Cisco Secure Desktop Configuration
Guide
for Cisco ASA 5500 Series Administrators
Software Release 3.1.1
October 2006
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-8607-02

Summary of Contents


  • Page 2

    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...

  • Page 3

    Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Product Alerts and Field Notices Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity...

  • Page 4: Table Of Contents

    Configuring Keystroke Logger for a Location 5-19 Configuring Cache Cleaner for a Location 5-22 Configuring Secure Desktop General for a Location 5-23 Configuring Secure Desktop Settings for a Location 5-25 Configuring Secure Desktop Browser for a Location 5-27 Cisco Secure Desktop Configuration Guide OL-8607-02...

  • Page 5

    Networking and Firewall Questions Does the Secure Desktop or Cache Cleaner detect a second network card for location determination? I am using a personal firewall. What application must I “Allow” to access the network?

  • Page 6

    Contents Index

  • Page 7

    Written for network managers and administrators, this guide describes how to install, configure, and enable Cisco Secure Desktop (CSD) on a Cisco ASA 5500 Series security appliance to provide a safe computing environment through which clients can connect from a variety of locations.

  • Page 8

    • Cisco ASA 5500 Series Hardware Installation Guide • Migrating to ASA for VPN 3000 Concentrator Series Administrators • Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for the ASA 5510, ASA 5520, and ASA 5540 • Cisco Security Appliance Command Line Configuration Guide •...

  • Page 9

    The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL: http://www.cisco.com/univercd/home/home.htm...

  • Page 10

    We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

  • Page 11

    Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive Cisco Product Alerts and Cisco Field Notices by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.

  • Page 12

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

  • Page 13

    Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive.

  • Page 14

    About This Guide: Obtaining Additional Publications and Information. • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html

  • Page 15

    Note You do not need to boot the security appliance after you install the CSD software. Install or upgrade the Cisco Secure Desktop (CSD) software as follows: Step 1 Use your Internet browser to access the following URL and download the securedesktop_asa_<n>_<n>*.pkg file to any location on your PC:...

  • Page 16

    Installing or Upgrading the CSD Software. Figure 1-1 CSD Manager Not Installed. Step 4 Click the “Cisco Secure Desktop” link. ASDM opens the Configuration > VPN > WebVPN > CSD Setup pane (Figure 1-2).

  • Page 17

    ASDM opens the Upload Image dialog box. Step 6 Click Browse Local to prepare to select the file on your local PC. The Selected File Path dialog box displays the contents of the latest, local folder you accessed (Figure 1-3).

  • Page 18

    ASDM closes the Select File Path dialog box and displays the file in the Local File Path field. Step 8 Click Browse Flash to specify the target directory for the file. The Browse Flash dialog box displays the contents of the flash card (Figure 1-4). Step 9 ...

  • Page 19

    Step 13 ASDM closes the dialog box, transfers a copy of the file to the flash card, and removes the text from the fields in the Upload Image dialog box. Step 14 Click Close.

  • Page 20

    Step 16 Click Yes unless you want to keep the previous version. ASDM closes the dialog box, revealing the installed image in the Secure Desktop Image field. Refer to “Enabling and Disabling CSD” to continue.

  • Page 21

    F1-asa1(config-webvpn)# show disk all
    -#- --length-- -----date/time------ path
    6 8543616 Nov 02 2005 08:25:36 PDM
    9 6414336 Nov 02 2005 08:49:50 cdisk.bin
    10 4634 Sep 17 2004 15:32:48 first-backup
    11 4096 Sep 21 2004 10:55:02 fsck-2451

  • Page 22

    CSD • For example:
    F1-asa1(config-webvpn)# csd enable
    F1-asa1(config-webvpn)#
    Step 6 Enter write memory to save the running configuration. For example:
    F1-asa1(config-webvpn)# write memory
    Building configuration...
    Cryptochecksum: 71fa1950 45b7f82f 12b4e7c1 934111bb

  • Page 23

    The CSD Setup pane opens (Figure 2-1). Figure 2-1 CSD Setup (Enable/Disable). The Secure Desktop Image field displays the image (and version) that is currently installed. Note The Enable Secure Desktop check box indicates whether CSD is enabled.

  • Page 24

    Chapter 2 Enabling and Disabling CSD: Using ASDM to Enable or Disable CSD. Step 2 Check or uncheck Enable Secure Desktop and click Apply. ASDM enables or disables CSD.

  • Page 25

    Chapter 3 Introduction. The following sections describe the capabilities of Cisco Secure Desktop (CSD), introduce the Cisco Secure Desktop Manager (CSDM) interface, and describe how to save configuration changes: • CSD Capabilities • Navigation • ...

  • Page 26

    DHCP-assigned IP addresses within a corporate address range connect from the Work location. After you create a location, you can configure the VPN Feature Policy, Keystroke Logger, Cache Cleaner, and Secure Desktop features for that location.

  • Page 27

    (Locations apply to Microsoft Windows users only.) As an administrator, you specify the criteria to match the client to the location. Eligible matching criteria include certificate name and authority, IP address range, and local file or registry requirements. Each location also contains a set of

  • Page 28

    Secure Desktop and Cache Cleaner launch only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications the scan identifies. Cisco Secure Desktop may be unable to detect every potentially malicious keystroke logger, including but not limited to hardware keystroke logging devices.

  • Page 29

    • To save the running CSD configuration to the data.xml file, click Apply All. • To overwrite all settings in the running CSD configuration with those stored in the data.xml file, click Reset All.

  • Page 30

    Chapter 3 Introduction: Saving and Resetting the Running CSD Configuration

  • Page 31

    In addition, because it is physically impossible to ensure 100 percent removal of all data sent to a remote system, organizations may use Cisco Secure Desktop to minimize access to trusted assets.

  • Page 32: Work, Home

    “Insecure” location. To change the order of the evaluation, choose a location name and click Move Up or Move Down. Click Apply All to save the running CSD configuration to the flash device.

  • Page 33

    Step 1 Click the name Home in the menu on the left. Step 2 Check Enable identification using certificate criteria. Step 3 Complete the Issued to and Issued By fields of the certificate. Step 4 Check Secure Desktop next to “Use Module.”

  • Page 34: Insecure

    See the option descriptions in “Configuring Cache Cleaner for a Location” for more information about the settings on this pane. Step 4 Click Secure Desktop General under “Home.” The Secure Desktop General pane appears (Figure 4-1).

  • Page 35: Home, Work

    The Cache Cleaner pane appears. Step 2 Check Launch cleanup upon inactivity timeout. When checked, this option forces a timeout if the user leaves the computer without logging out. Step 3 Set Timeout after to 5 minutes.

  • Page 36

    Step 6 Check Anti-spyware and choose the antispyware software. Step 7 Check Firewall and choose the firewall software. Step 8 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2. Step 9 Click OK.

  • Page 37

    Step 10 Click OK. Step 11 See the option descriptions in “Configuring a VPN Feature Policy for a Location” for more information. Click Apply All to save the running CSD configuration to the flash device.

  • Page 38

    See the option descriptions in “Setting Up CSD for Macintosh and Linux Clients” for more information about the settings in this window. Click Apply All to save the running CSD configuration to the flash device.

  • Page 39: Creating Windows Locations

    Examine the Windows Location attribute descriptions to plan a configuration that meets the security requirements of your network. Click Windows Location Settings in the menu on the left to define the location-based settings (also called adaptive policies) for CSD. Figure 5-1 shows the default settings.

  • Page 40

    PC does not match any of the configured locations criteria. In the interest of security, we recommend that you do not check this option. By default, this attribute is unchecked.

  • Page 41: Defining Location Criteria

    By default, this attribute is unchecked. Defining Location Criteria: To configure the settings for a location, click the location name in the menu on the left. The Identification for <Location> pane appears (Figure 5-2). Figure 5-2 Identification for <Location>

  • Page 42: Location Module

    • Cache Cleaner—Check if you want to require the Cache Cleaner to be present on the remote client as a criterion for assigning this location entry. • Both Secure Desktop and Cache Cleaner—Leave unchecked to let CSD apply the configured feature policy.

  • Page 43: Certificate Criteria, Using A Certificate File To Specify Certificate Criteria

    “O” for organization unit name, and “E” for e-mail address. Type the value of one of these subordinate fields in the Issued To field on the Identification for <Location> pane to match it against the Issuer field of the certificate.

  • Page 44: Using A Signed File To Specify Certificate Criteria

    • Value in the Subject field that matches the value you specified in the “Issued By” field • Value in the Issuer field that matches the value you specified in the “Issued To” field

  • Page 45

    Add to enter one or more IP address ranges. CSD checks the IP addresses of remote client PCs trying to connect. If a client has an address within the specified range, CSD assigns the properties of the location to the remote client.

  • Page 46: Registry And File Criteria

    As you do so, it becomes a double, horizontal arrow. Drag the arrow to the left or right to expose the contents of the column. Refer to the section that identifies the type of criteria you would like to configure: • Registry Criteria • File Criteria

  • Page 47: Registry Criteria

    Step 2 Click one radio button from the following list and assign the associated values: • Exists—Click if the mere presence of the named registry key on the remote client PC is sufficient to match the location you are configuring.

  • Page 48

    String value menu—Choose one of the following options to specify the relationship of the String value of the registry key to the value to be entered to the right: – contains – differs – matches

  • Page 49: File Criteria

    Step 1 • Entry Path—Enter the directory path of the file required to be present on or absent from the client system. Note Refer to the subsequent attribute descriptions for examples of file paths.

  • Page 50

    Checksum equals to field. The Compute CRC32 Checksum dialog box opens (Figure 5-6). Figure 5-6 Compute CRC32 Checksum. Retrieve the checksum as follows: Click Browse and choose the file on which to calculate the checksum.

  • Page 51: Configuring A Group-based Policy For A Location

    Configure a group-based VPN feature-based policy as follows: Step 1 Click VPN Feature Policy under the name of the location you are configuring in the menu on the left. The Group-Based Policy tab opens (Figure 5-7).

  • Page 52

    With this option set, CSDM dims the attributes in the Criteria area. If you click this radio button, you cannot change other settings on this tab.

  • Page 53

    The security categories are as follows:

  • Page 54: Location

    • File access—Permits the use of the Secure Desktop to access files on a remote server. • Port forwarding—Permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.

  • Page 55

    If set, CSDM dims the attributes in the Criteria area. If you click this radio button, you cannot change other settings on this tab; your configuration of a VPN policy for this feature ends at this step.

  • Page 56

    CSDM includes two such fields, one above the Anti-Virus window and the other above the Anti-Spyware window. Step 7 For each enabled security category you check, click one of the options or control-click multiple options.

  • Page 57: Configuring Keystroke Logger For A Location

    By default, System Detection does not scan for keystroke loggers. Configure scanning for keystroke loggers as follows: Step 1 Click Keystroke Logger under the name of the location you are configuring in the menu on the left. The Keystroke Logger window opens (Figure 5-9).

  • Page 58

    Otherwise, the user must terminate the session. Note Unchecking this attribute deactivates but does not delete the contents of the “List of Safe Modules” window.

  • Page 59

    CSDM closes the dialog box and lists the entry in the List of Safe Modules window. Note To remove a program from the list, click the entry in the “Path of safe modules” list, then click Delete. Step 6 Click Apply All to save the configuration changes.

  • Page 60: Configuring Cache Cleaner For A Location

    • Clean the whole cache in addition to the current session cache (IE only)—Check to remove data from the Internet Explorer cache upon activation, including files generated before the client’s CSD session began.

  • Page 61: Configuring Secure Desktop General For A Location

    OK to let CSD continue processing. (The Cisco Secure Tunneling Client is not one of those applications; it is accessible on both the local desktop and the CSD.) Unchecking this attribute minimizes the potential security risk posed by a user who...

  • Page 62

    CSD from enforcing prevention of desktop switching, even if you disable this feature. You can configure both the Secure Desktop component of CSD and Cisco SSL VPN Client (SVC) to run simultaneously on client PCs. If you check this attribute, the SVC connection becomes available to both.

  • Page 63: Configuring Secure Desktop Settings For A Location

    • Do not encrypt files on removable drives—Check to prevent the user from saving encrypted files onto portable drives while on the Secure Desktop. The Secure Desktop Manager dims this attribute if you check the previous attribute.

  • Page 64

    Deleting transparent or nontransparent files from outside of Outlook, such as from a Windows Explorer window, during a Secure Desktop session removes the file only from the Secure Desktop. Click Apply All to save the running CSD configuration.

  • Page 65: Configuring Secure Desktop Browser For A Location

    • To modify a URL, choose it, click Edit, type the new URL in the dialog box, then click Edit. • To remove a folder or a URL, choose it and click Delete. Note Click Apply All to save the running CSD configuration.

  • Page 66

    Chapter 5 Setting Up CSD for Microsoft Windows Clients: Configuring the Secure Desktop for Clients that Match Location Criteria

  • Page 67

    CSD environment. • File Access—Check to let the remote user use the Secure Desktop to access files on a remote server. Click Apply All to save the running configuration to the flash device.

  • Page 68

    Chapter 6 Setting Up CSD for Microsoft Windows CE Clients

  • Page 69

    The Mac and Linux Cache Cleaner pane appears (Figure 7-1). Figure 7-1 Cache Cleaner — Mac and Linux Cache Cleaner. Note This pane lets you configure both the Cache Cleaner and VPN feature policy for all Mac and Linux clients.

  • Page 70

    • Port Forwarding—Check to permit the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server. Click Apply All to save the running configuration to the flash device.

  • Page 71

    When you modify the settings in the Secure Desktop Manager, you must deploy those settings by clicking the Apply All button in CSDM. The settings take effect the next time that a user starts either the Cache Cleaner application or the Secure Desktop application.

  • Page 72

    Vault or erases it from the disk. Also, CSD uninstalls the Secure Desktop software if you configure it to do so. Do Macintosh and Linux have a timeout setting? Yes, you can set a time-out for the Macintosh & Linux Cache Cleaner.

  • Page 73

    Once you have downloaded and installed the Secure Desktop, it appears as an entry in the Start menu. Users who want to reuse the Vault can click Start > Programs > Cisco Secure Desktop and enter the password with which they protected the Vault.

  • Page 74

    – Anonymizer AntiSpyware Which personal firewall applications does System Detection support? The personal firewall applications that System Detection checks for include: – Cisco Security Agent (4.0 to 4.5) – Internet Connection Firewall (ICF) (Windows XP to XP SP2) –...

  • Page 75

    To launch Java using the Microsoft Virtual Machine: • Scripting > Active scripting > Enable • Scripting > Scripting of Java applets > Enable • ActiveX controls and plug-ins > Download signed ActiveX controls > Enable •...

  • Page 76

    No, they detect only the IP address of the first network card. I am using a personal firewall. What application must I “Allow” to access the network? You must allow the program main.exe to access the network.

