Identity Finder - Creating and Using Policies

Guide to creating and using Policies in the Identity Finder Console for endpoint management.

Overview

Because of the large number of configuration options available, policies are an extremely flexible way to manage many endpoints from a single source. At the same time, it is easy to overlook important settings, and creating a policy from scratch can be quite time consuming. Because of this, IT Security has created three baseline policies that, when used together, provide a complete, optimized configuration for scanning for Social Security Numbers, the first focus of the Restricted Data Discovery project. Departmental IT administrators are welcome to use these policies for configuring endpoints and will only need to set up a scan schedule. Administrators wanting more control over their endpoints can choose to use some or none of the IT Security baseline policies and create new policies.

NOTE: This guide will not attempt to explain every policy setting that can be configured. Settings that have been deemed critical to the function of the Identity Finder client and those that are non-critical but used commonly will be discussed. Administrators are encouraged to explore the available options using the Console's built-in help window. When viewing a policy's settings, the help window for a particular setting can be accessed by double-clicking the setting name and navigating to the "Explain" tab.




IT Security Baseline Policies

IT Security has already created three policies to provide a baseline experience for administrators who want endpoints fully configured from first installation. The three policies and their functions are described below:

  • _0Base - This policy defines the most basic client and Console communication settings and disables commonly unused services.
  • _1LocationsAndIdents - This policy defines the locations on the computer to search, as well as the Identity Types that will be searched for.
  • _2OptimizedExp - This policy tweaks the default configuration to increase the speed of scans and further narrows the scope of the scans.
These three policies were designed to work best when used together, but administrators wanting more control can use some or none of these policies. Because each policy builds on the previous policy, administrators can choose to use:
  1. Only _0Base
  2. _0Base and _1LocationsAndIdents
  3. _0Base, _1LocationsAndIdents and _2OptimizedExp
  4. None
If you would like to use these policies, please contact the Help Desk for assistance. Please see the below descriptions for additional details about these policies, and use the "Explain" window in the Settings view to learn in detail what each setting does:

_0Base

This policy defines basic client behavior and necessary client-Console communication settings. Many settings in this policy are overridden in the _1LocationsAndIdents and _2OptimizedExp policies, but a notable exception is the Profile Password requirement. Profile passwords are required and must comply with UW-Madison's password requirements.

_1LocationsAndIdents

This policy defines the locations to search and the Identity Types to search for. The locations to search include:

  • The entire computer, except common system-only directories
  • Browsers: Internet Explorer and Firefox
  • Cloud directories: Dropbox, Microsoft OneDrive, Box, Google Drive, Amazon Cloud Drive
  • Email: Outlook and Thunderbird email attachments
The Social Security Numbers Identity Type has been explicitly enabled in this policy, but no other Identity Types have been enabled or disabled. This means that end users will be able to enable or disable these types through the client. The _2OptimizedExp policy, described below, builds on this policy by explicitly disabling all other types. Also disabled is the Endpoint Watcher feature, which prompts the user to scan removable media (e.g., a flash drive) upon the device's insertion.

_2OptimizedExp

This policy is used to narrow the scope of the searches as much as possible. To this end, the only Identity Type enabled is Social Security Numbers, and all other Identity Types have been explicitly disabled, meaning the end user will not be able to enable these from within the client. Additionally, the "Quarantine" action is disabled. Quarantine is used to copy the identified location to a new location on the machine, securely deleting the original. Because there is no mechanism to ensure the security of the location, IT Security does not recommend using the Quarantine action. Finally, the extra tools provided by Identity Finder, such as Password Vault and System Cleanup, are disabled. These tools are unnecessary for the needs of the Restricted Data Discovery project.

Scheduling Scans with the IT Security Baseline Policies

To help provide a higher degree of flexibility to each department, the IT Security baseline policies do not define any sort of scan schedule. Below is a step-by-step guide to creating a Scheduled Task policy that can be used in conjunction with the IT Security baseline policies to do automated scanning of your endpoints. This guide assumes you have chosen to use all three IT Security policies; additional policy settings will need to be configured if you have chosen to use only _0Base, or only _0Base and _1LocationsAndIdents.

First, navigate to the "Policies" tab of the Identity Finder Console.


Next, click the "Create" button from the "Policy" drop down button.


You will be taken to the "Policy" tab of the Policy Wizard. You will specify a name for your policy, add an optional description, and choose the policy type. While descriptions are optional, it is good practice to include a brief description of the policy's intent for other administrators who may view it in the future. Choose "Scheduled Task" as the policy type, and uncheck the "Specify settings to be used during the tasks specified in this policy" check box.

IT Security recommends you use the "TagName - Policy Title" format when naming your policy. While you may only see the three IT Security baseline policies in your policy list, there are in fact dozens, if not hundreds, of policies in the Policy List, all hidden from your Console Role. Because of this, simply naming your policy "Automated Scan every 6 mo." or "2015 One-time scan" does not provide sufficient information for identifying which policies belong to whom and which policies are still in use. IT Security will periodically remove, without warning, policies whose titles do not provide sufficient identification information.



After clicking "Next", you'll be taken to the "Schedule" tab. You will add a Scheduled Task by clicking "Add" in the ribbon. An example schedule is shown below. Click "OK" to save your task. After adding your Scheduled Task(s), click "Next" to go to the "Endpoints" tab.


The "Endpoints" tab allows you to select one or more tags to which this policy will be applied. Because machines on our network move around very often, only apply a policy to a Simple tag. If a machine from another department connects to your network in the IP space represented by a dynamic tag, there is a good chance that the machine will apply your policy if it is defined on the dynamic tag. Simple tags are denoted with the computer icon and dynamic tags with the <> icon. You can apply your policy to individual machines by expanding the tag groups with the triangle button.


Clicking "Finish" will create your policy. Congratulations! Once your endpoints receive their policy changes, they will be ready to perform the scan(s) and you can begin remediation once results start coming in.


Create a New Policy

To create a new policy, first navigate to the "Policies" tab of the Identity Finder Console.


Next, click the "Create" button from the Policy drop down button.


You will be taken to the "Policy" tab of the Policy Wizard. You will specify a name for your policy, add an optional description, and choose the policy type. While descriptions are optional, it is good practice to include a brief description of the policy's intent for other administrators who may view it in the future. Policy types are described below.


Policy Types

The Identity Finder Console allows you to create three types of policies: "System", "User Default" and "Scheduled Task":

  • System - Settings defined in a System policy will apply to all scans, including scans scheduled in the Console and on-demand scans started through the client. These settings cannot be changed by the end-user through the client. Caution must be taken when defining a System policy to avoid confusion and frustration from your users. You can optionally allow System settings to be overridden by settings defined in Scheduled Task policies by checking the "Allow settings specified in Scheduled Task policies to take precedence over settings in this policy" check box presented in the Policy Wizard, or by clicking the policy name in the Policy List and checking the check box in the main view.
  • User Default - Settings defined in a User Default policy take the place of the default application settings on your endpoints. These settings can be changed by end-users from within the client. You can optionally reset any changes made by end-users by checking the "At the start of each interactive session, reset any changes made by the end-user to the settings defined in this policy" check box.
  • Scheduled Task - Scheduled Task policies differ from System and User Default policies in the sense that they are very self-contained. Settings defined in a Scheduled Task policy will only apply to that particular scheduled task. This allows for a high degree of flexibility when creating automated scans because settings can be enabled or disabled for a single type of scan. It is important to note that settings defined in a System policy are considered authoritative by default. To allow a Scheduled Task policy to override settings defined in a System policy, you must check the "Allow settings specified in Scheduled Task policies to take precedence over settings in this policy" check box in your System policy.


Clicking "Next" will take you to the "Templates" tab of the Wizard. To continue creating a new policy, simply leave the "New Policy" radio button selected and click "Next" again.

The "Endpoints" tab allows you to select one or more tags to which this policy will be applied. Because machines on our network move around very often, only apply a policy to a Simple tag. If a machine from another department connects to your network in the IP space represented by a dynamic tag, there is a good chance that the machine will apply your policy if it is defined on the dynamic tag. Simple tags are denoted with the computer icon and dynamic tags with the <> icon. You can apply your policy to individual machines by expanding the tag groups with the triangle button.


Clicking "Next" will take you to the "Results" tab. This is where you will specify how your endpoints' matches and locations are sent to the Console. IT Security does not recommend sending the complete match string to the Console; instead, send only the last four characters. Not sending the full match string can pose some challenges when identifying false positives, but this is often not an issue when the full path of the location is included, which IT Security recommends sending.


The "Next" button will take you to the "Identities" tab. Each identity type can have one of three states: explicitly enabled, explicitly disabled, and not included in the policy. Identity types that are explicitly enabled will have a green check mark in their check boxes, and those that are explicitly disabled will have a red "X" in their check boxes. Identity types not included in the policy will have nothing in their check boxes. If your intent is to tightly control what your users can and cannot search for, it is very important to explicitly enable or disable identity types. While settings defined in a System policy cannot be changed by the end user, this is not the case for identity types that are not included in a policy. For example, if you wanted to create a policy that only searched for Social Security Numbers, you would have to explicitly enable the Social Security Number type and explicitly disable all other types. If the other types are not explicitly disabled, an end user could turn on these identity types from within the client. While the focus of the Restricted Data Discovery project is on Social Security Numbers, you are free to enable or disable other types as you see fit.

In this example, the policy will always search for Social Security Numbers and never search for passwords. All other types can be enabled or disabled by the end user from the client.
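The three identity-type states and the way the baseline policies layer on one another are easy to get wrong, so the following is an added model of those rules (it is example code written for this guide, not Identity Finder's own logic). Policy and identity names follow the article; the merge and toggle rules are an assumption based on the article's description, and the identity types listed are an assumed subset.

```python
"""
Model of the "Identities" tab: explicitly enabled, explicitly disabled, or
not included (empty check box, which the end user may toggle).  The merge
rule for layered policies is an assumption modelled on the article, not
the Console's implementation.
"""

ENABLED = "enabled"        # green check mark: always searched
DISABLED = "disabled"      # red X: never searched, user cannot enable
NOT_INCLUDED = None        # empty check box: end user may toggle it

# Assumed subset of identity types for the example.
IDENTITY_TYPES = ("SSN", "CCN", "Password", "Telephone")

# _1LocationsAndIdents: SSN explicitly enabled, no other type touched.
LOCATIONS_AND_IDENTS = {"SSN": ENABLED}

# _2OptimizedExp: SSN stays enabled, every other type explicitly disabled.
OPTIMIZED_EXP = {"SSN": ENABLED, "CCN": DISABLED,
                 "Password": DISABLED, "Telephone": DISABLED}

# The article's own example policy: always search SSNs, never passwords.
SSN_NO_PASSWORDS = {"SSN": ENABLED, "Password": DISABLED}


def merge_policies(*policies):
    """Combine policies in the order in which they build on each other.

    A later explicit state overrides an earlier one; a type that a later
    policy leaves NOT_INCLUDED does not undo an earlier explicit state.
    """
    merged = {}
    for policy in policies:
        for ident, state in policy.items():
            if state is not NOT_INCLUDED:
                merged[ident] = state
    return merged


def user_toggleable(policy, identity_types=IDENTITY_TYPES):
    """Types the end user can still switch on or off from the client:
    those the policy neither explicitly enables nor explicitly disables."""
    return sorted(t for t in identity_types if policy.get(t) is NOT_INCLUDED)


def effective_search_set(policy, user_enabled=(), identity_types=IDENTITY_TYPES):
    """What a scan will actually look for: explicitly enabled types plus
    any NOT_INCLUDED types the user turned on.  Explicitly disabled types
    stay out even if the user asks for them."""
    searched = set()
    for t in identity_types:
        state = policy.get(t)
        if state == ENABLED or (state is NOT_INCLUDED and t in user_enabled):
            searched.add(t)
    return searched


if __name__ == "__main__":
    base_only = merge_policies(LOCATIONS_AND_IDENTS)
    full = merge_policies(LOCATIONS_AND_IDENTS, OPTIMIZED_EXP)
    print("toggleable with _1 only:", user_toggleable(base_only))
    print("toggleable with _1 + _2:", user_toggleable(full))
    print("searched, user enables CCN, _1 only:", effective_search_set(base_only, {"CCN"}))
    print("searched, user enables CCN, _1 + _2:", effective_search_set(full, {"CCN"}))
```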


Clicking "Next" for a final time will take you to the "Locations" tab. By default, many of the location types will be included in your search. The most important of these is the "Files" type, which specifies 1) that Identity Finder should search files and 2) the scope of the file search. The scope of the file search can either be "Computer", "Documents" or "Custom".

  • Computer - The entire system will be searched, including additional internal and external disks, and system directories. Because file permissions will differ depending on their locations, it is best to run "Computer" scans with the system account, rather than the locally logged on user's account.
  • Documents - Despite what the name suggests, "Documents" will scan the currently logged on user's entire user profile, not just their Documents/My Documents folders. On a Windows machine, this translates to the %USERPROFILE% environment variable and includes %APPDATA%. Additionally, redirection will be followed for files and folders in the My Documents and Desktop folders. On a Mac, "Documents" is equivalent to $HOME, which includes ~/Library/.
  • Custom - When using "Custom", the scan will only search the folders that you have specified. These folders can be added by using the "Add" button in the ribbon after selecting the "Custom" type from the drop down menu.
Identity Finder has the ability to search compressed files, emails and browsers too. Compressed and archived file types that Identity Finder can search include zip, 7z and tar (gzip and bzip2), among others. It can also search all major internet browsers. While it is very important that "Files" is enabled, you can choose whether or not emails or browsers will be searched. In the below example, only local emails will be searched and the user will have the option to enable or disable browser searching.



Clicking "Finish" will create your policy and make it active on your endpoints. Should you want to make any more changes, you can do so by clicking on your policy's name in the Policy List and then choosing the group that you would like to edit. Please note that any changes you make to your policy will be applied by your endpoints at their next polling interval. You can avoid this behavior by putting your policy in Edit Mode.

You now have a few options for further refining your policy. Your policy will look similar to the following when expanded in the "Policy List":


Settings

After clicking on the Settings option, your view will display a table similar to the following image:


Folders can be expanded by clicking on the triangle next to the icon. Because settings are nested into logical groups, settings are written in text using the convention OuterFolder\InnerFolder\SettingName, much like file paths or registry settings on a Windows machine. Common settings are explained below:

  • Console\enable - This setting tells the client to send match and log data to the Console. This setting must be set to "Enable" for Console-based endpoint administration.
  • Console\matchTypes - This setting specifies the types of matches (e.g., SSN, CCN, Telephone Number) that will be imported by the Console. Your endpoints can scan for any type of match but only those types enabled by this setting will be visible from the Console.
  • Console\previewLength - This setting specifies the number of characters before and after the identity match that should be sent to the Console. It is not recommended to send previews to the Console.
  • Console\sendLocation - This setting specifies that the Console should import the location (file path) of a potential match.
  • Settings\Locations\Files\EnableFiles - This setting turns on file search. If this setting is set to "Disable File search" (the default), Identity Finder will run but not search anything. It is therefore very important that this setting is set to "Enable File search".
To edit a setting or review its function, double click on the setting's row in the Settings view.



After double clicking the row, a new window will open, allowing you to change the setting or view a detailed explanation of its function in the "Explain" tab.



When a setting has been explicitly set by a user, the setting name will appear in green text. Similarly, folders that contain settings which have been set by the user will also be displayed in green text.



Search Locations

The Search Locations group expands into five subcategories: Custom Folders, Remote Machines, Databases, Websites and OnlyFind Identities. These subcategories are explained below.

  • Custom Folders - Used for including folders outside the scope of your standard search locations or excluding folders that are in your search's scope.
  • Remote Machines - Used for including machines in your search that are not part of your search's scope (e.g., not part of your tag).
  • Databases - Used for including database servers in your scans. Flat databases, like Microsoft Access databases, do not need to be added here.
  • Websites - Used for including remote websites in your scans.
  • OnlyFind Identities - Used for including OnlyFind Identities in your scans.
New items can be added to these groups by using the "Add" button on the ribbon. Items added to these groups will appear similar to the following example of a location being excluded from a search using Custom Folders:


Scheduled Tasks

The Scheduled Tasks group is where you can schedule one-time or recurring scans based on the settings of the policy. To create a new Scheduled Task, click the "Add" button on the ribbon. The "Add New Task" window will appear.

The options for "Run this search as this user:" are defined below:

  • Local System Account - This will run the scan in the background as the root or administrator user of the machine. Because the scan is being run as a super user, the scan will be able to search files not owned by the current user (e.g., system files).
  • Locally Logged on User (Interactive) - This will run the scan with the permissions of the currently logged on user and the scan window will open automatically.
  • Locally Logged on User (Background) - This will run the scan with the permission of the currently logged on user and the scan window will not be visible to the user.
The user context (Locally Logged on User vs. System Account) used for your scans has important implications beyond just file access. Identity Finder will attempt to update remediation actions taken on a location, but this can only happen if Identity Finder is used in the same context as the previous scan. For example, consider a file "A" that was identified as containing a potential match with a scan using the System account. No action was taken on this file through Identity Finder, but after the scan completed, a user deleted this file outside of Identity Finder. If the next scan is run using one of the Locally Logged on User contexts, Identity Finder will not be able to update this file's action to "No longer exists", because results are saved only under the context of the scan that originally produced this result (in this case, the System context). This means that file "A" will still be listed as an unprotected match in the Console, despite the file no longer existing on the system. Therefore, to reduce the amount of cleanup you will need to do later, you should consider running all scans as the same context. Please note that scans initiated interactively through the client are run as the Locally Logged on User context.

Global Ignore Lists

The Global Ignore Lists group allows you to select which Global Ignore Lists will be applied to your policy. If your Role has any Global Ignore Lists defined, you can enable or disable them by checking or unchecking the check box next to the list name.

Permissions

The Permissions group allows you to set View and Edit permissions on your policy for different Roles in the Console. In general, no other Role should need View or Edit permissions on your policies, but you should edit your permissions to give View and Edit permissions to your Role. If you are part of multiple Roles and would like to share a policy between your Roles, you would grant permissions to those Roles from this screen. This is done by checking the appropriate check boxes, as shown below:


Edit Mode

Putting your policy in Edit Mode allows you to make changes to your policy without those changes being applied by your endpoints. Upon leaving Edit Mode your endpoints will receive the changes at their next polling interval and your policy will be applied the next time the "Update Policy States" service job runs. This service job runs once every hour and until this job completes your endpoints will be listed as "Pending Confirmation" and/or "Pending Update". For a description of these states, please see "Why is my endpoint's 'Policy State' not changing?" NOTE: Because changes are not applied to your endpoints when in Edit Mode, it is very important to be aware of its state. Your policy will display the "Edit Mode" icon in the Policy List when Edit Mode is turned on:




Keywords: "identity finder" identity finder policy policies console endpoint manage management
Doc ID: 43602
Owner: Andy S.
Group: Office of Campus Information Security
Created: 2014-09-18 09:22 CDT
Updated: 2015-02-18 16:49 CDT
Sites: DoIT Help Desk, Office of Campus Information Security