Content Control on Windows servers

This topic provides information on the Content Control module installed on Windows Server machines.

Important

Content Control on Windows servers requires Bitdefender Endpoint Security Tools 7.5.1.177 or later.

Recommendations and performance impact

By design, the Content Control module on Windows Server machines monitors only user-session traffic. Non-user sessions, such as services running on the server (“session 0”), are ignored. On servers with high end-user traffic, however, there is a performance impact. Take the following considerations into account:

  • The actual performance level depends on usage patterns. Scale up the resources of virtual machines according to the workload type and the Microsoft recommendations, and estimate usage as realistically as possible. For details and best practices, refer to Virtual machine sizing guidelines and to Remote Desktop workloads.

  • Test the feature in a controlled environment to understand the effect on your specific environment. Use simulation tools to test the deployment and make sure the system is responsive and resilient. Test different workloads to avoid surprises.

  • In general, expect a performance reduction of around 60% in multi-session environments, such as servers used by multiple users simultaneously through Remote Desktop Services.

  • Keep in mind that a Windows server has one active policy at any time. Therefore, avoid user-based policy assignment for users expected to operate the systems in multi-session environments.

Installing Content Control on Windows servers

The following procedures describe how to install the Content Control module on managed and unmanaged servers, respectively, using the options in GravityZone Control Center.

Managed Windows servers

To install Content Control on managed Windows Server machines, you need to use the Reconfigure client task to add this module to the already installed Bitdefender Endpoint Security Tools (BEST) agent.

  1. In GravityZone Control Center, go to the Network page on the left-side menu.

  2. Select the target Windows servers.

  3. Select Tasks in the action toolbar, and then the Reconfigure client option.

  4. In the configuration page, under Modules, select Add, and then select Network Protection > Content Control.

  5. Under Scheduler, select when the installation should take place. The task will attempt to run at the specified intervals until it completes successfully.

  6. Click Save.

You can view the task status on the Network > Tasks page.

Unmanaged Windows servers

To install Content Control on unmanaged Windows Server machines, you need to deploy a Bitdefender Endpoint Security Tools package that has this module included.

  1. In GravityZone Control Center, go to the Network > Packages page on the left-side menu.

  2. In the action toolbar, click Add to create a new installation package, or select an existing package and edit it.

  3. In the package configuration page, under Modules, select Network Protection > Content Control and any other module you want to include.

  4. Configure the other installation settings.

  5. Click Save.

  6. Choose one of these ways to deploy the package:

    • Download the kit from the Packages page and install it on the target systems manually.

    • Go to the Network page and use the Install task to deploy the package remotely.

For details on configuring and deploying the package, refer to the GravityZone documentation.

Content Control on Citrix Virtual Apps and Desktops

As part of Content Control on Windows servers, GravityZone supports this module with the Citrix Virtual Apps and Desktops service. Citrix uses Windows Server machines to run virtual applications and remote desktops, so all Bitdefender capabilities work as expected.

When you open a virtual app published in Citrix StoreFront, that app runs in a new dedicated session, for which Content Control scans the traffic.

Regarding Citrix virtual desktops running Windows Server, Content Control scans them the same way as physical servers, monitoring only the traffic from interactive sessions.

Due to the Virtual Apps and Desktops service architecture, you need to install Bitdefender Endpoint Security Tools (BEST) only on the master server. The instances generated from the master server will mirror BEST functionality, including Content Control, without the agent being actually deployed on them.

[Image: citrix-environments.png]

For details on setting up Virtual Apps and Desktops, refer to Citrix documentation.

For details on installing Bitdefender Endpoint Security Tools, refer to GravityZone documentation.

Deploying Network Attack Defense on Windows servers

On Windows servers, Network Attack Defense detects and prevents RDP brute-force attacks by scanning incoming connections on the RDP ports to identify authentication anomalies. Network Attack Defense also scans web traffic when used with Content Control.

Read more about Network Attack Defense.

To deploy Network Attack Defense, you configure all settings in GravityZone Control Center.

Installing Network Attack Defense on managed Windows servers

These instructions address the scenario where Bitdefender Endpoint Security Tools (BEST) is already installed on Windows Server machines. You need to run a Reconfigure client task in Network to deploy the new module.

  1. Go to the Network page on the left-side menu.

  2. Select the target Windows servers.

  3. Select the Tasks > Reconfigure client option in the action toolbar, at the upper side of the table.

    The configuration page is displayed.

  4. Under Modules, select Add and then the Network Attack Defense module. The Network Protection check box is also selected as Network Attack Defense is one of its components.

  5. Under Schedule, select the time interval at which the task should run.

    The task will attempt to run at the specified interval until it completes successfully.

  6. Click Save.

For details on configuring and using the Reconfigure client task, refer to this topic.

Installing Network Attack Defense on unmanaged Windows servers

These instructions address the scenario where Bitdefender Endpoint Security Tools (BEST) is not installed on the target Windows Server machines. You need to create an installation package that includes the new module and deploy it on the target Windows servers.

  1. Go to the Network > Packages page on the left-side menu.

  2. In the action toolbar, click Add to create a new installation package, or select an existing package and edit it.

    The package configuration page is displayed.

  3. Under Modules, select Network Attack Defense and any other module you want to include.

  4. Configure the other installation settings.

  5. Click Save.

Next, you can choose one of these ways to deploy the package:

  • Download the kit file from the Network > Packages page and install it on the target systems manually.

  • Go to the Network page and use the Install task to deploy the package remotely.

For details on configuring and deploying an installation package in GravityZone, refer to this topic.

Blocking or allowing specific websites with Content Control

This section describes how to block or allow specific websites with Content Control in GravityZone.

To change website access permissions:

  1. Log in to GravityZone web console.

  2. Navigate to Policies and select your applied policy.

    [Screenshot: 14489_1.png]

  3. In the Content Control section, go to Web.

  4. Enable Web Access Control by selecting the check mark.

  5. Click Settings to open Web Control Settings.

    [Screenshot: 14489_2.png]

  6. Go to Exclusions to configure website access permissions.

  7. Enter your URL and select Block or Allow in the neighboring field.

  8. Click Save.

    [Screenshot: 14489_3.png]

    Note

    Make sure that the Scan SSL option from the Traffic section in Content Control is checked, otherwise https websites will continue being blocked after excluding them from Web Access Control.

    Important

    In case Content Control does not block websites, make sure you clear the browser's cache on endpoints. If no traffic is made and the content is served locally, the security agent has nothing to scan.

Web Categories in GravityZone Content Control

Web Categories Filter dynamically filters access to websites based on their content. You can use the Web Categories Filter for defining exclusions to the selected Web Access Control action (Allow or Block) for entire web categories (such as Games, Mature Content or Online Networks).

You can define web rules to explicitly block or allow certain web addresses, overriding the existing Web Access Control settings. Users will be able, for example, to access a specific webpage also when the web browsing is blocked by Web Access Control.

To access and manage web categories, follow these steps:

  1. Log in to GravityZone Control Center.

  2. Go to Policies and click to add a new one, or edit an existing policy.

  3. In the policy settings, go to Network Protection and choose Content Control.

  4. Enable Web Access Control and click Settings.

  5. Click the Categories tab and enable Web Categories Filter.

  6. To define a custom filter, select Custom.

  7. Click Web Rules to expand the categories section.

  8. Find the category that you want in the list and select the desired action from the drop-down menu.

  9. Save your changes and then save the policy.

[Screenshot: 68630_1.png]

You can find all the available web categories, along with their descriptions and examples, listed below:

Category

Description

Examples

Web Proxy

This category covers websites which provide a web proxy service that, through a web application, allows users to hide their identification data for anonymous browsing, to access prohibited content, to avoid company monitoring, or to bypass certain imposed constraints (such as location constraints).

http://www.hidemyass.com

Software Piracy

This category covers the following types of websites:

  • Peer-to-peer websites (BitTorrent, eMule, DC++);

  • Tracker websites known as distribution channels for copyrighted content without holders' consent;

  • Pirated commercial software websites and discussion boards;

  • Websites providing cracks, key generators and serial numbers for illegal software use.

http://www.keygenguru.com

Tabloids

This category covers soft pornography and celebrity gossip sites. They are often associated with a printed publication of the same type.

http://www.thesun.co.uk/

Hate/Violence/Racism/Illegal Drugs

This category covers the following types of websites:

  • Discussing religious or sex discrimination;

  • Discussing or promoting aggressive sports, violence and xenophobic content;

  • Belonging to terrorist organizations;

  • Promoting violence, terrorism, bombs, and anarchy;

  • Containing graphical violence;

  • Promoting or hosting discussions about the use of illegal drugs.

http://rotten.com/

Gambling

This category covers the following types of websites:

  • 'Online casino' or 'online lottery' websites, typically requiring a payment before the user can gamble for money in online roulette, poker, blackjack or similar games. Some are legitimate, meaning there is a chance to win, but others are fraudulent and trick users into sending their money with no chance to win.

  • 'Betting tips and cheats' websites which describe 'working' ways to make money on gambling and online lottery websites.

http://www.bet365.com

Medicine/Alcohol/Cigars

This category covers websites discussing, or selling (legal), medical drugs or paraphernalia, alcohol or tobacco products.

Note that illegal drugs are covered in the Hate/Violence/Racism/Illegal Drugs category.

https://www.cigaraficionado.com/

Online Shopping

This category covers online stores, meaning web sites which sell goods or services online, and also the webpages on the regular sites which ask for the credit card information, allowing detection of hidden, unknown or illegal online stores.

http://www.bestbuy.com

Online Payment

This category covers websites that offer users online payment services.

https://www.paypal.com/

Photos/Videos

This category covers photo-sharing websites whose primary purpose is to let users upload and share photos or videos.

http://www.flickr.com http://www.youtube.com

Social Networks

This category covers the social network websites. They are focused on user communities and allow users to communicate by sharing messages and other types of digital content.

www.facebook.com http://www.myspace.com

Online Dating

This category covers websites offering free or paid online dating services, and also webpages containing dating ads.

http://www.match.com

IM

This category covers instant messaging and chat websites, allowing users to chat in real time.

It will also detect websites where instant messaging software is embedded or can be downloaded.

http://www.pidgin.im/

News

This category covers websites which provide both text and video news. It includes both global and local news websites.

http://www.cnn.com

Pornography

This category covers websites containing explicit erotic and pornographic material. It includes both paid and free web sites which provide pictures, stories and videos. It can also detect pornographic content on mixed content websites.

http://www.redtube.com

Mature Content

This category covers web sites which contain sexually explicit information either of medical or scientific nature, such as sexually transmitted diseases, websites with nude art, intimate lingerie or swimsuit content along with websites that contain sexual education information.

https://fhm.com

Religious

This category covers websites dedicated to or describing one or more religions, sects or cults.

It also covers discussion forums related to one or multiple religions along with occult practices.

http://www.scientology.org/

Games

This category covers websites providing games, game presentations and reviews.

This category does not cover official game companies' websites, game discussions websites or websites where non-online games can be downloaded.

http://www.flashgames247.com

Suicide

This category covers websites that offer, detail, promote, or advocate suggestions, instructions, descriptions or methods on how to commit suicide.

https://www.mydeath-mydecision.org.uk/

Health

This category covers the following types of websites:

  • Associated with medical institutions;

  • Related to disease prevention and treatment;

  • Offering information or products about weight loss, diets, steroids, anabolic or HGH products;

  • Providing information on plastic surgery;

  • About body piercing or tattoos;

  • Promoting or hosting discussions about the use of illegal drugs;

Note that websites containing sexual health topics are categorized under Mature Content.

http://www.steroidsrx.com/

Violent Cartoons

This category covers websites and discussion forums that refer to cartoons which may be inappropriate for minors due to violence, explicit language or sexual content.

http://www.bleachportal.net

Blogs

This category covers personal websites as well as all types of blogs: individual, group and even company ones.

A blog is a journal published on the World Wide Web consisting of entries ("posts"), typically displayed in reverse chronological order so the most recent post appears first.

http://www.bleachportal.net

File Sharing

This category covers websites that allow the user to share and/or store files online.

http://www.filehosting.org/

Web Mail

This category covers websites that describe or provide mail services.

http://www.gmail.com

Weapons

This category covers websites that present guns, related to gun or ammunition purchasing, manufacturing and usage, about hunting resources along with air-soft and melee weapons.

http://www.thegunsource.com/

Hacking

This category covers websites that contain software/information on how to crack/hack accounts on the Internet, as well as information on exploits that help users gain control of another person's computer.

This category contains - but is not limited to - Facebook, Yahoo, Twitter or Gmail account hacking.

http://passwordhacking.net/

Scams

This category covers all types of fraudulent web pages involved in identity theft, credit card fraud, advance fee fraud, employment scams, conference fraud, money loan, pay per click, piracy, lottery, and so on.

These types of websites impersonate hotels, banks, law firms, shops, online casinos, rental and escrow firms, and have small lifespans.

N/A

Narcotics

This category covers websites referring to narcotics, such as recreational drugs, psychoactive drugs and dissociative drugs, as well as forums and message boards discussing their use, production and consumption.

http://www.worldofseeds.eu/

Online Photo

This category covers photo-sharing websites whose primary purpose is to let users upload and share photos.

http://www.flickr.com

Search Engines

This category covers websites designed for searching out information within the World Wide Web.

http://www.google.com

Ads

This category covers websites that promote or sell services or products.

http://www.advertising.com

Advice

This category covers websites that allow the users to ask for advice or ask questions on various topics.

http://ask.com

Banks

This category covers banking websites and internet banking services.

https://www.bankofamerica.com

Business

This category covers websites that offer information about available services and products to gain profit.

http://www.microsoft.com

Computers and Software

This category covers the following types of websites: Software, Technical information, Blogs or code discussion groups.

http://stackoverflow.com

Education

This category covers websites with educational content, encyclopedias or dictionaries.

http://www.wikipedia.org

Entertainment

This category covers websites offering information about: Music or music festivals, Movies, Art, Poetry.

http://imdb.com

Government

This category covers websites that contain information or news for local, state, and national governments or related agencies.

http://www.fbi.gov

Hobbies

This category covers websites that contain information or discussions on recreations and hobbies.

http://www.allaboutdogsshow.co.uk

Hosting

This category covers hosting providers and services that offer users the possibility to upload files for general or limited access.

http://hostgator.com

Job Search

This category covers websites that provide job listings and employer reviews.

http://www.careerbuilder.com

Portals

This category covers websites that offer information from multiple sources and provide access to other services, such as e-mail, forums or search engines.

http://www.yahoo.com

Radio Music

This category covers websites that stream audio content.

http://8tracks.com

Sports

This category covers websites about sporting events or virtual sports, including news, scores, and statistics.

http://www.cbssports.com

Time Wasters

This category covers websites containing general information on which users tend to spend a lot of time.

http://www.reddit.com

Travel

This category covers websites that allow the users to book or plan trips, holidays or flights.

These types of websites can also contain travel tips, destination information, and other rental services.

http://www.tripadvisor.com

Network Attack Defense: SSH PKI authentication on endpoint outbound connections

Network Attack Defense protection for SSH uses a modified version of libssh to proxy client connections to the product, which then connects to the remote server. Client-product and product-remote server connections are only established at the transport layer.

Before accepting connections, the proxy initializes its server by loading the SSH host keys in /opt/bitdefender-security-tools/etc/ssh.

It tries ssh_host_rsa_key, then ssh_host_ed25519_key and finally ssh_host_ecdsa_key.

The first key found is used. If none is found, a completely new set of keys is generated automatically and the RSA key is used.

The directory layout of /opt/bitdefender-security-tools/etc/ssh is a copy of the one found on VMware ESXi (5.0 and later). Additionally, for each user, the directory /opt/bitdefender-security-tools/etc/ssh/keys-$user holds that user's private keys and may also contain an authorized_keys file. The authorized_keys file is required when the proxy authenticates to the remote host using one of the user's private keys.

Check the following directory contents example:

# ls -lR etc/ssh/
etc/ssh/:
total 24
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:47 keys-root
drwxr-xr-x. 2 root bitdefender   58 Oct 11 15:50 keys-test
-rw-------. 1 root bitdefender  241 Oct  6 02:42 ssh_host_ecdsa_key
-rw-------. 1 root bitdefender  180 Oct  6 02:42 ssh_host_ecdsa_key.pub
-rw-------. 1 root bitdefender  395 Oct  6 02:42 ssh_host_ed25519_key
-rw-------. 1 root bitdefender  100 Oct  6 02:42 ssh_host_ed25519_key.pub
-rw-------. 1 root bitdefender 3272 Oct  6 02:42 ssh_host_rsa_key
-rw-------. 1 root bitdefender  744 Oct  6 02:42 ssh_host_rsa_key.pub

etc/ssh/keys-root:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:47 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 22  2021 id_rsa
-rw-------. 1 root bitdefender  400 Oct 22  2021 id_rsa.pub

etc/ssh/keys-test:
total 12
-rw-------. 1 root bitdefender  400 Oct 11 15:50 authorized_keys
-rw-------. 1 root bitdefender 1679 Oct 11 15:50 id_rsa
-rw-------. 1 root bitdefender  400 Oct 11 15:50 id_rsa.pub

The authentication flow is as follows:

  • The proxy advertises the none authentication method to the client in order to capture the user name.

  • The proxy initializes the connection to the remote server.

  • The proxy loads all private keys found in /opt/bitdefender-security-tools/etc/ssh/keys-$user (if any).

  • If none of the user’s private keys could be used to authenticate to the remote server or if the PKI authentication with the client failed, the proxy enters MITM mode in order to give the client the chance to try password authentication directly.

Configuring authentication with SSH Keys when Network Attack Defense is enabled

When installing Bitdefender Endpoint Security Tools for Linux with Network Attack Defense and SSH/SCP protocol support enabled, the following steps are required if PKI authentication is used:

  • Move all personal keys into /opt/bitdefender-security-tools/etc/ssh/keys-$user, where $user is the one with which you authenticate to the remote server (not necessarily your current user).

  • Generate a new personal key-pair using ssh-keygen and install the public key in /opt/bitdefender-security-tools/etc/ssh/keys-$user/authorized_keys.
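The following Python script is an added illustration, not Bitdefender code, of the key layout described in the two passages above: the documented host-key precedence (ssh_host_rsa_key, then ssh_host_ed25519_key, then ssh_host_ecdsa_key, with generation as the fallback), the per-user keys-$user directory with its authorized_keys file, and a permissions check that an administrator can run before trusting the directory (the listing above shows every key at mode 0600). The base path is the one named on the page; the key file contents and the public key line in the demo are constructed placeholders, not real keys, and the functions operate on whatever directory they are given so they can be tried in a temporary location.

```python
"""Model of the Network Attack Defense SSH proxy key directory (added example).

Not the product's code: reproduces the documented host-key precedence and the
keys-$user layout, and adds a file-permission audit. Key contents used in the
demo are constructed placeholders.
"""
import os
import stat
import tempfile
from pathlib import Path

# Base directory named in the documentation; functions take the directory as a parameter.
DEFAULT_SSH_DIR = "/opt/bitdefender-security-tools/etc/ssh"

# Documented host-key precedence: the first file found is used.
HOST_KEY_ORDER = ("ssh_host_rsa_key", "ssh_host_ed25519_key", "ssh_host_ecdsa_key")


def select_host_key(ssh_dir):
    """Return the host key path the proxy would load, or None if a new pair must be generated."""
    for name in HOST_KEY_ORDER:
        candidate = Path(ssh_dir) / name
        if candidate.is_file():
            return str(candidate)
    return None  # documented fallback: generate fresh keys and use the RSA one


def user_private_keys(ssh_dir, user):
    """List private keys in keys-$user: every file that is neither a .pub nor authorized_keys."""
    key_dir = Path(ssh_dir) / f"keys-{user}"
    if not key_dir.is_dir():
        return []
    return sorted(
        str(p) for p in key_dir.iterdir()
        if p.is_file() and p.suffix != ".pub" and p.name != "authorized_keys"
    )


def install_authorized_key(ssh_dir, user, pubkey_line):
    """Add a public key line to keys-$user/authorized_keys without duplicates; keep mode 0600.

    Returns the number of entries in the file afterwards.
    """
    key_dir = Path(ssh_dir) / f"keys-{user}"
    key_dir.mkdir(parents=True, exist_ok=True)
    auth = key_dir / "authorized_keys"
    entries = auth.read_text().splitlines() if auth.exists() else []
    line = pubkey_line.strip()
    if line not in entries:
        entries.append(line)
        auth.write_text("\n".join(entries) + "\n")
    auth.chmod(0o600)
    return len(entries)


def check_permissions(ssh_dir):
    """Return private-key and authorized_keys files readable by group or others (should be none)."""
    bad = []
    for p in Path(ssh_dir).rglob("*"):
        if p.is_file() and p.suffix != ".pub":
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                bad.append(str(p.relative_to(ssh_dir)))
    return sorted(bad)


def demo():
    """Build a constructed layout in a temporary directory and exercise the functions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed placeholder host keys; no RSA key, so ed25519 should be selected.
        (root / "ssh_host_ed25519_key").write_text("PLACEHOLDER ed25519 private key\n")
        (root / "ssh_host_ecdsa_key").write_text("PLACEHOLDER ecdsa private key\n")
        os.chmod(root / "ssh_host_ed25519_key", 0o600)
        os.chmod(root / "ssh_host_ecdsa_key", 0o644)  # deliberately too open for the audit
        chosen = os.path.basename(select_host_key(root))
        # Install the same constructed public key twice to show the call is idempotent.
        pub = "ssh-ed25519 AAAAC3PLACEHOLDER test@example"
        install_authorized_key(root, "test", pub)
        entries = install_authorized_key(root, "test", pub)
        # Constructed user key pair in keys-test, private key at 0600 as in the listing.
        (root / "keys-test" / "id_rsa").write_text("PLACEHOLDER user private key\n")
        os.chmod(root / "keys-test" / "id_rsa", 0o600)
        (root / "keys-test" / "id_rsa.pub").write_text("ssh-rsa PLACEHOLDER\n")
        keys = [os.path.basename(k) for k in user_private_keys(root, "test")]
        return chosen, keys, entries, check_permissions(root)


if __name__ == "__main__":
    print(demo())
```

Running the demo selects ssh_host_ed25519_key (no RSA key is present), finds id_rsa as the only private key for user test, leaves authorized_keys with a single entry after two installs, and flags only the deliberately world-readable ssh_host_ecdsa_key.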