Installation Guide
McAfee® Data Loss Prevention 9.2 Software
For Use with ePolicy Orchestrator® 4.6.0 Software


COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface 5
  About this guide 5
    Audience 5
    Conventions 5
  Finding product documentation 6

1 About McAfee Data Loss Prevention Endpoint software 7
  Recommended installation 8
  Choosing a McAfee DLP configuration 9
  Backward-compatible installation 11

2 Install McAfee DLP Endpoint software 13
  Verify system requirements 13
  Configure the server 15
  Install McAfee ePolicy Orchestrator 15
  Installing McAfee DLP WCF service 16
    Install the McAfee DLP WCF service 18
  Before you install the extension 20
    Creating and configuring repository folders 21
  Install the McAfee Data Loss Prevention Endpoint extension 23
  Working in a cluster environment 24
    Prepare the cluster 24
    Test the cluster 24

3 Post-installation tasks 25
  Initialize the DLP Policy console 25
  Upgrade the license 27
  Initialize the McAfee DLP Monitor 28
  Check in the McAfee DLP Endpoint package to ePolicy Orchestrator 29
  Deploying McAfee DLP Endpoint 30
    Define a default rule 30
    Deploy McAfee DLP Endpoint with ePolicy Orchestrator 31
    Verify the installation 32
    Uninstalling McAfee DLP Endpoint 32

A Deploying McAfee Data Loss Prevention Endpoint software with SMS 33
  Create an installation package 33
  Create the advertisement 34
  Create the SMS uninstall package 34
  Create an SMS uninstall package to run from a command line 35

B Users and permission sets 37
  Create and define McAfee DLP administrators 37
  Create and define permission sets 38
  DLP permission set options 38

C Installing a version upgrade 41
  Upgrading issues 41
  Phased upgrade 44
  Upgrade McAfee DLP Endpoint software 45
  Restore the policy after upgrade 45

Index 47


Preface

Detailed information for installation, verification, and configuration of McAfee DLP Endpoint software.

This guide provides the necessary information for installing McAfee® Data Loss Prevention Endpoint software. It provides detailed steps and verification of the installation process. This guide demonstrates how to configure the recommended architecture, and when completed the user will have a fully functional McAfee DLP Endpoint software implementation that is properly configured.

McAfee DLP Endpoint software is very flexible in meeting a variety of implementation architectures. We recognize that many configuration possibilities exist, and that the recommended architecture represents only one path.

Contents

• About this guide
• Finding product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Security officers — People who determine sensitive and confidential data, and define the corporate policy that protects the company's intellectual property.

Conventions
This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.


Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

Finding product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:
  1 Click Product Documentation.
  2 Select a product, then select a version.
  3 Select a product document.

To access the KnowledgeBase:
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.


1 About McAfee Data Loss Prevention Endpoint software

McAfee® Data Loss Prevention Endpoint (McAfee DLP Endpoint) software protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization.

McAfee DLP Endpoint software is a content-based endpoint solution that inspects enterprise users’ actions concerning sensitive content in their own work environment, their computers. It uses advanced discovery technology as well as predefined dictionaries to identify this content, and incorporates device management and encryption for additional layers of control.

McAfee DLP Endpoint software prevents transmission of sensitive data from desktops and laptops, whether or not they are connected to the enterprise network. It protects against data loss regardless of the format in which data is stored or manipulated.

McAfee® Device Control software incorporates the device management functionality of McAfee DLP Endpoint software in a simpler package which is sold separately. It prevents unauthorized use of removable media devices, the most widespread and costly source of data loss in many companies today.

McAfee DLP Endpoint software is administered from the McAfee® ePolicy Orchestrator® (McAfee ePO™) management console.

Contents

• Recommended installation
• Choosing a McAfee DLP configuration
• Backward-compatible installation


Recommended installation
The recommended installation for McAfee Data Loss Prevention Endpoint software version 9.x is on a single server together with McAfee ePO and the McAfee ePO database. The McAfee DLP WCF service can be installed on a separate server from the McAfee ePO database.

Figure 1-1 McAfee DLP Endpoint components and relationships

The recommended architecture includes:

• McAfee ePO server — Hosts the embedded interfaces (McAfee DLP Monitor and McAfee DLP Endpoint policy console) and communicates with the McAfee Agents.

• McAfee ePO Reports — A list of McAfee DLP Endpoint Events within the ePolicy Orchestrator reporting service.

• McAfee DLP WCF (Windows Communication Foundation) Service — Communicates between ePolicy Orchestrator and McAfee DLP Endpoint policy console to distribute policies, and with the McAfee DLP Monitor.


• McAfee ePO Event Parser — Communicates with the McAfee Agent and stores event information in a database.

• DLP Event Parser — Collects McAfee DLP Endpoint events from the ePolicy Orchestrator Event Parser and stores them in tables in the SQL database.

• ePO database — Communicates with the ePolicy Orchestrator Policy Distributor to distribute policies, and with the McAfee DLP Event Parser to collect events and evidence.

• Administrator workstation — Accesses ePolicy Orchestrator, McAfee DLP Monitor, and McAfee DLP Endpoint policy console in a browser through the McAfee DLP WCF service.

• Managed workstation — Applies the security policies using the following software:

  • McAfee DLP Endpoint — A McAfee Agent plug-in that provides the DLP processes.

  • McAfee Agent — Provides the communication channel between the McAfee ePO server and the McAfee DLP Endpoint.

Choosing a McAfee DLP configuration
Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Data Loss Prevention Endpoint software. While guidelines and best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is unique for each installation. Choosing between the two DLP configurations — McAfee Device Control and full McAfee Data Loss Prevention Endpoint — is the first step in determining how those needs will be met.

Because it might be difficult to determine in advance exactly what your unique needs are, we recommend initial deployment to a sample group of 15 to 20 users for a trial period of about a month. During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The monitoring data helps the security officers make good decisions about where and how to classify corporate data. The policies created from this information should be tested on a larger test group (or, in the case of very large companies, on a series of successively larger groups) before being deployed to the entire enterprise.

McAfee Device Control vs McAfee DLP Endpoint

McAfee Device Control software prevents unauthorized use of removable media devices. Full McAfee DLP Endpoint software gives you a complete set of tools to inspect enterprise users’ actions concerning sensitive content anywhere on their computers. The default installation is for McAfee Device Control software; upgrading is done by changing the licensing. Many organizations begin with device control, as removable media represent the most widespread and costly source of data loss, and upgrade as their needs become better defined.

The following table compares the features.

Table 1-1 Feature comparison of software versions

Feature                              McAfee Device Control software             McAfee DLP Endpoint software

Applications
  Enterprise Applications List       Yes                                        Yes

Database Administration
  Database Administration            Yes                                        Yes
  Database Statistics                Yes                                        Yes

Content Based Definitions
  Dictionaries                       Yes                                        Yes
  Registered Documents Repositories  Yes                                        Yes
  Text Patterns                      Yes                                        Yes

Definitions
  Application Definitions            Yes                                        Yes
  Document Properties                Yes                                        Yes
  Email Destinations                 No                                         Yes
  File Extension Definitions         Yes                                        Yes
  File Server Definitions            No                                         Yes
  Network Definitions                No                                         Yes
  Printer Definitions                No                                         Yes
  Tags and Categories                Yes (content categories and groups only)   Yes (content categories, tags, and groups)
  Web Destinations                   No                                         Yes
  Whitelist Repository               Yes                                        Yes

Device Management
  Device Classes                     Yes                                        Yes
  Device Definitions                 Yes                                        Yes
  Device Rules                       Yes                                        Yes
  Whitelisted Applications           Yes                                        Yes

Policy Assignment
  User Assignment Groups             Yes                                        Yes
  Privileged Users                   Yes                                        Yes

RM and Encryption
  RM Servers                         No                                         Yes
  RM Policies                        No                                         Yes
  Encryption Keys                    Yes                                        Yes

Rules
  Classification Rules               Yes                                        Yes
  Discovery Rules                    No                                         Yes
  Protection Rules                   Yes (Removable Storage Protection only)    Yes:
                                                                                  • Application File Access Protection
                                                                                  • PDF/Imagewriter Protection
                                                                                  • Clipboard Protection
                                                                                  • Printing Protection
                                                                                  • Email Destinations Protection
                                                                                  • Removable Storage Protection
                                                                                  • File System Protection
                                                                                  • Screen Capture Protection
                                                                                  • Network Communication Protection
                                                                                  • Web Post Protection
  Tagging Rules                      No                                         Yes

Backward-compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of McAfee DLP Endpoint in their production environment, an option exists to deploy backward-compatible policies to computers still running the older agents.

Host DLP Agent 3.0 Patch 1 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to Host DLP Agent 3.0 Patch 1 or later before upgrading to McAfee DLP Endpoint 9.2.

McAfee DLP Endpoint version 9.2 utilizes a standardized XML policy format, introduced in Version 9.0. This format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents has five levels:

• No compatibility (all endpoints are version 9.2)

• McAfee DLP Endpoint Agent 3.0 and later

• McAfee DLP Endpoint Agent 3.5 or current version

• McAfee DLP Endpoint Agent 9.0 and later

• McAfee DLP Endpoint Agent 9.1 and later

The compatibility option "DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3.x agents.

DLP Agent 2.2 Patch 4 is no longer supported.

The agent compatibility option is selected during the McAfee DLP Endpoint policy console initialization.


2 Install McAfee DLP Endpoint software

Prepare your environment and install McAfee DLP Endpoint software in ePolicy Orchestrator.

Contents

• Verify system requirements
• Configure the server
• Install McAfee ePolicy Orchestrator
• Installing McAfee DLP WCF service
• Before you install the extension
• Install the McAfee Data Loss Prevention Endpoint extension
• Working in a cluster environment

Verify system requirements
The following hardware is recommended for running McAfee DLP Endpoint software version 9.2.

Table 2-1 Hardware requirements

Servers
  • CPU: Intel Pentium IV 2.8 GHz or higher
  • RAM:
    • 512 MB minimum for McAfee Device Control software only (1 GB recommended)
    • 1 GB minimum for full McAfee DLP Endpoint software (2 GB recommended)
  • Hard Disk: 80 GB minimum

Managed workstations
  • CPU: Pentium III 1 GHz or higher
  • RAM:
    • 256 MB minimum for McAfee Device Control software (1 GB recommended)
    • 512 MB minimum for full McAfee DLP Endpoint software (1 GB recommended)
  • Hard Disk: 200 MB minimum free disk space

Network
  • 100 Mbit LAN serving all workstations and the McAfee ePO server
  • Endpoint computers must be able to access port 8731 on the server running the WCF Service.
  • Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF Service.


The following operating system software is supported:

Table 2-2 Operating systems supported

Servers
  • Windows® 2003 Server Standard (SE) SP1 or later, 32- or 64-bit
  • Windows 2003 Enterprise (EE) SP1 or later, 32- or 64-bit
  • Windows 2008 Server Enterprise, 32- or 64-bit

Managed workstations
  • Windows XP Professional SP1 or later, 32-bit
  • Windows 2003 Server, 32- or 64-bit
  • Windows Vista SP1 or later, 32-bit only
  • Windows 2008 Server, 32-bit
  • Windows 7, 32- or 64-bit
  • Windows 2008 Server R2, 64-bit

Servers are supported for McAfee Device Control software only.

The user installing McAfee DLP Endpoint software on the servers must be a member of the local administrators group.

The following software is required on the server running the McAfee DLP Endpoint policy console and McAfee DLP Monitor:

Table 2-3 Server software requirements

McAfee ePolicy Orchestrator
  • 4.0 Patch 7 or later
  • 4.5 Patch 4 or later
  • 4.6

McAfee Agent
  • 4.0 Patch 3 or later
  • 4.5 Patch 3 or later
  • 4.6

McAfee ePO Help System
  Download the McAfee DLP Endpoint 9.2 Help extension.
  There is no Help for McAfee DLP Endpoint version 9.2 in McAfee ePolicy Orchestrator 4.0 because the Help System for McAfee ePO 4.0 is EOL and cannot be updated.

Microsoft .NET
  3.5 or 3.5 SP 1
  Agent handlers on remote servers no longer require the .NET Framework.

Microsoft SQL Server
  2005 or 2008, Advanced Express or Enterprise, 32- or 64-bit

The McAfee DLP Endpoint software version 9.2 package includes the following:

• McAfee Data Loss Prevention Endpoint (McAfee Agent plugin)

• McAfee DLP Windows Communication Foundation (DLP WCF)

• McAfee DLP Endpoint extension (contains the components installed through ePolicy Orchestrator)

• McAfee DLP Help Desk Tool


Configure the server
Basic configuration of the McAfee DLP Endpoint server includes setting the security configuration and verifying the .NET installation.

Verify that the server meets the minimum system requirements.

Task

1 Install Microsoft Windows Server 2003 SP1 or Windows Server 2008. See the System Requirements for supported Windows systems.

2 Install Windows Installer 3.0 (Windows 2003) or 4.5 (Windows 2008) and restart the system. Install all Microsoft Windows Service Packs.

3 Run Windows Update and install all updates.

4 Disable Microsoft Internet Explorer’s Enhanced Security Configuration Window Component.

• In Windows 2003, open the Windows Control Panel then select Add/Remove Windows Components.

• In Windows 2008, open the Server Manager then select Configure IE ESC in the Security Information section.

This Microsoft product can hinder proper installation of McAfee DLP Endpoint components. Disable it before installation, then reconfigure it after installation if it is required.

5 Verify that Microsoft .NET Framework 3.5 SP1 is installed.

6 Set the server to a static IP address.

We recommend using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server’s static IP address within that range.

Install McAfee ePolicy Orchestrator
McAfee Data Loss Prevention Endpoint software version 9.2 can be installed in McAfee ePolicy Orchestrator 4.0, 4.5, or 4.6. There are a few precautions you should be aware of.

Read the McAfee ePolicy Orchestrator Installation Guide and Release Notes to familiarize yourself with all installation issues.

Some of the installation scripts require the NETWORK SERVICE account to have write permission for the C:\Windows\Temp folder. In secure systems, this folder might be locked down. In that case, you must temporarily change the permissions for this folder. Otherwise, the installation fails. We recommend completing all software installations before resetting the permissions.
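The following PowerShell script checks the server prerequisites from the two sections above before the installers are run: .NET Framework 3.5 SP1, NETWORK SERVICE write access to C:\Windows\Temp, a static IP address, and TCP port 8731 on the WCF host named in the network requirements. It is an added example, not part of the McAfee guide; the WCF host name EPOSERVER is an assumption to replace with your own.

```powershell
# Pre-installation checks for the McAfee ePO / DLP server (added example, not
# from the McAfee guide). Run from an elevated PowerShell prompt on the server.
$WcfServer = 'EPOSERVER'   # assumed host name of the server that will run the DLP WCF service
$WcfPort   = 8731          # port named in the guide's network requirements

function Test-DotNet35Sp1 {
    # The NDP\v3.5 key carries Install=1 and SP=1 once .NET Framework 3.5 SP1 is present.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $ndp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return (($null -ne $ndp) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1))
}

function Test-NetworkServiceTempWrite {
    # Looks for an explicit Allow entry that gives NETWORK SERVICE write access to
    # C:\Windows\Temp. Access inherited through group membership is not detected,
    # so treat False as "verify by hand", not as proof that the folder is locked.
    # If the entry is missing, grant it only for the duration of the installation
    # (for example on Windows 2008: icacls C:\Windows\Temp /grant "NT AUTHORITY\NETWORK SERVICE":(OI)(CI)M)
    # and reset the permissions afterwards, as the guide recommends.
    $acl  = Get-Acl -Path 'C:\Windows\Temp'
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    }
    return ($null -ne $rule)
}

function Get-DhcpEnabledAdapters {
    # The guide requires a static address: report every IP-enabled adapter still on DHCP.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        Select-Object Description, @{ Name = 'IPAddress'; Expression = { $_.IPAddress -join ',' } }
}

function Test-TcpPort($computer, $port) {
    # Plain TCP connect; endpoints and Event Monitor users both need this port open.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($computer, $port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

'.NET Framework 3.5 SP1 installed         : ' + (Test-DotNet35Sp1)
'NETWORK SERVICE write on C:\Windows\Temp : ' + (Test-NetworkServiceTempWrite)
"TCP $WcfPort reachable on $WcfServer     : " + (Test-TcpPort $WcfServer $WcfPort)
$dhcp = @(Get-DhcpEnabledAdapters)
if ($dhcp.Count -gt 0) {
    'Adapters still using DHCP (set a static address before continuing):'
    $dhcp | Format-Table -AutoSize
} else {
    'All IP-enabled adapters use static addresses.'
}
```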


Pay attention to the following points when installing ePolicy Orchestrator:

1 In the McAfee ePO installation wizard, use the following settings.

Installation Options
  Select Install Server and Console.

Setup Requirements
  When installing on Windows 2003 Server, we recommend using the SQL Server 2005 Express installer included in the McAfee ePO installer.
  Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 or 2008 server and select it. This is the preferred option when installing on Windows 2008 Server.
  After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.

Database Server Account
  We recommend using a SQL Server account. If preferred, an NT account can also be used.

2 During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.

Installing McAfee DLP WCF service
The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between McAfee ePolicy Orchestrator, McAfee Data Loss Prevention Endpoint, and the McAfee DLP Monitor. In McAfee Total Protection for Data Loss Prevention, it is not used to communicate with ePolicy Orchestrator or with the McAfee DLP Monitor.

Web access authorized groups

When installing the McAfee DLP WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). We recommend setting up a group or groups in Windows Active Directory or Open LDAP with the names of users authorized to log on to the database.

When the McAfee DLP Endpoint policy console attempts to connect to WCF, it impersonates the logged on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG before connecting to the database.


WCF service installation options

There are two basic options for installing the Windows Communication Foundation (WCF) service: on the same server as the McAfee ePO (SQL) database (local installation) or on a separate server (remote installation). Where McAfee ePolicy Orchestrator is installed, together with its database or on a separate server, is not relevant to this discussion; only the relative locations of WCF and the database.

Figure 2-1 WCF installation options

Option 1: Installing WCF locally

When installing WCF on the same server as the McAfee DLP Endpoint database, you can use Windows authentication or SQL authentication. The option is selected on the WCF service installation wizard. The selected authentication applies only to the connection between WCF and the database. The connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking.

The user must be defined in the SQL database. See Adding a user in SQL Server.

Option 2: Installing WCF remotely

When installing WCF on a separate server from the McAfee DLP Endpoint database, you can now use Windows authentication or SQL authentication. The former limitation to only SQL authentication has been eliminated. The description of the connection details is the same as in local installation.


Install the McAfee DLP WCF service
There are two steps to installing the McAfee DLP WCF service. When the installation is complete, you can troubleshoot the installation to resolve problems.

Before you begin

Before installing the McAfee DLP WCF service, create a user in Microsoft SQL server. You must do this even if you are going to use Windows authentication.

Tasks

• Add a user in Microsoft SQL Server on page 18
  To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created.

• Run the McAfee DLP WCF installer on page 19
  The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.

Add a user in Microsoft SQL Server
To use either Windows or SQL authentication with WCF and with the ePolicy Orchestrator database, an authorized user must be defined in the Microsoft SQL database. The authorized user can be a Windows user or a SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this task to create such an account.

To perform this task, you must have Microsoft SQL Server Management Studio installed. If you are using Microsoft SQL Server Express, you should install the Express version of Management Studio. The administrator performing the task should have system administrator rights on the servers involved.

Task

1 Open SQL Server Management Studio (Express) and connect to the EPOSERVER instance.

2 In the Object Explorer, right-click the database name and select Properties.

3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use. Click OK.

4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.

5 On the General page of the Login Properties dialog box, select SQL Server authentication or Windows authentication and type a logon name. Set the default database to ePO4_SERVER. Enforcing a password policy is optional.

6 On the General page of the Login Properties dialog box, select SQL Server authentication and type the logon name ndlpuser and a password. Set the default database to ePO4_SERVER and the default language to English. Click OK.

7 On the Server Roles page, select the sysadmin checkbox.

8 On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section, select ePO4_SERVER and verify that the new logon user is listed in the User column and that public is checked in the database role membership section. Click OK.

9 Under User Mapping, define the database role memberships by selecting the db_owner and public checkboxes.

10 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the logon user name.

11 On the Securables page, click Add. Select Specific objects, and click OK.

12 In the Select Objects dialog box, click Object Types and select Databases. Click OK.

13 Click Browse. Select [ePO4_SERVER] and click OK twice.

14 If you do not see all six effective permissions, browse the Explicit Permissions list to locate and Grant them. Click OK. Repeat steps 7-11 to verify the Effective Permissions.

15 Click OK.
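After finishing the task, the account's configuration can be checked against the steps above by querying the SQL Server catalog views instead of clicking through the Management Studio pages again. The PowerShell script below is an added example, not part of the McAfee guide; it assumes the EPOSERVER instance, the ePO4_SERVER database and the ndlpuser login named in the task, and must be run as a Windows login that is a sysadmin on that instance (the EXECUTE AS step needs impersonation rights).

```powershell
# Verification of the WCF database account (added example, not from the McAfee
# guide). Assumptions: instance, database and login names from the guide's task.
$Instance = 'EPOSERVER'
$Database = 'ePO4_SERVER'
$Login    = 'ndlpuser'

# Every SELECT returns the same three columns (check, value, detail) so the
# result sets can be read uniformly.
$sql = @"
-- Login exists, with its default database and language (steps 5-6)
SELECT 'login' AS [check], name AS [value],
       ISNULL(default_database_name, '') + ' / ' + ISNULL(default_language_name, '') AS detail
FROM sys.server_principals WHERE name = @login;

-- sysadmin fixed server role (step 7): 1 = member, 0 = not a member
SELECT 'sysadmin', ISNULL(CAST(IS_SRVROLEMEMBER('sysadmin', @login) AS nvarchar(10)), 'no such login'), '';

-- Login is mapped to a user in the ePO database (step 8); matched on SID, so a
-- database user with a different name is still found
SELECT 'db user', dp.name, dp.type_desc
FROM sys.database_principals dp
JOIN sys.server_principals sp ON dp.sid = sp.sid
WHERE sp.name = @login;

-- Database role memberships (step 9); public is implicit and not listed
SELECT 'db role', r.name, ''
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.sid = SUSER_SID(@login);

-- Effective database permissions as the login itself sees them (step 14)
EXECUTE AS LOGIN = @login;
SELECT 'effective', permission_name, '' FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
"@

function Get-WcfAccountReport {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=SSPI"
    $rows = @()
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $reader = $cmd.ExecuteReader()
        do {
            while ($reader.Read()) {
                $rows += New-Object PSObject -Property @{
                    Check  = $reader.GetString(0)
                    Value  = $reader.GetString(1)
                    Detail = $reader.GetString(2)
                }
            }
        } while ($reader.NextResult())
        $reader.Close()
    }
    catch [System.Data.SqlClient.SqlException] {
        # A failing EXECUTE AS (login not mapped into the database) surfaces here.
        Write-Warning $_.Exception.Message
    }
    finally { $conn.Close() }
    return $rows
}

$report = Get-WcfAccountReport
$report | Format-Table Check, Value, Detail -AutoSize

# The two conditions the guide's task depends on: a mapped user and db_owner membership.
if (-not ($report | Where-Object { $_.Check -eq 'db user' })) {
    Write-Warning "$Login is not mapped to a user in $Database (guide step 8)."
}
if (-not ($report | Where-Object { $_.Check -eq 'db role' -and $_.Value -eq 'db_owner' })) {
    Write-Warning "$Login is not a member of db_owner in $Database (guide step 9)."
}
```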

Run the McAfee DLP WCF installer
The McAfee DLP Windows Communication Foundation (WCF) service is used to communicate between ePolicy Orchestrator, McAfee DLP Endpoint, and the McAfee DLP Monitor.

When installing or upgrading McAfee DLP Endpoint software, you must upgrade the McAfee DLP Windows Communication Foundation service to the latest version. Failure to upgrade McAfee DLP WCF can lead to errors when trying to save the global policy to the reporting database or update database credentials. To prevent this, the new version checks the client and server versions and displays an error message if they don't match.

Add the logged on user to the Microsoft SQL database as a Windows or SQL user, according to which form of authorization you plan to use. Log out of ePolicy Orchestrator.

Task

1 Browse to and run the McAfee DLP WCFServiceInstaller.msi installer.

Verify that the McAfee DLP Windows Communication Foundation service installer version matches the McAfee DLP Endpoint software version you are installing.

2 In step 4 of the installation wizard (WCF Service Settings), do the following:

a Use the default WCF Server Port value. If you must change the server port, consult your McAfee representative for instructions.

b We recommend setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database. You must change the default Web Access Authorized Groups entry from Everyone to a group or user with authorized access, as described in WCF installation options.

c If you are using the confidential data redaction feature, select Obfuscate Sensitive Data in RSS Feed.

3 In step 5 of the installation wizard (Microsoft SQL Database) do the following:

a Review the defaults for Database Server and Database Name. Type other values if necessary.

b Select Windows Authentication or SQL Authentication and fill in the associated fields.

4 Click Finish to complete the installation.


Troubleshoot the McAfee DLP WCF service

After installation of the McAfee DLP WCF service and installation of the McAfee DLP Endpoint policy console, use the troubleshooter to verify the installation.

To troubleshoot the McAfee DLP WCF service, use the browser page http://localhost:8731/DLPWCF/Admin/Testing.

Do not run this test page before installing the McAfee DLP Endpoint software suite in McAfee ePolicy Orchestrator. The tests will fail if the McAfee DLP Endpoint database is not yet installed.

Figure 2-2 The McAfee DLP WCF service testing page

Before you install the extension

Before you begin installation of McAfee DLP Endpoint software, prepare your system as described below.

Two folders and network shares must be created, and their properties and security settings must be configured appropriately. The folders do not need to be on the same computer as the McAfee DLP Endpoint Database server, but it is usually convenient to put them there.

We suggest the following folder paths, folder names, and share names, but you can create others as appropriate for your environment.

• c:\dlp_resources\

• c:\dlp_resources\evidence

• c:\dlp_resources\whitelist

• Evidence folder — Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence folder.

• Whitelist folder — Text fingerprints to be ignored by the DLP Endpoint are placed in a whitelist repository folder. An example is boilerplate text such as disclaimers or copyright. McAfee DLP Endpoint software saves time by skipping these chunks of text that are known to not include sensitive content.


Roles and permissions

Consider the administrator roles you need to manage the system, and create the necessary user profiles. Roles such as McAfee DLP administrators, policy makers, monitor viewers, manual taggers, and others may be necessary, depending on the size of the system and how centralized you want control to be. The system can be modified at any time, so the list does not have to be comprehensive.

See also
• Create and define permission sets on page 38
• Create and define McAfee DLP administrators on page 37

Creating and configuring repository folders

McAfee Data Loss Prevention Endpoint software requires certain repository folders on the server. These folders must be created and configured before running the installer.

Tasks

• Configure folders on Windows 2003 Server on page 21. Configuration of the repository folders on Windows 2003 Server requires specific security settings.

• Configure folders on Windows 2008 Server on page 22. Configuration of the repository folders on Windows 2008 Server requires specific security settings.

Configure folders on Windows 2003 Server

Configuration of the repository folders on Windows 2003 Server requires specific security settings.

Before you begin

Create the evidence and whitelist folders, as described in Before you install the extension.

Both folders are configured in the same manner. Repeat this task for each folder.

Task

1 Right-click the evidence / whitelist folder and select Sharing and Security.

2 In the dialog box that appears, select Share this folder. Modify Share name to evidence$ / whitelist$.

The $ ensures that the share is hidden.

3 Click the Security tab, then click Advanced.

4 On the Permissions tab of the Advanced Security Settings for evidence dialog box, deselect Allow inheritable permissions.

A confirmation message explains the effect this change will have on the folder.

5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated except administrators.

Setting permissions for administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.

6 Double-click the Administrators entry to open the Permission Entry dialog box. Change the Apply onto option to This folder, subfolders and files. Click OK.


7 Click Add to select an object type.

8 In the Enter the object name to select text box, type Domain Computers, then click OK to display the Permission Entry dialog box.

9 In the Allow column, select:

• Create Files/Write Data and Create Folders/Append Data for the evidence folder.

• List Folder/Read Data for the whitelist folder.

Verify that the Apply onto option says This folder, subfolders and files, then click OK.

The Advanced Security Settings dialog box now includes Domain Computers.

10 Click OK twice to close the dialog box.

Configure folders on Windows 2008 Server

Configuration of the repository folders on Windows 2008 Server requires specific security settings.

Before you begin

Create the evidence and whitelist folders, as described in Before you install the extension.

Both folders are configured in the same manner. Repeat this task for each folder.

Task

1 Right-click the evidence / whitelist folder and select Permissions.

2 Select the Sharing tab, then click Advanced sharing. Select the Share this folder option and click Apply.

3 Add the share name evidence$ / whitelist$.

The $ ensures that the share is hidden.

4 Select the Security tab, then click Advanced.

5 On the Permissions tab, deselect the Include inheritable permissions from the object's parent option.

A confirmation message explains the effect this change will have on the folder.

6 Click Remove.

The Permissions tab on the Advanced Security Settings dialog box shows all permissions eliminated.

7 Click Add to select an object type.

8 In the Enter the object name to select text box, type Domain Computers, then click OK.

The Permission Entry dialog box is displayed.

9 In the Allow column, select:

• Create Files/Write Data and Create Folders/Append Data for the evidence folder.

• List Folder/Read Data for the whitelist folder.

Verify that the Apply onto option says This folder, subfolders and files, then click OK.

The Advanced Security Settings dialog box now includes Domain Computers.

10 Click Add again to select an object type.


11 In the Enter the object name to select text box, type Administrators, then click OK to display the Permission Entry dialog box. Set the required permissions.

Adding administrators is required for the whitelist folder. It is optional for the evidence folder, but can be added as a security precaution. Alternately, you can add permissions only for those administrators who deploy policies.

12 Click OK twice to close the dialog box.
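The two folder procedures above (Windows 2003 Server and Windows 2008 Server) and the folder description under "Before you install the extension" all come down to the same small set of settings: a hidden share, inheritance removed, administrators with full access, and Domain Computers with exactly the rights the endpoint agents need. The PowerShell script below is an added example, not part of the McAfee guide, that applies those settings with icacls and net share so they can be repeated and audited; it follows the Windows 2008 Server procedure (icacls is not present on Windows 2003, where the GUI steps above apply). The folder root is the guide's suggested C:\dlp_resources; the domain NetBIOS name is an assumption, and the share-level permissions are an assumption as well, since the guide only specifies NTFS permissions.

```powershell
# Added example, not part of the McAfee guide: create the evidence and
# whitelist repository folders, share them as hidden shares, and apply the
# NTFS permissions from the Windows 2008 Server procedure with icacls.
# Assumptions: Windows Server 2008 or later (icacls, net.exe), the guide's
# suggested folder root, and the domain NetBIOS name below.
param(
    [string]$Root   = 'C:\dlp_resources',   # folder root suggested by the guide
    [string]$Domain = 'CORP'                # assumption: your domain's NetBIOS name
)

function Initialize-DlpRepositoryFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ShareName,   # ends in $ so the share is hidden
        [Parameter(Mandatory = $true)][ValidateSet('evidence', 'whitelist')][string]$Kind
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Step 11: administrators. Required for whitelist, optional for evidence
    # in the guide; granted on both here. (OI)(CI) is icacls' spelling of
    # "This folder, subfolders and files". Granted before inheritance is cut
    # so the account running this keeps write access to the DACL.
    & icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    # Steps 5-6: stop inheriting from the parent and drop the inherited ACEs.
    # Explicit ACEs (the one just added) are kept.
    & icacls $Path /inheritance:r | Out-Null

    # Steps 7-9: Domain Computers get only what the agents need.
    #   evidence  -> WD (Create Files/Write Data) + AD (Create Folders/Append Data)
    #   whitelist -> RD (List Folder/Read Data)
    $rights = if ($Kind -eq 'evidence') { '(WD,AD)' } else { '(RD)' }
    & icacls $Path /grant "$Domain\Domain Computers:(OI)(CI)$rights" | Out-Null

    # Steps 2-3: hidden share. Share-level permission is an assumption (the
    # guide specifies NTFS permissions only): CHANGE so agents can write
    # evidence, READ for the whitelist.
    $sharePerm = if ($Kind -eq 'evidence') { 'CHANGE' } else { 'READ' }
    & net share "$ShareName=$Path" "/grant:$Domain\Domain Computers,$sharePerm" | Out-Null
}

# Returns $true when the folder's DACL contains no inherited entries and
# only the two principals the guide names.
function Test-DlpRepositoryAcl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })
    $allowed = @('BUILTIN\Administrators', "$Domain\Domain Computers")
    $unexpected = @($acl.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    return ($inherited.Count -eq 0 -and $unexpected.Count -eq 0)
}

Initialize-DlpRepositoryFolder -Path (Join-Path $Root 'evidence')  -ShareName 'evidence$'  -Kind evidence
Initialize-DlpRepositoryFolder -Path (Join-Path $Root 'whitelist') -ShareName 'whitelist$' -Kind whitelist

foreach ($name in 'evidence', 'whitelist') {
    $p = Join-Path $Root $name
    "{0}: ACL as expected = {1}" -f $p, (Test-DlpRepositoryAcl -Path $p)
    & icacls $p    # print the DACL for the record; no "(I)" entries should appear
}
```

Test-DlpRepositoryAcl is the part to keep in a periodic check: an inherited or unexpected ACE on the evidence share means blocked e-mails and other evidence copies are readable by more than the McAfee DLP administrators, and the output of icacls gives the record to attach to the change.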

Install the McAfee Data Loss Prevention Endpoint extension

The McAfee DLP Endpoint software extension and the Help module are installed in ePolicy Orchestrator.

Before you begin

If you are using McAfee ePolicy Orchestrator 4.6, navigate to Menu | Software | Software Manager to view, download, and install the McAfee Data Loss Prevention software and Help modules.

Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet Explorer security settings.

The default installation is a 90-day license for McAfee Device Control software. If you purchased a license for full McAfee Data Loss Prevention Endpoint software, you must upgrade the license after you complete the installation.

Task

1 In ePolicy Orchestrator, select Menu | Software | Extensions, then click Install Extension.

2 Browse to and select the McAfee DLP Endpoint .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then OK.

The installation dialog box displays the file parameters to verify that you are installing the correct extension.

3 Click OK. The extension is installed.

The following applications are installed:

• McAfee DLP Endpoint policy console (in ePolicy Orchestrator | Data Protection)

• McAfee DLP Monitor (in ePolicy Orchestrator | Data Protection)

• DLP Event Parser

4 Click Install Extension again, browse to and select the Help .zip file (...help_dlp_920.zip). Click Open, then OK.

This file contains the McAfee DLP Endpoint extension to the ePO Help system.

5 Click OK.


Working in a cluster environment

McAfee DLP Endpoint 9.2 software provides high availability for environments running ePolicy Orchestrator 4.5 or ePolicy Orchestrator 4.6 in a cluster.

We recommend cluster installation on a Microsoft Win 2008 Server with Failover Clustering role. Installation on other operating systems has not been tested and is not currently supported.

Prepare the cluster

Before running McAfee DLP Endpoint software in a cluster environment, ensure the following.

• Microsoft Failover Clustering is set up and running on a cluster of two or more servers.

• Two separate drives are configured for clustering: a Quorum drive and a Data drive.

• There is a supported database server (SQL 2005 or SQL 2008) in the network.

• ePolicy Orchestrator is set up according to the cluster installation section in the McAfee ePolicy Orchestrator 4.6 Installation Guide. The guide can be found at: https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/22000/pd22974/en_us/epo_460_install_guide_en-us.pdf.

Test the cluster

Cluster installations should be tested before use.

When the McAfee Data Loss Prevention Endpoint 9.2 cluster is set up and online, use this task to ensure that DLP functions in a failover situation.

Task

1 Restart the system functioning as the active node.

The passive node automatically becomes the active node.

2 Log on to McAfee ePolicy Orchestrator, open Data Protection | DLP Policy and click Apply to apply the policy.

If the apply policy screen finishes successfully, you can conclude that the DLP cluster has continued to function during the failover.


3 Post-installation tasks

Several steps are needed to complete the McAfee Data Loss Prevention Endpoint software installation. You must configure the McAfee DLP Endpoint policy console and McAfee DLP Monitor, install McAfee DLP Endpoint software on the managed computers, deploy a test policy, and verify the installation.

Contents

• Initialize the DLP Policy console
• Upgrade the license
• Initialize the McAfee DLP Monitor
• Check in the McAfee DLP Endpoint package to ePolicy Orchestrator
• Deploying McAfee DLP Endpoint

Initialize the DLP Policy console

The first time you open the McAfee Data Loss Prevention Endpoint policy console, a wizard runs for first-time initialization.

The wizard can be run at any time by selecting Initialization Wizard from the Tools menu in the McAfee DLP Endpoint policy console.

The McAfee DLP Endpoint Management Tools installer and McAfee DLP Endpoint policy console initialization wizard use ActiveX technology. To prevent the installer from being blocked, verify that the following are enabled in Internet Explorer Tools | Internet Options | Security | Custom level:

• Automatic prompting for ActiveX controls

• Download signed ActiveX controls

Task

1 In the ePolicy Orchestrator console, select Menu | Data Protection | DLP Policy.

The McAfee DLP Endpoint Management Tools installer runs and, after a brief delay, the Welcome screen of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.

2 After the McAfee DLP Endpoint Management Tools installation has completed, the McAfee DLP Endpoint policy console begins loading. If you have an existing policy, you are prompted to convert it to the new XML format. Click Convert and skip to step 4.

3 If no previous policy exists, the message DLP global policy is unavailable. Loading default policy appears. Click OK to continue.

4 When the message Agent configuration is unavailable. Loading a default agent. appears, click OK.

5 When the McAfee DLP Endpoint policy console First Time Initialization wizard appears, complete the following steps:


Option Description

1 of 8 Click Next.

2 of 8 By default, the file system discovery crawler places sensitive files in quarantine. Though we do not recommend it, you can delete these files instead by selecting the Support discovery delete option.

This option is not available until you update to the full McAfee Data Loss Prevention Endpoint software installation.

For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy. For most installations, we recommend leaving these checkboxes unselected.

In very large organizations where the rollout of McAfee DLP Endpoint 9.2 is staged over time, earlier versions of the plug-in need to coexist. Select the appropriate Backward compatibility mode:

• No compatibility (all endpoints are version 9.2)

• McAfee DLP Endpoint Agent 9.1 and later

• McAfee DLP Endpoint Agent 9.0 and later

• McAfee DLP Endpoint Agent 3.0 and later

The compatibility option McAfee DLP Endpoint Agent 3.0.5 or current version refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose DLP Agent 3.0 compatibility for all version 3 endpoints.

DLP Agent 2.2 Patch 4 is no longer supported.

Select your directory access protocol: Microsoft Active Directory or OpenLDAP. When using Microsoft AD in very large organizations where search times could be excessive, select Restrict AD searches to default domain.

If you are not using WCF: Deselect Deploy policy to reporting database. This prevents rule names deploying to the McAfee DLP tables in the McAfee ePO database. If you are using WCF and deselect this option, the McAfee DLP Monitor displays rule GUIDs, not rule names.

Configure the McAfee DLP Endpoint policy console WCF service path. For the standard installation, accept the default. Click Test Connection to verify. To change the sign in credentials, click Update DB Credentials. The WCF Database Connection Settings dialog box opens for editing.

When you have completed all changes, click Next.

3 of 8 This step is not available when installing McAfee Device Control. Type user names, or click Add to search for user names (optional). Click Next.

We recommend creating a role-based group such as DLP Manual Tagging Users, and using the group when configuring Access Control.

4 of 8 Type a password and confirmation (required). McAfee DLP Endpoint software version 9.2 requires strong passwords, that is, at least 8 characters with at least one each of uppercase, lower case, digit, and special character (symbol). If you are upgrading, this is not implemented until you change a password.


If you don't want endpoint key generation events reported to the database, deselect the checkbox. If you want to use short challenge/response (8 digits instead of 16), select the checkbox.

See the McAfee Data Loss Prevention Endpoint Product Guide for more information on Agent bypass.

Click Next.

5 of 8 Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.

6 of 8 Modify the default notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.

7 of 8 Browse to the evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Release notes: New Features for more information on this option. Click Next.

8 of 8 Click Finish.

6 The Initialization Wizard dialog box appears with the message, Apply initial configuration?

• If you have not skipped any required steps, you can click Yes and apply the initial policy.

• If you have skipped required steps, click No to complete the initialization.

A password and the evidence storage share are required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.

7 Click Finish.

Upgrade the license

McAfee DLP Endpoint software comes in two versions, McAfee Device Control and full McAfee Data Loss Prevention Endpoint, with two licensing options for each, 90-day trial and unlimited. The default installation is McAfee Device Control with a 90-day trial license.

Before you begin

Before starting this task, purchase your upgrade license and get an activation key from your McAfee sales representative.

Task

1 On the McAfee DLP Endpoint policy console menu bar, select Help | Update License.

The View and Update License window displays the current (default) activation key and expiration date.

2 Click Update.

3 Type or paste the Activation Key in the text box and click Apply.

A warning that you must log on again for the change to take effect appears.


4 Click OK to close the message box, and click Close to close the Update License window, then log off ePolicy Orchestrator.

5 Log on to ePolicy Orchestrator to complete the upgrade.

6 From the Agent Configuration menu, select Edit Global Agent Configuration.

7 Go to the File Tracking tab and select Device Control and full content protection.

8 Go to the Miscellaneous tab. Only the Agent Popup service, Device Blocking, and Reporting Service modules are selected. Select the remaining modules you require to enable them and click OK.

Do not enable modules you don't use. They increase the McAfee DLP Endpoint agent size and slow its operation unnecessarily.

9 On the Toolbar, click Apply.

The policy changes are applied to ePolicy Orchestrator.

10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.

Initialize the McAfee DLP Monitor

The McAfee Data Loss Prevention Monitor must be initialized before it can be used. This consists of verifying the connection to the McAfee DLP WCF service and setting the options.

Task

1 In McAfee ePolicy Orchestrator, select Menu | Data Protection | DLP Monitor.

The first time you select DLP Monitor, a warning window requests the WCF server path.


2 Click OK.

3 For a standard installation, accept the default. For a backward-compatible installation, type the WCF service address in the dialog box, then click OK.

Figure 3-1 Initializing the McAfee DLP Monitor

Check in the McAfee DLP Endpoint package to ePolicy Orchestrator

Any enterprise computer with data protected by McAfee software must have the McAfee Agent installed, making it a managed computer. To add data loss protection, you must also deploy the McAfee DLP Endpoint plug-in for McAfee Agent. The installation can be performed using the ePolicy Orchestrator infrastructure.

Task

1 On the McAfee ePolicy Orchestrator console, select Menu | Software | Master Repository.

2 In the Master Repository, select Actions | Check In Package.

3 Select package type Product or Update (.ZIP), browse to ..\HDLP_Agent_9_2_0_xxx.zip, then click Next. The Check in Package page appears.

If you are upgrading, you are prompted that the product already exists. Click OK. The new package replaces the old one.

4 Review the details on the screen, then click Save.

The package is added to the master repository.


Deploying McAfee DLP Endpoint

The final stage of McAfee DLP Endpoint software installation is to define a policy, deploy McAfee DLP Endpoint agents to the managed computers, and verify the installation.

Tasks

• Define a default rule on page 30. To verify that the McAfee DLP Endpoint software has been deployed properly, we recommend defining a default rule before deploying to the managed computers.

• Deploy McAfee DLP Endpoint with ePolicy Orchestrator on page 31. Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by ePolicy Orchestrator.

• Verify the installation on page 32. After installing McAfee DLP Endpoint software, you should verify the installation in the McAfee DLP Monitor.

• Uninstalling McAfee DLP Endpoint on page 32. McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal. There are two methods of authorized removal.

Define a default rule

To verify that the McAfee DLP Endpoint software has been deployed properly, we recommend defining a default rule before deploying to the managed computers.

The rule described is an example of a simple rule that can be used to test the system.

Task

1 Create a classification rule:

a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Classification Rules.

b Right-click in the Classification Rules window and select Add New | Content Classification Rule. Rename the rule "Email Classification Rule".

c Double-click the rule icon to modify the rule.

d In step 1 of the rule creation wizard, select either of the options (ANY or ALL) then scroll down the text patterns list and select Email Address. Click Next three times, skipping to step 4.

e In step 4 of the rule creation wizard, click Add New to create a new category. Name it Email Category, click OK to accept the new category, then click Finish.

f Right-click the rule icon and select Enable.

2 Create a protection rule:

a In the McAfee DLP Endpoint policy console navigation pane under Content Protection, select Protection Rules.

b Right-click in the Protection Rules window and select Add New | Removable Storage Protection Rule.

c Double-click the rule icon to modify the rule.

d Click through to step 2 of the rule creation wizard and add the Email Category created when creating the classification rule in the Included column.


e Click through to step 7 of the rule creation wizard. Select Monitor, then click Finish.

f Right-click the rule icon and select Enable.

3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no errors.

If you receive errors, they probably come from improper initialization, such as not specifying an evidence folder or override password. You can re-run the initialization from the Tools menu to correct this.

4 On the Toolbar, click Apply. The policy is applied to McAfee ePolicy Orchestrator.

Deploy McAfee DLP Endpoint with ePolicy Orchestrator

Before policies can be applied, McAfee DLP Endpoint must be deployed to the endpoint computers by ePolicy Orchestrator.

Before you begin

McAfee Agent 4.6 or later must be installed in ePolicy Orchestrator and deployed to the target computers before McAfee DLP Endpoint is deployed. Consult the McAfee ePolicy Orchestrator documentation on how to verify this, and how to install it if necessary.

Task

1 In ePolicy Orchestrator select Menu | System Tree.

2 In the System Tree, select the level at which to deploy McAfee DLP Endpoint.

Leaving the level at My Organization deploys to all workstations managed by McAfee ePolicy Orchestrator.

If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy McAfee DLP Endpoint to individual workstations.

3 Click the Assigned Client Tasks tab. Under Actions, select New Client Task Assignment.

The Client Task Builder wizard opens.

4 In the Product field select McAfee Agent. In the Task Type field select Product Deployment. Click Create New Task.

5 In the Name field, type a suitable name, for example, Install DLP Endpoint. Typing a description is optional.

6 In the Products and Components field, select Data Loss Prevention 9.2.0.x. The Action field automatically resets to Install.

7 Click Save.

8 Change the Schedule type to Run immediately. Click Next.

9 Review the task summary. When you are satisfied that it is correct, click Save. The task is scheduled for the next time the McAfee Agent updates the policy. To force the installation to take place immediately, issue an agent wake-up call.

10 After McAfee DLP Endpoint has been deployed, restart the managed computers.


Verify the installation

After installing McAfee DLP Endpoint software, you should verify the installation in the McAfee DLP Monitor.

Task

1 Select Menu | Data Protection | DLP Monitor.

The McAfee DLP Monitor opens with a list of events, which should include Agent Installation Events.

2 Verify the McAfee DLP Endpoint installation and apply the policy enforcement by using the cmdagent.exe /s command. See the McAfee ePolicy Orchestrator McAfee Agent documentation for more information.

Uninstalling McAfee DLP Endpoint

McAfee Data Loss Prevention Endpoint software is protected from unauthorized removal. There are two methods of authorized removal.

• Network uninstall from ePolicy Orchestrator, performed by the McAfee ePO administrator.

• Local uninstall using Windows Add or Remove Programs. This method requires a challenge-response key obtained from the McAfee DLP Administrator.

This task describes the local uninstall option.

Task

1 In the McAfee DLP Endpoint policy console select Tools | Generate Agent Uninstall Key.

This step can also be performed with the McAfee DLP Help Desk tool, using the Generate Uninstall Key tab.

2 Fill in the user information in Step 1.

3 Type in the uninstall challenge code. (Step 2)

4 Type the agent override key password or select Use password from current policy. (Step 3)

5 Click Generate Key to create the uninstall key for the user.

This Release Code is sent to the user to enter into the request bypass dialog box.


A Deploying McAfee Data Loss Prevention Endpoint software with SMS

Microsoft Systems Management Server (SMS) packages can be used for deployment of McAfee DLP Endpoint software in cases where deployment with ePolicy Orchestrator is either unfeasible or not desired.

Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying and managing applications and operating systems on Windows desktops and servers. The following tasks assume working in the Microsoft SMS 2003 environment.

Contents

• Create an installation package
• Create the advertisement
• Create the SMS uninstall package
• Create an SMS uninstall package to run from a command line

Create an installation package

Create a package for installing McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.

Task

1 In the Systems Management Server console, right-click Packages and select New | Package.

2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 On the Data Source tab, select This Package Contains Source Files, then click Set.

4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.

5 On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.

The package appears under the Packages node of the site tree.

6 Expand the new package under the Packages node.

7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.

8 Right-click Programs and select New | Program. Type the application name.


9 In the Command Line text box, type the McAfee DLP command line executable, for example:

msiexec /I DLPAgentInstaller.msi /qn /forcerestart

The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.

We recommend restarting the managed computer after McAfee DLP Endpoint package installation. To enable this option use the /forcerestart parameter. To enable the installation log use /log <LogFile>.

10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down list. Click OK.

Verify that Run with Administrative Rights is selected. McAfee Data Loss Prevention Endpoint software setup requires administrator rights to complete installation successfully.

Create the advertisement

SMS packages need to be "advertised." This creates the SMS package advertisement.

Task

1 In the Systems Management Server console, right-click Advertisements and select New | Advertisement. Type the advertisement name.

2 From the Package drop-down list, select the McAfee DLP package name.

3 From the Program drop-down list, select the McAfee DLP application name.

4 Click Browse and select the collection that the McAfee DLP installation package should apply to, then click OK.

5 On the Schedule tab, confirm the time that the advertisement is offered, specify if the advertisement should expire, and when. Click OK.

Create the SMS uninstall package

Create a package for uninstalling McAfee Data Loss Prevention Endpoint software with Microsoft Systems Management Server. This procedure does not require ePolicy Orchestrator.

Task

1 In the Systems Management Server console, right-click Packages and select New | Package.

2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 On the Data Source tab, select This Package Contains Source Files, then click Set.

4 In the Set Source Directory window under Source Directory Location, select the type of connection to the set-up files in the source directory. Type the source directory path in the text box and click OK.


5 On the Distribution Settings tab, select High from the Sending Priority drop-down list, and click OK.

The package appears under the Packages node of the site tree.

6 Expand the new package under the Packages node.

7 Right-click Distribution Points and select New | Distribution Point. Select the server or servers you want to be the distribution points for this package, then click Finish.

8 Right-click Programs and select New | Program. Type the program name.

9 In the Command Line text box, type the DLP command line executable, for example:

msiexec /x DLPAgentInstaller.msi /qn /forcerestart

The .msi file name is extracted manually from the DLPAgentInstaller.x86.exe file.

10 On the Environment tab, select Whether or not a user is logged on from the Program can run drop-down list. Click OK.

Create an SMS uninstall package to run from a command line

Create a package for uninstalling McAfee Data Loss Prevention Endpoint software that runs from a command line.

Task

1 In the Systems Management Server console, right-click Packages and select New | Package.

2 On the General tab, type the Package Name (required), and the Version, Publisher and Language (optional).

3 On the Data Source tab, deselect This Package Contains Source Files, then click Set.

4 Locate the UninstallString for McAfee DLP Agent.

a In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

b Click through the entries to find DisplayName: McAfee DLP Agent.

c Copy the uninstall string, for example:

MsiExec.exe /X{287AAE25-B0F4-4E9E-A7FD-8EA81FF635E1}

5 To uninstall, use the command line:

<uninstall string> /qn /forcerestart
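An added PowerShell example, not from this guide, that automates steps 4 and 5: it searches the Uninstall key (and its WOW6432Node counterpart, since a 32-bit agent on 64-bit Windows registers there) for the entry whose DisplayName is McAfee DLP Agent, reads its UninstallString, and composes the silent uninstall command line. The product code shown in the guide belongs to one particular installation, so the script reads it from the registry rather than hard-coding it, and it only prints the command unless -Execute is supplied. The parameter names are assumptions.

```powershell
# Added example, not from the McAfee guide: find the McAfee DLP Agent entry under
# the Uninstall registry keys by DisplayName (steps 4a-4c) and build the silent
# uninstall command line of step 5. The product code differs per installation,
# so it is read from the registry instead of being hard-coded.
param(
    [string]$DisplayName = 'McAfee DLP Agent',
    [switch]$Execute
)

function Get-UninstallEntry {
    param([string]$Name)
    # A 32-bit agent on 64-bit Windows registers under WOW6432Node, so both
    # Uninstall hives are searched.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.DisplayName -eq $Name -and $props.UninstallString) {
                return [pscustomobject]@{
                    KeyName         = $key.PSChildName
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    UninstallString = $props.UninstallString
                }
            }
        }
    }
    return $null
}

function ConvertTo-SilentUninstall {
    param([string]$UninstallString)
    # MSI entries look like "MsiExec.exe /X{PRODUCT-CODE}". Some products register
    # "/I{...}" instead, which would open the maintenance dialog, so that form is
    # rewritten to /X; then the guide's /qn and /forcerestart switches are appended.
    $cmd = $UninstallString -replace '(?i)^(.*?msiexec\.exe)\s*/I\{', '$1 /X{'
    return "$cmd /qn /forcerestart"
}

$entry = Get-UninstallEntry -Name $DisplayName
if (-not $entry) {
    Write-Warning "No Uninstall entry with DisplayName '$DisplayName' was found."
    exit 1
}
$cmdLine = ConvertTo-SilentUninstall -UninstallString $entry.UninstallString
Write-Output ("Found {0} {1} under key {2}" -f $entry.DisplayName, $entry.DisplayVersion, $entry.KeyName)
Write-Output "Uninstall command line: $cmdLine"

if ($Execute) {
    # Hand only the switches to msiexec, so the executable path in the registry
    # string (which may contain spaces) does not need extra quoting.
    $switches = $cmdLine -replace '(?i)^.*?msiexec\.exe\s*', ''
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $switches -Wait -PassThru
    Write-Output "msiexec exit code: $($proc.ExitCode)"
}
```

Without -Execute the output is the exact string to paste into the SMS program's Command Line field, so the product code never has to be copied by hand from the registry editor.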


B Users and permission sets

We recommend creating specific administrator roles and permissions in ePolicy Orchestrator for McAfee DLP Endpoint policy console and McAfee DLP Monitor. These roles include creating and saving policies, viewing (but not changing) policies, generating override, uninstall, and quarantine release keys, viewing the McAfee DLP Monitor, and revealing sensitive fields in the monitor.

Sensitive data redaction and the McAfee DLP Monitor permission sets

To meet the legal demand in some markets to protect confidential information in all circumstances, McAfee DLP Endpoint software offers a data redaction feature. Fields in the McAfee DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. The feature is designed with a "double key" release. This means that to use the feature, you must create two permission sets: one to view the monitor and another to view the encrypted fields. Both roles are required to use the feature.

Contents

Create and define McAfee DLP administrators
Create and define permission sets
DLP permission set options

Create and define McAfee DLP administrators

Creates and defines a McAfee DLP administrator in McAfee ePolicy Orchestrator. Administrative users can be created either before or after the permission sets assigned to them.

Task

For option definitions, click ? in the interface.

1 In McAfee ePolicy Orchestrator, select Menu | User Management | Users.

2 Click New User.

3 Type a user name and specify logon status, authentication type, and permission sets.

We recommend creating user groups related to the role, for example DLP Quarantine Administrator.

The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.

4 Click Save.


Create and define permission sets

Creates and defines a DLP administrator permission set in McAfee ePolicy Orchestrator. Permission sets are useful for defining different administrative roles in McAfee DLP Endpoint software.

Task

For option definitions, click ? in the interface.

1 In McAfee ePolicy Orchestrator, select Menu | User Management | Permission Sets.

2 Click New Permission Set.

3 Type a name for the set and select users.

The order of creating users and permission sets is not critical. If you create users first, user names appear in the permission set form and you can attach them to the set. If you create permission sets first, the permission set names appear in the user form and you can attach the user to them.

4 Click Save.

5 In the Data Loss Prevention field for the new permission set, click Edit.

6 Select the required permissions and click Save.

Figure B-1 Editing a permission set for McAfee DLP Endpoint

To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.

DLP permission set options

Permission set options are designed to give granular control over administrator roles.

While the division of roles is generally optional, if you are using the sensitive data redaction feature, you must create separate permission sets for the monitor viewer and the administrator who can reveal the encrypted data.

Table B-1 Option definitions

Option                                                     Definition
User cannot view policies.                                 User is not a policy administrator.
User can only generate Agent Override, Agent Uninstall,    User administrator role is limited to override, uninstall,
and Agent Quarantine Release keys.                         and release keys.
User can only view policies.                               User can review but not edit policies.
User can view and save policies.                           User has full policy administrator permissions.
User cannot view DLP Monitor.                              User is not a monitor administrator.
User can view DLP Monitor.                                 User has full policy administrator permissions. Use this
                                                           option if you are not using the sensitive data redaction
                                                           feature.


C Installing a version upgrade

Upgrade installation is similar to first-time installation, but several points must be considered.

Contents

Upgrading issues
Phased upgrade
Upgrade McAfee DLP Endpoint software
Restore the policy after upgrade

Upgrading issues

Upgrading the software has consequences in ePolicy Orchestrator and in the McAfee DLP Endpoint software setup. You must also upgrade the McAfee DLP WCF service.

Event parser

After upgrading the McAfee DLP Endpoint software suite in ePolicy Orchestrator, you must restart the McAfee Event Parser using Administrative Tools | Services.

Figure C-1 Restarting the event parser


McAfee DLP WCF upgrade

The defaults for Database Server and Database Name may not be correct. In particular, ePO4Server might not be the name of the SQL database instance. If necessary, use the SQL Server Configuration Manager to determine the database name.

You must upgrade the McAfee DLP Windows Communication Foundation service to the latest version. Failure to do so produces an error message when trying to save the global policy to the reporting database or updating database credentials.

Backward compatibility

McAfee DLP Endpoint software version 9.2 contains several changes that make policies incompatible with earlier versions of the McAfee DLP Endpoint agent. In large enterprises, upgrading McAfee DLP Endpoint on all workstation nodes can take several weeks or even months.

The McAfee DLP Endpoint policy console version 9.2 initialization has a backward compatibility option that, when selected, allows communication with both old and new agents. Backward compatibility can be set to "no compatibility" (McAfee DLP Endpoint 9.2 only), Host DLP Agent 9.1 and later, Host DLP Agent 9.0 and later, or Host DLP Agent 3.0 or later.

The compatibility option "Host DLP Agent 3.0.5 or current version" refers to a specific hotfix. Unless you specifically know that you are using this hotfix, choose Host DLP Agent 3.0 compatibility for all version 3 agents.

Host DLP Agent 2.2 Patch 4 is no longer supported.

Unsupported items

If the policy contains any of the following when backward compatibility mode is selected, the policy fails to be applied to McAfee ePolicy Orchestrator. These unsupported items are cumulative, that is, the McAfee Data Loss Prevention Endpoint 9.1 and above section lists Version 9.2 features not supported in Version 9.1. For compatibility with Version 3.0 endpoints, all three sections apply.


Table C-1 Items unsupported in backward-compatible mode

McAfee Data Loss Prevention Endpoint 9.1 and above backward compatibility mode:

• An application file access, email, file system, removable storage, or web post protection rule contains a document property definition containing a File Name property.

• An application file access protection rule contains a Store Evidence action.

• A discovery or protection rule contains a Content Category or Tag Group.

• An application file access protection rule contains a file type definition.

• A policy contains an email storage discovery rule.

• A clipboard rule restricts pasting into all applications.

McAfee Data Loss Prevention Endpoint 9.0 and above backward compatibility mode:

• An application definition uses the executable file hash.

• A classification or tagging rule uses the AND operator for dictionaries or text patterns.

• A discovery rule has the Tag action selected.

• An email protection rule contains a subject text pattern (bypass keyword).

• A file system or removable storage protection rule has an attachment type (encryption type) selected.

• A file system, PDF / IMAGEWRITER, printer, or removable storage rule has the Request justification action selected.

• A protection rule or discovery rule has Microsoft Rights Management or unsupported attachment type selected.

• A tagging rule contains a dictionary.

• A tagging rule contains header / footer definitions.

McAfee Data Loss Prevention Endpoint 3.0 and above backward compatibility mode:

• An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.

• A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.

• An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.

• A discovery rule contains an Apply RM Policy action.

• Removable storage file access rules are enabled.

• Hit-highlighting is selected on the Evidence tab in the Agent Configuration.

Queries and computer assignments

Queries and Dashboards are saved when you upgrade McAfee DLP Endpoint software, as long as you use the recommended procedure. If you remove the existing Data Loss Prevention extension before installing the new one, all queries and Dashboards are lost.

To customize a sample query, we recommend using the Duplicate option, to rename the query before changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a public query exists with the same name, remove or rename the public query first.

ePolicy Orchestrator requires all query names to be unique. The first time you install McAfee DLP Endpoint software in ePolicy Orchestrator, the sample queries are installed as Public Queries. To view this, select Reporting | Queries, and scroll down the queries on the left side of the screen. When you upgrade McAfee DLP Endpoint, ePolicy Orchestrator notices that the names of the sample queries are already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it must be a public query.

Phased upgrade

Successful upgrading to McAfee Data Loss Prevention Endpoint software version 9.2 from an earlier version requires following a phased procedure that takes into account many variables. It also has certain prerequisites that must be met.

Before you begin

Before beginning an upgrade, you must do the following:

• Verify that all computers are ready for the upgrade. You can check the client version of computers in the network on the DLP: Status Summary dashboard in McAfee ePolicy Orchestrator. Look on the DLP: Agent version report to make sure that all product versions are McAfee DLP 3.0 Patch 1 or later.

Upgrade all agents to McAfee Data Loss Prevention 3.0 Patch 1 or later. Earlier agent versions are not supported.

• Back up the current DLP policy. Saving the policy to disk allows you to convert the policy to the new format for reuse. You can back up the policy from the McAfee DLP Endpoint policy console. The Save As option on the File menu saves the policy in .opg format.

• Save the agent configuration and computer assignment groups. You can save the agent configuration and computer assignment groups from the McAfee ePolicy Orchestrator System | Policy Catalog page. Select the product (Data Loss Prevention x.x.0.0) and the category (Computers Assignment Group or Agent Configuration) from the drop-down lists, and Edit the selection. From the Edit page, you can select Save to File and specify a destination for the backup file.

Figure C-2 Saving the agent configuration

• Install .NET framework on the server hosting the Windows Communication Foundation (DLP-WCF) service. Verify the .NET version installed in C:\Windows\Microsoft.NET\Framework. If necessary, install Microsoft .NET 3.5 Patch 1.


Upgrade McAfee DLP Endpoint software

Upgrading an earlier version of McAfee DLP Endpoint software to version 9.2 in ePolicy Orchestrator is similar to a clean install.

Before you begin

• Uninstall the McAfee DLP Endpoint Management Tools from the Windows Control Panel.

• Uninstall the McAfee DLP WCF service.

• Update the McAfee DLP WCF service. The version of this service you use must match the software extension version.

• When downloading the files from the McAfee download site for McAfee DLP Endpoint software, follow the link to the download page for ePolicy Orchestrator Help, and download the latest Help .zip file.

• Log out of ePolicy Orchestrator and close the browser window. (Step 1 cannot be completed without doing this.)

If you want to be able to view previous events in the McAfee DLP Monitor, do not remove the existing McAfee DLP Endpoint extension in ePolicy Orchestrator. Removing the extension removes all events from the DLP Database.

Task

1 In ePolicy Orchestrator, select Software | Extensions. Click Install Extension, then click Browse and select the McAfee DLP Endpoint policy manager .zip file (..\HDLP_Extension_9_2_0_xxx.zip). Click Open, then click OK twice.

If you are installing without removing the previous extension, you see a warning that the new extension will replace the existing one. Click OK.

The extension is installed, and appears in the extension list.

2 Install Extension again, Browse and select the Help .zip file (..\help_dlp_920.zip). Click Open, then click OK. The installation dialog box warns you that you will replace the existing Help system. Click OK.

This file contains the McAfee DLP Endpoint extension to the ePolicy Orchestrator Help system.

Log out of ePolicy Orchestrator, then log back in. New features not supported by the previously installed version might not work if you do not do this.

Restore the policy after upgrade

After upgrading the McAfee DLP Endpoint software, you must restore the DLP policy, computer assignment groups, and agent configurations from your previous installation.

Install and initialize the McAfee DLP Endpoint policy console. See the sections Upgrade McAfee Data Loss Prevention Endpoint software and Initialize the McAfee DLP Endpoint Policy console in this manual. When you have completed the basic installation, continue with this task:


Task

1 Restore the policy

a Open the McAfee DLP Endpoint policy console, select File | Open, and browse to the location where you saved the backup of the previous DLP policy.

b When prompted, click Convert to convert it.

c On the Verify WCF Service Path screen, click Test Connection to verify that WCF is correctly configured.

d Select Tools | Options and verify in the Backward compatibility mode section that the required version is selected.

e Click Apply to save the policy to McAfee ePolicy Orchestrator.

2 Restore the computer assignment groups

a In ePolicy Orchestrator select Policy | Policy Catalog. Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.

b Select Computers Assignment Group from the Category drop-down list.

c Type a name and create a computers assignment group.

d Click Load from file and browse to the computers assignment group backup file.

Figure C-3 Restoring the computers assignment group settings

3 Restore the agent configurations

a In ePolicy Orchestrator select System | Policy Catalog. Select Data Loss Prevention 9.2.0.0 policies from the Product drop-down list.

b Select Agent Configuration from the Category drop-down list.

c Type a name and create an agent configuration.

d Click Load from file and browse to the agent configuration backup file.


Index

A

about this guide 5

administrators, defining 37

B

backward compatibility 11, 25, 41

C

cluster environment, preparing 24

cluster installation, testing 24

clusters, using DLP software in a cluster environment 24

command line uninstall 35

components, Data Loss Prevention (diagram) 8

computer assignments, when upgrading 41

configuration, server 15

conventions and icons used in this guide 5

D

default rule, defining 30

Device Control, feature comparison 9

DLP administrators, defining 37

DLP endpoint, checking in to ePolicy Orchestrator 29

DLP Endpoint, deploying 31

deploying with SMS 33

deployment verification 32

uninstall with SMS 34

uninstalling 32

DLP Help extension, installing 23

DLP Monitor, initializing 28

DLP Policy console, installing 23

documentation

audience for this guide 5

product-specific, finding 6

typographical conventions and icons 5

E

ePolicy Orchestrator, installing 15

event parser, when upgrading 41

evidence folder 20

evidence folder, configuring on Windows Server 2003 21

evidence folder, configuring on Windows Server 2008 22

F

feature comparison 9

H

hardware requirements 13

L

license, Device Control and DLP 27

M

McAfee ServicePortal, accessing 6

Microsoft SQL, adding a user 18

Microsoft SQL, installing 19

monitor, initializing 28

P

permission set options 38

permission sets, defining 38

phased upgrade 44

policy, initializing 25

policy, restoring after upgrade 45

Q

queries, when upgrading 41

R

redaction 19, 37

roles and permissions 20

S

server configuration 15

server software requirements 13

ServicePortal, finding product documentation 6

SMS advertisements 34

SMS installation package, creating 33

SMS uninstall package, command line 35

SMS uninstall package, creating 34


supported operating systems 13

system requirements 13

T

Technical Support, finding product information 6

U

uninstalling DLP Endpoint 32

upgrade (task description) 45

upgrade, phased 44

upgrade, unsupported items 41

V

verifying the installation 32

W

WCF, installation options 16

WCF, installing 19

WCF, troubleshooting 20

WCF, when upgrading 41

whitelist folder 20

whitelist folder, configuring on Windows Server 2003 21

whitelist folder, configuring on Windows Server 2008 22
