Foreword
Greetings, dear Habr readers.
On Habrahabr, information protection tools (SZI) against unauthorized access (NSD) are mentioned quite rarely, judging by search. For example, a search for "Dallas" returns 26 topics and 2 questions, and of all of them only one topic mentions the Dallas Lock SZI against NSD from the St. Petersburg company Confident LLC. For the other tools the picture is similar. In this post I would like to share my experience of using such tools and the most frequent mistakes and misunderstandings that come up when working with them.
Basic tools
In our company, customers are offered three options for software and hardware information protection:
All three products are roughly equal in features (especially since Dallas Lock added control of USB devices in version 7.7), so the choice of a specific tool is decided either by whether it can be installed in the target system or by the level of relationships with the suppliers.
By "whether it can be installed" I mean differences in the SZI architecture and requirements for hardware. For example, both Dallas Lock and NT Guard take control of the computer at boot time and do not let the operating system start until the user enters a password and presents an identifier. The difference is in how this mechanism is implemented: NT Guard uses a PCI expansion card that has to be installed inside the PC (in newer versions this is no longer required; it was announced for version 2.5 as well, but it did not work, and it was easier to use another SZI). Accordingly, Dallas Lock, for example, could be installed on a laptop, since its entire trusted-boot implementation is purely software.
"Level of relationships with suppliers" should be read as "the possible resale margin". Recently it has also become possible to convince management with the arguments "quality of technical support" and "ease of use".
Application
Almost all orders require certification of standalone automated workstations (AWS). Accordingly, the network versions of the security software are rarely used. With the standalone versions everything is simple: Secret Net is the favorite, for its very convenient, simple and clear configuration, full integration into Windows components (MMC console snap-ins) and clear access control. NT Guard is in second place: its configuration is more complicated, and its mandatory access control mechanism is somewhat unclear to users. Dallas Lock, up to version 7.5, was rarely used because of the lack of USB device control. With the arrival of version 7.7 the situation will change, not least because of the pricing policy.
In the network version (so we consider only Secret Net and Dallas Lock) the situation is the opposite, and less simple. On the one hand, the convenience of Secret Net's configuration has not gone anywhere, and its integration into Active Directory and use of the OS's own mechanisms is quite simple and straightforward. On the other hand, all the capabilities of its network version (specifically the Security Server, in Secret Net terminology) amount to collecting logs remotely, whereas the security administrator's workstation in Dallas Lock allows remote manipulation of every security setting of each connected client. Often this is the decisive factor in choosing an SZI. Once I had to listen to a lot of surprise and frustration from a customer's administrator when he saw what his domain could look like with it. Unfortunately, that customer was tied to Informzashchita, and purchasing the Confident product was impossible.
Problems
Many errors arise simply from carelessness or a lack of understanding of how a particular SZI works. Of course, the documentation and manual will help resolve the situation, but it is often easier to call the integrator who installed the protection system. Naturally, the problem gets fixed, but time is lost, both the customer's and the integrator's. I want to share my personal experience, which may help in resolving the most typical user complaints.
Let's start.
Secret Net
A favorite is always a favorite. Many problems arise from ignorance of an almost fundamental property of the installed SZI: all folders created in the file system are always unclassified, while files receive the current session secrecy level, which can be checked in the pop-up window:

A frequent problem is an office suite (Word, Excel) that does not work. By the way, do not forget that the SZI does not work with OpenOffice.org at all. The errors can be very different, but the reason for all of them is that the folders needed for the suite's service operations were not configured properly from the access control point of view. A complete list of these folders is given in the documentation, and specific problems can always be diagnosed through the Secret Net log: information about any program's actions appears in the journal. When assigning mandatory labels to files and folders, remember that a folder's label should be as high as is permissible for the particular workstation, because Secret Net only allows storing in a folder files whose label is not higher than the folder's label. Accordingly, if Microsoft Word is running in a secret session, the specific folder it writes autosave files to must be labelled secret.
There are situations where software was installed in a session other than "unclassified". Of course, it is worth reinstalling it, choosing an unclassified session, to make it work:

Where USB flash drives are permitted on an automated workstation, copying large amounts of data sorted into folders may turn out to be impossible. Here everything is the same: the newly created folder is unclassified, while the files automatically receive the current label. If the use of flash drives is prohibited, then when such a device is connected the PC is locked; the two highlighted parameters, set to "hard", are responsible for this:

If users constantly complain that the computer is slow, and Kaspersky Anti-Virus is used in the organization, it is worth checking its version: version 6.0.3 is often incompatible with Secret Net 5.x. Once it is updated, the slowdowns disappear:

And finally, a small tweak can greatly simplify users' lives and save their nerves. Look in the registry branch HKLM\System\CurrentControlSet\Services\SNMC5xx\Params (for 5.x versions), where you will find two string parameters, MessageBoxSuppression and ByDir, in which you can list file extensions or folders for which no dialog boxes will be shown when the secrecy category of a resource is raised.
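As an added example, not code from the original post or from the vendor, here is a PowerShell audit of that tweak: it lists what is currently in MessageBoxSuppression and ByDir so the security administrator can review for which resources users no longer see the label-raise dialog, and can append an entry with a dry run first. It assumes the service key is named SNMC5* (the "xx" varies by version), that both values are REG_SZ, and that entries are separated by ";" (the separator is an assumption; check it against the Secret Net documentation).

```powershell
# Added example, not part of the original post. Assumptions: service key SNMC5*,
# REG_SZ values, ';' as the list separator (verify against the documentation).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SnSuppressionParams {
    # Return the Params key path for every SNMC5* service found (may be empty).
    Get-ChildItem -Path $Base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'SNMC5*' } |
        ForEach-Object { Join-Path -Path $_.PSPath -ChildPath 'Params' } |
        Where-Object { Test-Path -Path $_ }
}

function Show-SnSuppression {
    # Print the current entries so the scope of the suppression can be reviewed.
    $paths = @(Get-SnSuppressionParams)
    if ($paths.Count -eq 0) { Write-Warning 'No SNMC5xx\Params key found; is Secret Net 5.x installed?'; return }
    foreach ($path in $paths) {
        $p = Get-ItemProperty -Path $path
        foreach ($name in 'MessageBoxSuppression', 'ByDir') {
            $entries = @(($p.$name -split ';') | Where-Object { $_ -ne '' })
            '{0}\{1}: {2} entries' -f $path, $name, $entries.Count
            $entries | ForEach-Object { "    $_" }
        }
    }
}

function Add-SnSuppressionEntry {
    # Append one extension or folder to a list without duplicates.
    # Run with -WhatIf first to see the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('MessageBoxSuppression', 'ByDir')][string]$Name,
        [Parameter(Mandatory)][string]$Entry
    )
    foreach ($path in Get-SnSuppressionParams) {
        $current = @(((Get-ItemProperty -Path $path).$Name -split ';') | Where-Object { $_ -ne '' })
        if ($current -contains $Entry) { "$Entry is already present in $Name"; continue }
        $new = ($current + $Entry) -join ';'
        if ($PSCmdlet.ShouldProcess("$path\$Name", "set to '$new'")) {
            Set-ItemProperty -Path $path -Name $Name -Value $new -Type String
        }
    }
}

Show-SnSuppression
# Add-SnSuppressionEntry -Name MessageBoxSuppression -Entry '.tmp' -WhatIf
```

Keep the lists short: every extension or folder added here is one more place where a user's data changes classification without any prompt.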
NT Guard
With this SZI, problems are much rarer (at least among our clients), which may indicate a more user-friendly protection mechanism.
Misunderstandings with this software are associated with the need to choose the secrecy level of each application separately and the inability to delegate any rights to the standard Windows Explorer. Accordingly, if registered USB flash drives on the automated workstation are secret, an attempt to open them in Explorer results in an access error. You must use the installed file manager instead, selecting at its launch the clearance level corresponding to the secrecy of the flash drive.
Also, if when opening a Word or Excel document the secrecy level selection window appears first and then the corresponding editor opens without the requested document, this is normal. Simply reopen the file from within the office application itself.
Dallas Lock
As with NT Guard, there were very few errors: passwords not being accepted, the "secrecy category" field disappearing from the login window, and an error binding an electronic identifier.
The first error is related to the possible use of two passwords, one for Dallas Lock and one for Windows; they can be set to different values, including by accident (for example, when the administrator changes a password). In that case, after boot, enter the Dallas Lock password in the Windows welcome window, click OK in the SZI/OS password mismatch dialog, then enter the Windows user password and tick "Use in Dallas Lock".
The second is related to the session secrecy selection field, which is hidden by default. Users sometimes forget about it and then complain that they cannot even get into folders marked DSP (for official use only).
An electronic identifier may fail to bind if the operation is performed for the administrator account, or if the token being used is not supported by that version. For example, in version 7.5, an eToken 64k with the eToken RTE driver works, while the older eToken PKI does not, nor does the eToken 72k Java.
Afterword
I hope this post will be useful to the community, or at least informative. Thanks for your attention!