Release Notes
=============

Contents:

 1. What's New
 2. Notes on Encryption
 3. Creating Encrypted Media
 4. The Client and Personal Firewalls
 5. Using IIS on Windows 2003 Server
 6. Best Practice Guide
 7. Valid Trustee Lists
 8. Remote Administration
 9. Audit Log Database Backup and Restore
10. Warning about Missing Msxml2.dll File
11. Programs may fail when you remove MSDE 2000
12. Enabling and Disabling of Communication Port Devices
13. Apache Web Server is now included
14. How to make sure the IIS Default Web Site is started
15. How to force the install of Apache Web Server
16. Issues with Eccentric Group Membership
17. Reboot required after updating Client Service
18. Bluetooth access may lag when users are switched
19. Disabled devices do not report connection events
20. Supported screen resolutions
21. Japanese Epson Multi Function printer, model PX-A620
22. Multifunction printers are showing multiple connection results
23. MSI client installer installs over existing client without any warning messages
24. Apache Web Server cannot be installed to a path with unicode characters
25. Installing on a Domain Controller
26. Vista and hibernation mode
27. Reboot required on Vista after policy change for Windows Mobile Devices
28. Cannot install multiple copies of the database on to one SQL server
29. No Device connection data is logged for PDAs on Vista
30. Foreign or untrusted domain users do not show Implicit Via Group Permissions
31. Fast User switching on Windows XP
32. A reboot may be required for software controlled devices to correctly apply a denied policy
33. Newer Smart Phones may not be enumerated
34. Policy change to Read Only for Floppy drives on Windows 2000
35. Database backup paths
36. Client Deployment share
37. Blocking an iPod Touch
38. Blocking devices on multiple OS's
39. Fast User switching and Temporary Access on Vista

Appendix A: Smart Phones Supported


1. What's New
-------------

- Support for Microsoft Windows Vista
- Policy Customizer improvements
- The ability to add additional licenses
- An Evaluation 'nag' screen


2. Notes on Encryption
----------------------

Encrypted devices must be large enough to support the FAT32 file system.
Devices smaller than 64MB are therefore not encryptable.

After an "Encrypted Format" function, existing unencrypted data may still be
recoverable from the device. You are therefore advised to ensure that any
sensitive unencrypted data that exists on a device is overwritten.


3. Creating Encrypted Media
---------------------------

Encrypted media can be created from the Tools applet that is installed as
part of the Client. Before a device can be encrypted the following must be
true:

1. The device must be recognized as a USB Flash Disk.
2. The device must be large enough to support the FAT32 file system
   (64MB and above).
3. The user must be permitted to format removable media. Note that non-admin
   users are often denied this privilege and will therefore need to be
   granted it via your network's group policy.


4. The Client and Personal Firewalls
------------------------------------

Users with a Personal Firewall installed may see a prompt similar to the
following when the client is first deployed:

    Application attempting to access the Network
    Product Name:     Not available
    Application Name: msiosrv.exe
    Application Path: c:\windows\system32\msiosrv.exe
    Vendor Name:      Not Available
    Version:          4.0

Depending on the Firewall software you have installed, it may be possible to
pre-configure the Firewall to avoid the prompt being displayed. Please refer
to your Firewall software's documentation for details on how to achieve this.


5. Using IIS on Windows 2003 Server
-----------------------------------

This section applies if you wish to use Microsoft IIS for Client/Server
communication. If you disable IIS then Apache Web Server will be installed
and used instead.

Windows 2003 Server Internet Information Services (IIS 6.0) does not, by
default, have the WebDAV World-Wide-Web service installed and activated. The
Client Service requires that the WebDAV service is installed and activated
before device connection audit data can be uploaded to the Audit Log
Database. To install and activate the WebDAV service, do the following:

 1. Open Add/Remove Programs from the Control Panel
 2. Select Add/Remove Windows Components
 3. Double-click Application Server
 4. Double-click Internet Information Services
 5. Double-click World Wide Web Service
 6. Make sure WebDAV Publishing is checked
 7. Click OK and complete the wizard
 8. Open IIS Manager (Administrative Tools: Internet Information Services)
 9. Select the Web Service Extensions folder under the local computer
10. Ensure WebDAV has status "Allowed"

Please note that the IIS server used should only be visible to your internal
network.

If you want to make use of the Dynamic Activity Monitor feature, you will
also have to do the following to activate the DWMonitor IIS Extension:

 1. From the 'Administrative Tools' menu, select 'Internet Information
    Services (IIS) Manager'.
 2. In the tree view on the left, expand the node for the local machine, and
    then select the 'Web Services Extensions' node.
 3. In the tabbed 'Web Services Extensions' page on the right, make sure the
    'Extended' tab is selected.
 4. In the 'Web Services Extensions' page, locate the list of tasks, and
    select the 'Add a new Web Service extension...' task.
 5. In the 'New Web Services Extension' dialog, enter DWMonitorServer as the
    Extension Name.
 6. In the 'New Web Services Extension' dialog, select the 'Add...' button.
 7. In the 'Add file' dialog, select the 'Browse...' button, and browse to
    the location of your DWMonitorServer.dll file. This will be in the
    "Monitor" subfolder off your main installation folder in the Program
    Files folder. Select the DWMonitorServer.dll file, ensure the 'Add file'
    dialog displays the correct pathname for it, then select the 'OK'
    button.
 8. In the 'New Web Services Extension' dialog, confirm that
    DWMonitorServer.dll is now in the list of required files.
 9. In the 'New Web Services Extension' dialog, check the 'Set extension
    status to allowed' checkbox, then select the 'OK' button.
10. In the 'Web Services Extensions' page, confirm that you now have a Web
    Service Extension named DWMonitorServer and that its Status is Allowed.
11. Exit from Internet Information Services (IIS) Manager.


6. Best Practice Guide
----------------------

A "Best Practice" guide is available via the following URL:

http://www.marshal.com/software/EndPoint_Security/EndPointSecurity_BestPractice_46.pdf

This document provides some hints and tips on installing and using the
product.


7. Valid Trustee Lists
----------------------

The Control Center will no longer allow you to create trustee lists that
contain the following entries:

    Deny Builtin\Administrators
    Deny Builtin\Users
    Deny \Everyone

Denying any of these groups results in critical system accounts being denied
access.

Please note that users and groups who are not included in a trustee list are
implicitly denied access. The Deny setting is included to maintain
compatibility with the Windows security model and should be used sparingly.


8. Remote Administration
------------------------

The Control Center is designed to be run on a remote computer by mapping a
drive to the installation folder and launching AdminApp.exe directly from
the mapped drive.

Before it can run, the Control Center will prompt you to install a COM DLL
on to the local computer. This DLL is required for access to the Audit Log
Database and must be installed locally. The Control Center will close if you
choose not to install it.


9. Audit Log Database Backup and Restore
----------------------------------------

Any user who has access to the Control Center will be able to create backups
of the Audit Log Database.

To restore a backup, the Control Center user must be a member of the SQL
Server's System Administrators Role (Group). A restore cannot proceed while
other users or processes are accessing the Audit Log Database.


10. Warning about Missing Msxml2.dll File
-----------------------------------------

If, during the installation process, you selected to install the MSDE SQL
Runtime and then saw a warning message about the file msxml2.dll, then
please refer to the Microsoft Knowledge Base Article 823490. The URL for
this article is as follows:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823490

You will need to install the Hot-fix described in the above article before
Device Connection Data can be successfully added to the Audit Log Database.


11. Programs may fail when you remove MSDE 2000
-----------------------------------------------

If you uninstalled the MSDE SQL Runtime and then saw a warning message about
"Failed to load msxmlsql.dll" when running a program that connects to
another instance, then please refer to the Microsoft Knowledge Base Article
918767. The URL for this article is as follows:

http://support.microsoft.com/kb/918767


12. Enabling and Disabling of Communication Port Devices
--------------------------------------------------------

The communication port devices Bluetooth, Infra Red, and WiFi are controlled
by disabling matching hardware devices in the Windows Device Manager.
"Scanner Like" Digital Cameras are also controlled in this way.

If such a device is detected as disabled and the currently logged-in user is
authorized to use the device, then the device will be re-enabled. If this
behavior is undesirable, it can be switched off by adding the line to the
section of the Policy.xml file.


13. Apache Web Server is now included
-------------------------------------

If the server computer does not have Microsoft IIS installed, or if the IIS
Default Web Site is not started, then the installer will install and
configure Apache Web Server to enable the http based client/server
communications channel. If IIS is available then this will continue to be
used (see the next two sections for more information on how to control the
use of IIS and Apache).


14. How to make sure the IIS Default Web Site is started
--------------------------------------------------------

If MS IIS is installed on your computer, it can be used to enable the
Client/Server communications channel. Alternatively Apache Web Server can be
installed and used. IIS will only be used if the Default Web Site is
started. To check that the Default Web Site is started, do the following:

1. From the Windows Control Panel, select Administrative Tools, then
   Internet Information Services.
2. In the tree control, expand the local computer, then Web Sites.
3. Select Default Web Site.
4. Select the Action menu and check that the Start menu item is greyed out
   (disabled). If the Start menu item is active, select it to start the
   Default Web Site.


15. How to force the install of Apache Web Server
-------------------------------------------------

You can force the installation of Apache Web Server by adding the following
lines to the Setup.ini file that can be found alongside the main
installation Setup.exe file:

    [Config]
    ForceApache=1
    ApachePort=1234

The ApachePort setting will cause Apache to listen on IP port 1234, or any
other port you choose. The default is 80, or 8080 if an existing Apache
installation is present.


16. Issues with Eccentric Group Membership
------------------------------------------

Specifying group membership for a user that is outside the normal accepted
practice for Windows networks can sometimes lead to unexpected results (for
example a user being denied access to a device but logged as allowed, or
vice versa). This behaviour has been observed when users are not members of
the standard Domain Users group but belong to groups that are themselves
members of built-in local groups (e.g. Builtin\Users and
Builtin\Administrators).


17. Reboot required after updating Client Service
-------------------------------------------------

When upgrading the client service, a reboot of the client computer may be
required before all new client functionality is available (for example file
access logging). The reboot is to ensure the latest client device drivers
are correctly installed and running.


18. Bluetooth access may lag when users are switched
----------------------------------------------------

If users with different permissions to access Bluetooth devices share the
same computer, then switching between users can result in the new user
inheriting the permissions of the previous user until the device is
disconnected and reconnected.


19. Disabled devices do not report connection events
----------------------------------------------------

Devices that are controlled by enabling or disabling them in Windows Device
Manager (for example Bluetooth, Infra Red, WiFi) will generate a connection
event the first time they are connected. If the device is then disabled as a
result of the policy in force, connecting the device a second (or
subsequent) time will not generate an event. This is because Windows itself
does not generate events for devices once they are disabled in the Windows
Device Manager. For the same reason, the client user will also not see
policy enforcement pop-ups for these devices once they have been disabled.


20. Supported screen resolutions
--------------------------------

The following are the minimum screen resolutions for the standard system
font sizes:

    +-------------------------+---------------------+
    | Font size               | Minimum Resolution  |
    +-------------------------+---------------------+
    | Normal Size (90 DPI)    | 1024x768            |
    | Large Size (120 DPI)    | 1152x864            |
    +-------------------------+---------------------+

Resolution and font size combinations below those defined in the table
above may not display correctly.


21. Japanese Epson Multi Function printer, model PX-A620
--------------------------------------------------------

This device does not register as a USB device and appears not to register
with a VID/PID when it is connected after the correct software has been
installed. It shows in the imported hardware screen as
[Image] [Epson PX-A620] and [Printer] [Epson PX-A620]. To block this device
from printing, the standard Image class must be blocked, as well as any
custom class that may have been created for this printer.


22. Multifunction printers are showing multiple connection results
------------------------------------------------------------------

Multifunction printers are showing multiple connections - for example the
Canon MP460 shows as a USB connection, Printer and Scanner, and a Digital
Camera. The multiple connections can lead to unexpected results when
blocking device classes - for example blocking Printers and Scanners can
cause the Canon printer to only show as an authorised USB and an
unauthorised Printer/Scanner. The device classes that the device shows in
are dictated by Windows, therefore it is suggested that the most efficient
method of dealing with these devices is through the policy customiser tool.


23. MSI client installer installs over existing client without any warning messages
-----------------------------------------------------------------------------------

If you deploy the client using the MSI installer, it will install over an
existing client without any warnings. This is by design so that it can be
used in remote deployment software.


24. Apache Web Server cannot be installed to a path with unicode characters
---------------------------------------------------------------------------

The Apache Web Server's configuration file is unable to handle folder names
that have non-ASCII characters in them, e.g. Japanese characters.


25. Installing on a Domain Controller
-------------------------------------

You cannot install on a domain controller for the following reasons:

1. There are issues looking up Account SIDs which can cause false positives.
2. Microsoft recommend that a DC should not have SQL Server installed on it:
   http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
3. If issues arise on an installation on a Domain Controller, then the whole
   network may be affected whilst the issue is resolved.


26. Vista and hibernation mode
------------------------------

When trying to deploy to a Vista machine that has hibernated you will get an
error code 11010 - Connection failed. When in hibernation mode all network
communication is suspended and it will not be possible to deploy until that
machine is woken up.


27. Reboot required on Vista after policy change for Windows Mobile Devices
---------------------------------------------------------------------------

If the policy for PocketPC and Windows Mobile devices changes from open to
closed, the new policy settings won't take effect until the client is
rebooted. These devices are controlled by the Windows Mobile Center
software, which is built into the Operating System. As the Operating System
is running when the policy changes, it needs a reboot for the changes to
apply.


28. Cannot install multiple copies of the database on to one SQL server
-----------------------------------------------------------------------

Currently the product does not support creating multiple databases on one
SQL server. If you want to install multiple databases on one machine, create
a separate SQL server instance for each database.


29. No Device connection data is logged for PDAs on Vista
---------------------------------------------------------

On Vista, PDAs and other Windows Mobile devices are not enumerated as
storage devices. This is a change from previous Windows OS's and means that
a new drive letter does not appear when they are connected. Connection data
is only logged when a storage device is connected.


30. Foreign or untrusted domain users do not show Implicit Via Group Permissions
--------------------------------------------------------------------------------

If you enter a user that is not in a trusted domain then the "Implicit Via
Group" cannot be filled in, as the user cannot be resolved to any groups.

There is a workaround: create an authenticated connection to the remote
domain controller. This can be done with the following command:

    net use \\server /user:domain\administrator

Then enter the user's password. Once this is done the Control Center needs
to be restarted, and the users of that foreign domain will show their
implicit permissions.


31. Fast User switching on Windows XP
-------------------------------------

If two or more users log on to a PC running Windows XP then the audit log
data only returns the first logged-on user, because Windows XP does not
update the currently logged-on user. This is not an issue when a computer is
logged on to a domain, as Fast User Switching is disabled for domain
machines.


32. A reboot may be required for software controlled devices to correctly apply a denied policy
-----------------------------------------------------------------------------------------------

Devices that are controlled via software (e.g. CD burning software) may
require a reboot if that software is running when the policy is applied,
either when the client is deployed or when the policy is updated.


33. Newer Smart Phones may not be enumerated
--------------------------------------------

Some new smart phones will only be enumerated when the correct connection
mode on the phone is selected.


34. Policy change to Read Only for Floppy drives on Windows 2000
----------------------------------------------------------------

If the policy is changed to read only for Floppy drives, and it is applied
on a Windows 2000 machine that does not have a disk in the drive, then the
previous policy is maintained until the user either reboots or logs off and
logs on again.


35. Database backup paths
-------------------------

The path for the backup of the database should be entered as a local path
to the SQL server. This path is not validated, as the SQL server can be
remote and it is not possible to validate a remote path.


36. Client Deployment share
---------------------------

By default the client will be deployed to the C: drive using the C$ share.
To change this, on the deployment dialog click the Advanced button to open
the Advanced settings dialog, where the share can be changed.


37. Blocking an iPod Touch
--------------------------

The iPod Touch is recognised as a "Windows Portable Media Player", not an
MP3 player, so to block this device you need to block the "Windows Portable
Media Player" class.


38. Blocking devices on multiple OS's
-------------------------------------

When you want to block a device you need to test that device on all OS's
that it will be used with. It is possible for a device to be recognised in
different device classes depending on the OS; this has been seen with MP3
players being recognised as a "Diskette" device on an old OS but as an
"MP3 Player" on a later OS.


39. Fast User switching and Temporary Access on Vista
-----------------------------------------------------

If you grant Temporary Access to a Vista client and then fast user switch to
another user, the temporary access is revoked for both users, even when you
switch back to the original user to whom the temporary access was granted.


Appendix A: Smart Phones Supported
==================================

The Smart Phone class has been tested with the following phones:

    Sony Ericsson P900i
    Sony Ericsson W900i
    Sony Ericsson W800i
    Sony Ericsson K750i
    Nokia 9300
    Nokia 9500
    Nokia 6230
    Nokia 6280
    Nokia N90
    Nokia 7270
    Nokia 5140i
    Motorola V3 RAZR
    Motorola L7 SLVR
    Motorola U6 PEBL
    Samsung D600
    Samsung SGH-E770

Phones that use similar synchronization software to the above will also
have access blocked, but connection events may not be recorded in the
Device Connection Audit Log.


Marshal Software
January 2010