Windows Agent Interface


When the CSA is installed on a Windows operating system, you need to be familiar with a few visual GUI components such as the tray icon, the system tray options menu, and the user GUI. Other topics discussed in this section regarding the agent software are audible notifications, the Windows Programs menu, local directories and tools, user interaction, and stopping the agent service.

Windows Agent Tray Icon

The CSA tray icon is represented by a red flag that resides in the system tray (lower-right corner of the Windows taskbar). This icon remains motionless until an agent rule is triggered, in which case it begins to wave. As a local alerting mechanism, the agent flag waves to get the attention of the local user.

Another local alerting mechanism enabled by default is the balloon message feature. Balloon messages are messages that pop up just above the system tray when an agent policy rule is locally triggered. Although these visual alerts might prove useful for some users, others might find them distracting; therefore, you can hide them from the user. You can also hide them for other reasons, such as an administrative policy that forbids user interaction with local security mechanisms.

NOTE

You cannot disable pop-up messages on an agent using central policy because this notification mechanism is a local configuration option only. Another way to disable pop-up messages on the client is to add the following registry key to the agent machine:

HKEY_CURRENT_USER\Software\Okena\Cisco Security Agent\

key="BalloonPopupsDisabled"=dword:00000001


Windows System Tray Options Menu

The system tray options menu is accessible by right-clicking the system tray flag icon, as shown in Figure 7-1. When it opens, the following shortcut and configuration options display:

  • Open Agent Panel: Selecting this launches the local user agent control panel GUI.

  • Disable Balloon Messages: Selecting this option prevents balloon messages from popping up when a rule is triggered. This option is replaced with the Enable Balloon Messages option once selected.

  • Security: This option has four possible selections available: Off, Low, Medium, and High. Off suspends the agent rules until the user comes back to select any of the other security levels. Low, Medium, and High provide varying levels of security completely controlled and configured as per the CSA MC rule definitions for these levels. These are the same levels you can manually adjust from within the agent GUI System Security screen discussed later in this chapter.

  • About: This option opens a new window with the agent build number. This window proves useful when attempting to locate the exact version of the agent running on a local system.

  • Exit: This option closes the CSA taskbar icon. To re-enable the icon, choose Start > Programs > Cisco Security Agent.

Figure 7-1. Agent System Tray Options Menu


NOTE

Closing the icon on the taskbar does not suspend security, but only makes the icon disappear.


The CSA User GUI

The CSA GUI, also called the Agent Control Panel, might have different options available depending on the policy definition for the local agent. Double-clicking the red flag icon in the system tray opens the control panel for viewing and manipulating the agent.

The Agent Control Panel is divided into the following three sections:

  • The navigation panel, which is on the left side of the window

  • The main portion to the right of the navigation panel, where configurable options and displayed settings are shown

  • The security level, which is listed in the lower-right corner of the window

The following sections describe the navigation panel options so that you can discover what a fully capable local agent GUI screen can provide.

Windows Agent Status

When you open the agent GUI, the top-level status screen displays, as shown in Figure 7-2. This screen provides basic information regarding agent health. The following information displays:

  • Host Name: The fully qualified domain name of the local host.

  • Management Center: The fully qualified domain name of the CSA MC, because it must be reachable via DNS resolution.

  • Registration Date: The date and time the agent initially registered with the CSA MC and began using one of the licenses on the MC.

  • Last Poll Time: The date and time of the last poll. This could have been a scheduled or a manual poll.

  • Last Download Time: The date and time of the last policy and configuration download.

  • Software Update: Whether a software update is pending for this agent.

  • Network Admission Control (NAC) Posture Results: The posture token received as part of the Cisco NAC posture assessment.

  • Poll for New Configuration: Click this button to initiate a manual poll.

Figure 7-2. Status Screen


NOTE

If the agent is a member of multiple groups, the shortest polling interval is used.


The Status screen provides three suboptions:

  • Messages

  • User Query Results

  • Contact Information

The next sections describe these suboptions in greater detail.

Windows Agent Status > Messages

The Messages suboption enables the local user to view the list of denied system actions that have occurred since the last reboot. This information proves useful when troubleshooting the local agent, particularly when the CSA MC is unreachable.

As shown in Figure 7-3, you can also open the local security log file by clicking the View Log button. This log provides more detailed information about what has occurred on the local agent as a result of the implemented policy. The Purge Log button enables you to clear the local log file, but not the entries in the Messages window.

Figure 7-3. Available Agent Installation Kits


Windows Agent Status > User Query Responses

The User Query Responses suboption maintains the list of cached responses from the local agent. A response is cached locally when a query rule that offers the Don't Ask Again check box is triggered and the user checks that box while choosing Yes, No, or Terminate. By checking Don't Ask Again, the user cuts down on the amount of interaction required with the agent, because the agent can auto-respond using the cached information.

Responses can be cached for set time intervals, such as an hour in duration, or permanently remembered. Permanently remembered responses remain cached even through reboots, whereas the timed cached entries do not remain through a reboot.

To clear a permanent response from the User Query Responses window, as shown in Figure 7-4, click the Clear button after choosing the permanent responses you want to clear. You can also clear all temporarily cached responses by just clicking the Clear button without specifically choosing any responses. You can also clear all cached entries for a specific agent in the architecture from the Diagnostics window available from the Host Settings page in the CSA MC if that is required.

Figure 7-4. User Query Responses Screen


NOTE

Cached entries are for the current user only. Systems that are used by more than one person might ask the same query to each person until cached for all users.

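The cache behaviour described above (timed versus permanently remembered responses, per-user entries, what a reboot discards, and what the Clear button removes), modelled as an added Python example. This is illustrative code written for this page, not the agent's own implementation; the query names and users are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class CachedResponse:
    answer: str                   # "Yes", "No" or "Terminate"
    expires_at: Optional[float]   # None means permanently remembered


class QueryResponseCache:
    """Model of the agent's User Query Responses cache as the chapter describes it.

    Entries are keyed per user, so a second user on the same system is still asked.
    A timed entry lasts for its interval and is dropped at reboot; a permanent
    entry survives reboots until it is cleared.
    """

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], CachedResponse] = {}

    def remember(self, user: str, query: str, answer: str, now: float,
                 ttl_seconds: Optional[float] = None) -> None:
        """Record a Don't Ask Again answer; ttl_seconds=None makes it permanent."""
        expires = None if ttl_seconds is None else now + ttl_seconds
        self._entries[(user, query)] = CachedResponse(answer, expires)

    def lookup(self, user: str, query: str, now: float) -> Optional[str]:
        """Return the answer the agent would auto-respond with, or None if the
        user must be prompted (no entry, or a timed entry that has expired)."""
        entry = self._entries.get((user, query))
        if entry is None:
            return None
        if entry.expires_at is not None and now >= entry.expires_at:
            del self._entries[(user, query)]
            return None
        return entry.answer

    def reboot(self) -> None:
        """Timed entries do not survive a reboot; permanent ones do."""
        self._entries = {k: v for k, v in self._entries.items()
                         if v.expires_at is None}

    def clear(self, user: str, selected: Iterable[str] = ()) -> None:
        """Clear button: with nothing selected, drop every temporary entry for
        the user; with a selection, drop the selected (permanent) entries."""
        selected = tuple(selected)
        if not selected:
            self._entries = {k: v for k, v in self._entries.items()
                             if k[0] != user or v.expires_at is None}
        for query in selected:
            self._entries.pop((user, query), None)

    def entries_for(self, user: str) -> Dict[str, str]:
        """What the User Query Responses window would list for this user."""
        return {q: v.answer for (u, q), v in self._entries.items() if u == user}
```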

Windows Agent Status > Contact Information

The Contact Information suboption is a simple form, as shown in Figure 7-5. This form enables the local user to enter information such as name, telephone number, e-mail address, and location. This information is transmitted to the CSA MC to aid in troubleshooting.

Figure 7-5. Agent Contact Information Screen


Windows Agent System Security

The System Security screen shown in Figure 7-6 is an interactive screen that enables the user to control how some local rules are enforced. Users on protected systems can use this particular screen to temporarily weaken the desired endpoint security. This screen need not be provided to all users or might possibly only be provided dependent on user or system state, such as to administrators and users who are out of the office.

Figure 7-6. System Security Screen


At the top of the System Security screen is the Security Level slide bar. Users can set the bar to four possible levels: Off, Low, Medium, and High. These levels correspond to system state levels, as defined in the CSA MC, that affect whether a rule is enforced at that moment in time. Security levels do not necessarily turn off rules, but could change the rule to a query rather than implicit deny.

The security levels of Low, Medium, and High affect the agent according to the administratively defined security policies and states on the CSA MC. These levels do not correspond to generic security assignments but personalized enterprise policy-level definitions. The Off security level always disables the security agent.

NOTE

It might prove beneficial to provide the slider bar to a user who is currently out of the office so that the user can temporarily lower the security level to install needed software. Users in the office should always have local support staff available to install software and therefore should not need to lower the security level themselves.


In the next portion of the screen, you see the Network Lock check box. The network lock, if enabled, prevents all new inbound and outbound network attempts other than those that were already in progress prior to enabling the lock. When enforced, the network lock prevents new network connections regardless of whether another rule permits the network connectivity attempted. You can manually enable the network lock by checking the box, or it can be enabled automatically by setting the timer associated with the Network Lock check box. After a certain number of minutes of network inactivity, the lock is automatically enabled. To disable the network lock, you must uncheck the check box or reboot the system.

The final button on this screen is the Resume button. As discussed in Chapter 4, the agent can detect installation programs and can temporarily lower the security of the system to specifically allow the particular installation to occur without the agent interfering. In some cases, such as the installation abnormally terminating, the agent cannot see the installation completion, and the lowered security setting associated with the install executable is not removed. To manually remove the lowered security policy and let the agent know that the installation has completed, you can click the Resume button to alert the agent.

Windows Agent System Security > Untrusted Applications

The Untrusted Applications screen displayed in Figure 7-7 provides a list of applications that were downloaded to the system that the user chose not to trust as downloaded content. If you choose to later trust this application, you can come to this screen in the Agent Control Panel GUI and delete the application from the untrusted list.

Figure 7-7. Untrusted Applications Screen


Local Firewall Settings

By providing the Local Firewall Settings screen to a user, you enable the user to use the agent as a personal firewall. Without this screen, which is shown in Figure 7-8, all network access control rules are still in place. This screen enables you to locally define which applications have permissions on your system and which permissions are allowed. Firewall permissions are allowed for applications when the user answers a query message as to whether they should be permitted.

Figure 7-8. Local Firewall Settings Screen


NOTE

The local firewall settings do not override centrally defined policies. For applications to have permissions, both the central and local policies must permit them.


After the personal firewall has been enabled, users can place the personal firewall in Learning Mode. In Learning Mode, the CSA watches the interactive system to build the local permissions database. Four types of permissions can be assigned to any application:

  • E-mail network permissions

  • HTTP network permissions

  • Network client permissions

  • Network server permissions

Within each type of permission assigned, the application can be either permitted or denied that permission. The icon representing each action appears next to the application in the list.

After an application has been assigned a local permission, you cannot directly change it, but rather must delete it from the list and answer the next associated query appropriately as it is re-added to the list.

NOTE

Local firewall settings are ignored if the agent is in Test Mode.


The File Protection screen shown in Figure 7-9 enables the local user to protect local files and directories from being accessed over the network. This protection is very similar to what can be provided by centralized policies within the CSA MC. In certain cases, the local user might be aware of local files that are not being protected by centrally defined file access control policies. When you add a file or directory to this list, any network attempt to access this asset results in a query so that you may only provide access when it is necessary to do so.

Figure 7-9. File Protection Screen


To protect directories and files, you must use the correct syntax. If you name the specific path and file, such as c:\directory1\directory2\filename.txt, that file is protected. To protect all files in a directory and all subdirectories, use the ** wildcard (for example, c:\directory1\** to protect all files in directory1 and all subdirectories). To protect just the named directory files but not the subdirectory files, use the * wildcard (for example, c:\directory1\directory2\*).

To protect a specific filename no matter where it resides, just name that file outright (for example, filename.txt).
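The File Protection syntax above, as an added Python example (my code, not the agent's own path matching): a small matcher that applies the four documented entry forms, an exact path, a trailing **, a trailing *, and a bare file name, to candidate paths. It assumes Windows case-insensitive comparison and, going slightly beyond the page, treats a * anywhere inside a single path component the same way (so a bare *.docx entry would match that extension anywhere).

```python
import re
from typing import Iterable, Optional


def _normalize(path: str) -> str:
    """Windows paths are case-insensitive; accept / as a separator as well."""
    return path.replace("/", "\\").lower()


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate one File Protection entry into a regular expression.

    ** matches across directory separators (the directory and all subdirectories),
    * matches within a single path component (the named directory only), and an
    entry with no separator at all matches that file name wherever it resides.
    """
    pattern = _normalize(pattern)
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if "\\" not in pattern:
        # bare file name: anchor to the final path component only
        return re.compile(r"(?:^|\\)" + body + r"$")
    return re.compile("^" + body + "$")


def matching_entry(path: str, entries: Iterable[str]) -> Optional[str]:
    """Return the first File Protection entry that covers path, else None."""
    norm = _normalize(path)
    for entry in entries:
        if pattern_to_regex(entry).search(norm):
            return entry
    return None


def network_access_decision(path: str, entries: Iterable[str]) -> str:
    """Model the documented behaviour: a network attempt on a protected file
    produces a user query; anything else is left to centrally defined rules."""
    return "query" if matching_entry(path, entries) else "central-policy"


# Constructed sample entries, one per documented form.
SAMPLE_ENTRIES = [
    r"c:\directory1\directory2\filename.txt",
    r"c:\directory1\**",
    r"c:\projects\*",
    "secrets.txt",
]

if __name__ == "__main__":
    for candidate in (r"C:\Directory1\sub\deep\file.log",
                      r"c:\projects\sub\plan.doc",
                      r"d:\anywhere\secrets.txt"):
        print(candidate, "->", network_access_decision(candidate, SAMPLE_ENTRIES))
```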

CSA Audible Notifications

CSA can provide a sound notification if certain actions take place. To configure the sounds associated with these events, you must make the necessary changes in the Sounds and Audio Devices Control Panel window, as shown in Figure 7-10. By default, no audible notifications are preset, and these settings are not globally available via the CSA MC. The following is the complete list of events that can be tied to audible notifications:

  • Agent window opens

  • Dynamic configuration update

  • Flag flapping

  • New configuration download

  • Query pop-up appears

  • Query pop-up closes

  • Query timeout warning

Figure 7-10. Audible Notifications Configuration


Windows Programs Menu

Upon installation, CSA places some links into the Programs list on the Start menu. From here, you have the following options:

  • Cisco Security Agent: Select this to restart the taskbar GUI (red flag) if you have previously exited it.

  • Perform Diagnostics: Select this to have the agent gather useful diagnostic information and bundle it into a csa-diagnostics.zip file, which is placed in the Cisco Systems\CSAgent\log directory. The following useful information is bundled in this file:

    • Agent.bundle: This text file includes the agent version, registration ID, CSA MC name and IP, HTTP/HTTPS ports, and so on.

    • Agent.rul: This is the rule file (not plain-text readable).

    • Agent.state: This is like Agent.bundle plus SID, UID, and some other Status screen and contact information.

    • Agent.var: This file contains some local CSA variables and query information.

    • Arp.txt: This file contains the local ARP table entries.

    • CSAgent-Install.txt: This is the installation log file.

    • Csalog.txt: This file includes information about what has happened on the system regarding agent operation.

    • Driver_install.txt: This log file contains information about the installation of the system drivers. It includes only time stamps and information about the related events that occurred during the original agent installation.

    • Env_vars.txt: This includes the local environment variables.

    • Ipconfig.txt: This file contains a text capture of ipconfig executed locally on the agent.

    • Nbtstat.txt: This file contains a text capture of nbtstat executed locally on the agent.

    • Netstat.txt: This file contains a text capture of netstat executed locally on the agent.

    • RTR files: These contain all policy interaction that occurs on the local system, regardless of whether the agent sends an event to the CSA MC, and prove very useful when troubleshooting local policy interaction. To read the RTR file contents, you must use the RTRFORMAT.exe program located in the local bin directory to create ASCII-readable output from the original binary file. These files are most useful for identifying rules that block actions an application or the system needs but that are specifically configured on the CSA MC not to log events. Although the prevented action does not display in the centrally correlated event log on the CSA MC, it does display in the RTR files.

      Note

      To write RTR file content in a readable format to a TXT file, first retrieve the RTR file you want to view to the system on which you will view it. Then, to create the TXT file, enter the following command:

      Rtrformat.exe rtrfilename > textfile.txt

      You can now open the text file in your favorite editor for viewing.


    • Routes.txt: This file contains a text capture of a locally executed route print command, which displays the IP routing table of this system.

    • RuleEngine.state: This diagnostic file is not plain-text readable.

    • Sslca: This is the SSL certificate file.

    • Sysvars.cf: This contains CSA-specific control variables that TAC may have you edit during certain troubleshooting procedures.

  • Reset the Agent: You can set the local agent settings back to factory default, except for firewall and file protection settings. For those, resetting the agent does not clear the entries but disables them (because a default agent would not normally have them enabled).

  • Uninstall the Agent: You can uninstall the agent using this menu option. To uninstall the agent, you must have the ability to stop the agent service, but this ability might not be available to all users, depending on the centrally defined policy.

CSA Local Directories and Tools

The CSA default installation directory is C:\Program Files\Cisco Systems\CSAgent. There are a number of directories here, but most notable are the log and bin directories. The log directory includes many local log files, which can prove very useful in troubleshooting a specific agent. Remember, you can get most of the log information as well as other great information about the current system by running the Agent Diagnostic tool.

The other directory that a technician may use is the bin directory. The bin directory contains the necessary agent EXE and DLL files and some other tools you might need to use from time to time. An example of a tool in this directory is getcom.exe. This particular tool checks for all COM objects on the system and places them in an ASCII text file for you to peruse when creating COM rules in the CSA MC.

CSA User Interaction

If you permit the user to interact with the local security agent GUI, the user should understand how to answer the common queries that pop up when rules are triggered. When a query rule is triggered, the user is presented with some options regarding the question at hand, such as whether downloaded content should be allowed to execute. The user could be given the following options:

  • Terminate: Denies access to the resource and attempts to stop the process

  • Deny: Denies access to the resource

  • Allow: Allows access to the resource

Along with the preceding options, the user may be given the ability to check the Don't Ask Again check box, which locally caches the response for future queries. After selecting the option that is deemed appropriate, the user may be prompted with a query challenge response. A query challenge response is an additional pop-up box that asks the user to type a multiletter response exactly as it is presented in the onscreen image, as shown in Figure 7-11. This option is made available to CSA MC administrators who are concerned that an automated client-side application might attempt to choose an undesirable option in place of the default action that would result if the user were not at the machine at the time of the query.

Figure 7-11. Query Challenge Response


Stopping a CSA Agent

There are three ways to stop CSA from protecting the local system:

  • Disable agent from the system tray: Right-clicking the red flag icon and selecting Suspend Security halts all agent protections until security is re-enabled.

  • Sliding bar security setting to Off: Within the Agent Control Panel GUI, sliding the bar to Off disables agent protective mechanisms until the bar is moved back to any of the other three settings (Low, Medium, High).

  • Stopping the agent service: If a user has the ability to stop the agent service, either via the Windows Control Panel > Administrative Tools > Services menu or via the command line using net stop "Cisco Security Agent" (the service name must be quoted because it contains spaces), the user can stop the agent from protecting the system until the agent service is restarted.

It is important that the appropriate policies be in place such that the agent cannot be stopped inappropriately, which would result in an unprotected system. It is also important to remember that in certain cases stopping the agent might be a valid action, such as when a local technician is troubleshooting a problem on the system. System and user states are a great way to control when and how the agent protective rules are implemented.

    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan