DLP 15-5 PI LabGuide 200114

DLP installation lab


Symantec Data Loss Prevention 15.5
Planning and Implementation
Lab Guide
Copyright © 2020 Broadcom Inc. All rights reserved. Symantec and the Symantec Logo are trademarks or
registered trademarks of Broadcom Inc. or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
THIS PUBLICATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS
AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR
USE OF THIS PUBLICATION. THE INFORMATION CONTAINED HEREIN IS SUBJECT TO CHANGE WITHOUT
NOTICE.
No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Student Guide revision: 200114

Broadcom Inc.
World Headquarters
1320 Ridder Park Drive
San Jose, California
95131
United States
http://www.broadcom.com

Lead Subject Matter Experts:
  Ken Baldwin
  Ryan Hollitz
  Jim Martin

Technical Contributors and Reviewers:
  John Gruhn
  Ryan Hollitz
  Boon Hing Khoo
  Jim Martin
  Charles McLendon
  Charlie Sadaka
  Pieter van der Westhuizen

Course Developers:
  Carlos Aragon
  Willian Castro
  Jesse Gonzales

Train. Certify. Succeed.


Learn more about Symantec certifications here:
https://go.symantec.com/certification

2 Symantec Data Loss Prevention 15.5 Planning and Implementation Lab Guide
Copyright © 2020 Broadcom. All Rights Reserved
Table of Contents
Symantec Data Loss Prevention 15.5 Planning and Implementation Lab Guide

Overview of Lab Environment ............ 5
Installing Symantec Data Loss Prevention ............ 7
    Exercise 1: Install the Enforce Server in a three-tier Symantec DLP environment ............ 8
    Exercise 2: Install a detection server in a three-tier Symantec DLP environment ............ 13
    Exercise 3: Install an OCR Server ............ 18
    Exercise 4: Install an Endpoint Agent ............ 21
    Exercise 5: Test the Symantec DLP deployment ............ 25

Overview of Lab Environment
The exercises in this lab guide use the following systems.

System Name          Username                 Password
WS-Enforce           example\Administrator    train
WC-Endpoint          example\Administrator    train
WS-DetectionServer   example\Administrator    train
WS-OCR               example\Administrator    train

At different points in the lab exercises, you will be asked to log in to these lab virtual machines (VMs). For
clarity, each exercise will indicate which VM you should be using with headers that look like this:

Change to: WS-Enforce

Note: If you are prompted to install Windows Updates when using any of the provided VMs, it is
recommended that you simply close the Windows Update dialog without running the updates.
Updates are not needed for the lab exercises and will only cause delays in using the lab
environment.

Installing Symantec Data Loss Prevention
In this lab, you will install the following Symantec DLP products in a three-tier environment:
• Enforce Server
• Detection server
• OCR Server
• Endpoint Agent
You will also generate an Endpoint Prevent incident to verify that your Symantec DLP installation is working
properly.

Exercise 1: Install the Enforce Server in a three-tier Symantec DLP
environment

Estimated exercise time: 45 minutes

Steps:
Install the Java Runtime Environment (JRE) software

Log in to: WS-Enforce

1. Log in to the WS-Enforce VM using the following credentials:


Username: example\Administrator
Password: train

2. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Disable
Symantec Endpoint Protection.

Note: You can ignore the message “Product error requires attention” that is displayed when you disable
Symantec Endpoint Protection.

3. Using Windows File Explorer, navigate to:


C:\DLPDownloadHome\Symantec_DLP_15.5_Platform_Win-IN_15.5.0.17018\DLP\15.5\New_Installs\x64\Release

4. Double-click the ServerJRE.msi file.

5. When the “Open File - Security Warning” prompt is displayed, click Run.

6. At the “Symantec Data Loss Prevention Server JRE Setup Wizard” Welcome screen, click Next.

7. Place a mark in the I accept the terms in the License Agreement check box and click Next.

8. Click Next to accept the default Destination Folder.

9. Click Install.

10. When the installation process is completed, click Finish.

Install the Enforce Server software


1. Double-click the EnforceServer.msi file.

2. When the “Open File - Security Warning” prompt is displayed, click Run.

3. At the “Symantec Data Loss Prevention 15.5 Enforce Server Setup Wizard” Welcome screen, click Next.

4. Place a mark in the I accept the terms in the License Agreement check box and click Next.

5. Click Next to accept the default Enforce Server Destination Folder.

6. Click Next to accept the default JRE Directory.

7. On the “FIPS Cryptography Mode” screen, accept the default selection of “Disabled” and click Next to
continue.

8. On the “Service User > Select Service User Type” screen, leave the default option of New Users
selected and click Next.

9. On the “Service User > Create a New Service User” screen, leave the Username set to “SymantecDLP,”
and in the Password and Confirm Password fields, type the following password: Tra1n!ng

10. Click Next.

11. On the “Oracle Database” screen, do the following:


a. In the Host field, type: 10.10.2.40
b. Leave the Port set to 1521, and leave the Service Name and Username set to protect.
c. In the Password field, type: protect
d. Click Next.

12. On the “Enforce Administrator Password” screen, enter the following in the Password and Confirm
Password fields: Tra1n!ng

13. Click Next.

14. On the “External Storage” screen, do the following:


a. Select External Storage and click Next.
b. Click Browse, then browse to and select the following folder: E:\DLPExtStorage
c. Click Select Folder.
d. Click Next.

15. On the “Additional Locale” screen, click Next.

16. Click Install.

17. If a “Files in Use” dialog is displayed during the installation process, select the option Close the
applications and attempt to restart them and click OK.

Note: In the Virtual Academy lab environment, the installation process should take about 15 minutes.
18. When the installation is complete, click Finish.

Note: After the installation has finished, it might take 10 minutes or more before the Enforce Server
becomes responsive enough to log in to the Enforce administration console.

Perform post-installation tasks
1. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Enable
Symantec Endpoint Protection.

2. Verify that all the Symantec DLP services are running.


a. Right-click the Windows Start button and select Computer Management.
b. In the left pane of the “Computer Management” window, expand Services and Applications.
c. Select Services.
d. In the middle pane, scroll down until you see the “Symantec DLP” Services and verify that the
following services are in a “Running” state:
Symantec DLP Detection Server Controller Service
Symantec DLP Incident Persister Service
Symantec DLP Manager Service
Symantec DLP Notifier Service

3. Close the “Computer Management” window.

4. Launch the Firefox web browser.

5. In the Firefox address field, enter the following URL:


https://enforce.example.com/ProtectManager/Logon
A warning message is displayed because Firefox does not trust the Enforce Server's default self-signed certificate. Accepting it is acceptable in this isolated lab; in a production deployment, install a certificate issued by a CA that your administrators' browsers already trust rather than training users to click through the warning.

6. To bypass the warning screen, click Advanced and click Accept the Risk and Continue.

7. Log in to the Enforce administration console using the following credentials:


Login: Administrator
Password: Tra1n!ng

Note: To make it easier to log on to the Enforce administration console in later lab exercises, add a
bookmark for the login page to Firefox’s Bookmarks Toolbar.

8. On the “End User License Agreement” page, do the following:


a. In the Name field, type: DLP Admin
b. In the Title field, type: DLP Administrator
c. In the Company field, type: Example
d. Click I Accept.

9. Apply Symantec DLP licenses.


a. In the Enforce administration console’s menu bar, click System > Settings > General.
b. Click Configure.
c. In the “License” section, click Browse.

d. As directed by your instructor, browse to and select the Symantec DLP Enterprise Suite license file,
then click Open.
The expectation is that your instructor has placed the required license files in
C:\DLPDownloadHome on your WS-Enforce VM. The Enterprise Suite license file should be the
larger (3 KB) of the two .slf license files placed in the DLPDownloadHome folder.
e. In the “Process Control” section (directly below the “License” section), select the Advanced
Process Control option.
Enabling Advanced Process Control enables you to see the status of the individual processes of the
Enforce Server and detection servers on the “Server / Detector Detail” page of the Enforce
administration console.
f. Scroll back up to the top of the page and click Save.
g. Click Configure.
h. In the “License” section, click Browse.
i. As directed by your instructor, browse to and select the license file for the Symantec DLP Sensitive
Image Recognition Addon, then click Open.
If your instructor has placed the required license files in C:\DLPDownloadHome on your WS-
Enforce VM, the Sensitive Image Recognition license file should be the smaller (2 KB) of the two
.slf license files placed in the DLPDownloadHome folder.
j. Click Save.
The following Symantec DLP products should now show up as licensed in the “License” section:
Network Monitor
Network Discover
Network Protect
Network Prevent for Email
Network Prevent for Web
Endpoint Prevent
Endpoint Discover
DLP Sensitive Image Recognition

10. Verify that the Enforce Server is running by going to System > Servers and Detector > Overview.

11. View the status of the individual Enforce Server processes by clicking the Enforce Server name in the
“Servers and Detectors” list.

12. Install the Health Care Solution Pack.


a. Close Firefox.
b. Stop the Symantec DLP Manager Service.
i. Right-click the Windows Start button and select Computer Management.
ii. Expand the Services and Applications item in the left pane of the Computer Management
console and select Services.
iii. Locate and right-click the Symantec DLP Manager Service in the center pane and click Stop.
c. Right-click the Windows Start button and select Command Prompt (Admin).

d. At the command prompt, type (straight double quotes, not the curly quotes a word processor inserts; cmd.exe does not recognize curly quotes):
cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin"
e. Install the Solution Pack by entering the following command on one line:
SolutionPackInstaller.exe import "C:\DLPDownloadHome\Symantec_DLP_15.5_Solution_Packs\DLP\15.5\Solution_Packs\Health_Care_v15.5.vsp"
The installation process should only take 1-2 minutes. The process is complete when the message
“The Solution Pack install is complete” is displayed and you are returned to the Command Prompt
line.
f. Re-start the Symantec DLP Manager Service by going back into the middle pane of the Computer
Management console, right-clicking Symantec DLP Manager Service, and clicking Start.
g. Verify that the Solution Pack was successfully installed.
i. Wait 5-10 minutes for the Symantec DLP Manager Service to fully load, then launch Firefox
and log back in to the Enforce administration console as the Administrator user.
ii. Navigate to Manage > Policies > Policy List and verify that an assortment of policies now
appears in this list.
iii. Navigate to Manage > Policies > Response Rules and view the response rules that were added
as part of the Health Care Solution Pack installation.
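The post-installation checks and the Solution Pack import above can be scripted so that the service check fails the run instead of depending on someone reading a Status column. The script below is an added example, not part of the lab guide; it uses the paths, service display names and import command the guide gives. Run it from an elevated PowerShell on WS-Enforce. The non-zero exit code check is an assumption about SolutionPackInstaller.exe; the completion message it searches for is the one the guide quotes.

```powershell
# Added example (not part of the lab guide): script the Exercise 1 post-install
# service check and the Solution Pack import. Run elevated on the Enforce Server.
# Assumption: SolutionPackInstaller.exe returns a non-zero exit code on failure.
param(
    [string]$SolutionPack = 'C:\DLPDownloadHome\Symantec_DLP_15.5_Solution_Packs\DLP\15.5\Solution_Packs\Health_Care_v15.5.vsp'
)
$ErrorActionPreference = 'Stop'
$binDir = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin'
$enforceServices = @(
    'Symantec DLP Detection Server Controller Service',
    'Symantec DLP Incident Persister Service',
    'Symantec DLP Manager Service',
    'Symantec DLP Notifier Service'
)

# 1. Same check as the Computer Management step in the guide, but it stops the
#    script if any of the four Enforce services is not running.
$notRunning = Get-Service -DisplayName $enforceServices | Where-Object Status -ne 'Running'
if ($notRunning) {
    throw ('Enforce services not running: ' + ($notRunning.DisplayName -join ', '))
}

# 2. Import the Solution Pack with the Manager service stopped, as the guide requires.
if (-not (Test-Path -LiteralPath $SolutionPack)) { throw "Solution Pack not found: $SolutionPack" }
$manager = Get-Service -DisplayName 'Symantec DLP Manager Service'
Stop-Service -InputObject $manager
$manager.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

$output = Join-Path $env:TEMP 'SolutionPackInstaller.out.txt'
$proc = Start-Process -FilePath (Join-Path $binDir 'SolutionPackInstaller.exe') `
    -ArgumentList @('import', "`"$SolutionPack`"") `
    -WorkingDirectory $binDir -NoNewWindow -Wait -PassThru `
    -RedirectStandardOutput $output

# 3. Bring the Manager service back whether or not the import worked, then judge
#    the import by the guide's completion message and the (assumed) exit code.
Start-Service -InputObject $manager
$manager.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))

$completed = Select-String -LiteralPath $output -SimpleMatch 'The Solution Pack install is complete' -Quiet
if ($proc.ExitCode -ne 0 -or -not $completed) {
    throw "Solution Pack import failed (exit code $($proc.ExitCode)); see $output"
}
Write-Host "Solution Pack imported: $SolutionPack"
```

WaitForStatus('Running') returns as soon as the Service Control Manager reports the service running; as the guide notes, the Enforce console can still take 5-10 minutes after that before it accepts logins, so the policy list check is still done in the browser.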

End of exercise

Exercise 2: Install a detection server in a three-tier Symantec DLP
environment

Estimated exercise time: 25 minutes

Steps:

Install the detection server software

Log in to: WS-DetectionServer

1. Log in to the WS-DetectionServer VM using the following credentials:


Username: example\Administrator
Password: train

2. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Disable
Symantec Endpoint Protection.

3. Double-click the DLPDownloadHome (ENFORCE) shortcut on the desktop.

4. In the Windows Security dialog that appears, enter the following credentials to access the shared
folder on the Enforce Server:
Username: example\Administrator
Password: train

5. Navigate to the following folder:


Symantec_DLP_15.5_Platform_Win-IN_15.5.0.17018\DLP\15.5\Third_Party\WinPcap

6. Open a second File Explorer window by clicking File > Open new window in the first File Explorer
window.

7. In the second File Explorer window, navigate to the C:\temp directory on the WS-DetectionServer
machine.

8. From the first File Explorer window (where the contents of the WinPcap folder are displayed) drag the
WinPcap_4_1_3.exe file to the C:\temp directory in the second File Explorer window.

9. In the first File Explorer window, navigate back out to the
Symantec_DLP_15.5_Platform_Win-IN_15.5.0.17018\DLP\15.5\New_Installs
\x64\Release folder and copy the ServerJRE.msi and DetectionServer.msi files to the
C:\temp directory in the second File Explorer window.

10. Close the first File Explorer window where the contents of the \Release folder are displayed.

11. Install WinPcap 4.1.3.


a. Double-click the WinPcap_4_1_3.exe file in the C:\temp folder.
b. In the “Open File - Security Warning” dialog, click Run.
c. Click through the WinPcap 4.1.3 Setup Wizard, accepting all default settings, to install WinPcap.

12. Install the Symantec DLP Server Java Runtime Environment software.
a. Double-click the ServerJRE.msi file.
b. In the “Open File - Security Warning” dialog, click Run.
c. Click through the Symantec Data Loss Prevention Server JRE Setup Wizard, accepting the license
agreement and all default settings.

13. Install the Symantec DLP detection server software.


a. Double-click the DetectionServer.msi file.
b. In the “Open File - Security Warning” dialog, click Run.
c. On the “Welcome” screen of the Symantec Data Loss Prevention 15.5 Detection Server Setup
Wizard, click Next.
d. Place a mark in the I accept the terms in the License Agreement check box and click Next.
e. Click Next to accept the default Symantec DLP Detection Server Destination Folder location.
f. Click Next to accept the default JRE Directory location.
g. Leave the FIPS Cryptography Mode set to Disabled and click Next.
h. On the “Service User” screen, select Existing Users and click Next.
Under normal circumstances, you would select New Users on this screen, but in the Virtual
Academy VM environment for this course, a “SymantecDLP” domain user exists in Active Directory
(a side effect of installing the Enforce Server software on the Domain Controller/Active Directory
Server). Consequently, selecting New Users on this screen results in an error because the
Detection Server Setup Wizard detects the existing “SymantecDLP” domain user in Active
Directory.
i. On the “Service User” screen, leave the Username set to SymantecDLP and type the following
in the Password field: Tra1n!ng (the password given to the SymantecDLP service user in Exercise 1; the existing domain user will not authenticate with any other value)
j. Click Next.
k. On the “Update User” screen, leave the Username set to SymantecDLPUpdate and type the
following in the Password field: Tra1n!ng
l. On the “Server Bindings” screen, do the following:
i. In the Host field, type the IP address of the WS-DetectionServer VM: 10.10.2.50

ii. Leave the Port set to 8100.
iii. Click Next.
m. Click Install.
The installation process should only take a couple of minutes.
n. Click Finish.

Perform post-installation tasks


1. In the Windows System Tray, right-click the Symantec Endpoint Protection icon and select Enable
Symantec Endpoint Protection.

2. Verify that the “Symantec DLP Detection Server Service” is running.


a. Right-click the Windows Start button and select Computer Management.
b. Expand the Services and Applications item in the left pane of the Computer Management console
and select Services.
c. Locate the Symantec DLP Detection Server Service and verify that its status is “Running”.
d. Close the Computer Management console.

Register the detection server with Enforce

Change to: WS-Enforce

1. Log in to the WS-Enforce VM using the following credentials:


Username: example\Administrator
Password: train

2. Launch Firefox and go to the Enforce administration console URL:


https://enforce.example.com

3. Log in to the Enforce administration console using the following credentials:


Username: Administrator
Password: Tra1n!ng

4. From the Enforce console menu bar, navigate to System > Servers and Detectors > Overview.

5. Click Add Server > Software Server.


For this lab exercise, the detection server that was just installed will be registered with Enforce as a
Network Monitor Server.

6. On the “Add a Server” page, select Network Monitor and click Next.

7. In the Name field, type: NetMon

8. In the Host field, type the IP address of the WS-DetectionServer VM: 10.10.2.50

9. On the “Packet Capture” tab, place a mark in the HTTP check box.

10. Click Save.

11. Wait until the “Server / Detector Detail” page is displayed, then in the upper right corner of the Enforce
administration console, click the Refresh button repeatedly until all the Network Monitor Server’s
processes show as “Running”.

12. Click Done.

Create unique security certificates for Enforce/detection server communications


1. Still on the WS-Enforce VM, right-click the Windows Start button and select Command Prompt
(Admin).

2. At the command prompt, change to the Symantec DLP “bin” directory:


cd "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin"

3. Create a new folder named generated_keys inside the bin folder:


mkdir generated_keys

4. Enter the following command to generate the Enforce and detection server certificates:
sslkeytool -genkey -dir=.\generated_keys
The following certificate files are created in the generated_keys folder:
enforce.<date and time certificate was generated>.sslKeyStore
monitor.<date and time certificate was generated>.sslKeyStore

5. Move the “enforce” certificate file to the following location on the Enforce Server:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore

CAUTION! Notice that the correct path to the keystore destination is through the hidden
ProgramData folder, not the Program Files folder. To show hidden
folders, click the View tab in a File Explorer window and select the option
Hidden items.

6. Move the “monitor” certificate file to the C:\DLPDownloadHome folder.

7. Restart the “Symantec DLP Detection Server Controller Service”.


a. Right-click the Windows Start button and select Computer Management.
b. In the left pane of the “Computer Management” window, expand Services and Applications.
c. Select Services.
d. In the middle pane, locate the Symantec DLP Detection Server Controller Service, right-click the
service, and select Restart.

Change to: WS-DetectionServer

8. On the WS-DetectionServer VM, double-click the DLPDownloadHome (Enforce) shortcut on the desktop.

9. Right-click the “monitor” certificate file and select Cut.

10. Navigate to the following location on the WS-DetectionServer VM:


C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\keystore

CAUTION! Notice that the correct path to the keystore destination is through the hidden
ProgramData folder, not the Program Files folder.

11. Right-click inside the keystore folder and select Paste.

12. Go into the Windows Computer Management console and restart the “Symantec DLP Detection Server
Service”.
a. Right-click the Windows Start button and select Computer Management.
b. In the left pane of the “Computer Management” window, expand Services and Applications.
c. Select Services.
d. In the middle pane, locate the Symantec DLP Detection Server Service, right-click the service, and
select Restart.

Change to: WS-Enforce

13. On the WS-Enforce VM, verify that Symantec DLP is using the new certificates.
a. Log in to the Enforce administration console as the Administrator user.
b. Go to System > Servers and Detectors > Events.
c. Look for event code 2710, “Using user generated certificate” to verify that the new certificates are
in use.
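The certificate procedure above is the part of this exercise most worth scripting, because a keystore dropped into the wrong folder (Program Files instead of ProgramData) or a service that is not restarted leaves Enforce and the detection server silently on the default certificates. The script below is an added example, not part of the lab guide. It runs the guide's sslkeytool command, files the enforce keystore and stages the monitor keystore on the Enforce Server (-Role Enforce), and on the detection server moves the staged monitor keystore into its keystore folder (-Role Detection), restarting the service the guide names in each case. Commands, file-name patterns and keystore paths are the guide's; -StagingDir defaults to the C:\DLPDownloadHome folder the guide uses on Enforce, and on the detection server you pass the path under which that share is reachable (the guide shows it only as a desktop shortcut, so no UNC path is assumed).

```powershell
# Added example (not part of the lab guide): the sslkeytool procedure as a script.
# Run elevated with -Role Enforce on the Enforce Server, then elevated with
# -Role Detection on the detection server (pass -StagingDir <path to the
# DLPDownloadHome share> there).
param(
    [Parameter(Mandatory)][ValidateSet('Enforce', 'Detection')][string]$Role,
    [string]$StagingDir = 'C:\DLPDownloadHome'
)
$ErrorActionPreference = 'Stop'

function Restart-DlpService([string]$DisplayName) {
    $svc = Get-Service -DisplayName $DisplayName
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
}

# Newest keystore file with the given prefix; sslkeytool names the files
# <prefix>.<date and time>.sslKeyStore, so several may exist after repeated runs.
function Get-NewestKeystore([string]$Dir, [string]$Prefix) {
    $file = Get-ChildItem -LiteralPath $Dir -Filter "$Prefix.*.sslKeyStore" -File |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $file) { throw "No $Prefix.*.sslKeyStore file found in $Dir" }
    $file
}

function New-DlpKeystores {
    $binDir   = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin'
    $keystore = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore'
    $outDir   = Join-Path $binDir 'generated_keys'
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Exactly the guide's command, run from the bin directory.
    Push-Location -LiteralPath $binDir
    try {
        & cmd.exe /c 'sslkeytool -genkey -dir=.\generated_keys'
        if ($LASTEXITCODE -ne 0) { throw "sslkeytool exited with code $LASTEXITCODE" }
    } finally { Pop-Location }

    $enforceKey = Get-NewestKeystore $outDir 'enforce'
    $monitorKey = Get-NewestKeystore $outDir 'monitor'
    # enforce.* goes into the hidden ProgramData keystore; monitor.* is staged for the detection server.
    Move-Item -LiteralPath $enforceKey.FullName -Destination (Join-Path $keystore $enforceKey.Name) -Force
    Move-Item -LiteralPath $monitorKey.FullName -Destination (Join-Path $StagingDir $monitorKey.Name) -Force
    Restart-DlpService 'Symantec DLP Detection Server Controller Service'
    Write-Host "Installed $($enforceKey.Name); staged $($monitorKey.Name) in $StagingDir"
}

function Install-MonitorKeystore {
    $keystore   = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\keystore'
    $monitorKey = Get-NewestKeystore $StagingDir 'monitor'
    Move-Item -LiteralPath $monitorKey.FullName -Destination (Join-Path $keystore $monitorKey.Name) -Force
    Restart-DlpService 'Symantec DLP Detection Server Service'
    Write-Host "Installed $($monitorKey.Name); confirm event 2710 (Using user generated certificate) in Enforce"
}

switch ($Role) {
    'Enforce'   { New-DlpKeystores }
    'Detection' { Install-MonitorKeystore }
}
```

The reason this step matters: the keystores a fresh installation starts with are the same on every Symantec DLP installation, so the Enforce-to-detection-server channel is only as private as the product media until unique keys are generated. Event 2710 on the Events page is the confirmation that both sides picked up the new files; if it does not appear, the usual cause is a keystore left in the Program Files tree rather than ProgramData.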

End of exercise

Exercise 3: Install an OCR Server

Estimated exercise time: 12 minutes

Steps:

Install the OCR Server software

Log in to: WS-OCR

1. Log in to the WS-OCR VM using the following credentials:


Username: example\Administrator
Password: train

2. Double-click the DLPDownloadHome (ENFORCE) shortcut on the desktop.

3. In the Windows Security dialog that appears, enter the following credentials to access the shared
folder on the Enforce Server:
Username: example\Administrator
Password: train

4. Navigate to the following folder:


Symantec_DLP_1.0_OCR_Server_15.5.0.17015\DLP\OCR\1.0

5. Right-click the OCRServerInstaller64.exe file and select Copy.

6. Go into the C:\temp folder on the OCR Server VM, then right-click inside the folder and select Paste.

7. Double-click the OCRServerInstaller64.exe file.

8. In the “Open File - Security Warning” dialog, click Run.

9. On the “Welcome” screen of the Symantec DLP OCR Server Setup Wizard, click Next.

10. Click Next to accept the default Symantec DLP OCR Server destination directory.
The OCR Server software is installed. It should take only a minute or two to complete the installation
process.

11. Click Finish.

Perform post-installation tasks
1. Verify that the “Symantec DLP OCR Server” service is running.
a. Right-click the Windows Start button and select Computer Management.
b. In the left pane of the “Computer Management” window, expand Services and Applications.
c. Select Services.
d. In the middle pane, locate the Symantec DLP OCR Server service and verify that its status is
“Running”.
If the Symantec DLP OCR Server service is not running, right-click the service and select Start.
e. Close the Computer Management window.

2. Open the ocrserver.log file (located at C:\SymantecDLPOCR\Protect\logs) and make sure the last line of the log reads “OCR Server started.”

3. Modify the OCR.properties file to reflect the CPU resources available on the OCR Server.
a. Open the OCR.properties file (located at C:\SymantecDLPOCR\Protect\config) in
Notepad.
b. Scroll down to the num.ocr.workers line (the last line of the file) and change its value to
equal the number of logical CPU cores on the WS-OCR VM, which in this case is 2:
num.ocr.workers = 2
c. Locate the server.tomcat.max-threads setting and change its value to equal the value of
the num.ocr.workers settings plus 1:
server.tomcat.max-threads = 3
d. Save the changes to the OCR.properties file and close Notepad.

4. Restart the OCR Server VM.
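Step 3 hard-codes the values for a 2-core lab VM. The script below, an added example that is not part of the lab guide, applies the same rule (num.ocr.workers = logical cores, server.tomcat.max-threads = workers + 1) using the core count the machine actually reports, so the same script works on a production OCR Server with more cores. It assumes the file path and the "key = value" line format the guide shows; the .bak copy is the script's own precaution, not something the guide asks for.

```powershell
# Added example (not part of the lab guide): size num.ocr.workers and
# server.tomcat.max-threads in OCR.properties from the logical CPU count.
param(
    [string]$PropertiesFile = 'C:\SymantecDLPOCR\Protect\config\OCR.properties',
    [int]$Workers = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
)
$ErrorActionPreference = 'Stop'
if ($Workers -lt 1) { throw "Workers must be at least 1 (got $Workers)" }

# Rule stated in the lab guide.
$desired = [ordered]@{
    'num.ocr.workers'           = $Workers
    'server.tomcat.max-threads' = $Workers + 1
}

Copy-Item -LiteralPath $PropertiesFile -Destination "$PropertiesFile.bak" -Force
$seen = @{}
$updated = @(foreach ($line in Get-Content -LiteralPath $PropertiesFile) {
    # Match "key = value" (and "key=value"); comment and blank lines do not match.
    $m = [regex]::Match($line, '^\s*([^#=\s]+)\s*=\s*(.*)$')
    if ($m.Success -and $desired.Contains($m.Groups[1].Value)) {
        $key = $m.Groups[1].Value
        $seen[$key] = $true
        "$key = $($desired[$key])"   # rewrite only the value
    } else {
        $line                        # every other line passes through unchanged
    }
})
# Append either key if the file did not already contain it.
foreach ($key in $desired.Keys) {
    if (-not $seen.ContainsKey($key)) { $updated += "$key = $($desired[$key])" }
}
Set-Content -LiteralPath $PropertiesFile -Value $updated
Write-Host ('Set num.ocr.workers={0} and server.tomcat.max-threads={1} in {2}' -f $Workers, ($Workers + 1), $PropertiesFile)
```

Run it elevated on WS-OCR, then restart the VM as in step 4; on the lab VM it writes the same two values the guide has you type by hand.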

Create and assign an OCR configuration in the Enforce administration console

Change to: WS-Enforce

1. Log in to the WS-Enforce VM using the following credentials:


Username: example\Administrator
Password: train

2. Launch Firefox and go to the Enforce administration console URL:


https://enforce.example.com

3. Log in to the Enforce administration console using the following credentials:


Username: Administrator
Password: Tra1n!ng

4. In the Enforce console, go to System > Settings > OCR Engine Configuration.

5. Click Add OCR Engine Configuration.

6. In the Name field, type: OCRServer01

7. In the OCR server hostname field, type: ocr.example.com

8. Under the “Supported Languages” section, in the “Available Languages” list, click the “plus” sign to the
left of the English item to add it to the “Selected Language(s)” list.

9. Scroll back up to the top of the page and click Save.

10. Assign the OCR engine configuration to the Network Monitor Server.
a. Go to System > Servers and Detectors > Overview.
b. In the “Servers and Detectors” list, click the NetMon server name.
c. Click Configure.
d. On the “Configure Server” page, click the OCR Engine tab.
e. From the OCR Engine Configuration drop-down list, select OCRServer01.
f. Click Save.
g. In the “General” group box, on the “Status” line, click recycle to restart the Network Monitor
Server.
h. When you are prompted “Are you sure you want to recycle the server?”, click OK.

i. Click the Enforce console’s Refresh button repeatedly until all the Network Monitor Server’s
processes show as “Running”.
j. Click Done.

End of exercise

Exercise 4: Install an Endpoint Agent

Estimated exercise time: 17 minutes

Steps:
In preparation for this lab exercise, it is necessary to re-purpose the Network Monitor detection server as
an Endpoint Server (or to be more precise, an Endpoint Prevent Server). To do this, perform the following
steps:

Log in to: WS-Enforce

1. Log in to the WS-Enforce VM using the following credentials:


Username: example\Administrator
Password: train

2. Launch Firefox and go to the Enforce administration console URL:


https://enforce.example.com

3. Log in to the Enforce administration console using the following credentials:


Username: Administrator
Password: Tra1n!ng

4. In the Enforce console, go to System > Servers and Detectors > Overview.

5. In the “Servers and Detectors” list, click the NetMon server name.

6. Click Configure.

7. Under the “General” section, in the Name field, replace the existing contents with the following text:
EndpointSrv

8. Click the OCR Engine tab.

9. From the OCR Engine Configuration drop-down list, select -- None --.
The reason for having you perform this step is to remind you that OCR detection is not supported on
the Endpoint Server or Agent.

10. Click Save.

11. Click Server Settings.

12. In the BoxMonitor.Channels field, replace the existing contents with the following text: Endpoint

13. Click Save.

14. In the “General” group box, on the “Status” line, click recycle.

15. When you are prompted “Are you sure you want to recycle the server?”, click OK.

16. Click Done.

17. In the “Servers and Detectors” list, verify that the Endpoint server’s “Type” shows up as “Endpoint.”

18. Click the Enforce console’s Refresh button repeatedly until the Endpoint server’s status is shown
as “Running”.

Create an Agent installer package


1. In the Enforce administration console, go to System > Agents > Agent Packaging.

2. From the Select the agent version drop-down list, select Version 15.1 and later.

3. Under “Select one or more agent installers,” to the right of the Windows 64-bit row, click Browse.

4. Browse to the following location:


C:\DLPDownloadHome\Symantec_DLP_15.5_Agent_Win-IN_b\DLP\15.5\Endpoint\Win\x64

5. Select AgentInstallers-x64_15_5.zip and click Open.

6. Specify DLP Agent settings.


a. In the Endpoint Server Host field, type: 10.10.2.50
b. In the Tools Password and Re-enter Tools Password fields, type: Tra1n!ng

7. Scroll to the bottom of the page and click Generate Installer Packages.

8. When the “Opening AgentInstaller_Win64.zip” dialog is displayed, select Save File and click OK.

9. Open a File Explorer window, then in the “Quick access” list, click Downloads.

10. Right-click the AgentInstaller_Win64.zip file and select Cut.

11. Navigate to the C:\DLPDownloadHome folder.

12. Right-click inside the DLPDownloadHome folder and select Paste.

Manually install the Agent on an endpoint

Change to: WC-Endpoint

1. Log in to the WC-Endpoint VM using the following credentials:


Username: example\Administrator
Password: train

2. Double-click the DLPDownloadHome (ENFORCE) shortcut on the desktop.

3. If a Windows Security dialog is displayed, enter the following credentials to access the shared folder on
the Enforce Server:
Username: example\Administrator
Password: train

4. Right-click the AgentInstaller_Win64.zip file and select Copy.

5. Go into the C:\temp folder on the WC-Endpoint VM, then right-click inside the folder and select
Paste.

6. Right-click the AgentInstaller_Win64.zip file and select Extract All.

7. Click Extract.

8. Right-click the Windows Start button and select Windows PowerShell (Admin).

9. At the PowerShell prompt, enter: cmd.exe

10. Change to the extracted AgentInstaller_Win64 folder:


cd C:\temp\AgentInstaller_Win64

11. Enter the following command: install_agent.bat


The Agent installation process should only take a minute or two. The installation is complete when the
command prompt line is displayed again.

Verify the Agent installation


1. In File Explorer on the Endpoint VM, navigate to the root of the C: drive and open the
installAgent.log file in Notepad.
If the Agent installation was successful, you will see a message 21 lines up from the last full line of text
in the log file that reads “Installation operation completed successfully.”

2. Close the installAgent.log file.
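The manual install and the "21 lines up from the bottom" log check above do not scale past one endpoint. The script below is an added example, not part of the lab guide: it extracts the package the guide had you generate, runs install_agent.bat through cmd.exe as the guide does, and then searches installAgent.log for the success line the guide quotes instead of counting lines from the end. It assumes the package layout the guide produces (AgentInstaller_Win64.zip containing install_agent.bat) and the log location the guide names (the root of C:). The final service listing is informational only; the agent service's display name is not given in the guide, so nothing is asserted about it.

```powershell
# Added example (not part of the lab guide): unattended Windows agent install with
# a check for the success line the guide says appears in C:\installAgent.log.
# Run elevated on the endpoint after copying AgentInstaller_Win64.zip to C:\temp.
param(
    [string]$Package = 'C:\temp\AgentInstaller_Win64.zip',
    [string]$LogFile = 'C:\installAgent.log'
)
$ErrorActionPreference = 'Stop'

# Same folder the guide's "Extract All" creates: C:\temp\AgentInstaller_Win64
$extractDir = Join-Path (Split-Path -Parent $Package) ([IO.Path]::GetFileNameWithoutExtension($Package))
Expand-Archive -LiteralPath $Package -DestinationPath $extractDir -Force

$installer = Join-Path $extractDir 'install_agent.bat'
if (-not (Test-Path -LiteralPath $installer)) { throw "install_agent.bat not found in $extractDir" }

# Run the batch file under cmd.exe and wait for it, as the guide does interactively.
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList @('/c', "`"$installer`"") `
    -WorkingDirectory $extractDir -NoNewWindow -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Warning "install_agent.bat exited with code $($proc.ExitCode); checking the log anyway"
}

# The guide's success marker, searched for anywhere in the log.
if (-not (Test-Path -LiteralPath $LogFile)) { throw "$LogFile was not written; the installation did not start" }
$ok = Select-String -LiteralPath $LogFile -SimpleMatch 'Installation operation completed successfully' -Quiet
if (-not $ok) { throw "Success marker not found in $LogFile; review the log before trusting this endpoint" }
Write-Host "Agent installed on $env:COMPUTERNAME; marker found in $LogFile"

# Informational: list Symantec DLP services now present on the endpoint.
Get-Service | Where-Object DisplayName -like '*Symantec DLP*' | Format-Table DisplayName, Status -AutoSize
```

Whether the agent actually reports in is still confirmed from the Enforce side (System > Agents > Overview), since a successful local install does not prove the agent can reach the Endpoint Server on 10.10.2.50.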

Verify the Agent is reporting to the Endpoint Server

Change to: WS-Enforce

1. On the WS-Enforce VM, log back in to the Enforce administration console if the console has timed out.

2. Go to System > Agents > Overview.


If the newly installed Agent is successfully reporting in to the Endpoint Server, the “Total number of
agents” should be “1”, and a green circle with a white checkmark above the text “OK” and the number
“1” should be displayed.

3. Click the OK link to view details about the Agent, including endpoint Machine Name, assigned Agent
Group and Agent Configuration, Connection Status, the Endpoint Server the Agent is reporting to,
endpoint IP Address, Agent software Version, and more.

4. Click the ENDPOINT link in the Machine Name column to view the Agent events that have occurred
from the time the Agent began reporting to the Endpoint Server.

End of exercise

Exercise 5: Test the Symantec DLP deployment
In this exercise, you test your Symantec DLP installation to verify that sensitive information is being
detected and that associated incidents are created. You will define a test policy, response rule, and Agent
Configuration to detect and block an attempt to copy a file containing credit card information from an
endpoint computer to a network share. You will then verify that an incident was captured for this event.

Estimated exercise time:


25 minutes

Steps:

Define a test response rule, policy, and Agent Configuration

Log in to: WS-Enforce

1. Log in to the WS-Enforce VM using the following credentials:


Username: example\Administrator
Password: train

2. Launch Firefox and go to the Enforce administration console URL:


https://enforce.example.com

3. Log in to the Enforce administration console using the following credentials:


Username: Administrator
Password: Tra1n!ng

4. In the Enforce console, click Manage > Policies > Response Rules.

5. Click Add Response Rule.

6. Select Automated Response and click Next.

7. In the Rule Name field, type: Block Copy to Network Share

8. From the Actions drop-down list, select Endpoint > Prevent: Block.

9. Click Add Action.

10. Take a moment to review the blocking message that the endpoint user will see, along with the
justification options the user will be offered. Notice that you can edit the blocking message and control
which justification options are available to the user.

11. Scroll back up to the top of the page and click Save.

12. Go to Manage > Policies > Policy List.

13. Place a mark in the check box at the top of the policy list’s left-most column.

14. Click Suspend to suspend all active policies.

15. Click OK when you are asked to confirm that you want to suspend the selected policies.

16. After all the existing policies show a red circle with a diagonal white line in the “Status” column
(indicating they are suspended), click New.

17. Select Add a blank policy and click Next.

18. In the Name field, type: CC Info

19. From the Policy Group drop-down list, select Confidential Data Protection.

20. On the Detection tab, click Add Rule.

21. In the “Content” section, select Content Matches Data Identifier, and from the adjacent drop-down
list, select Financial > Credit Card Number.

22. Click Next.

23. In the Rule Name field, type: Detect CC Numbers

24. Leave all the “Severity” and “Conditions” settings at their defaults and click OK.

25. Click the Response tab.

26. From the <choose response rule> drop-down list, select Block Copy to Network Share.

27. Click Add Response Rule.

28. Click Save.

29. Make sure that the “CC Info” policy shows a green circle in its “Status” column, indicating it is active.

30. Go to System > Agents > Agent Configuration.

31. In the Agent Configuration list, click *Default Configuration.

32. On the “Channels” tab, under the “Enable Monitoring” section, place a mark in the Network Shares >
Copy to Share check box.

33. Click the Advanced Settings tab.

34. Change the following Advanced Settings to reduce the amount of time you have to wait for the test
Endpoint incident to be reported:

Advanced Setting                                            Default value   Change to:
EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int    270             10
EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int          30              0
ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int     900             15

CAUTION! Although reducing the values of these Agent Advanced Settings causes Endpoint
incidents to be reported more quickly in testing, you should NOT change these
settings in a production DLP environment; doing so will significantly increase the
load on Endpoint Servers and decrease the number of Agents that each Endpoint
Server can support. If you change these settings as part of testing, remember to
set them back to their defaults and apply the updated Agent Configuration
before you put your DLP environment into production.

35. Scroll up to the top of the page and click Save.

36. Click Apply Configuration.

37. Place a mark in the check box to the left of the “Default Group” item.

38. Click Update Configuration.

39. Click OK to confirm that you want to update the configuration of the “Default Group”.

40. Wait 15 minutes for the updated Agent Configuration to be pushed to the WC-Endpoint VM.
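The Credit Card Number Data Identifier selected in step 21 is what makes the "CC Info" policy useful: a Data Identifier pairs a digit pattern with a validator, so a 16-digit order number does not raise an incident while a genuine card number does. The Python below is an added example for this lab, not Symantec code and not the product's own Data Identifier implementation; it assumes (as the Luhn mod-10 checksum is the standard validator for card numbers) a 13-19 digit candidate pattern plus a Luhn check, and runs over a constructed sample document that stands in for the Customer Records.xlsx file used in the next section. It also masks the matched numbers the way an incident view should, rather than echoing the full card number.

```python
from __future__ import annotations
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit or hyphen (avoids matching mid-run).
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the normalized digit strings of all Luhn-valid candidates in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Pattern match alone is not enough; the validator is what cuts false positives.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, as an incident record should display them."""
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample document (not a real file). Card numbers are well-known
# test numbers; the "order reference" is 16 digits but fails the Luhn check.
SAMPLE_DOC = """Customer Records export (constructed sample)
Alice Example, card 4111 1111 1111 1111, exp 12/27
Bob Example, card 5500-0000-0000-0004
Order reference 1234 5678 9012 3456 (not a card)
Support line 555-123-4567
"""


def scan_document(text: str = SAMPLE_DOC) -> dict:
    """Summarize what a policy built on this identifier would report for the document."""
    matches = find_card_numbers(text)
    return {
        "match_count": len(matches),
        "masked": [mask_pan(m) for m in matches],
        "would_trigger_incident": bool(matches),
    }


if __name__ == "__main__":
    print(scan_document())
```

The order reference and the phone number never reach the validator (the phone number is too short to be a candidate; the reference is a candidate but fails Luhn), which is the behaviour you want from the policy before adding a blocking response rule to it: a bare 16-digit regex would have blocked the copy of any document carrying an order number.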

Attempt to copy sensitive information from the endpoint computer to a network share

Change to: WC-Endpoint

1. On the WC-Endpoint VM, open a File Explorer window and go into the following folder:
C:\Doc_Repository

2. In the File Explorer window, click File > Open New Window.

3. In the “Quick Access” list of the second File Explorer window you just opened, click
DLPDownloadHome.
This is the network share on the WS-Enforce VM from which you have been copying installation files to
the various VMs used in the labs.

4. Position the two open File Explorer windows so that you can see the contents of the
Doc_Repository folder on the WC-Endpoint VM to the left and the contents of the
DLPDownloadHome share on the WS-Enforce VM to the right.

5. Drag the Customer Records.xlsx file from the Doc_Repository folder to the
DLPDownloadHome share.

6. In the “Blocked” dialog that appears, select the option My manager approved this transfer of data and
click OK.
Notice that the Customer Records.xlsx file is not copied to the network share.

Change to: WS-Enforce

1. If the Enforce administration console has timed out, log back in to the console as the Administrator
user.

2. Go to Incidents > Endpoint.


Incident ID 00000001 should be displayed. If no incident is displayed, click the Enforce console’s
Refresh button repeatedly until the incident appears.

3. Inspect the incident details by clicking the 00000001 link in the incident’s “ID / Policy” column.

In conclusion, the fact that Symantec DLP is able to detect sensitive information and generate incidents
indicates that your Symantec DLP deployment is working properly.

End of exercise
