COPYRIGHT
Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
Installation Guide
Contents
Preface 5
    About this guide 5
    Audience 5
    Conventions 5
    Finding product documentation 6
Post-installation tasks 25
    Initialize the DLP Policy console 25
    Upgrade the license 27
    Initialize the McAfee DLP Monitor 28
    Check in the McAfee DLP Endpoint package to ePolicy Orchestrator 29
    Deploying McAfee DLP Endpoint 30
        Define a default rule 30
        Deploy McAfee DLP Endpoint with ePolicy Orchestrator 31
        Verify the installation 32
    Uninstalling McAfee DLP Endpoint 32
    Create and define McAfee DLP administrators 37
    Create and define permission sets 38
    DLP permission set options 38
Index 47
Preface
Detailed information for installation, verification, and configuration of McAfee DLP Endpoint software.
This guide provides the necessary information for installing McAfee Data Loss Prevention Endpoint software. It provides detailed steps and verification of the installation process. This guide demonstrates how to configure the recommended architecture, and when completed the user will have a fully functional, properly configured McAfee DLP Endpoint software implementation. McAfee DLP Endpoint software is very flexible in meeting a variety of implementation architectures. We recognize that many configuration possibilities exist, and that the recommended architecture represents only one path.
Contents
About this guide
Finding product documentation
Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Security officers: People who determine which data is sensitive and confidential, and define the corporate policy that protects the company's intellectual property.
Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
Words in the user interface including options, menus, buttons, and dialog boxes.
A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
McAfee Data Loss Prevention Endpoint (McAfee DLP Endpoint) software protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization. McAfee DLP Endpoint software is a content-based endpoint solution that inspects enterprise users' actions concerning sensitive content in their own work environment, their computers. It uses advanced discovery technology as well as predefined dictionaries to identify this content, and incorporates device management and encryption for additional layers of control. McAfee DLP Endpoint software prevents transmission of sensitive data from desktops and laptops, whether or not they are connected to the enterprise network. It protects against data loss regardless of the format in which data is stored or manipulated.
McAfee Device Control software incorporates the device management functionality of McAfee DLP Endpoint software in a simpler package which is sold separately. It prevents unauthorized use of removable media devices, the most widespread and costly source of data loss in many companies today.
McAfee DLP Endpoint software is administered from the McAfee ePolicy Orchestrator (McAfee ePO) management console.
Contents
Recommended installation
Choosing a McAfee DLP configuration
Backward-compatible installation
Recommended installation
The recommended installation for McAfee Data Loss Prevention Endpoint software version 9.x is on a single server together with McAfee ePO and the McAfee ePO database. The McAfee DLP WCF service can be installed on a separate server from the McAfee ePO database.
Figure 1-1
The recommended architecture includes:
McAfee ePO server: Hosts the embedded interfaces (McAfee DLP Monitor and McAfee DLP Endpoint policy console) and communicates with the McAfee Agents.
McAfee ePO Reports: A list of McAfee DLP Endpoint Events within the ePolicy Orchestrator reporting service.
McAfee DLP WCF (Windows Communication Foundation) Service: Communicates between ePolicy Orchestrator and the McAfee DLP Endpoint policy console to distribute policies, and with the McAfee DLP Monitor.
McAfee ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.
DLP Event Parser: Collects McAfee DLP Endpoint events from the ePolicy Orchestrator Event Parser and stores them in tables in the SQL database.
ePO database: Communicates with the ePolicy Orchestrator Policy Distributor to distribute policies, and with the McAfee DLP Event Parser to collect events and evidence.
Administrator workstation: Accesses ePolicy Orchestrator, McAfee DLP Monitor, and McAfee DLP Endpoint policy console in a browser through the McAfee DLP WCF service.
Managed workstation: Applies the security policies using the following software:
    McAfee DLP Endpoint: A McAfee Agent plug-in that provides the DLP processes.
    McAfee Agent: Provides the communication channel between the McAfee ePO server and the McAfee DLP Endpoint.
Choosing a McAfee DLP configuration
Table 1-1 Feature comparison of software versions (continued) Feature Dictionaries Registered Documents Repositories Text Patterns Definitions Application Definitions Document Properties Email Destinations File Extension Definitions File Server Definitions Network Definitions Printer Definitions Tags and Categories Yes Yes No Yes No No No Yes Content categories and groups only Web Destinations Whitelist Repository Device Management Device Classes Device Definitions Device Rules Whitelisted Applications Policy Assignment User Assignment Groups Privileged Users RM and Encryption RM Servers RM Policies Encryption Keys Rules Classification Rules Discovery Rules Yes No Yes Yes No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes Content categories, tags, and groups Yes Yes McAfee Device Control software Yes Yes Yes McAfee DLP Endpoint software Yes Yes Yes
Table 1-1 Feature comparison of software versions (continued)
Feature | McAfee Device Control software | McAfee DLP Endpoint software
Protection Rules | Yes (Removable Storage Protection only) | Yes: Application File Access Protection, Clipboard Protection, Email Destinations Protection, File System Protection, Network Communication Protection, PDF/Imagewriter Protection, Printing Protection, Removable Storage Protection, Screen Capture Protection, Web Post Protection
Tagging Rules | No | Yes
Backward-compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of McAfee DLP Endpoint in their production environment, an option exists to deploy backward-compatible policies to computers still running the older agents. Host DLP Agent 3.0 Patch 1 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to Host DLP Agent 3.0 Patch 1 or later before upgrading to McAfee DLP Endpoint 9.2.
McAfee DLP Endpoint version 9.2 uses a standardized XML policy format, introduced in version 9.0. This format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents has five levels:
No compatibility (all endpoints are version 9.2)
McAfee DLP Endpoint Agent 9.1 and later
McAfee DLP Endpoint Agent 9.0 and later
McAfee DLP Endpoint Agent 3.0 and later
McAfee DLP Endpoint Agent 3.5 or current version
The compatibility option "DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3.x agents.
DLP Agent 2.2 Patch 4 is no longer supported. The agent compatibility option is selected during the McAfee DLP Endpoint policy console initialization.
Prepare your environment and install McAfee DLP Endpoint software in ePolicy Orchestrator.
Contents
Verify system requirements
Configure the server
Install McAfee ePolicy Orchestrator
Installing McAfee DLP WCF service
Before you install the extension
Install the McAfee Data Loss Prevention Endpoint extension
Working in a cluster environment
The following operating system software is supported:
Table 2-2 Operating systems supported
Servers:
    Windows 2003 Server Standard (SE) SP1 or later, 32- or 64-bit
    Windows 2003 Enterprise (EE) SP1 or later, 32- or 64-bit
    Windows 2008 Server Enterprise, 32- or 64-bit
Managed workstations:
    Windows XP Professional SP1 or later, 32-bit
    Windows Vista SP1 or later, 32-bit only
    Windows 7, 32- or 64-bit
    Windows 2003 Server, 32- or 64-bit
    Windows 2008 Server, 32-bit
    Windows 2008 Server R2, 64-bit
The user installing McAfee DLP Endpoint software on the servers must be a member of the local administrators group. The following software is required on the server running the McAfee DLP Endpoint policy console and McAfee DLP Monitor:
Table 2-3 Server software requirements
McAfee ePolicy Orchestrator: 4.0 Patch 7 or later; 4.5 Patch 4 or later; 4.6
McAfee Agent: 4.0 Patch 3 or later; 4.5 Patch 3 or later; 4.6
McAfee ePO Help System: download the McAfee DLP Endpoint 9.2 Help extension.
There is no Help for McAfee DLP Endpoint version 9.2 in McAfee ePolicy Orchestrator 4.0 because the Help System for McAfee ePO 4.0 is EOL and cannot be updated.
Microsoft .NET: 3.5 or 3.5 SP1
Agent handlers on remote servers no longer require the .NET Framework.
The McAfee DLP Endpoint software version 9.2 package includes the following:
McAfee Data Loss Prevention Endpoint (McAfee Agent plug-in)
McAfee DLP Windows Communication Foundation (DLP WCF)
McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)
McAfee DLP Help Desk Tool
5 Verify that Microsoft .NET Framework 3.5 SP1 is installed.
6 Set the server to a static IP address.
We recommend using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.
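The two prerequisites above (.NET Framework 3.5 SP1 present, static IP address) can be checked from PowerShell before the installer is started. The script below is an added example, not part of the McAfee guide; it assumes the Microsoft-documented registry location for .NET 3.5 state and queries adapters through WMI so that it also works on the Windows 2003/2008 servers listed in Table 2-2.

```powershell
# Added example (not from the McAfee guide): check the two server prerequisites
# named in the steps above: .NET Framework 3.5 SP1 installed, and a static IP address.
# Assumptions: the .NET 3.5 registry key below is Microsoft's documented location;
# adapters are read through WMI so the check runs on Windows 2003/2008 as well.

function Test-DotNet35Sp1 {
    # Windows records .NET 3.5 state under this key; Install = 1 and SP >= 1 means 3.5 SP1.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    if (-not (Test-Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key
    return ($props.Install -eq 1 -and $props.SP -ge 1)
}

function Get-DhcpEnabledAdapters {
    # Any IP-enabled adapter still using DHCP violates the static-address requirement.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        Select-Object Description, IPAddress
}

$ok = $true

if (Test-DotNet35Sp1) {
    Write-Host 'OK   .NET Framework 3.5 SP1 is installed'
} else {
    Write-Host 'FAIL .NET Framework 3.5 SP1 not found'
    $ok = $false
}

$dhcp = @(Get-DhcpEnabledAdapters)
if ($dhcp.Count -eq 0) {
    Write-Host 'OK   all IP-enabled adapters use static addresses'
} else {
    Write-Host 'FAIL adapters still configured for DHCP:'
    $dhcp | Format-Table -AutoSize
    $ok = $false
}

# Non-zero exit lets a build or provisioning script stop before ePO is installed.
if (-not $ok) { exit 1 }
```

Run it from an elevated prompt on the server that will host ePolicy Orchestrator; a FAIL line for either check means the corresponding step above has not been completed.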
Install McAfee DLP Endpoint software Installing McAfee DLP WCF service
Pay attention to the following points when installing ePolicy Orchestrator:
1 In the McAfee ePO installation wizard, use the following settings.
Installation wizard screen | Setting
Installation Options | Select Install Server and Console.
Setup Requirements | When installing on Windows 2003 Server, we recommend using the SQL Server 2005 Express installer included in the McAfee ePO installer. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 or 2008 server and select it. This is the preferred option when installing on Windows 2008 Server.
After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.
We recommend using a SQL Server account. If preferred, an NT account can also be used.
During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.
9 Under User Mapping, define the database role memberships by selecting the db_owner and public checkboxes.
10 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.
11 On the Securables page, click Add. Select Specific objects, and click OK.
12 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
13 Click Browse. Select [ePO4_SERVER] and click OK twice.
14 If you do not see all six effective permissions, browse the Explicit Permissions list to locate and Grant them. Click OK. Repeat steps 7-11 to verify the Effective Permissions.
15 Click OK.
Add the logged on user to the Microsoft SQL database as a Windows or SQL user, according to which form of authorization you plan to use. Log out of ePolicy Orchestrator.
Task
1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer. Verify that the McAfee DLP Windows Communication Foundation service installer version matches the McAfee DLP Endpoint software version you are installing.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
    a Use the default WCF Server Port value. If you must change the server port, consult your McAfee representative for instructions.
    b We recommend setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database. You must change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in WCF installation options.
    c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.
3 In step 5 of the installation wizard (Microsoft SQL Database), do the following:
    a Review the defaults for Database Server and Database Name. Type other values if necessary.
    b Select Windows Authentication or SQL Authentication and fill in the associated fields.
Install McAfee DLP Endpoint software Before you install the extension
3 Click the Security tab, then click Advanced.
4 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions. A confirmation message explains the effect this change will have on the folder.
5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators.
Setting permissions for administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
6 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK.
7 Click Add to select an object type. In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box.
8 In the Allow column, select:
    Create Files/Write Data and Create Folders/Append Data for the evidence folder.
    List Folder/Read Data for the whitelist folder.
9 Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
10 Click OK twice to close the dialog box.
4 Select the Security tab, then click Advanced.
5 On the Permissions tab, deselect the Include inheritable permissions from the object's parent option. A confirmation message explains the effect this change will have on the folder.
6 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated.
7 Click Add to select an object type. In the Enter the object name to select text box, type Domain Computers, then click OK. The Permission Entry dialog box is displayed.
8 In the Allow column, select:
    Create Files/Write Data and Create Folders/Append Data for the evidence folder.
    List Folder/Read Data for the whitelist folder.
9 Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
10 Click Add again to select an object type.
Install McAfee DLP Endpoint software Install the McAfee Data Loss Prevention Endpoint extension
11 In the Enter the object name to select text box, type Administrators, then click OK to display the Permission Entry dialog box. Set the required permissions.
Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.
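The folder permissions set through the Explorer dialogs in the two procedures above (disable inheritance, remove the inherited entries, give Administrators full control, and give Domain Computers write-only rights on the evidence share and read-only rights on the whitelist share) can be applied repeatably with PowerShell. The script below is an added example and is not McAfee's code; the folder paths and the CONTOSO domain name are placeholders you must replace.

```powershell
# Added example (not from the McAfee guide): apply the evidence and whitelist folder
# permissions described in the steps above with PowerShell instead of the Explorer dialogs.
# Assumptions: the folder paths and the 'CONTOSO' domain name are placeholders.
# Administrators get full control; Domain Computers get write-only on evidence and
# read-only on whitelist, so one endpoint cannot read what another endpoint uploaded.

$EvidenceFolder  = 'D:\DLP\evidence'
$WhitelistFolder = 'D:\DLP\whitelist'
$DomainComputers = 'CONTOSO\Domain Computers'
$Administrators  = 'BUILTIN\Administrators'

# "This folder, subfolders and files" in the Explorer dialog equals these inheritance flags.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Set-DlpFolderAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$ComputerRights
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # Equivalent of deselecting inheritable permissions and clicking Remove:
    # stop inheriting from the parent and do not copy the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries so only the two rules below apply.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Administrators: full control on this folder, subfolders and files.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Administrators, 'FullControl', $inherit, $propagate, 'Allow')))
    # Domain Computers: only the rights the agents need on this folder.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $DomainComputers, $ComputerRights, $inherit, $propagate, 'Allow')))

    Set-Acl -Path $Path -AclObject $acl
}

# Evidence: agents may create files and folders (Create Files/Write Data,
# Create Folders/Append Data) but cannot list or read the folder.
Set-DlpFolderAcl -Path $EvidenceFolder -ComputerRights 'CreateFiles, CreateDirectories'

# Whitelist: agents only need to list and read (List Folder/Read Data).
Set-DlpFolderAcl -Path $WhitelistFolder -ComputerRights 'ListDirectory'

# Show the resulting entries for review.
foreach ($p in $EvidenceFolder, $WhitelistFolder) {
    Write-Host "`n$p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

Run it as a local administrator on the server hosting the shares. The review listing at the end should show exactly two entries per folder; any extra entry means inheritance is still active or a previous explicit grant survived, which is the same condition the Explorer procedure tells you to check for after clicking Remove.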
Task
1 In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.
2 Browse to and select the McAfee DLP Endpoint .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then OK. The installation dialog box displays the file parameters to verify that you are installing the correct extension.
3 Click OK. The extension is installed. The following applications are installed:
    McAfee DLP Endpoint policy console (in ePolicy Orchestrator | Data Protection)
    McAfee DLP Monitor (in ePolicy Orchestrator | Data Protection)
    DLP Event Parser
4 Click Install Extension again. Browse to and select the Help .zip file (...help_dlp_920.zip). Click Open, then OK.
This file contains the McAfee DLP Endpoint extension to the ePO Help system.
5 Click OK.
Post-installation tasks
Several steps are needed to complete the McAfee Data Loss Prevention Endpoint software installation. You must configure the McAfee DLP Endpoint policy console and McAfee DLP Monitor, install McAfee DLP Endpoint software on the managed computers, deploy a test policy, and verify the installation.
Contents
Initialize the DLP Policy console
Upgrade the license
Initialize the McAfee DLP Monitor
Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
Deploying McAfee DLP Endpoint
The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:
Automatic prompting for ActiveX controls
Download signed ActiveX controls
Task
1 In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy. The McAfee DLP Endpoint Management Tools installer runs and, after a brief delay, the Welcome screen of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.
2 After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert it to the new XML format. Click Convert and skip to step 4.
3 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click OK to continue.
4 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.
5 When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the following steps:
Option | Description
1 of 8 | Click Next.
2 of 8 | By default, the file system discovery crawler places sensitive files in quarantine. Though we do not recommend it, you can delete these files instead by selecting the Support discovery delete option.
This option is not available until you update to the full McAfee Data Loss Prevention Endpoint software installation.
For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy. For most installations, we recommend leaving these checkboxes unselected.
In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over time, earlier versions of the plug-in need to coexist. Select the appropriate Backward compatibility mode:
    No compatibility (all endpoints are version 9.2)
    McAfee DLP Endpoint Agent 9.1 and later
    McAfee DLP Endpoint Agent 9.0 and later
    McAfee DLP Endpoint Agent 3.0 and later
The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3 endpoints.
DLP Agent 2.2 Patch 4 is no longer supported.
Select your directory access protocol: Microsoft Active Directory or OpenLDap. When using Microsoft AD in very large organizations where search times could be excessive, select Restrict AD searches to default domain.
If you are not using WCF: Deselect Deploy policy to reporting database. This prevents rule names deploying to the McAfee DLP tables in the McAfee ePO database. If you are using WCF and deselect this option, the McAfee DLP Monitor displays rule GUIDs, not rule names.
Configure the McAfee DLP Endpoint policy console WCF service path. For the standard installation, accept the default. Click Test Connection to verify. To change the sign in credentials, click Update DB Credentials. The WCF Database Connection Settings dialog box opens for editing.
When you have completed all changes, click Next.
3 of 8 | Type user names, or click Add to search for user names (optional). Click Next.
We recommend creating a role-based group such as DLP Manual Tagging Users, and using the group when configuring Access Control. This step is not available when installing McAfee Device Control.
4 of 8 | Type a password and confirmation (required). McAfee DLP Endpoint software version 9.2 requires strong passwords, that is, at least 8 characters with at least one each of uppercase, lowercase, digit, and special character (symbol). If you are upgrading, this is not implemented until you change a password.
If you don't want endpoint key generation events reported to the database, deselect the checkbox. If you want to use short challenge/response (8 digits instead of 16), select the checkbox. See the McAfee Data Loss Prevention Endpoint Product Guide for more information on Agent bypass. Click Next.
5 of 8 | Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.
6 of 8 | Modify the default notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.
7 of 8 | Browse to the evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Release notes: New Features for more information on this option. Click Next.
8 of 8 | Click Finish.
6 The Initialization Wizard dialog box appears with the message, Apply initial configuration? If you have not skipped any required steps, you can click Yes and apply the initial policy. If you have skipped required steps, click No to complete the initialization.
A password and the evidence storage share are required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.
7 Click Finish.
4 Click OK to close the message box, and click Close to close the Update License window, then log off ePolicy Orchestrator.
5 Log on to ePolicy Orchestrator to complete the upgrade.
6 From the Agent Configuration menu, select Edit Global Agent Configuration.
7 Go to the File Tracking tab and select Device Control and full content protection.
8 Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select the remaining modules you require to enable them and click OK.
Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.
The policy changes are applied to ePolicy Orchestrator.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
Post-installation tasks Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
2 Click OK. For a standard installation, accept the default. For a backward-compatible installation, type the WCF service address in the dialog box, then click OK.
3 Review the details on the screen, then click Save. The package is added to the master repository.
2 Create a protection rule:
    a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Protection Rules.
    b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.
    c Double-click the rule icon to modify the rule.
    d Click through to step 2 of the rule creation wizard and add the Email Category created when creating the classification rule in the Included column.
    e Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.
    f Right-click the rule icon and select Enable.
3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors. If you receive errors, they probably come from improper initialization, such as not specifying an evidence folder or override password. You can re-run the initialization from the Tools menu to correct this.
If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy McAfee DLP Endpoint to individual workstations.
3 Click the Assigned Client Tasks tab. Under Actions, select New Client Task Assignment. The Client Task Builder wizard opens.
4 In the Product field select McAfee Agent. In the Task Type field select Product Deployment. Click Create New Task.
5 In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description is optional.
6 In the Products and Components field, select Data Loss Prevention 9.2.0.x. The Action field automatically resets to Install. Click Save.
7 Change the Schedule type to Run immediately. Click Next.
8 Review the task summary. When you are satisfied that it is correct, click Save. The task is scheduled for the next time the McAfee Agent updates the policy.
9 To force the installation to take place immediately, issue an agent wake-up call.
10 After McAfee DLP Endpoint has been deployed, restart the managed computers.
This task describes the local uninstall option.
Task
1 In the McAfee DLP Endpoint policy console select Tools | Generate Agent Uninstall Key. This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key tab.
2 Fill in the user information in Step 1.
3 Type in the uninstall challenge code (Step 2).
4 Type the agent override key password or select Use password from current policy (Step 3).
5 Click Generate Key to create the uninstall key for the user. This Release Code is sent to the user to enter into the request bypass dialog box.
Microsoft Systems Management Server (SMS) packages can be used for deployment of McAfee DLP Endpoint software in cases where deployment with ePolicy Orchestrator is either unfeasible or not desired. Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying and managing applications and operating systems on Windows desktops and servers. The following tasks assume working in the Microsoft SMS 2003 environment.
Contents
Create an installation package
Create the advertisement
Create the SMS uninstall package
Create an SMS uninstall package to run from a command line
Deploying McAfee Data Loss Prevention Endpoint software with SMS Create the advertisement
In the Command Line text box, type the McAfee DLP command line executable, for example:
msiexec /I DLPAgentInstaller.msi /qn /forcerestart
The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.
We recommend restarting the managed computer after McAfee DLP Endpoint package installation. To enable this option use the /forcerestart parameter. To enable the installation log use /log <LogFile>.
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down list. Click OK.
Verify that Run with Administrative Rights is selected. McAfee Data Loss Prevention Endpoint software setup requires administrator rights to complete installation successfully.
Deploying McAfee Data Loss Prevention Endpoint software with SMS Create an SMS uninstall package to run from a command line
On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK. The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node.
7 Right-click Distribution Points and select New | Distribution Point.
8 Select the server or servers you want to be the distribution points for this package, then click Finish.
9 Right-click Programs and select New | Program. Type the program name. In the Command Line text box, type the DLP command line executable, for example:
msiexec /x DLPAgentInstaller.msi /qn /forcerestart
The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.
10 On the Environment tab, select Whether or not a user is logged on from the Program can run drop-down list. Click OK.
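Both SMS programs above run msiexec unattended, and the only feedback SMS gets is the exit code. The function below is an added example, not McAfee's code, that wraps the install (/I) and uninstall (/x) command lines shown in this chapter with the /qn, /forcerestart and /log switches and interprets the Windows Installer return code, so a failed endpoint deployment is caught rather than silently reported as complete. The MSI path is a placeholder; it assumes the .msi has already been extracted from DLPAgentInstaller.x86.exe as the text describes.

```powershell
# Added example (not from the McAfee guide): run the McAfee DLP Endpoint MSI install or
# uninstall with the msiexec switches shown above and check the Windows Installer exit code.
# Assumptions: the MSI was already extracted from DLPAgentInstaller.x86.exe and the path
# passed in -MsiPath is a placeholder for your deployment share.

function Invoke-DlpAgentMsi {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [ValidateSet('Install', 'Uninstall')][string]$Action = 'Install',
        [string]$LogFile = (Join-Path $env:TEMP "DLPAgent-$Action.log"),
        [switch]$ForceRestart
    )
    # /I installs, /x removes; /qn runs silently, which an SMS program needs
    # because it may run while no user is logged on.
    $switch = if ($Action -eq 'Install') { '/I' } else { '/x' }
    $msiArgs = @($switch, "`"$MsiPath`"", '/qn', '/log', "`"$LogFile`"")
    if ($ForceRestart) { $msiArgs += '/forcerestart' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
                          -Wait -PassThru -NoNewWindow
    $code = $proc.ExitCode

    # Windows Installer return codes: 0 success; 3010 success, reboot required;
    # 1641 success, reboot initiated (what /forcerestart produces).
    $ok = @(0, 3010, 1641) -contains $code

    New-Object PSObject -Property @{
        Action   = $Action
        ExitCode = $code
        Success  = $ok
        Log      = $LogFile
    }
}

# Usage: run from an elevated prompt, since the MSI requires administrator rights
# (the same reason the SMS program must have Run with Administrative Rights selected).
$result = Invoke-DlpAgentMsi -MsiPath 'C:\Deploy\DLPAgentInstaller.msi' -Action Install -ForceRestart
$result | Format-List Action, ExitCode, Success, Log

if (-not $result.Success) {
    # The verbose log is the first thing to check when an endpoint deployment fails.
    Write-Warning "msiexec returned $($result.ExitCode); see $($result.Log)"
    exit $result.ExitCode
}
```

For the uninstall package, call the function with -Action Uninstall; the log file then defaults to DLPAgent-Uninstall.log in the temp folder, which keeps the two runs' records apart when both programs are advertised to the same computer.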
We recommend creating specific administrator roles and permissions in ePolicy Orchestrator for the McAfee DLP Endpoint policy console and McAfee DLP Monitor. Typical roles are: creating and saving policies; viewing (but not changing) policies; generating override, uninstall, and quarantine release keys; viewing the McAfee DLP Monitor; and revealing sensitive fields in the monitor.
Sensitive data redaction and the McAfee DLP Monitor permission sets
To meet the legal requirement in some markets to protect confidential information in all circumstances, McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. The feature is designed with a "double key" release: to use it, you must create two permission sets, one to view the monitor and another to view the encrypted fields. Both roles are required to use the feature. The separation is only meaningful if the two permission sets are not routinely granted to the same administrator.

Contents
    Create and define McAfee DLP administrators
    Create and define permission sets
    DLP permission set options
Click Save.
4 Click Save.

5 In the Data Loss Prevention field for the new permission set, click Edit.

6 Select the required permissions and click Save.

Figure B-1 Editing a permission set for McAfee DLP Endpoint

To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.
Table B-1 Option definitions (continued)

Option                         Definition
User cannot view DLP Monitor   User is not a monitor administrator.
User can view DLP Monitor      User has full policy administrator permissions. Use this option if you are not using the sensitive data redaction feature.
Upgrade installation is similar to first-time installation, but several points must be considered.

Contents
    Upgrading issues
    Phased upgrade
    Upgrade McAfee DLP Endpoint software
    Restore the policy after upgrade
Upgrading issues
Upgrading the software has consequences in ePolicy Orchestrator and in the McAfee DLP Endpoint software setup. You must also upgrade the McAfee DLP WCF service.
Event parser
After upgrading the McAfee DLP Endpoint software suite in ePolicy Orchestrator, you must restart the McAfee Event Parser using Administrative Tools | Services.
Backward compatibility
McAfee DLP Endpoint software version 9.2 contains several changes that make policies incompatible with earlier versions of the McAfee DLP Endpoint agent. In large enterprises, upgrading McAfee DLP Endpoint on all workstation nodes can take several weeks or even months. The McAfee DLP Endpoint policy console version 9.2 initialization has a backward compatibility option that, when selected, allows communication with both old and new agents. Backward compatibility can be set to "no compatibility" (McAfee DLP Endpoint 9.2 only), Host DLP Agent 9.1 and later, Host DLP Agent 9.0 and later, or Host DLP Agent 3.0 or later.
The compatibility option "Host DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose Host DLP Agent 3.0 compatibility for all version 3 agents.
Unsupported items
If the policy contains any of the following items when the corresponding backward compatibility mode is selected, the policy cannot be applied to McAfee ePolicy Orchestrator. The unsupported items are cumulative: the McAfee Data Loss Prevention Endpoint 9.1 and above section lists version 9.2 features not supported by version 9.1 agents; for version 9.0 compatibility, the 9.1 and 9.0 sections both apply; for compatibility with version 3.0 endpoints, all three sections apply.
Table C-1 Items unsupported in backward-compatible mode

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.1 and above backward compatibility mode
Unsupported items:
  - An application file access, email, file system, removable storage, or web post protection rule contains a document property definition containing a File Name property.
  - An application file access protection rule contains a Store Evidence action.
  - A discovery or protection rule contains a Content Category or Tag Group.
  - An application file access protection rule contains a file type definition.
  - A policy contains an email storage discovery rule.
  - A clipboard rule restricts pasting into all applications.

Compatibility mode: McAfee Data Loss Prevention Endpoint 9.0 and above backward compatibility mode
Unsupported items:
  - An application definition uses the executable file hash.
  - A classification or tagging rule uses the AND operator for dictionaries or text patterns.
  - A discovery rule has the Tag action selected.
  - An email protection rule contains a subject text pattern (bypass keyword).
  - A file system or removable storage protection rule has an attachment type (encryption type) selected.
  - A file system, PDF / IMAGEWRITER, printer, or removable storage rule has the Request justification action selected.
  - A protection rule or discovery rule has Microsoft Rights Management or an unsupported attachment type selected.
  - A tagging rule contains a dictionary.
  - A tagging rule contains header / footer definitions.

Compatibility mode: McAfee Data Loss Prevention Endpoint 3.0 and above backward compatibility mode
Unsupported items:
  - An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.
  - A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.
  - An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
  - A discovery rule contains an Apply RM Policy action.
  - Removable storage file access rules are enabled.
  - Hit-highlighting is selected on the Evidence tab in the Agent Configuration.
upgrade McAfee DLP Endpoint, ePolicy Orchestrator notices that the names of the sample queries are already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it must be a public query.
Phased upgrade
Successful upgrading to McAfee Data Loss Prevention Endpoint software version 9.2 from an earlier version requires following a phased procedure that takes into account many variables. It also has certain prerequisites that must be met.
Back up the current DLP policy. Saving the policy to disk allows you to convert the policy to the new format for reuse. You can back up the policy from the McAfee DLP Endpoint policy console: the Save As option on the File menu saves the policy in .opg format.

Save the agent configuration and computer assignment groups. You can save the agent configuration and computer assignment groups from the McAfee ePolicy Orchestrator System | Policy Catalog page. Select the product (Data Loss Prevention x.x.0.0) and the category (Computers Assignment Group or Agent Configuration) from the drop-down lists, and Edit the selection. From the Edit page, select Save to File and specify a destination for the backup file.

Install the .NET Framework on the server hosting the Windows Communication Foundation (DLP-WCF) service. Verify the .NET version installed in C:\Windows\Microsoft.NET\Framework. If necessary, install Microsoft .NET 3.5 Patch 1.
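The .NET prerequisite check can be scripted so it is run on the DLP-WCF host before the upgrade window rather than discovered during it. The following script is an added example, not part of the McAfee guide or the product. It lists the version folders under the Framework directory named in the guide and reads the installer's own record of .NET 3.5 under the NDP registry key. It assumes that the guide's ".NET 3.5 Patch 1" is satisfied by .NET Framework 3.5 with service pack 1 or later, that is, an SP value of 1 or greater under the v3.5 key.

```powershell
# Added example (not from the McAfee guide): pre-upgrade .NET check for the
# server hosting the DLP-WCF service. Exit code 0 = prerequisite met, 1 = not met.
# Assumption: ".NET 3.5 Patch 1" in the guide corresponds to SP >= 1 under NDP\v3.5.
$frameworkDir = Join-Path $env:windir 'Microsoft.NET\Framework'

# Same information the guide asks you to inspect by hand: the version folders.
Write-Output "Framework folders under $frameworkDir :"
Get-ChildItem $frameworkDir |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'v*' } |
    ForEach-Object { Write-Output "  $($_.Name)" }

# Windows Installer records each framework version here; Install=1 means installed,
# SP is the service pack level, Version is the full build.
$ndp35 = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
$met = $false
if (Test-Path $ndp35) {
    $k = Get-ItemProperty -Path $ndp35
    Write-Output ('v3.5 registry state: Install={0} SP={1} Version={2}' -f $k.Install, $k.SP, $k.Version)
    $met = ($k.Install -eq 1) -and ($k.SP -ge 1)
}

if ($met) {
    Write-Output '.NET Framework 3.5 SP1 or later is present; DLP-WCF prerequisite met.'
    exit 0
}
Write-Output 'Install .NET Framework 3.5 SP1 before upgrading the DLP-WCF service.'
exit 1
```

Reading the NDP key rather than only the folder name matters because the v3.5 folder exists as soon as any 3.5 component is laid down, while the SP value only changes once the service pack is actually installed.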
Task
1 In ePolicy Orchestrator, select Software | Extensions. Click Install Extension, then click Browse and select the McAfee DLP Endpoint policy manager .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then click OK twice. If you are installing without removing the previous extension, you see a warning that the new extension will replace the existing one. Click OK. The extension is installed and appears in the extension list.

2 Click Install Extension again, click Browse and select the Help .zip file (..\help_dlp_920.zip). Click Open, then click OK. The installation dialog box warns you that you will replace the existing Help system. Click OK.
This file contains the McAfee DLP Endpoint extension to the ePolicy Orchestrator Help system.
Log out of ePolicy Orchestrator, then log back in. New features not supported by the previous installed version might not work if you do not do this.
Task
1 Restore the policy
  a Open the McAfee DLP Endpoint policy console, select File | Open, and browse to the location where you saved the backup of the previous DLP policy.
  b When prompted, click Convert to convert it.
  c On the Verify WCF Service Path screen, click Test Connection to verify that WCF is correctly configured.
  d Select Tools | Options and verify in the Backward compatibility mode section that the required version is selected.
  e Click Apply to save the policy to McAfee ePolicy Orchestrator.

2 Restore the computer assignment groups
  a In ePolicy Orchestrator select Policy | Policy Catalog.
  b Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  c Select Computers Assignment Group from the Category drop-down list.
  d Type a name and create a computers assignment group. Click Load from file and browse to the computers assignment group backup file.

3 Restore the agent configurations
  a In ePolicy Orchestrator select System | Policy Catalog.
  b Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.
  c Select Agent Configuration from the Category drop-down list.
  d Type a name and create an agent configuration. Click Load from file and browse to the agent configuration backup file.
Index

A
about this guide 5
administrators, defining 37

B
backward compatibility 11, 25, 41

C
cluster environment, preparing 24
cluster installation, testing 24
clusters, using DLP software in a cluster environment 24
command line uninstall 35
components, Data Loss Prevention (diagram) 8
computer assignments, when upgrading 41
configuration, server 15
conventions and icons used in this guide 5

D
default rule, defining 30
Device Control, feature comparison 9
DLP administrators, defining 37
DLP endpoint, checking in to ePolicy Orchestrator 29
DLP Endpoint
    deploying 31
    deploying with SMS 33
    deployment verification 32
    uninstall with SMS 34
    uninstalling 32
DLP Help extension, installing 23
DLP Monitor, initializing 28
DLP Policy console, installing 23
documentation
    audience for this guide 5
    product-specific, finding 6
    typographical conventions and icons 5

E
ePolicy Orchestrator, installing 15
event parser, when upgrading 41
evidence folder 20
evidence folder, configuring on Windows Server 2003 21
evidence folder, configuring on Windows Server 2008 22

F
feature comparison 9

H
hardware requirements 13

L
license, Device Control and DLP 27

M
McAfee ServicePortal, accessing 6
Microsoft SQL, adding a user 18
Microsoft SQL, installing 19
monitor, initializing 28

P
permission set options 38
permission sets, defining 38
phased upgrade 44
policy, initializing 25
policy, restoring after upgrade 45

Q
queries, when upgrading 41

R
redaction 19, 37
roles and permissions 20

S
server configuration 15
server software requirements 13
ServicePortal, finding product documentation 6
SMS advertisements 34
SMS installation package, creating 33
SMS uninstall package, command line 35
SMS uninstall package, creating 34

T
Technical Support, finding product information 6

U
uninstalling DLP Endpoint 32
upgrade (task description) 45
upgrade, phased 44
upgrade, unsupported items 41

V
verifying the installation 32

W
WCF, installation options 16
WCF, installing 19
WCF, troubleshooting 20
WCF, when upgrading 41
whitelist folder 20
whitelist folder, configuring on Windows Server 2003 21
whitelist folder, configuring on Windows Server 2008 22