This document provides information on the most frequently asked questions (FAQ) related to the Cisco Secure Desktop (CSD).
Cisco Secure Desktop seeks to minimize the risks posed by the use of remote devices in order to establish a Cisco clientless SSL VPN or AnyConnect Client session.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
A. CSD comprises several components:
Host Scan (Basic and Advanced with remediation capabilities)
Host emulation detection
Refer toCSD Configuration Guide for more information.
Q. Where can I find a compability matrix of OSes, Browsers, ASA versions, SSL VPN components supported by CSD?
A. Refer to Cisco ASA 5500 Series VPN Compatibility Reference for more information.
A. The CSD configuration is stored on the flash under sdesktop/data.xml file.
A. No. CSD only interoperates with Clientless SSL VPN and Anyconnect 2.x.
A. Yes. PreLogin checks for Machine Certificates was implemented in CSD 3.2.1 (CSCsj35249).
Q. If the Secure vault is used, how does interaction occur between it and the real desktop? For example, can files be moved between the two or is it only into the vault?
A. The file system is virtualized. Inside the vault you can see essential local files such as program files and windows, but files within the vault cannot be moved outside.
Note: One exception to this is the use of certain email applications such as Outlook, Outlook Express, Eudora and Lotus Notes that operate as they do on the client PC. These applications are not generally found in the public domain.
A. Yes, but the data is encrypted and is removed once the vault is uninstalled and is not visible if the key is removed.
A. Yes. If the shared network folders exist as part of the Network Neighborhood on the client PC, then they also appear on the Secure Desktop Network Neighborhood.
Q. When a file is created or amended within the Secure Desktop space, can it be saved to a Network Neighborhood if a network connection through SSL VPN or IPsec exists ?
A. As outlined in the documentation, locations are identified when the criteria of the different locations are checked with the use of the priority of top to bottom as displayed in the windows location pane. The first location that meets the criteria is used as the connection location. Cisco suggests the use of a location with no criteria as the last location so that it becomes the default if no other locations with criteria are matched.
A. Yes, You can still install CSD even if both Active X and Java are not detected on the client PC.
A. No, there are not any restrictions for Cisco Secure Desktop or the SSL VPN Client.
A. Yes. CSA V4.5 now supports and is fully compatible with both CSD and SVC.
A. When a Secure Desktop environment is created, an encrypted file space (the vault) is generated , which starts as a small file space and grows to a max of 2 GB, which depends on what applications are loaded from their default locations whilst operating within the vault.
Q. How does CSD decide what applications to support? Is it just all the applications that are available on the normal desktop? Can this be controlled ?
A. This is detailed in the release notes and cannot be controlled. It does not allow applications to be installed whilst in the SD Vault/space, but uses the default applications under Program Files that are already installed on the client PC. Secure Desktop only supports applications installed in the default location. For increased security only applications installed under the Windows and Program Files directories are accessible under the Secure Desktop. Secure Desktop does not support or allow access to applications not found in these default installation locations.
A. This is a configuration option within the Secure desktop management configuration. The copy/paste buffer (clipboard) is cleared once you switch back to the client PC, if enabled in the configuration.
Restrict Printing on Secure Desktop—Check to prevent the user from printing while the Secure Desktop space is used. For maximum security of sensitive data, check this option.
A. This was not supported in earlier versions (earlier than 184.108.40.206) and detailed in CSCsc12461. The workaround at that time was to disable DEP in the BIOS as mentioned in the DDTS. As of version 220.127.116.11, this has now been resolved.
A. No, because the CSD component that you want to install depends on result of prelogin policy.
A. CSD v3.3 does support CSD-Vault (sandbox) feature on 32-bit Vista platforms.
See VPN_Compatibility for more details.
Q. What happens if a remote client is connected to secure desktop over WebVPN and they terminate the session like unplugging the network cable from the computer. Will the secure desktop still remove traces of the file? I believe a similar scenario would be if the machine is powered off in the middle of the session, is the file accessible then?
A. The data remains encrypted/inaccessible and then is erased the next time Cisco Secure Desktop is launched. If you use a cache cleaner, the data is wiped out the next time you logon.
Q. Are the new versions of CSD 3.2.x , which shipped with ASA version 8.0.2.x, backwards-compatible with ASA version 7.1.x/7.2.x?
A. The new version of Cisco Secure Desktop 3.2.x is not backwards compatible with older ASA 7.1.x/7.2.x.
A. CSD 3.2 for ASA 8.0.2.x supports ONLY Cache Cleaner on Vista , 32-bit machines. Secure Vault support on Vista is for future consideration (CSD v3.3) .
Update—CSD v3.3 does support CSD-Vault (sandbox) feature on 32-bit Vista platforms.
A. CSD 3.2 Advanced Endpoint Assessment does not allow the checking of multiple versions of an Antivirus, Personal Firewall or AntiSpyware program. CSD 3.2.1 does have the ability to check for multiple Antivirus, Personal Firewall or AntiSpyware programs with the use of the Dynamic Access Policy with the Endpoint Assessment feature.
Note: CSD 3.2.1, ASDM6.0.3/ASA 8.0.3, which FCSed in November 2007 , includes this capability (CSCsk71239) .
A. The current design does not allow for CSD to control CD drives.
Q. How susceptible is the CSD secure vault to threats from the host operating system while running CSD? Is it a case of the vault in effect that keeps all bad things at bay, or is the use of the normal desktop on the host just as vulnerable? The posture check is relied upon in order to mitigate against some of these issues.
A. CSD concept is to not leave anything behind. The CSD vault is for storage of session data such as cached web pages created during the vpn session. The vault is encrypted for protection. It is not supposed to be a type of virus protection device.
Q. How do I position CCA NAC appliance versus CSD + Adv Endpoint Assessment in ASA 8.0? It seems like the posture check functionality is similar. Does CCA offer any significant advantages over 8.0 for VPN users?
A. CSD provides posture check and limited remediation, while CCA can actually support a more sophisticated and complete remediation process. This is key if the VPN user is a full-time telecommuter, for instance, that is not that tech savy and requires instruction on the next steps that are necessary without bogging down the internal support department. That can also lead to a reduction in support costs and increased productivity if you want to extrapolate the possibilities.
A. Not currently as of v8.0.3. CSD is globably enabled on the ASA for all group-policies before Authentication/Authorization takes place. The main reason why Cisco Secure Desktop was loaded pre-login is to offer protection over the login process itself, especially when static credentials are in use.
A. When Secure Desktop is installed, it can be uninstalled manually or automatically when a session is closed. An option is available in the CSD Manager > Secure Desktop General in order to do this automatically.
A. The latest information is always visible inside of ASDM. You can also extract secinsp_<VERSION>_av.xml, secinsp_<VERSION>_as.xml and secinsp_<VERSION>_fw.xml from the current CSD package (as a ZIP) and search for Product_ID attribute.
These checks are updated with every release and as such, it is impossible for the documentation to keep up with the list.
A. Search for Allow_port and Block_port attribute value for each product.v= implemented x= not implemented
A. The CSD installation with Java already installed and most basic host scanning operations do not require administrative privileges. Operations such as enabling a FW process, do not work without administrative privilege, of course. Do not expect it to be scanned for files that it does not have privilege for which to scan; for example, if you are limited user, you cannot detect /users/administrator/mydocuments/file.txt. Key stroke logger requires administrative privileges.
Q. Are any of the CSD features such as Host Scan, Cache Cleaner, and Vault supported on 64-bit platforms?
A. No. CSD only supports 32-bit platforms.
A. No. Prelogin policy checks rely on CSD being enabled.
A. The checks are IP Address (Source IP range), Certificate, Registry, File and OS.
A. In ASDM there is currently no button/knob to delete all Prelogin policies. You can only delete them indidually. There is an enhancement request CSCsq91629 in order to be able to do this.
On the ASA CLI, you can complete these steps in order to clear all Prelogin policies and set CSD configuration to default.
- #delete sdesktop/data.xml
- Then you must Exit and restart ASDM for the change to take affect.
Q. Are the CSD Prelogin certificate checks PKI-validated or does it only check for the presence of the certificates on the endpoint host?
A. The certificate checks verifies only that the certificate is present on the endpoint host, and not whether the certificate is PKI-validated.
A. Only Windows.
A. No. CSD specific policies cannot be set through Radius/LDAP .
A. CSD 3.2.1 now supports Port Scanning on the endpoint PC (Windows, MAC, Linux) and was implemented in CSCsj44999. Dynamic Access Policies (DAP) can enforce the endpoint.device.port attribute in policy.
A. Here is a a list of DAP Endpoint Selection attribute categories as of 8.0.3.x:
Device such as Hostname, Mac Address, Port Number, and Privacy Protection
Q. What is this CSD token seen within the DAP debugs (DAP_TRACE: DAP_add_CSD: csd_token = [71F16BEE51C8B569360F9BF0]) ?
A. ASA creates unique random numbers and assigns them to HostScans so it can distinguish one HostScan from another. HostScan happens before the login when no SSL VPN session exists. HostScan does not send CSD token in the scan file. The token is used to attach the scan data to the ASA SSL VPN session.
A. When Anyconnect is launched in SBL mode, only hostscan is performed by CSD regardless of what prelogin policy dictates,unless there is no location match, in which case CSD launch fails.
Q. What is the recommended way to update the CSD file without the deletion of the PreLogin policy (Locations) configuration?
A. Upgrate a new CSD image, which keeps all settings intact, except upgrades from CSD 3.1.1 to 3.2 or later.
Q. I face issues when I access Citrix ICA client using Java versions 1.6.10,1.6.11,and 1.6.12. Why does the connection fail as soon as the client connects to the Citrix remote desktop while using CSD?
A. In JRE6 Update 10 and later, Java starts differently from standard practice .Refer to Introducing Java SE 6 update 10 for more information on Java update 10.
The Secure Desktop Vault browser freezes if you open a website that contains a Java applet, and JRE Update 10 or later is installed on the computer. This problem occurs only if you have checked the Restrict application usage to the web browser only option present in Secure Desktop Manager > <policy_name> > Secure Desktop Settings. The default setting is unchecked. You can do one of these options in order to make Java applets functional on Secure Desktop:
Add these lines to the text box under the checked attribute Restrict application usage to the web browser only:
Uncheck Restrict application usage to the web browser only checkbox. This resolves the issue.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.