Page 2: About the Hands-On
This hands-on section is structured so that you can work independently, while still giving you the possibility to consult step-by-step instructions. Each task is divided into two sections:
- Actual task: conditions, goals and short instructions, allowing you to work independently
- Detailed instructions (step-by-step walk-through), in case you cannot come up with your own solution

Page 3: Real Infrastructure Environment
- Policy Manager Server and Console on a single computer (F-Secure PMS / PMC)
- One managed host (F-Secure AVCS 6)
- Root Update Server
[Diagram of the real environment: F-Secure AVCS 6, F-Secure PMS / PMC, Root Update Server]

Page 4: Imaginary Infrastructure
During this hands-on we will create an imaginary infrastructure:
- 2 offices (Helsinki and Munich)
- 3 imaginary workstations (Helsinki: wks02 / Munich: wks03 and wks04)
- 1 real workstation in Helsinki (wks01)
- 1 file server in each office (Helsinki: filesrv01 / Munich: filesrv02)
- 1 DNS server in each office (Helsinki: dnssrv01 / Munich: dnssrv02)
[Diagram: Headquarters Helsinki and Subsidiary Munich, showing wks02, wks03, wks04, wksXX, AVCS 6, filesrv01, dnssrv01, filesrv02, dnssrv02 and PMS/PMC]

Page 5: Tasks Overview
- Task 1: Creating a domain structure
- Task 2: Updating point applications
- Task 3: Creating autoregistration import rules
- Task 4: Managing policies on multiple levels
- Task 5: Configuring Apache Server
- Task 6: Working with reports
- Task 7: Troubleshooting scenario
Page 6: Task 1: Creating The Domain Structure (Servers)
Place a DNS server and a file server in both sites. In which site sub-domain do you place them?
Helsinki:
- FILESRV01 (IP: , Windows 2003 Server)
- DNSSRV01 (IP: , Windows 2000 Server)
Munich:
- FILESRV02 (IP: , Windows 2003 Server)
- DNSSRV02 (IP: , Windows 2000 Server)
=> Task continues on next page

Page 7: Task 1: Creating The Domain Structure (Workstations)
Now create the 3 imaginary hosts and place them into the Development sub-domain of each site.
Helsinki:
- WKS02 (WINS name: wks02, Windows NT 4.0)
Munich:
- WKS03 (WINS name: wks03, Windows XP Pro)
- WKS04 (WINS name: wks04, Windows XP Pro)
=> After you have completed this task, continue on page 13

Page 8: Creating the Domain Structure: Step-By-Step Walk Through
Create two domains, “Finland” and “Germany”:
- Select the root domain, F-Secure
- Choose Edit/New Policy Domain… from the menu (or right-click the root)

Page 9: Further Structure: The Sub-Domains
- Level 2: Create the “Helsinki” domain
- Level 3: Create domains “Servers/HEL” and “Workstations/HEL”
- Level 4: Servers/HEL: create domains “FileServers/HEL” and “DirectoryServers/HEL”; Workstations/HEL: create domains “Accounting/HEL”, “CustomerSupport/HEL” and “Development/HEL”
Apply the same structure to the German domain.

Page 10: Creating The File Servers
Add file servers in both sites in the “FileServers/XX” domain:
- Helsinki: FILESRV01 (IP address )
- Munich: FILESRV02 (IP address )

Page 11: Creating The DNS Servers
Add DNS servers in both sites in the “DirectoryServers/XX” domain. Identity type: Primary IP address.
- Helsinki: DNSSRV01 (IP address , Alias: dnssrv01)
- Munich: DNSSRV02 (IP address , Alias: dnssrv02)

Page 12: Creating The Workstations
Now create the 3 new hosts and place them into the Development sub-domain of each site.
Helsinki:
- WKS02 (WINS name: wks02, Windows NT 4.0)
Munich:
- WKS03 (WINS name: wks03, Windows XP Pro)
- WKS04 (WINS name: wks04, Windows XP Pro)
Page 13: Task 2: Point Application Update
During the installation hands-on, you were instructed to install AVCS 6 without HTTP scanning. Now it’s time to update Web Traffic Scanning to your host. What installation method should be used?
- Intelligent installation (a.k.a. push installation)
- Policy based installation
=> Change to next page, once you have decided on the installation method

Page 14: Task 2: Point Application Update
Since FSMA is already installed on your host, it is best to use a policy based installation to upgrade your host. Configure the policy based installation package as follows:
- Application Selection: include Web Traffic Scanning
- Autoregistration Properties: add a custom property
  - Property Name: Development/HEL
  - Property Value: 1
=> After completing this task, continue on page 28

Page 15: Policy Based Installation Walk Through
- Start by choosing the version to install
- Choose “Reinstall 6.x”

Page 16: Policy Based Installation Walk Through
- The F-Secure installation wizard opens
- Click “Next”

Page 17: Policy Based Installation Walk Through
- Accept the prefilled keycode
- Click “Next”

Page 18: Policy Based Installation Walk Through
- Mark Web Traffic Scanning
- Click “Next”

Page 19: Policy Based Installation Walk Through
- Accept the default language “English”
- Click “Next”

Page 20: Policy Based Installation Walk Through
- Check the prefilled PMS server URL and correct it if necessary
- Click “Next”

Page 21: Policy Based Installation Walk Through
Add the following custom property:
- Property Name: Development/HEL
- Property Value: 1

Page 22: Policy Based Installation Walk Through
- Choose “Uninstall conflicting products” (default)
- Click “Next”

Page 23: Policy Based Installation Walk Through
- Accept the prefilled restart options from the last distribution
- Click “Finish”

Page 24: Policy Based Installation Walk Through
- Wait while the installation package is created
- This step might take some minutes (depending on your system)
- Do not press “Cancel”
- After completion, distribute the policies!

Page 25: Policy Based Installation Walk Through
- F-Secure Setup will start and reinstall AVCS 6.x on your computer
- Wait until the Reboot message appears on your screen
- Reboot the computer and change back to the PMC

Page 26: Installation Checkup
- Once the computer has rebooted, the policy based installation progress should show a successful installation
- The most common failure reasons are wrong key codes or insufficient disk space on the host (see setup error on screenshot)

Page 27: Installation Checkup
- Open the AVCS advanced user interface and check whether Web Traffic Scanning is installed
- The default setting is “disabled”
Page 28: Task 3: Create An Autoregistration Import Rule
- Start by forcing a new host autoregistration by deleting wks01 from the policy domain
- After deleting, distribute the policies!
- Your task is now to create an autoregistration import rule which places wks01 in the “Development/HEL” sub-domain
- Create a rule using the custom property as the import criterion
- Test the rule… did it work?
=> After completing this task, continue on page 33

Page 29: Autoregistration Import Rule Creation Walk Through
- Start the autoregistration wizard
- Click “Import autoregistered hosts”

Page 30: Autoregistration Import Rule Creation Walk Through
- Check whether the deleted host has already sent the autoregistration request
- If yes, the autoregistration request will include the custom property
- Do not import the host now, since we first have to create the import rule!

Page 31: Autoregistration Import Rule Creation Walk Through
- Change the active tab to “Import Rules”
- Press “Add” to create a new rule
- Select the target domain level (Development/HEL)
- Press “OK”

Page 32: Autoregistration Import Rule Creation Walk Through
- Add a custom property
- Uncheck all other property fields for better understanding
- Enter the custom property name (Development/HEL)
- Confirm with “OK”

Page 33: Autoregistration Import Rule Creation Walk Through
- Your autoregistration import rule is ready
- Press “Import” to apply the rule
- Your host should be placed in the “Development/HEL” sub-domain
- Rename the host to wks01 to match the course binder examples (Domain/Host properties, WINS Name)
Page 34: Task 4: Managing Policies On Multiple Levels
Change to Anti-Virus Mode (View menu). Define the following policy settings on different levels:
- Accounting/HEL: Real-time Scanning/File Scanning/Action on infection: “Disinfect Automatically”
- Host level (wks01): activate “Scan network drives”
=> Task continues on the next page

Page 35: Task 4: Managing Policies On Multiple Levels
- Now, move host wks01 to the sub-domain “Accounting/HEL”
- Check the real-time file scanning settings. Did the setting inheritance from the parent domain (Accounting/HEL) work?
- If not, what do you think is the reason?
=> Change to next page, once you have the answers

Page 36: Task 4: Managing Policies On Multiple Levels
Settings defined on the host level will never be overwritten by parent domain settings. Try to change the policies as follows (as easily as possible):
- Disable “Scan network drives” for the whole F-Secure domain
- Enable “Scan network drives” only for the sub-domain “Development/HEL”
- Move the host wks01 back to sub-domain “Development/HEL”
- Check the real-time file scanning settings. Did the inheritance work now, and why?
- Call the instructor and present your solution
=> After you have completed this task, continue on page 40

Page 37: Managing Policies On Multiple Levels Walk Through
After you copied the host wks01 to the domain “Accounting/HEL”, the settings are as follows:
- “Action on infection” is inherited from the parent domain. Reason: the setting has not been defined on the host level, therefore the inheritance works
- “Scan network drives” is not inherited! Reason: the setting has been defined on the host level, therefore there is no inheritance

Page 38: Managing Policies On Multiple Levels Walk Through
Instructions on how to disable network drive scanning for the whole policy domain:
- Mark the root domain (F-Secure)
- Right-click “Scan network drives”
- Choose “Force value” (confirm with “Yes”)
- Check the file scanning settings on the host wks01
- All settings should be gray, since they are inherited from the root domain

Page 39: Managing Policies On Multiple Levels Walk Through
Finally, activate network drive scanning for the domain “Development/HEL”:
- Mark “Development/HEL”
- Enable “Scan network drives” and force the value
- Distribute the policies!
- Copy the host wks01 back to sub-domain “Development/HEL”
- Now the inheritance will work, since we have no settings defined on the host level
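The inheritance rules that pages 37 to 39 walk through, as an added model that is not part of the course material or F-Secure's code. It assumes three rules: a domain may always define its own value, a host-level value beats a parent value that is merely set, and a value forced by an ancestor domain overrides the host-level value; the intermediate domains (Finland, Helsinki, Workstations/HEL) are left out because they define nothing here.

```python
# Simplified model of the policy inheritance the Task 4 walk-through describes
# (added illustration, not F-Secure code). Assumed rules: a domain may always
# define its own value; a host-level value beats a merely set parent value;
# a value forced by an ancestor domain overrides the host-level value (gray).
from dataclasses import dataclass, field


@dataclass
class Level:
    name: str
    is_host: bool = False
    settings: dict = field(default_factory=dict)  # setting -> (value, forced)

    def set(self, setting, value, force=False):
        self.settings[setting] = (value, force)


def resolve(path, setting):
    """Walk path from the root domain down to the host; return
    (effective value, name of the level it came from)."""
    value, source, forced = None, None, False
    for level in path:
        if setting not in level.settings:
            continue
        if level.is_host and forced:
            continue  # an ancestor forced the value: host setting is ignored
        value, source = level.settings[setting][0], level.name
        forced = forced or (not level.is_host and level.settings[setting][1])
    return value, source


def task4_scenario():
    # Intermediate domains (Finland, Helsinki, Workstations/HEL) define nothing
    # for these settings and are left out of the paths for brevity.
    root, wks01 = Level("F-Secure"), Level("wks01", is_host=True)
    accounting, development = Level("Accounting/HEL"), Level("Development/HEL")
    accounting.set("action_on_infection", "Disinfect Automatically")
    wks01.set("scan_network_drives", True)
    results = {}
    # Page 37: wks01 sits under Accounting/HEL
    results["step1"] = (resolve([root, accounting, wks01], "action_on_infection"),
                        resolve([root, accounting, wks01], "scan_network_drives"))
    # Page 38: root domain disables network drive scanning with "Force value"
    root.set("scan_network_drives", False, force=True)
    results["step2"] = resolve([root, accounting, wks01], "scan_network_drives")
    wks01.settings.pop("scan_network_drives")  # host-level value is gone (gray)
    # Page 39: Development/HEL enables and forces it; wks01 is moved back there
    development.set("scan_network_drives", True, force=True)
    results["step3"] = resolve([root, development, wks01], "scan_network_drives")
    return results
```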
Page 40: Task 5: Configuring Apache Server
- By default, Policy Manager Server administration connections are limited to the local computer
- Web reporting module access is by default not limited!
You will now change the Apache configuration:
- Remove the admin module access limitation (allow connections from everywhere)
- Restrict the web reporting module to allow connections only from the local computer and from your managed host
=> If you have completed the configuration, continue on page 44

Page 41: Apache Server Configuration Walk Through
- Browse to the Apache configuration file (httpd.conf)
- Open the file with WordPad (open with)

Page 42: Apache Server Configuration Walk Through
Configure the httpd.conf as follows:
- Apache Admin Module: replace “Listen :8080” with “Listen 8080”
- Web Reporting Module: no access limitation is defined (by default); create an access list, like shown on the screenshot (replace with your real host IP)
- Save the settings and close the file
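The two httpd.conf changes from page 42, written out as an added example (not the course's own file or screenshot). It assumes Apache 1.3/2.0 era access-control directives; the web reporting location path and the 192.0.2.10 address are placeholders, and the admin module's original local-only Listen line is not reproduced.

```apache
# Apache admin module (page 42): the default binds port 8080 to the local
# address only. Listening on the bare port accepts connections from everywhere.
Listen 8080

# Web reporting module: by default there is no access limitation at all,
# which is equivalent to the following (weak) setting:
#   <Location "/PLACEHOLDER-web-reporting-path">
#       Order allow,deny
#       Allow from all
#   </Location>
#
# Corrected: deny everything, then allow only the local computer and the
# managed host. Replace 192.0.2.10 with your managed host's real IP address.
<Location "/PLACEHOLDER-web-reporting-path">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.0.2.10
</Location>
```

The Policy Manager Server service must be restarted before either change takes effect, as pages 43 and 44 note.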
Page 43: Apache Server Configuration Walk Through
- Close your Policy Manager Console and restart the Policy Manager Server service

Page 44: Apache Server Configuration Checkup
- After you have finished the Apache configuration, close the Policy Manager Console and inform the instructor to test your solution
- Don’t forget to restart the Policy Manager Server service!
- After the instructor has tested your system and gives you the OK, re-open your console
- Is there anything unusual happening?

Page 45: Apache Server: Signs For Data Integrity Problems
- Yes, the instructor has opened your console with a different key-pair, therefore you get a key change notification at console startup
- You can reassign the original keys

Page 46: Apache Server: Signs For Data Integrity Problems
- Take a look at the alerts. Are there any unusual entries?
- Also check your managed host. Anything strange there?

Page 47: Apache Server: Signs For Data Integrity Problems
- The instructor has re-signed your policy domain with a different key and distributed the policies
- The changes have not passed the signature verification on the hosts; the policy has been rejected!
- Redistribute the policies with your keys, and everything should be back to normal
Page 48: Working with Reports
Policy Manager provides you both with automatic status reports (e.g. virus alerts) and built-in reporting tools.
Policy Manager Reporting Tools:
- Web Reporting: graphical reporting system (available through a web browser)
- Embedded reporting: textual reporting (available only from the console)

Page 49: Task 6: Using Web Reporting
Open Web Reporting on your managed host. Try to answer the following questions:
1. What is the latest alert reported by your host? Can you explain the reason for this alert?
2. What is the UID (Unique Identifier) of your host?
3. When did the host last connect to the server?
4. What version of Automatic Update Agent (AUA) is installed on your host?
5. What’s the percentage of hosts with real-time protection?
=> After you have completed this task, continue on page 55

Page 50: Using Web Reporting Walk Through
Question 1: What is the latest alert reported by your host?
Answer: Failed signature check on host wks01. Reason: the policy domain has been re-signed with different keys.

Page 51: Using Web Reporting Walk Through
Question 2: What is the UID of your host?
Answer: Host Properties/Detailed Host Properties/UID

Page 52: Using Web Reporting Walk Through
Question 3: When did the host last connect to the server?
Answer: Host Properties/Update Details/Latest Connection to Server

Page 53: Using Web Reporting Walk Through
Question 4: What version of AUA is installed on your host?
Answer: Installed Software/Automatic Update Agent/Version

Page 54: Using Web Reporting Walk Through
Question 5: What’s the percentage of hosts with real-time protection?
Answer: Only 13 % of your policy domain have enabled real-time scanning
Page 55: Task 7: Troubleshooting Scenario
One of the most common troubleshooting cases is that managed hosts cannot reach the Policy Manager Server. You will now create a scenario where your host receives a wrong server address. As soon as the new policy is fetched by the host, its connection to the server will be lost.
- Choose “Development/HEL” and assign a wrong server URL
- Distribute the policies
=> Task continues on next page

Page 56: Task 7: Troubleshooting Scenario
- Make sure the client fetched the new policy
- Check the local GUI (advanced interface)
- The new (wrong) server address should be visible and locked
=> Task continues on next page

Page 57: Task 7: Troubleshooting Scenario
Let’s try to change the server address directly in the policy.bpf:
- Stop the F-Secure Management Agent (net stop fsma)
- Open c:\program files\f-secure\common\policy.bpf with WordPad
- Search for the address and change it back to the correct address
- Save the changes and restart FSMA
- Did the changes succeed? If not, what’s the reason?
=> Task continues on next page

Page 58: Task 7: Troubleshooting Scenario
- Your change did not pass the signature verification
- The DAAS system has successfully blocked the unauthorized change of the base policy file
- What next? Did you reach a dead end?
- Try to come up with a solution without reinstalling the host with a push installation
=> After completing this task, continue on page 61
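Why both the re-signed domain on page 47 and the hand-edited policy.bpf on page 58 are rejected, as an added illustration that is not F-Secure's code: the host checks every policy against the key it trusts, so a policy signed with another key, or modified after signing, fails verification, while a policy corrected in the console and exported again (page 59) verifies. An HMAC under a secret key stands in for the product's key-pair signature, and all keys and policy contents are constructed placeholders.

```python
# Added illustration of the signature check that hosts apply to policies
# (not F-Secure code). An HMAC under a secret admin key stands in for the
# product's key-pair signature; the behaviour shown is the same: a policy
# signed with another key, or edited after signing, fails verification.
import hashlib
import hmac

ADMIN_KEY = b"course-admin-key-placeholder"  # constructed stand-in for your key pair
OTHER_KEY = b"instructor-key-placeholder"    # constructed stand-in for the instructor's


def sign_policy(policy: bytes, key: bytes) -> bytes:
    """Server side: append a signature trailer to the policy bytes."""
    tag = hmac.new(key, policy, hashlib.sha256).hexdigest().encode()
    return policy + b"\n#SIG:" + tag + b"\n"


def verify_policy(signed: bytes, trusted_key: bytes):
    """Host side: accept the policy only if the trailer verifies under the
    key the host trusts. Returns (accepted, policy body or reason)."""
    body, sep, tail = signed.rpartition(b"\n#SIG:")
    if not sep:
        return False, "no signature"
    expected = hmac.new(trusted_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tail.strip(), expected):
        return False, "failed signature check"
    return True, body


def scenarios():
    # Constructed base-policy fragment; only the server URL line matters here.
    policy = b"ServerURL=http://pms-correct.example.invalid\nScanNetworkDrives=1"
    # Page 55/56: the wrong server address is distributed, signed with the right key
    wrong = policy.replace(b"pms-correct", b"pms-wrong")
    distributed = sign_policy(wrong, ADMIN_KEY)
    # Page 47: the domain was re-signed with a different key pair
    resigned = sign_policy(wrong, OTHER_KEY)
    # Page 57/58: policy.bpf is edited by hand after it was signed
    edited = distributed.replace(b"pms-wrong", b"pms-correct")
    # Page 59/60: the address is corrected in the console and exported again,
    # i.e. signed anew with the trusted key, then imported manually on the host
    corrected = sign_policy(policy, ADMIN_KEY)
    return {
        "distributed": verify_policy(distributed, ADMIN_KEY)[0],
        "resigned": verify_policy(resigned, ADMIN_KEY),
        "edited": verify_policy(edited, ADMIN_KEY),
        "corrected": verify_policy(corrected, ADMIN_KEY),
    }
```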
Page 59: Troubleshooting Scenario Solution Walk Through
- Change back to the Policy Manager Console
- Mark “Development/HEL” and correct the server address
- Distribute the policies
- Mark host wks01 and export the policy manually
- Save the policy to the c:\ root

Page 60: Troubleshooting Scenario Solution Walk Through
- Change to the managed host
- Create a network share to the PMS (map \\ \c$)
- Open the local user interface
- Choose Central Management
- Press “Import policy manually”

Page 61: Troubleshooting Scenario Solution: Connection Testing
- After you have imported the new policy manually, try to connect to the server; the connection should be successful

Page 62: Hands-On Completed
That was it! You have now completed the whole hands-on section. Next on the agenda: the Certification Exam