


If not all administrators should be allowed to access the logging of...

In order to start a manual update or an installation from the Conso...

Ticket System
Cynapspro offers a ticket system, which enables users ...

When a mass storage device is accessed for the first time, the warni...

Directory Service Structure
Active Directory/ NDS Synchronization
A...

Active Directory Synchronization – Scheduler
Users and groups ...

Synchronization Log
The synchronization log tells you whether a syn...

The user initially has the default rights that you have defined unde...

Integration of Third Party Systems
You already have a system where ...

Administration
Change Requests
The ticketing system enables you to ...

Go to Administration > Administrator – Tools > Mail notifications. ...

- License Management
- Client Settings
- Change Reque...

In the administrators’ area, all OUs, groups and users are shown in...

DevicePro
Rights Management
Access Management
Access management is...

The permission change can be controlled by selecting the Revision ta...

If the user needs access to a device that is currently not on the wh...

Go to rights management, select a user and click on the User Info o...

Now you can see the directory service structure of your computers.
...

Go to the directory service tree under rights management. Navigate ...

Device White List
For the management of device white lists, DevicePr...

When you have selected the computer, click on Insert and a window I...

Once the white list has been saved, all devices of the specified de...

If you want to register this device for a computer, go to the acces...

Click on Save to register the CD / DVD for all users. If you want t...

The generated code can now be entered directly by the user in the tr...

Reporting & Analysis
You have several reporting options to obtain an...

Access Rights Overview - Summary
The Rights Overview - Summary sho...

Access Statistics
The access statistics show at what time users ac...

cynapspro Agent
The cynapspro tray icon allows you to call up vario...

User Rights/ Currently Connected Devices
The client component enab...

The user can select the desired device type from a drop-down list a...

requested device will be displayed. Select the access scope and a ti...

Import Access Rights
If you are currently working on a computer tha...

If you want to synchronize the directory on a scheduled basis, you ...

Instructions
Go to the Management Console and select the menu item D...

Once the computer has been selected, click on Insert and select the ...

File Access Log
Suppose a virus has infiltrated your corpo...

ApplicationPro
Introduction
ApplicationPro protects your clients wi...

Learning Mode
The learning mode is a so-called "non-blocking mode." ...

Select one or more programs you want to assign to a package and cli...

To create a new role, click New Role. Name the role and assign the a...

Instructions
You will find the learning mode under Rights Managemen...

CryptionPro
Overview
CryptionPro ensures that...
unauthorize...

You then select the functions that should be made available to users...

CryptionPro Group Management
Create group affiliations under Crypti...

User Configuration
Next, you activate the product for the employees ...

selects the menu item Encryption. He then activates mobile encryptio...

In the window below, you activate the checkbox Common encryption and...
cynapspro Endpoint Data Protection 2010
User Guide

Cynapspro Endpoint Data Protection

DevicePro prevents data loss by controlling all kinds of ports and external storage devices.
CryptionPro protects your company data by efficiently encrypting data stored on external devices.
CryptionPro HDD protects confidential data through automatic and efficient HDD encryption.
ApplicationPro controls the use of applications based on a white list or black list.
ErasePro ensures that files are securely and permanently deleted.
PowerPro cuts energy costs and reports suspicious activity.

Last Update: May 25, 2010
Table of Contents

General Information .... 6
  The cynapspro Management Console .... 6
     Change Hostname/ Port .... 6
     Change Language .... 6
  cynapspro Admin Tool .... 7
     Database Settings .... 7
     Directory Service Settings .... 7
     cynapspro Server Settings .... 7
     Log Level .... 7
  Server Management .... 7
     Server Relocation .... 8
  Database Maintenance .... 9
     Merging of Two Databases .... 9
  License Management .... 10
  Log File Management .... 10
     Log Files of the cynapspro Agent .... 10
     Audit Logs .... 11
  cynapspro Client .... 12
     General Information .... 12
     Generate an MSI Packet for the Client .... 12
     Installation/ Update of the Agents .... 12
  Ticket System .... 14
  Custom Error Messages .... 14
Directory Service Structure .... 16
  Active Directory/ NDS Synchronization .... 16
     Active Directory Synchronization – Scheduler .... 17
     Management of Domain Controller .... 17
  Manage your own Directory .... 18
  Inheritance of Group Rights .... 18
Integration of Third Party Systems .... 20
Administration .... 21
  Change Requests .... 21
  Mail Notifications .... 21
  Administrative Roles .... 22
  Administrators and Access Scope .... 23
DevicePro .... 25
  Rights Management .... 25
     Access Management .... 25
     Activate/Deactivate Users or Computers .... 27
     User Information .... 27
     Import Permissions .... 28
     Combining Computers and Users .... 28
     Computer Rights .... 29
     Precedence in case of Conflicting Rights .... 30
  Device White List .... 31
     White listing Device Types .... 31
     White listing Individual Devices .... 31
     Media Release .... 34
     Challenge Response to obtain Access to Individual Devices .... 35
  Content Header Filter .... 36
  Reporting & Analysis .... 37
     Access Rights Changes Not Yet Transmitted .... 37
     Active/Inactive Users .... 37
     Analysis of Rights Changes .... 37
     Access Rights Analysis .... 37
     Access Rights Overview - Details .... 37
     Access Rights Overview - Summary .... 38
     Deviations from Default Rights .... 38
     One-Time or Temporary Permissions .... 38
  Audit Log .... 38
     Blocked Access .... 38
     Access Statistics .... 39
  cynapspro Agent .... 40
     User Rights/ Currently Connected Devices .... 41
     Request Access Rights .... 41
     Challenge Response for the Release of Individual Devices .... 42
     Enter Unblocking Code .... 43
     Login As .... 43
     Import Access Rights .... 44
  Solution Scenarios .... 44
     No Connection to the Server .... 44
     Getting Started after the Installation .... 44
     View Already Installed Computers .... 45
     Restrict Access to Company-Owned Devices .... 45
     Assign Specific Devices to Selected Users .... 46
     Blocking File Types .... 47
     Change Access Permissions Offline .... 47
     File Access Log .... 48
     Administrator with different Access Levels .... 48
ApplicationPro .... 49
  Introduction .... 49
  Rights Management .... 49
  Learning Mode .... 50
     Managing ApplicationPro with the Learning Mode .... 50
     Management of Programs .... 51
     Management of Roles .... 51
  ApplicationPro Settings .... 52
     Trusted Objects .... 52
  Solution Scenarios for ApplicationPro .... 52
     Quick White Listing of Applications .... 52
     White Listing Many Programs for Many Users .... 53
CryptionPro .... 54
  Overview .... 54
  Encryption Options .... 54
  Key Management .... 55
  CryptionPro Group Management .... 56
  CryptionPro Mobile (global settings) .... 56
  Device Blacklist .... 56
  Unencrypted File Transfer .... 56
  User Configuration .... 57
  CryptionPro Mobile (Client Software) .... 57
  Solution Scenarios for CryptionPro .... 58
     Automatic Encryption for All Users .... 58
     Save Without Encryption .... 59
CryptionPro HDD 2010 .... 60
  Default Settings .... 60
     Pre-Boot Authentication .... 60
     PBA Settings .... 61
     Full Disk Encryption .... 61
     Installation Settings .... 62
  Installation and Management .... 63
ErasePro .... 65
  User Management .... 65
  Secure Deletion of Files .... 66
PowerPro .... 67
  Profile Management .... 67
  Computer Settings .... 67
  Scheduler .... 68
  Exceptions for Important Programs .... 68
  User Rights .... 68
  Settings .... 69
Appendix .... 70
  Components for the Creation of a cynapspro Rights File .... 70
     Change Device Port .... 70
     Change Device Type .... 70
     White Listed Device Types .... 71
  Component for White Listing a Unique Device .... 72
     White List a PDA for All Users .... 72
  Use Cases .... 73
     Define User or Computer Rights for a Port .... 73
     Change access rights of a Computer for 2 Ports and 2 Device Types .... 73
     Add 2 Devices of Different Device Types to the white list of Device Models .... 74
     Remove Device from the Device Model White List .... 74
     Add a PDA to the Global White List .... 74
     Remove a User from a Unique Device White List .... 74
  Useful Command Lines .... 75
     Start AD/NDS/LDAP Synchronization .... 75
     Automatically Activate All Users .... 75
     Change License File .... 75
     Define the First Network Drive Letter .... 75
     Client Rollout using the cynapspro Server .... 75
     Client Update using the cynapspro Server .... 75
     Automatic Deletion of Log Files .... 75
     Changing the Domain Controller Information .... 76
     Changing the Path for the XML Interface .... 76
     Import and Export Settings from Server to Server .... 76
Copyright .... 77
  6. 6. 6 cynapspro Endpoint Data Protection – User Guide General Information For the administration of the cynapspro Server, there are two tools available: The cynapspro Management Console: The cynapspro Management Console is the central interface for controlling all cynapspro functions. The Management Console can be accessed from any location, i.e. each administrator can run it from his work station. The cynapspro 2010 Management Console can be accessed via the start menu: > All Programs > cynapspro GmbH Change Hostname/ Port You can run the Management Console from any workstation. Just copy the exe-file to a network drive or directly to your computer. Enter the hostname or the port when prompted. Go to the toolbar and select File> cynapspro server if you want to log on to a different server and / or change the settings. Change Language In order to change the language in the Management Console, go to Tools > Options in the toolbar menu. There are the two languages offered German and English.
  7. 7. 7 cynapspro Endpoint Data Protection – User Guide cynapspro Admin Tool The cynapspro Admin Tool is used to configure or check the server settings. After successful installation of the cynapspro server, you can use the cynapspro admin tool to verify and change server or database settings. By default, the tool is installed at C:Program Filescynapspro GmbHDevicePro 2010 and can be accessed using > All Programs > DevicePro 2010. Database Settings Click on the button Validate to test the connection to the specified database. cynapspro solutions need a user with database administrator rights (DB Owner) to access the database. Directory Service Settings A prerequisite for the synchronization of the directory structure is that the specified user holds the necessary access rights (List Contents, Read All Properties). Enter in the field domain controller the hostname of the directory service server. Click on the button Validate to test the connection. cynapspro Server Settings Two ports are used by default to manage the communication between cynapspro server and client components. Define the client-server XmlRpcPort and the server-client Notification port. The client-server XmlRpcPort is used by clients to connect to the server (default: 6005). The server-client notification XmlRpcPort serves to notify the clients about changes made to their rights on the server (default: 6006). Log Level The server services as well as the agent permanently log all activities. The level of detail can be defined with the following options being available: - Operating Mode: Errors only - Administration Mode: Detailed - Debug Mode: Very detailed Server Management You can run multiple cynapspro servers, for example to ensure safeguarding against failure. When installing an additional server, specify the same database in the installation routine. You will then see all cynapspro servers under server management. 
You can now define whether the client should randomly select a server to sign on or whether a specific sequence should be applied. The server management is also recommended when you plan a move of the cynapspro server.
  8. 8. 8 cynapspro Endpoint Data Protection – User Guide Before uninstalling the old cynapspro server, just assign a higher priority to the new cynapspro server to ensure uninterrupted service. Server Relocation You have bought new hardware or other circumstances require that you move the cynapspro server to a new machine. This one is no problem at all, if the current IP address and / or the server name will also be used for the new server. The cynapspro agents will then automatically find the new server. If the IP address and server name will be different, you can move the cynapspro server component as follows. You can use one of the following two methods to relocate the cynapspro server: 1) You install the new cynapspro server with access to the old/new database (you define the SQL server during the installation or afterwards via the Admin Tool.)  Now open the Management Console on the old server and go to Administration > Server Management. You can now prioritize the new server as higher than the old one. All clients will now log on to the new server. 2) You install the new cynapspro server with access to the old/new database (you define the SQL server during the installation or afterwards via the Admin Tool.)  Start the new Sever, go to Administration > Generate MSI package for the clients and generate a new MSI package (do not forget to define the default settings for clients).  Use "Open folder" to go directly to the directory. Copy the new MSI package into the MSI directory of the old server and run an update of the agents from the old server. The old server now distributes the server information of the new server to the clients, which will then all log onto the new server. In both cases, it is possible that not all clients are online and get the update. Thus, they would still report to the old server. It is best to leave the old server running for about two
  9. 9. 9 cynapspro Endpoint Data Protection – User Guide weeks, to be sure that all clients have received the update. Use "Update of the Agents" on the old server and look up "Inactive" to see how many and which clients have been offline and have therefore not received the update. Database Maintenance If you use cynapspro Endpoint Data Protection solutions over a prolonged period of time or in larger environments, the DevicePro database that is stored in your SQL Server can significantly grow in volume. To keep this database volume low, you can archive the data generated through logging and auditing, or delete duplicate records. To evaluate duplicates, please click on Analyze. You can now see how many duplicate records have been entered under logging and auditing. You can Delete these duplicates to minimize the database without losing data. If the volume of the database is still too large, you can archive old records into files that can still be evaluated later. Select the time period that should be used for each file, define the path to the archive and whether you want the archiving to be done automatically or manually. Merging of Two Databases If you have installed several cynapspro servers in different environments and you want to bring them together now, you need to proceed as follows. Connect to the cynapspro server, which you want to eliminate. Export the database information in a file (txt format) with the following command from the command line: <Installation Path>DpAdmin Tool.exe /exportACL "<path><filename>.txt" Then connect to the cynapspro server you want to keep.
Import the information using the following command line:

<Installation Path>\DpAdmin Tool.exe /importACL "<Path>\<filename>.txt"

The user information is tied to the user name (e.g. AD account name). Thus, no complications arise if the SID has changed.

License Management
Here you can see the number of licenses you have purchased, the actual number of active users, as well as all add-ons that have been activated with your license. If you want to activate additional licenses or add-ons, such as logging, ApplicationPro, CryptionPro, etc., you only need a new Lic file. Open it with the Browse button and click Confirm. The new licenses and add-ons will be activated immediately.

Log File Management
By default, cynapspro saves its log files in the LOG folder of the installation directory. You can change the path of the log files as you see fit. You can also change the degree of detail of the logs by selecting one of three radio buttons: the operation mode is very basic logging, the administration mode creates a fairly detailed log file and the debug mode provides very detailed logging.

You also have the option to compress log files. If you need support, these compressed files are very helpful to our support workers. Select the time period as well as the components, then click on Compress and open the folder. Send this file along with the error description to our support (support@cynapspro.com).

Log Files of the cynapspro Agent
To check the log file of a user's agent, go to Rights Management and right-click on the corresponding user. The context menu has the option Log files of the agent, with three choices. Choice number One: view the latest log by clicking on Current. The current file opens in the editor in log format.
If you would like to access an older log file or open multiple logs of that user, select choice number Two: you can now select the desired log file(s) from a list. After clicking on the selected log file, it will open in Notepad. You can now check the activities of the user. You can also Delete older or all log files in the cynapspro Management Console.

Audit Logs
Go to the audit administration to enable or disable audit logs.
If not all administrators should be allowed to access the logging of all users, or if access should only be possible together with a representative of the workers' council or the management, you can restrict access by depositing up to two passwords. Access to the audit logs will only be granted if both passwords have been entered.

cynapspro Client

General Information
By installing the cynapspro client component, a kernel filter driver is installed on the Windows system. The task of the kernel filter driver is to monitor the rights that have been allocated to the user or computer. The use of the kernel filter driver has the advantage that all rights remain valid and effective when the computer is offline. Furthermore, the kernel filter driver ensures much higher security and prevents incompatibilities and problems. The cynapspro client component should be installed on each workstation.

Generate an MSI Package for the Client
Here you can generate an MSI package for the installation of the cynapspro 2010 agents. The settings for the package will be copied automatically from the current cynapspro 2010 Server. Optionally, you can generate the MSI package so that the tray icon is hidden in Windows. To ensure optimal offline support, we recommend not hiding the tray icon.

By activating the checkbox Prevent Service Stop, the MSI package will be generated in such a way that even users with administrative rights can no longer stop the service that is used for communication between server and client. The password protection for the uninstall is designed to prevent users with administrative rights from removing the cynapspro 2010 agent.

If you have low bandwidth in your network, you can increase the Timeout on the client. By default, a timeout of 12 seconds has been defined. If you have computers connected over WLAN or UMTS/GPRS to the corporate network, you can use Rights for communication devices to specify that a radio connection will not be blocked until the computer is restarted.

Installation/Update of the Agents
To help you manage version updates, you can update or install cynapspro agents directly from the Management Console. For the installation you need to define under Settings > Installation a domain user with the appropriate privileges for the installation (e.g. admin@domain.local). Under Settings > Update, you have two options: you can initiate the update manually or have the update run automatically each time the server is updated.
In order to start a manual update or an installation from the Console, go to Administration > Installation > Update of the agents, select the desired systems and click on Install/Update. An automatic update is started if you go to Download Settings, activate Automatically and then confirm the setting. You can also have the updates roll out according to a time schedule by activating Schedule.

If you want to rename the MSI file, activate Allow name changes. This setting is recommended if the installation is done with the help of a software distribution solution or from a network drive. To obtain an overview of all clients that have not yet been equipped with the cynapspro agent, select Only computers without an Agent under View.

If the installation has not been carried out properly via the Management Console, check whether the MSI was transferred to the client under C:\Temp. If this is not the case, check your firewall settings. If the MSI is located under C:\Temp but could not be executed remotely, you need to make the following Group Policy changes:

- Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
- Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Ticket System
cynapspro offers a ticket system, which enables users to send access rights requests to the administrator. If you do not want users to use this feature, you can deactivate the checkbox Allow access change requests in the client settings. Users can then no longer apply for any access changes using the ticket system.

You can also specify the network drive letter assignment, which defines from which drive letter onwards external storage devices can be expected. If you set the first network drive letter, you can prevent an external storage device from having the same drive letter as a network drive. One click is enough to avoid one of the most common support cases in companies.

Custom Error Messages
Custom error messages allow you to create your own message to the user in case an access violation is prevented. The message will appear as a popup above the system clock. Go to Administration > Client Management > Custom Error Messages. You start by choosing one of the two languages offered: German and English. To change the default message to your liking, just double-click on the access violation. For example, click on No access, enter the appropriate message and press OK. Optionally, you can add the parameter #DeviceType at any point in your message if you want the user to know which device type is locked.

If you want to allow users access to external storage, but also draw attention to the dangers of these devices, you can use security warnings.
When a mass storage device is accessed for the first time, the warning you have defined will appear. The user needs to confirm once that he has read and understood the warning. Only after confirmation of the security warning will access to the external storage devices be allowed. The process will be registered in the log file.
Directory Service Structure

Active Directory/NDS Synchronization
Active Directory/NDS synchronization allows you to copy users and groups from your existing directory service into the cynapspro database. The synchronization of the cynapspro server with the Directory Service reads the complete structure from the directory and copies it to the cynapspro database. There will be no schema extensions or other modifications in the directory service; all relevant data will just be copied.

Before you start the first synchronization, it is possible to set default permissions for the users. This is useful, as you do not need to manually define rights for every new user. Go to Rights Management > Specific Users > Default Rights (New user).

To start the synchronization, go to AD and NDS synchronization and click the Start button. If you have enabled some groups and want new users of these groups to be activated immediately, activate the checkbox Automatically activate new users. You can choose the OUs or groups you want to synchronize in the left window, so you don't need to synchronize the entire directory service every time.
Active Directory Synchronization – Scheduler
Users and groups are frequently created or deleted. So that the Directory Service does not have to be synchronized manually with every change, there is the function of automatic synchronization. The scheduler enables you to activate such automatic synchronization of the directory structure. You can set the times and days of the week as well as time intervals. Click Confirm to activate your settings.

Management of Domain Controllers
If you have multiple domain controllers (DCs) and want to synchronize all OUs, groups and users of these DCs, you can enter additional DCs. The Primary Domain Controller was specified during the installation. Go to Secondary Domain Controllers and add additional DCs by clicking on Insert and entering the required data. Then click Confirm.
Synchronization Log
The synchronization log tells you whether a synchronization was successful or whether it has failed.

Users that No Longer Exist in the Directory Service
If users, computers, groups or OUs are deleted from the directory service, you will see them after the synchronization under Not Available Users. In order to remove them from the database, just make your selection and click Delete. The audit record of past user activities will, however, not be deleted.

Manage Your Own Directory
You can also manage users in cynapspro without Active Directory or Novell eDirectory. As soon as an MSI package is installed on a computer, you can find the computer and all registered users under Unordered. For a better overview, you can create your own OUs. Just right-click on the domain/workgroup and select Insert Organizational Unit. Users can then be moved to the previously created OUs: select the user you want to move, press the right mouse button and choose Move To.

Inheritance of Group Rights
Managing users through groups reduces your administrative overhead. By default, all users are excluded from inheritance. If you want users to automatically inherit permissions, go to Rights Management and activate the checkbox in the column IA (inheritance active). You can also activate inheritance in the context menu of the user by selecting Activate Inheritance.
The user initially has the default rights that you have defined under Specific Users. If you want the user to automatically have the rights of the parent group, go to AD synchronization and define the inheritance settings. This is where you determine how the inheritance rules should be applied.

You can create your own groups in the cynapspro Management Console, so that you do not have to create groups in AD/NDS. Go to DevicePro group management. In the directory service tree, select the parent OU and pull up the context menu with the right mouse button. Select Insert DevicePro group. Then rename the group you have just created and assign the respective users using Group Members (right panel).
Integration of Third Party Systems
You already have a system where you manage all user or rights changes and you want those changes to be transferred automatically to the cynapspro database? In order to support our customers, we have developed rights management via third party software. All your changes can be saved as an XML file that will automatically be read by our web service and trigger the respective changes in the cynapspro database.

Just define in the cynapspro Management Console the path where you want to store the XML files. Go to Administration > Integration with other systems. Define the path to your XML files under Folder for data import. The other two paths will be created automatically. However, if you want to use a different folder, just click Browse.

If you now place an XML file in the folder for data import, the file will be processed immediately. If the file was read successfully, it is automatically moved to the folder Success. If the XML file contains errors, it is automatically moved to the folder Fail.

In addition to the folder structure, the cynapspro server informs you about the status of the import process. If the XML file was processed successfully, you will see that this XML file has the status "Success". If the XML command cannot be read, you receive the message "Failed" and a return value "error text" with the error message status = "Failed", which is again written into this XML file. The third party system thus receives feedback confirming success or an indication why the import has failed. Please refer to the components listed in the appendix that explain how to create a cynapspro rights file.
Administration

Change Requests
The ticketing system enables you to record change requests from users and to directly apply the requested changes with a right mouse-click. The user just needs to right-click the tray icon to open the function Request Changes. The window cynapspro - Request access rights will open. The user can select the required device from a drop-down list and add the desired access scope. He transfers his selection with Insert to the List of Access Rights Requests. The user can then add an explanation or comment to justify his request before he submits the list to the administrator.

The administrator immediately receives a message in the Management Console about the change request. He can then immediately assign the requested rights or go to Rights Management in order to review the user's current rights. This allows you to determine whether the requested changes are accepted or need to be adjusted. Any changes will be effective immediately for the user.

Mail Notifications
Under Mail Notifications, you can define one or more email addresses for receiving alerts via the Management Console or emails with change requests from users.
Go to Administration > Administrator Tools > Mail notifications. Here you can enable email notifications and enter one or more email addresses that will receive a notification in case of change requests. Click on Insert, select the event that shall trigger an email and enter the corresponding email address. Next, you can enter the name of the default sender, the SMTP server and the SMTP server port (default: 25). The settings will become effective after you have clicked on Confirm.

Administrative Roles
cynapspro 2010 allows administrators to assign different admin rights to administrators by using a role model. For the administrative roles, you can define the respective global and scope-specific operations administrators can execute. The global roles specify whether the administrator can see or change the following operations:
- Default Rights
- Content Header Filter
- Audit Log
- Create MSI Packages for the Client
- Manage Log Files
- Administrative Roles
- Administrators & Areas
- License Management
- Client Settings
- Change Requests
- ApplicationPro
- Synchronization
- Scheduler

All these functions are global and cannot be limited to individual users or groups. In the scope-specific roles, you can assign the following administrator rights:
- Rights Management
- Revision
- Release of device types
- Administrative Release
- User-defined release
- Logging
- ApplicationPro (Rights Management & Learning Mode)
- Reports (Rights that have not been updated, Rights Management Analysis, Rights Analysis, Rights Overview, Audit Logs)

You can assign these rights according to your requirements to OUs, groups or a specific user.

Administrators and Access Scope
Supervisors generally have all rights. Administrators have specific roles and areas assigned. Go to the Administrators tab and click on a user to see which administrative roles have been allocated to him. There are two tabs, called Global and Scope-specific.
- Under Scope-specific, you can assign to the administrator all administrative roles with the scope ranging from the entire infrastructure down to the user level. Thus department heads may manage the rights of their employees.
- Under Global, you can assign to the administrator the previously created global roles.
In the administrators' area, all OUs, groups and users are shown in three different colors:
- Red: The administrator does not have administrative roles in these OUs, groups and users.
- Grey: Some elements of the directory are managed by this administrator.
- Green: All child OUs, groups and users are managed by this administrator.
DevicePro Rights Management

Access Management
Access management is based on your directory service. On the left side you see the OUs, groups and folders. Click on an OU, and you will see in the upper right window the groups and users contained in it. First select the respective users, computers or groups manually or use the search function in the directory service structure. In the lower part of the right window you can now manage their access. All appliances and ports are displayed here. Select the desired device and activate the selection by pressing the right mouse button. The following access settings are available:
- No Access
- Read Access
- Full Access
- Scheduled Access

After making a selection, you assign the changes with Save. The amended access rights will become effective immediately. Neither a reboot nor a new logon of the user is required. If the computer with the client component is not online, the change will be assigned at the next logon.
The permission changes can be reviewed by selecting the Revision tab. You can see here whether and what rights were assigned when, to whom and by whom, and which assignment process had been used. By pressing the Emergency button, all user rights will be set to "No access".

Time Segment Scheme – Scheduled Access Permissions
Assign access rights for days of the week and hours of the day.

One-Time Access Permission
You can assign temporary access rights using One-Off Access Permissions. When the assigned time has elapsed, permissions will be reset to their previous state.

Generate Unblocking Code
This feature allows you to support a user who is offline. The unblocking code can be used to assign access rights.

Access permission for entire device types
To generate an unblocking code for an entire device type, go to the appropriate user and right-click the desired device type. Select Generate Unblocking Code from the context menu. Select the access scope and, where appropriate, the access period and then click on Generate. The generated code can now be entered directly by the user using the tray icon of the client component via the function Enter activation code. This code is only valid for the user it has been generated for and it can only be used once.
If the user needs access to a device that is currently not on the white list (released devices), this can be bypassed by activating the checkbox "ignore white list".

Activate/Deactivate Users or Computers
Access permissions only apply to users/computers set to active. Once the user or computer is set to inactive, neither the rights for access management nor the device release apply. To activate or deactivate a user or group, use a right mouse-click to pull up the context menu. A license is only consumed after activation of a user or computer for the corresponding module (DevicePro, ApplicationPro or CryptionPro). You can activate or deactivate all modules at once, if you use Activate All or Deactivate All.

User Information
The button User Info takes you to a complete overview of all rights and settings for the selected user.
Go to Rights Management, select a user and click on User Info, or go directly to the appropriate user and use a right mouse-click to select User Info. A window will open with the privileges and settings of the user. You now have the option of printing these rights or saving them as a CSV file for analysis.

Import Permissions
If you are currently working on a computer that is not connected to the company network, but you still want to change user permissions, you can export the user rights from the Management Console and import them into the agent. First, you configure the permissions of the corresponding user. Then you right-click on the user in the cynapspro Management Console, select Export rights and save the dpa file. After you have made the dpa file available to the user, he can right-click on the cynapspro tray icon and select the option Import rights. He can now select his dpa file. After saving, the changed rights will be effective.

Combining Computers and Users
If you want a user to have different rights on one or more computers, you can make the appropriate adjustments under Rights Management. Right-click on the corresponding user. The context menu shows the option Assign computer.
Now you can see the directory service structure of your computers. Select the desired computer and move it to the right window. Confirm your selection with OK. Now you can see that there is a computer assigned to the user. Under user management, you can see all users that have computers assigned. Select one of these computers and assign the appropriate rights under access management. You can assign several computers to a user, with each computer having different access permissions.

Computer Rights
You can also assign access rights to one or more computers, regardless of which users are logged on.
Go to the directory service tree under Rights Management. Navigate to the tab Computers and select the desired computer. Use the right mouse button to activate the machine for DevicePro, ApplicationPro or logging. Then you can assign the requested rights under access management. cynapspro first checks the rights of the computer. If there are no restrictions, it checks restrictions for the combination of computer and user. If there are no such restrictions, the access rights of the user apply.

Precedence in Case of Conflicting Rights
You may wonder which rights take precedence if you have assigned different rights for the computer and the user. DevicePro first checks the computer rights. If there are no rights restrictions, DevicePro next checks rights restrictions for the combination of computer and user. If there are no restrictions there, the user rights will apply.
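The precedence rule above (computer, then computer+user combination, then user, then the new-user defaults) as an added worked example; this is illustration code written for this guide, not cynapspro's own, and the user names, computer names and sample assignments are constructed.

```python
"""Resolve the effective DevicePro access right for a (user, computer, device type).

Illustration of the precedence rule described in the guide; not cynapspro
code. Principal names, device types and the sample assignments are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple

# Access settings offered on the Access Management screen.
NO_ACCESS, READ_ACCESS, FULL_ACCESS = "No Access", "Read Access", "Full Access"

# An assignment table maps device type -> access right. A missing entry
# means "no restriction set at this tier", so the lookup falls through.
Assignments = Dict[str, str]


@dataclass
class RightsStore:
    """Three assignment tiers plus the 'Default Rights (New user)' fallback."""
    default_rights: Assignments
    user_rights: Dict[str, Assignments] = field(default_factory=dict)
    computer_rights: Dict[str, Assignments] = field(default_factory=dict)
    # Key: (user, computer), as created via 'Assign computer' on the user.
    combination_rights: Dict[Tuple[str, str], Assignments] = field(default_factory=dict)

    def resolve(self, user: str, computer: str, device_type: str) -> Tuple[str, str]:
        """Return (effective right, tier that decided it).

        Order follows the guide: computer first, then computer+user
        combination, then the user's own rights, then the new-user defaults.
        """
        tiers = (
            ("computer", self.computer_rights.get(computer, {})),
            ("computer+user", self.combination_rights.get((user, computer), {})),
            ("user", self.user_rights.get(user, {})),
        )
        for name, table in tiers:
            if device_type in table:
                return table[device_type], name
        return self.default_rights.get(device_type, NO_ACCESS), "default"

    def user_info(self, user: str, computer: str,
                  device_types: Iterable[str]) -> Dict[str, Tuple[str, str]]:
        """Per-device-type overview, in the spirit of the User Info report."""
        return {dt: self.resolve(user, computer, dt) for dt in device_types}


def build_sample_store() -> RightsStore:
    # Constructed sample data: Default Rights (New user) lock everything,
    # alice has full access to USB storage, the kiosk PC is restricted to
    # read access for everyone, and the (alice, LAPTOP-07) combination pins
    # USB storage to read-only on that laptop only.
    return RightsStore(
        default_rights={"USB mass storage": NO_ACCESS, "CD/DVD": NO_ACCESS},
        user_rights={"alice": {"USB mass storage": FULL_ACCESS}},
        computer_rights={"KIOSK-01": {"USB mass storage": READ_ACCESS}},
        combination_rights={("alice", "LAPTOP-07"): {"USB mass storage": READ_ACCESS}},
    )


if __name__ == "__main__":
    store = build_sample_store()
    for who, where in (("alice", "KIOSK-01"), ("alice", "LAPTOP-07"),
                       ("alice", "DESKTOP-02"), ("bob", "DESKTOP-02")):
        right, tier = store.resolve(who, where, "USB mass storage")
        print(f"{who}@{where}: {right} (decided by {tier} tier)")
```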
Device White List
For the management of device white lists, DevicePro differentiates between device types. The following options are available:
- White listed Device Types
  o Only listed device types can be used. All other device types will be blocked.
- White list of individual Devices
  o White listing individual devices allows access to devices with a specific serial number, regardless of what rights have been assigned to the user.
- Media Release
  o The media release allows access to specific CDs or DVDs.

White Listing Device Types
This is the vendor-specific device type, which you can release on your network. All devices of this model (e.g. Kingston Data Traveler Model X) and the respective device type (USB mass storage) will be authorized. This device white list complements the access management of the individual user. Once a device model has been white listed for a device type, all other device models of that device type will be blocked.

You can add any device that is currently connected or has been connected at some time to the list of approved devices. Select the one or several clients to which the desired device(s) has/have been connected. The clients can be filtered by using the host name or the name of the user who is logged on to the workstation. Once you have made your selection, press the Insert button at the top. A window with a selection of devices appears; they can now be added to the white list. By deactivating the checkbox Only show available devices, the list will show all devices that have ever been connected. Select any desired device and use Insert to add it to the device white list. Use the comment field to better organize the white listed devices and their origin.

White Listing Individual Devices
External devices that appear in the white list of individual devices always have the desired access rights, regardless of the access permissions of the logged-on user. Go to the device white list and click on Individual Device. You can set access permissions for individual devices for users and/or computers.
When you have selected the computer, click on Insert and the window Insert New Device opens. You will now see all devices that are connected at the moment. If you want to add a device that is not currently connected but had previously been connected, just deactivate the checkbox Only show available devices. Select one or more devices from the list.

In the window Insert New Device, there is a column labeled Unique. If you activate the checkbox, the device has the same serial number on all ports. It can then be connected without any problems at all ports and you always have full access to it. If the manufacturer has not assigned a unique serial number to the device, you can connect the device to multiple ports to register and enable the respective serial numbers.

By default, you register devices in the white list with the Hardware ID and the serial number of the manufacturer. In a few cases, the manufacturer has not assigned consistent serial numbers to its devices. Each time one of these devices is plugged in, Windows generates a serial number. For these devices, we recommend registering the device for the white list using the Volume ID. If you want to register a device model, you can do so using the Hardware ID or the name of that device model. You can define whether you want to register a device using Hardware ID + serial number, Hardware ID, Volume ID or the name.
Once the white list has been saved, all devices of the specified device model can immediately be used by all users. You have the following three options to register a specific device. If you want to register this device for individual users, go to the access management for users and click Insert. You can thus define that a user always has read or write access to this specific USB stick, no matter where he logs on.
If you want to register this device for a computer, go to the access management for computers and click Insert. Select the desired computer and confirm with OK. The access level can then be changed under Rights. Each user on that computer now has read access or full access to the specified device.

You can also register a device for a user-computer combination. Go to the registered device, select the desired user and continue with Assign computer. Select the respective computer and click OK. The access level can then be changed under Rights.

Media Release
With the media release, you register a certain CD/DVD for the company, an OU or a single employee. The media is identified by a hash value that is calculated in the background. The media release can be found in the menu under White list > Media. Select from the list of cynapspro agents a computer that is running the CD/DVD. Click on Insert and select the disk that you want to release. If you want to release a disk that is currently not connected, just deactivate Only show available devices. Click on Insert to confirm your selection.
Click on Save to register the CD/DVD for all users. If you want to register the media for specific OUs or users only, or only in combination with specific computers, go to access management > Insert and select the desired OUs or users. To assign a user-computer combination, select the user, click on Assign computer and confirm your selection with OK.

Challenge Response to Obtain Access to Individual Devices
The Challenge Response method allows you to grant an offline user access to individual devices. This is done in cooperation with the user. The user opens his cynapspro agent. Under Actual Devices, the user sees a list of all devices currently connected to his computer. He now right-clicks on the desired device and selects Generate request code. The administrator then enters the request code in the Management Console: he goes to the user and selects Device Release/Challenge Response Release. Information about the requested device will be displayed. Select the access scope and a time period (optional) and click on Generate.
The generated code can now be entered directly by the user in the tray icon of his client component using the function Enter activation code. This code applies only to that individual user and can only be used once.

Content Header Filter
Content Header Filters are used to prevent the reading, writing or copying of certain files or file types on external devices. Files with the specified name, extension or size will be blocked when the blacklist option has been used. Alternatively, you can manage the Content Header Filter list as a white list; in this case, only the files and file types you have specified can be accessed.

You can use the Content Header Filter globally for the whole company or for specific users only. For a global deployment, just activate the checkbox in the column Global. If you want to use the filter for individual users or groups, select the object under Rights Management > Administrative Rights and insert the filter in the tab Content Filter.

For example, you can create a filter which generally blocks all mp3 files with more than 100 bytes and the file Joke.exe. You only need to perform the following steps:
- Insert a new filter in the filter definition window. By double-clicking on the filter, you can rename it. If you want the filter to apply to all users, just click on Global.
- Now click on Insert under rule definition to create a new rule.
- Under Name, enter * (anything). Under Extension, enter mp3; under Size Min (smallest size) enter 100 bytes. Now all mp3 files with more than 100 bytes are blocked on external devices.
- For blocking Joke.exe, simply enter under Name the word joke and under Extension enter exe.
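The rule model of the Content Header Filter (Name, Extension, Size Min, blacklist or white list mode) as an added worked example, evaluated against the guide's own mp3/Joke.exe rules; this is illustration code written for this guide, not cynapspro's own. The Size Max field, the exclusive/inclusive treatment of the size bounds and the sample file listing are assumptions.

```python
"""Evaluate Content Header Filter rules against files on an external device.

Illustration of the rule model described in the guide; not cynapspro code.
Size Max, the size-bound semantics and the sample listing are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str = "*"                  # wildcard on the file stem, e.g. "*" or "joke"
    extension: str = "*"             # wildcard on the extension, e.g. "mp3"
    size_min: Optional[int] = None   # bytes; matches files larger than this
    size_max: Optional[int] = None   # bytes; assumed optional upper bound

    def matches(self, filename: str, size: int) -> bool:
        stem, dot, ext = filename.rpartition(".")
        if not dot:                  # no dot: whole name is the stem, no extension
            stem, ext = filename, ""
        # Windows file names are case-insensitive, so compare in lower case.
        if not fnmatchcase(stem.lower(), self.name.lower()):
            return False
        if not fnmatchcase(ext.lower(), self.extension.lower()):
            return False
        # "Size Min 100 bytes" blocks files with *more than* 100 bytes (guide
        # wording), so the lower bound is exclusive; Size Max is taken as
        # inclusive (assumption).
        if self.size_min is not None and size <= self.size_min:
            return False
        if self.size_max is not None and size > self.size_max:
            return False
        return True


@dataclass
class ContentHeaderFilter:
    name: str
    rules: List[Rule]
    whitelist: bool = False      # False: blacklist (matches blocked); True: only matches allowed
    global_scope: bool = False   # the 'Global' column

    def decide(self, filename: str, size: int) -> Tuple[bool, Optional[Rule]]:
        """Return (allowed, rule that matched or None)."""
        hit = next((r for r in self.rules if r.matches(filename, size)), None)
        if self.whitelist:
            return hit is not None, hit
        return hit is None, hit


def guide_example_filter() -> ContentHeaderFilter:
    """The filter from the guide: block mp3 files over 100 bytes and Joke.exe."""
    return ContentHeaderFilter(
        name="Block media and Joke.exe",
        rules=[Rule(name="*", extension="mp3", size_min=100),
               Rule(name="joke", extension="exe")],
        global_scope=True,
    )


def audit(flt: ContentHeaderFilter, files: List[Tuple[str, int]]) -> List[str]:
    """One log-style line per file, in the spirit of the Blocked Access overview."""
    lines = []
    for fn, size in files:
        allowed, rule = flt.decide(fn, size)
        why = f"rule name={rule.name} ext={rule.extension}" if rule else "no rule matched"
        lines.append(f"{'ALLOW' if allowed else 'BLOCK'} {fn} ({size} B): {why}")
    return lines


# Constructed sample listing of a USB stick: (file name, size in bytes).
SAMPLE_FILES = [("report.docx", 48_213), ("song.MP3", 4_200_000),
                ("tiny.mp3", 100), ("Joke.exe", 65_536), ("joke.txt", 12)]

if __name__ == "__main__":
    for line in audit(guide_example_filter(), SAMPLE_FILES):
        print(line)
```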
Reporting & Analysis

You have several reporting options to obtain an overview of user access rights. The scope of all reports can be adjusted to show either the complete directory structure or only a specific part of it. If you are looking for information from a specific OU or group only, select it from the tree before calling up the report. Activate Display immediately if you want all query results to be displayed automatically; you then won't need to click on Display every time.

Access Rights Changes Not Yet Transmitted
Sometimes a user has not registered on the network for some time. If his permissions have been changed during that time, the changes will not have been transmitted. This report shows all users for whom this is the case.

Active/Inactive Users
Here you can check which users have already been activated and which users are not yet protected by cynapspro.

Analysis of Rights Changes
Here you can check which administrator has assigned which rights, when and to whom.

Access Rights Analysis
If you want to verify which users have certain rights to a device type, right-click on the device type in the rights analysis and select the access type. Click on Display. You now see all users that have the default access rights for these devices. You may also combine several device types in this report.

Access Rights Overview - Details
This overview report shows which access permissions have been assigned to which users. Click on the desired device type and click on Display. You will see an overview of all users and their access permissions for this device type.
Access Rights Overview - Summary
The Rights Overview - Summary shows the distribution of access permissions in percentages. Select the device, the desired view and click on Display. You now have an overview of how often the various levels of access have been assigned in your network for the device type you have selected. You can choose between the following views:
- Table
- Pie Chart
- Bar Chart

Deviations from Default Rights
This report shows users whose access rights deviate from those of a new user, i.e. which users have been customized.

One-Time or Temporary Permissions
This report shows which users currently have temporarily amended rights.

Audit Log
The audit log records when and where users have read, copied, written or deleted files.

Blocked Access
Under Blocked Access, you have an overview of all blocked access attempts, i.e. you can track which users could not access a device, when and why.

Access Statistics
The access statistics show at what time users accessed an external storage device.
cynapspro Agent

The cynapspro tray icon allows you to call up various functions with a double-click.

User Rights / Currently Connected Devices
The client component enables the user to check his various access rights. Furthermore, the user sees all currently connected devices and the related rights under Actual Devices.

Request Access Rights
The user can request additional access rights using the function Access query in the cynapspro agent menu.
The user can select the desired device type from a drop-down list and send an access request. The user can request several types of access at the same time. He selects the device type and clicks on Insert to add the device to his list of access rights to request. The user can then add an explanation or comment before sending this list to the administrator using the Send button. The administrator will immediately receive a message about this change request in the Management Console under Administration or by email.

Challenge Response for the Release of Individual Devices
The Challenge Response method allows you to grant offline users access to individual devices. This is done in cooperation with the user. The user opens his cynapspro agent. Under Actual Devices, the user sees a list of all devices currently connected to his computer. He right-clicks on the desired device and selects Generate request code.

The administrator now enters the request code in the Management Console. He goes to the user and selects Device Release / Challenge Response Release. Information about the requested device will be displayed. Select the access scope and a time period (optional) and click on Generate. The generated code can now be entered directly by the user in the tray icon of his client component using the function Enter activation code. This code applies only to that individual user and can only be used once.

Enter Unblocking Code
If an employee is not working within the company network but needs his rights changed, this is possible using an activation code. Under Rights Management, you can generate an unblocking code for users or groups to unlock devices. The employee can then enter this code in his cynapspro agent and will immediately have the appropriate permissions assigned.

Login As
If you want to do some work on a computer where another user is already logged on, e.g. to perform some administrative functions, you can log in using the cynapspro agent and you will immediately have your usual access rights. There is no need for the other Windows user to log off. To use the Login As function, double-click on the cynapspro tray icon. Go to Change rights and select Login as…; a login window will appear. Enter the appropriate username and password. The rights of that user will now apply on this machine. To hand back to the currently logged on Windows user so that his access rights apply again, use the context menu of the cynapspro tray icon to log out.
Import Access Rights
If you are currently working on a computer that is not connected to the company network but want to change the user rights anyway, you can export the user rights from the Management Console and import them using the cynapspro agent. In a first step, you configure the permissions of the corresponding user. Then right-click on the user in the cynapspro Management Console, select Export rights and save the dpa-file. To import the dpa-file, double-click on the cynapspro tray icon. Go to the menu item Change rights and select Import rights... Select the dpa-file of the user. After saving, the changed rights are immediately valid.

Solution Scenarios

No Connection to the Server
The installation was completed without problems. However, the Management Console cannot "Connect" to the server. Make sure all settings are stored properly by checking them in the cynapspro Admin Tool. If all settings are correct, check the firewall settings and change the authentication method.

Instructions
The cynapspro Admin Tool can be found in the start menu at Start > Program Files > CynapsPro GmbH > DevicePro 2010. Test all database settings, as well as the directory service settings, using the button Check Validate. If necessary, adjust the settings that were made. If a "Connect" to the server is still not possible, check whether the specified ports are allowed through your firewall. If the connection still fails, change the authentication method and / or check whether the specified user has the required rights.

Getting Started after the Installation
You have completed the installation successfully and want to use cynapspro to manage your endpoints. The first users or groups from your Active Directory / NDS shall now be provided with certain access privileges. In a first step you configure the default permissions, and then you start the synchronization of AD / NDS. Next you activate the first users or groups. Then you create the MSI client package and install it on the workstations.

Instructions
Open the Management Console and go to Rights Management. In the specific user group, you will see the menu item Default rights (new users). Open this window to define the default permissions for new users. Right-click on a device type and define the access level. Then click on Confirm. When you have configured all device types, you can start the synchronization from AD / NDS. Go to the menu item AD synchronization. Click on the Start button to start the synchronization. All users and groups are copied from the existing AD / NDS into the cynapspro database.
If you want to synchronize the directory on a scheduled basis, you need to create a synchronization job in the Scheduler. If you want to activate newly created users immediately, you need to enable Automatically activate new users in the active groups. If you have not enabled this option before the first synchronization, the default permissions will not apply to any of the users. In that case, navigate to Rights Management and activate the desired users and groups with a right mouse-click for the access permissions to become effective.

After activating users and groups, you should install the cynapspro agent on the workstations. Go to Administration. Under Client Management you will see the menu item Generate MSI package for the client. Select the path where you want to save the package and click Generate. If you don't want users to be able to see their access rights, to request access rights or to enter an unblocking code when offline, activate Hide tray icon. If you want to prevent users from stopping the cynapspro service, activate the corresponding checkbox.

After generating the package, run the MSI file on the workstations. You will find three Bat-files at the location you have specified. You install the software agent by running DBAgentSetup.msi or by starting the install.bat file. If you prefer to install the agent using the command line, type in the following command:

msiexec /i C:DeviceproMSIDBAgentSetup.msi

View Already Installed Computers
You would like to know which machines have already been equipped with the cynapspro agent. Go to Update of the Agents to view all clients that have already been installed, or filter for clients without an agent.

Instructions
Go to Administration / Update of the Agents and use the selection next to View. Select Only computers without an agent to view all computers not yet equipped with a cynapspro agent. If you want to see any previously installed agents, select All Agents and click on Inactive to see computers that are turned off.

Restrict Access to Company-Owned Devices
You have successfully assigned all rights and have complete control over who can use which external devices. You now want to make sure that only company-owned and approved devices are used. Employees should certainly be able to work with company USB sticks, but they should not be allowed to bring their private devices. The same goes for digital cameras. Usually there is only a limited number of device models in circulation in a company. You can now create a white list of manufacturers and models which may be used in the company. All other device models will be blocked, even if the employee has the rights to use this device type.
Instructions
Go to the Management Console and select the menu item Device White List. You can select from 3 types of device releases:
- White list of Device Models
- Unique Devices
- Media

Select the item White list of Device Models. In the right hand window, you see all white listed device types. The name is taken from Windows and corresponds to the name in the Device Manager. If you want to add more device models, you do not need to do this manually. It is sufficient for a device of the desired model to be connected to a computer in the network. Select this computer. If there are many computers online, use the filter to limit the selection. Once the computer has been selected, click on Insert. The computer will be scanned and all connected devices will be grouped by device type. Select all the device types that you want to white list and confirm with OK. The selected device types are added to the list and, once you have saved the changes, they can be used by all users. Changes are immediately distributed to all computers that are online using a push method. All other computers will receive the latest white list the next time they are started.

When selecting a computer in order to insert its devices, you can choose between devices that are currently connected and any devices that have ever been connected to this computer. You can also select multiple or all computers that are online. You will then see all the devices used in the company. This saves time and you even get a mini-inventory.

Assign Specific Devices to Selected Users
In case allowing in-house devices is not considered safe enough, you may want to specify exactly which person can use which devices. You can control the rights not only for device models, but also for individual devices. These can be distinguished by serial number, if the manufacturer has assigned a unique serial number. You can then allow user X to use a specific camera or USB stick; all other devices will be blocked, even if they are of the same model and the same manufacturer.

Instructions
Go to the Management Console and select the menu item Device White List. Select Unique Devices. Select the desired workstation from the list of cynapspro agents. In a larger infrastructure, you can use the filter to search for the desired computer.
Once the computer has been selected, click on Insert and select the devices you want to have white listed. Next you specify the users and groups which should have access to the white listed devices only.

Blocking File Types
Your staff should not be allowed to open just any files. You can block all files of a specific type or only allow files up to a limited size. The Content Header Filter allows you to determine exactly which file types and sizes users should be allowed to access. This is where you define rules that can be assigned to users.

Instructions
Go to the Management Console > Administration and select the menu item Advanced Settings. This is where you define rules for the Content Header Filter. To create a new filter, click on the button Insert next to filter definition. A filter called New Filter is created. To add new file types to the New Filter, go to rule definition and click on Insert. Give the new rule a name and type the file extension (e.g. *.exe) in the extension column. The columns Size min and Size max can be used to specify the minimum and maximum size of the blocked file type. Click on Global in the filter definition if you want this rule to be effective for all users. If you want to assign this rule to certain users or groups only, go to Rights Management and select the respective users or groups. Under the tab Content Header Filter you can then assign the rule by clicking on Insert.

Change Access Permissions Offline
If an employee is working outside the company network and needs his access rights changed, this is possible via an activation code. Go to Rights Management and create a code to unblock devices for the user or group. The user will then enter the code in his cynapspro agent to have the new access rights assigned. Changes will be effective immediately.

Instructions
Go to Rights Management in the Management Console. Go to the group or user and right-click on the desired device type. In the context menu select Generate unlocking code. Define the access level and its validity (temporary or permanent). Then click on the button Generate. If a white list has been generated for this device model and the desired device is not on the white list, you need to check Ignore white list. Transmit the generated code to the user. He can then enter the code using the cynapspro agent: he right-clicks on the cynapspro tray icon, goes to the menu item Change rights and selects Enter unblocking code. Once the code has been successfully entered, the new rights will be effective immediately.
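The Content Header Filter rules described in the Content Header Filter section and under Blocking File Types (Name, Extension, Size min, Size max, blacklist or white list) can be modelled as a small rule engine. The following is an added example, not cynapspro code; the matching details (case-insensitive glob on the base name, inclusive size bounds, a "*.exe" extension entry normalised to "exe") are assumptions made here, and the file names and sizes are constructed.

```python
"""Model of a cynapspro Content Header Filter (added example, not product code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str                       # glob on the base name, e.g. "*" (anything) or "joke"
    extension: str                  # extension; "*.exe", ".exe" and "exe" all mean exe
    size_min: Optional[int] = None  # smallest matching size in bytes (inclusive), assumption
    size_max: Optional[int] = None  # largest matching size in bytes (inclusive), assumption

    def matches(self, filename: str, size: int) -> bool:
        base, dot, ext = filename.rpartition(".")
        if not dot:                 # no dot at all: whole name is the base, no extension
            base, ext = filename, ""
        wanted_ext = self.extension.lstrip("*").lstrip(".")
        if not fnmatchcase(base.lower(), self.name.lower()):
            return False
        # an empty extension in the rule means "any extension"
        if wanted_ext and not fnmatchcase(ext.lower(), wanted_ext.lower()):
            return False
        if self.size_min is not None and size < self.size_min:
            return False
        if self.size_max is not None and size > self.size_max:
            return False
        return True


@dataclass
class ContentHeaderFilter:
    name: str
    rules: List[Rule]
    whitelist: bool = False         # False = blacklist: matching files are blocked

    def blocks(self, filename: str, size: int) -> bool:
        """True if access to this file on an external device is blocked."""
        hit = any(rule.matches(filename, size) for rule in self.rules)
        # Blacklist: a hit blocks. White list: only hits are allowed, so a miss blocks.
        return hit if not self.whitelist else not hit

    def decide(self, files):
        """Map each (filename, size) pair to 'blocked' or 'allowed'."""
        return {fn: ("blocked" if self.blocks(fn, sz) else "allowed") for fn, sz in files}


def example_filter() -> ContentHeaderFilter:
    """The guide's example: block mp3 files of at least 100 bytes and Joke.exe."""
    return ContentHeaderFilter("Block mp3 and Joke.exe", [
        Rule(name="*", extension="mp3", size_min=100),
        Rule(name="joke", extension="exe"),
    ])


if __name__ == "__main__":
    # Constructed sample of files a user tries to copy to a USB stick.
    sample = [("song.mp3", 4096), ("tiny.mp3", 50), ("Joke.exe", 12), ("report.docx", 4096)]
    print(example_filter().decide(sample))
    office_only = ContentHeaderFilter("Office only", [Rule("*", "docx"), Rule("*", "xlsx")],
                                      whitelist=True)
    print(office_only.decide(sample))
```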
File Access Log
Suppose a virus has infiltrated your corporate network or confidential data was passed on to third parties. You now want to understand or prove who is responsible. The log file includes records of who accessed which file at what time. You can filter the data by defining a time period or file name.

Instructions
Go to the Management Console and select Audit from the Summary menu. Select the desired group or user or the whole tree. Then define the filter rules. You now have access to all logged activities in your company network. If you have the shadow box activated, you need to enter the required passwords before you can check up on user activities.

Administrators with Different Access Levels
You have multiple locations or departments and you do not want all administrators to have access to all levels or settings. There are two types of administrators for cynapspro solutions:
- Supervisors (all administrative rights)
- Administrators (allocated administrative rights)

Create administrative roles and assign them to the administrators for certain areas (OUs, groups, users).

Instructions
Go to the Management Console > Administration and you will see two menu items: Administrative Roles and Administrators & Scopes. First, you define the administrative roles. Click on Global if you want to create roles for management of the cynapspro server. If you want to create roles for managing users and groups, click on Scope-specific. Add a role and determine what information an administrator with this role may see and what kind of changes he may make. Then go to the menu item Administrators & Scopes. Click on the Administrators tab and assign the role to one of the administrators listed. Under Scope-specific you can even select groups or individual users for which the administrator should be responsible.

In the administrators' area, all OUs, groups and users are shown in three different colors:
- Red: The administrator does not have administrative roles in these OUs, groups and users.
- Grey: Some elements of the directory are managed by this administrator.
- Green: All child OUs, groups and users are managed by this administrator.
ApplicationPro

Introduction
ApplicationPro protects your clients with an application access control that uses the black list or white list method. You determine which user gets access to selected applications; all other programs are blocked. ApplicationPro automatically assigns a hash value to a program. Thus, a user can log on to all computers of the company and always get the same program permissions. Thanks to this technology, users cannot obtain unauthorized access to programs by renaming files. This ensures, for example, that no unauthorized software (e.g. viruses, Trojans, games, joke programs ...) can be installed or run on company computers.

The management of ApplicationPro is greatly facilitated by the learning mode. This function records all programs an employee or group uses during their daily routine. Those applications can then be reviewed and white listed.

Rights Management
Before you start with the user management of ApplicationPro, you should activate this product. Just right-click on the user, then click Activate / Deactivate and select ApplicationPro. If a user is deactivated, he will be allowed to use all programs. Once a user is activated, he will have programs assigned and all other applications will be blocked. After installation or upgrade of the client component, it is recommended to restart the computer. If you haven't assigned a program package to the user, he will be able to access all programs.

Go to Access Management and look for the tab ApplicationPro. This tab contains the following options:
- Save: Confirm the settings you have just made. The rights changes will be immediately pushed to the agent.
- Insert Role: Assign a previously created role definition to a user. Roles may contain several program packages and are used for simplification and clarity.
- Insert Package: Assign a previously created package to a user. Packages consist of one or more selected applications.
- Delete: Remove roles and packages from a user or group.
- Role Definition: Link that takes you to the role administration.
- Start Learning Mode: Recording of programs accessed by a user or group of users.
- User Programs: Result list of the learning mode. Recorded applications can easily be assigned to packages.
Learning Mode
The learning mode is a so-called "non-blocking mode." This means that all programs can be started during the time period in which the learning mode is activated. The learning mode records all programs that are accessed by the user and applies not only to the user-facing applications, but also to the programs running in the background. A hash value is created, which can be used to add certain applications to a custom package. These packages can then be assigned to one or more users.

Managing ApplicationPro with the Learning Mode
To start recording the programs accessed by a user, mark the user in the top part of the right window and click on Start learning mode in the window below. Select the time period for the learning mode. The learning mode can be started and ended manually or you can use a scheduler. After completion of the learning mode, you will see under User Programs all applications that have been executed by the user, whether consciously in the foreground or hidden in the background. You will see in the results which path had been used to run an application.
Select one or more programs you want to assign to a package and click on Save. If you have already created packages, you can add the selected programs to them. You can also create a new package for these applications. Confirm the settings with OK. You can now create additional packages or close the results window. In order to assign the software package to a user, click on Insert package. Select the appropriate package and click OK. Save your changes and the cynapspro agent will immediately be notified and put them into effect. From now on, all unauthorized applications will be blocked. If an application has been overlooked during the recording process, you can start the learning mode again to release all programs for its duration. Add the newly recorded program to an existing package or to a new one and assign it to the user.

Management of Programs
In the navigation pane of the Management Console, you will find the ApplicationPro program management. Here you can create and edit software packages. To create a package, go to New Package. You can add programs from your computer to the package definition. When you add an application, its hash value will immediately be calculated. This hash value is identical for this program on every workstation. Individual packages can be grouped in folders. They can be assigned to a folder or only linked to it using the button New Link. Thus a program may be part of several packages, even though it is stored only once.

Management of Roles
Under ApplicationPro you will see the menu item Role Management. Here you can combine software packages and package folders into roles. Using roles helps maintain clarity and facilitates an efficient management of ApplicationPro.
To create a new role, click New Role. Name the role and assign the appropriate programs and roles using the buttons Add Program / Insert role. Note: If you insert a role, the parent role will include all the programs of the child role.

ApplicationPro Settings
In the ApplicationPro settings, you can decide whether you want to use the white list or the blacklist method. The white list method ensures that users can only access those programs that have been explicitly assigned to them. The blacklist method only blocks those programs that have been assigned to the user. All other programs are allowed.

Trusted Objects
Here you can define various directories as trusted objects. Users are allowed to run all applications they contain, regardless of any blocking rules defined under application control.

Solution Scenarios for ApplicationPro

Quick White Listing of Applications
You have assigned selected applications to a user. The user gets back to you and asks to be granted access to another program as soon as possible. Start the learning mode. While the learning mode is running, all applications are immediately released. You can then stop the learning mode and add the appropriate program to the user's package.
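The ApplicationPro decision described in the sections above (hash per program, packages nested in roles, white list or blacklist mode, trusted directories, and a learning mode that records program starts) can be written out as a small policy model. This is an added example, not cynapspro code: the guide does not name the hash algorithm, so SHA-256 over the file contents is an assumption, and all package, role, path and program names below are constructed.

```python
"""Model of ApplicationPro's hash-based application control (added example, not product code)."""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Set


def program_hash(contents: bytes) -> str:
    """Hash of the program file. The path and file name play no part, so a renamed
    copy keeps the same hash (algorithm is an assumption: SHA-256)."""
    return hashlib.sha256(contents).hexdigest()


@dataclass
class Package:
    name: str
    hashes: Set[str] = field(default_factory=set)

    def add_program(self, contents: bytes) -> str:
        h = program_hash(contents)   # "its hash value will immediately be calculated"
        self.hashes.add(h)
        return h


@dataclass
class Role:
    name: str
    packages: List[Package] = field(default_factory=list)
    child_roles: List["Role"] = field(default_factory=list)

    def all_hashes(self) -> Set[str]:
        """A parent role includes all programs of its child roles."""
        result: Set[str] = set()
        for pkg in self.packages:
            result |= pkg.hashes
        for child in self.child_roles:
            result |= child.all_hashes()
        return result


@dataclass
class UserAssignment:
    activated: bool = True           # a user not activated for ApplicationPro runs everything
    roles: List[Role] = field(default_factory=list)
    packages: List[Package] = field(default_factory=list)

    def assigned_hashes(self) -> Set[str]:
        result: Set[str] = set()
        for pkg in self.packages:
            result |= pkg.hashes
        for role in self.roles:
            result |= role.all_hashes()
        return result


def in_trusted_directory(path: str, trusted_dirs: Iterable[str]) -> bool:
    """Trusted objects: directories whose contents may always run."""
    p = PureWindowsPath(path)
    return any(trusted in p.parents for trusted in map(PureWindowsPath, trusted_dirs))


def may_run(user: UserAssignment, path: str, contents: bytes, *,
            whitelist_mode: bool, trusted_dirs: Iterable[str] = ()) -> bool:
    """Decide whether the program at `path` with the given bytes may start."""
    if not user.activated:
        return True
    assigned = user.assigned_hashes()
    if not assigned:                 # no package or role assigned: all programs allowed
        return True
    if in_trusted_directory(path, trusted_dirs):
        return True                  # regardless of any blocking rule
    h = program_hash(contents)
    if whitelist_mode:
        return h in assigned         # only explicitly assigned programs run
    return h not in assigned         # blacklist: assigned programs are the blocked ones


@dataclass
class LearningMode:
    """Non-blocking recording of program starts while active (hash -> start path)."""
    active: bool = False
    recorded: Dict[str, str] = field(default_factory=dict)

    def on_program_start(self, path: str, contents: bytes) -> None:
        # Only starts are recorded; programs already running when the mode
        # begins never pass through here, matching the note in the guide.
        if self.active:
            self.recorded[program_hash(contents)] = path

    def to_package(self, name: str) -> Package:
        return Package(name, set(self.recorded))
```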
Instructions
You will find the learning mode under Rights Management. Go to the user and select the tab ApplicationPro. You will see the button Start Learning Mode. Define the duration of the learning mode. During this time the user has access to all applications. After the user has run his programs, stop the learning mode by clicking on the button Stop Learning Mode. Note: Only program starts are recorded by the learning mode. If applications are already running when the learning mode is started, they will not be recorded. If you want to allow the user to continue using the program, click on the button User programs. Select the appropriate program and add it to one of the packages assigned to the user.

White Listing Many Programs for Many Users
You have already created several software packages and want every user of a division to be able to access these same applications. Of course you want to do this with as little effort as possible. Specify roles that include multiple packages or other roles. These roles can be assigned to the users.

Instructions
Go to the Management Console and select ApplicationPro from the left hand navigation. There you select the roles. Create a new role with the button New role. This role can, for example, be named after a department. Then use Insert package to assign software packages to this role. If you have already defined subordinate roles, you can add them to the new role using Insert role. Assign the newly created role to the users under Rights Management, where you select the tab ApplicationPro.
CryptionPro

Overview
CryptionPro ensures that...
- unauthorized persons cannot read your data.
- the loss of an external storage device is not a security risk.
- data stored on external devices is automatically encrypted in the background.
- you can access your encrypted data anytime and everywhere.

CryptionPro encrypts your data in the background. For all read and write operations on external storage media, files are automatically encrypted or decrypted without requiring any user activity. Users continue to work as before and all data remain readable throughout the company, no matter which user logs on to which computer. If someone tries to read the data from the external storage when it is connected to a computer without the CryptionPro client or to a computer outside of the company network, the files will not be readable, and thus the damage caused by the loss of an external storage device is limited to the hardware costs. Optionally, you can also save unencrypted data to external storage media, for example if you want to give it to a customer.

Encryption Options
The preconditions for the use of CryptionPro are a valid license and an installed cynapspro server and client. Go to the menu item Encryption > Encryption Options and activate encryption.
You then select the functions that should be made available to users:
- Without encryption: Users are allowed to copy files to disks without encryption. Under Settings for unencrypted file transfer, you write a security message that will be displayed after the user has activated the unencrypted file transfer. This message appears as a popup after the activation via the cynapspro agent. Activate Unencrypted files auditing as a security measure. This allows you to review, under Unencrypted file transfer, all non-encrypted files that were copied to external storage media. You also need to specify after which interval without activity the encryption should be automatically reactivated. This option is an assurance against employees forgetting to reactivate encryption after they have completed their unencrypted file transfer.
- Common encryption: On all computers in your company with a cynapspro agent, all files can always be read and written by each employee; the decryption takes place in the background.
- Group encryption: Create group affiliations under CryptionPro Group Management. If a user is in the same group as the employee who created a file, or in the parent group, the file will be automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.
- Individual encryption: Only the user who encrypts a file can decrypt it again. All other users cannot decrypt this file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.
- Mobile encryption: Allows the use of CryptionPro Mobile. If this option is assigned to a user, the activation of CryptionPro Mobile via the cynapspro agent facilitates the decryption of files outside the company network. An .exe file is automatically copied to the USB stick, which decrypts files on any computer if the appropriate password is provided. In addition, CryptionPro Mobile can also encrypt files outside the company network.

Furthermore, you can decide which encryption method you want to use. There are currently two methods available: Triple-DES and AES. Unfortunately, encryption with AES is not available on Windows 2000 computers. If you have this operating system in use, the Triple DES method will be the right choice for you. For all companies using Windows XP, Windows Vista or Windows 7, AES is recommended as the better and safer method.

Key Management
For each installation, a new key is created for CryptionPro. To ensure that you can still access data encrypted with the old key even after a server crash, you should export the key under Key Management. After a server crash you can import the key once the new installation has been completed. Furthermore, you have the option to generate a master key. The master key makes it possible to decrypt files which cannot be decrypted by the client. Please note that this key material must be stored securely and must be protected from unauthorized access.
CryptionPro Group Management
Create group affiliations under CryptionPro Group Management. If a user is in the same group as the employee who created a file, or in the parent group, the file will be automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: Files can be decrypted with the appropriate password using CryptionPro Mobile.

CryptionPro Mobile (global settings)
Define your password policy, which will be taken into account when creating the password via the cynapspro agent. Determine whether all unencrypted data stored on the hard disk should be deleted automatically or only after confirmation when you close CryptionPro Mobile. Define whether a file can be decrypted on the same and / or other storage media. Define whether the source file may be permanently decrypted, or whether a copy can be created.

Device Blacklist
You can exclude certain devices from the encryption. These devices can be stored on the blacklist of devices.

Unencrypted File Transfer
Activate Unencrypted files auditing as a security measure. This allows you to review, under Unencrypted file transfer, all non-encrypted files that were copied to external storage media.
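The readability rules of the encryption options (common, group and individual encryption, as listed under Encryption Options and CryptionPro Group Management) together with the rule under User Configuration that a user not activated for CryptionPro cannot read encrypted files can be checked with a small policy model. This is an added example, not cynapspro code; the cryptography itself is not modelled, only who the product lets decrypt which file, and the group tree, users and files are constructed. The CryptionPro Mobile password exception is left out.

```python
"""Who can read a CryptionPro-encrypted file, per encryption option (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class EncryptedFile:
    creator: str                       # user who encrypted the file
    option: str                        # "common", "group" or "individual"
    creator_group: Optional[str] = None  # CryptionPro group of the creator when option == "group"


class CryptionProPolicy:
    """Group affiliations (child -> parent), user membership and CP activation."""

    def __init__(self, parent_of: Dict[str, Optional[str]],
                 membership: Dict[str, str], activated: Set[str]):
        self.parent_of = parent_of      # group -> parent group, None for a root group
        self.membership = membership    # user -> group
        self.activated = activated      # users with the green check mark in column CP

    def can_decrypt(self, reader: str, f: EncryptedFile) -> bool:
        # "If CryptionPro was not activated for the user, he will not be able
        # to read encrypted files."
        if reader not in self.activated:
            return False
        if f.option == "common":
            return True                 # readable by every activated employee
        if f.option == "individual":
            return reader == f.creator  # only the user who encrypted it
        if f.option == "group":
            if f.creator_group is None:
                return False
            reader_group = self.membership.get(reader)
            # same group as the creator, or the creator's parent group
            return reader_group is not None and (
                reader_group == f.creator_group
                or reader_group == self.parent_of.get(f.creator_group)
            )
        raise ValueError(f"unknown encryption option: {f.option}")

    def readers(self, f: EncryptedFile) -> Set[str]:
        """All users in the directory who can decrypt the file."""
        return {u for u in self.membership if self.can_decrypt(u, f)}


def constructed_policy() -> CryptionProPolicy:
    """Constructed sample: Company > Sales > Sales-EU; erin is not activated for CP."""
    return CryptionProPolicy(
        parent_of={"Company": None, "Sales": "Company", "Sales-EU": "Sales"},
        membership={"alice": "Sales-EU", "dave": "Sales-EU", "bob": "Sales",
                    "carol": "Company", "erin": "Sales"},
        activated={"alice", "dave", "bob", "carol"},
    )


if __name__ == "__main__":
    pol = constructed_policy()
    for f in (EncryptedFile("alice", "common"),
              EncryptedFile("alice", "group", "Sales-EU"),
              EncryptedFile("alice", "individual")):
        print(f.option, sorted(pol.readers(f)))
```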
User Configuration
Next, activate the product for the employees who will use CryptionPro. Go to Rights Management, right-click the user, click Activate / Deactivate and select CryptionPro. A green check mark in the column CP signals that the product is activated. For every user you can decide which encryption options are available to him:

- Without encryption: allows the user to copy files to external storage media without encryption. Under Settings for unencrypted file transfer, you write a security message that the cynapspro agent displays as a popup after the user has activated unencrypted file transfer. Activate Unencrypted files auditing as a security measure; it lets you review, under Unencrypted file transfer, all non-encrypted files that were copied to external storage media. You also need to specify after which interval without activity encryption is automatically reactivated. This option guards against employees forgetting to reactivate encryption after they have completed their unencrypted file transfer.
- Common encryption: on all computers in your company with a cynapspro agent, all files can always be read and written by every employee; decryption takes place in the background.
- Group encryption: create group affiliations under CryptionPro Group Management. If a user is in the same group as the employee who created a file, or in the parent group, the file is automatically decrypted in the background. All other users of your directory service will not be able to decrypt the file. Exception: files can be decrypted with the appropriate password using CryptionPro Mobile.
- Individual encryption: only the user who encrypted a file can decrypt it again. All other users cannot decrypt this file. Exception: files can be decrypted with the appropriate password using CryptionPro Mobile.
- Mobile encryption: allows the use of CryptionPro Mobile. If this option is assigned to a user, activating CryptionPro Mobile via the cynapspro agent enables the decryption of files outside the company network. An .exe file is automatically copied to the USB stick; it decrypts files on any computer if the appropriate password is provided. In addition, CryptionPro Mobile can also encrypt files outside the company network.

If only one option has been activated for a user, it is applied automatically. If several options have been activated, the user decides via the tray icon whether the next file should be encrypted or not: he double-clicks the tray icon and selects the menu item Encryption.

Important: even if a user has both the options "Common encryption" and "Without encryption" activated, he is able to read both encrypted and unencrypted files. This setting only has an effect when he saves or copies data to external storage media. If CryptionPro has not been activated for the user, he will not be able to read encrypted files. As soon as he is activated for CryptionPro, however, he can edit all "common" encrypted files as normal.

CryptionPro Mobile (Client Software)
If the option Mobile encryption is activated for a user, the user can decrypt and encrypt files outside the company network. To do so, he double-clicks the tray icon and selects the menu item Encryption. He then activates mobile encryption and enters the password to be used for CryptionPro Mobile. From that moment on, the file cryptionpromobile.exe is automatically copied to any USB device to which data is saved or copied. Users just need to start CryptionPro Mobile from the USB device and enter the password. They can then decrypt and encrypt files anywhere and at any time.

Depending on the settings made in the Management Console, you receive a message when closing CryptionPro Mobile asking whether you want to encrypt the unencrypted files, or whether you want to delete the local copies of files. If you choose Yes, CryptionPro Mobile encrypts the current file and displays the next. If you choose Yes for all, CryptionPro Mobile goes through the whole USB device and encrypts the remaining unencrypted files before exiting. If you choose No, CryptionPro Mobile leaves the current file unencrypted and displays the next. If you choose No for all, CryptionPro Mobile does not encrypt any data and exits. If you do not want to exit the program yet, select Cancel.

If you want to delete decrypted data from the computer's hard disk while working (when you open a file on an external drive, Windows automatically creates a temporary copy of the file on the computer), answer the following question with Yes. If you select No, the data remains in the temp folder on the computer's hard disk; those are plaintext copies, so on a computer you do not control you should answer Yes.

Solution Scenarios for CryptionPro

Automatic Encryption for All Users
You want to make sure that all files are always encrypted, but can be read and edited everywhere in the company. There is no reason to leave any data unencrypted. But it is also important that users do not have to be trained and that their work is not negatively impacted. Activate CryptionPro for all users and enable the option "Common encryption" only.

Instructions
Go to the Management Console > Rights Management.
Select the desired user, group or OU; all users assigned to this group or OU appear in the top part of the right-hand window. Right-click the user(s), click Activate / Deactivate and select CryptionPro. In the window below, activate the checkbox Common encryption and save your changes. From now on, everything the user writes or copies to external storage devices is automatically encrypted, without him needing to do anything. When accessed, the files are automatically decrypted in the background and can be read everywhere in the company.

Save Without Encryption
You want to ensure that a user who is used to providing data to customers on a USB device can continue doing so. He needs to be able to write or copy data without encryption, without training and without additional effort. Activate CryptionPro for this user and enable the option "Without encryption" only.

Instructions
Go to the Management Console > Rights Management. Select the desired user and right-click. Click Activate / Deactivate and select CryptionPro. In the window below, activate the checkbox Without encryption and save your changes. From now on, everything the user writes or copies to external storage media is automatically saved without encryption. The files can be accessed and read everywhere, both within the company and outside. Although the user only has the option Without encryption activated, he is able to read all files in the company network that were encrypted with Common encryption.
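The decryption rules under CryptionPro Group Management, the per-user options under User Configuration (including the inactivity timeout for unencrypted transfer) and the two scenarios above can be checked against a small model. The following is an added example written for this page, not cynapspro code: the group tree, user records and file records are constructed here, the names User, StoredFile, can_read and next_write_mode are assumptions, and the guide's "parent group" is taken to mean the immediate parent only, since the page does not say whether higher ancestors also qualify.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed directory-service group tree, child -> parent (hypothetical names).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "Company": None,
    "Finance": "Company",
    "Accounting": "Finance",
    "Sales": "Company",
}

OPTIONS = {"without", "common", "group", "individual", "mobile"}


@dataclass(frozen=True)
class User:
    name: str
    group: Optional[str]
    cp_activated: bool                       # the green check mark in column CP
    options: FrozenSet[str] = frozenset()    # options enabled under User Configuration


@dataclass(frozen=True)
class StoredFile:
    mode: Optional[str]           # None: saved without encryption; else common/group/individual
    creator: str
    creator_group: Optional[str]  # group of the creator when the file was written


def can_read(reader: User, f: StoredFile, mobile_password_ok: bool = False) -> bool:
    """Whether `reader` can open `f` on a company computer running the agent.

    `mobile_password_ok` models the exception in the guide: CryptionPro Mobile
    decrypts any file when the correct password is supplied."""
    if f.mode is None:                 # unencrypted files are readable by everyone
        return True
    if mobile_password_ok:
        return True
    if not reader.cp_activated:        # not activated: no encrypted file can be read
        return False
    if f.mode == "common":             # every activated user in the company
        return True
    if f.mode == "individual":         # only the user who encrypted the file
        return reader.name == f.creator
    if f.mode == "group":              # same group as the creator, or its parent group
        if reader.group is None or f.creator_group is None:
            return False
        return reader.group in (f.creator_group, GROUP_PARENT.get(f.creator_group))
    raise ValueError(f"unknown encryption mode {f.mode!r}")


def next_write_mode(user: User, chosen: Optional[str],
                    idle_seconds: float, idle_limit: float) -> Optional[str]:
    """Mode applied to the next file `user` copies to external storage media.

    Returns "without", "common", "group" or "individual", or None when the
    agent needs a fresh choice from the tray icon.  `chosen` is the option the
    user last selected via the tray icon; `idle_seconds` is the time without
    activity since unencrypted transfer was activated."""
    if not user.cp_activated:          # CryptionPro not in use: plain copies
        return "without"
    opts = set(user.options) & (OPTIONS - {"mobile"})  # "mobile" does not pick a write mode
    if not opts:
        raise ValueError("activated user with no write option (not covered by the guide)")
    if len(opts) == 1:                 # a single option is applied automatically
        return next(iter(opts))
    if chosen not in opts:             # several options: the user must choose via the tray icon
        return None
    if chosen == "without" and idle_seconds >= idle_limit:
        # Inactivity timeout: encryption is switched back on automatically.
        remaining = opts - {"without"}
        return next(iter(remaining)) if len(remaining) == 1 else None
    return chosen


if __name__ == "__main__":
    alice = User("alice", "Accounting", True, frozenset({"group"}))
    bob = User("bob", "Finance", True, frozenset({"common", "without"}))
    report = StoredFile("group", "alice", "Accounting")
    print("bob (parent group Finance) reads alice's group file:", can_read(bob, report))
    print("bob's next write after 10 min idle:", next_write_mode(bob, "without", 600, 600))
```

The model makes the two scenarios explicit: a user with only Common encryption always writes encrypted, a user with only Without encryption always writes plaintext, and both read every "common" file because reading depends on activation, not on the write option.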