DriveLock Control Center User Guide

Author: Lorraine Willis

© 2013 CenterTools Software GmbH

Manual DriveLock by CenterTools Software GmbH

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. CenterTools and DriveLock and others are either registered trademarks or trademarks of CenterTools GmbH or its subsidiaries in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

July 2013


Table of Contents

Part I Document Conventions

Part II Using the DriveLock Control Center
1 Navigating the DriveLock Control Center
    Customizing the DriveLock Control Center
    Using Keyboard Commands and Shortcuts
2 Using the Home View
3 Working with Anonymized Data

Part III Event Reports
1 Viewing Reports
    Customizing Report Columns
    Sorting Report Data
    Grouping Report Data
    Changing the Report Time Range
    Filtering Report Data
    Dynamic Filtering
    Updating Report Data
2 Printing and Exporting Report Data
    Formatting Pages and Using Print Preview
        Page Setup
        Navigation
        Adjusting the Print Preview
        Formatting the Page Background
    Printing a Report
    Exporting Report Data
3 Saving and Publishing Reports
    Saving a Report
    Publishing a Report
    Using Saved Reports
4 Managing and Planning Reports
    Using Labels
    Configuring Report Permissions
    Configuring Automatic Report Generation

Part IV Statistical Reports
1 Creation of Statistical Reports
    Selection of a time period for the data range
    Selection of fields
    Using the control elements
    Selection of totals fields
    Adaption of the graphics
2 Printing and Exporting Statistical Reports
3 Reusing Statistical Reports
4 Automated Statistical Reports

Part V Performing Forensic Analysis
1 Starting a Forensic Analysis
2 Printing and Exporting Forensics Reports
3 Managing Permissions for Forensics Reports

Part VI Inventory and Asset Management
1 Prerequisites
2 Using Inventory Data
    Viewing Inventory Data
    Adding Warranty and Maintenance Information

Part VII Performing Helpdesk Tasks
1 Viewing Computer Information
    Using Predefined Filters
    Deleting Computers
2 Performing Remote Control Tasks
    Connecting to a Computer
    Managing Computers
    Recovering encrypted drives and folders
    Install Agent

Part VIII Configuring the DriveLock Control Center
1 Configuring a Server Connection
2 Configuring Global DCC Settings
    Configuring the User Interface Language
    Configuring the Paper Size for Reports
    Configuring Event Transfer Settings
    Configuring Agent Communications
3 Configuring User Permissions
4 Selecting a Tenant

Part I Document Conventions

1 Document Conventions

Throughout this document the following conventions and symbols are used to emphasize important points that you should read carefully, or menus, items or buttons you need to click or select.

Caution: This format means that you should be careful to avoid unwanted results, such as potential damage to operating system functionality or loss of data.

Hint: Useful additional information that might help you save time.

- Italics represent fields, menu commands, and cross-references.
- Bold type represents a button that you need to click.
- A fixed-width typeface represents messages or commands typed at a command prompt.
- A plus sign between two keyboard keys means that you must press those keys at the same time. For example, ALT+R means that you must hold down the ALT key while you press R.
- A comma between two or more keys means that you must press them consecutively. For example, ‘ALT, R, U’ means that you must first press the Alt key, then the R key, and finally the U key.

DriveLock Control Center User Guide

7.3

© 2013 CenterTools Software GmbH

Part II Using the DriveLock Control Center

2 Using the DriveLock Control Center

You can use the DriveLock Control Center (DCC) to view the health status of computers in your network, create reports and investigate incidents. The DCC communicates directly with the DriveLock Enterprise Service, which retrieves information reported by DriveLock Agents from the database server where it stores this data. You can install and run the DCC on the server where the DriveLock Enterprise Service is running or on one or more administrative workstations.

2.1 Navigating the DriveLock Control Center

This section contains information about how to get started using the DriveLock Control Center (DCC). It also describes how to accomplish common tasks in the DCC and how to navigate its user interface. The DCC contains three main tabs, Start, Settings and Options. The Start tab is where you perform all common tasks, including monitoring, reporting, forensics and helpdesk tasks. On the Options tab you configure various settings for the overall operations of the DCC, including permissions, language and others. When you open the DCC, the Start tab is displayed.

Below the Start tab, one or more ribbons are displayed that let you perform the functions that are available in the current view. Ribbons are divided into sections, each of which contains buttons for performing actions that are related to tasks. The DCC only displays the ribbons that apply to the current view.


The Views ribbon, which is always displayed, lets you switch between DCC areas that correspond to common administration tasks:

- Home: View the overall health of your DriveLock environment, including operational statistics and DriveLock Agent status.
- Helpdesk: View information about the status of DriveLock Agents, licensing status and encryption recovery.
- Forensics: Perform in-depth analysis of DriveLock events to investigate security issues. For example, you can search for all flash drives that a user plugged into a computer and then investigate which other computers these flash drives were used on.
- Reports: Create reports about various types of activity that is monitored by DriveLock. You can also print reports, export report data and save report definitions for future use. You can also configure reports to be automatically created and distributed via e-mail.
- Inventory: View a summary of the devices that are connected to computers and software that is installed on computers.

In addition, the Start tab includes important information about your environment and statistics about DriveLock operations. Each of the views will be explained in more detail in this manual. When you open a new view, for example when you create a report, it is displayed in a new page below the ribbon bar.

To move to one of the tabs, click the tab. To close a tab, first select the tab and then click the button at the top right corner of the tab. To view information about the DCC version, click the button at the top left of the window and then click About.

2.1.1 Customizing the DriveLock Control Center

You can customize the user interface of the DCC to adjust to the way you work and to provide easy access to commonly used commands. As you use the DCC you may find that you frequently use certain commands. To quickly gain access to these commands, you can add them to the Quick Access Toolbar. To add a command to this toolbar, right-click the command button on a ribbon and then click Add to Quick Access Toolbar. These commands are shown in the Quick Access Toolbar, which is displayed at the top of the DCC window by default.

Clicking a button on the Quick Access Toolbar performs the same task as clicking the corresponding button on a ribbon. To remove a command from the Quick Access Toolbar, right-click the command button and then click Remove from Quick Access Toolbar. By default the Quick Access Toolbar is displayed above the ribbon; to display it below the ribbon instead, click the button and then click Show Quick Access Toolbar Below the Ribbon. To move the Quick Access Toolbar to the top of the screen again, click Show Quick Access Toolbar Above the Ribbon. You can temporarily minimize the ribbon to allocate more space to the contents of the current tab. To minimize the ribbon, right-click a tab or a ribbon name, such as Views and then click Minimize the Ribbon. To temporarily view minimized ribbons, click the current tab, such as Start or Options. Once you click a command on the ribbon, it is minimized again. To stop minimizing the ribbon, right-click a tab or a ribbon name, and then click Minimize the Ribbon.

2.1.2 Using Keyboard Commands and Shortcuts

You can use keyboard commands to access many functions on the ribbon.

When you press the ALT key on your keyboard, the DriveLock Control Center displays the keyboard shortcut for each command on the ribbon next to the command. For example, you can press ALT-O to access the Options tab. You can quickly close an open view, such as a report, by clicking the view with the middle mouse button. To display the Find panel in a regular report or a forensic report, press CTRL-S.

2.2 Using the Home View

The DCC Home view displays overview information that corresponds to various DriveLock functional areas. Several of these areas contain subcategories. To view relevant information, on the left side of the screen, first click the functional area and then click the subcategory. For example, to view statistics about blocked drives, first click Device Control, and then click Drive.

The Home view can display information about the following functional areas:

- Overview: View information about licensing, the status of DriveLock Agents and general statistics about computers, event messages, inventory collection, licenses and users in your environment. This area also contains several subcategories that can give you an overview of current issues that may need your attention, such as outdated virus definitions, incompletely encrypted disks and other potential problems.
- Antivirus: View information about the status of antivirus signature distribution, infections, quarantined files and statistics about virus activity over time.
- Device control: View information about which drives, devices and files have been most often and most recently blocked.
- Application control: View information about which applications have been most often and most recently blocked.
- Encryption: View information about the status of Full Disk Encryption on computers in your environment, information about drives and containers that are encrypted using mobile media encryption (Encryption 2Go) and information about encrypted files and folders (File Protection).


On many graphs and tables on the Home view you can click an item, such as a drive or device, to open a new forensic view where you can further research information associated with this item.

2.3 Working with Anonymized Data

In some jurisdictions, such as Germany, the use and storage of personally identifiable data is tightly regulated. Regulations and legal requirements may also apply to such data when it could be used for surveillance of user activities. To enable organizations to comply with privacy laws, the DriveLock Control Center includes functionality that can prevent an administrator or company management from using event data to track the activities of specific users. The DriveLock Control Center uses permissions to control who can view and create reports and forensic analyses. In addition, the DriveLock Agent can anonymize user and computer names in event data that it sends to the DriveLock Enterprise Service. This is done by encrypting these fields in events. The DriveLock Control Center displays anonymized data in the user and computer name columns as “Encrypted”.


When using anonymous event reporting, administrators can use event data without any restrictions, but they cannot connect specific events with a user or a user’s computer. Authorized personnel who need to audit anonymized event data can use a wizard to temporarily suspend event data anonymization.

To start the wizard, click the Decrypt personal data button on the ribbon.


Click Next to continue.

You need to provide all certificates that were specified in the DriveLock policy to be used for anonymous data encryption. The order in which you add the certificates does not matter. The wizard can read the certificates and their associated private keys from a file (*.pfx / *.p12), a smartcard or token, or the current user’s Windows certificate store. If a certificate is stored on a smartcard or token, put the smartcard into the reader or plug in the token before you click Smart card / Certificate store.


Select the certificate. If the certificate and private key are stored in a file, click File.

Select the appropriate file.


You need to type the password that is used to control access to the certificate’s private key.

Click OK to confirm the selection.

If your DriveLock policy contains multiple certificates, repeat the procedure until all required certificates have been added. After adding all certificates, click Next. The wizard attempts to decrypt some samples of the existing anonymized data using the certificates you provided. If some or all of the data cannot be decrypted, the wizard displays a warning. You can select to close the wizard or return to the certificate selection page and specify different certificates. If the wizard was able to decrypt anonymized data, the DriveLock Control Center displays user names and computer names instead of “Encrypted”. In addition, the Decrypt personal data button on the ribbon changes.


The DriveLock Control Center continues to display decrypted data until you click the Stop decryption button or until you close the DriveLock Control Center.
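The requirement described above, that every certificate from the policy must be supplied and that their order does not matter, is the behaviour of an n-of-n key split. The sketch below is an added illustration and not DriveLock code: this guide does not describe how DriveLock encrypts these fields, so the multiplicative ElGamal-style construction, the demonstration-sized group and all function names are assumptions chosen so that it runs on the Python standard library.

```python
import hashlib
import hmac
import secrets

# Demonstration group: integers modulo the Mersenne prime 2**521 - 1.
# Assumption for this sketch only; not a production parameter choice.
P = 2**521 - 1
G = 3


def keypair():
    """One custodian's key pair; stands in for one certificate and its private key."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def combine_public(pubs):
    """Joint public key the agent encrypts to: the product of all custodian keys."""
    joint = 1
    for h in pubs:
        joint = joint * h % P
    return joint


def _derive(shared):
    """Derive separate encryption and MAC keys from the shared group element."""
    raw = shared.to_bytes(66, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()


def _xor_stream(key, data):
    """XOR data with a SHA-256 counter keystream (same call encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def anonymize(value, joint_pub):
    """Agent side: encrypt one user or computer name field to the joint key."""
    r = secrets.randbelow(P - 3) + 2
    enc_key, mac_key = _derive(pow(joint_pub, r, P))
    body = _xor_stream(enc_key, value.encode())
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return pow(G, r, P), body, tag


def deanonymize(field, privs):
    """Console side: clear value, or None unless privs is the complete key set."""
    c1, body, tag = field
    shared = 1
    for x in privs:  # multiplication commutes, so the order of keys is irrelevant
        shared = shared * pow(c1, x, P) % P
    enc_key, mac_key = _derive(shared)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, body).decode()


def check_samples(fields, privs):
    """Mirror of the wizard's test: can every sampled field be decrypted?"""
    return all(deanonymize(f, privs) is not None for f in fields)


def display(field, privs):
    """What a report column would show for this field with the keys supplied so far."""
    value = deanonymize(field, privs)
    return "Encrypted" if value is None else value


if __name__ == "__main__":
    # Constructed sample: two custodians and one constructed user name.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    field = anonymize("EXAMPLE\\jdoe", combine_public([a_pub, b_pub]))
    print(display(field, [a_priv]))          # one key is not enough
    print(display(field, [b_priv, a_priv]))  # both keys, in either order
```

In this sketch a single custodian's key never yields a name, which is the separation-of-duties property that makes anonymized event data auditable only when all key holders cooperate.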

Part III Event Reports

3 Event Reports

The DriveLock Control Center provides an extensive reporting environment that lets administrators easily discover endpoint activity trends and create printed reports that document this activity or send these reports via e-mail. Event reports display selected events in the form of a table. Use these reports to answer questions like:

- Which type of malware was found on which computers and when was it found?
- Which users have accepted usage policies and when did they accept them?
- Which USB drives have been locked on which computers?

If you need to answer questions related to a specific time range and the number of occurrences (for example: "How much malware of which type was found within the last 3 months?" or "How many users have accepted or declined our usage policy within the last 2 months?"), you should use statistical reports instead. You can find more information about statistical reports and how to use them in the chapter "Statistical Reports".

3.1 Viewing Reports

To view a report, on the Views ribbon click the Report button. The Open Report window opens, displaying all available reports. To quickly view one of the five most recently opened reports, click the arrow below the Report button and then select the report.

On the left side of the screen you can filter the reports that are displayed by selecting the publication level and report labels. The following publication levels are available:

- All: Displays all available reports.
- Built-in: Displays only reports that are included with the DCC by default. The All Events report displays all events in the DCC database. Other reports only display events in a single category.
- Personal: Custom reports that you saved for your own use.
- Published: Custom reports that a DCC administrator saved and made available to other administrators.

You or another administrator may have also assigned a label to easily keep track of reports. To view only reports that have been assigned a label, on the left side of the window, select Labels and then click the label by which you want to filter reports. To view a report, select it and then, on the ribbon, click Open.

When you view a report, the DCC displays one row for each event. In addition to the data in this row, you can view additional information about the currently selected event at the bottom of the report tab.

3.1.1 Customizing Report Columns

When viewing a report you can change which columns are displayed, the width of each column and the order in which the columns are displayed.

To control which of the available columns are displayed in the current report, perform one of the following actions:

- To display or hide a column, click the Columns button on the Sort/Group ribbon and then click the column name.
- Right-click the header of any column, and then click Column Chooser to display the Customization dialog box. To hide a column, drag and drop its header from the report to the Customization dialog box. To display a hidden column, drag its header from the Customization dialog box to the header row of the report. To close the Customization dialog box, click the button at its top right corner.
- To remove a column from the current layout, right-click the column header and then click Remove This Column.

To change the width of a column, perform one of the following actions:

- Click and drag the right border of a column heading.
- To change the width of a column to match the width of the data in it, right-click the column header and then click Best Fit.
- To change the width of all columns to match the width of the data in them, right-click any column header and then click Best Fit (all columns).

To change the order in which columns are displayed, drag column headers to the left or the right. Columns are displayed in the resulting order.

3.1.2 Sorting Report Data

To sort report data based on the values in one of the columns, perform one of the following actions:

- On the Sort/Group ribbon, click the Sort button and then click the column to use for sorting.
- Click the header of the column to use for sorting.
- Right-click the header of the column to use for sorting, and then click Sort Ascending or Sort Descending.

An arrow in the column header indicates that the data is sorted based on the values of that column. The direction of the arrow indicates whether the sort order is ascending or descending.

When events are sorted based on the values in a column and you then select the same column for sorting again, the sort order toggles between ascending and descending. To remove the current sort order, right-click the header of the column that is used for sorting and then click Clear Sorting.

3.1.3 Grouping Report Data

To consolidate a large number of events in a report you can group them according to criteria that you define. Grouping creates a consolidated view where events with identical values in a column are grouped together. For example, you can group event data by the Event Type. Once you have grouped data, you can expand or collapse each group to control the amount of detail that is displayed in the report.

To group report data based on the values in a column, perform one of the following actions:

- On the Sort/Group ribbon, click the Group button and then click the column to use for grouping.
- Right-click the header of the column to use for grouping, and then click Group by this column.
- Drag and drop the header of the column to use for grouping to the Group By box, which is the dark blue box above the column headers.


You can customize DCC report tabs to control whether the Group By box is displayed. To toggle the display of this box, right-click a column header, and then click Show / Hide Group By Box.

To create a multi-level outline, repeat the process. For example, to group all events by Event Type and to further group them according to the computer where they were generated, first group by Event Type and then group by Computer. The Group By box displays the current grouping hierarchy.

To expand the contents of a group, click the button to the left of the group. To collapse the contents of a group, click the button. To expand all groups, right-click a column header in the Group By box, and then click Full Expand. To collapse all groups, right-click a column header in the Group By box, and then click Full Collapse.

To remove grouping, perform one of the following actions:

- On the Report ribbon, click the Group button and then click a column that is currently used for grouping.
- Right-click a column header in the Group By box, and then click Ungroup.
- Drag and drop a column header that is currently used for grouping from the Group By box to the header row of the report.

3.1.4 Changing the Report Time Range

Selecting a time range for events to be included in the report is a quick way to filter data so only the most recent events are displayed. By default only events for the last 5 days are displayed. To change the time range for which events are included in the report, on the Time range ribbon, click the Range button and then move the slider to the desired time range.

To set specific start and end dates, on the Time range ribbon, click the Start/end button and then type the start and end dates. If you frequently need to view reports covering a different period than the default, you can change the time range and then save the report. When you open the saved report, it automatically contains events covering the selected time range. For more information about saved reports, refer to the section “Saving a Report”.

3.1.5

Filtering Report Data

The DCC contains rich data filtering capabilities that you can use to control which data is displayed in a report. You can define both simple filter conditions and detailed logical expressions. To create a custom filter, on the Filter ribbon, click the Editor button. You can use the Filter Editor to define one or more conditions using standard logical expressions. Only events that match your filter expressions are displayed.

To create a filter condition, perform the following steps in the Filter Editor:
1. Click the (+) button.
2. In the new filter condition, click [Type] and then click the name of a column to be evaluated for the filter.
3. Click Equals and then click one of the displayed expressions. Which expressions are available depends on the column’s data type. Examples of expressions include Equals, Is greater than, Is less than, Contains, Begins with and Ends with.
4. Click and then select or type the value to be included in the expression. Depending on the data type of the column, you can select from a list, a calendar or type a value.

By default, when you add multiple conditions, the Filter Panel combines them with an And operator. This means that only events that match all conditions are displayed. To change the operator type, click And and then click one of the following operators:
- And: Only events that match all of the conditions are displayed.
- Or: Events that match any of the conditions are displayed.
- Not And: Only events that match none of the conditions are displayed.
- Not Or: Events that don’t match at least one of the conditions are displayed.

To add additional conditions to a filter expression, click an operator and then click Add Condition.

To enable complex filtering, you can group and nest filter conditions. For example, to create a filter that displays all Warning and Error events during April 2010, create the following groups of conditions:
- Type equals Warning or Type equals Error.
- Date is greater than July 3, 2011 and Date is less than July 30, 2011.
- Combine the two previous groups of conditions with an And operator.

To add a new group, click an existing operator, such as And or Or, and then click Add Group. A new group is displayed at an indented level below the current operator. The new group initially contains an empty filter condition. You can change the operator for the group, edit the filter condition or add additional conditions to the group. The DCC always evaluates the conditions in each group at the lowest level of the outline. The results from each group are then evaluated using the operator at the next higher level. The events that are displayed are the result of the entire logical expression. To remove a single condition, click the (x) button to the right of the condition. To remove a group, click the operator for the group and then click the (x) button to the right of the group operator. Alternatively, click the group operator and then click Remove Group. To clear all conditions, click the top-level operator and then click Clear All. To remove a filter from a report view, on the Filter ribbon, click the No filter button.
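The bottom-up evaluation of nested groups described above can be reproduced outside the DCC, for example to re-check an exported report. The following Python sketch is an added example and not DriveLock code; the column names, the date format and the sample rows are assumptions, and only the And and Or operators are covered.

```python
from datetime import datetime

# Assumed column typing for an exported report; adjust to the real header row.
DATE_COLUMNS = {"Date"}
INT_COLUMNS = {"Event ID"}
TEXT_ONLY = {"Contains", "Begins with", "Ends with"}

# The expressions named in the Filter Editor description.
EXPRESSIONS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Is greater than": lambda actual, wanted: actual > wanted,
    "Is less than": lambda actual, wanted: actual < wanted,
    "Contains": lambda actual, wanted: wanted in actual,
    "Begins with": lambda actual, wanted: actual.startswith(wanted),
    "Ends with": lambda actual, wanted: actual.endswith(wanted),
}

# Constructed sample rows (not real DriveLock data).
SAMPLE_EVENTS = [
    {"Type": "Warning", "Event ID": "243", "Computer": "PC-01", "User": "alice", "Date": "2011-07-05"},
    {"Type": "Error", "Event ID": "115", "Computer": "PC-02", "User": "bob", "Date": "2011-07-29"},
    {"Type": "Information", "Event ID": "243", "Computer": "PC-01", "User": "alice", "Date": "2011-07-10"},
    {"Type": "Error", "Event ID": "243", "Computer": "PC-03", "User": "carol", "Date": "2011-07-30"},
    {"Type": "Warning", "Event ID": "115", "Computer": "PC-02", "User": "bob", "Date": "2011-06-30"},
    {"Type": "Error", "Event ID": "243", "Computer": "PC-03", "User": "carol", "Date": ""},
]

# A group is (operator, [children]); a condition is (column, expression, value).
# This tree is the nested example from the text above.
PAGE_FILTER = ("And", [
    ("Or", [("Type", "Equals", "Warning"), ("Type", "Equals", "Error")]),
    ("And", [("Date", "Is greater than", "2011-07-03"),
             ("Date", "Is less than", "2011-07-30")]),
])


def coerce(column, raw):
    """Convert a cell or filter value to the column's data type; None if unusable."""
    if raw is None or str(raw).strip() == "":
        return None
    text = str(raw).strip()
    try:
        if column in DATE_COLUMNS:
            return datetime.strptime(text, "%Y-%m-%d")
        if column in INT_COLUMNS:
            return int(text)
    except ValueError:
        return None
    return text


def is_group(node):
    return len(node) == 2 and node[0] in ("And", "Or")


def matches(node, event):
    """Evaluate the lowest-level groups first, then combine results upward."""
    if is_group(node):
        operator, children = node
        # Evaluate every child so a malformed condition is always reported.
        results = [matches(child, event) for child in children]
        return all(results) if operator == "And" else any(results)
    column, expression, value = node
    if expression not in EXPRESSIONS:
        raise ValueError(f"unknown expression: {expression}")
    if expression in TEXT_ONLY and column in DATE_COLUMNS | INT_COLUMNS:
        raise ValueError(f"{expression} is not available for column {column}")
    wanted = coerce(column, value)
    if wanted is None:
        raise ValueError(f"filter value {value!r} does not fit column {column}")
    actual = coerce(column, event.get(column))
    if actual is None:
        return False  # a missing or unparsable cell never matches
    return EXPRESSIONS[expression](actual, wanted)


def apply_filter(tree, events):
    return [event for event in events if matches(tree, event)]


if __name__ == "__main__":
    for event in apply_filter(PAGE_FILTER, SAMPLE_EVENTS):
        print(event["Date"], event["Type"], event["Computer"])
```

Both date comparisons are strict, so the row dated July 30 is excluded, and the row with an empty date is dropped rather than treated as a match.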

3.1.6

Dynamic Filtering

You can dynamically filter reports by directly typing your filter criteria. The first line in a report (highlighted in the graphic using a red line) is used to enter filter criteria.


By default the filter line is not displayed. To display it, click the Filter button and then click Auto filter row. To disable the display, perform this step again. For example, to find all events with an Event ID of 243, in the event-ID filter field, type “243”. The report is automatically filtered to only display the matching events. To further filter events by user, in the user filter field, type a user name. The filter result only contains events with an Event ID of 243 generated by the user you specified. Instead of typing filter criteria you can also select from existing data in the report by clicking the Filter button (highlighted in the graphic using a red line) in the top right corner of the column label and then selecting an existing value.

To select a data range, click the Filter button in the top right corner of the Date / Time column label. The DCC displays a dialog box that lets you select a specific day or a predefined date range.


To select a custom date range, click and drag the range, or click the first date in the range, press the Shift key and then click the last date in the range.

3.1.7

Updating Report Data

Event data may change while you view a report. For example, clients may have sent new events to the DCC after you opened a report view. To update the current report with the most recent data, on the Report ribbon, click the Refresh button.

3.2

Printing and Exporting Report Data

You can use the DCC to print data and customize the formatting of printed pages. If you need to save the report data for further processing or future reference, you can export the report data to a file in one of several formats. You can also send a file containing exported data as an e-mail attachment to one or more recipients. Both the print and export functions are described in this chapter. To start the process of exporting or printing data, on the Report ribbon, click the Print Preview button. The DCC displays a preview of the printout or data to be exported.

3.2.1

Formatting Pages and Using Print Preview

To customize the layout, you use the buttons on the Actions ribbon.

3.2.1.1

Page Setup

Click the Header/Footer button to open the Header and Footer dialog box.

Type the text to be displayed on the left side, the center and the right side of the header and footer lines in the appropriate fields. Using the controls at the top of the dialog box, you can change the font and change the vertical alignment of each section (top, center or bottom). Use the buttons at the left to insert any of the following placeholders that the DCC will replace with the current data when the report is printed or saved:
- Prints the page number
- Prints the total number of pages (Page # of ##)
- Prints the current date
- Prints the current time (hh:mm)
- Prints the name of the current user

Click the Scale button to configure the scaling parameters. Use scaling to adjust the data to fit on one or more pages. You can also use scaling to enlarge the content on the page for easier viewing.

Click the Margins button to change the paper margins. Select one of the pre-configured margin sizes or click Custom Margins to define other settings. You can also adjust the margins by dragging the four dotted lines in the print preview window. Click the Orientation button to toggle the paper orientation between Portrait and Landscape. Click the Size button to change the paper size.

3.2.1.2

Navigation

To find text in the print preview, click the Find button. The Find dialog box appears.

After selecting any required search options, click Find next to highlight the next occurrence of the search text in the print preview.

3.2.1.3

Adjusting the Print Preview

You can adjust the size at which the print preview is displayed on your screen, display only part of a page or display one or more pages at the same time. Use the Zoom Out and Zoom In buttons to change the display size, or click the Zoom button to select the magnification setting or to display two pages at the same time. You can also use the slider at the bottom of the screen to quickly change the magnification level. To display more than two pages at the same time, click the Many Pages button, and then select the desired number of pages.

To toggle between the current magnification and displaying an entire page, click the Magnifier button and then click anywhere in the page preview. Use the Hand button to enable dragging the page around your screen to view a different part of the page without using the scroll bars. When you are done using the Hand or Magnifier tools, click the Mouse Pointer button to resume normal mouse behavior.

3.2.1.4

Formatting the Page Background

To change the overall appearance of a printed report you can set the page background color. You can also add a watermark that is displayed as a background on all report pages. Watermarks are most commonly used for corporate branding or to highlight the status of a document, such as “Confidential” or “Draft”. You can use either a graphic or formatted text for a watermark.

To change the page color, click the Page Color button and then select a color. You can select from the following color types:
- Custom: Appropriate for printing.
- Web: Appropriate for display in a Web browser or printing.
- System: Appropriate for on-screen display or printing.

To create a watermark that will be displayed on each page, click the Watermark button. The Watermark dialog box appears.


To use text as a watermark, in the Watermark dialog box, select the Text Watermark tab. In the Text box, select from a list of common watermarks or type the text watermark. Next, select the desired text placement, formatting and pages on which the watermark will be displayed. The preview picture shows how the watermark will appear on the page. To use a picture as a watermark, in the Watermark dialog box, select the Picture Watermark tab.

To select the image to be used as a watermark, click Load image and then select a graphics file. Next, select the desired picture placement, formatting and pages on which the watermark will be displayed. The preview picture shows how the watermark will appear on the page.

3.2.2

Printing a Report

To print a report, use one of the two print buttons.

Click the Print button to select a printer and specify print options. Click the Quick Print button to send the document to the default printer using the current print settings.

3.2.3

Exporting Report Data

Instead of printing the data in a report you can export the data for further analysis and formatting in another program, to refer to the data later or to share the report data with others. Some of the available file formats ignore page settings that you may have configured, such as headers, footers and watermarks. You can export data in the following file formats:
- Portable Document Format (PDF)
- Web Page (HTML)
- Single File Web Page (MHT)
- Rich text format (RTF)
- Excel (XLS)
- Excel 2007 (XLSX)
- Character separated values text (CSV)
- Plain text (TXT)
- Image (BMP, EMF, WMF, GIF, JPG, PNG, TIFF)

Click the arrow on the Export to button to display a menu and then select the desired format. The Export Options dialog appears. The options available in this dialog box depend on the export format you selected.

In the Export Options dialog box, select any of the available formatting choices, type a document name and then click OK. In the Save dialog box, specify a folder and file name to save your file to and then click Save.


When the DCC has finished saving the file you are prompted whether you want to immediately open the file using the default program associated with the file type.

To generate a file in one of the export formats and send it to a recipient by e-mail, click the arrow next to the E-mail as button. After you select the formatting choices and save the file, you will be prompted for the recipient’s e-mail address and the DCC will send the report file as an attachment to the recipient. To send a report by e-mail, an e-mail program needs to be installed on your computer and your Windows user profile needs to contain an e-mail profile.

To return to the Report view, click the Close Print Preview button.

3.3

Saving and Publishing Reports

You can save reports so you can use them again at a later time. This includes all elements of the report, such as filters, sorting criteria and formatting. You can also publish a saved report definition so other DriveLock Control Center users can use it.

3.3.1

Saving a Report

To save a report definition that includes your customized settings, on a report tab, click the Save button on the Report ribbon and then click Save as. Type a report name and, optionally, a comment, and then click OK. To save changes to an existing report definition, click the Save button and then click Save.

3.3.2

Publishing a Report

To share a saved report with other users and allow them to use it you must publish the report. To publish a saved report, on the Report ribbon click the Save button and then click Publish.

3.3.3

Using Saved Reports

To view a report you previously saved, on the Views ribbon click the Report button. The Open Report window opens, displaying all available reports. In the left pane, click Personal to display all reports you saved. Select a report and then click Open to view the report.

3.4

Managing and Planning Reports

To change the properties or access permissions of a saved or published report, on the Views ribbon click the arrow below the Report button and then click Manage.

The Open Report window opens, displaying all available reports.


To delete a saved or published report, select the report and then click the Delete button on the ribbon.

3.4.1

Using Labels

To categorize reports and provide easy access to them, you can assign labels to reports, for example “Monthly Reports” or “Drive Activity Reports”. You can view all reports with the same label by selecting the label on the Open Report tab. You can also assign multiple labels to the same report. The DCC contains the built-in labels All, Built-in, Published and Personal. You can’t modify these built-in labels but you can create and modify your own personal labels. To view the currently defined labels, click the Labels section on the left side of the Open Report tab.

To create a new label, on the Open Report tab, on the Label ribbon, click the New button. Type the name of the label and then click OK.

To delete a label, select the Labels section on the left side of the screen, click the label and then click the Delete button. To edit a label, select the label and then click the Edit button. The Properties dialog box appears.

To assign a label to a report, first select a report. On the left side click Labels. A list of your labels appears on the right. You can assign one or more labels to a report by selecting the label’s checkbox. To remove a label from a report, clear the label.

3.4.2

Configuring Report Permissions

To control who can use a report or make changes to it you can assign permissions to reports. To do this, select a report and then click Permissions.

You can grant or deny permissions to any user or group that has been added to the DriveLock Control Center. Click the buttons Add user and Remove user to change the list of users and groups that are assigned permissions to the report. Then select the appropriate Allow and Deny checkboxes to grant or deny the following permissions to each of these users or groups:
- Full: Can make changes to the label name and permissions, can view the label permissions and the label itself.
- Change: Can make changes to the label name.
- Read: Can view the label permissions.

3.4.3

Configuring Automatic Report Generation

You can configure any saved report to be automatically generated. The DriveLock Enterprise Service generates such reports at the times you specify and sends them as PDF attachments via e-mail or saves them in a shared folder. This provides easy access to information that needs to be reviewed regularly without the need to use the DCC to create a report.

To configure automatic report generation, you first need to create a custom report because the built-in reports cannot be automatically generated. For example, to create a report that only contains locked drives, you would first open the built-in Drives report, add a filter for Event ID Equals 115 and then save the customized report view under a new name, such as Locked Drives.

To create a schedule for the creation of the custom report, perform the following steps:
1. On the ribbon, click the Start tab.
2. On the ribbon, click the lower part of the Report button, and then click Manage.
3. To only display report views that you created, click Personal or Published.
4. Select the report you want to publish.
5. On the ribbon, in the Schedule area, click New. The configuration window for the new schedule opens.
6. In the Name field, type a name for the report, such as “Daily report for the security office”.
7. Configure the frequency of the report generation:
   - One time: The report will be created only once at the time you configure.
   - Hourly: The report will be created at an interval of several hours, for example every 4 hours.
   - Daily: The report will be generated at an interval of several days, for example every 7 days at the configured time.
8. Optionally you can add a Description to the report to help you keep track of its contents or purpose.
9. In the File type field, select the file format for the report.

To automatically send generated reports to an e-mail recipient, perform the following steps:
1. Under Recipient, select E-mail.
2. Click Add.
3. Type a valid e-mail address.
4. Click OK.
5. Repeat the preceding steps to add additional recipients.

To remove a recipient, select the e-mail address and then click Delete.


To test whether reports can be successfully sent to the addresses you configured, click Test email. DriveLock will send a simple test message to the e-mail address. To enable the sending of reports you need to configure the DriveLock Enterprise Service to use an SMTP server. For information about how to configure the DES server, refer to the DriveLock Administration Manual. To save the automatically generated report in a folder, perform the following steps: Under Recipient, select File. Click … to select a folder or type the name of the folder to save the file in. To enable the saving of reports to a folder, the DriveLock Enterprise Service must be able to access the folder and the account under which the DriveLock Enterprise Service runs needs write permissions to the folder.

The number of events in a single saved report is limited to 100,000.

To save a schedule and to activate it, click OK. You can also temporarily deactivate a schedule without deleting it. To deactivate a schedule, perform the following procedure:
1. On the ribbon, click the Start tab.
2. On the ribbon, click the lower part of the Report button, and then click Manage.
3. To only display report views that you created, click Personal or Published.
4. Select the report with the schedule you want to deactivate.
5. On the ribbon, in the Schedule area, click Edit. The configuration window for the schedule opens.
6. Deselect the Enabled checkbox.
7. Click OK to save the change.

Part IV Statistical Reports

4

Statistical Reports

Statistical reports enable the analysis of DriveLock events over a given period of time and/or based on the number of events. They also make it possible to compare time frames with each other and to detect changes. Statistical reports can be used, for example, to answer the following questions:
- How many malicious programs of which type were detected within the last 3 months?
- How many users have accepted or declined the usage policy within the last two months?
- How many USB sticks were blocked within the past 6 months?

Fundamentally, the statistical reports are similar to pivot tables in Microsoft Excel. As in Excel, you can create charts in different representation modes from the calculated values to visualize the data. The DriveLock Control Center offers you nearly the same flexibility as Excel, without the comprehensive effort required to create pivot tables. Statistical reports can therefore be used for the following purposes:
- Analysis of changes over a given period of time
- Identification of trends
- Detection of deviations within a time frame
- Comparison of two or more time frames, for example, a year, quarter, month or week

Just as with event reports, the settings made for a statistical report (e.g. filters, sorting, chart type, time period) can be saved. It is also possible to configure the automatic generation of statistical reports based on saved reports and a time schedule; as with event reports, the automatic sending or provision of the report can also be configured. For this, please also refer to:
- Creation of Statistical Reports
- Printing and Exporting Statistical Reports
- Reusing Statistical Reports
- Automatic Setup of Statistical Reports

4.1

Creation of Statistical Reports

The DriveLock Control Center already contains pre-defined statistical queries that can be opened as a report. These queries are always displayed in the form of a pivot table (lower section) and the corresponding chart (upper section). The pivot table is always structured in the same manner and contains the following four sections:


- Field selection: The fields shown here can be used for the grouping on the X or Y axis.
- Grouping X-axis: The pivot table groups the data horizontally according to the fields specified on the X-axis and the datasets they contain. In the default statistics, the time is commonly used as the criterion (hour, day, month, year).
- Grouping Y-axis: The pivot table groups the data vertically according to the fields specified on the Y-axis and the datasets they contain. Here, each of the predefined statistics has a different field than the standard criteria.
- Sum: The sum fields contain the number of elements for the fields specified on the X and Y axis.

The table can be customized to suit your preferences and requirements with the help of various control elements, the fields themselves and drag & drop functions. The chart is adapted in accordance with the selected (highlighted) totals fields. For this, the following functions can be used:
- Grouping according to one or more fields (sub groups)
- Sorting of the order
- Filtering according to specified datasets within a field
- Summarization of certain time periods (years, months, days)

The use of the statistics is described in detail below:
- Selection of a time period for the data range
- Selection of fields
- Using the control elements
- Selection of the totals fields
- Adaption of the graphics

4.1.1

Selection of a time period for the data range

The selected time period determines the data which will be read from the database and used for the statistics. The selection of a time period for the data range is performed as follows: If you intend to view data for a specific range (e.g. one month), click on Range in the main menu Actions and set the desired timeframe with the slider on the right next to it. There you will have the following time periods available for selection: 1 day, 1 week, 2 weeks, 1 month, 3 months, 6 months


If you want to display all the statistical data contained in the database without specifying a time, then move the slider all the way to the right (timeframe All). If you want to analyze a specific date range, then click on Start / End in the main menu Actions. Subsequently, a date can either be directly entered into the date fields or a date can be selected from the displayed calendar within the calendar dialogue (right arrow).

4.1.2

Selection of fields

The fields are used to group datasets, either horizontally or vertically. Each field contains one or more matching datasets. The time field is a special case: it is automatically divided into different time periods, which cannot, however, be separated and used as individual fields. The fields can be utilized in the following manner:
- To add a grouping, drag a new field from the field selection area and drop it onto the desired axis. Two arrows indicate the position at which the new field will be added.
- To change the order of the grouping, drag the field on the respective axis from its current position and drop it at the desired position. Here, two arrows will again indicate the new position.
- To remove a grouping, simply drag & drop the desired field from the respective axis into the field selection area.

4.1.3

Using the control elements

With the help of various control elements, you can change the sorting, group time frames, hide or show sub-groups and define filters. The control elements can be utilized in the following manner:
- To change the sorting order, click the filled triangular symbol. Depending on whether the sorting is ascending or descending, the triangle will be facing up or down.
- To hide sub-groups and to aggregate the totals data, click on the arrow-like triangular symbol. If, for example, you click on this symbol in the field Month, the data is automatically summarized according to the months and the subgroups Week, Day and possibly Hour will be hidden. To display the sub-groups again and to remove the summarization, click the icon.
- If you don't want to use all of the datasets of a field for the grouping, then move the mouse pointer over the respective field. A filter symbol will appear in the right corner next to the sorting symbol, which will change color when you hover over it with the mouse. A click on the filter icon will then display a pop-up menu, in which you can select the desired datasets. The icons shown at the top will help you with the selection (select all, select only one, invert current selection).
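The pivot structure from section 4.1 (time on the X-axis, a field on the Y-axis, event counts in the sum cells) and the time-level summarization described above can be rebuilt from exported events to cross-check a statistical report or to compare two time frames. This Python sketch is an added example, not DriveLock code; the column names, the timestamp format and the sample rows are assumptions, with Event ID 115 and 243 taken from the examples in this guide.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows in an assumed export layout (not real DriveLock data).
FIELDS = ("Date / Time", "Event ID", "Computer")
SAMPLE_ROWS = [
    ("2013-05-02 09:15", "115", "PC-01"),
    ("2013-05-02 14:40", "115", "PC-02"),
    ("2013-05-20 08:05", "243", "PC-01"),
    ("2013-06-03 10:30", "115", "PC-01"),
    ("2013-06-03 11:00", "115", "PC-03"),
    ("2013-06-17 16:20", "115", "PC-02"),
    ("2013-06-18 09:00", "243", "PC-03"),
    ("2013-06-18 09:45", "243", "PC-03"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in SAMPLE_ROWS]


def time_bucket(stamp, level):
    """Collapse a timestamp to one level of the time field's hierarchy."""
    if level == "Year":
        return f"{stamp.year}"
    if level == "Month":
        return f"{stamp.year}-{stamp.month:02d}"
    if level == "Week":
        iso = stamp.isocalendar()  # ISO year and ISO week number
        return f"{iso[0]}-W{iso[1]:02d}"
    if level == "Day":
        return stamp.strftime("%Y-%m-%d")
    if level == "Hour":
        return stamp.strftime("%Y-%m-%d %H:00")
    raise ValueError(f"unknown time level: {level}")


def pivot(events, y_field, time_level="Month"):
    """Return sum cells keyed by (Y value, X time bucket)."""
    cells = Counter()
    for event in events:
        stamp = datetime.strptime(event["Date / Time"], "%Y-%m-%d %H:%M")
        cells[(event[y_field], time_bucket(stamp, time_level))] += 1
    return cells


def swap_axes(cells):
    """Exchange the X and Y axis, as the Swap action does for the table."""
    return Counter({(x, y): count for (y, x), count in cells.items()})


def totals(cells, axis):
    """Totals per Y value (axis=0) or per X value (axis=1)."""
    result = Counter()
    for key, count in cells.items():
        result[key[axis]] += count
    return result


def change_between(cells, earlier, later):
    """Compare two time frames: per Y value, later count minus earlier count."""
    rows = sorted({y for y, _ in cells})
    return {y: cells[(y, later)] - cells[(y, earlier)] for y in rows}


def render(cells):
    """Tab-separated table with a Sum column, rows and columns sorted."""
    rows = sorted({y for y, _ in cells})
    cols = sorted({x for _, x in cells})
    lines = ["\t".join(["", *cols, "Sum"])]
    for y in rows:
        counts = [cells[(y, x)] for x in cols]
        lines.append("\t".join([y, *map(str, counts), str(sum(counts))]))
    return "\n".join(lines)


if __name__ == "__main__":
    monthly = pivot(EVENTS, "Event ID", "Month")
    print(render(monthly))
    print(change_between(monthly, "2013-05", "2013-06"))
```

Switching `time_level` from "Month" to "Day" or "Hour" corresponds to expanding the sub-groups of the time field again.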

4.1.4

Selection of totals fields

The data used for the chart in the upper part is determined by the totals fields currently selected in the bottom area. This allows you to quickly and easily select specific data ranges or hide others without having to set any filters.

Please note that this selection is not saved when you want to reuse a statistical report. For this, please use the data filtering, which is accessible through the appropriate control element.

The selection of the totals fields for the chart (several alternatives are possible) is performed as follows:
- With the mouse, click into one of the totals fields, hold down the left mouse button and drag the mouse pointer over the other totals fields you want to select. The selected totals fields will be highlighted in blue.
- Click on one of the datasets of a field (X or Y axis) you wish to select with the mouse. All totals fields of the respective column or row will now be selected and highlighted in blue.
- Click on one of the datasets of a field (X or Y axis) you wish to select, hold down the left mouse button and then drag the mouse over the other datasets you want to select. All totals fields of the respective column or row will now be selected and highlighted in blue.

As soon as you alter the selection of the totals fields, the chart will be updated automatically.

4.1.5

Adaption of the graphics

The chart in the upper area can be changed not only through the selection of the totals fields. There is also a selection of six different chart types (bars simple and stacked, lines simple and stacked, planes stacked and pie chart) available. The following describes how to customize the chart:
- To change the chart type, in the main menu Actions, in the section Diagram, click on the icon of the desired type. Use the arrows to the right of the icons to switch to the three icons that are currently not displayed. The chart will then automatically adjust to the new type.
- To quickly swap the two axes in the pivot table, click on Swap in the main menu Actions. Especially in the pie chart representation a swap of the X and Y axis can make sense in order to obtain the desired view. Especially for pie charts the time axis should be the Y axis.

4.2

Printing and Exporting Statistical Reports

Statistical reports can be printed or saved as a file. For this, click on the Print preview item in the Actions ribbon within a report. The DriveLock Control Center will then display a preview of the printout or the data to be exported in a new tab. Statistical reports are always displayed as a two-sided document. The first page contains the chart, the second page the corresponding chart data in tabular form. The Actions ribbon now contains all the buttons and menu options for the print preview.

To print a report, click on one of the two print buttons. Click on the Print button to select a printer and the print options. Click on the Print immediately button to send the document to the default printer with the current print settings.

For a statistical report, the background can be changed with a watermark in the same way as for an event report. To create a watermark that will be printed on every page, click on the Watermark button. The Watermark dialog window will then open. The settings that appear here are described in the section Formatting the Page Background (in Event Reports).


Instead of printing the data of a report, you can export it to other programs for further analysis and formatting, to refer to the data later or to share the report with others.

Some of the available file formats ignore any previously set page options, such as headers, footers and watermarks. The data can be exported in the following file formats:
- Portable Document Format (PDF)
- Web page (HTML)
- Single File Web Page (MHT)
- Rich Text Format (RTF)
- Excel (XLS)
- Excel 2007 (XLSX)
- Comma-separated text file (CSV)
- Plain text (TXT)
- Image (BMP, EMF, WMF, GIF, JPG, PNG, TIFF)

Click on the arrow of the Export to button to display a menu with the different file formats, from which the desired format can be selected. The Export dialog will then open. The options which are available in the dialog box depend on the selected export format. In the export options, fill in the required metadata, specify a document name and click on OK. In the Save as dialog, select the destination folder and file name, then click on Save. Once the DriveLock Control Center has completed the save operation, you will be asked if you want to open the file with the default viewer for the respective document type.

Unlike other reports, statistical reports cannot be sent manually via e-mail. However, you can use automated statistical reports for this purpose.

To return to the report view, close the tab with the print preview.

4.3

Reusing Statistical Reports

To save the current report settings, click the Save button in the Report ribbon and select Save as. Specify a report name and optionally a comment, then confirm by clicking OK. To save changes to an existing statistical report, click the Save button and select Save.

To share a saved report with other users and grant them access, it must first be published. To publish a saved report, click the Save button in the Report ribbon and then select Publish. A report must have been saved once before it can be published.

To open a saved statistical report, click Statistics (upper section) in the Start ribbon. In the new tab that opens, click, for example, Personal and then double-click the report on the right side.

To open a report that another user published, click Published, select the respective report on the right side and then click Open. To delete a saved or published report, select the respective report and click Delete.

To control which users have access to a published statistical report or are authorized to change it, select the appropriate report and then click the Permissions button on the lower right side. Click the buttons Add user and Remove user to change the users and groups that should have access. Select the respective Allow and Deny checkboxes for each user and group to grant individual users and groups the following permissions:

- Full: Can modify the report definition and permissions
- Change: Can modify the report definition
- Read: Can open the report

To categorize statistical reports and make them easier to find, you can assign labels to them, such as "Monthly reports" or "Drive activities". In the Open Report dialog you can display all reports with the same assigned label by selecting the previously defined label. It is also possible to assign multiple labels to a report. The DriveLock Control Center contains the predefined labels All, Installed, Published and Personal, which cannot be changed. However, you can create and change your own personal labels.

- To create a new label, click the New button. Enter the name of the label and click OK.
- To delete a label, select the label and click the Delete button.
- To edit the name of a label, select the label and click the Edit button.

The labels can now be assigned to a report. To do this, click Publication level on the lower left side. If you now select the desired report and click Label at the lower right, the available labels appear on the upper right, and you can set or remove an assignment by checking or unchecking the respective label.

4.4

Automated Statistical Reports

To change the properties of a saved or published report, or to change its access permissions, click the upper area of the Statistics button in the Start menu bar. The window for managing statistical reports opens.

Every previously saved statistical report can also be created automatically. The report is generated in the desired format at a predetermined point in time and either sent to a recipient as an e-mail by the DriveLock Enterprise Service or saved to a specified directory (e.g. on a share). In this way, people can be provided with a statistical report regularly and automatically, without needing access to the DriveLock Control Center.

To schedule an automated report, you must first create an individual report, because the predefined reports cannot be used for a scheduled operation. To create a schedule for a statistical report, proceed as follows:

- Select the Start tab in the menu bar.
- Click the top area of the Statistics menu.
- To display only your own reports in the middle area, click Personal or Published under the publication level.

- Select the desired saved statistical report.
- On the menu bar, click the New button in the Schedule area. This opens the configuration window for a new schedule.

- Specify a name for the schedule, for example "Monthly report to the Data Protection Officer", and enter it into the Name field.
- Set the time at which the report is to be created. The following options are available:
  o Once: The report is only created once at the specified time
  o Hourly: The report is created at the specified hourly intervals (e.g. every 4 hours)
  o Daily: The report is created at the specified daily intervals (e.g. every 7 days)
- Optional: Enter a meaningful description of this schedule into the Description text box.
- Select the desired file format in the File Type area.
- To automatically send the generated file via e-mail to one or more recipients, execute the following steps:
  o In the Recipient area, select the option eMail.
  o Click Add.
  o Enter a valid e-mail address.
  o Click OK.
  o Repeat these steps to add more recipients.
  o To delete a recipient, first select the recipient from the list and then click Remove.
  o To check the specified e-mail address, select it and then click Test eMail. A simple test e-mail is then sent to this address.

In order for automatic reports to be sent, an SMTP server must be set up on the DriveLock Enterprise Service. For more information, please refer to the DriveLock Administration Manual.

- To save the automatically generated file into a folder, execute the following steps:
  o In the Recipient area, select the option File.
  o Click "..." to select an existing directory using the file selection dialog, or
  o enter the path to the directory directly into the input field.

In order for an automatically generated file to be saved to the specified folder, the folder must be accessible to the DriveLock Enterprise Service, and the account under which the DriveLock Enterprise Service is running must have the appropriate write permissions.

For technical reasons, the number of events contained in a file is limited to 100,000 events, and for e-mail to 2,500 events.

- To accept the settings for the schedule and activate it, click OK.

You can also disable an existing schedule without deleting the settings:

- Select the Start tab in the menu bar.
- Click the bottom area of the Report menu and select Manage from the submenu.
- To display only your own reports in the middle area, click Personal or Published under the publication level.
- Select the desired saved report.
- On the menu bar, click the Change button in the Schedule area. This opens the configuration window for the respective schedule.
- Uncheck the "Active" option.
- Click OK to save the changes.

Part V Performing Forensic Analysis

5

Performing Forensic Analysis

The DriveLock Control Center contains powerful analysis functionality that lets you perform forensic analysis of event data that has been recorded by DriveLock Agents. You can use this forensic analysis to quickly find relevant information about the security of your endpoints. For example, you can use DCC forensics to see which flash drives a user plugged into a computer and then investigate on which other computers these flash drives were used. Another example of forensic analysis is to find out which files were ever copied to a specific flash drive and who copied the files. Unlike reports, you cannot save, publish or schedule forensic analysis. Performing forensic analysis is similar to creating reports, but you also have access to tools that allow you to drill down into the report data and gather additional information about specific events in the report and to discover patterns. In effect, forensic analysis lets you create additional detailed reports about underlying and related events of an existing report.

5.1

Starting a Forensic Analysis

To start a forensic analysis, on the Start ribbon, click the Forensics button. The Forensics window opens, where you can select the starting point of your forensic analysis, such as drives or users.

Forensics reports can be assigned labels. To view only those with a specific label, click Labels and then select the appropriate label. To open a forensic analysis, select the type, such as Networks or Software and then click Open.

Most of the functions for reports, such as filtering, grouping and sorting are also available for forensic analysis. For details about this functionality, refer to the section Viewing Reports. When you select an event in a forensic analysis view you can easily view all available information about the event in the Detail window at the bottom of the window.

To view additional information about one or more events in a forensic analysis view, you can drill down into the data. Drilling down means viewing additional information about selected entities. For example, you can drill down into a drive that is displayed to view all file events that are associated with the drive.

Several options are available when drilling down:

- New Forensic Analysis: Starts a new forensic analysis that is based on the current selection.
- Clear: Removes all filters.
- Current selection: Combines the current selection with additional categories. For example, you could view all computers on which the currently selected drives have been used.

- Data field (such as Vendor/Product): Uses only the selected data field for drilling down and ignores further detail. For example, when selecting Vendor/Product, serial numbers of drivers are ignored for the next drill-down step.

To start a drilldown, select an item in the current forensics results and then on the Drilldown ribbon, click Current Selection.

A list of entities to which you can drill down is displayed. The number of results available for each entity is displayed in parentheses. Click the entity type to which you want to drill down. The DCC displays the results of the drilldown.

The new forensic analysis view displays event information about the new data category, containing only data for the events you selected in the previous step. The navigation pane on the left side of the screen displays an outline containing the selected events and the drill-down actions you performed to get to the current view. You can perform multiple drilldown steps to further narrow down the results. For example, the following drilldown results represent a single file access.

To start a new forensic analysis based on the currently displayed results, on the Drill down tab, click the New Forensic button.

5.2

Printing and Exporting Forensics Reports

The process for printing and exporting forensic analysis results is identical to printing and exporting regular reports. For more information about these tasks, refer to the section Printing and Exporting Report Data.

5.3

Managing Permissions for Forensics Reports

To control who can use a forensics report, you can assign permissions to it. To do this, select a forensics report and then click Permissions.

You can grant or deny permissions to any user or group that has been added to the DriveLock Control Center. Click the buttons Add user and Remove user to change the list of users and groups that are assigned permissions to the report. Then select the appropriate Allow and Deny checkboxes to grant or deny the following permissions to each of these users or groups:

- Full: Can make changes to the label name and permissions, view the label permissions and view the label itself.
- Change: Can make changes to the label name.
- Read: Can view the label permissions.

Part VI Inventory and Asset Management

6

Inventory and Asset Management

You can use the inventory and asset management functionality of DriveLock to create a complete inventory of hardware and software in your organization. For example, you can compare such software inventory data with the purchase information for software to ensure that installed software is correctly licensed. Because a software inventory report can tell you reliably on how many computers any software is installed, you will know whether you need to buy additional licenses. When software licensing is no longer based on guesses, you can save money by not buying more licenses than you need, and you don’t have to fear the results of a software audit.

6.1

Prerequisites

Inventory functionality is included in all DriveLock editions that include Application Control functionality. Because inventory collection is performed by DriveLock Agents you need to activate this functionality in the DriveLock policy that is applied to Agents. The configuration settings can be found in the following policy section: “Global configuration -> Settings -> Collection of inventory data”.

Once you have enabled inventory collection you can select what information is collected and customize the schedule at which inventory collection is performed. The default interval is 30 days.

For more information about inventory collection, refer to the chapter “Configuring Hardware and Software Inventory” in the DriveLock Administration manual.

6.2

Using Inventory Data

You can use the inventory data to easily view hardware and software that is used in your organization and to track warranty and maintenance data for your assets.

6.2.1

Viewing Inventory Data

To view inventory data, on the Views ribbon, click the Inventory button and then select the type of inventory you want to view.

A window opens that displays your organization’s software or hardware inventory.

Inventory views are divided into three areas:

- The left section contains the initial entity of the inventory view.
- The middle section contains the drill-down entities you selected on the left side.
- The right side contains additional detailed information about the selected elements that were collected by DriveLock Agents.

To sort the items in the left or middle sections alphabetically, click the Sort button on the ribbon and then select the entity to sort, or click the column header. To find specific entities or to filter the display, click the Find button on the ribbon.

Type the text to search for or to filter by and then click Find to display only items that contain the text you typed. Inventory views provide only limited analysis and forensics functionality. For more detailed analysis, click the New Forensic Analysis button to create a forensics view that supplements the inventory functionality. Information on the right side is also organized hierarchically.

Use the arrows on the left of the display to collapse or expand details.

6.2.2

Adding Warranty and Maintenance Information

You can add warranty and maintenance information to the Computer and Software entities.

When you enter warranty and maintenance expiration dates, DriveLock can automatically alert you when these dates approach.

To configure notifications, on the ribbon click Notifications.

In the Warranty notification window you activate or deactivate notifications, set a lead time and specify recipients. Click Test e-mail to confirm that the DriveLock Enterprise Service is correctly configured to send email notifications. You can also select whether the DriveLock Enterprise Service will send notification e-mails when no warranty expiration has been specified. Notifications require that your DriveLock Enterprise Service is configured to send e-mail. For more information on how to perform this configuration using the DriveLock Management Console, refer to the DriveLock Administration Manual.

Part VII Performing Helpdesk Tasks

7

Performing Helpdesk Tasks

The Helpdesk area of the DriveLock Control Center provides access to common helpdesk tasks. You can view information about the status of DriveLock Agents, Agent licensing, the status of recovery data, and perform remote control functions. To perform a helpdesk task, on the Start ribbon click the Helpdesk button. The DriveLock Management Console must be installed on the computer where you perform helpdesk tasks. If the DriveLock Management Console is not installed, a warning message appears and helpdesk functions are not available.

7.1

Viewing Computer Information

The Helpdesk view displays a list of all computers that have reported events to the DCC.

In the Helpdesk view you can use many of the same sorting, filtering, formatting and printing options that are available for reports. In addition you can select from several pre-defined filters to quickly find computers that may not be functioning correctly. By default, the Helpdesk tab only displays the most commonly used columns. To add additional columns, right-click a column header and then click Column Chooser.

Add columns by dragging them from the Column Chooser dialog box to the header row. Remove columns by dragging the header to the Column Chooser.

7.1.1

Using Predefined Filters

The Helpdesk ribbon contains several predefined filters to help you find computers that need attention. To make effective use of these filters, you need to first add all computers in your network to the DriveLock Enterprise Service (DES).

When activating your license by using the DriveLock Management Console, select the option to send information about which computers are licensed to the DES. This will enable you to identify licensed computers that don’t have the DriveLock Agent installed. You can find additional information about using the DriveLock Management Console to monitor Agents in the DriveLock Administration manual.

The predefined filters are:

- License - No Agent: Computers that are licensed to run DriveLock, but the DriveLock Agent is not installed
- License - No encryption license: Computers that are licensed to run DriveLock, but the license does not cover removable media encryption (Encryption 2-Go)
- FDE – Not installed: Computers where Full Disk Encryption is not installed

- FDE – Encrypted: Computers with fully encrypted hard drives
- FDE – Recovery not possible: Computers with FDE where recovery is not possible, for example because recovery data was not saved to a central location

To use a predefined filter, on the Filter ribbon, click the Filter button, point to License or FDE and then click the appropriate filter. To define a custom filter, click Editor. To display a blank top row for dynamic filtering, click Auto filter row.

7.1.2

Deleting Computers

The Helpdesk view displays all computers that have reported events or that you have added to the DES. When you remove computers from your DriveLock environment and you don’t want these computers to appear in Helpdesk views any longer, you can deactivate them in the DriveLock database. This will remove them from Helpdesk views without removing them from the database.

To remove a computer from the Helpdesk view, select the computer and then on the Computer ribbon, click Delete.

7.2

Performing Remote Control Tasks

You can perform many of the same Agent remote control tasks, such as temporary unlocking, that can be performed in the DriveLock Management Console. Details of these tasks are described in the DriveLock Administration manual.

When the DriveLock Control Center has established a connection with a computer, the remote control tasks that are available for the computer are displayed on the right side. Click the corresponding links to perform these tasks.

7.2.1

Connecting to a Computer

Before you can perform remote control tasks on a computer running the DriveLock Agent you must connect to the computer. To establish the connection, in the Helpdesk view, right-click the computer in a list and then click Connect to computer.

You can also type the name of a computer in the To field on the Computer ribbon and then click Connect.

To end a connection, select the computer and then on the Computer ribbon, click Disconnect.

7.2.2

Managing Computers

You can perform many of the same Agent remote control tasks, such as temporary unlocking, that can be performed in the DriveLock Management Console. Details of these tasks are described in the chapter “Using Agent Remote Control” of the DriveLock Administration manual. Starting with DriveLock 7.2, recovery functionality for encrypted containers (Encryption 2-Go) and folders (DriveLock Drive Protection) has been combined into a single task area and can be performed in this manner only by using the DriveLock Control Center. The following section, “Recovering Encrypted Drives and Folders” describes this functionality in detail.

7.2.3

Recovering encrypted drives and folders

Recovery may become necessary when a user has lost access to encrypted drives or folders because of forgetting a password or losing access to a certificate’s private key. Administrators or helpdesk personnel can perform an offline recovery operation in conjunction with the user that uses a challenge/response mechanism to restore access.

The challenge/response mechanism validates both the challenge (request code) that DriveLock creates for the user and the corresponding response code that is generated by the person performing the recovery. Only when both codes are valid for the drive or folder to be recovered can access to the data be restored (for example, enabling the user to select a new encryption password).

The user generates the challenge code using a wizard and provides this code to an administrator. The administrator checks that the request code is valid and then generates a response code that is in turn validated by the wizard running on the client computer.

The administrator’s part of the recovery process is identical for encrypted drives and folders. To perform offline recovery, an administrator needs to perform the following steps:

- On the ribbon, click the Start tab.
- Click Helpdesk. The Helpdesk window opens.
- In the Recovery area, click File Protection & Encryption 2-Go. The recovery wizard starts.
- Click Next.
- Type the challenge code that was provided by the user.
- Click Next. The wizard tries to locate the challenge code in the DriveLock database. If recovery data exists in the database, you are prompted to select the appropriate recovery certificate.

- To access the private key of a recovery certificate that is stored in a file, click Certificate file (PFX) and then select the file. If the certificate is stored in your local certificate store or on a smart card, click Smart card / Certificate store. You will be prompted to provide the password or PIN that is used to protect access to the private key. When the password or PIN has been validated, a response code is generated and displayed.
- Provide this response code to the user, who will then enter it into the recovery wizard on the client computer.
- Click Next.
- Click Finish.

7.2.4

Install Agent

With Install Agent, you can initiate a manual Push-Installation (first or repair installation) of the DriveLock Agent on any connected PC. If Automated Push-Installation is configured, designated PCs are also shown in the PC list and can be selected to start the installation with a right-click. The administration and execution of the Push-Installation is described in detail in the chapter “Push-Installation of DriveLock” in the DriveLock Administration manual.

Part VIII Configuring the DriveLock Control Center

8

Configuring the DriveLock Control Center

You can configure the connection the DCC Management Console uses to connect to the DriveLock Enterprise Service, the user interface language for the DCC Management Console and permission for accessing the different components of the DCC. You access these functions from the Options tab.

8.1

Configuring a Server Connection

To configure which server the DriveLock Control Center connects to, on the Options tab, click the DES button.

In the Settings dialog box, type the DNS or NetBIOS name of the DCC server and the port the server uses for connections from the DCC Management Console. The default port for management console connections is 6067.

8.2

Configuring Global DCC Settings

In the global settings for the DriveLock Control Center you configure the user interface language, the paper format for printing reports, settings for transmitting DriveLock Control Center events and Agent communications parameters.

8.2.1

Configuring the User Interface Language

To change the user language for the DriveLock Control Center, click the General button and then click Language. Select from the available user interface languages. Currently English and German are available.

8.2.2

Configuring the Paper Size for Reports

To change the paper size for reports in the DriveLock Control Center, click the General button and then click Paper size. Select the paper format to be used for reports. Currently the Letter and A4 paper sizes are available.

8.2.3

Configuring Event Transfer Settings

In this area you configure where events that are generated by the DriveLock Control Center are sent to. You can select from the following options:

- Send events to the Windows Event Viewer
- Send events to the DriveLock Enterprise Service
- Data anonymization

To save events in the Windows Event Viewer, perform the following procedure:

- On the ribbon, click Settings.
- Click General and then click Event settings.
- Click Log messages to Windows Event Viewer and then select from the following options:
  o Log to Application event log: Events are saved to the standard Windows Application log.
  o Log to DriveLock event log: Events are saved to a separate DriveLock log.
  o Log to custom event log: Events are saved to a separate event log. Type the name to give to the log.
- Click OK.

To transmit events to the DriveLock Enterprise Service, perform the following procedure:

- On the ribbon, click Settings.
- Click General and then click Event settings.
- Click Log events to DriveLock Enterprise Service.
- Optional: In multi-tenant environments with multiple DriveLock Enterprise Service servers you can specify the tenant that the user is associated with. To do this, click Non-standard tenant name and then select the appropriate tenant.
- Click OK.

To transmit events to the DriveLock Enterprise Service after anonymizing user or computer names, perform the following procedure:

- On the ribbon, click Settings.
- Click General and then click Event settings.
- Click Log events anonymously to DriveLock Enterprise Service.
- Select one or both of the following options:
  o Do not store user information in events
  o Do not store computer information in events
- Click OK.

8.2.4

Configuring Agent Communications

You can configure the port that the DriveLock Control Center uses to connect to clients when you perform Agent remote control tasks. You can also change the interval at which the DriveLock Agent contacts the DriveLock Enterprise Service. The DriveLock Control Center uses this information to determine whether an Agent is currently running and to detect Agents that have not contacted the DriveLock Enterprise Service for an extended time.

To configure the communications port, perform the following procedure:

- On the ribbon, click Settings.
- Double-click Agent port and then type the port to use. The default is TCP port 6064 (port 6065 for connections using HTTPS).

To configure the Agent contact interval, perform the following procedure:

- On the ribbon, click Settings.
- Double-click Alive time and then type the communications interval used by DriveLock Agents in seconds. The default is 7200 seconds.
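The liveness check described above can be reproduced outside the DCC when reviewing which endpoints have gone silent. The following is an added example, not DriveLock code: it classifies Agents by the age of their last contact relative to the alive time. The CSV column names, the sample rows and the 12-interval stale threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Default Agent contact interval ("Alive time") stated in this guide.
ALIVE_TIME_SECONDS = 7200

# Constructed sample data. The column names "Computer" and "LastContact" are
# assumptions for this example, not the DCC's actual export format.
SAMPLE_EXPORT = """Computer,LastContact
WS-001,2013-07-15T09:58:00+00:00
WS-002,2013-07-15T06:30:00+00:00
WS-003,2013-07-01T12:00:00+00:00
WS-004,
WS-005,2013-07-15T11:30:00+00:00
"""


def classify_agent(last_contact, now, alive_time=ALIVE_TIME_SECONDS, stale_after=12):
    """Classify one Agent by the age of its last contact.

    running - contacted within one alive interval
    late    - missed at least one interval, but fewer than `stale_after`
    stale   - silent for `stale_after` intervals or more (assumed threshold)
    never   - no contact recorded
    future  - timestamp is ahead of `now` (clock skew or bad data)
    """
    if last_contact is None:
        return "never"
    if last_contact.tzinfo is None:
        # Assumption: timestamps without an offset are UTC.
        last_contact = last_contact.replace(tzinfo=timezone.utc)
    age = now - last_contact
    interval = timedelta(seconds=alive_time)
    if age < timedelta(0):
        return "future"
    if age <= interval:
        return "running"
    if age < stale_after * interval:
        return "late"
    return "stale"


def classify_export(csv_text, now, **thresholds):
    """Return {computer name: status} for every row of the CSV text."""
    statuses = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Computer") or "").strip()
        if not name:
            continue  # skip rows without a computer name
        raw = (row.get("LastContact") or "").strip()
        try:
            last = datetime.fromisoformat(raw) if raw else None
        except ValueError:
            statuses[name] = "unparseable"
            continue
        statuses[name] = classify_agent(last, now, **thresholds)
    return statuses


def needs_attention(statuses):
    """Names of all computers whose Agent is not currently 'running'."""
    return sorted(name for name, status in statuses.items() if status != "running")


if __name__ == "__main__":
    # Fixed reference time so the constructed sample gives repeatable output.
    reference = datetime(2013, 7, 15, 10, 0, tzinfo=timezone.utc)
    for computer, status in classify_export(SAMPLE_EXPORT, reference).items():
        print(f"{computer}: {status}")
```

If the alive time is changed in the DCC settings, pass the same value as `alive_time` so the classification matches the configured interval.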

8.3

Configuring User Permissions

To limit the scope of administration, you can define access permissions for the components of the DriveLock Control Center. For example, you can ensure that helpdesk personnel only have access to helpdesk tasks but not to reports or forensics. You can define separate permissions to the Configuration, Reporting, Helpdesk and Forensics components. To configure which components of the DCC users can access, on the Options ribbon, click the Security button.

To change the permissions, click the Add and Remove buttons to change the users and groups that are assigned permissions. For each user and group, select the appropriate Allow and Deny checkboxes to grant or deny the following permissions for one of the components to each user or group:

- Full: Can view and use the component, including making changes and changing permissions.
- Change: Can make changes to items in the component, for example create reports.
- Read: Can view items in the component, for example view reports.

If your DES database contains data for multiple tenants, such as different customers or autonomous departments, you can configure permissions for users to view data only for some of these tenants. To give a user or group permissions to view data for a tenant, under Tenant, first select the checkbox for the tenant name and then select the checkboxes for appropriate permissions.

The default tenant name in all DriveLock installations is root. All Agents are associated with this tenant when you have not defined any other tenant names.

8.4

Selecting a Tenant

When you have configured multiple tenants in your DriveLock database, you can only view data of the tenant or tenants for which you have been granted permissions. Also, you can only view data for one tenant at a time. Data from multiple tenants is never displayed at the same time. If your DriveLock database contains multiple tenants and you have been assigned permissions for more than one of them, the Tenant button appears on the Options tab. Click this button to view data of another tenant.
