP.
•
Port—Enter the port number to be allowed or blocked.
Step 4
Click OK.
Repeat this procedure for each personal firewall rule you want to configure.
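The rule fields described in Steps 1 through 3 depend on each other: an application rule needs Name and Full path, a port rule needs Protocol and Port, and an ALLOW and a BLOCK rule that cover the same target leave the enforced rule set ambiguous. The following lint, written as an added example for this page and not Cisco's own code, validates a constructed rule set before it is entered in the Add or Edit Rule window; the check that Name matches the last component of Full path is this example's own consistency test, and the "Any" protocol is treated as overlapping TCP and UDP on the same port.

```python
"""Lint for personal firewall rules of the form the Add/Edit Rule window accepts.

Added example for this page, not Cisco code: it checks that each rule carries
the fields its action needs (Name and Full path for application rules;
Protocol and Port for port rules) and reports ALLOW/BLOCK pairs that target
the same application or the same protocol and port.  The Name-versus-Full-path
consistency check is this example's own; the sample rules are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("ALLOW Application", "BLOCK Application", "ALLOW Port", "BLOCK Port")
PROTOCOLS = ("Any", "UDP", "TCP")


@dataclass(frozen=True)
class FirewallRule:
    rule: str                        # one of ACTIONS
    name: Optional[str] = None       # application file name with extension
    full_path: Optional[str] = None  # entire path to the application file
    protocol: Optional[str] = None   # Any, UDP or TCP
    port: Optional[int] = None

    @property
    def is_application(self):
        return self.rule.endswith("Application")

    @property
    def action(self):
        return self.rule.split()[0]  # "ALLOW" or "BLOCK"

    def validate(self):
        """Raise ValueError if the rule is missing or misusing fields."""
        if self.rule not in ACTIONS:
            raise ValueError(f"unknown rule action {self.rule!r}")
        if self.is_application:
            if not self.name or not self.full_path:
                raise ValueError(f"{self.rule} needs both Name and Full path")
            basename = self.full_path.replace("/", "\\").rsplit("\\", 1)[-1]
            if basename.lower() != self.name.lower():
                raise ValueError(f"Name {self.name!r} does not match Full path {self.full_path!r}")
        else:
            if self.protocol not in PROTOCOLS:
                raise ValueError(f"Protocol must be one of {PROTOCOLS}, got {self.protocol!r}")
            if not isinstance(self.port, int) or not 1 <= self.port <= 65535:
                raise ValueError(f"Port must be 1-65535, got {self.port!r}")
        return True


def overlaps(a, b):
    """True when two rules govern the same application or the same protocol/port."""
    if a.is_application != b.is_application:
        return False
    if a.is_application:
        return a.full_path.lower() == b.full_path.lower()
    same_proto = a.protocol == b.protocol or "Any" in (a.protocol, b.protocol)
    return same_proto and a.port == b.port


def find_conflicts(rules):
    """Return (allow_rule, block_rule) pairs that contradict each other."""
    for r in rules:
        r.validate()
    allows = [r for r in rules if r.action == "ALLOW"]
    blocks = [r for r in rules if r.action == "BLOCK"]
    return [(a, b) for a in allows for b in blocks if overlaps(a, b)]


# Constructed sample rule set; the application path is the page's file-scan example.
SAMPLE_RULES = [
    FirewallRule("ALLOW Application", name="okclient.exe",
                 full_path=r"C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe"),
    FirewallRule("BLOCK Port", protocol="TCP", port=23),   # block telnet
    FirewallRule("ALLOW Port", protocol="Any", port=23),   # contradicts the rule above
    FirewallRule("ALLOW Port", protocol="TCP", port=443),
]

if __name__ == "__main__":
    for allow, block in find_conflicts(SAMPLE_RULES):
        print(f"conflict: {allow.rule} {allow.protocol}/{allow.port} "
              f"vs {block.rule} {block.protocol}/{block.port}")
```

Running the lint on the sample set reports the single Any/23 versus TCP/23 contradiction and raises on malformed rules before they reach the Rules table.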
Configuring a Dynamic Access Policy
You can use a match of a prelogin policy, Basic Host Scan entry, Host Scan Extension, or any combination of these and any other policy attributes to assign access rights and restrictions. At minimum, configure dynamic access policies (DAP) to assign to each prelogin policy and Basic Host Scan entry.
Configure DAPs as follows:
Step 1
Choose Configuration > Network (Client) Access or Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit.
The Add or Edit Dynamic Policy window opens (Figure 3-21).
Figure 3-21 Add Dynamic Access Policy
Step 2
Name the policy and assign a priority to the policy using the fields near the top of the window.
Step 3
Select the ANY, ALL, or NONE option in the drop-down list on the left side of the Selection Criteria area.
Step 4
Click the Add button on the left to specify an AAA attribute type and its values, then click OK. Repeat for each AAA attribute to use for this DAP.
Step 5
Click Add to the right of the Endpoint Attribute table.
The Add Endpoint Attribute window opens (Figure 3-22).
Figure 3-22 Add Endpoint Attribute
Note
If the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked and you select Antispyware, Antivirus, or Personal Firewall, ASDM populates the Vendor ID and Vendor Description drop-down menus. Otherwise, it shows blank fields next to the Vendor ID and Vendor Description attribute names.
Step 6
Choose one or more of the methods in Table 3-2 to match the endpoint:
Table 3-2 Endpoint Attribute Types Associated with Cisco Secure Desktop

| To Match this Secure Desktop Manager object | Select this Endpoint Attribute Type | And do this |
|---|---|---|
| Prelogin policy present in the Secure Desktop Manager > Windows Location Settings pane | Policy | Enter the name of the prelogin policy in the Policy field. |
| File specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane | File | Select the Endpoint ID that matches the Basic Host Scan file entry ID from the drop-down list. |
| Process specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane | Process | Select the Endpoint ID that matches the Basic Host Scan process entry ID from the drop-down list. |
| Registry key specified in the Basic Host Scan table in the Secure Desktop Manager > Host Scan pane | Registry | Select the Endpoint ID that matches the Basic Host Scan registry entry ID from the drop-down list. |
| Antispyware application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked | Antispyware | Select the options in the Vendor ID and Vendor Description drop-down lists. |
| Antivirus application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked | Antivirus | Select the options in the Vendor ID and Vendor Description drop-down lists. |
| Personal firewall application of interest, applicable only if the Endpoint Assessment or Advanced Endpoint Assessment option on the Secure Desktop Manager > Host Scan pane is checked | Personal Firewall | Select the options in the Vendor ID and Vendor Description drop-down lists. |
Step 7
Click OK.
The Add or Edit Endpoint Attribute window closes, leaving the Add or Edit Dynamic Policy window open.
Step 8
Complete the configuration of any other endpoint attributes to specify any other criteria you want to use to identify the remote access devices for which the DAP applies.
Step 9
Set the access policy attributes in the tabs at the bottom of the window to provide access rights and restrictions, then click OK.
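The Basic Host Scan entries (file, registry key and process checks, each indexed by a case-sensitive Endpoint ID) and the DAP selection criteria described in this section fit together in a way the GUI steps do not show directly: the scan only reports whether each Endpoint ID was found, and the DAP references that ID rather than the path or process itself. The model below is an added example for this page and is not Cisco Secure Desktop or ASDM code. It validates a constructed Basic Host Scan table, evaluates it against a constructed endpoint report, and selects the DAPs that match. The file path and registry key are the page's own examples; the process name, Endpoint IDs, DAP names, AAA attribute and antivirus Vendor ID are constructed. Three points are assumptions the page does not state: all of a DAP's endpoint attributes have to match (logical AND), a DAP with no AAA attributes is judged on endpoint attributes alone, and matched DAPs are listed highest priority value first.

```python
"""Model of how Basic Host Scan entries feed Dynamic Access Policy (DAP) selection.

Added example for this page, not Cisco Secure Desktop or ASDM code.  Each
Basic Host Scan entry is indexed by a case-sensitive Endpoint ID; a DAP names
that ID as a File, Registry or Process endpoint attribute, a Policy attribute
names the matched prelogin policy, and ANY / ALL / NONE combines the DAP's
AAA attributes.  Assumptions (not stated on the page): endpoint attributes are
ANDed, no AAA attributes means no AAA constraint, and matches are listed
highest priority value first.  All sample data below is constructed.
"""
from dataclasses import dataclass, field

ENTRY_KINDS = ("File", "Registry", "Process")


@dataclass(frozen=True)
class HostScanEntry:
    endpoint_id: str  # unique, case-sensitive index into the Basic Host Scan table
    kind: str         # one of ENTRY_KINDS
    target: str       # file path, hive\key, or process name


@dataclass
class EndpointReport:
    """What the remote PC reported back (constructed sample data)."""
    prelogin_policy: str
    files: set
    registry_keys: set
    processes: set
    antivirus_vendors: set  # Vendor IDs reported by Endpoint Assessment
    aaa: dict               # AAA attribute name -> set of values


@dataclass
class DAP:
    name: str
    priority: int
    aaa_selector: str                                        # "ANY", "ALL" or "NONE"
    aaa_attributes: list = field(default_factory=list)       # (name, value) pairs
    endpoint_attributes: list = field(default_factory=list)  # (type, value) pairs


def validate_entries(entries):
    """Reject unknown entry types and duplicate Endpoint IDs (IDs are case-sensitive)."""
    seen = set()
    for e in entries:
        if e.kind not in ENTRY_KINDS:
            raise ValueError(f"{e.endpoint_id}: unknown entry type {e.kind!r}")
        if e.endpoint_id in seen:
            raise ValueError(f"duplicate Endpoint ID {e.endpoint_id!r}")
        seen.add(e.endpoint_id)
    return True


def run_basic_host_scan(entries, report):
    """Return {endpoint_id: found} for every configured entry."""
    inventory = {"File": report.files, "Registry": report.registry_keys,
                 "Process": report.processes}
    return {e.endpoint_id: e.target in inventory[e.kind] for e in entries}


def endpoint_attribute_matches(attr, scan_results, report):
    kind, value = attr
    if kind == "Policy":
        return report.prelogin_policy == value
    if kind in ENTRY_KINDS:
        return scan_results.get(value, False)  # value is the Endpoint ID, not a path
    if kind == "Antivirus":
        return value in report.antivirus_vendors
    raise ValueError(f"unsupported endpoint attribute type {kind!r}")


def aaa_matches(dap, report):
    if not dap.aaa_attributes:
        return True  # assumption: no AAA criteria imposes no constraint
    hits = [value in report.aaa.get(name, set()) for name, value in dap.aaa_attributes]
    combine = {"ANY": any, "ALL": all, "NONE": lambda h: not any(h)}
    return combine[dap.aaa_selector](hits)


def select_daps(daps, entries, report):
    """Names of the DAPs that match this connection, highest priority value first."""
    validate_entries(entries)
    scan = run_basic_host_scan(entries, report)
    matched = [d for d in daps
               if aaa_matches(d, report)
               and all(endpoint_attribute_matches(a, scan, report)
                       for a in d.endpoint_attributes)]
    return [d.name for d in sorted(matched, key=lambda d: d.priority, reverse=True)]


# Constructed Basic Host Scan table; path and registry key are the page's examples.
ENTRIES = [
    HostScanEntry("csd-okclient-file", "File",
                  r"C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe"),
    HostScanEntry("csd-registry", "Registry",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)"),
    HostScanEntry("csd-okclient-proc", "Process", "okclient.exe"),  # constructed name
]

DAPS = [
    DAP("corporate-full-access", 20, "ALL",
        aaa_attributes=[("memberOf", "VPN-Users")],
        endpoint_attributes=[("Policy", "corporate"), ("File", "csd-okclient-file"),
                             ("Process", "csd-okclient-proc")]),
    DAP("antivirus-verified", 30, "ANY",
        endpoint_attributes=[("Antivirus", "sample-av-vendor")]),
    DAP("home-pc-webmail-only", 10, "ANY",
        endpoint_attributes=[("Policy", "home")]),
]

MANAGED_PC = EndpointReport(
    prelogin_policy="corporate",
    files={r"C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe"},
    registry_keys={r"HKEY_LOCAL_MACHINE\SOFTWARE\CISCO SYSTEMS\SECURE DESKTOP\(Default)"},
    processes={"okclient.exe"},
    antivirus_vendors=set(),
    aaa={"memberOf": {"VPN-Users"}},
)

if __name__ == "__main__":
    print(select_daps(DAPS, ENTRIES, MANAGED_PC))
```

The sample managed PC matches only corporate-full-access; a report that also lists the sample antivirus Vendor ID matches antivirus-verified as well, and a PC whose prelogin policy is home falls through to home-pc-webmail-only. The duplicate-ID check in validate_entries is worth keeping in any tooling that generates these tables, because a second entry with the same Endpoint ID would silently change which check a DAP is really testing.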