Policy Patrol is a registered trademark of Red Earth Software®. All product names referenced in this documentation belong to the respective companies.
MANUAL

Policy Patrol Web Version 1.0

This manual, and the software described in this manual, are copyrighted. No part of this manual or the described software may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form without the prior written consent of Red Earth Software except that you may make one copy of the program solely for back-up purposes.
Copyright 2001-2006 by Red Earth Software. All rights reserved.
Table of Contents

Introduction
  Why is web filtering necessary?
  Policy Patrol Web
  Policy Patrol features
  How Policy Patrol addresses web threats
  What makes Policy Patrol unique?
  About the Policy Patrol range
Pre-installation
  System requirements
  Gathering necessary information
  Configure Authentication in ISA Server
  Remove existing cache
Installation
  Installation
  Policy Patrol Configuration Wizard
    Import users from Active Directory
    Import users from an NT domain
    Import users from a text file
  Policy Patrol Services
  Remote administration
Users & quotas
  Licensing users
    Import users from Active Directory
    Import users from an NT domain
    Import users from a text file
    Setting bandwidth limits
    Setting time limits
  Editing user quotas
  Monitoring user quotas
  Configuring quota rules
  How quotas are calculated
User security
  User access rights
  Component rights
  Folder rights
    Inheritance of folder rights
Configuring rules
  Configuring a new rule
  Configuring a Web Page rule
    Step 1. Rule Type
    Step 2. Rule Users
    Step 3. Rule Traffic & Protocols
    Step 4. Rule Conditions
    Step 5. Rule Exceptions
    Step 6. Rule Actions
    Step 7. Rule Scheduling
    Step 8. Rule Name
  Configuring a File rule
    Step 1. Rule Type
    Step 2. Rule Users
    Step 3. Rule Traffic & Protocols
    Step 4. Rule Conditions
    Step 5. Rule Exceptions
    Step 6. Rule Actions
    Step 7. Rule Scheduling
    Step 8. Rule Name
  Configuring a Quota rule
    Step 1. Rule Type
    Step 2. Rule Users
    Step 3. Rule Conditions
    Step 4. Rule Exceptions
    Step 5. Rule Actions
    Step 7. Rule Scheduling
    Step 8. Rule Name
  Editing existing rules
  Copying rules
  Ordering rules
Creating Filters
  Creating a Word/Phrase filter
    Case sensitivity
    Score
    Multiple count
    Apply when
    Import/Export
    Remove duplicates
  Creating a File filter
  Creating an IP filter
  Editing filters
  Copying filters
Creating Templates
  Creating an Email notification template
  Creating a Tag template
  Editing templates
  Copying templates
  Fields
    User fields
    Web page fields
    File fields
    Quota fields
    Date/Time fields
    Other fields
HTML Block pages
  Creating block pages
  Sample block pages
  Blocked access page
Creating schedules
  Create a schedule
  Editing a schedule
  Copying a schedule
URL categories
  Creating a URL category
    Setting bandwidth limits
    Setting time limits
  Editing categories
Monitoring
  Bandwidth monitoring
  Session monitoring
    Instantly block access for users
  Monitoring permissions
Virus checking
  Kaspersky™ Anti-Virus
  Configure Kaspersky™ Anti-Virus
  Copying your Kaspersky key
Advanced options
  System configuration
    System notifications
    Bandwidth
    Caching
  System Parameters
Sample rules
  Sample rules
    File rules
    Quota rules
    Web page rules
Troubleshooting
  Knowledge Base
    Policy Patrol Web is not filtering anything
    Policy Patrol Web has suddenly stopped working
    Will my anti-virus or backup software interfere with Policy Patrol Web?
    My anti-virus settings display unknown
    The email notification is not sent
    Network message did not pop up
    Merge field is not working
    My rule that searches for words/phrases never triggers
    I cannot enable my rule
    Why are the times in Sessions and Quotas not always the same?
    How can I copy the Policy Patrol configuration to another machine?
  Support Wizard
  Contacting Red Earth Software
Chapter 1: Introduction

Policy Patrol Web is a comprehensive web filtering tool that helps companies regulate and optimize their Internet resources by avoiding inappropriate browsing, illegal downloads, non-productive surfing, virus outbreaks and confidentiality leaks.

Why is web filtering necessary?

By blocking undesirable websites, controlling file downloads and applying user quotas, Policy Patrol Web helps companies regulate and optimize the usage of their Internet resources. Policy Patrol includes a powerful rules wizard that allows you to create customized user-based web filtering rules by specifying conditions, exceptions and actions. Real-time monitoring allows administrators to see who is currently online and which websites they are visiting. If necessary, user sessions can be blocked in real-time. In addition, advanced user permissions allow Administrators to delegate quota and rule management to other designated users.

Business benefits of using Policy Patrol Web:

- Save bandwidth
- Avoid congestion
- Protect work environment
- Improve productivity
- Ensure compliance
- Stop confidentiality breaches
- Avoid illegal downloads

Policy Patrol Web

Policy Patrol Web is an add-on for Microsoft ISA Server 2000/2004 and filters all traffic going through ISA Server.

Policy Patrol features

Policy Patrol Web offers the following features:

- URL checking
- Web access management
- Web content filtering
- File checking
- Anti-virus
- Quota management
- Real-time monitoring
- Spyware blocking

How Policy Patrol addresses web threats

Although the Internet empowers users to work more efficiently and to quickly find information needed for their jobs, providing employees with Internet access also comes with certain dangers. Policy Patrol addresses the following threats arising from employees accessing the Internet:

Web threat (PPW)

- Lost productivity
- Network congestion
- Hostile work environment
- Damage to reputation
- Confidentiality breaches
- Regulatory compliancy
- Illegal downloads
- Growing storage space
- Security hole

What makes Policy Patrol unique?

Policy Patrol distinguishes itself from other web filtering products by offering unmatched flexibility in configuring rules based on users, conditions, exceptions, and actions. In addition to the usual filtering capabilities, Policy Patrol Web offers more unique features such as time and bandwidth quota management and real-time monitoring. Finally, the product offers enterprise level security by allowing administrators to set individual user permissions for viewing and creating rules, templates and filters and for viewing and optionally ending online user sessions.

About the Policy Patrol range

The Policy Patrol suite of products is designed to help companies optimize and regulate their email, web and IM usage. In combination with sound Internet and messaging policies, Policy Patrol helps protect companies from a range of threats such as legal liability, lost productivity, damage to reputation, regulatory compliancy, confidentiality breaches and more. Policy Patrol is used by companies such as Nissan, USA.net, Targus, Canadian Pacific Railway, Lotto, Fujitsu Services (Central Government customer), Daewoo and many more. The following Policy Patrol editions are available: Policy Patrol Email, Policy Patrol Web and Policy Patrol IM.

Chapter 2: Pre-installation

This chapter describes the system requirements for Policy Patrol Web and any necessary preparations that you need to make prior to installing the software.

System requirements

Policy Patrol requires the following to be installed:

- Windows 2000 Server/Advanced Server or Windows Server 2003
- Microsoft ISA Server 2000/2004
- Microsoft .NET Framework 1.1 (If you do not have this installed you can download Policy Patrol including the .NET Framework or download the Microsoft .NET Framework from the Microsoft website: http://msdn.microsoft.com/netframework/technologyinfo/howtoget/).

We recommend using at least a Pentium IV with a 3 GHz processor and 500 MB RAM.

Gathering necessary information

Before proceeding to install and configure Policy Patrol, make sure you have the following information:

- Name or IP address of your mail server
- Bandwidth upload/download capacity

Configure Authentication in ISA Server

For Policy Patrol Web to work you must have integrated authentication enabled in Microsoft ISA Server (this is because Policy Patrol uses integrated authentication to identify users and apply rules). To check whether this has been configured, follow the next steps:

If you have ISA Server 2000:

1. Open up Microsoft ISA Server > ISA Management and go to Server and Arrays > <server name> > Properties. Select the Outgoing Web Requests tab. Make sure the option Ask unauthenticated users for identification is ticked.
2. Click on your server in the Identification list and select Edit. Make sure that Integrated is selected as the authentication method.
3. To check whether authentication is working, go to Monitoring > Sessions. Now open up a browser and go to a website. In the Sessions list you should see the user name displayed as follows: DOMAIN\UserName. If you see Anonymous instead of the user name, this means that authentication is not working. Check steps 1 and 2 above again.

If you have ISA Server 2004:

1. Open up Microsoft Internet Security and Acceleration Server 2004, go to Configuration > Networks and double-click on Internal. Go to the Web Proxy Tab. Make sure that the options Enable Web proxy clients and Enable HTTP are ticked.
2. Click on the Authentication button. Make sure the method Integrated is selected and the option Require all users to authenticate is ticked.
3. To check whether authentication is working, go to Monitoring > Sessions. Now open up a browser and go to a website. In the Sessions list you should see the user name displayed as follows: DOMAIN\UserName. If you see Anonymous instead of the user name, this means that authentication is not working. Check steps 1 and 2 above again.

Note: Policy Patrol Web will not filter any traffic if ISA Server is not configured for integrated authentication. In addition, Policy Patrol Web can only filter web requests from web browsers that support integrated authentication, such as Internet Explorer, Netscape and Mozilla Firefox.

Remove existing cache

Before you begin using Policy Patrol Web, you must delete the user's cached files on the client. If you do not remove the client cache, the cached web pages will not be content checked by Policy Patrol Web since they will be read from the cache and will not pass through Microsoft ISA Server. You only need to do this once when you install Policy Patrol Web. Once the program is installed, client caching will be automatically blocked from the server.

To remove the cache on the client machine:

1. Open Windows Explorer.
2. Go to Tools > Internet Options.
3. In the General Tab > Temporary Internet Files, click on the button Delete Files.
4. A message will pop up. Tick the option Delete all offline content and click OK. All cached web pages will now be deleted.
By default Policy Patrol will block caching of HTML pages, so you will only have to remove the cache on the client machine once. However if you wish to block all client caching (including images) you can change this setting in the System Configuration. For more information, consult the chapter Advanced options.

Chapter 3: Installation

This chapter describes the steps for installing Policy Patrol. It also discusses the different steps of the Policy Patrol Configuration Wizard and the Policy Patrol services.

Installation

Note: Policy Patrol Web must be installed on the same machine as Microsoft ISA Server.

Follow the next steps to install Policy Patrol Web on the Microsoft ISA Server machine:

1. Double-click on PPW.exe. The Install Program will start up. If you do not have Microsoft .NET Framework 1.1 installed (and the Policy Patrol download did not include it), the installation program will ask you to install it first. To download the Microsoft .NET Framework, go to http://msdn.microsoft.com/netframework/technologyinfo/howtoget/ or download Policy Patrol including the .NET Framework from http://www.policypatrol.com/.
2. In the Welcome screen, click Next.
3. Read the License Agreement and select I accept the license agreement. Click Next.
4. Enter your user name and organization name. If you want anyone who is logged on to the computer to be able to access Policy Patrol, select Anyone who uses this computer. If you only wish yourself to be able to access the program, select Only for me (user name). Click Next.
5. Select the destination folder for the Policy Patrol installation. By default the program is installed in C:\Program Files\Red Earth Software\Policy Patrol Web. If you wish to change the location, click Browse and select another folder. When you are ready, click Next.
6. Select the installation type. If you select Complete, the complete program will be installed. If you only wish to install the Administration console (for remote administration), select Admin console. Click Next to continue.
7. Enter a user name and password for the Anti-virus Updater (scheduled task). The account must have Administrative rights and the user name must be entered in the following format: DOMAIN\UserName.
8. Alternatively, you can click on the Browse button and select a server and user account. Click Next.
9. Confirm that you wish to proceed with the installation by clicking Next.
10. Policy Patrol will now start copying the files. When Policy Patrol is ready, click Finish to exit the wizard.

Policy Patrol Configuration Wizard

After installation, the Policy Patrol Configuration Wizard will start up and guide you through the following steps:

1. In the welcome screen, click Next.
2. Enter your license type. If you are evaluating, leave Policy Patrol Web 30-day evaluation enabled. If you have purchased Policy Patrol, select I already have a Policy Patrol Web serial number and enter your serial number in the dialog. You can also enter your serial number after installation in the Policy Patrol Administration console > <Server> > Security > Licenses. When you are ready, click Next.
3. Configure System Notifications. System Notifications are used to inform Administrators of licensing issues. In addition, the recipient addresses are used as the Administrator address(es) when configuring email notifications. Enter the name or IP address of your mail server. Leave the Port on 25 unless you know that the mail server is using another port. In the From: field, enter the sender of the email. In the To:, Cc: and Bcc: fields, enter the recipients for the system notifications. To check whether you have entered the settings correctly, click on the Test button. A test message will now be sent to the email addresses you specified. When you are ready, click Next.
4. Specify bandwidth capacity. Select your total upload bandwidth and total download bandwidth. These numbers are used to display real-time bandwidth usage in Monitoring. When you are ready, click Next.
5. Configure URL categories. These categories can be used in rules and for quota limits. You can also create and edit categories later in the Administration console. Note that the Uncategorized category will always be listed and cannot be removed. To create a new category, click Add. The Category wizard will start up. Enter the URLs in the list. Click Next. Now select the default quota settings for the category. These settings will be applied to all users unless you specifically change the quota settings for the user(s) from Users & quotas in the Administration console. You can configure a bandwidth limit and time limit. For more information on quota limits, please consult chapter 4 Users & Quotas. Click Next. Enter a name and description for the Category. Click Finish. If you wish to create more categories, click Add again. When you are ready, click Next.
6. Select users. Select the users you wish to license and monitor web traffic for. Click Add to add users to the list. The User wizard will start up. You can either enter the user name, email address and manager email address, or you can click on the Import button in the toolbar to import users.
The Import user wizard will start up. Select to import users from the Active Directory, NT Domain or Text file:

Import users from Active Directory

To import users from the Active Directory, follow the next steps:

- Select Active Directory and click Next.
- Browse to the folder that contains your users. The available users will appear. Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<. Click Finish.
- The User Wizard will automatically retrieve the user name, email address and any configured managers for the selected users from the Active Directory. If you wish to make any changes or enter manager email addresses for users, you can do so here. Manager email addresses are used for notifications in rules. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next.

Import users from an NT domain

To import users from an NT domain follow the next steps:

- Select NT domain and click Next.
- The available users will be listed in the left pane. To automatically generate email addresses (to be used for notifications), tick the checkbox Auto generate email addresses and enter your email domain, for instance company.com. For each user that you select, the User wizard will enter the email address in the following format: UserName@EmailDomain.
- Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<. Click Finish.
- If you selected to auto generate email addresses, the User Wizard will now display the selected users with their email addresses. If you did not select to auto generate email addresses and you wish to make use of email notifications, you must enter an email address for each user. Furthermore, if you wish to make use of manager email notifications, you must enter the email address of the user managers. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next.

Import users from a text file

To import users from a text file, follow the next steps:

- Select Text file and click Next.
- Select the text file you wish to use and click Open. The users in the text file must be in the following format: Domain\User name,Email address,Manager email address (where email address and manager email address are optional), e.g. Domain\John Doe,john_doe@company.com,Manager@company.com. Each user must be entered on a separate line and there should not be any spaces behind the commas.
- The available users will be listed in the left pane. Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<. Click Finish.
- If your text file did not include email addresses and you wish to make use of email notifications, you must enter the email address for each user. If you wish to make use of manager email notifications, you must enter a manager email address for each user. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next.

7. Configuration complete. Click Finish to exit the configuration wizard. You can now continue to configure Policy Patrol from the Administration console.

Policy Patrol Services

Policy Patrol Web installs a number of services on the machine:

- Policy Patrol Web Data Manager (if you stop this service you will no longer be able to access the Policy Patrol Administration console)
- Policy Patrol Web Remote Manager (this service enables remote administration)

Remote administration

If you wish to administer Policy Patrol from a remote machine, you can install only the Administration console on the remote machine and connect to the server with Policy Patrol installed. If you have more than one Policy Patrol installation, you will be able to connect to each installation from the same machine.

Requirements for the remote machine:

- Windows 2000 Professional/Server/Advanced Server, Windows Server 2003 or Windows XP Professional.
- Microsoft .NET Framework 1.1 (If you do not have this installed you can download Policy Patrol including the .NET Framework)

To install the Policy Patrol Administration console on a remote machine, follow the next steps:

1. Double-click on PPW.exe. The Install Program will start up. If you do not have Microsoft .NET Framework 1.1 installed (and the Policy Patrol download did not include it), the installation program will ask you to install it first. To download the Microsoft .NET Framework, go to http://msdn.microsoft.com/netframework/technologyinfo/howtoget/ or download Policy Patrol including the .NET Framework from http://www.policypatrol.com/.
2. In the Welcome screen, click Next.
3. Read the License Agreement and select I accept the license agreement. Click Next.
4. Enter your user name and organization name. If you want anyone who is logged on to the computer to be able to access Policy Patrol, select Anyone who uses this computer. If you only wish yourself to be able to access the program, select Only for me (user name). Click Next.
5. Select the destination folder for the Policy Patrol installation. By default the program is installed in C:\Program Files\Red Earth Software\Policy Patrol Web. If you wish to change the location, click Browse and select another folder. When you are ready, click Next.
6. Select Admin console as the installation type. Click Next to continue.
7. Select which version of Microsoft ISA Server you installed Policy Patrol Web on. Click Next.
8. Confirm that you wish to proceed with the installation by clicking Next.
9. Policy Patrol will now start copying the files. When Policy Patrol is ready, click Finish to exit the wizard.

To start configuring Policy Patrol, go to Start > Programs > Policy Patrol Web > Administration. Select <server name> and click Connect.

To connect to the Policy Patrol Web installation:

1. Click on Add installation.
2. Enter the installation name and the computer name or IP address of the Policy Patrol installation. Click OK.
3. Select the newly added installation from the list and click Connect.

Note: When managing Policy Patrol remotely, you will have to enter the path to folders (instead of browsing) and you will not be able to enter or change serial numbers or run the support wizard.
25 Users & quot as his chapter describes how to select licensed users and apply time and bandwidth quotas to URL categories. In addition it describes how to monitor and manage user quotas. Licensing users Policy Patrol user licensing is extremely flexible in that it allows you to only license the users that you wish to create rules for. The Policy Patrol configuration wizard has already licensed the users you selected. If you wish to add more users, go to Users & quotas and click on Add. The User Wizard will start up and guide you through the following steps: 1. Select users: You can either manually enter your users by entering a user name, email address and manager email address. Alternatively you can import users from Active Directory, an NT domain or a text file. Import users from Act ive Direct ory To import users from the Active Directory, follow the next steps: Click on the Import button in the toolbar. Select Active Directory and click Next. Browse to the folder that contains your users. The available users will appear. Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<. Click Finish. Chapter 4 T
U S E R S A N D Q U O T A S
26
The User Wizard will automatically retrieve the user name, email address and any configured managers for the selected users from the Active Directory. If you wish to make any changes or enter manager email addresses for users, you can do so here. Manager email addresses are used for notifications in rules. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next. Import users from an NT domain To import users from an NT domain follow the next steps: Click on the Import button in the toolbar. Select NT domain and click Next. The available users will be listed in the left pane. To automatically generate email addresses (to be used for notifications), tick the checkbox Auto generate email addresses and enter your email domain, for instance company. com. For each user that you select, the User wizard will enter the email address in the following format: UserName@EmailDomain. Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<. Click Finish. If you selected to auto generate email addresses, the User Wizard will now display the selected users with their email addresses. If you did not select to auto generate email addresses and you wish to make use of email notifications, you must enter an email address for each user. Furthermore, if you wish to make use of manager email notifications, you must enter the email address of the user managers. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next. Import users from a t ext file To import users from a text file, follow the next steps:
Click on the Import button in the toolbar.
Select Text file and click Next.
Select the text file you wish to use and click Open. The users in the text file must be in the following format: Domain\User name,Email address,Manager email address (where email address and manager email address are optional), e.g. Domain\John Doe,john_doe@company.com,Manager@company.com. Each user must be entered on a separate line and there should not be any spaces behind the commas.
The available users will be listed in the left pane. Select which users you wish to license by selecting the users in the list and clicking >. The selected users will appear in the right pane. To select all users click >>. If you wish to remove a user, you can select the user in the Selected users list and click <. To remove all users click <<.
Click Finish.

If your text file did not include email addresses and you wish to make use of email notifications, you must enter the email address for each user. If you wish to make use of manager email notifications, you must enter a manager email address for each user. If you wish to remove any users from the list, select the users and press Delete. When you are ready, click Next.

2. User quotas: You will be able to select bandwidth and time quota limits for the selected user(s) for each configured URL category. If you later want to change the quota settings for particular users, you can do this from the user properties (see paragraph Editing user quotas).
Note: The category Uncategorized includes all websites that have not been included in a URL category.

Setting bandwidth limits

If you wish to set a bandwidth limit for the category, tick the checkbox Use bandwidth limit next to the appropriate category. Enter the amount of KB or MB you wish to limit the bandwidth usage to. By creating a quota rule you can specify what should happen if the limit is reached (see later in this chapter).

Optionally you can specify a bandwidth warning level in KB or MB. The bandwidth warning level can for instance be used to inform the user that their bandwidth limit will soon be reached or to notify a manager or administrator.

Finally, select a daily or weekly bandwidth interval. If you select a daily interval, the bandwidth usage will be counted per day. If you select a weekly interval the bandwidth usage will be counted per week.

For instance, if you wish to limit the bandwidth usage of the Sports & News category to 250 KB per user per day, select Use bandwidth limit and enter 250 KB. Select per day as the bandwidth interval.

Setting time limits

If you wish to set a time limit for the category, tick the checkbox Use time limit next to the appropriate category. Enter the number of hours and minutes you wish to limit the browsing time to. By creating a quota rule you can specify what should happen if the limit is reached (see later in this chapter).

Optionally you can specify a time warning level in hours and minutes. The time warning level can for instance be used to inform the user that their time limit will soon be reached or to notify a manager or administrator.

Finally, select a daily or weekly time interval. If you select a daily interval, the time usage will be counted per day. If you select a weekly interval the time usage will be counted per week.

For instance, if you wish to limit the time usage of the Web email category to 30 minutes per user a week, select Use time limit and enter 00.30. Select per week as the time interval.

Editing user quotas

If you want to edit quota limits for an existing user, select the user in the list and click Properties. Go to the User quotas tab and make the appropriate changes. When you are done, click OK.
If you wish to make the same changes for several users, select the appropriate users by using the SHIFT or CTRL key and click on the Properties button. Go to the User quotas tab. Any changes you make will be applied to all the selected users.
Monitoring user quotas

By clicking on the + sign next to each user, you will be able to see the amount of bandwidth and time used for each category and any configured bandwidth and time limits. The bandwidth and time usage are shown per day or per week as is specified in the interval. If no limits have been set, the usage is shown using the interval that is specified in the Category Properties > Quotas > Interval.

The color of the circle preceding the category indicates whether the quota limit has been reached:
Green circle: No quota limits have been reached.
Yellow circle: Quota warning level has been reached.
Red circle: Quota limit has been reached.

Note: Quota usage is shown with a 3 minute delay. This means that when a user browses to a web page, the quota usage will only appear after 3 minutes.

Tip: Even if you do not want to apply quotas to users, you can still monitor quotas to obtain useful information about your users' browsing activities.

Configuring quota rules

By configuring a quota rule you can specify what should happen if a quota is reached. For instance you can send a notification message or you can block further browsing and display an HTML page. To do so, follow the next steps:

1. Go to Rules > <folder> and click New.
2. Select Quota rule and click Next.
3. Select the users you wish to apply the rule to. You can optionally exclude IP addresses. Click Next.
4. In Conditions, select Trigger rule if following conditions are met. Expand user quotas and select one of the following options: Quota warning level is reached or Quota limit is reached.
5. Enter any exceptions if applicable. Click Next.
6. Select a primary action: Allow access, Block access or Redirect to URL. If you select to block access, a sample HTML block page will be shown. For more information on how to customize this page, consult the paragraph Blocked access page in Chapter 9. If you wish to send an email notification, click on Notifications and select Email notification. Click on the link in the description and select the recipients of the notification and the appropriate notification template. When you are ready, click Next.
7. Specify any scheduling options if you wish. Click Next.
8. Enter a name and description for the rule and click Finish.

How quotas are calculated

Bandwidth quotas are calculated using the actual bandwidth download/upload figures from Microsoft ISA Server. Time quotas are calculated by adding up the total time for each user session. A user session starts when the user connects to a website or downloads/uploads a file and ends if there has been inactivity for more than 5 minutes. If the user then starts browsing again after 5 minutes, a new session is started.
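The session rule above can be checked against proxy log timestamps with a short script. This is an added example, not Policy Patrol's own code: the function names and the sample timestamps are constructed, and it assumes that a session's time runs from its first to its last request, that a session is counted in the interval in which it starts, and that a weekly interval means the ISO week.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# From the manual: a session ends after more than 5 minutes of inactivity.
INACTIVITY = timedelta(minutes=5)


def split_sessions(timestamps, inactivity=INACTIVITY):
    """Group request times of one user in one category into (start, end) sessions."""
    sessions = []
    for ts in sorted(timestamps):
        if sessions and ts - sessions[-1][1] <= inactivity:
            sessions[-1][1] = ts           # gap of 5 minutes or less: same session
        else:
            sessions.append([ts, ts])      # idle for more than 5 minutes: new session
    return [tuple(s) for s in sessions]


def interval_key(ts, interval):
    """Bucket a timestamp per day or per week (ISO week numbering is an assumption)."""
    if interval == "day":
        return ts.date().isoformat()
    if interval == "week":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    raise ValueError("interval must be 'day' or 'week'")


def time_usage(timestamps, interval):
    """Add up session time per interval, as the time quota description states."""
    usage = defaultdict(timedelta)
    for start, end in split_sessions(timestamps):
        # Assumption: a session counts towards the interval in which it starts,
        # and a single isolated request contributes zero time.
        usage[interval_key(start, interval)] += end - start
    return dict(usage)


def quota_status(used, limit, warning=None):
    """Map usage to the circle colors of the monitoring view."""
    if used >= limit:
        return "red"
    if warning is not None and used >= warning:
        return "yellow"
    return "green"


def at(day, hhmm):
    """Helper for the constructed sample data (March 2006)."""
    return datetime.strptime(f"2006-03-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed request times for one user in the Web email category.
SAMPLE = [
    at(6, "09:00"), at(6, "09:03"), at(6, "09:07"), at(6, "09:12"),  # gaps 3, 4, 5 min
    at(6, "09:18"), at(6, "09:20"),                                  # 6 min gap: new session
    at(7, "12:00"), at(7, "12:04"), at(7, "12:08"),
    at(8, "13:00"), at(8, "13:05"), at(8, "13:10"),
]

if __name__ == "__main__":
    limit = timedelta(minutes=30)      # the manual's example: 30 minutes per week
    warning = timedelta(minutes=20)    # constructed warning level
    for week, used in time_usage(SAMPLE, "week").items():
        print(week, used, quota_status(used, limit, warning))
```

A gap of exactly 5 minutes stays inside the session because the manual ends a session only after more than 5 minutes of inactivity.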
Chapter 5
User security

Policy Patrol security is implemented at three levels; user access rights, component rights and folder rights. This chapter discusses how all three security levels can be implemented.

User access rights

When you connect to a Policy Patrol installation, you will be asked for log on credentials. You can log on with the current credentials or specify another user name and password.

By default only the members of the Administrator group are allowed to connect to Policy Patrol installations. To define which users have access rights, follow the next steps:

1. Select <server name>, expand Security and click on User security.
2. To add a user with access rights to Policy Patrol, click on Add. Select the users you wish to add and click OK. To remove a user from the list, select the user and click Remove.
3. To give the user Administrator rights, select the user and tick the check box Administrator rights. The user icon will now include a small lock to indicate that it has administrative rights. Policy Patrol Administrators have full access to all components and folders and cannot be denied any permissions. It is strongly recommended to make at least one user an Administrator so that this user will always be able to access all options in Policy Patrol.

Note: If you wish to grant a user from another domain access rights, you can right-click in the Security list and select Add other. This will allow you to specify a user by entering the user name in DOMAIN\Username format.
Component rights

Now that you have set the access rights to the Administration console, you can specify which Policy Patrol components (i.e. tree nodes) each user has access to. By default, each user has access to all components. To change the access rights for a certain component, follow the next steps:

1. Right-click the component (for instance Rules) and choose Component properties.
2. Go to the Security tab. By default the (Everyone) group has full access to the component. To change permissions, select the group and change the Allow/Deny permissions. The following rights can be applied:

Right          Description
View           View items
Create         Create new items
Edit           Edit existing items
Delete         Delete items
Folder owner   Change folder permissions
If you only wish certain users to have rights to the component, click on Add and select the user(s) with the permissions. Select Allow or Deny for the relevant rights. Then select Everyone and click Deny for all rights. If you wish all users to have access to the component apart from a couple of exceptions, click on Add and select the users to be denied access. Select the user(s) and tick the Deny check boxes. A Folder owner has the right to change the component permissions for the component. Therefore, if you wish to deny permissions for a user, you must also select Deny for the Folder owner right.
Remember that each component needs to have at least one Folder owner and that Administrators cannot be denied any permissions. When you have finished editing permissions, click OK.

Note: The permissions in the monitoring component differ slightly from the other components. Therefore permissions in the Monitoring component are discussed in the chapter Monitoring.

Folder rights

Policy Patrol makes use of folders for structuring purposes and to provide the possibility of controlling user access and rights to different folders. Policy Patrol includes a number of sample folders but you can also create your own folders. To create a new folder, right-click the component and choose New folder. If you wish to create a subfolder, you must right-click on the parent folder and choose the option New folder.

By default all users are given full rights to all folders. To change the permissions for a folder, follow the next steps:

1. Right-click the folder and select Folder properties.
2. Go to the Security tab. By default the (Everyone) group has full access to the folder. To change permissions, select the group and change the Allow/Deny permissions. The following rights can be applied:

Right          Description
View           View items
If you only wish certain users to have rights to the folder, click on Add and select the user(s) with the permissions. Select Allow or Deny for the relevant rights. Then select Everyone and click Deny for all rights. If you wish all users to have access to the folder apart from a couple of exceptions, click on Add and select the users to be denied access. Select the user(s) and tick the Deny check boxes.

A Folder owner has the right to change the folder permissions for the folder. Therefore, if you wish to deny permissions for a user, you must also select Deny for the Folder owner right. Remember that each folder needs to have at least one Folder owner and that Administrators cannot be denied any permissions.

Inheritance of folder rights

If you create a subfolder, the subfolder will inherit the permissions of the top folder. If you edit the rights for a folder that contains subfolders, the same changes will be applied to the subfolders.

Note: Policy Patrol Administrators have full rights to all components and folders and cannot be denied any permissions. If you wish to block access for a user with Administrator rights, you must first remove the Administrator rights for the user in <server name> > Security > User security.
Chapter 6
Configuring rules

Policy Patrol Web includes a powerful rules wizard that allows you to specify users, conditions, exceptions and actions. This chapter describes how to configure your rules in Policy Patrol.

Configuring a new rule

To configure a new rule, go to Rules and select the folder in which you wish to create your rule. If you wish to create a new folder, right-click on Rules and select New folder. In the folder click on the New button.

Note: Remember that you must first select a folder before you can create a new rule.

The rules wizard will appear. In the Welcome screen, click Next. The rules wizard will now ask you which type of rule you wish to create. There are three types of rules:
Web page rule (content checks http and https pages)
File rule (checks ftp and http file downloads and http uploads)
Quota rule (applies when quota warning levels/limits are reached)

Each type of rule is described in the paragraphs below.

Info: The wizard is divided into two panes. The rule options are displayed in the top pane. Each time you select an option, a description of it is placed in the bottom pane. If you still need to set a certain value, the description will include a red link. Click on this link to configure the respective option. Once a value is set, the link color will change to blue. If you have not yet set all values when you click finish to create your rule, a warning will pop up. You will still be able to create the rule, but the rule will not be enabled until you set all values.

Configuring a Web Page rule

Go to Rules > <folder> and click New. The rules wizard will guide you through the following steps:

Step 1. Rule Type

Select Web page rule and click Next.

Step 2. Rule Users

To apply the rule globally, select All users. To apply the rule to certain users, select Users listed below and click Add. Select the users for the rule and click OK. To remove users, select the user(s) and click Remove. If you wish to add IP address exceptions click on Exclude and enter the IP address(es) to exclude in Start IP. If you wish to enter an IP range, enter a Start and End IP. Click OK. When you are ready click Next.
Step 3. Rule Traffic & Protocols

Select whether you wish to filter http:// or https:// pages. You can only select one protocol per rule since the conditions differ for each protocol. Http:// rules can include content and URL conditions, but https:// rules can only include URL conditions. Click Next.
Step 4. Rule Conditions

Here you must specify which conditions should be met for the rule to trigger. If the rule should trigger for all web pages (for instance if you just want to block access at certain times of the day), leave No conditions selected and click Next. If the rule should only trigger for certain web pages, select Trigger rule if following conditions are met (for instance if you want to block access to certain URL categories or to web pages that contain certain words).

If any of the conditions must be met, select Match any of the conditions. For instance, if you wish to block web pages with streamed or active content, select this option. If all the conditions must be met, select Match all of the conditions. Select this option if for instance you wish to block access to pages that contain offensive words and are included in a selected URL category.

If you selected to filter http:// in step 3 the following conditions are available:
URL

IP address exists in filter: This condition checks whether the IP address exists in a filter. To prevent users from bypassing the filter, Policy Patrol will also check URLs by converting the URL to an IP address by way of a reverse DNS lookup. Click on the filter link in the description. Browse to the appropriate folder, select the IP filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

URL is from category: This condition checks whether the URL is listed in a category. To prevent users from bypassing the filter, Policy Patrol will also check IP addresses by converting the IP address to a URL using a reverse DNS lookup. Click on the category link in the description. Select the category and press the > button. The category will now appear in the right pane. Repeat this for all the categories you want to check (you can select multiple categories by using the SHIFT key). If you wish to create a new category for the rule, click New. If you wish to view the properties of the selected category, click Properties. When you are ready, click OK.

URL is IP address: Select this option if you wish to check whether a user is entering an IP address instead of a URL in the browser address bar.
Word/phrase from URL exists in filter: Select this option if you wish to check for the presence of words in the URL. Click on the filter link in the description. Browse to the appropriate folder, select the Word/phrase filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

Web page

Word/phrase from web page exists in filter: Select this option if you wish to check for the presence of words in a web page. Click on the filter link in the description. Browse to the appropriate folder, select the Word/phrase filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. If you want to check for HTML tags, tick the option Check HTML tags. If you do not check this option, Policy Patrol Web will remove the HTML tags before searching for words and phrases. When you are ready, click OK.
Note: Since checking for words/phrases is processor intensive, it is better to order these rules below other rules based on URL conditions or categories.

Web page has streamed content: Select this option if you wish to check for the presence of streamed content in a web page.
Web page has active content: This option checks for the presence of active content in a web page. Click on the active content link in the description. Specify which active content must be filtered:
ActiveX content is present: Select this option to check for ActiveX content. ActiveX can potentially include malicious content (depending on the security settings, most web browsers warn when ActiveX is being downloaded and will allow the user to specify whether to install and run the ActiveX Control).
Java content is present: Select this option to check for the presence of Java code (depending on the security setting, most web browsers warn when Java code is being downloaded and will allow the user to specify whether to install and run the Java application).
Java Script content is present: Select this option to check for Java script embedded in a web page. Be careful when selecting this option since Java Script is used in many websites.
VB Script content is present: Select this option to check for VB Script embedded in a web page.

Web page contains virus or spyware: This option checks whether the web page contains a virus or spyware, including Pornware, Adware and Riskware. Click on the virus or spyware link and select whether you wish to check for known and/or suspected viruses or spyware. Note that this option requires a license for the Kaspersky Anti-Virus add-on.
If you selected to filter https:// in step 3, the following conditions are available:
URL

IP address exists in filter: This condition checks whether the IP address exists in a filter. To prevent users from bypassing the filter, Policy Patrol will also check URLs by converting the URL to an IP address by way of a reverse DNS lookup. Click on the filter link in the description. Browse to the appropriate folder, select the IP filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

URL is from category: This condition checks whether the URL is listed in a category. To prevent users from bypassing the filter, Policy Patrol will also check IP addresses by converting the IP address to a URL using a reverse DNS lookup. Click on the category link in the description. Select the category and press the > button. The category will now appear in the right pane. Repeat this for all the categories you want to check (you can select multiple categories by using the SHIFT key). If you wish to create a new category for the rule, click New. If you wish to view the properties of the selected category, click Properties. When you are ready, click OK.
Note: When checking an https:// URL, Policy Patrol can only retrieve the top domain.
URL is IP address: Select this option if you wish to check whether a user is entering an IP address instead of a URL in the browser address bar.

Word/phrase from URL exists in filter: Select this option if you wish to check for the presence of words in the URL. Click on the filter link in the description. Browse to the appropriate folder, select the Word/phrase filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

When you are ready specifying the conditions to be met, click Next.

Step 5. Rule Exceptions

If the rule has no exceptions, leave the option No exceptions enabled. To specify exceptions, select Do not trigger rule if following exceptions are met. The options will now be the same as in step 4. Exceptions can for instance be useful if you never want to block access to certain sites (e.g. your own site and other trusted sites required for work purposes).

If any of the exceptions must be met, select Match any of the exceptions. For instance, if you wish to exclude web pages with streamed or active content, select this option. If all the conditions must be met, select Match all of the exceptions. Select this option if for instance you wish to exclude pages that contain offensive words and are included in a selected URL category. When you are ready specifying exceptions, click Next.

Step 6. Rule Actions

Policy Patrol includes two different types of actions: primary and secondary actions. The primary actions are mutually exclusive, i.e. you can only choose one primary action. Secondary actions are additional actions and are not mutually exclusive. Therefore you can configure as many secondary actions as you wish.
Primary actions

Three primary actions are available:

1. Allow Access: This option will provide access to the web page as normal.
2. Block Access: This option will block access to the web site. Optionally you can configure an HTML page to be shown (only available if you selected http:// as the protocol). This page could for instance inform the user why they are not allowed to view the particular web page. To configure a page to be shown, click on the link do not display HTML page and select Show the following HTML page. Click on , select the HTML file and click Open. For more information on how to create HTML pages, please consult the chapter HTML block pages.
3. Redirect to URL: Select this option to redirect the browser to an alternative web page. The user will be redirected to this page once every minute. Click on the URL link in the description and enter the URL to guide users to (there is no need to enter http://). For instance, you might want to redirect users to a web page on your Intranet.

Secondary actions

The following secondary actions are available:

Notifications

Send email notification: Select this option if you wish Policy Patrol to send an email notification message. Click on the email notification link in the description and enter or select a From: address. If you wish a display name to appear in the notification message, enter display name <email address>, for instance: "John Doe" <John.Doe@company.com>.
Now specify who should receive the notification (user, manager, administrator, or other) and select the template to be used for each recipient by clicking on the button. Note that the manager's email address is specified in Users & Quotas (Select User > Properties). If you wish to use a new template, click New. If you wish to see the properties of the template, click Properties.
Note: This option requires your mail server settings to be specified in <server name> > Advanced > System configuration > System notifications tab. If you wish to send a notification externally, you must allow the Policy Patrol machine to send out email (relay) via your mail server.
Send network message: Select this option to send a network message. Click on the network message link in the description. If you want to send a message to the user that triggered the rule, select Send message to user and click on to select a template. If you want to send a message to specified users, select Send message to following user(s), enter the user name or IP address of the computer(s) you wish to send a network message to and click on to select a template. If you want to enter multiple IP addresses you can separate them by a semi-colon (;).
Categories & filters

Add URL to category: Select this option if you wish Policy Patrol to add the URL of the web page to a URL category. Click on the category link in the description and select the category that you wish to add the URL to. If you wish to create a new category, click New. If you wish to see the properties of the category, click Properties. Select whether you wish to add the top domain (i.e. www.cnn.com), the domain and sub domains (i.e. www.cnn.com/sports) or the complete path (i.e. www.cnn.com/sports/newsitem3455.htm).
Add IP to filter: Select this option if you wish Policy Patrol to add the IP address to an IP filter. Click on the filter link in the description and select the IP filter to add the IP address to. If you wish to create a new filter, click New. If you wish to see the properties of the filter, click Properties.

Step 7. Rule Scheduling

A rule can be scheduled to run on certain days, times, and dates. If you do not wish to schedule the rule, select No scheduling and click Next. If you wish to schedule the rule, select Use the following schedule and select the schedule from the drop down list. If you wish to create a new schedule, click New. If you wish to see the properties of a schedule, click Properties. For more information on how to create schedules, please consult the chapter Creating Schedules.
Tip: It can be useful to schedule a rule if for instance you wish to allow access to certain websites during non-working hours and lunch breaks, but not during working hours.

Step 8. Rule Name

In the final step, enter a name for the rule and any comments. Uncheck the Enable this rule box if you do not want the rule to be enabled right away. Click Finish to create the rule.

Configuring a File rule

Go to Rules > <folder> and click New. The rules wizard will guide you through the following steps:

Step 1. Rule Type

Select File rule and click Next.

Step 2. Rule Users

To apply the rule globally, select All users. To apply the rule to certain users, select Users listed below and click Add. Select the users for the rule and click OK. To remove users, select the user(s) and click Remove. If you wish to add IP address exceptions click on Exclude and enter the IP address(es) to exclude in Start IP. If you wish to enter an IP range, enter a Start and End IP. Click OK. When you are ready click Next.
Step 3. Rule Traffic & Protocols

Select whether you wish to filter http:// and/or ftp:// traffic. Next, specify whether you wish to check Upload and/or Download traffic. Note that for the ftp protocol you can only filter download traffic. Click Next.
Step 4. Rule Conditions

Here you must specify which conditions should be met for the rule to trigger. If the rule should trigger for all files (for instance if you want to block access at certain times of the day), leave No conditions selected and click Next. If the rule should only trigger for certain files, select Trigger rule if following conditions are met (for instance if you only wish to block files of a certain type or size).
If any of the conditions must be met, select Match any of the conditions. For instance, if you wish to check file downloads/uploads of a certain type or size. If all the conditions must be met, select Match all of the conditions. Select this option if, for instance, you wish to block file downloads from certain URL categories.
URL

IP address exists in filter: This condition checks whether the IP address exists in a filter. To prevent users from bypassing the filter, Policy Patrol will also check URLs by converting the URL to an IP address by way of a reverse DNS lookup. Click on the filter link in the description. Browse to the appropriate folder, select the IP filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

URL is from category: This condition checks whether the URL is listed in a category. To prevent users from bypassing the filter, Policy Patrol will also check IP addresses by converting the IP address to a URL using a reverse DNS lookup. Click on the category link in the description. Select the category and press the > button. The category will now appear in the right pane. Repeat this for all the categories you want to check (you can select multiple categories by using the SHIFT key). If you wish to create a new category for the rule, click New. If you wish to view the properties of the selected category, click Properties. When you are ready, click OK.
URL is IP address: Select this option if you wish to check whether a user is entering an IP address instead of a URL in the browser address bar.

Word/phrase from URL exists in filter: Select this option if you wish to check for the presence of words in the URL. Click on the filter link in the description. Browse to the appropriate folder, select the Word/phrase filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.

File

File name/type exists in filter: This option checks whether a file name or type exists in a filter. Click on the filter link in the description. Browse to the appropriate folder, select the File filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.
File is of size: Select this option to check the size of a file. Click on the size link in the description and specify whether the file should be greater than, less than, between or not between certain values.
File contains virus or spyware: This option checks whether the file contains a virus or spyware, including Pornware, Adware and Riskware. Click on the virus or spyware link and select whether you wish to check for known and/or suspected viruses or spyware. Note that this option requires a license for the Kaspersky Anti-Virus add-on.
File is spoofed: By checking this condition Policy Patrol will check whether the file has been changed to disguise the actual file format. Note that this option is only available for http:// and ftp:// downloads, not for http:// uploads. You can select three options:
Multiple extensions: Sometimes files that contain viruses are given double extensions, for instance virus.txt.exe. If you check this option, Policy Patrol will check for files with multiple extensions.
CLSID extension: Some viruses are spread by giving files CLSID extensions. This makes the file seem to be of a different or unknown file format, but when opened will activate a predetermined application. For instance, a virus executable could be named virus.txt and given a CLSID extension. This will make the file look like a txt file (although the icon will be for an unknown file format). However, when the user double-clicks on the file the program will execute. If you tick this option, Policy Patrol will check for files that have been given a CLSID extension.
Binary text file: Some files might be disguised as text files to avoid being blocked by filters. For instance, pictures could be renamed as a .txt file. In this case the text files will not contain text, but binary code. By checking this option, Policy Patrol will check whether text files contain binary code.
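The three spoofing checks described above can be reproduced in a log-review or gateway script; the following is an added example, not Policy Patrol's own code. The extension lists, the 5% control-character threshold and the sample CLSID are assumptions constructed for illustration.

```python
import re

# A CLSID used as a trailing file-name extension: .{8-4-4-4-12 hex digits}
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumptions of this example, not values taken from Policy Patrol:
TEXT_EXTENSIONS = {"txt", "csv", "log"}        # types expected to hold text
COMPOUND_OK = {"tar.gz", "tar.bz2", "tar.xz"}  # legitimate double extensions
TEXT_CONTROLS = {9, 10, 12, 13}                # tab, LF, form feed, CR


def extensions(name):
    """Return the lower-cased extension segments of a bare file name."""
    base = CLSID_SUFFIX.sub("", name).lstrip(".")
    return [part.lower() for part in base.split(".")[1:] if part]


def has_multiple_extensions(name):
    """virus.txt.exe style names; versioned names such as report.v1.pdf also match."""
    exts = extensions(name)
    return len(exts) >= 2 and ".".join(exts[-2:]) not in COMPOUND_OK


def has_clsid_extension(name):
    """True when the name ends in a CLSID, which Windows hides from the user."""
    return bool(CLSID_SUFFIX.search(name))


def looks_binary(data, sample_size=4096, max_control_ratio=0.05):
    """Heuristic: does the start of the content look like something other than text?"""
    sample = data[:sample_size]
    if not sample:
        return False
    if sample[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # UTF-16 text legitimately contains NUL bytes, so judge decoded characters.
        text = sample[: len(sample) // 2 * 2].decode("utf-16", errors="replace")
        controls = sum(1 for c in text if ord(c) < 32 and ord(c) not in TEXT_CONTROLS)
        return controls / max(len(text), 1) > max_control_ratio
    if b"\x00" in sample:
        return True
    controls = sum(1 for b in sample if b < 32 and b not in TEXT_CONTROLS)
    return controls / len(sample) > max_control_ratio


def check_spoofing(name, data):
    """Return the list of spoofing indicators found for one downloaded file."""
    findings = []
    if has_multiple_extensions(name):
        findings.append("multiple-extensions")
    if has_clsid_extension(name):
        findings.append("clsid-extension")
    exts = extensions(name)
    if exts and exts[-1] in TEXT_EXTENSIONS and looks_binary(data):
        findings.append("binary-text-file")
    return findings


# Constructed sample inputs (not real files or a real CLSID).
PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
SAMPLE_CLSID_NAME = "virus.txt.{11111111-2222-3333-4444-555555555555}"

if __name__ == "__main__":
    for name, data in [("virus.txt.exe", b"MZ\x90\x00"),
                       (SAMPLE_CLSID_NAME, b"MZ\x90\x00\x03"),
                       ("holiday.txt", PNG_HEADER),
                       ("readme.txt", b"plain text\r\n")]:
        print(name, check_spoofing(name, data))
```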
File contains word/phrase from filter: Select this option if you wish to check for the presence of words in a file (Policy Patrol can check text and html files). Click on the filter link in the description. Browse to the appropriate folder, select the Word/phrase filter and press the > button. The filter will now appear in the right pane. Repeat this for all the filters you wish to check (you can select multiple filters by using the SHIFT key). If you wish to create a new filter for the rule, click New. If you wish to view the properties of the selected filter, click Properties. When you are ready, click OK.
When you have finished specifying the conditions to be met, click Next.
Step 5. Rule Exceptions
If the rule has no exceptions, leave the option No exceptions enabled. To specify exceptions, select Do not trigger rule if following exceptions are met. The options will now be the same as in step 4. Exceptions can for instance be useful if you never want to block file uploads or downloads to and from certain sites (e.g. your own site and other trusted sites required for work purposes). If any of the exceptions must be met, select Match any of the exceptions. For instance, if you wish to exclude file downloads/uploads of a certain type or size. If all the exceptions must be met, select Match all of the exceptions. Select this option if, for instance, you wish to exclude file downloads from certain URL categories. When you have finished specifying exceptions, click Next.
Step 6. Rule Actions
Policy Patrol includes two different types of actions: primary and secondary actions. The primary actions are mutually exclusive, i.e. you can only choose one primary action. Secondary actions are additional actions and are not mutually exclusive. Therefore you can configure as many secondary actions as you wish.
Primary actions
Three primary actions are available:
1. Allow Access: This option will provide access to the file as normal.
2. Block Access: This option will block access to the file. The file will start downloading until it reaches 50% and then the file download will be aborted. The saved file will not be valid since it will not be complete.
Note: Policy Patrol Web implements a trickle download approach so as not to interfere with the user's downloading experience. When half of the file is downloaded, Policy Patrol checks whether the file meets the conditions of any configured rules and applies the rules accordingly.
3. Redirect to URL: Select this option to redirect the browser to an alternative web page. Click on the URL link in the description and enter the URL to guide users to (there is no need to enter http://). For instance, you might want to redirect users to a web page on your Intranet.
Secondary actions
The following secondary actions are available:
Notifications
Send email notification: Select this option if you wish Policy Patrol to send an email notification message. Click on the email notification link in the description and enter or select a From: address. If you wish a display name to appear in the notification message, enter display name <email address>, for instance "John Doe" <John.Doe@company.com>. Now specify who should receive the notification (user, manager, administrator, or other) and select the template to be used for each recipient. Note that the manager's email address is specified in Users & Quotas (Select user > Properties). If you wish to use a new template, click New. If you wish to see the properties of the template, click Properties.
Note: This option requires your mail server settings to be specified in <server name> > Advanced > System configuration > System notifications tab. If you wish to send a notification externally, you must allow the Policy Patrol machine to send out email (relay) via your mail server.
Send network message: Select this option to send a network message. Click on the network message link in the description. If you want to send a message to the user that triggered the rule, select Send message to user and click on to select a template. If you want to send a message to specified users, select Send message to following user(s), enter the user name or IP address of the computer(s) you wish to send a network message to and click on to select a template. If you want to enter multiple IP addresses you can separate them by a semi-colon (;).
2. Categories & filters
Add URL to category: Select this option if you wish Policy Patrol to add the URL to a URL category. Click on the category link in the description and select the category that you wish to add the URL to. If you wish to create a new category, click New. If you wish to see the properties of the category, click Properties. Select whether you wish to add the top domain (i.e. www.cnn.com), the domain and sub domains (i.e. www.cnn.com/sports) or the complete path (i.e. www.cnn.com/sports/newsitem3455.htm).
Add IP to filter: Select this option if you wish Policy Patrol to add the IP address to an IP filter. Click on the filter link in the description and select the IP filter to add the IP address to. If you wish to create a new filter, click New. If you wish to see the properties of the filter, click Properties.
Step 7. Rule Scheduling
A rule can be scheduled to run on certain days, times, and dates. If you do not wish to schedule the rule, select No scheduling and click Next. If you wish to schedule the rule, select Use the following schedule and select the schedule from the drop down list. If you wish to create a new schedule, click New. If you wish to see the properties of a schedule, click Properties. For more information on how to create schedules, please consult the chapter Creating Schedules.
Tip: It can be useful to schedule a rule if for instance you wish to block large file uploads and downloads during business hours.
Step 8. Rule Name
In the final step, enter a name for the rule and any comments. Uncheck the Enable this rule box if you do not want the rule to be enabled right away. Click Finish to create the rule.
Configuring a Quota rule
Go to Rules > <folder> and click New. The rules wizard will guide you through the following steps:
Step 1. Rule Type
Select Quota rule and click Next.
Step 2. Rule Users
To apply the rule globally, select All users. To apply the rule to certain users, select Users listed below and click Add. Select the users for the rule and click OK. To remove users, select the user(s) and click Remove. If you wish to add IP address exceptions, click on Exclude and enter the IP address(es) to exclude in Start IP. If you wish to enter an IP range, enter a Start and End IP. Click OK. When you are ready, click Next.
Step 3. Rule Conditions
Here you must specify which conditions should be met for the rule to trigger. If the rule should always trigger, leave No conditions selected and click Next. If the rule should only trigger in certain circumstances, select Trigger rule if following conditions are met. If any of the conditions must be met, select Match any of the conditions. If all the conditions must be met, select Match all of the conditions.
User quotas
Quota warning level is reached: Select this option to trigger the rule when the user reaches his/her quota warning level. If the user has both a bandwidth and time warning level configured, the rule will trigger when the first warning level is reached.
Quota limit is reached: Select this option to trigger the rule when the user reaches his/her quota limit. If the user has both a bandwidth and time limit configured, the rule will trigger when the first limit is reached.
Step 4. Rule Exceptions
If the rule has no exceptions, leave the option No exceptions enabled. To specify exceptions, select Do not trigger rule if following exceptions are met. The options will now be the same as in step 3. When you have finished specifying exceptions, click Next.
Step 5. Rule Actions
Policy Patrol includes two different types of actions: primary and secondary actions. The primary actions are mutually exclusive, i.e. you can only choose one primary action. Secondary actions are additional actions and are not mutually exclusive. Therefore you can configure as many secondary actions as you wish.
Primary actions
Three primary actions are available:
1. Allow Access: This option will provide access to the web page as normal.
2. Block Access: This option will block access to the web site. Optionally you can configure an HTML page to be shown. This page could for instance inform the user why they are not allowed to view the particular web page. To configure a page to be shown, click on the link do not display HTML page and select Show the following HTML page. Click on , select the HTML file and click Open. For more information on how to create HTML pages, please consult the chapter HTML block pages.
3. Redirect to URL: Select this option to redirect the browser to an alternative web page. Click on the URL link in the description and enter the URL to guide users to (there is no need to enter http://). For instance, you might want to redirect users to a web page on your Intranet.
Secondary actions
The following secondary actions are available:
Notifications
Send email notification: Select this option if you wish Policy Patrol to send an email notification message. Click on the email notification link in the description and enter or select a From: address. If you wish a display name to appear in the notification message, enter display name <email address>, for instance "John Doe" <John.Doe@company.com>. Now specify who should receive the notification (user, manager, administrator, or other) and select the template to be used for each recipient. Note that the manager's email address is specified in Users & Quotas (Select user > Properties). If you wish to use a new template, click New. If you wish to see the properties of the template, click Properties.
Note: This option requires your mail server settings to be specified in <server name> > Advanced > System configuration > System notifications tab. If you wish to send a notification externally, you must allow the Policy Patrol machine to send out email (relay) via your mail server.
Send network message: Select this option to send a network message. Click on the network message link in the description. If you want to send a message to the user that triggered the rule, select Send message to user and click on to select a template. If you want to send a message to specified users, select Send message to following user(s), enter the user name or IP address of the computer(s) you wish to send a network message to and click on to select a template. If you want to enter multiple IP addresses you can separate them by a semi-colon (;).
Step 7. Rule Scheduling
A rule can be scheduled to run on certain days, times, and dates. If you do not wish to schedule the rule, select No scheduling and click Next. If you wish to schedule the rule, select Use the following schedule and select the schedule from the drop down list. If you wish to create a new schedule, click New. For more information on how to create schedules, please consult the chapter Creating Schedules.
Step 8. Rule Name
In the final step, enter a name for the rule and any comments. Uncheck the Enable this rule box if you do not want the rule to be enabled right away. Click Finish to create the rule.
Note: Remember that you must order quota limit rules above quota warning rules (see paragraph below on how to order rules). Otherwise only the warning rule will trigger, and the limit rule will never trigger.
Editing existing rules
To edit an existing rule, go to Rules, select the appropriate folder and select the rule to be edited. Then click on the Properties button. A dialog with several tabs will appear. Make the changes in the appropriate tabs. If you want to change the name of a rule, right-click the rule in the list and select Rename. When you have finished changing the name, press [Enter]. Rules can be moved by right-clicking the rule and selecting Move.
Copying rules
To copy an existing rule, right-click the rule and select Duplicate. The rule will now be duplicated. The name will be displayed as follows: Copy of <original rule name>.
Ordering rules
Policy Patrol allows you to order rules. To change the order of rules, go to Rules > Rule ordering. Select the rule in the list and press the Move up or Move down button.
The way in which rules are ordered can be important for processing speed. For instance, it is quicker for Policy Patrol to check a list of IP addresses or URLs than it is to check for words in a web page. Therefore it makes more sense to order fast rules above slow rules.
To help you order rules efficiently, consider the speed of the rule by checking the following:
Is the rule user-based? A user-based rule is slower to process than a global rule.
Does the rule have conditions? In general, URL conditions and categories are fast to process. Searching for words in a web page or file is slower than searching for words in the file name or URL. However, the speed will also depend on the size of the filters.
Since Policy Patrol Web stops processing further rules once a rule has triggered, the order of rules can also influence the action taken. For instance, if you have a quota rule that sends an email notification when the warning limit is reached, and another rule that blocks access when the quota limit is reached, you must order the quota limit rule above the warning rule. If you do not order the quota limit rule above the quota warning rule, only the warning rule will trigger since it will always trigger before the limit rule (presuming that the quota warning limit is always lower than the actual quota limit).
Chapter 7
Creating Filters
Filters are lists of values that Policy Patrol must check for. Policy Patrol Web includes Word/Phrase, File and IP filters. This chapter explains how to create each type of Policy Patrol filter.
Creating a Word/Phrase filter
Word/Phrase filters contain lists of words and phrases that Policy Patrol must check for. The program includes a number of sample Word/Phrase filters. You can edit these sample filters, or create your own filters. To create your own Word/Phrase filter:
1. Go to Filters, select the appropriate folder and click New.
2. When asked which type of filter you wish to create, select Word/Phrase Filter. Click Next.
3. Enter the word(s) or phrases to be included in the filter. You can use the wildcards ? and *, where ? stands for any single character, and * stands for any number of characters. However, note that you cannot start or end a word with the * wildcard. The following options are available:
Case sensitivity
For each word you can specify whether it should be case sensitive or not. If you check the Case sensitive option, this means that Policy Patrol will only check for the word in the same case.
Score
If you wish to use word score, tick the option Enable word score. In Threshold, enter the total word score threshold that should be met in order to trigger the rule. Now enter the individual scores for each word. For instance, if you specify that the word score threshold is 10, and you enter the words porn and sex and assign each word a score of 5, both words must be found in the web page in order for the rule to trigger. You can also apply a negative word score. For instance, this might be useful to eliminate some words that can be used innocently. For instance you might assign the word breast a word score of 5, and assign the words baby or chicken a minus 5 score. If you do not wish to use word score in the filter, uncheck Enable word score.
Note: Remember that if you enable word score you must enter a threshold value greater than 0. If you leave the threshold set to 0, the rule will never trigger since a threshold of 0 is considered invalid.
Multiple count
If you wish every instance of the word to be counted, check the box Multiple count. For example, if this box is enabled and you browse to a web page that contains the word erotic three times, and you applied a word score of 5 to this word, the total word score would be 15. If you did not check this box, the word will only be counted once and the total score would be 5.
Apply when
You can select whether to apply when Whole word(s) are matched or when Whole or part of word(s) are matched. The first option allows you to specify more precisely which words must trigger a rule. For instance, if you select that Whole or part of word(s) are matched and you enter the word sex in the filter, this will also include the words Sussex and sextant. If you select Whole word(s) are matched, the rule will trigger on the word sex but not on Middlesex.
Note: The options Whole word(s) are matched and Whole or part of word(s) are matched do not apply when checking URLs since a word in a URL never starts with or is never followed by a space. Therefore, the option Whole or part of word(s) are matched will always apply when checking for words in URLs.
Import/Export
You can import lists from .txt files by clicking on Import, browsing to the appropriate file and clicking Open. The format should be as follows: Word[TAB]Case sensitive[TAB]Regular expression[TAB]Score[TAB]Multiple count. The word/phrase and score values must be entered. For the other options, either 0 or 1 must be entered. For instance, if you wish to add the non-case sensitive word porn with a word score of 5 and multiple count, you must enter it in the text file as follows: porn 0 0 5 1. For every word or phrase you need to start a new line. If you import words or phrases from more than one file, the additional words or phrases will be added to the list. If you have two lists with some common words, Policy Patrol will not add the common words twice, but will only add the additional ones. To export the words in the filter, click Export, enter a file name and select OK.
Remove duplicates
If you wish to remove duplicates in the filter, click on the remove duplicates button in the toolbar. When you have finished adding words, click Next.
4. Enter a name for the filter and a description. When you are done, click Finish to create the filter.
Creating a File filter
File filters include names and types of files that Policy Patrol must check for. Policy Patrol includes a number of sample file filters. You can edit these sample filters, or create your own filters. To create a new File filter:
1. Go to Filters, select the appropriate folder and click New.
2. When asked which type of filter you wish to create, select File Filter. Click Next.
3. Enter the file names or extensions for the filter. You can choose to enter an extension, the exact file name or only enter a word that must be found in the file name. When entering the data you can make use of the wildcards * and ?, where * stands for any amount of characters and ? stands for one character. To enter an extension, place a * in front of the extension, e.g. *.exe for executable files. If you wish to search for file names no matter which extension they have, enter the name followed by .*, e.g. readme.*. This will find the files readme.exe, readme.doc and readme.txt. If you want to search for files that include a certain word, you can do so by entering the word in between *. For instance, if you enter *price* in the filter, this will apply to the files pricelist.doc and ukpricelist.htm. If you want to include all files, enter *.*. Note that the entries are not case sensitive. You can import lists from .txt files by clicking on Import, browsing to the appropriate file and clicking Open. In the text file to import, each entry should be on a separate line. To export the entries click Export, enter a file name and select OK. When you have finished adding file names and extensions, click Next.
4. Enter a name for the filter and a description. When you are done, click Finish to create the filter.
Creating an IP filter
IP filters contain lists of IP addresses and IP address ranges to check for. To create a new IP address filter:
1. Go to Filters, select the appropriate folder and click New.
2. When asked which type of filter you wish to create, select IP Filter. Click Next.
3. Enter the IP addresses in the list. You can enter a single IP address by only entering a Start IP. If you wish to check for an IP address range, enter a Start and End IP address. You can import lists from .txt files by clicking on Import, browsing to the appropriate file and clicking Open. In the text file to import, each IP address/IP address range should be entered on a separate line as follows: Start IP,End IP. So for a single IP address, this would be 10.0.0.10. For an IP address range, this would be 10.0.0.10,10.0.0.15. To export the filter, click Export, enter a file name and select OK. If you want to remove double entries in the filter, click on Remove duplicates. When you are ready, click Next.
4. Enter a name for the filter and a description. When you are done, click Finish to create the filter.
Editing filters
To edit an existing filter, select the filter and click Properties. A tabbed dialog will appear. You will be able to add or delete entries and change the description for the filter. The Modified tab will show when and who made the last changes to the filter. If you edit a filter that is already being used in a rule, the filter will automatically be updated for the rule. You can change the filter name by right-clicking on the filter in the list and selecting Rename. When you have changed the name, press [Enter]. Filters can be moved by right-clicking and selecting Move. To remove a filter, right-click the filter and select Remove. Remember that you cannot delete any filters that are being used in a rule.
Note: If you rename a filter that has already been configured for a rule, the rule will continue to work for the filter, but the filter name in the description will still be the old name. To update the filter name, you need to open the rule properties and open the dialog where the filter is selected. Click OK to save the new name in the rule.
Copying filters
To copy an existing filter, right-click the filter and select Duplicate. The filter will now be duplicated. The name will be displayed as follows: Copy of <original filter name>.
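To test a Word/Phrase list before importing it, the scoring options from this chapter (score, negative score, Multiple count, whole or partial word matching, threshold) can be modelled offline. This is an added example, not Policy Patrol's own code: it parses the tab-separated import format given above, uses a constructed sample list built from the manual's own example words, and assumes that wildcards do not match across whitespace.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    word: str
    case_sensitive: bool
    is_regex: bool
    score: int
    multiple_count: bool


def parse_import(text):
    """Parse Word<TAB>Case sensitive<TAB>Regular expression<TAB>Score<TAB>Multiple count."""
    entries, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields, got {len(fields)}")
        word, case, regex, score, multi = fields
        if not word or any(flag not in ("0", "1") for flag in (case, regex, multi)):
            raise ValueError(f"line {lineno}: word is required and flags must be 0 or 1")
        if word in seen:  # a word already in the list is not added twice
            continue
        seen.add(word)
        entries.append(Entry(word, case == "1", regex == "1", int(score), multi == "1"))
    return entries


def compile_entry(entry, whole_words):
    """Build the regular expression that finds one filter entry in a text."""
    if entry.is_regex:
        body = entry.word
    else:
        # ? is one character and * any number of characters; this example assumes
        # neither crosses whitespace, which the manual does not specify.
        body = "".join({"?": r"\S", "*": r"\S*"}.get(ch, re.escape(ch)) for ch in entry.word)
    if whole_words:
        body = rf"(?<!\w)(?:{body})(?!\w)"
    return re.compile(body, 0 if entry.case_sensitive else re.IGNORECASE)


def total_score(entries, text, whole_words=True):
    """Sum the scores of all entries found; repeats count only with Multiple count."""
    total = 0
    for entry in entries:
        hits = sum(1 for _ in compile_entry(entry, whole_words).finditer(text))
        if hits:
            total += entry.score * (hits if entry.multiple_count else 1)
    return total


def filter_triggers(entries, text, threshold, whole_words=True):
    """A threshold of 0 is invalid, so such a filter never triggers."""
    if threshold <= 0:
        return False
    return total_score(entries, text, whole_words) >= threshold


# Constructed sample list using the example words from this chapter.
SAMPLE_IMPORT = (
    "breast\t0\t0\t5\t0\n"
    "baby\t0\t0\t-5\t0\n"
    "chicken\t0\t0\t-5\t0\n"
    "erotic\t0\t0\t5\t1\n"
    "sex\t0\t0\t5\t0\n"
)

if __name__ == "__main__":
    words = parse_import(SAMPLE_IMPORT)
    for page in ("Grilled chicken breast recipe", "erotic, erotic and erotic",
                 "Trains to Sussex and Middlesex"):
        print(page, total_score(words, page), total_score(words, page, whole_words=False))
```

Pass whole_words=False when scoring a URL, since the manual states that partial matching always applies there.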
Chapter 8
Creating Templates
Templates are pre-configured texts that can be used in Policy Patrol rules. The program includes two types of templates: Email notifications and Tags. This chapter explains how to create each type of Policy Patrol template.
Creating an Email notification template
Notification templates are used for sending email notification messages. Policy Patrol includes a number of sample notification templates. You can edit these sample templates or create your own. To create a new Notification template:
1. Go to Templates, select the appropriate folder and click New.
2. When asked which type of template you wish to create, select Email notification Template. Click Next.
3. Enter the subject for the notification email. You can include fields in the subject by clicking on the Insert Field button to the right of the subject line. For more information on available fields, see the Fields paragraph.
The notification message body can be in plain text, HTML or both. Select both if you are not sure whether the recipient can read HTML messages. Although nowadays most clients can read HTML, there are still some older clients that can only read plain text emails. If you select both, make sure that text is entered in both tabs. To copy text from one tab to the other, click on the Copy to.. button on the far right of the toolbar. When you select the Plain text tab, all formatting options will be disabled. You can insert fields in the body of the message by clicking on the Insert Field icon in the toolbar and selecting the relevant field. The text can be formatted by selecting font type, size or color and applying bold, italicized or underlined styles. To add a link, click on the Insert link button. In URL: enter the URL to link to. Enter the text to be displayed in Title and enter the description in Description.
You can insert gif and jpeg pictures by clicking on the Insert image button. In Image file, enter the path to the picture (Remember that the picture must reside on the local Policy Patrol machine). In Alt, enter the text that you wish to appear as a tool tip. If you want a border to be applied to the image, set a border width.
If you wish to add HTML tags, for instance to add tables or bullets, you can edit the HTML source by clicking on the View HTML source button. To add an attachment to the notification, click on Add. Select the attachment and click Select. You can import texts from .txt and .html documents by clicking Import. Similarly, you can export the text to a .txt or .html file by clicking Export. When you are ready, click Next.
4. Enter the template name and a description. Click Finish to create the template.
Creating a Tag template
Tags are used for network messages and event log descriptions. Policy Patrol includes a number of sample tags. You can edit these sample templates or create your own. To create your own Tag template:
1. Go to Templates, select the appropriate folder and click New.
2. When asked which type of template you wish to create, select Tag Template. Click Next.
3. Enter the text for the tag. You can also use fields by clicking on the Insert field button. For more information on the available fields, see the Fields paragraph. Click Next.
4. Enter the template name and a description. Click Finish to create the template.
Editing templates
To edit an existing template, select the template and click Properties. A tabbed dialog will now appear. You will be able to edit the template and change the description. The Modified tab will show when and who made the last changes to the template. To rename a template, right-click on the name in the list and select Rename. When you have changed the name, press [Enter]. Templates can be moved by right clicking the template and selecting Move. To remove a template, right-click the template and select Remove. Remember that you cannot delete any templates that are being used in a rule.
Note: If you rename a template that has already been configured for a rule, the rule will continue to work for the template, but the template name in the description will still be the old name. To update the template name, you need to open the rule properties and open the dialog where the template is selected. Click OK to save the new name in the rule.
Copying templates
To copy an existing template, right-click the template and select Duplicate. The template will now be duplicated. The name will be displayed as follows: Copy of <original template name>.
Fields
Policy Patrol includes User, Web page, Quota, Date/time and Other fields. Each type of field is described below.
User fields
User fields relate to the user(s) that trigger the rule. Below is a list of available user fields.
Field              Description
User name          Name of the user
User domain        Domain for the user
User IP address    IP address of the user
Web page fields
Web page fields relate to the web page that triggers the rule. Below is a list of available web page fields.
Field       Description
Category    Category of the web page
URL         URL of the web page
File fields
File fields include information about the file that triggers the rule.
Field        Description
File name    The name of the file
File size    The size of the file
Quota fields
Quota fields relate to the quota settings for the user(s). Below is a list of available Quota fields.
Field                            Description
Time limit                       Time limit specified
Time remaining                   Time remaining until limit is reached
Time used                        Time used until present
Time limit (warning)             Time warning level specified
Time remaining (warning)         Time remaining until warning is reached
Time interval                    Selected time interval
Bandwidth limit                  Bandwidth limit specified
Bandwidth remaining              Bandwidth remaining until limit is reached
Bandwidth used                   Bandwidth used until present
Bandwidth limit (warning)        Bandwidth warning level specified
Bandwidth remaining (warning)    Bandwidth remaining until warning is reached
Bandwidth interval               Selected bandwidth interval
Date/Time fields
These fields relate to the date and time the message was sent. Below is a list of available Date/Time fields.
Field        Description
Time         Time that the message was sent.
Date sent    Date the message was sent. By default the date is entered in the default format of the Policy Patrol machine. To change the format, see table below.
To change the date field format, enter the date mask in between the square brackets after the field. For instance, if you enter %[]Date[MMMM d, yyyy]%, the date will be displayed as February 9, 2004.
Mask    Meaning
d       Day of the month with no leading zero for single digit days
dd      Day of the month with leading zero for single digit days
ddd     Day of the week as three-letter abbreviation, i.e. Mon
dddd    Day of the week as its full name, i.e. Monday
M       Month as digits with no leading zero for single-digit months
MM      Month as digits with leading zero for single-digit months
MMM     Month as three letter abbreviation, i.e. Jan
MMMM    Month as its full name, i.e. January
y       Year as last two digits without leading zero, i.e. 4
yy      Year as last two digits with leading zero, i.e. 04
yyyy    Year represented by full four digits
Ot her fields Below is a list of other fields. Fi el d Desc r i pt i on Rule triggered Name of the rule that triggered Words triggered If a word/phrase condition triggered the rule, this field lists the words found including their score.
Tip: If you are not sure whether a field will exist in every instance, you can specify a field prefix that will only be entered if the field is replaced. For instance, if you wish to specify a website category but not each website is categorized, you could enter the prefix in between the first square brackets of the field as follows: %[Prefix]Field name[]%. For instance: %[Website category:]Category[]%. This will mean that the text Website category: will only be added if the website is categorized.

It is also possible to specify a default value in case a field does not exist. For instance, if a web site is not categorized you could enter Not categorized. To do this, you must enter the default value in between the last square brackets of the field as follows: %[]Field name[Default value]%. For example: %[]Category[Not categorized]%. Note that you cannot enter fields as a prefix or default value.
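The prefix, default value and date mask rules described above can be checked offline before a template is deployed. The following Python sketch is an added example, not Policy Patrol code: the function names, the treatment of Date and Date sent as date fields, the ISO fallback format and the HTML escaping of merged values are assumptions of the example.

```python
import html
import re
from datetime import date

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
        "Saturday", "Sunday"]          # date.weekday(): Monday == 0
DATE_FIELDS = {"Date", "Date sent"}    # assumption: fields whose last bracket is a mask

# %[prefix]Field name[default or date mask]%
# Brackets and % are excluded from every part, so a field can never sit inside
# a prefix or default value. Tags are excluded from the name, so a field whose
# name was partly formatted in an HTML editor is not treated as valid.
FIELD_RE = re.compile(r"%\[([^\[\]%]*)\]([^\[\]%<>]+)\[([^\[\]%]*)\]%")
MASK_RE = re.compile(r"dddd|ddd|dd|d|MMMM|MMM|MM|M|yyyy|yy|y")


def format_date(value, mask):
    """Expand the date mask tokens from the table; other characters are copied."""
    tokens = {
        "d": str(value.day), "dd": f"{value.day:02d}",
        "ddd": DAYS[value.weekday()][:3], "dddd": DAYS[value.weekday()],
        "M": str(value.month), "MM": f"{value.month:02d}",
        "MMM": MONTHS[value.month - 1][:3], "MMMM": MONTHS[value.month - 1],
        "y": str(value.year % 100), "yy": f"{value.year % 100:02d}",
        "yyyy": f"{value.year:04d}",
    }
    return MASK_RE.sub(lambda m: tokens[m.group(0)], mask)


def render(template, values, escape=True):
    """Replace merge fields in template using the dict values."""
    def replace(match):
        prefix, name, last = match.group(1), match.group(2).strip(), match.group(3)
        value = values.get(name)
        if name in DATE_FIELDS:
            if not isinstance(value, date):
                return ""
            # Assumption: ISO format stands in for the machine's default format.
            return prefix + (format_date(value, last) if last else value.isoformat())
        if value is None or value == "":
            return last                # default value only, prefix is dropped
        text = str(value)
        # URLs and file names originate from the request, so this example
        # escapes them before merging them into HTML. The manual does not
        # describe how the product itself treats such values.
        return prefix + (html.escape(text) if escape else text)
    return FIELD_RE.sub(replace, template)


def unreplaced_fields(template):
    """Return field-like fragments that would be left in the output as typed."""
    leftover = FIELD_RE.sub("", template)
    return re.findall(r"%\[.*?\]%", leftover, re.S)


# Constructed block page fragment; the third field has formatting applied to
# part of its name and will therefore not be replaced.
SAMPLE_PAGE = (
    "<p>Access denied on %[]Date[dddd, MMMM d, yyyy]%.</p>\n"
    "<p>%[Website category: ]Category[Not categorized]%</p>\n"
    "<p>Rule: %[]<b>Rule</b> triggered[]%</p>\n"
)

if __name__ == "__main__":
    sample = {"Date": date(2004, 2, 9), "Category": "News & <Sports>"}
    print(render(SAMPLE_PAGE, sample))
    print("Not replaced:", unreplaced_fields(SAMPLE_PAGE))
```

Running unreplaced_fields over a template before copying it to the HTML templates folder shows which fields would appear to users as raw text.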
Chapter 9
HTML Block pages

Block pages are HTML pages that can be displayed when access to a web page is forbidden. Optionally, block pages can contain merge fields such as user, web page, quota, date and other fields.

Creating block pages
An HTML block page can be created in any HTML editor. Optionally the page can include merge fields. For a description of available fields, consult the Fields paragraph in Chapter 8. Remember that the field names must be entered in the web page as follows: %[]Field name[]%. HTML block pages must be saved in \Program Files\Red Earth Software\Policy Patrol Web\Processor\HTML templates.

Sample block pages
Policy Patrol includes a number of sample block pages that you can use or edit to include your own company messages. The sample pages can be found in \Program Files\Red Earth Software\Policy Patrol Web\Processor\HTML templates.

Blocked access page
When a user is denied access from the Monitoring node, the HTML block page Blocked-access.htm will appear. If you wish to customize this page, you can edit the page from \Program Files\Red Earth Software\Policy Patrol Web\Processor\HTML templates. Note that this HTML page cannot contain any merge fields and that you cannot rename the file.
Chapter 10
Creating schedules

This chapter discusses how to create schedules that can be used to enable rules at certain times of the day or on certain dates. This can be useful, for instance, to apply different rules during working hours than during non-working hours.

Create a schedule
To create a new schedule:

1. Click New. The Schedule wizard will appear.

2. Specify the schedule settings. If you wish to include certain days and times of the week, select the option Specify days of the week and select the days and hours the schedule must include. The selected hours will be displayed in blue. If you wish to specify half hours and quarter hours, select the Half hour or Quarter hour option from the Interval drop-down box. Note that the number that you select is when the schedule begins, e.g. if you select full hour and specify 8 until 13, the schedule will run from 8.00 until 14.00.

To apply a schedule on certain dates, select Specify date (range). Specify whether the schedule must apply when the date equals, is after, is before, is between or is not between specific date(s). Enter the appropriate date(s). If you select after or before, the rule will not run on the actual date selected, but after or before it. For instance, if you select that a schedule must apply after January 1st, it will start on January 2nd. If you select before January 1st, the schedule will apply on any date before, but not including January 1st. If you select between or not between, the schedule will apply/not apply between and including the dates selected. For example, if you configure a schedule and select is not between January 1st and January 3rd, it will not run on January 1st, January 2nd and January 3rd. If you create a schedule and select is between January 1st and January 3rd, it will apply on January 1st, January 2nd and January 3rd. If you wish the schedule to apply on the same dates each year, select Ignore year.

3. Enter a name and description for the Schedule. Click Finish.

Editing a schedule
To edit an existing schedule, select the schedule in the list and click Properties. Make the appropriate changes and click OK. To rename a schedule, right-click the schedule and click Rename. Make the changes and press [Enter]. To remove a schedule, right-click the schedule and select Remove. Remember that you cannot delete any schedules that are being used in a rule.

Copying a schedule
To copy an existing schedule, right-click the schedule and select Duplicate. The schedule will now be duplicated. The name will be displayed as follows: Copy of <original schedule name>.
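The boundary rules from the Schedule wizard (after and before exclude the selected date, between and not between include both dates, and a selected hour marks the start of an interval) are easy to get wrong by one day or one hour when a blocking rule depends on them. The following Python model is an added example, not Policy Patrol code: the function names are hypothetical, and the exclusive end time, the half and quarter hour handling and the year-end wrap-around with Ignore year are assumptions.

```python
from datetime import date, time, timedelta


def date_rule_applies(op, today, first, last=None, ignore_year=False):
    """op is one of: equals, after, before, between, not between."""
    def key(d):
        return (d.month, d.day) if ignore_year else (d.year, d.month, d.day)

    t, a = key(today), key(first)
    if op == "equals":
        return t == a
    if op == "after":            # the selected date itself is excluded
        return t > a
    if op == "before":           # the selected date itself is excluded
        return t < a
    if op in ("between", "not between"):
        b = key(last)
        if a <= b:
            inside = a <= t <= b                 # both end dates included
        elif ignore_year:
            inside = t >= a or t <= b            # assumption: range wraps year end
        else:
            raise ValueError("first date is after last date")
        return inside if op == "between" else not inside
    raise ValueError("unknown operator: " + op)


def time_rule_applies(first_slot, last_slot, now, interval_minutes=60):
    """Selected slots are start times: 8 until 13 (full hour) covers 8.00 to 14.00."""
    start = first_slot.hour * 60 + first_slot.minute
    end = last_slot.hour * 60 + last_slot.minute + interval_minutes
    minute = now.hour * 60 + now.minute
    return start <= minute < end                 # assumption: end is exclusive


def covered_dates(op, first, last, window_start, window_end, ignore_year=False):
    """List every date in the window on which the schedule would apply."""
    day, result = window_start, []
    while day <= window_end:
        if date_rule_applies(op, day, first, last, ignore_year):
            result.append(day)
        day += timedelta(days=1)
    return result


if __name__ == "__main__":
    # Constructed check: a schedule set to "after January 1st" around New Year.
    for d in covered_dates("after", date(2006, 1, 1), None,
                           date(2005, 12, 30), date(2006, 1, 3)):
        print("applies on", d.isoformat())
    print("13.59 covered:", time_rule_applies(time(8), time(13), time(13, 59)))
    print("14.00 covered:", time_rule_applies(time(8), time(13), time(14, 0)))
```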
Chapter 11
URL categories

Policy Patrol includes URL categories that allow you to create lists of URLs. This chapter explains how to create the categories and how to edit them.

Creating a URL category
To create a new category, follow the next steps:

1. Go to URL Categories > <Folder> and click New.

2. Enter the URLs that you wish to include in the category. You can include a domain (www.company.com), a sub domain (www.company.com/news) or a complete path to a page (www.company.com/news/article5074.htm). There is no need to enter http:// in front of the entries. You can use a * wild card, but not the ? wild card, since a ? can occur in a URL. The * wild card stands for any number of characters, so for instance if you wish to check for shopping.msn.com, travel.msn.com as well as www.msn.com, you must enter *.msn.com. If you wish to check for www.google.com, www.google.co.uk and www.google.de, you must enter www.google.*. Note that you cannot include more than one * wildcard per entry. You can import URLs from .txt files by clicking on the Import button in the toolbar. Each URL must be entered on a separate line. To export your URLs click on the Export button. To remove duplicates click on the Remove duplicates button. When you are ready, click Next.

3. Specify the default quota settings for the category. These will be applied to all (new) users. If you wish to set different limits for different users, you can do so from Users & Quotas > select user(s) > Properties. For more information on how to do this, see Chapter 4 Editing user quotas.

Setting bandwidth limits
If you wish to set a bandwidth limit for the category, tick the checkbox Use bandwidth limit. Enter the amount of KB or MB you wish to limit the bandwidth usage to. By creating a quota rule you can specify what should happen if the limit is reached (see Chapter 4 Configuring quota rules). Optionally you can specify a bandwidth warning level in KB or MB. The bandwidth warning level can for instance be used to inform the user that their bandwidth limit will soon be reached or to notify a manager or administrator. Finally, select a daily or weekly bandwidth interval. If you select a daily interval, the bandwidth usage will be counted per day. If you select a weekly interval the bandwidth usage will be counted per week. For instance, if you wish to limit the bandwidth usage of the Sports & News category to 250 KB per user per day, select Use bandwidth limit and enter 250 KB. Select per day as the bandwidth interval.

Setting time limits
If you wish to set a time limit for the category, tick the checkbox Use time limit. Enter the number of hours and minutes you wish to limit the browsing time to. By creating a quota rule you can specify what should happen if the limit is reached (see Chapter 4 Configuring quota rules). Optionally you can specify a time warning level in hours and minutes. The time warning level can for instance be used to inform the user that their time limit will soon be reached or to notify a manager or administrator. Finally, select a daily or weekly time interval. If you select a daily interval, the time usage will be counted per day. If you select a weekly interval the time usage will be counted per week. For instance, if you wish to limit the time usage of the Web email category to 30 minutes per user a week, select Use time limit and enter 00.30. Select per week as the time interval.

Select the interval that should be applied when a user has no quota limits set. Since the bandwidth and time usage is displayed for all users in Monitoring, this interval will be used to display the usage for users and categories without quotas.

4. Enter a category name and description and click Finish.

Note: The category Uncategorized includes all websites that are not included in a custom URL filter. Note that this category cannot be deleted.

Editing categories
To edit an existing category, select the category in the list and click Properties. A dialog with four tabs will appear. In the first tab you will be able to change the contents of the category. You will see a column behind the entries called Added by Web filter. If the entry was automatically added by a Policy Patrol Web rule, this box will be checked. Note that you cannot check or uncheck this box yourself. In the second tab (Default quota settings) you will be able to change the default quota settings. If you make a change in the quota settings for the category, you will be asked whether you wish to apply the change for all users. Remember that if you configured different quota limits for particular users, these will be overwritten if you click Yes. The third tab (Description) will include the description of the category. The fourth tab (Modified) will show when and who made the last changes to the category. When you are ready, click OK.
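The entry rules from step 2 of Creating a URL category (no http:// prefix, at most one * per entry, ? treated as an ordinary character, one URL per line) can be checked on a .txt file before it is imported. The following Python sketch is an added example, not Policy Patrol code: the function names are hypothetical, and the matching semantics (entries without a path are compared against the host only, entries with a path are matched as prefixes) are assumptions, since the manual does not specify how entries are compared.

```python
import re


def normalize(entry):
    """Strip whitespace and any scheme prefix, and lower-case the host part."""
    entry = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", entry.strip())
    host, rest = re.match(r"([^/?#]*)(.*)", entry, re.S).groups()
    return host.lower() + rest


def lint_entries(lines):
    """Return (usable entries, problems) for the lines of an import file."""
    entries, problems, seen = [], [], set()
    for number, raw in enumerate(lines, start=1):
        entry = normalize(raw)
        if not entry:
            continue
        if entry.count("*") > 1:
            problems.append((number, raw.strip(), "more than one * wildcard"))
        elif re.search(r"\s", entry):
            problems.append((number, raw.strip(), "whitespace inside entry"))
        elif entry in seen:
            problems.append((number, raw.strip(), "duplicate"))
        else:
            seen.add(entry)
            entries.append(entry)
    return entries, problems


def entry_matches(entry, url):
    """Check one normalized entry against a requested URL."""
    target = normalize(url)
    head, star, tail = entry.partition("*")
    # * stands for any number of characters; everything else, including ?,
    # is matched literally.
    pattern = re.escape(head) + (".*" if star else "") + re.escape(tail)
    if "/" not in entry:
        # Assumption: an entry without a path describes a host, so it is
        # compared with the host only and never with text in the path or query.
        host = re.split(r"[/?#:]", target, maxsplit=1)[0]
        return re.fullmatch(pattern, host) is not None
    # Assumption: an entry with a path matches as a prefix ending at a boundary.
    return re.match(pattern + r"(?=$|[/?#])", target) is not None


# Constructed import file contents, one entry per line.
SAMPLE_IMPORT = [
    "http://www.company.com",
    "*.msn.com",
    "*.google.*",
    "WWW.Company.com",
    "",
    "www.company.com/news?id=1",
    "*. msn. com",
]

if __name__ == "__main__":
    entries, problems = lint_entries(SAMPLE_IMPORT)
    print("usable:", entries)
    for number, text, reason in problems:
        print(f"line {number}: {text!r} rejected ({reason})")
    # A trailing * is not limited to a top-level domain, which matters when
    # the entry is placed in the White list category.
    print(entry_matches("www.google.*", "www.google.example.net"))
```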
Chapter 12
Monitoring

Monitoring allows you to gain real-time insight into users' online sessions and the amount of bandwidth being consumed. Policy Patrol also allows you to immediately terminate a user session if necessary.

Bandwidth monitoring
Policy Patrol allows you to check bandwidth usage in real-time. Two pie charts will display the total amount of used and unused bandwidth for uploading and downloading. Remember that to calculate the free bandwidth you must enter your total upload and download bandwidth in <server name> > Advanced > System Configuration > Bandwidth Tab.

Session monitoring
Session monitoring allows you to gain real-time insight into users' current online sessions. For each user currently online, Policy Patrol will show the User name, last visited URL, Category, bandwidth used and time online since the start of the session. If you click on the plus sign next to the user, the program will display the last 10 URLs visited during the session as well as the respective time and bandwidth usage.

Note: Sessions and last visited URLs are shown with a 3 minute delay. This means that when a user starts up a new web browsing session the user will only appear in the list after 3 minutes.

Instantly block access for users
If you wish to instantly block access for a user, select the user and click Block access. You will be able to specify for how long you wish to block Internet access. When access is blocked a block page will be shown. To customize the block page, you can edit the HTML page Blocked-access.htm in \Program Files\Red Earth Software\Policy Patrol Web\Processor\HTML templates\Blocked-access.htm.

Note: If an https:// page or file download is blocked, no block page will be shown.

Monitoring permissions
Policy Patrol allows you to specify which users have the right to view other users' sessions, and whether they have the permissions to temporarily block access to the Internet. By default, each user has full access to the Monitoring component. To change the access rights for a certain component, follow the next steps:

1. Right-click the Monitoring component and choose Component properties.

2. Go to the Security tab. By default the (Everyone) group has full access to the component. To change permissions, select the group and change the Allow/Deny permissions. The following rights can be applied:

Right | Description
View | View sessions
Create | Not applicable
Edit | Block access
Delete | Not applicable
Folder owner | Change folder permissions

If you only wish certain users to have rights to Monitoring, click on Add and select the user(s) with the permissions. Select Allow or Deny for the relevant rights. Then select Everyone and click Deny for all rights. If you wish all users to have access to the component apart from a couple of exceptions, click on Add and select the users to be denied access. Select the user(s) and tick the Deny check boxes. A Folder owner has the right to change the component permissions for the component. Therefore, if you wish to deny permissions for a user, you must also select Deny for the Folder owner right. Remember that each component needs to have at least one Folder owner and that Administrators cannot be denied any permissions. When you have finished editing permissions, click OK.
Chapter 13
Virus checking

Policy Patrol Web offers an additional anti-virus module that you can use to scan web pages and files for viruses. In addition, it can detect and block Spyware, including Riskware, Pornware and Adware.

Kaspersky™ Anti-Virus
Kaspersky Anti-Virus detects and removes known viruses, even if they are included in compressed, encrypted or archived files. Furthermore, Kaspersky Anti-Virus includes a sophisticated Code Analyzer that detects harmful instructions in a code and can therefore block viruses, email exploits and malicious scripts & macros even if they are still unknown. The Code Analyzer has proven to be up to 92% effective. Kaspersky Labs is one of the world's leading developers of data-security software and its virus database is updated twice daily. This ensures that with Kaspersky Anti-Virus even the newest viruses can be neutralized quickly. For more information about Kaspersky labs, visit their website at: http://www.kaspersky.com.

Configure Kaspersky™ Anti-Virus
Open the Policy Patrol Administration console and select the Kaspersky Anti virus node. The license expiry date will be listed as well as the date and time that the anti-virus engine was last updated. Note that the settings will show unknown until you have browsed to a website at least once. By default, Kaspersky updates are scheduled to run daily at 8 pm. To change the scheduling of the updater, click on the Schedule button (Note that this option is only available on the Policy Patrol machine itself, not when connecting remotely). Select the Schedule tab and make the necessary changes. Click OK.

Once Kaspersky is installed, Policy Patrol will start scanning all web pages and files for viruses. However, you will still need to configure a rule that specifies what should be done when a virus is detected.

Copying your Kaspersky key
If you have purchased the Kaspersky Anti-virus module, you will receive your key via email. You must copy this key to C:\Program Files\Red Earth Software\Policy Patrol Web\Processor\av\Kaspersky\klav.
Chapter 14
Advanced options

Policy Patrol Web includes some advanced options that can be configured in System Configuration and System Parameters. This chapter explains the different settings available.

System configuration
System configuration options are found in <server name> > Advanced > System configuration. The following tabs are available:

System notifications
In this tab you must specify your mail server and system notifications options. The mail server settings will also be used for email notifications. Enter or select your mail server and enter the SMTP Port. By default the Port is 25. In the From: field, enter the sender of the email. In the To:, Cc: and Bcc: fields, enter the recipients for the system notifications. For internal recipients you can also click on and select the recipient from the user list. The recipient addresses entered here will also be taken as the Administrator address(es) when configuring notifications. To test whether the settings are correct, click on the Test button. A test message will be sent.

Bandwidth
In this tab you must specify your company's total upload and download bandwidth. These figures are used for monitoring general bandwidth usage.

Caching
Here you can select the caching options. You can select Block client caching of HTML pages (recommended) or Block all client caching i.e. HTML pages and images (only recommended for fast Internet connections).

Note: Caching for HTML pages must always be disabled. Otherwise some Policy Patrol rules might not be applied, since pages that have already been cached will not be filtered by Policy Patrol.

System Parameters
Policy Patrol system parameters are similar to registry keys and must not be changed unless you are asked to do so by Policy Patrol technical support staff.
Chapter 15
Sample rules

Policy Patrol includes several sample rules to help you enforce your Internet usage policy as soon as possible. The sample rules are included in the Rules > Sample rules folder.

Sample rules
The program includes a number of sample web filtering rules. To view the rules, go to Rules > Sample Rules. By default all sample rules are disabled, so to start filtering web traffic you must first select the rule in the list, right-click and choose Enable. Sample rules are applied to all users. To apply rules to selected users, double-click on the rule, go to the Users tab and select the users that the rule should apply to. Some rules use a sample block page. These pages can be edited and customized in any HTML editor. The sample block pages are located in \Program Files\Red Earth Software\Policy Patrol Web\Processor\HTML templates. The rules are sorted in three sub folders: File, Quota and Web page.

File rules

Block dangerous file downloads: This rule blocks potentially dangerous http and ftp file downloads and sends a network message and an email notification to the user. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user link in the description. You must also enter your company name in the email notification Block dangerous file downloads.

Block downloaded files with viruses or spyware: This rule blocks http and ftp file downloads that contain viruses or spyware and sends a network message and an email notification to the user. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user link in the description. You must also enter your company name in the email notification Virus or Spyware found in file.

Block large file downloads: This rule blocks http and ftp file downloads that are larger than 5 MB and sends a network message and an email notification to the user. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user link in the description. You must also enter your company name in the email notification Large file download blocked.

Quota rules

Block access when quota limit is reached: This rule blocks access when the user's quota limit is reached and sends an email notification to the user. The rule is scheduled to run only during business hours (8.00-18.00), so that after business hours web browsing is not limited. If you want to change the business hours schedule, you can do so from Schedules. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user link in the description. You must also enter your company name in the email notification Quota limit has been reached. Note that this rule should be ordered above the quota rule Network message when quota warning is reached, otherwise this rule will never trigger (since the warning will always be reached before the limit). To set the rule order, select the Rules component and click on Rule order.

Network message when quota warning is reached: This rule sends a network message to the user when the quota warning level is reached. The rule is scheduled to run only during business hours (8.00-18.00), so that after business hours web browsing is not limited. If you want to change the business hours schedule, you can do so from Schedules.

Web page rules

Block access to http:// web mail sites: This rule blocks access to http:// URLs listed in the web mail URL category and shows an HTML block page. Please contact technical support (support@redearthsoftware.com) for a sample web mail URL category filter.

Block access to https:// web mail sites: This rule blocks access to https:// URLs listed in the web mail URL category and sends a network message and email notification to the user. Please contact technical support (support@redearthsoftware.com) for a sample web mail URL category filter. Remember to add the company name in the template Web mail site blocked.

Block access to inappropriate URL category: This rule blocks access to all web sites with URLs in the inappropriate URL category and sends an email notification to the user and Administrator. The inappropriate URL category is automatically filled by the rule Block access to inappropriate websites. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user, administrator(s) link in the description. You must also enter your company name in the email notifications Inappropriate website blocked (user) and Inappropriate website from URL category (Admin).

Block access to inappropriate websites: This rule blocks access to websites that contain words in the URL or Web page from the Porn, Gambling, Violence or Racist filters. In addition it sends an email notification to the user and Administrator and adds the URL to the Inappropriate URL category. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user, administrator(s) link in the description. You must also enter your company name in the email notifications Inappropriate website blocked (user) and Inappropriate website blocked (Admin).

Block access to job websites: This rule blocks access to websites that contain words in the URL or Web page from the Jobs filter.

Block access to sites with viruses or spyware: This rule blocks all web pages that contain viruses or spyware and sends an email notification to the user. Remember that you must enter a correct From: address in notifications, by double-clicking on the rule and clicking on the user link in the description. You must also enter your company name in the email notification Virus or Spyware found in web page.

Block non-business sites during working hours: This rule blocks access during working hours to websites that contain words in the URL or Web page from the Shopping, Sports, Financial, Travel or News filters, with the exception of white listed URLs. In addition it adds the URL to the Non-business URL category. You can enter white listed URLs by going to URL categories and selecting the properties for the White list category. The rule is scheduled to run only during business hours (8.00-18.00), so that after business hours web browsing is not limited. If you want to change the business hours schedule, you can do so from Schedules.

Only allow access to white listed URLs: This rule blocks access to all web pages unless they are listed in the URL category White list. To enter white listed URLs go to URL categories, select the properties for the White list category and enter the URLs.

Regulate access to Non-business URL category: This rule blocks access during working hours to all web sites with URLs in the Non-business URL category, except those listed in the white list. The Non-business URL category is automatically filled by the rule Block non-business sites during working hours. You can enter white listed URLs by going to URL categories and selecting the properties for the White list category. The rule is scheduled to run only during business hours (8.00-18.00), so that after business hours web browsing is not limited. If you want to change the business hours schedule, you can do so from Schedules.
Chapter 16
Troubleshooting

This chapter deals with Policy Patrol troubleshooting. If you have a problem you can consult the Policy Patrol online knowledge base or run the Policy Patrol Web Support Wizard.

Knowledge Base
If you have a question or problem with Policy Patrol you can consult our extensive online knowledge base at http://www.policypatrol.com/kb.asp. Some of the questions and answers are listed below. If you do not find your answer, please send an email to support@redearthsoftware.com.

Policy Patrol Web is not filtering anything
1. Have you configured integrated authentication in ISA Server? See Chapter 2 for instructions on how to do this.
2. Have you removed the cache on the client before using Policy Patrol Web? If you do not remove the cache, Policy Patrol will not be able to filter any pages in the cache. You only need to do this once when you install Policy Patrol Web. Once the program is installed, client caching will be automatically blocked from the server.
3. Is your Policy Patrol license still valid? Check this from <server name> > Security > Licenses.

Policy Patrol Web has suddenly stopped working
Policy Patrol Web will automatically stop working when memory usage is more than 90% and the available free physical memory is less than 80 MB. As soon as the resources are available again Policy Patrol Web will start filtering web traffic.

Will my anti-virus or backup software interfere with Policy Patrol Web?
No, as long as you do not scan or back up the \Program Files\Red Earth Software\Policy Patrol Web\Server\Data directory, since this will cause the program to function improperly.

My anti-virus settings display unknown
The Kaspersky anti-virus settings will only be displayed after you have browsed to at least one website.

The email notification is not sent
Have you configured your mail server settings in <server name> > Advanced > System configuration > System notifications? If it is an external email address, have you allowed the Policy Patrol Web machine to relay mail through your mail server? Note that an identical email notification to the same user is only sent once per minute.

Network message did not pop up
Note that an identical network message to the same user is only sent once per minute.

Merge field is not working
Check the field in the Template to see whether you might have applied formatting to part of the field. If you don't select the whole field this will cause the fields not to be replaced.

My rule that searches for words/phrases never triggers
Check whether you have enabled word score in the selected Word/Phrase filter, and have left the word score threshold in the filter at 0. In this case the rule will never trigger since a threshold of 0 is considered invalid.

I cannot enable my rule
This happens when you still need to configure one or more option(s). Open the rule properties and click on the red links in the description to select the required options.

Why are the times in Sessions and Quotas not always the same?
The time counters in Sessions and Users & Quotas are refreshed at an interval of 3 minutes. The intervals do not run at the same time, which means that the quotas and sessions can display different times. Also, if there is no browsing for 5 minutes, the session is closed. If you start browsing again, a new session is opened and time is counted from 0 again. The quota time figure however, will add the new session time to the time that was already used.

How can I copy the Policy Patrol configuration to another machine?
1. Stop the Policy Patrol Data Manager service on the source installation (make sure that the Policy Patrol Administration console is closed) by going to Start > Settings > Control Panel > Administrative Tools > Services. Select Policy Patrol Data Manager and click Stop.
2. Stop the Web Proxy in Microsoft ISA Server on the source installation by going to Start > Run > enter cmd and click OK. If you have ISA Server 2000 enter: net stop w3proxy [Enter]. If you have ISA Server 2004 enter: net stop fwsrv [Enter].
3. Copy the files starting with PPWF_ in \Program Files\Red Earth Software\Policy Patrol Web\Server\Data.
4. On the destination machine, stop the Policy Patrol Data Manager service (make sure that the Policy Patrol Administration console is closed) by going to Start > Settings > Control Panel > Administrative Tools > Services. Select Policy Patrol Data Manager and click Stop.
5. Stop the Web Proxy in Microsoft ISA Server on the destination machine by going to Start > Run > enter cmd and click OK. If you have ISA Server 2000 enter: net stop w3proxy [Enter]. If you have ISA Server 2004 enter: net stop fwsrv [Enter].
6. Paste the previously copied files to the \Program Files\Red Earth Software\Policy Patrol Web\Server\Data directory on the destination machine.
7. Restart the Policy Patrol Data Manager service on both machines by going to Start > Settings > Control Panel > Administrative Tools > Services. Select Policy Patrol Data Manager and click Start.
8. Restart the Web proxy in Microsoft ISA Server on both machines by going to Start > Run > enter cmd and click OK. If you have ISA Server 2000 enter: net start w3proxy [Enter]. If you have ISA Server 2004 enter: net start fwsrv [Enter].

The destination machine will now have the same configuration as the source machine.

Support Wizard
If you are experiencing a problem with Policy Patrol Web, you can use the Policy Patrol Support Wizard to gather all the relevant information and send a message to Red Earth Software technical support. To run the Support Wizard:

1. Go to Help > Support Wizard. The Support Wizard will start up.
2. In the welcome screen, click Next.
3. Enter your contact details and a problem description. Try to describe the problem as accurately as possible, providing any information that could be useful for troubleshooting the problem.
4. Next, Policy Patrol will gather your configuration files and send your support request off to Red Earth Software technical support. Click Finish to exit the wizard.

Note: The support wizard can only be run from the server, not from a remote administration console.

Contacting Red Earth Software
If you require any assistance, please contact us at one of the following offices:
Red Earth Software, Inc.
4906 El Camino Real, Ste 209
Los Altos, CA 94022-1444
United States
Toll-free: 1-800-921-8215
Phone: (650) 967 1011
Fax: (650) 887 0470
Sales: sales@redearthsoftware.com
Support: support@redearthsoftware.com

Red Earth Software (UK) Ltd
20 Market Place
Kingston-upon-Thames
Surrey KT1 1JP
United Kingdom
Tel: +44-(0)20-8605 9074
Fax: +44-(0)20-8605 9075
Sales: sales@redearthsoftware.co.uk
Support: support@redearthsoftware.co.uk

Red Earth Software Ltd
Sonic House, Suite 301
43 Artemidos Avenue
6025 Larnaca
Cyprus
Tel: +357-24 828515
Fax: +357-24-828516
Sales: sales@redearthsoftware.com
Support: support@redearthsoftware.com