This technote describes the steps necessary to establish a Secure Envelope. First, let us make sure everybody is on the same page about what a Secure Envelope really is. An example might serve well: we have a company that runs an application containing very sensitive information. The company wants two goals fulfilled:
a) Implement two-factor security for accessing this particular application.
b) Ensure that no sensitive material can be transmitted out of the company while this application is active.
The following technote will describe in detail how this can be accomplished. For the experienced PowerFuse administrator, there is a quick hands-on checklist in Appendix B at the end of this document.
In order to get the most out of this document, it is recommended that the executing consultant or integrator is familiar with RES PowerFuse technology and terminology. If concepts such as Workspaces and PowerZones are not familiar, it is advised to consult a RES Certified Administrator or partner before implementing this in a production environment.
In order to build a proof of concept, it is necessary to have a USB drive/stick at your disposal. If you are building the environment inside a virtual machine environment, you must enable USB port support. The environment in which this lab was built consisted of two VMs. The first hosts a DC and the PowerFuse SQL database. The other VM contains Windows XP SP2 with PowerFuse 2008 Standard or Enterprise installed, joined to the domain and connected to the DB on the first VM. Note: PowerFuse Express also supports USB security, but lacks some of the features necessary to complete this lab.
What we want to accomplish specifically:
Effectively, what we want to build is a system that allows one application to run when a USB stick is inserted, and that actively kills and disables certain others at that moment. Once the USB drive is removed, the reverse should happen: the secure application is killed and disabled, and the communication applications are enabled again. In this exercise we are going to use Mspaint as our secure application, and IE, Outlook Express and MSN Messenger as the communication apps we need to disable while the secure envelope is active.
In order to accomplish these items, the steps outlined in this document will need to be taken.
Note1: This technology brief only describes what is possible by using PowerFuse together with readily available resources in the Windows operating systems. There are many ways to change/expand this scenario to suit almost any customer requirements. An example is somebody who needed session recording to start when the Secure Envelope environment was initialized. While neither Windows nor PowerFuse presently caters for such functionality, there are several other vendors who provide solutions for such needs.
Note2: No software or data is required to be written to the USB stick.
How to configure it:
The following seven steps detail how to set up a secure envelope which will enable a dummy app, in this case Mspaint, when a certain USB stick is inserted. It will also kill applications such as IE, email clients and messengers when the USB stick is inserted.
1) Define a Powerzone which will recognize the USB stick:
Start by launching the RES Console and navigate to the Configuration Management|PowerZones node.
Here you create a new PowerZone with the Add button. Use the following steps to create the secure envelope.
- Give the PowerZone a descriptive name, such as Secure Envelope.
- Go to the Rules tab. Add the rule USB storage device serial number. See the example below:
When you select this rule type, you will get the following dialogue box:
It is important to note the following:
When you hit the browse [...] button above, the console scans for USB devices currently plugged into the machine where the console is running. This means you cannot plug the USB drive into your PowerFuse-enabled client machine and then pick up the serial number on a different machine running the console. In the current PowerFuse 2008 SR3 it is still necessary to have the USB stick and the console on the same computer in order to grab the serial number.
A final note on USB stick triggered PowerZones: if you want, you can require that two or more USB sticks must be inserted to enable the PowerZone. Think nuclear submarine security, where the captain and the XO each have a key. You can do something similar here, just by adding another key and combining the rules with the ampersand (&) operator. The result would look like this:
2) Define a Non-Secure Workspace
Once the PowerZone is in place, the next step is to define a Workspace. We need this workspace to define when certain applications are allowed. In our scenario, they should be allowed when the USB drive is NOT inserted. However, the USB PowerZone we created in step 1 defines when the USB drive IS inserted. In order to invert the logic so it applies to application access, we pipe the PowerZone through a workspace, where we have the option to invert it. We do the following:
- Go to Configuration Management|Workspace Containers, hit the Add button and give the new workspace a logical name such as Non-Secure, and describe it for what it is: a workspace which is outside the secure sandbox. Applications which should not be present inside the secure envelope should be assigned to this workspace.
- In the Computer Control Tab, you need to select the option , as this Workspace really has nothing to do with what computer we are referencing.
- In the Access Control tab, specify a Location using the bottom half of the dialog box. When you hit the Add button, you get the dialog shown on the right. This is where you select the PowerZone you created in the previous step. See the image below the next point.
- Finally, to complete this Workspace, set the checkmark for Apply settings when selected PowerZone is NOT applicable, as shown below. This negates the logic as discussed earlier.
3) Define the secure application
This is the secure application to which you want to give access. In this example we use Mspaint.exe to simulate the application. The configuration items below do not exclude other items; if you need to configure additional PowerLaunch tasks and/or User Preferences to make the secure application work as desired, you should still set them up after configuring the following. The specific steps to be performed are:
- Create an application in the Application Management node. Use MSPaint.exe as the executable for this lab.
- While editing the application, go to Properties|Settings, and select the options listed on the right.
These are the reasons for the checkmarks above. First, we probably do not want to advertise the presence of the secured application to users who are never going to have it. Second, we disable the popup “You have received new applications”, since we are going to notify the users ourselves. Third, we disallow Autolaunch, as the secured app should not come online without a conscious effort on the user’s part. Finally, we prompt the user for extra password authentication, to fulfil the customer’s need for two-factor authentication.
- Assign the application to the secured PowerZone. This is done in the Access Control|Location field when editing the application. Assigning the app to the PowerZone ensures that it is only available when the USB drive has been inserted. Do NOT assign this application to the Non-Secure workspace.
- Assign whatever users, group(s) and OUs should be allowed to run this application in the first place. This is done in Access Control|Identity.
- Optionally assign a certain timeframe in which this application is available. This is done in Access Control|Time.
Finally, let us presume that later down the road we get a requirement that the application must only be available at a given physical location. It is a logical assumption that one can just add another PowerZone to the application in the Access Control|Location section. However, that will not work.
The reason is that when adding PowerZones to an application in the Access Control|Location section, the only available logical operator is OR. This means that if you combined the Secure Envelope with a Secure Location PowerZone, just logging on inside the secure location would be enough to enable the app for the user, which is not what we want. To get the required AND logic between two PowerZones on an application, you can use either of the following two approaches.
- Edit the Secure Envelope PowerZone and add the locations as you desire, effectively building the rules of the two PowerZones into one. This is the easy way, but perhaps less flexible for future needs.
- The other way is to create a Workspace which again either provides a list of secure computers, or is defined by a PowerZone in the Access Control tab of that workspace.
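The following is an added example, not code from the technote or from RES, that models the access-control rules described here: the multi-stick ampersand rule from step 1, the inverted Non-Secure workspace from step 2, and the OR-only behaviour of Location PowerZones versus the two AND workarounds above. It assumes a simplified model in which a Workspace acts as an extra gate on an application, and the USB serials and computer name are constructed values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PowerZone:
    """Applies when ALL listed USB serials are inserted (the '&' rule from step 1)
    and, if computers are listed, the session runs on one of them."""
    name: str
    serials: frozenset = frozenset()
    computers: frozenset = frozenset()   # empty means no location restriction

    def applies(self, inserted, computer):
        return self.serials <= frozenset(inserted) and (
            not self.computers or computer in self.computers)


@dataclass(frozen=True)
class Workspace:
    """Wraps one PowerZone; invert models 'Apply settings when selected
    PowerZone is NOT applicable' from step 2."""
    name: str
    zone: PowerZone
    invert: bool = False

    def applies(self, inserted, computer):
        hit = self.zone.applies(inserted, computer)
        return not hit if self.invert else hit


@dataclass
class Application:
    """Location PowerZones are OR-ed (any one suffices); Workspace Control is
    modelled as an additional gate (assumption), which yields the AND."""
    name: str
    locations: list = field(default_factory=list)
    workspaces: list = field(default_factory=list)

    def available(self, inserted, computer):
        loc_ok = not self.locations or any(z.applies(inserted, computer) for z in self.locations)
        ws_ok = all(w.applies(inserted, computer) for w in self.workspaces)
        return loc_ok and ws_ok


# Constructed sample data: serials and computer name are made up for this example.
USB_KEY, USB_KEY2 = "SN-CONSTRUCTED-0001", "SN-CONSTRUCTED-0002"
secure_env = PowerZone("Secure Envelope", frozenset({USB_KEY}))
secure_loc = PowerZone("Secure Location", computers=frozenset({"PC-SECURE-01"}))
non_secure = Workspace("Non-Secure", secure_env, invert=True)

# Wrong: two Location zones are OR-ed, so being on the secure PC alone unlocks the app.
mspaint_or = Application("mspaint.exe", locations=[secure_env, secure_loc])
# Approach 1: fold both rules into a single PowerZone.
mspaint_merged = Application("mspaint.exe", locations=[
    PowerZone("Secure Envelope+Location", frozenset({USB_KEY}), frozenset({"PC-SECURE-01"}))])
# Approach 2: keep the Location and gate it with a Workspace defined by the second zone.
mspaint_ws = Application("mspaint.exe", locations=[secure_env],
                         workspaces=[Workspace("Secure Site", secure_loc)])
# A communication app assigned only to the inverted Non-Secure workspace (steps 2 and 6).
outlook = Application("Outlook Express", workspaces=[non_secure])
# Two-key variant from step 1: both sticks must be present.
two_key = PowerZone("Two-key Envelope", frozenset({USB_KEY, USB_KEY2}))
```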
4) Enable refresh on USB event
In the Advanced Configuration node, select the Refresh Start Menu on USB Drive Change option:
This ensures that every time you insert or remove a USB device, PowerFuse refreshes the session. Please note the following two items:
- You may have to log off and log back on any current session before this takes effect.
- In a virtual environment, it may take a little longer than usual for the USB device to map through to the VM.
5) Create a notification Application
This step is, strictly speaking, not necessary, but quite useful to ensure that the user is notified that a new situation is at hand. This is where you notify the user that access to communication apps has been suspended and perhaps even that the session is being recorded.
- Create a new application. Call it Secure Envelope Notification, for example.
- Do not enter any command line; none is necessary.
- If you want to restrict this message to certain users entering the secure envelope environment, you can select them in the Access Control section.
- In the Properties|Settings part of the application, it is advisable to set the settings shown here on the right:
- In the Properties|Notifications tab, a message similar to the following example could be displayed. Remember, all available properties for the current user in Active Directory can be displayed using the $adinfo() function:
Note: The above message states that we are recording screens and keystrokes. This is, however, not a current capability within PowerFuse 2008. There are several software suites which will do this, though; an example is Citrix Smart Auditor.
- Finally, note the application’s ID number, as you will need it later in Step 7. You will find it on the Properties|General tab of the application, as shown here:
6) Define the Non-secure apps
At this point, we want to configure what applications should be removed from the user’s workspace, once the Secure Envelope has been activated. In most cases we are dealing with applications such as email clients, web browsers and messengers.
- Select and edit an application which should be disabled in the Secure Envelope.
- On the application configuration matrix, select Workspace Control on the left-hand side, and choose the workspace you created in Step 2.
- Note: You are likely to get undesired results (such as applications not being removed when you expect them to) if you start combining the Non-Secure workspace with other workspaces.
7) Executing external tasks
In order to make everything work as specified, we need to add three external PowerLaunch tasks to the PowerFuse environment. These tasks have the following purposes:
- Kill the non-secure applications when entering the Secure Envelope
- Kill the secure application when exiting the Secure Envelope
- Run the notification app when entering the Secure Envelope (this task is optional)
In the RES Management Console, go to Configuration Management|PowerLaunch|External Tasks. Define a new external task that looks something like this:
We use the built-in taskkill.exe, which is available natively in Windows XP and upwards. Below is a description of the parameters used; see taskkill.exe /? for more info.
- /t : Tree kill; also kills all child processes of the specified apps.
- /f : Force kill (do not ask nicely to save and close, just nuke the app).
- /im : Image name, i.e. the name of the process. Wildcards (*) can be used.
Normally external tasks are executed at logon, but by setting the Run Task value to ‘At Refresh’ we ensure that this task is only considered to run when a refresh occurs (such as one triggered by a USB drive insert). As we do not want to clutter the desktop with unsightly command boxes, we also choose to run it hidden.
Last but most important: this external task must be assigned to the Secure Envelope PowerZone on the Access Control tab.
The second external task you must configure has the purpose of killing the secured application once the USB drive is removed. This is done by inverting the logic on the PowerZone. First configure the external task so it looks like this:
In the example above, we use mspaint.exe for demonstration, as mentioned previously. The second, and very important, step is to assign the PowerZone correctly.
On the Access Control tab, select your Secure Envelope PowerZone in the Location section, just like you did in Step 2. It is also important that you invert the PowerZone by selecting Apply settings when selected PowerZone is NOT applicable. The result should look like the screenshot here on the right. There should be a red marking on the PowerZone icon to indicate that the selection logic has been reversed.
The third external task launches the notification application. We need to do this in a special way in order to make PowerFuse launch the notification upon a refresh.
We do this by using the PowerFuse executable responsible for launching other applications: pwrgate.exe. As shown above, configure a new external task. The number 44 should be replaced with the actual application ID your notification app has in your own installation; this is the number you noted in step 5.
Finally, assign the external task you have just created to the Secure Envelope PowerZone.
This concludes the lab of setting up a secure envelope around an application.
Appendix A: Additional points to consider for further enhancements
- You can modify the first external task defined in Step 7 to also kill the desktop entirely: just add /IM explorer.exe. For this to work, you will also need to launch the secured application yourself via another external task, using the pwrgate.exe <appid> command. You would also need to re-launch explorer.exe when you pull the USB drive.
- If you are setting up this lab in a virtual machine environment, make sure that your VM supports virtual USB remapping. Second, from experience it is not recommended to quickly insert and remove USB devices in such an environment, as it has a tendency to lock things up in the virtual environment manager, i.e. you will have to reboot everything to get your USB drives enabled in the environment. Third, on some older VMware 5x environments, it has been experienced that on a bad day your USB drive could get its MBR+FAT wiped! So, in short, to test this use a USB stick without any valuable data on it.
- There are plenty of areas where this environment can be improved and tweaked. For example, one could perhaps change the wallpaper when entering/leaving the secured envelope. Another improvement could be temporarily disabling the clipboard, provided a method is available for this. Finally, the method in this document uses only the features available in RES PowerFuse. One could easily execute machine-specific tasks by utilizing the integration with RES Wisdom.
Appendix B: Quick Reference
This section is written specifically for those with plenty to do and even less time to do it in. The following bullet list describes what to do, presuming you are already familiar with PowerFuse.
- Create a PowerZone for the USB stick. Call it Secure Envelope.
- Create a Workspace. Call it Non-Secure. In the workspace’s access control, specify the PowerZone created in the previous step. Make sure to set the “Apply settings when selected PowerZone is NOT applicable” option.
- Configure the secure application. Put in the following settings: a) Do not list in PowerHelp, b) Do not show in “New Applications”, c) AutoLaunch by user not allowed, d) Use extra password verification (optional).
- Assign the secure application to the Secure Envelope PowerZone.
- Optionally assign PowerHours to the secure application too.
- In the Advanced Configuration node, enable Refresh Start Menu on USB Drive Change
- Create an empty application which has a notification attached.
- Change the settings on the notify app to enable a) Do not list in PowerHelp, b) Do not show in “New Applications”, c) Hide application. Note down the application ID of the notify app.
- Assign the applications to be killed to the Non-Secure Workspace. Make sure they are not assigned to other workspaces.
- Set up a PowerLaunch external task to kill the non-secure apps when the USB stick is inserted. Check the Run Hidden option and change the Run Task setting to Refresh. If you’re proofreading and miss this sentence, you’re not paying attention to detail. Use the command taskkill.exe /t /f /im process1.exe /im process2.exe /im processN.exe to kill the necessary apps.
- Assign the external task above to the Secure Envelope PowerZone.
- Set up a PowerLaunch external task to kill the secure app when leaving the Secure Envelope. Again, check the Run Hidden option and change the Run Task setting to Refresh. Use taskkill.exe as specified above to kill the relevant process(es).
- Assign the external task above to the Secure Envelope PowerZone, applied when it is NOT applicable.
- Set up a PowerLaunch external task to run the notify app. Use the command “%programfiles%\RES PowerFuse\pwrgate.exe” <notify app ID>
- Assign the external task that launches the notification to the Secure Envelope PowerZone.
You can of course just cut to the chase and download the building block from the PowerFuse BuildingBlock Archive (it’s on its way!).