
DriveLock Security as a Service

Managed Endpoint Protection

Cloud Configuration Overview – Version 2019.1

 

 

DriveLock SE 2019

 


DriveLock Cloud Configuration Overview 2019.1

17-Jun-2019 12:06:58 / v.99 © 2019 DriveLock SE. All rights reserved. Page 2 of 69

Content

DriveLock Security as a Service
Managed Endpoint Protection
Cloud Configuration Overview – Version 2019.1
Content
Scope of this document
Drives
Settings
Shadowing configuration
Removable Drive locking
Floppy disk drives
CD-ROM drives
USB bus connected drives
Firewire (1394) bus connected drives
SD card drives (SD-bus)
Other removable drives
Network drives and shares
WebDAV-based network drives
Windows Terminal Services (RDP) client drive mappings
Citrix XenDesktop (XenApp, ICA) client drive mappings
File filter templates
File type definitions
File type groups
Devices
Device class locking
Controllers and Ports
1394 (Firewire) controllers
Bluetooth transmitters / radios
Infrared interfaces
Parallel ports (LPT)
PCMCIA controllers
Serial ports (COM)
USB controllers
Devices
Biometric devices
Debugging and software protection devices (WinUSB, ADB)
ePassport reader devices
External display adapters
Human Interface Devices
IEC 61883 (AVC) bus devices
In-circuit emulator devices
Media Center Extender devices
Media player / Portable devices
Modems
Network adapters
PCMCIA and Flash memory devices
Printers
Scanners and cameras
Secure Digital host controllers
Sensor devices
SideShow devices
Smartcard readers
Sound, video and game controllers
Tape drives
Virtualization devices (VMWare)
Smartphones
Apple devices
Other mobile devices
Network profiles
Settings
Agent end-user appearance
Taskbar notification area settings
Applications
Settings
Application rules
Publisher certificate rules
Special rules
Other rules


File name or path rules
Encryption
Settings
DriveLock Encryption 2-Go
Settings
Container password recovery
Enforce encryption
DriveLock File Protection
Settings
Encrypted folder recovery
Enforce encryption
BitLocker Management
Encryption certificates
Pre-boot authentication settings
Harddisk encryption settings
Security awareness
Settings
Security awareness user interface settings
Custom usage policy texts and options
Campaigns
Content
Systems management
Settings
Hardware and software inventory
Client compliance reporting settings
Self-Service groups
Glossary


Scope of this document

This document describes the available settings for policy configuration.


Drives

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives

Settings

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Drive Locking In Basic Configuration Mode

Property Value Comment

Audit drive insertion / removal / locking
    Enabled
    Disabled

Unlock drives when service is stopped (only Windows 2000 and XP)
    Enabled
    Disabled

Always allow access to administrators
    Enabled
    Disabled

Users and groups who can format and eject removable media
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer

Custom user notification messages
    Enabled
    Disabled

Drive locking message
    Drive %DRV% was added to this computer and this drive will be controlled based on company policy. You may not be able to access data on the drive.

Message when computer restart is needed before drive can be used again
    Because of a system error drive %DRV% may not function correctly until the computer is restarted.

Temporary unlocking message - unlock until specific time
    Default

Temporary unlocking message - unlock for number of minutes
    Default

Message when CD/DVD burning attempt is blocked
    Writing to CDs or DVDs on drive %DRV% is denied by company policy. You will not be able to record data to any CD or DVD media.

Message when drive is attached and user has read-only access
    Drive %DRV% was added to this computer and this drive will be controlled based on company policy. You do not have write access to this drive.

File blocked by content filtering message
    The file "%PATH%" was blocked because of company policy: %REASON%.

Disable floppy disk drives polling (turn off clicking sound)
    Enabled
    Disabled

Media change polling interval
    O 250 msec
    O 500 msec (recommended for VMWare)
    O 1000 msec
    O 1500 msec
    O 3000 msec

Monitor volumes without mount point
    Enabled
    Disabled

Lock unencrypted drives when encryption is enforced but not licensed
    Enabled
    Disabled


Block access when filter driver communication is interrupted
    Enabled
    Disabled

Activate enforced encryption when users are connected using Remote Desktop (RDP)
    Enabled
    Disabled

Disable all DriveLock File Protection components
    Enabled
    Disabled

Ignore system threads when controlling drives
    Enabled
    Disabled

Ignore kernel mode access when controlling drives
    Enabled
    Disabled

Do not change current drive status when a network changes is detected
    Enabled
    Disabled

Do not change current drive status when the configuration is refreshed
    Enabled
    Disabled

 

Shadowing configuration

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Advanced Drive Locking Settings / Monitoring Data Transfers by Using Shadowing / Configuring Global Shadowing Settings

Property Value Comment

Location for storing shadowed files on client
    O Default (Stores shadow files under C:\ProgramData)
    O Fixed location

Storage limitations
    Shadow files up to ___ KB size
    Shadow only copies ___ KB of the file
    Do not use more than ___ MB of local disk space

Local storage clean-up settings
    Run clean-up every ___ minutes
    O Delete oldest files first
    O Delete largest files first
    O Do not delete, lock drives when local storage is full
    Delete files older than ___ days

Upload shadowed files to central location
    O Do not upload files
    O File share

Upload files every ___ minutes

Create a local shared folder on clients
    Enabled
    Disabled

Do not delete local files after uploading to central location
    Enabled
    Disabled

Exclude selected processes from shadowing and auditing
    Enabled
    Disabled


Processes to exclude from shadowing and auditing
    Administrator-selected application (.EXE file)
    Predefined application
        Panda Antivirus
        Avira Antivir
        Kaspersky Antivirus
        McAfee Virus Scan
        TrendMicro OfficeScan
        Sophos AntiVirus
        Symantec Client Security
        F-Secure Antivirus

Also exclude selected processes from file filtering
    Enabled
    Disabled

Also exclude child processes from shadowing, auditing and/or filtering
    Enabled
    Disabled

Exclude selected users from shadowing and auditing
    Enabled
    Disabled

Users to exclude from shadowing and auditing
    NT-AUTHORITÄT\SYSTEM

Also exclude selected users from file filtering
    Enabled
    Disabled

 

Removable Drive locking

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Drive Locking In Basic Configuration Mode / Enabling Drive Locking

Floppy disk drives

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________


Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

CD-ROM drives

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

 


Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Encryption
    Require drive to be encrypted
    Do not automatically mount encrypted media

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

CD/DVD Blocking options
    Disable soft blocking (do not hide CD/DVD writing capabilities)
    Do not display user notification messages
    Disable Windows XP built-in CD writing (regardless of permissions)

CD/DVD User/support staff notification
    Change hardware revision information to "Lock" when CD/DVD writing is denied
    Change hardware vendor information

CD/DVD Compatibility
    Do not filter CD/DVD-write operations (do not block CD burning)
    Do not intercept low-level hardware drivers

Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

USB bus connected drives

Property Value Comment


Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

 


Drive letters
    When a drive is connected, assign the first unused drive letter in list:
    A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

 


Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

 

Firewire (1394) bus connected drives

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

 


Drive letters
    When a drive is connected, assign the first unused drive letter in list:
    A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

 


Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

 

SD card drives (SD-bus)

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

 


Drive letters
    When a drive is connected, assign the first unused drive letter in list:
    A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

 


Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

 

Other removable drives

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Messages
    Display custom message in user notification
    User notification message to display when access is denied: _______________________________
    Also display message when access is granted
    Display no message when this rule is activated
    Do not generate audit events when this rule is activated

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

 


Drive letters
    When a drive is connected, assign the first unused drive letter in list:
    A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

Awareness
    O Do not show usage policy or security awareness campaign
    O Use settings configured under “Removable drive locking”
    O Show usage policy (to be accepted by users)
    Launch self-service unlock after accepting usage policy
        O Do not require password for accepting usage policy
        O Require fixed password for accepting usage policy
        O Require Windows password for accepting usage policy
    Allow authorized user login
    O Show security awareness campaign ________________________

 


Commands
    Run program when drive is connected and locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is connected and not locked
    Command line: ________________________________________
    Run as the currently logged-on user

    Run program when drive is disconnected
    Command line: ________________________________________
    Run as the currently logged-on user

 

 

Network drives and shares

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

WebDAV-based network drives

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

 

 


Windows Terminal Services (RDP) client drive mappings

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

Citrix XenDesktop (XenApp, ICA) client drive mappings

Property Value Comment

Lock status
    O Allow
    O Deny (lock) for all users
    O Deny (lock), but allow access for defined users and groups
    E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Filter files read from or written to drives of this type
    Filter files read from or written to drives of this type
    Audit and shadow files read from or written to drives of this type
    Filter / audit / shadow files using template
    Default Filter (All files R/W)
    Default Filter (All files Read only)
    Allow access as configured only to selected subfolders
    Folder path: ________________________

Encryption
    Require drive to be encrypted
    Automatically encrypt unencrypted media
    Encrypt on first write attempt (allow unencrypted read access)
    Strict checking for encrypted media (no non-DriveLock files allowed)
    Do not automatically mount encrypted media

 

 

File filter templates


Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Advanced Drive Locking Settings / Creating File Filters

Property Value Comment

Template description

Comment

When reading files
    O Allow all files
    O Allow only selected extensions
    O Do not allow selected extensions
    Use the same settings when writing files
    Block files which are not content-scanned

File extensions to filter when reading files
    See file types and file type groups below

When writing files
    Use the same settings as when reading files
    O Allow all files
    O Allow only selected extensions
    O Do not allow selected extensions
    Block files which are not content-scanned

File extensions to filter when reading files
    See file types and file type groups below

Audit files
    O None
    O All files
    O Read from removable media
    O Written to removable media

Audit conditions
    O All
    O Success (access allowed)
    O Failure (access denied)

Shadowing settings
    O None
    O All files
    O Files read from removable media
    O Files written to removable media
    Shadow only selected file extensions
    Do not shadow selected file extensions (exception list) ___________________________________

Exceptions
    Exclude selected processes from shadowing and auditing
    Also exclude selected processes from file filtering
    Also exclude child processes from shadowing, auditing and/or filtering
    Exclude selected users from shadowing and auditing
    Also exclude selected users from file filtering

Exclude selected folders from filtering, shadowing and auditing
    Enabled
    Disabled
    ________________________________________

Exclude selected files from filtering, shadowing and auditing
    Enabled
    Disabled
    ________________________________________

 


Other options
When reading, deny access to files larger than ___ KB
When writing, deny access to files larger than ___ KB

Archives
When reading, scan archives
Block nested archives
Block password-protected archives
When writing, scan archives
Block nested archives
Block password-protected archives

Computer exceptions
O Rule is active on any computer
O Rule is active only on selected computers
O Rule is active on all computers, except the ones selected

Network exceptions
O Rule is active in any network location
O Rule is active only in selected network locations
O Rule is active on all networks, except the ones selected

User exceptions
O Rule is active for all users and groups
O Rule is active only for selected users and groups
O Rule is active for all users and groups, except the ones selected

 

 

File type definitions

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Advanced Drive Locking Settings / Creating File Filters / Defining File Types

ACCDB, ACCDE, ACCDT, ACCDR, ACE, AI, AIF, ANI, APK, ARC, ARJ, ASF, AVI, AX, BMP, BUP, BKF, CBR, CDR, CHM, CPL, CRX, DBF, DEB, DIVX, DLL, DMG, DOC, DOT, DSS, DWG, DVX, EPUB, EXE, FLT, FLV, FON, GADGET, GDOC, GDRAW, GIF, GSHEET, GSLIDES, GZ, GZIP, HEIC, HEIF, ICO, IFO, IND, INDD, ITL, JAR, JFIF, JPE, JPEG, JPG, LHA, LZH, M4P, M4A, M4V, MDB, MDE, MDI, MID, MIDI, MK3D, MKA, MKS, MKV, MPG, MPEG, MPP, MSG, MSI, MSP, MSM, NUMBERS, OCX, ODM, ODP, ODT, OGG, ONE, OST, OTF, OTP, OTT, PAGES, PDF, PIF, PNG, PPS, PPT, PPZ, PS, PSD, PSP, PSPIMAGE, PST, RAR, RM, RPM, RTF, SCR, SITX, SNP, SWF, SYS, TAR, TGZ, THM, TTF, VHD, VHDX, VOB, VSD, VXD, WAV, WEBM, WIZ, WMA, WMF, WMV, VDX, VMSN, WPD, WPS, XAR, XIP, XLA, XLR, XLS, XLT, XPI, XPS, ZIP, ZIPX, 386, 3G2, 3GP, 7Z

 

File type groups

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Drives / Configuring Advanced Drive Locking Settings / Creating File Filters / Defining File Type Groups

Property Value Comment

Archives
7Z, ACE, ARJ, CAB, CBR, DEB, GZ, GZIP, LZH, JAR, PKG, RAR, RPM, SITX, TAR, Z, ZIP, ZIPX, XAR

Audio files
MP3, M4P, M4A, WMA, WAV, MID, AAC, AIF, MPA, WAV, WMA, OGG

CAD files
DWG, DXF

Certificate files
CER, CRT, DER, P7B, P7C, P12, PFX, PEM

Database files
ACCDB, MDB, MDF, DBF

Disk image files
BIN, CUE, DMG, ISO, TOAST

Executables
EXE, SCR, PIF, DLL, BAT, CMD, COM, JS, SYS, VS, VBS, PS1, OCX, JSE, VBE, CPX, XPI, APK, GADGET, JAR, WSF, SQL

Font files
FON, OTF, TTF

Images
AI, EPS, PS, SVG, CMX, BMP, GIF, HEIC, HEIF, JPG, JPEG, PNG, PSD, PSP, PSPIMAGE, TGA, THM, TIF, TIFF

 


Office documents
DOC, DOCX, DOT, DOTX, DOCM, XLR, XLS, XLSX, PPT, PPTX, PPS, PPSX, PDF, MPP, RTF, XPS, KEY, NUMBERS, RPT, MSG, ODT, PAGES, PD, PS, TT, ODM, EPUB, PST, OST, GDOC, GDRAW, GSHEET, GSLIDES, ODP, OTP, POTX, IND, INDD, TMP, .

Temporary files
TMP, TEMP, .

Text documents
TXT, LOG

Video files
3G2, 3GP, AVI, FLV, M4V, MKV, MOV, MP4, MPG, MPEG, MPG2, RM, SWF, VOB, IFO, BUP, WMV, DVX, DIVX

Virtual disks
VMDK, VMSN, VHD, VHDX

 

Devices

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Devices

Device class locking

Reference: DriveLock Admin Guide 2019.1 / Locking Drives and Devices / Locking Devices / Configuring Advanced Device Locking Settings / Enabling Device Locking

Controllers and Ports

1394 (Firewire) controllers

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Bluetooth transmitters / radios

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 


Infrared interfaces

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Parallel ports (LPT)

Property Value Comment

Lock status
O Allow
O Deny (lock) for all users
O Deny (lock), but allow access for defined users and groups
E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

 

 

PCMCIA controllers

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Serial ports (COM)

Property Value Comment

Lock status
O Allow
O Deny (lock) for all users
O Deny (lock), but allow access for defined users and groups
E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

Ignore COM port devices
Hardware ID: __________________________

 

USB controllers

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Devices

Biometric devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Debugging and software protection devices (WinUSB, ADB)

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

   

ePassport reader devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 


External display adapters

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Human Interface Devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

IEC 61883 (AVC) bus devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

In-circuit emulator devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Media Center Extender devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 


Media player / Portable devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Modems

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Network adapters

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

PCMCIA and Flash memory devices

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 


Printers

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Scanners and cameras

Property Value Comment

Enable controlling devices of this device class
Enabled
Disabled

Default action when a device of this class is connected and no whitelist rule is present
O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later
Enabled
Disabled

Audit device events for devices of this type
Enabled
Disabled

Do not show user notifications for devices of this type
Enabled
Disabled

Disabled locked devices in device manager
Enabled
Disabled

Do not lock system devices of this type
Enabled
Disabled

Do not restart these devices when another user logs on
Enabled
Disabled

Awareness
O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)
Launch self-service unlock after accepting usage policy
O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy
Allow authorized user login
O Show security awareness campaign ________________________

 

 

Secure Digital host controllers

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

 


Do not restart these devices when another user logs on

Enabled

Disabled

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Sensor devices

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

 


Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

     

SideShow devices

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 


Smartcard readers

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Sound, video and game controllers

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 


Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Tape drives

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

 


Do not restart these devices when another user logs on

Enabled

Disabled

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Virtualization devices (VMWare)

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

Machine-learning: Learn devices during installation, allow these devices and block any device connected later

Enabled

Disabled

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Disabled locked devices in device manager

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

 


Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Smartphones

Apple devices

Property - Apple devices Value Comment

Lock status

O Allow
O Deny (lock) for all users
O Deny (lock), but allow access for defined users and groups

E.g. NT-AUTORITÄT\Authentifizierte Benutzer (Read / write)

 

Filter/Shadow Filter files read from or written to drives of this type

Audit and shadow files read from or written to drives of this type

Filter / audit / shadow files using template

Default Filter (All files R/W)

Default Filter (All files Read only)

Allow access as configured only to selected subfolders

Folder path: ________________________

 

iTunes Always block selected synchronisation types

Music

Videos

Pictures

Applications

Audio books

eBooks (and PDF files)

Contacts

Calendars

Mail accounts

Bookmarks

Notes

Audit all transferred files and data

Audit system files and objects

 


Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

Messages Display custom message in user notification

User notification message to display when access is denied:_______________________________

Also display message when access is granted

Display no message when this rule is activated

Do not generate audit events when this rule is activated

 

 

Other mobile devices

Android devices
Windows Mobile handheld devices and Smartphones
Palm OS handheld devices and Smartphones
BlackBerry devices
Mobile phones

Property Value Comment

Enable controlling devices of this device class

Enabled

Disabled

Default action when a device of this class is connected and no whitelist rule is present

O Block device
O Allow device

 

Audit device events for devices of this type

Enabled

Disabled

Do not show user notifications for devices of this type

Enabled

Disabled

Do not lock system devices of this type

Enabled

Disabled

Do not restart these devices when another user logs on

Enabled

Disabled

 


Filter/Shadow Filter files read from or written to drives of this type

Audit and shadow files read from or written to drives of this type

Filter / audit / shadow files using template

Default Filter (All files R/W)

Default Filter (All files Read only)

Allow access as configured only to selected subfolders

Folder path: ________________________

 

Awareness

O Do not show usage policy or security awareness campaign
O Use settings configured under “Removable drive locking”
O Show usage policy (to be accepted by users)

Launch self-service unlock after accepting usage policy

O Do not require password for accepting usage policy
O Require fixed password for accepting usage policy
O Require Windows password for accepting usage policy

Allow authorized user login

O Show security awareness campaign ________________________

 

 

Network profiles

Reference: DriveLock Admin Guide 2019.1 / Configuring Network Locations and Profiles

Settings

Property Value Comment

Disable Wi-Fi connections when computer is connected to LAN

Enabled

Disabled

 

     

Agent end-user appearance

Property Value Comment

Allow users to configure personal networking profiles

Enabled

Disabled

 

 

Taskbar notification area settings

Property Value Comment

User notification type

O Display balloon message
O Display popup window
O None

 

Display notification area icon Enabled

Disabled

 


Play sound when a message is displayed

Enabled

Disabled

 

Display messages for 10 - 30 seconds  

 

Applications

Reference: DriveLock Admin Guide 2019.1 / DriveLock Application Control / Smart AppGuard

Settings

Property Value Comment

Scanning and blocking mode

O Off
O Audit only, including DLLs
O Audit only
O Whitelist, including DLLs (simulate)
O Whitelist (simulate)
O Whitelist, including DLLs
O Whitelist
O Blacklist, including DLLs (simulate)
O Blacklist (simulate)
O Blacklist, including DLLs
O Blacklist

Hash algorithm to use for hash-based rules

O MD5
O SHA-1
O SHA-224
O SHA-256
O SHA-384
O SHA-512

Application control caching (caching of rule matching results)

Enabled

Disabled

 

Upload local whitelist to DES Enabled

Disabled

 

Always audit application execution (independent of blocking mode)

Enabled

Disabled

 

Custom user notification messages Enabled

Disabled

Application locking message (%EXE% replaced by program path and file):

___________________________________________________________

 

Local whitelist and predictive whitelisting

Enabled local whitelist

Enable predictive whitelisting

Enable predictions based on publisher certificates

 

Path excluded from hash generation for executed files

Set to configured list:

___________________________________________________________

 

Directories that are learned for the local whitelist

Set to configured list:

___________________________________________________________

 

   


Application rules

Reference: DriveLock Admin Guide 2019.1 / DriveLock Application Control / Smart AppGuard / Configuring Application Rules

Publisher certificate rules

Property Value Comment

Rule type

O Whitelist
O Blacklist

 

Rule name    

Comment    

Certificate subject E.g. CN=Microsoft Corporation, OU=AOC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US (wildcards allowed)

Certificate issuer E.g. CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US (wildcards allowed)

Certificate unique ID type

O Do not check
O Serial number
O Thumbprint

Certificate unique ID

Executable description * (wildcards allowed)

Executable version comparison

O Do not check
O and above
O and below
O exact

Rule is active for

O Everyone
O Selected users and groups

E.g. NT-AUTORITÄT\Authentifizierte Benutzer

 

Messages Display custom message in user notification

User notification message to display when access is denied:_______________________________

Display no message when this rule is activated

Do not generate audit events when this rule is activated

 

Show security awareness campaign Enabled

Context specific campaign: ____________________________________

Disabled

 

App updates Trusted process

Automatic learning: add all executable files written by this executable to the local hash database

Ask for user approval before executing the process

Rule is active during selected hours

O No restriction (Any time)
O During selected days and hours: Monday - Sunday | 0 - 24

 

 


Computer exceptions

O Rule is active on any computer
O Rule is active only on selected computers
O Rule is active on all computers, except the ones selected

Network exceptions

O Rule is active in any network location
O Rule is active only in selected network locations
O Rule is active on all networks, except the ones selected

User exceptions

O Rule is active for all users and groups
O Rule is active only for selected users and groups
O Rule is active for all users and groups, except the ones selected

 

     

Special rules

Property Value Comment

Rule type Whitelist

Rule name

Comment

Rule is selected when

O Program file is part of Windows operating system

Include additional operating system add-ons

O Program file is part of DriveLock
O Program file is part of .NET Framework
O Automatic updates are being installed
O Program file detail information cannot be extracted
O Any program is started

Ask for user approval before executing the process

Rule is active for

O Everyone
O Selected users and groups

E.g. NT-AUTORITÄT\Authentifizierte Benutzer

 

Messages Display custom message in user notification

User notification message to display when access is denied:_______________________________

Display no message when this rule is activated

Do not generate audit events when this rule is activated

 

Show security awareness campaign Enabled

Context specific campaign: ____________________________________

Disabled

 

Rule is active during selected hours

O No restriction (Any time)
O During selected days and hours: Monday - Sunday | 0 - 24

Computer exceptions

O Rule is active on any computer
O Rule is active only on selected computers
O Rule is active on all computers, except the ones selected

Network exceptions

O Rule is active in any network location
O Rule is active only in selected network locations
O Rule is active on all networks, except the ones selected

User exceptions

O Rule is active for all users and groups
O Rule is active only for selected users and groups
O Rule is active for all users and groups, except the ones selected

 


 

Other rules

File name or path rules

Property Value Comment

Rule type

O Whitelist
O Blacklist

Description

Path e.g.
C:\Program Files (x86)
C:\Program Files\
C:\Windows

Comment

Check for text in directory or process name

Enabled

Disabled

Template is active for

O Everyone
O Selected users and groups

E.g. NT-AUTORITÄT\Authentifizierte Benutzer

 

Messages Display custom message in user notification

User notification message to display when access is denied:_______________________________

Display no message when this rule is activated

Do not generate audit events when this rule is activated

 

Show security awareness campaign Enabled

Context specific campaign: ____________________________________

Disabled

 

App updates Trusted process

Automatic learning: add all executable files written by this executable to the local hash database

Ask for user approval before executing the process

Rule is active during selected hours

O No restriction (Any time)
O During selected days and hours: Monday - Sunday | 0 - 24

Computer exceptions

O Rule is active on any computer
O Rule is active only on selected computers
O Rule is active on all computers, except the ones selected

Network exceptions

O Rule is active in any network location
O Rule is active only in selected network locations
O Rule is active on all networks, except the ones selected

User exceptions

O Rule is active for all users and groups
O Rule is active only for selected users and groups
O Rule is active for all users and groups, except the ones selected

 

 

Encryption

Reference: DriveLock Admin Guide 2019.1 / Configuring DriveLock Encryption  


Settings

Property Value Comment

Available encryption methods for removable drives

O Container based and file based
O File based (DriveLock File Protection)
O Container based (DriveLock Encryption 2-Go)

Enforced encryption method for removable media

O DriveLock Encryption 2-Go (container-based)
O DriveLock File Protection (file- and folder-based)
O Let the user decide

Allow selection of "Access volume without encryption"

Show usage policy before unlocking the volume

Allow selection of "No access to volume"

Show all licensed types of encryption in drive context menu

 

 

DriveLock Encryption 2-Go

Reference: DriveLock Admin Guide 2019.1 / DriveLock Encryption 2-Go

Settings

Property Value Comment

Encryption algorithm to be used for encrypted drives

O AES
O Blowfish
O CAST5
O Triple DES
O Twofish
O Serpent
O AES (FIPS-mode)
O Triple DES (FIPS-mode)

Password hash algorithm to be used for encrypted drives

O RIPEMD-160
O SHA-1
O Whirlpool
O SHA-1 (FIPS-mode)
O SHA-256 (FIPS-mode)
O SHA-512 (FIPS-mode)

Method to securely delete files

O DoD 5220.22-M (USA)
O Peter Gutmann algorithm
O Bruce Schneier algorithm
O BSI VSITR (Germany)
O Royal Canadian Mounted Police DSX
O DoD 5220.22-M ECE (USA)
O Random data

Encrypted drive file system

O FAT
O NTFS

Encrypted drive cluster size

O 1 KB
O 2 KB
O 4 KB
O 8 KB
O 16 KB
O 32 KB
O 64 KB

 


Minimum required password complexity for encrypted drives

O Use password policy (see setting "Password complexity policy" below)
O Very strong (equivalent to a cryptographic key with more than 251 bits in length)
O Strong (equivalent to a cryptographic key with 191 - 250 bits in length)
O Medium (equivalent to a cryptographic key with 101 - 190 bits in length)
O Weak (equivalent to a cryptographic key with 51 - 100 bits in length)

 

Available drive letters for mounting encrypted drives

A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:

 


Enforce drive letter when mounting encrypted drives

O A:  O B:  O C:  O D:  O E:  O F:  O G:  O H:  O I:  O J:  O K:  O L:  O M:  O N:  O O:  O P:  O Q:  O R:  O S:  O T:  O U:  O V:  O W:  O X:  O Y:  O Z:

 

No history for mounted volumes Enabled

Disabled

 

Do not allow running or copying of the DriveLock Mobile Encryption

Enabled

Disabled

 

Available context menus in Windows Explorer

Context menu for .DLV files:

Mount drive

Unmount drive

Change password

Context menu for encrypted drives:

Unmount drive

Change password

Recover (enforced encryption)

Mount (enforced encryption)

Encrypt (enforced encryption)

Context menu for all files:

Securely delete

Context menu for all folders:

Securely delete

Context menu for all CD/DVD recorders:

Record encrypted media

 

Start menu configuration

O No Start menu entries
O Start | Programs | DriveLock Encryption 2-Go
O Start | Programs | Encryption
O Start | Programs | DriveLock
O Start | Programs
O Start menu

 


Available Start menu items Manage encrypted volumes

Unmount encrypted drive

Change encrypted volume password

Create encrypted volume

Mount encrypted volume

Record encrypted media

Copy DriveLock Mobile Encryption

Recover encrypted volume

Help

 

Menu items available from taskbar icon

Manage encrypted volumes

Unmount encrypted drive

Change encrypted volume password

Create encrypted volume

Mount encrypted volume

Record encrypted media

Copy DriveLock Mobile Encryption

Recover encrypted volume

Help

 

Password complexity policy Minimum password length ___ characters (default 8)

___ lower case (default 1)

___ upper case (default 1)

___ numbers (default 1)

___ special (default 1)

Treat numbers as special characters

 

Encrypted volume password recovery methods

Offline (Helpdesk)

Online (Certificates on client)

User contact information for offline container recovery

Allow quick format of encrypted containers

Enabled

Disabled

Only allow use of encrypted containers created with current DriveLock license

Enabled

Disabled

Do not allow opening encrypted containers with DriveLock Mobile Encryption

Enabled

Disabled

Do not automatically upgrade DriveLock Mobile Encryption to newer version during enforced encryption

Enabled

Disabled

Enforcement of FIPS 140-2-validated cryptography

O On (disable non-FIPS cryptography)
O On
O Off

 


Container access lockout policy Prevent access to container (lock out) after access attempts with invalid password

Number of invalid attempt: ___

Lock access for ___ minutes or

Lock out indefinitely (container recovery can still reset the password)

 

Enabled extend functions for "Change password"

Allow removal of administrative password

Allow removal of user password

Allow setting user password if administrative password is present

 

Order of menu items in taskbar icon Manage encrypted volumes

Create encrypted volume

Mount encrypted volume

Unmount encrypted drive

Change encrypted volume password

Record encrypted media

Recover encrypted volume

Copy DriveLock Mobile Encryption

Help

 

Bring all dialogs to top-most position Enabled

Disabled

 

Encrypted container password saving options

Allow saving passwords when creating a container

Force saving passwords when creating a container (requires "Allow")

Allow saving passwords when mounting a container

Force saving passwords when mounting a container (requires "Allow")

 

Restrict size of encrypted containers ___ MB (default 200 MB)  

Enforced encryption: Time until re-detection of same device is allowed

O none
O 1 min
O 3 min
O 5 min
O 10 min

Do not show estimated remaining time in progress dialogs

Enabled

Disabled

 

 

Container password recovery

Property Value Comment

Set administrative password (optional)

Enabled (you will be contacted by DriveLock Cloud Operations to set the password)

Disabled

Do not automatically use this password when a user mounts encrypted containers

Certificate-based container recovery

O Create new certificate (you will be contacted by DriveLock Cloud Operations to set the password for the certificate)
O Select existing certificate

 


Add recovery information to existing containers that do not contain recovery information

 

  No offline recovery - do not upload recovery information to DES  

 

Enforce encryption

Property Value Comment

Password settings Mount or create encrypted drives using these settings:

O Use administrative password, don't prompt user
O Prompt user for encryption password

Attempt to mount using administrative password first

Disable any administrative password for new containers

Users can disable administrative password for new containers

 

Disk space usage O Use entire drive for encrypted containers

Fill any remaining empty space on drives

Leave empty space of ___ KB

O Leave unencrypted space on drives

___ MB

___ percent of drive

Maximum size of encrypted container ___ MB

 

Encryption algorithm O AES O Blowfish O CAST5 O Triple DES O Twofish O Serpent O AES (FIPS-mode) O Triple DES (FIPS-mode)

 

Hash algorithm O RIPEMD-160 O SHA-1 O Whirlpool O SHA-1 (FIPS-mode) O SHA-256 (FIPS-mode) O SHA-512 (FIPS-mode)

 

File system O FAT O NTFS

 

Cluster size O 1 KB O 2 KB O 4 KB O 8 KB O 16 KB O 32 KB O 64 KB

 

Volume label    

Perform quick-format (do not encrypt complete container)

Enabled

Disabled

 


Volume creation Preserve existing data (move existing data into encrypted container)

Copy DriveLock Mobile Encryption to unencrypted portion

Copy Mac OS X version

Create auto run file (AUTORUN.INF)

Use customized auto run settings

Use custom local temporary folder during volume creation

Hide encrypted container file

Automatically reformat drives larger than 4 GB

Perform quick-format

Format to NTFS instead of exFAT

Let user decide about reformatting

 

 

DriveLock File Protection

Reference: DriveLock Admin Guide 2019.1 / DriveLock File Protection

Settings

Property Value Comment

Encryption algorithm to be used for encrypted folders

O AES O Blowfish O CAST5 O Triple DES O Twofish O Serpent O AES (FIPS-mode) O Triple DES (FIPS-mode)

 

 

Password hash algorithm to be used for encrypted folders

O RIPEMD-160 O SHA-1 O Whirlpool O SHA-1 (FIPS-mode) O SHA-256 (FIPS-mode) O SHA-512 (FIPS-mode)

 

 

Format of user display names

O [Last name], [First name]

O [First name] [Last name]

O [Last name], [First name] ([Department])

O [First name] [Last name] ([Department])

O Custom value

 

Access to encrypted files in locked folders

O Deny O Allow for administrators

 

Interval between checks for certificate revocation

O 1 hour O 2 hours O 3 hours O 6 hours O 10 hours O 12 hours O 24 hours O 48 hours O Always

 

Start menu configuration

O No Start menu entries

O Start | Programs | DriveLock File Protection

O Start | Programs | Encryption

O Start | Programs | DriveLock

O Start | Programs

O Start menu

 


Available Start menu items Create encrypted folder

Create encrypted cloud storage folder

Manage certificate

Mount encrypted folder

Unmount encrypted folder

Copy encrypted folder

Move encrypted folder

Decrypt encrypted folder

Recover encrypted folder

Change encrypted folder password

Copy DriveLock Mobile Encryption

Help

 

Menu items available from taskbar icon

Create encrypted folder

Create encrypted cloud storage folder

Manage certificate

Mount encrypted folder

Unmount encrypted folder

Copy encrypted folder

Move encrypted folder

Decrypt encrypted folder

Recover encrypted folder

Change encrypted folder password

Copy DriveLock Mobile Encryption

Help

 

Available context menus in Windows Explorer

Context menu for all folders:

Mount encrypted folder

Unmount encrypted folder

Encrypted folder users and properties

Copy encrypted folder

Move encrypted folder

Rename encrypted folder

Delete encrypted folder

Encrypt folder

 

Encrypted folder recovery methods Offline (Helpdesk)

Online (Certificates on client)

 

User contact information for encrypted folder recovery

   

Minimum required password complexity for encrypted folders

O Use password policy (see setting "Password complexity policy" below)

O Very strong (equivalent to a cryptographic key with more than 251 bits in length)

O Strong (equivalent to a cryptographic key with 191 - 250 bits in length)

O Medium (equivalent to a cryptographic key with 101 - 190 bits in length)

O Weak (equivalent to a cryptographic key with 51 - 100 bits in length)

 

 


Password complexity policy Minimum password length ___ characters (default 8)

___ lower case (default 1)

___ upper case (default 1)

___ numbers (default 1)

___ special (default 1)

Treat numbers as special characters

 

Files and paths excepted from encrypted folder autoregistration

   

Backup process names (access to encrypted data)

   

Do not show popup messages for automatic folder mounting

Enabled

Disabled

 

Automatic mount of encrypted folders O Off O Fully automatic only, do not show wizard O On (show wizard if needed)

 

Order of menu items in taskbar icon Create encrypted folder

Create encrypted cloud storage folder

Mount encrypted folder

Unmount encrypted folder

Decrypt encrypted folder

Change encrypted folder password

Recover encrypted folder

Manage certificate

Copy DriveLock Mobile Encryption

Help

 

Encrypted container password saving options

O Allow saving

O Allow saving, current session only

O Allow saving, save by default

O Allow saving when from another user

O Allow saving, current session only, save by default

O Do not allow saving

O Always save (do not ask user)

O Always save, current session only (do not ask user)

 

 

Drive types, where creation of encrypted folders is allowed

Fixed drives

Network drives

Removable drives

Other drives

 

Paths excepted from creating encrypted folders

TBD  

Bring all dialogs to top-most position Enabled

Disabled

 

Drive types, where to check for unencrypted files after successful mount

Fixed drives

Network drives

Removable drives

Other drives

 


Agent user interface settings Use LDAP users instead of Active Directory users (enable LDAP connector)

 

Do not hide DriveLock File Protection configuration database files

Enabled

Disabled

 

Do not allow running or copying of the DriveLock Mobile Encryption

Enabled

Disabled

 

DriveLock Mobile Encryption: Save changed files without confirmation

Enabled

Disabled

 

Enforced encryption: Time until re-detection of same device is allowed

O none O 1 min O 3 min O 5 min O 10 min

 

 

Initial encryption: Secure deletion of temporary files

O DoD 5220.22-M (USA)

O Peter Gutmann algorithm

O Bruce Schneier algorithm

O BSI VSITR (Germany)

O Royal Canadian Mounted Police DSX

O DoD 5220.22-M ECE (USA)

O Random data

 

Do not attach DriveLock File Protection driver to network drives

Enabled

Disabled

 

Do not show estimated remaining time in progress dialogs

Enabled

Disabled

 

 

Encrypted folder recovery

Property Value Comment

Certificate-based folder recovery O Create new certificate (you will be contacted by DriveLock Cloud Operations to set the password for the certificate)

O Select existing certificate

 

  Add recovery information to existing folders  

  No offline recovery - do not upload recovery information to DES  

 

Enforce encryption

Property Value Comment

Password settings Mount or create encrypted folders using these settings:

O Use company certificate, don't prompt user

O Prompt user for encryption password

Attempt to mount using company certificate first

Disable any company certificate for new folders

Users can disable company certificate for new folders

 


Encryption algorithm O AES O AES (FIPS-mode) O IDEA O Triple DES O Triple DES (FIPS-mode)

 

Hash algorithm O RIPEMD-160 O SHA-1 O SHA-1 (FIPS-mode) O SHA-256 (FIPS-mode) O SHA-512 (FIPS-mode) O Whirlpool

 

Folder structure O Encrypt root folder O Create encrypted folder

Create additional folder for unencrypted data (folder name: ______________)

Create additional personal, encrypted folder without company certificate (folder name: ______________)

 

Existing data Preserve existing data (any data will be deleted when this option is not selected)

O Move to and encrypt data in encrypted folder

O Move to and encrypt data in additional personal folder without company certificate

O Move data to additional folder for unencrypted data

O Leave data as is (no move, no encryption)

 

Options Copy DriveLock Mobile Encryption (stays unencrypted)

Copy Mac OS X version

Create auto run file (AUTORUN.INF)

Use customized auto run settings

 

 

BitLocker Management

Reference: DriveLock BitLocker Management Guide 2019.1

Encryption certificates

Property Value Comment

Emergency logon and data recovery certificates

O Create new certificate (you will be contacted by DriveLock Cloud Operations to set the password for the certificate)

O Import existing certificate

 

 

Pre-boot authentication settings

Property Value Comment

Pre-boot authentication type O No pre-boot authentication (requires active TPM) O BitLocker pre-boot authentication (BitLocker password)

 

Automatically unlock all data partitions

Enabled

Disabled

 

Password options User cannot change password

User must change password

 


Password complexity requirements Minimum password length ___ characters (default 8)

___ lower case (default 1)

___ upper case (default 1)

___ numbers (default 1)

___ special (default 1)

Treat numbers as special characters

 

 

Harddisk encryption settings

Property Value Comment

Encrypt local hard disks on Agent computers

Enabled

Disabled

 

Encryption algorithm priority (first element has highest priority)

AES (256 bit key length)

AES-XTS (256 bit key length)

AES (128 bit key length)

AES-XTS (128 bit key length)

AES with Elephant diffuser (256 bit key length)

AES with Elephant diffuser (128 bit key length)

Hardware encryption

 

Configure encryption settings per drive

Enabled (specify encryption algorithm for each drive)

C: _______________

D: _______________

E: _______________

F: _______________

G: _______________

H: _______________

I: _______________

J: _______________

K: _______________

L: _______________

M: _______________

N: _______________

O: _______________

P: _______________

Q: _______________

R: _______________

S: _______________

T: _______________

U: _______________

V: _______________

W: _______________

X: _______________

Y: _______________

Z: _______________

Disabled

 


Initial encryption Encrypt only used disk space (fast initial encryption)

Manage existing BitLocker environment

Display warning when disks are not fully encrypted

 

Installation protection On configuration changes, delay decryption by ____ days  

 

Security awareness

Reference: DriveLock Security Awareness Manual 2019.1

Settings

Security awareness user interface settings

Property Value Comment

Make window stay on top of all other windows during display

Enabled

Disabled

 

Open window in full screen mode Enabled

Disabled

 

Ignore full screen settings on campaign level

Enabled

Disabled

 

Show custom texts for acknowledging of campaigns

Enabled

Text on checkbox: ___________________________________

Text on button: ______________________________________

Custom window title: __________________________________

Disabled

 

 

Custom usage policy texts and options

Property Value Comment

Display custom content Enabled

Disabled

O Load usage policy text from file (text or RTF formatted - provide file)

O Usage policy text (%NAME% will be replaced with device name)

 

Caption text    

Buttons Accept:

Decline: __________________________________

 

Show on each Agent per user ___ times per session  

Play video Enabled (provide file)

Do not enable the Accept button until the video finished playing

User can pause / stop the video while it is playing

Disabled

 

Enable the Accept button after ___ seconds  


 

Campaigns

Reference: DriveLock Security Awareness Manual 2019.1 / Creating security awareness campaigns

Content

Property Value Comment

Content type Built-in image

Image

PDF file

RTF file

Security awareness package (select predefined content below)

Text

URL (web content)

Video file

 


Security awareness package Access control (Security flash)

Be careful with information (Micro learning)

Bring your own device (Security flash)

Business and personal use of Internet, email and social media (Micro learning)

Clear desk, screen & office (Security flash)

Cyber Security for Executives (Training (demo))

Cyber security (Skill test)

Cyber security (Training)

EU General Data Protection Regulation (GDPR) (Skill test)

EU General Data Protection Regulation (GDPR) (Training)

How is information classified (Micro learning)

Information classification (Security flash)

Information classification (Training)

Information classification (Skill test)

Introduction Program: Information Security (Skill test)

Introduction Program: Information Security (Training)

Know who you are dealing with (Micro learning)

Malware (Skill test)

Malware (Training)

Mobile Devices (Skill test)

Mobile Devices (Training)

Phishing (Training)

Phishing (Skill test)

Phishing (Security flash)

Report information security incidents (Micro learning)

Report security incidents (Security flash)

Risk Management (Training)

Risk Management (Skill test)

Secure your mobile devices (Micro learning)

Security Awareness for IT Professionals (Skill test)

Security Awareness for IT Professionals (Training)

Social engineering (Skill test)

Social engineering (Training)

Social engineering (Security flash)

Social media & working in the cloud (Security flash)

Strong passwords (Security flash)

The new way of working (Skill test)

The new way of working (Training)

Use of passwords (Micro learning)

Work securely outside the office (Micro learning)

Working in public places (Security flash)

Working in the cloud (Skill test)

Working in the cloud (Training)

 


Priority O 1 (highest) O 2 O 3 O 4 O 5 O 6 O 7 O 8 O 9 O 10

 

Language Language Neutral  

Show content for ... seconds before allowing acknowledgement or other functions

___  

User must acknowledge Enabled

Disabled

 

Automatically show awareness information after a user logs on

Enabled

Disabled

 

Allow users to page through available content

Enabled

Disabled

 

Show custom texts for acknowledging of campaign elements

Enabled

Disabled

 

Trigger O independent of an event O when a user logs on O if used in rules (application rule must be defined)

 

Show campaign max. ... times ___  

Recurrence O every time the event occurs O once per day O once per week O once per month O once per year O once every ___ days

 

Computer exceptions O Rule is active on any computer O Rule is active only on selected computers O Rule is active on all computers, except the ones selected

Network exceptions O Rule is active in any network location O Rule is active only in selected network locations O Rule is active on all networks, except the ones selected

User exceptions O Rule is active for all users and groups O Rule is active only for selected users and groups O Rule is active for all users and groups, except the ones selected

 

 

Systems management

Reference: DriveLock Admin Guide 2019.1 / Systems management

Settings

Hardware and software inventory

Property Value Comment


Collection of inventory data Enabled

Disabled

 

Collect device information Enabled

Disabled

 

Collect drive information Enabled

Disabled

 

Collect installed software information Enabled

Disabled

 

Collect patch and hotfix information Enabled

Disabled

 

Inventory starts O When the Agent service starts (not recommended) O Every ___ days O Every ___ weeks O On demand

 

Start at fixed time Enabled ___:___:___

Disabled

 

 

Client compliance reporting settings

Windows Update

 

 

Verify Windows Update status

Verify Windows Update is enabled and running

Verify last successful update not older than ___ days

Verify no more than ___ available updates

 

Windows Firewall Verify Windows firewall enabled and running

Verify Windows Security Center At least one product of the following product types must be:

Firewall

Installed

Running

Up to date

Antivirus

Installed

Running

Up to date

Anti-Spyware

Installed

Running

Up to date

 

 

Self-Service groups

Reference: DriveLock Admin Guide 2019.1 / Systems management / Self-service groups  

Property Value Comment


Description DriveLock Cloud Base  

Comment    

Rule unique identifier 33a3d20b-b388-4b73-9372-68091fd23176  

Users able to manage computers NT-AUTORITÄT\Authentifizierte Benutzer  

Computers manageable by users < Local computer >  

 

 

Glossary

AD Active Directory  

ALF Application Launch Filter  

AV Anti-Virus  

CSP Centrally Stored Policy  

DB Data Base  

DCC DriveLock Control Center  

DES DriveLock Enterprise Service  

DL DriveLock  

DLV Extension for DriveLock Encrypted File-Containers (DriveLock Volume)  

DMC DriveLock Management Console  

FDE Full Disk Encryption  

FFE File & Folder Encryption  

MMC See DMC  

MSSP Managed Security Service Provider  


SecaaS Security as a Service  

SOT Security Operations Team  

VM Virtual Machine  

VPN Virtual Private Network  

 


 

Copyright 

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

© 2019 DriveLock SE. All rights reserved. 

DriveLock and others are either registered trademarks or trademarks of DriveLock SE or its subsidiaries in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 
