DLP 15-5 PI LabGuide 200114
Planning and Implementation
Lab Guide
Copyright © 2020 Broadcom Inc. All rights reserved. Symantec and the Symantec Logo are trademarks or
registered trademarks of Broadcom Inc. or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
THIS PUBLICATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS
AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR
USE OF THIS PUBLICATION. THE INFORMATION CONTAINED HEREIN IS SUBJECT TO CHANGE WITHOUT
NOTICE.
No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Student Guide revision: 200114
Broadcom Inc.
World Headquarters
1320 Ridder Park Drive
San Jose, California
95131
United States
http://www.broadcom.com
Symantec Data Loss Prevention 15.5 Planning and Implementation
Lab Guide
Overview of Lab Environment
The exercises in this lab guide use the following systems.
At different points in the lab exercises, you will be asked to log in to these lab virtual machines (VMs). For
clarity, each exercise will indicate which VM you should be using with headers that look like this:
Note: If you are prompted to install Windows Updates when using any of the provided VMs, it is
recommended that you simply close the Windows Update dialog without running the updates.
Updates are not needed for the lab exercises and will only cause delays in using the lab
environment.
Installing Symantec Data Loss Prevention
In this lab, you will install the following Symantec DLP products in a three-tier environment:
• Enforce Server
• Detection Server
• OCR Server
• Endpoint Agent
You will also generate an Endpoint Prevent incident to verify that your Symantec DLP installation is working
properly.
Steps:
Install the Java Runtime Environment (JRE) software
2. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Disable
Symantec Endpoint Protection.
Note: You can ignore the message “Product error requires attention” that is displayed when you disable
Symantec Endpoint Protection.
5. When the “Open File - Security Warning” prompt is displayed, click Run.
6. At the “Symantec Data Loss Prevention Server JRE Setup Wizard” Welcome screen, click Next.
7. Place a mark in the I accept the terms in the License Agreement check box and click Next.
9. Click Install.
2. When the “Open File - Security Warning” prompt is displayed, click Run.
4. Place a mark in the I accept the terms in the License Agreement check box and click Next.
7. On the “FIPS Cryptography Mode” screen, accept the default selection of “Disabled” and click Next to
continue.
8. On the “Service User > Select Service User Type” screen, leave the default option of New Users
selected and click Next.
9. On the “Service User > Create a New Service User” screen, leave the Username set to “SymantecDLP,”
and in the Password and Confirm Password fields, type the following password: Tra1n!ng
12. On the “Enforce Administrator Password” screen, enter the following in the Password and Confirm
Password fields: Tra1n!ng
17. If a “Files in Use” dialog is displayed during the installation process, select the option Close the
applications and attempt to restart them and click OK.
Note: In the Virtual Academy lab environment, the installation process should take about 15 minutes.
18. When the installation is complete, click Finish.
Note: After the installation has finished, it might take 10 minutes or more before the Enforce Server
becomes responsive enough to log in to the Enforce administration console.
6. To bypass the warning screen, click Advanced and click Accept the Risk and Continue.
Note: To make it easier to log on to the Enforce administration console in later lab exercises, add a
bookmark for the login page to Firefox’s Bookmarks Toolbar.
10. Verify that the Enforce Server is running by going to System > Servers and Detector > Overview.
11. View the status of the individual Enforce Server processes by clicking the Enforce Server name in the
“Servers and Detectors” list.
End of exercise
Steps:
2. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Disable
Symantec Endpoint Protection.
4. In the Windows Security dialog that appears, enter the following credentials to access the shared
folder on the Enforce Server:
Username: example\Administrator
Password: train
6. Open a second File Explorer window by clicking File > Open new window in the first File Explorer
window.
7. In the second File Explorer window, navigate to the C:\temp directory on the WS-DetectionServer
machine.
8. From the first File Explorer window (where the contents of the WinPcap folder are displayed) drag the
WinPcap_4_1_3.exe file to the C:\temp directory in the second File Explorer window.
10. Close the first File Explorer window where the contents of the \Release folder are displayed.
12. Install the Symantec DLP Server Java Runtime Environment software.
a. Double-click the ServerJRE.msi file.
b. In the “Open File - Security Warning” dialog, click Run.
c. Click through the Symantec Data Loss Prevention Server JRE Setup Wizard, accepting the license
agreement and all default settings.
4. From the Enforce console menu bar, navigate to System > Servers and Detectors > Overview.
6. On the “Add a Server” page, select Network Monitor and click Next.
8. In the Host field, type the IP address of the WS-DetectionServer VM: 10.10.2.50
11. Wait until the “Server / Detector Detail” page is displayed, then in the upper right corner of the Enforce
administration console, click the Refresh button repeatedly until all the Network Monitor
Server’s processes show as “Running”.
4. Enter the following command to generate the Enforce and detection server certificates:
sslkeytool -genkey -dir=.\generated_keys
The following certificate files are created in the generated_keys folder:
enforce.<date and time certificate was generated>.sslKeyStore
monitor.<date and time certificate was generated>.sslKeyStore
5. Move the “enforce” certificate file to the following location on the Enforce Server:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore
CAUTION! Notice that the correct path to the keystore destination is through the hidden
ProgramData folder, not the Program Files folder. To show hidden
folders, click the View tab in a File Explorer window and select the option
Hidden items.
12. Go into the Windows Computer Management console and restart the “Symantec DLP Detection Server
Service”.
a. Right-click the Windows Start button and select Computer Management.
b. In the left pane of the “Computer Management” window, expand Services and Applications.
c. Select Services.
d. In the middle pane, locate the Symantec DLP Detection Server Service, right-click the service, and
select Restart.
13. On the WS-Enforce VM, verify that Symantec DLP is using the new certificates.
a. Log in to the Enforce administration console as the Administrator user.
b. Go to System > Servers and Detectors > Events.
c. Look for event code 2710, “Using user generated certificate” to verify that the new certificates are
in use.
End of exercise
Steps:
3. In the Windows Security dialog that appears, enter the following credentials to access the shared
folder on the Enforce Server:
Username: example\Administrator
Password: train
6. Go into the C:\temp folder on the OCR Server VM, then right-click inside the folder and select Paste.
9. On the “Welcome” screen of the Symantec DLP OCR Server Setup Wizard, click Next.
10. Click Next to accept the default Symantec DLP OCR Server destination directory.
The OCR Server software is installed. It should take only a minute or two to complete the installation
process.
3. Modify the OCR.properties file to reflect the CPU resources available on the OCR Server.
a. Open the OCR.properties file (located at C:\SymantecDLPOCR\Protect\config) in
Notepad.
b. Scroll down to the num.ocr.workers line (the last line of the file) and change its value to
equal the number of logical CPU cores on the WS-OCR VM, which in this case is 2:
num.ocr.workers = 2
c. Locate the server.tomcat.max-threads setting and change its value to equal the value of
the num.ocr.workers settings plus 1:
server.tomcat.max-threads = 3
d. Save the changes to the OCR.properties file and close Notepad.
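The two OCR.properties edits in step 3 follow a fixed rule (workers = logical cores, max-threads = workers + 1). The script below is an added example, not part of the lab guide or of the Symantec DLP OCR Server; it rewrites a properties file to that rule and checks the result. The sample file contents are constructed; only the two key names come from the lab.

```python
# Added example (not from the lab guide or the OCR Server product): applies the
# lab's rule num.ocr.workers = logical cores, max-threads = workers + 1.
# The sample properties text below is constructed.
import re
from typing import Dict, Tuple

# Constructed sample of an OCR.properties file with the two keys at stale values.
SAMPLE_OCR_PROPERTIES = (
    "# OCR Server settings (constructed sample)\n"
    "server.port = 8555\n"
    "server.tomcat.max-threads = 4\n"
    "num.ocr.workers = 8\n"
)
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")

def tuned_values(logical_cores: int) -> Dict[str, int]:
    """Return the two settings the lab derives from the core count."""
    if logical_cores < 1:
        raise ValueError("logical core count must be at least 1")
    return {"num.ocr.workers": logical_cores,
            "server.tomcat.max-threads": logical_cores + 1}

def apply_tuning(text: str, logical_cores: int) -> Tuple[str, Dict[str, int]]:
    """Rewrite both keys, leave other lines intact, append any key that is missing."""
    values = tuned_values(logical_cores)
    seen, out = set(), []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) in values:
            out.append(f"{m.group(1)} = {values[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key in values:
        if key not in seen:
            out.append(f"{key} = {values[key]}")
    return "\n".join(out) + "\n", values

def check_invariant(text: str) -> bool:
    """True when server.tomcat.max-threads equals num.ocr.workers + 1."""
    found = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) in ("num.ocr.workers", "server.tomcat.max-threads"):
            found[m.group(1)] = int(m.group(2).strip())
    return ("num.ocr.workers" in found
            and found.get("server.tomcat.max-threads") == found["num.ocr.workers"] + 1)
```

On the WS-OCR VM the lab's core count is 2, which yields num.ocr.workers = 2 and server.tomcat.max-threads = 3, matching step 3.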
4. In the Enforce console, go to System > Settings > OCR Engine Configuration.
8. Under the “Supported Languages” section, in the “Available Languages” list, click the “plus” sign to the
left of the English item to add it to the “Selected Language(s)” list.
10. Assign the OCR engine configuration to the Network Monitor Server.
a. Go to System > Servers and Detectors > Overview.
b. In the “Servers and Detectors” list, click the NetMon server name.
c. Click Configure.
d. On the “Configure Server” page, click the OCR Engine tab.
e. From the OCR Engine Configuration drop-down list, select OCRServer01.
f. Click Save.
g. In the “General” group box, on the “Status” line, click recycle to restart the Network Monitor
Server.
h. When you are prompted “Are you sure you want to recycle the server?”, click OK.
i. Click the Enforce console’s Refresh button repeatedly until all the Network Monitor Server’s
processes show as “Running”.
j. Click Done.
End of exercise
Steps:
In preparation for this lab exercise, it is necessary to re-purpose the Network Monitor detection server as
an Endpoint Server (or to be more precise, an Endpoint Prevent Server). To do this, perform the following
steps:
4. In the Enforce console, go to System > Servers and Detectors > Overview.
5. In the “Servers and Detectors” list, click the NetMon server name.
6. Click Configure.
7. Under the “General” section, in the Name field, replace the existing contents with the following text:
EndpointSrv
9. From the OCR Engine Configuration drop-down list, select -- None --.
The reason for having you perform this step is to remind you that OCR detection is not supported on
the Endpoint Server or Agent.
14. In the “General” group box, on the “Status” line, click recycle.
15. When you are prompted “Are you sure you want to recycle the server?”, click OK.
17. In the “Servers and Detectors” list, verify that the Endpoint server’s “Type” shows up as “Endpoint.”
18. Click the Enforce console’s Refresh button repeatedly until the Endpoint server’s status is shown
as “Running”.
2. From the Select the agent version drop-down list, select Version 15.1 and later.
3. Under “Select one or more agent installers,” to the right of the Windows 64-bit row, click Browse.
7. Scroll to the bottom of the page and click Generate Installer Packages.
8. When the “Opening AgentInstaller_Win64.zip” dialog is displayed, select Save File and click OK.
9. Open a File Explorer window, then in the “Quick access” list, click Downloads.
3. If a Windows Security dialog is displayed, enter the following credentials to access the shared folder on
the Enforce Server:
Username: example\Administrator
Password: train
5. Go into the C:\temp folder on the WC-Endpoint VM, then right-click inside the folder and select
Paste.
7. Click Extract.
8. Right-click the Windows Start button and select Windows PowerShell (Admin).
1. On the WS-Enforce VM, log back in to the Enforce administration console if the console has timed out.
3. Click the OK link to view details about the Agent, including endpoint Machine Name, assigned Agent
Group and Agent Configuration, Connection Status, the Endpoint Server the Agent is reporting to,
endpoint IP Address, Agent software Version, and more.
4. Click the ENDPOINT link in the Machine Name column to view the Agent events that have occurred
from the time the Agent began reporting to the Endpoint Server.
End of exercise
Steps:
4. In the Enforce console, click Manage > Policies > Response Rules.
8. From the Actions drop-down list, select Endpoint > Prevent: Block.
10. Take a moment to review the blocking message that the endpoint user will see, along with the
justification options the user will be offered. Notice that you can edit the blocking message and control
which justification options are available to the user.
13. Place a mark in the check box at the top of the policy list’s left-most column.
15. Click OK when you are asked to confirm that you want to suspend the selected policies.
16. After all the existing policies show a red circle with a diagonal white line in the “Status” column
(indicating they are suspended), click New.
19. From the Policy Group drop-down list, select Confidential Data Protection.
21. In the “Content” section, select Content Matches Data Identifier, and from the adjacent drop-down
list, select Financial > Credit Card Number.
24. Leave all the “Severity” and “Conditions” settings at their defaults and click OK.
26. From the <choose response rule> drop-down list, select Block Copy to Network Share.
29. Make sure that the “CC Info” policy shows a green circle in its “Status” column, indicating it is active.
32. On the “Channels” tab, under the “Enable Monitoring” section, place a mark in the Network Shares >
Copy to Share check box.
Setting                                                  Default   Lab test value
EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int       30        0
ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int  900       15
CAUTION! Although reducing the values of these Agent Advanced Settings causes Endpoint
incidents to be reported more quickly in testing, you should NOT change these
settings in a production DLP environment; doing so will significantly increase the
load on Endpoint Servers and decrease the number of Agents that each Endpoint
Server can support. If you change these settings as part of testing, remember to
set them back to their defaults and apply the updated Agent Configuration
before you put your DLP environment into production.
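A pre-production check for the caution above, as an added example that is not part of the lab guide or of Symantec DLP. The default and test values are the ones listed in this exercise; the assumption is that the Agent Advanced Settings are available as a name-to-value dictionary (for example, transcribed from the Agent Configuration page).

```python
# Added example (not from the lab guide or Symantec DLP): flags Agent Advanced
# Settings that were lowered for testing and restores the listed defaults.
# The dict input format is an assumption; the values come from the lab table.
from typing import Dict, List, Tuple

# Defaults as listed in this exercise; the lab lowers them to 0 and 15 for testing.
PRODUCTION_DEFAULTS: Dict[str, int] = {
    "EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int": 30,
    "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int": 900,
}

def find_test_values(settings: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (name, current, default) for each setting lowered below its default.

    Lower values make Agents contact the Endpoint Server more often, which is the
    load increase the lab's caution describes.
    """
    findings = []
    for name, default in PRODUCTION_DEFAULTS.items():
        current = settings.get(name, default)  # a missing key means the default applies
        if current < default:
            findings.append((name, current, default))
    return findings

def restore_defaults(settings: Dict[str, int]) -> Dict[str, int]:
    """Return a copy of the settings with the production defaults reapplied."""
    fixed = dict(settings)
    for name, _current, default in find_test_values(settings):
        fixed[name] = default
    return fixed

# Constructed sample: the values the lab uses during testing.
LAB_TEST_SETTINGS: Dict[str, int] = {
    "EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int": 0,
    "ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int": 15,
}

if __name__ == "__main__":
    for name, cur, dflt in find_test_values(LAB_TEST_SETTINGS):
        print(f"{name}: {cur} (default {dflt}) - restore before production")
```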
37. Place a mark in the check box to the left of the “Default Group” item.
39. Click OK to confirm that you want to update the configuration of the “Default Group”.
40. Wait 15 minutes for the updated Agent Configuration to be pushed to the WC-Endpoint VM.
Attempt to copy sensitive information from the endpoint computer to a network share
1. On the WC-Endpoint VM, open a File Explorer window and go into the following folder:
C:\Doc_Repository
2. In the File Explorer window, click File > Open New Window.
3. In the “Quick Access” list of the second File Explorer window you just opened, click
DLPDownloadHome.
This is the network share on the WS-Enforce VM from which you have been copying installation files to
the various VMs used in the labs.
5. Drag the Customer Records.xlsx file from the Doc_Repository folder to the
DLPDownloadHome share.
6. In the “Blocked” dialog that appears, select the option My manager approved this transfer of data and
click OK.
Notice that the Customer Records.xlsx file is not copied to the network share.
1. If the Enforce administration console has timed out, log back in to the console as the Administrator
user.
3. Inspect the incident details by clicking the 00000001 link in the incident’s “ID / Policy” column.
In conclusion, the fact that Symantec DLP is able to detect sensitive information and generate incidents
indicates that your Symantec DLP deployment is working properly.
End of exercise