SafeGuard Easy Administrator help

Product version: 7
Document date: December 2014
Contents
1 About Sophos SafeGuard (SafeGuard Easy) 7.0.....................................................................6
1.1 SafeGuard Policy Editor..............................................................................................9
1.2 Sophos SafeGuard on endpoints..............................................................................10
2 Getting started........................................................................................................................12
2.1 Deployment strategy.................................................................................................12
2.2 Download installers...................................................................................................13
2.3 Language settings....................................................................................................13
2.4 Compatibility with other SafeGuard products...........................................................14
2.5 Security best practices ............................................................................................14
3 Installation..............................................................................................................................17
3.1 Prepare for installation..............................................................................................17
3.2 Install the SafeGuard Policy Editor...........................................................................18
3.3 Carrying out first-time configuration in SafeGuard Policy Editor...............................18
3.4 Setting up Sophos SafeGuard on endpoints............................................................24
3.5 Configure additional instances of SafeGuard Policy Editor......................................34
4 Log on to the SafeGuard Policy Editor...................................................................................36
5 Licenses.................................................................................................................................37
5.1 Token licenses..........................................................................................................37
5.2 Import licenses.........................................................................................................37
6 Working with policies..............................................................................................................39
6.1 Create policies..........................................................................................................39
6.2 Edit policy settings....................................................................................................39
6.3 Policy groups............................................................................................................40
6.4 Back up policies and policy groups...........................................................................42
6.5 Restore policies and policy groups...........................................................................42
7 Working with configuration packages.....................................................................................43
7.1 Publish policies to a configuration package..............................................................43
7.2 Distribute configuration packages.............................................................................44
8 Exporting the company and security officer certificates.........................................................45
8.1 Export the company certificate ................................................................................45
8.2 Export the security officer certificate........................................................................45
9 Company Certificate Change Orders.....................................................................................46
9.1 Replace the company certificate..............................................................................46
9.2 Managing Company Certificate Change Orders.......................................................47
10 Change algorithm for self-signed certificates.......................................................................48
11 Check the database integrity................................................................................................50
12 User types and administrative access to endpoints.............................................................51
12.1 Service account lists for Windows logon.................................................................52
12.2 POA users for SafeGuard POA logon.....................................................................56
13 SafeGuard Power-on Authentication (POA).........................................................................60
13.1 Logon delay............................................................................................................60
13.2 Configuring the SafeGuard Power-on Authentication.............................................61
13.3 Supported Hotkeys in SafeGuard Power-on Authentication...................................65
13.4 Disabled SafeGuard POA and Lenovo Rescue and Recovery...............................67
14 Default policies.....................................................................................................................68
14.1 Available default policies.........................................................................................68
15 Policy Settings......................................................................................................................73
15.1 General settings......................................................................................................73
15.2 Authentication.........................................................................................................77
15.3 Create forbidden PIN lists for use in policies..........................................................83
15.4 Syntax rules for PINs..............................................................................................84
15.5 Create forbidden password list for use in policies...................................................87
15.6 Syntax rules for passwords.....................................................................................87
15.7 Passphrase rules for SafeGuard Data Exchange...................................................90
15.8 Device Protection....................................................................................................92
15.9 Specific machine settings - basic settings..............................................................96
15.10 Logging...............................................................................................................102
16 Disk encryption...................................................................................................................103
16.1 SafeGuard full disk encryption..............................................................................103
16.2 BitLocker Drive Encryption...................................................................................106
17 SafeGuard Data Exchange.................................................................................................115
17.1 Local Keys............................................................................................................115
17.2 Media passphrase................................................................................................115
17.3 Configure trusted and ignored applications for SafeGuard Data Exchange.........116
17.4 Configure ignored devices for SafeGuard Data Exchange...................................117
17.5 Configure persistent encryption for SafeGuard Data Exchange...........................118
17.6 Tracking files accessed on removable media........................................................118
18 Cloud Storage.....................................................................................................................120
18.1 Requirements for Cloud Storage vendor software................................................120
18.2 Create Cloud Storage Definitions (CSDs)............................................................120
18.3 Create a device protection policy with a Cloud Storage Definition target.............127
18.4 Tracking files accessed in cloud storage...............................................................128
19 Sophos SafeGuard and self-encrypting, Opal-compliant hard drives.................................129
19.1 How does Sophos SafeGuard integrate Opal-compliant hard drives?.................129
19.2 Enhancement of Opal-compliant hard drives with Sophos SafeGuard.................129
19.3 Encryption of Opal-compliant hard drives.............................................................129
19.4 Lock Opal-compliant hard drives..........................................................................130
19.5 Enable users to unlock Opal-compliant hard drives..............................................130
19.6 Logging of events for endpoints with Opal-compliant hard drives........................130
20 Secure Wake on LAN (WOL)..............................................................................................131
20.1 Secure Wake on LAN example.............................................................................131
21 Tokens and smartcards......................................................................................................133
21.1 Token types...........................................................................................................133
21.2 Components.........................................................................................................133
21.3 Configure non-cryptographic token use................................................................135
21.4 Preparing for token use........................................................................................136
21.5 Configuring token logon mode..............................................................................137
21.6 Further token settings...........................................................................................138
22 Recovery options................................................................................................................139
23 Recovery with Local Self Help............................................................................................140
23.1 Define Local Self Help settings in a policy............................................................140
23.2 Define questions...................................................................................................141
23.3 Define the number of questions to be answered..................................................141
23.4 Use the template...................................................................................................142
23.5 Import question themes........................................................................................142
23.6 Create a new question theme and add questions................................................143
23.7 Edit question themes............................................................................................143
23.8 Delete question themes........................................................................................144
23.9 Register welcome texts.........................................................................................144
24 Recovery with Challenge/Response...................................................................................145
24.1 Challenge/Response workflow.............................................................................145
24.2 Launch the Recovery Wizard ...............................................................................146
24.3 Recovery types ....................................................................................................146
24.4 Recovering a password with Challenge/Response ..............................................146
24.5 Regaining access to encrypted data with Challenge/Response ..........................149
25 Recovery for BitLocker.......................................................................................................157
25.1 Response for BitLocker encrypted Sophos SafeGuard Clients - UEFI endpoints...........157
25.2 Recovery key for BitLocker encrypted Sophos SafeGuard Clients - BIOS endpoints.......157
26 System Recovery for SafeGuard full disk encryption.........................................................159
26.1 Recover data by starting from an external medium..............................................159
26.2 Corrupted MBR.....................................................................................................159
26.3 Volumes................................................................................................................160
26.4 Set up WinPE for Sophos SafeGuard...................................................................160
27 Restore a Sophos SafeGuard Database............................................................................162
27.1 Restore a database configuration by reinstalling the SafeGuard Policy Editor.....162
28 Restore a corrupt SafeGuard Policy Editor installation.......................................................163
29 About uninstallation............................................................................................................164
29.1 Uninstallation best practice...................................................................................164
29.2 Uninstalling Sophos SafeGuard encryption software...........................................164
29.3 Sophos Tamper Protection....................................................................................166
30 Technical support................................................................................................................167
31 Legal notices......................................................................................................................168
1 About Sophos SafeGuard (SafeGuard
Easy) 7.0
Sophos SafeGuard provides powerful data protection through encryption and additional logon
authentication.
This version of Sophos SafeGuard (SafeGuard Easy) supports Windows 7, Windows 8 and Windows
8.1 on endpoints with BIOS or UEFI firmware.
■
For BIOS platforms you can choose between Sophos SafeGuard full disk encryption and
BitLocker encryption managed by Sophos SafeGuard. The BIOS version comes with the
BitLocker native recovery mechanism.
Note: If SafeGuard Power-on Authentication or SafeGuard full disk encryption is mentioned
in this manual, it refers to Windows 7 BIOS endpoints only.
■
For UEFI platforms, use BitLocker managed by Sophos SafeGuard (SafeGuard Easy) for disk
encryption. For these endpoints Sophos SafeGuard offers enhanced Challenge/Response
capabilities. For details on the supported UEFI versions and restrictions to SafeGuard BitLocker
Challenge/Response support, please see the Release Notes at
http://downloads.sophos.com/readmes/readsgeasy_7_eng.html.
Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
The table shows which components are available on each platform ("-" means not available):

Platform            SafeGuard full disk      BitLocker with pre-boot    SafeGuard C/R recovery
                    encryption with          authentication (PBA)       for BitLocker pre-boot
                    SafeGuard Power-on       managed by SafeGuard       authentication (PBA)
                    Authentication (POA)
Windows 7 BIOS      YES                      YES                        -
Windows 7 UEFI      -                        YES                        YES
Windows 8 BIOS      -                        YES                        -
Windows 8 UEFI      -                        YES                        YES
Windows 8.1 BIOS    -                        YES                        -
Windows 8.1 UEFI    -                        YES                        YES
Note: SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA) is only available
on 64-bit systems.
SafeGuard full disk encryption with SafeGuard Power-on Authentication (POA) is the Sophos
module for encrypting volumes on endpoints. It comes with a Sophos implemented pre-boot
authentication named SafeGuard Power-on Authentication (POA) which supports logon options
like smartcard and fingerprint and a Challenge/Response mechanism for recovery.
BitLocker with pre-boot authentication (PBA) managed by SafeGuard is the component that
enables and manages the BitLocker encryption engine and the BitLocker pre-boot authentication.
It is available for BIOS and UEFI platforms:
■
The UEFI version additionally offers a SafeGuard Challenge/Response mechanism for BitLocker
recovery in case users forget their PINs. The UEFI version can be used when certain platform
requirements are met. For example the UEFI version must be 2.3.1. For details, see the
Release Notes.
■
The BIOS version does not offer the recovery enhancements of the SafeGuard Challenge/Response
mechanism and also serves as the fallback option if the requirements for the UEFI version are
not met. The Sophos installer checks whether the requirements are met and, if they are not,
automatically installs the BitLocker version without Challenge/Response.
Sophos SafeGuard (SafeGuard Easy) uses a policy-based encryption strategy to protect information
on endpoints.
Administration is carried out with the SafeGuard Policy Editor, which is used to create and manage
security policies and to provide recovery functions. Policies are deployed to endpoints in
configuration packages. On the user side, the main security functions are data encryption and
protection against unauthorized access. Sophos SafeGuard can be seamlessly integrated into
the user's normal environment and is easy and intuitive to use. The Sophos SafeGuard
authentication system, SafeGuard Power-on Authentication (POA), provides powerful access
protection and offers user-friendly support when recovering credentials.
Sophos SafeGuard components
Sophos SafeGuard consists of the following components:
Component
Description
SafeGuard Policy Editor
Sophos SafeGuard management tool used to create encryption
and authentication policies.
The SafeGuard Policy Editor creates a default policy during
first-time configuration.
The SafeGuard Policy Editor also provides recovery functions to
allow users to regain access to their computers, if they have
forgotten their password, for example.
Sophos SafeGuard Database
Sophos SafeGuard Database holds all policy settings for the
endpoints.
Sophos SafeGuard software on
endpoints
Encryption software on endpoints.
Product names
The following product names are used in this help:
Product name
Description
Sophos SafeGuard Easy (SGE)
Sophos SafeGuard standalone encryption software. From versions
5.x, SafeGuard Policy Editor is used for policy configuration and
helpdesk tasks.
Sophos SafeGuard Disk Encryption
(SDE) up to 5.60
Sophos SafeGuard standalone encryption software available with
the Endpoint Security and Data Protection (ESDP) bundle up to
version 10.
Sophos Disk Encryption 5.61
Managed full disk encryption through Sophos Enterprise Console
5.1 and above.
SafeGuard Enterprise
Comprehensive, modular SafeGuard encryption suite with central,
role-based management that protects data on endpoints from
being read or changed by unauthorized persons.
Sophos Enterprise Console
Sophos console that manages and updates Sophos security
software. With version 5.1 it also manages encryption on endpoints
(Sophos Disk Encryption 5.61).
1.1 SafeGuard Policy Editor
The SafeGuard Policy Editor is the management console for Sophos SafeGuard protected
endpoints.
The SafeGuard Policy Editor is installed on the computer that you want to use to carry out
administrative tasks. As a security officer, you use the SafeGuard Policy Editor to manage Sophos
SafeGuard policies and to create configuration settings for endpoints. You publish policies and
settings into configuration packages to deploy them on endpoints. Several configuration packages
can be created and distributed using third-party mechanisms. You distribute the packages when
you install the Sophos SafeGuard encryption software. You can deploy further packages to change
the settings on endpoints later.
The SafeGuard Policy Editor also provides recovery functions to regain access to endpoints, if
users have for example forgotten their password.
Features
The SafeGuard Policy Editor offers the following:
■
Default configuration: During first-time configuration, the SafeGuard Policy Editor automatically
creates a default policy with preconfigured, recommended policies for endpoints. You can
customize the default policy to your requirements.
■
Administrative access options: The administrative access options service accounts and
POA users provide access for post-installation and administrative tasks on endpoints.
■
Encryption keys: An automatically generated machine key is used for SafeGuard Device
Encryption (volume-based encryption). Keys generated locally on the endpoint will be used
for SafeGuard Data Exchange (file-based encryption).
■
Local Self Help: For recovery of forgotten passwords, Sophos SafeGuard offers the convenient
recovery option Local Self Help. Local Self Help enables users to recover their password
without the assistance of a helpdesk.
■
Challenge/Response with helpdesk assistance:
Challenge/Response with helpdesk assistance can be requested by a user if a password has
been forgotten or typed in incorrectly too often. It can also be used to recover data if the
SafeGuard POA is corrupted. Challenge/Response is based on specific key recovery files that
are automatically generated when Sophos SafeGuard is installed on the endpoint.
Database
The Sophos SafeGuard policies are stored in an SQL database on the administrator's computer.
You are prompted to install Microsoft SQL Server 2012 Express during the SafeGuard Policy
Editor installation if an existing SQL server instance is unavailable. For this purpose, Microsoft
SQL 2012 Express is included in your product delivery.
Migration
You can easily migrate to the SafeGuard Enterprise suite with central management to make use
of the full functionality of SafeGuard Enterprise.
Logging
Events for Sophos SafeGuard protected computers are logged in the Windows Event Viewer.
How does the SafeGuard Policy Editor differ from the SafeGuard
Management Center?
The SafeGuard Management Center has a central management server and offers enhanced
management functionalities, including:
■
Active Directory import with user and domain management.
■
Central logging.
■
Definable administrative roles.
The SafeGuard Management Center is available with SafeGuard Enterprise.
Note: In the SafeGuard Management Center, you can also define settings and create configuration
packages for Sophos SafeGuard endpoints that do not have any connection to a SafeGuard
Enterprise Server.
1.2 Sophos SafeGuard on endpoints
Data encryption and protection against unauthorized access are the main security functions of
Sophos SafeGuard. Sophos SafeGuard can be seamlessly integrated into the user's normal
environment and is easy and intuitive to use. The Sophos SafeGuard authentication system,
SafeGuard Power-on Authentication (POA), provides the necessary access protection and offers
user-friendly support when recovering credentials.
Supported features
Note: Availability of features depends on the respective license.
■
SafeGuard full disk encryption
Ensures that all data on the specified volumes (including boot volume, hard drive, partitions)
is transparently encrypted (boot files, swapfiles, idle files/hibernation files, temporary files and
directory information etc.) without the user having to change normal operating procedures or
to consider security.
■
SafeGuard Power-on Authentication
User logon is performed immediately after switching on the computer. After successful logon
at SafeGuard Power-on Authentication, users are automatically logged on to the operating
system.
■
SafeGuard Data Exchange
SafeGuard Data Exchange allows users to encrypt data stored on removable media that are
connected to their computers, and exchange it with other users. All encryption and decryption
processes are run transparently and involve minimum user interaction.
■
SafeGuard Cloud Storage
SafeGuard Cloud Storage offers file-based encryption of data stored in the cloud. It does not
change the way users work with data stored in the cloud. Local copies of cloud data are
encrypted transparently and remain encrypted when stored in the cloud.
2 Getting started
This section explains how to prepare for a successful Sophos SafeGuard installation.
2.1 Deployment strategy
Before you deploy Sophos SafeGuard on endpoints, we recommend that you define a deployment
strategy.
The following options should be considered.
Policies
Sophos SafeGuard offers the following options:
■
Default policy
Sophos SafeGuard offers a default policy with pre-defined encryption and authentication
settings for quick and easy policy deployment. During first-time configuration in SafeGuard
Policy Editor, the default policy is automatically created.
For details on the default policy and the settings defined, see Default policies (page 68).
■
Defining your own policies
If the default policy does not cover all your specific requirements, you can edit it or define your
own policies in the SafeGuard Policy Editor.
For details on creating policies, see Working with policies (page 39). For details on deploying
policies to endpoints, see Working with configuration packages (page 43).
For a detailed description of all available policies and settings, see Policy Settings (page 73).
Administrative access options
Sophos SafeGuard uses two types of accounts to enable users to log on to endpoints and carry
out administrative tasks after Sophos SafeGuard has been installed.
■
Service accounts for Windows logon
With service accounts, users (for example rollout operators, members of the IT team) can log
on to Windows on endpoints after the installation of Sophos SafeGuard without activating the
SafeGuard Power-on Authentication and without being added as users to the computers.
Service account lists are assigned to endpoints in policies. They should be assigned in the
first Sophos SafeGuard configuration package you create for the configuration of the endpoints.
Service account lists can be updated by creating a new configuration package and deploying
it to the endpoints before activation of the SafeGuard POA.
For further information, see Service account lists for Windows logon (page 52).
■
POA users for SafeGuard POA logon
POA users are predefined local accounts that enable users (for example members of the IT
team) to log on to endpoints to perform administrative tasks after the SafeGuard POA has
been activated. POA users enable SafeGuard POA logon, there is no automatic logon to
Windows.
You can create POA users in the SafeGuard Policy Editor, group them in POA groups, and
assign groups to endpoints using Sophos SafeGuard configuration packages.
For further information, see POA users for SafeGuard POA logon (page 56).
Recovery options
For situations requiring recovery (for example, forgotten passwords), Sophos SafeGuard offers
two recovery options:
■
Logon recovery using Local Self Help
Local Self Help enables users who have forgotten their password to log on to their computers
without the assistance of a helpdesk. To regain access to their computer, they simply answer
a predefined number of questions in the SafeGuard Power-on Authentication.
In the default policy, Local Self Help is enabled and configured by default. If you do not use
the default configuration, you have to enable Local Self Help in a policy and define the questions
to be answered by the end user.
For further information, see Recovery with Local Self Help (page 140).
■
Recovery using Challenge/Response
The Challenge/Response recovery mechanism is a secure and efficient logon recovery system
that helps users who cannot log on to their computers or access encrypted data. For
Challenge/Response, the assistance of a helpdesk is required.
In the default policy, Challenge/Response is enabled by default. If you do not use the default
configuration, you have to enable Challenge/Response in a policy. For data recovery using
Challenge/Response, you need to create specific files called Virtual Clients in the SafeGuard
Policy Editor beforehand.
For further information, see Recovery with Challenge/Response (page 145) and Create a Virtual
Client (page 150).
2.2 Download installers
1. Using the web address and download credentials provided by your system administrator, go
to the Sophos website and download the installers and documentation.
2. Store them in a location where you can access them for installation.
2.3 Language settings
The language settings for the SafeGuard Policy Editor and Sophos SafeGuard encryption software
on the endpoints are as follows:
SafeGuard Policy Editor
You can set the language of the SafeGuard Policy Editor as follows:
■
In SafeGuard Policy Editor, click menu Tools > Options > General. Select Use user defined
language and select an available language. English, German, French and Japanese are
provided.
■
Restart the SafeGuard Policy Editor. It is displayed in the selected language.
Sophos SafeGuard on endpoints
You set the language of Sophos SafeGuard on endpoints in a policy of the type General Settings
in the SafeGuard Policy Editor, setting Customization > Language used on client:
■
If the language of the operating system is selected, Sophos SafeGuard uses the language
setting of the operating system. If the operating system language is not available in Sophos
SafeGuard, the Sophos SafeGuard language defaults to English.
■
If one of the available languages is selected, Sophos SafeGuard functions are displayed in
the selected language on the endpoint.
2.4 Compatibility with other SafeGuard products
This section describes the compatibility of Sophos SafeGuard 7.0 with other SafeGuard products.
Compatibility with SafeGuard LAN Crypt
SafeGuard LAN Crypt 3.90 and Sophos SafeGuard 7.0 can coexist on one endpoint.
Older versions of SafeGuard LAN Crypt are no longer supported. They cannot coexist with Sophos
SafeGuard 7.0 on one endpoint.
Compatibility with SafeGuard PrivateDisk
Sophos SafeGuard 7.0 and the standalone products SafeGuard PrivateDisk 3 can coexist on the
same computer.
Compatibility with SafeGuard RemovableMedia
SafeGuard RemovableMedia and Sophos SafeGuard cannot coexist on the same computer.
SafeGuard RemovableMedia has reached end of life and support was discontinued.
2.5 Security best practices
Sophos SafeGuard provides powerful data protection through encryption and additional logon
authentication.
By following the simple steps described here, you can mitigate risks and keep your company's
data secure and protected at all times.
Avoid sleep mode
On Sophos SafeGuard protected endpoints, encryption keys might be accessible to attackers in
certain sleep modes where the endpoint's operating system is not shut down properly and
background processes are not terminated. Protection is enhanced when the operating system is
always shut down or hibernated properly.
Train users accordingly or consider centrally disabling sleep mode on endpoints that are unattended
or not in use:
■
Avoid sleep (stand-by/suspend) mode as well as hybrid sleep mode on Windows. Hybrid sleep
mode combines hibernation and sleep, so the operating system is not shut down and the endpoint
stays in the low-power state in which keys might be accessible. Setting an additional password
prompt after resume does not provide full protection.
■
Avoid relying on locking the desktop, switching off the monitor or closing the laptop lid as
protection when these are not followed by a proper shut down or hibernation. Here too, an
additional password prompt after resume does not provide sufficient protection.
■
Always shut down or hibernate computers. SafeGuard Power-on Authentication is always
activated the next time the computer is used, thus providing full protection.
Note: It is important that the hibernation file resides on an encrypted volume. Typically it
resides on C:\.
You can configure the appropriate power management settings centrally using Group Policy
Objects or locally through the Power Options dialog on the computer's Control Panel System
Control. Set the Sleep button action to Hibernate or Shut down.
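The power settings recommended above, applied on a single endpoint with the Windows powercfg tool and then read back for verification. This is an added example, not Sophos code or a setting shipped with the product; it assumes the current power scheme is the one in use and that powercfg prints its English output (the parser in Get-PowerActionIndex matches the English "Current AC Power Setting Index" line).

```powershell
# Added example (not Sophos code): make power, sleep button and lid close hibernate
# instead of sleeping, and turn hybrid sleep and idle sleep off.
# Action index values used by powercfg: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
$Hibernate = 2

# Hibernation must be available; hiberfil.sys is written to the system drive,
# which is typically C:\ and must be an encrypted volume.
powercfg /hibernate on

# Power button, sleep button and lid close all lead to hibernation, on AC and on battery (DC).
foreach ($setting in 'PBUTTONACTION', 'SBUTTONACTION', 'LIDACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
}

# Hybrid sleep off (0) and never sleep on idle (timeout 0 = never), for AC and DC.
foreach ($mode in 'setacvalueindex', 'setdcvalueindex') {
    powercfg "/$mode" SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
    powercfg "/$mode" SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
}
# Re-activate the scheme so the new indexes take effect.
powercfg /setactive SCHEME_CURRENT

function Get-PowerActionIndex {
    # Reads a setting back. powercfg /query prints lines such as
    # "Current AC Power Setting Index: 0x00000002" (English output assumed).
    param(
        [Parameter(Mandatory)][string]$SubGroup,
        [Parameter(Mandatory)][string]$Setting
    )
    $out = powercfg /query SCHEME_CURRENT $SubGroup $Setting
    $ac = ($out | Select-String 'Current AC Power Setting Index:\s+0x([0-9a-fA-F]+)').Matches[0].Groups[1].Value
    $dc = ($out | Select-String 'Current DC Power Setting Index:\s+0x([0-9a-fA-F]+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        Setting = $Setting
        AC      = [Convert]::ToInt32($ac, 16)
        DC      = [Convert]::ToInt32($dc, 16)
    }
}

# Expected after the commands above: AC and DC = 2 for the three button actions, 0 for HYBRIDSLEEP.
'PBUTTONACTION', 'SBUTTONACTION', 'LIDACTION' | ForEach-Object { Get-PowerActionIndex -SubGroup SUB_BUTTONS -Setting $_ }
Get-PowerActionIndex -SubGroup SUB_SLEEP -Setting HYBRIDSLEEP
```

Run the script from an elevated PowerShell prompt; the same indexes can be pushed to many endpoints through the Power Management settings of a Group Policy Object, which is the central route the help text refers to.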
Implement a strong password policy
Implement a strong password policy and force password changes at regular intervals, particularly
for computer logon.
Passwords should not be shared with anyone nor written down.
Train users to choose strong passwords. A strong password follows these rules:
■ It is long enough to be secure: A minimum of 10 characters is recommended.
■ It contains a mixture of letters (upper and lower case), numbers and special characters/symbols.
■ It does not contain a commonly used word or name.
■ It is hard to guess but easy to remember and type accurately.
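The rules listed above turned into a check that a helpdesk can run on a candidate password before it is handed out, followed by the local account policy settings that enforce the minimum length and regular password changes. This is an added example and not Sophos code; the word list is a constructed sample, and the 90-day change interval and 5-password history are assumed values.

```powershell
# Added example (not Sophos code): test a candidate password against the rules above.
# $CommonWords is a constructed sample; a real deployment would use a proper word list.
$CommonWords = @('password', 'welcome', 'company', 'admin', 'letmein', 'summer', 'winter')

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [int]$MinimumLength = 10
    )
    $failures = @()
    if ($Candidate.Length -lt $MinimumLength)  { $failures += "shorter than $MinimumLength characters" }
    if ($Candidate -cnotmatch '[a-z]')          { $failures += 'no lower-case letter' }
    if ($Candidate -cnotmatch '[A-Z]')          { $failures += 'no upper-case letter' }
    if ($Candidate -notmatch '\d')              { $failures += 'no digit' }
    if ($Candidate -notmatch '[^A-Za-z0-9]')    { $failures += 'no special character' }
    # A common word is rejected even when padded with digits or symbols, because
    # "Password2014!" still contains "password" (-match is case-insensitive).
    foreach ($word in $CommonWords) {
        if ($Candidate -match [regex]::Escape($word)) {
            $failures += "contains the common word '$word'"
            break
        }
    }
    [pscustomobject]@{
        Acceptable = ($failures.Count -eq 0)
        Failures   = $failures
    }
}

Test-PasswordPolicy -Candidate 'Password2014!'
Test-PasswordPolicy -Candidate 'Tq7#mellow-Kite'

# Local account policy: minimum length 10, change every 90 days (assumed interval),
# and the last 5 passwords cannot be reused. Domain accounts get this from Group Policy instead.
net accounts /MINPWLEN:10 /MAXPWAGE:90 /UNIQUEPW:5
```

The first call fails on the common-word rule although it satisfies every character-class rule, which is the point of keeping that rule separate from the mixture rule; the second call passes all checks.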
Do not disable SafeGuard Power-on Authentication
SafeGuard Power-on Authentication provides additional logon protection on the endpoint. With
SafeGuard full disk encryption, it is installed and enabled by default. For full protection, do not
disable it. More information can be found at
http://www.sophos.com/en-us/support/knowledgebase/110282.aspx.
Protect against code injection
Code injection, for example DLL pre-loading attacks, might be possible when an attacker is able
to place malicious code, for example executables, in directories that may be searched for legitimate
code by the Sophos SafeGuard encryption software. To mitigate this threat:
■ Install middleware loaded by the encryption software, for example token middleware, in
  directories that are inaccessible to external attackers. These are typically all sub-folders of the
  Windows and Program Files directories.
■ The PATH environment variable should not contain components that point to folders accessible
  to external attackers (see above).
■ Regular users should not have administrative rights.
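A check for the PATH rule above: the script audits every entry of the machine-wide PATH and reports directories that broad, non-administrative principals are allowed to write to, as well as entries that do not exist. This is an added example, not Sophos code; the list of principals treated as "broad" is an assumption you may need to extend for your environment.

```powershell
# Added example (not Sophos code): find PATH entries writable by non-administrative
# principals. Such entries are the ones the advice above says to remove.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that allow placing a file in a directory, plus the generic WRITE (0x40000000)
# and generic ALL (0x10000000) bits that Windows reports on some inherited entries.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Test-BroadWriteAccess {
    # Returns a description of the first Allow entry that gives a broad principal
    # write rights on the directory, or $null when there is none.
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return "$who has $($ace.FileSystemRights)"
        }
    }
    return $null
}

function Get-PathAudit {
    # Audits the machine-wide PATH by default: services such as the encryption software
    # see that value, not the per-user additions of whoever is logged on.
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))
    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $state = 'missing'
        } else {
            $writer = Test-BroadWriteAccess -Directory $dir
            $state = if ($writer) { "writable by $writer" } else { 'ok' }
        }
        [pscustomobject]@{ Directory = $dir; State = $state }
    }
}

# Show only the entries that need attention.
Get-PathAudit | Where-Object { $_.State -ne 'ok' } | Format-Table -AutoSize
```

Entries reported as "missing" deserve the same attention as writable ones: a PATH component that does not exist is harmless only as long as nobody can create it, so either remove the entry or make sure its parent directory is not writable by the principals listed above.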
Encryption best practices
■ Ensure that all drives have a drive letter assigned.
  Only drives that have a drive letter assigned are considered for disk encryption/decryption.
  Consequently, drives without a drive letter assigned may be abused to leak confidential data
  in plaintext.
  To mitigate this threat: Do not allow users to change drive letter assignments. Set their user
  rights accordingly. Regular Windows users do not have this right by default.
■ Apply Fast Initial Encryption cautiously.
  Sophos SafeGuard offers Fast Initial Encryption to reduce the time for initial encryption of
  volumes by only accessing the space that is actually in use. This mode leads to a less secure
  state if a volume has been in use before it was encrypted with Sophos SafeGuard. Due to
  their architecture, Solid State Disks (SSD) are affected even more than regular hard disks.
  This mode is disabled by default.
■ Only use algorithm AES-256 for data encryption.
■ Prevent uninstallation.
  To provide extra protection for endpoints you can prevent local uninstallation of Sophos
  SafeGuard in a Specific Machine Settings policy. Set Uninstallation allowed to No and
  deploy the policy on the endpoints. Uninstallation attempts are cancelled and the unauthorized
  attempts are logged.
  If you use a demo version, do not activate this policy setting, or at least deactivate it before
  the demo version expires.
Apply Sophos Tamper Protection to endpoints using Sophos Endpoint Security and Control,
see Sophos Tamper Protection (page 166).
3 Installation
Setting up Sophos SafeGuard involves the following tasks, each with the installation package or
tool used for it:
1. Install the SafeGuard Policy Editor on the administrator computer.
   Installation package/tool: SGNPolicyEditor.msi
2. Carry out first-time configuration in the SafeGuard Policy Editor Configuration Wizard.
   Installation package/tool: SafeGuard Policy Editor, automatically creating a default policy.
3. Customize a copy of the default policy or create further new policies.
   Installation package/tool: SafeGuard Policy Editor, Policies navigation area
4. Publish the policies into configuration package(s).
   Installation package/tool: SafeGuard Policy Editor, Configuration Package Tool
5. On the endpoints, install the pre-installation package that provides necessary requirements
   for successful installation of the current encryption software.
   Installation package/tool: SGxClientPreinstall.msi
6. Install the client installation package on the endpoints.
   Installation package/tool: SGNClient.msi, or SGNClient_x64.msi for Windows 64-bit operating
   systems
7. Install the configuration package(s) on the endpoints.
   Installation package/tool: generated <configpackage>.msi
3.1 Prepare for installation
Before you deploy Sophos SafeGuard, we recommend that you prepare as follows.
■ Make sure that you have Windows administrator rights.
■ .NET Framework 4 must be installed. It is provided in the Sophos SafeGuard product delivery.
■ If you want to install Microsoft SQL Server 2012 Express Edition automatically during SafeGuard
  Policy Editor installation, you also need to make sure that Microsoft Windows Installer 4.5 is
  installed.
■ For hardware and software requirements, service packs and disk space required during
  installation as well as for effective operation, see the current release notes version on the
  Sophos SafeGuard release notes landing page
  http://www.sophos.com/en-us/support/knowledgebase/112776.aspx.
3.2 Install the SafeGuard Policy Editor
Before you start:
■ You must have prepared for installation.
■ If you want to use an existing Microsoft SQL database server, you need the necessary SQL
  access rights and account data.
To deploy the encryption software on the endpoints, first install SafeGuard Policy Editor on an
administrator's computer. You can also do the first time installation on a Windows server. Later,
you can install it on multiple administrator computers, all connecting to the central Sophos
SafeGuard Database on the server. The same account is used to access each instance of
SafeGuard Policy Editor.
1. Log on to the computer as an administrator.
2. From the product's install folder, double-click SGNPolicyEditor.msi. A wizard guides you through
installation. Accept the default options.
You may be prompted to install Microsoft SQL Server 2012 Express during the SafeGuard
Policy Editor installation, if no SQL database instance is available. It is included in your product
delivery. Your Windows credentials are then used for the SQL user account. An SQL database
instance is necessary to store Sophos SafeGuard policy settings.
The SafeGuard Policy Editor is installed. You now carry out first-time configuration within the
SafeGuard Policy Editor.
Note: The SafeGuard Policy Editor cannot be operated in a terminal server environment.
3.3 Carrying out first-time configuration in SafeGuard Policy Editor
Make sure that you have Windows administrator rights.
The SafeGuard Policy Editor first-time configuration provides comfortable assistance for quick
and easy Sophos SafeGuard implementation:
■ A default policy with pre-defined encryption and authentication settings is automatically created
  to implement a company-wide security policy on endpoints.
■ All necessary requirements for the IT helpdesk to carry out recovery tasks are provided.
■ The necessary certificates and the connection to the database to store Sophos SafeGuard
  data are created.
To start first-time configuration:
1. After installation, start the SafeGuard Policy Editor from the Start menu. The Configuration
Wizard is launched and guides you through the necessary steps.
2. On the Welcome page, click Next.
3.3.1 Creating the database connection
A database is used to store all Sophos SafeGuard encryption policies and settings.
1. On the Database page, do one of the following:
   ■ For a first time installation, under Database, select Create a new database.
   ■ For an additional installation or to reuse a previously created database, for example to
     enable helpdesk staff to carry out Challenge/Response, select the respective database
     from the Database list. All databases available on the currently connected database server
     are displayed.
   The corresponding settings are displayed under Database settings. You might need to edit
   them: Click Change and edit the settings to your needs. For further information, see Configure
   the database connection settings (page 19).
2. Click Next.
The connection to the database server is established.
3.3.1.1 Configure the database connection settings
1. In Database Connection under Database Server, select the respective SQL database server
from the list. All database servers available on your computer or network are displayed. (The
list is updated every 12 minutes.)
2. Under Database on Server, select the respective database to be used.
3. Select Use SSL to secure the connection to this database server with SSL. However, SSL
encryption requires a working SSL environment on the computer on which the selected SQL
database resides, which you have to set up in advance.
4. Under Authentication, select the type of authentication to be used to access the database:
   ■ Select Use Windows NT Authentication to use your Windows credentials.
     Note: Use this type when your computer is part of a domain.
   ■ Select Use SQL Server Authentication to access the database with your SQL credentials.
     You are prompted to enter and confirm them. Where necessary, you can obtain this
     information from your SQL administrator.
     Note: Use this type of authentication when your computer is not part of a domain. With
     SQL authentication an upgrade to the SafeGuard Management Center can be easily
     achieved later. Make sure that you select Use SSL to secure the connection to and from
     the database server when you choose this type of authentication.
5. Click Check connection. If the authentication to the SQL database has been successful, a
corresponding success message is displayed.
6. Click OK to return to the Database page.
3.3.2 Create the security officer certificate (new database)
Carry out this step when you have created a new database. In a first time installation and when
you use a new database, a security officer certificate is created for authentication purposes. Only
one account is created per installation. As security officer, you access the SafeGuard Policy Editor
to create Sophos SafeGuard policies and configure the encryption software for the end users.
To create the security officer certificate:
1. On the Security Officer page, the security officer name (the current user name) is already
displayed.
2. Enter and confirm a password that you need to access the SafeGuard Policy Editor.
Keep this password in a safe place. If you lose it, you are not able to access SafeGuard Policy
Editor. Access to the account is needed to enable the IT helpdesk to carry out recovery tasks.
3. Click Next.
The security officer certificate is created and stored in the certificate store. Next create the company
certificate.
3.3.3 Import the security officer certificate (existing database)
Carry out this step when you use an existing database. When you use an existing database, the
security officer certificate needs to be imported. Only certificates generated by the SafeGuard
Policy Editor may be imported. Certificates created by a PKI (for example Verisign) are not allowed
to be imported.
To import the security officer certificate:
1. On the Security Officer page, click Import.
2. Browse for the required certificate and confirm with Open.
3. Enter the password for the selected key file that you have used to authenticate at the SafeGuard
Policy Editor.
4. Click Yes.
5. Enter and confirm a password for authenticating at SafeGuard Policy Editor.
6. Click Next and then Finish.
Configuration when using an existing database is completed. The remaining configuration steps
are only needed when you use a new database.
3.3.4 Create the company certificate
The company certificate is used to secure policy settings in the database and on Sophos SafeGuard
protected endpoints. It is needed to recover a broken database configuration, see Restore a
database configuration by reinstalling the SafeGuard Policy Editor (page 162).
1. On the Company page, enter a Company name. The name is limited to 64 characters. Make
sure that Automatically create certificate is selected.
Note: Created company certificates always expire on December 31, 2199.
For a first time installation and when you have created a new database, Automatically create
certificate is already selected.
Note: Certificates generated by Sophos SafeGuard, such as the company, machine, and
security officer certificates are signed with hash algorithm SHA-256 for enhanced security in
a first-time installation.
If you still need to manage Sophos SafeGuard 6 or earlier endpoints with the SafeGuard Policy
Editor 7.0, you must select SHA-1 under Hash algorithm for generated certificates. For
further information, see Change algorithm for self-signed certificates (page 48).
2. Click Next.
The newly created company certificate is stored in the database and signed with the selected
algorithm. Next back up the certificates.
3.3.5 Back up certificates
To restore a corrupt database or SafeGuard Policy Editor installation the security officer and
company certificates are needed.
To back up the certificates:
1. On the Security officer and company certificate backup page, specify a safe storage
location for the certificate backups. If you save them to the default storage location now, make
sure that you export them to a safe location that can be accessed in cases of recovery, for
example a USB flash drive, right after first-time configuration.
2. Click Next.
The certificates are backed up to the specified location. Next create the recovery key store.
3.3.6 Creating a recovery key store
To enable recovery for endpoints, specific key recovery files are used which need to be accessed
by IT helpdesk staff in cases of recovery. A network share to collect these files, with sufficient
access permissions, is created in this step. The key recovery files are encrypted by the company
certificate. Storing them on a network or even an external medium is therefore safe.
Note: The network share must be located on a drive that has been formatted with NTFS. NTFS
allows for setting the access permissions as required.
1. On the Recovery Keys page, click Next to confirm the defaults.
The following is created:
■ A network share where the recovery keys are saved automatically.
■ A default directory on the local computer where the recovery keys are saved automatically.
■ Default permissions for IT helpdesk staff to the network share: all members of the local
  administrators group are added to the new Windows group SafeGuardRecoveryKeyAccess.
  In a domain environment, this also includes the domain administrators group. Within the
  SafeGuard Policy Editor it is possible to create multiple configuration packages, for example
  one package for endpoints within a domain environment and an additional package for
  standalone endpoints.
2. To change the defaults:
   ■ Click [...] next to Local path to change the local storage directory as required.
   ■ If you clear Create network share, the end user is prompted for a location in which to save
     the recovery key files once encryption has been completed.
   ■ To display or change the group members that have access to the network share, click
     Permissions. For further information, see Change permissions for the network share (page
     22).
The recovery key store with the relevant permissions is created.
Note: The Sophos SafeGuard software attempts to connect to the network share for about 4
minutes and if unsuccessful, retries to connect to it after each Windows logon until the connection
is established or until the recovery key files are backed up manually.
3.3.6.1 Change permissions for the network share
1. In Network Share Permissions, do either of the following:
   ■ Click Add local members to add local members with administrative rights for recovery
     actions.
   ■ Click Add global members to add global members with administrative rights for recovery
     actions.
2. Click OK.
A group SafeGuardRecoveryKeyAccess is created on the computer which contains all the
members displayed in Network Share Permissions.
The following NTFS permissions are automatically set on the specified local directory:
■ Everyone: Create files - The Sophos SafeGuard computer running in the context of the logged
  in users is allowed to add files, but cannot browse the directory, delete or read files.
  Note: The "Create Files" permission is available in the Advanced Security Settings of a
  directory.
■ SafeGuardRecoveryKeyAccess: Modify - All users displayed in the Permissions dialog are
  allowed to read, delete and add files.
■ Administrators: Full Control
Sophos SafeGuard also removes permission inheritance on the directory to ensure that the above
permissions are not accidentally overwritten.
The network share SafeGuardRecoveryKeys$ is created with this permission:
■ Everyone: Full Control
Note: The resulting permissions are the intersection between NTFS permissions and share
permissions. As the NTFS permissions are more restrictive, they apply.
If you want to set up a network share manually, we suggest that you use the same permission
settings as described above. In this case, make sure that you disable permission inheritance on
the directory manually.
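The manual set-up suggested above, written out as a script that reproduces the documented permission layout: inheritance disabled, the three explicit NTFS entries, and a share granting Everyone Full Control so that the NTFS entries are the effective limit. This is an added example, not Sophos code; the local directory path, the helpdesk accounts added to the group and the use of net localgroup and net share (rather than the product's own wizard) are assumptions.

```powershell
# Added example (not Sophos code): create the recovery key directory, group and share
# with the permissions described above. Run from an elevated PowerShell prompt.
$LocalPath       = 'C:\SafeGuardRecoveryKeys'      # assumed local directory, not a product default
$GroupName       = 'SafeGuardRecoveryKeyAccess'    # group name from the help text
$ShareName       = 'SafeGuardRecoveryKeys$'        # share name from the help text
$HelpdeskMembers = @('CONTOSO\helpdesk-ops')       # assumed accounts that carry out recovery

# 1. Local group for helpdesk staff, created only if it does not exist yet.
net localgroup $GroupName 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { net localgroup $GroupName /add | Out-Null }
foreach ($member in $HelpdeskMembers) {
    net localgroup $GroupName $member /add 2>&1 | Out-Null
}

# 2. Directory with inheritance disabled and exactly the three explicit entries.
New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null
$acl = Get-Acl -LiteralPath $LocalPath
$acl.SetAccessRuleProtection($true, $false)        # protect the DACL, drop inherited entries
foreach ($existing in @($acl.Access)) {            # remove any explicit entries that remain
    [void]$acl.RemoveAccessRule($existing)
}
$subtree = 'ContainerInherit, ObjectInherit'       # entry applies to folder, subfolders and files
$rules = @(
    # Everyone may only create files in this folder: no listing, reading or deleting.
    (New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'CreateFiles', 'None', 'None', 'Allow')),
    # Helpdesk group: read, delete and add files, inherited by files and subfolders.
    (New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GroupName, 'Modify', $subtree, 'None', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $subtree, 'None', 'Allow'))
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $LocalPath -AclObject $acl

# 3. Hidden share with Everyone: Full Control. The effective permission is the intersection
#    with the NTFS entries above, so Everyone still only gets "Create files".
net share "$ShareName=$LocalPath" "/GRANT:Everyone,FULL" | Out-Null

function Get-RecoveryKeyAcl {
    # Shows the resulting explicit entries for review; expect exactly three, none inherited.
    (Get-Acl -LiteralPath $LocalPath).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited, AccessControlType
}
Get-RecoveryKeyAcl | Format-Table -AutoSize
```

The Everyone entry is deliberately limited to this folder only (no inheritance flags): endpoints need to drop a file into the directory, but nothing they create should grant them rights on the files of other endpoints. A local group cannot contain another local group, so the helpdesk accounts are added as individual members rather than by nesting Administrators.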
3.3.7 Import licenses (new database)
A valid license file is needed to run Sophos SafeGuard in a productive environment. If there are
no valid licences available, you cannot create configuration packages for deployment on endpoints.
You obtain the licenses from your sales partner. They must be imported into the Sophos SafeGuard
Database.
You can carry out this step if you have created a new database. When you use an existing
database, import the licences after first-time configuration is finished.
1. On the License page, do one of the following:
   ■ To import the licenses now, click [...] to browse for the valid license file. Select the file and
     click Open. Click Next. The license file is imported into the Sophos SafeGuard Database
     after first-time configuration is completed. You can use the full version and create
     configuration packages.
   ■ To import the licenses later, click Next. You can use SafeGuard Policy Editor, but you
     cannot create configuration packages. To use the full version, import the license file after
     first-time configuration is completed, see Import licenses (page 37).
3.3.8 Complete first-time configuration
1. Click Finish.
First-time configuration is completed. You have created the following:
■ A default policy to implement a company-wide security policy on the endpoints:
  ■ SafeGuard Power-on Authentication is enabled.
  ■ Volume-based encryption for all internal hard disks is enabled.
  ■ The user can recover a forgotten password with Local Self Help by answering predefined
    questions.
  ■ The help desk can recover passwords/access to data using Challenge/Response.
  ■ File-based encryption is enabled.
■ All necessary requirements for the IT helpdesk to carry out recovery tasks.
Note: A file containing the configuration settings (Networkshare.xml) and events
(ConfigurationOutput.xml) is stored in the Temp folder.
The SafeGuard Policy Editor starts once the Configuration Wizard has closed. If you have not
imported a valid license file during first-time configuration, import it now for full functionality of all
Sophos SafeGuard components, see Import licenses (page 37).
3.4 Setting up Sophos SafeGuard on endpoints
Sophos SafeGuard encryption software can be seamlessly integrated into the user's normal
environment and is easy and intuitive to use. According to your deployment strategy, endpoints
can be equipped with different Sophos SafeGuard modules and configured to your requirements.
Security officers may carry out installation and configuration locally on the endpoints or as part
of a centralized software distribution. A central install ensures a standardized installation on
multiple computers.
3.4.1 Sophos SafeGuard packages and features
The following table shows the installation packages and features of the Sophos SafeGuard
encryption software on endpoints. You find the installation packages in the Installers folder of
your product delivery.
Note: When the operating system of the endpoint is Windows 64-bit, install the 64-bit variant of
the installation packages (<package name>_x64.msi).
Even if it is possible to only install a subset of features in a first-time installation, we recommend
that you install the complete Sophos SafeGuard full disk encryption package from the start.
Package: SGxClientPreinstall.msi (pre-installation package)
Content: Provides endpoints with necessary requirements for successful installation of the current
encryption software.
Package: SGNClient.msi / SGNClient_x64.msi (SafeGuard client installation package)
Content: For full disk encryption for internal and external hard disks, Sophos SafeGuard offers the
alternatives SafeGuard volume-based encryption or BitLocker. The package contains the following
features:
■ SafeGuard volume-based encryption (only Windows 7 BIOS): SafeGuard full disk encryption.
  Includes SafeGuard Power-on Authentication.
  Select an installation of type Complete, Typical or Custom.
■ BitLocker or BitLocker C/R: Sophos SafeGuard manages the Microsoft BitLocker encryption
  engine. On UEFI platforms BitLocker pre-boot authentication comes with a SafeGuard
  Challenge / Response mechanism whereas the BIOS version allows the retrieval of the recovery
  key from the SafeGuard Policy Editor.
  Select installation type Custom.
■ Data Exchange: SafeGuard Data Exchange: file-based encryption of data on removable media
  on all platforms without re-encryption.
  Select an installation of type Complete or Custom.
■ Cloud Storage: File-based encryption of data stored in the cloud. Local copies of data stored
  in the cloud are always encrypted transparently. To send data to or receive data from the cloud,
  vendor-specific software must be used.
  Select an installation of type Complete or Custom.
3.4.2 Restrictions
Note the restrictions for Sophos SafeGuard on endpoints described in the following sections.
■ Sophos SafeGuard for Windows does not support Apple hardware and cannot be installed in
  a Boot Camp environment.
■ If using Intel Advanced Host Controller Interface (AHCI) on the computer, the boot hard disk
  must be in Slot 0 or Slot 1. You can insert up to 32 hard disks. Sophos SafeGuard only runs
  on the first two slot numbers.
■ SafeGuard full disk encryption for volumes that are located on dynamic disks or GUID partition
  table (GPT) disks is not supported. If such disks are found, the installation is terminated. If such
  disks are found on the computer at a later time, they are not supported.
■ The SafeGuard full disk encryption module does not support systems that are equipped with
  hard drives attached through a SCSI bus.
■ Fast User Switching is not supported.
Remote Desktop Logon
■ Sophos SafeGuard only allows one user session, so when a remote user logs on to the system,
  the remote connection attempt will fail unless the currently running session is shut down.
■ Remote logon with token is not supported.
3.4.3 Preparing endpoints
Before you install the encryption software, we recommend that you prepare as follows.
■ A user account must be set up and active on the endpoints.
■ Ensure that you have Windows administrator rights.
■ Create a full backup of the data on the endpoint.
■ Drives to be encrypted must be completely formatted and have a drive letter assigned to them.
■ Sophos provides a hardware configuration file to minimize the risk of conflicts between the
  SafeGuard POA and your endpoint hardware. The file is contained in the encryption software
  package. We recommend that you install an updated version of this file before any significant
  deployment of Sophos SafeGuard. The file is updated on a monthly basis and made available
  to download from: http://www.sophos.com/en-us/support/knowledgebase/65700.aspx
  You can help us improve hardware compatibility by executing a tool that we provide to collect
  hardware relevant information only. The tool is very easy to use. The collected information is
  added to the hardware configuration file. For further information, see
  http://www.sophos.com/en-us/support/knowledgebase/110285.aspx.
■ Check the hard disk(s) for errors with this command:
  chkdsk %drive% /F /V /X
  In some cases you might be prompted to restart the computer and run chkdsk again. For
  further information, see: http://www.sophos.com/en-us/support/knowledgebase/107081.aspx.
  You can check the results (log file) in the Windows Event Viewer under Windows Logs,
  Application.
■ Use the Windows built-in defrag tool to locate and consolidate fragmented boot files, data
  files, and folders on local volumes. For further information, see:
  http://www.sophos.com/en-us/support/knowledgebase/109226.aspx.
■ Uninstall third party boot managers, such as PROnetworks Boot Pro and Boot-US.
■ If you have used an imaging/cloning tool, we recommend that you rewrite the MBR. To install
  Sophos SafeGuard you need a clean, unique master boot record. By using imaging/cloning
  tools the master boot record might no longer be clean.
  You can clean the master boot record by starting from a Windows DVD and using the command
  FIXMBR within the Windows Recovery Console. For further information, see:
  http://www.sophos.com/en-us/support/knowledgebase/108088.aspx
■ If the boot partition on the computer has been converted from FAT to NTFS and the computer
  has not been restarted since, restart the computer once. Otherwise the installation might not
  be completed successfully.
3.4.3.1 Prepare for Cloud Storage
The Sophos SafeGuard module Cloud Storage offers file-based encryption of data stored in the
cloud.
Cloud Storage makes sure that local copies of cloud data are encrypted transparently and remain
encrypted when stored in the cloud.
The way users work with data stored in the cloud is not changed. The vendor-specific cloud
software remains unaffected and can be used in the same way as before to send data to or receive
data from the cloud.
To prepare endpoints for Cloud Storage:
■ The cloud storage software provided by the vendor must be installed on the endpoints where
  you want to install Cloud Storage.
■ The cloud storage software provided by the vendor must have an application or system service
  stored on the local file system that synchronizes data between the cloud and the local system.
■ The cloud storage software provided by the vendor must store the synchronized data on the
  local file system.
Note: Cloud Storage only encrypts new data stored in the cloud. If data was already stored in
the cloud before installing Cloud Storage, this data is not automatically encrypted. If it is to be
encrypted, users first have to remove it from the cloud and then add it again after Cloud Storage
has been installed.
3.4.3.2 Prepare for a "Modify" installation
If an existing Sophos SafeGuard installation is modified or if features are installed at a later time,
the setup might complain that certain components (for example SafeGuard Removable Media
Manager) are currently in use. This message is caused by the fact that the selected features
share common components that are currently in use and therefore cannot be upgraded
immediately. This message can be ignored since the affected components will be automatically
updated upon restart.
This behavior applies to installation in attended and unattended mode.
3.4.4 Install encryption software and configuration package locally
If you want to carry out a trial installation on an endpoint, it might be useful to install Sophos
SafeGuard locally first.
Prerequisites:
■ Computers must have been prepared for encryption, see Preparing endpoints (page 26).
■ Decide which encryption package and features you need to install.
To install the encryption software locally:
1. Log on to the endpoint as an administrator.
2. Install the latest pre-installation package SGxClientPreinstall.msi that provides the
endpoint with the necessary requirements for a successful installation of the current encryption
software.
3. From the product's install folder, double-click the relevant encryption package (MSI). A wizard
guides you through the necessary steps.
4. In the wizard, accept the defaults on all subsequent dialogs.
Note: In a first-time installation, we recommend that you select a Complete installation from
the start. To only install a subset of features, choose a Custom installation and
activate/deactivate the features you want.
Sophos SafeGuard is installed on the endpoint.
5. In the SafeGuard Policy Editor, configure the encryption software to your requirements:
   ■ Use the predefined default policy for quick and easy policy deployment automatically created
     during first-time configuration in SafeGuard Policy Editor.
   ■ If the default policy does not cover all your specific requirements, edit it or create your own
     policies in the SafeGuard Policy Editor, see Working with policies (page 39).
     For example, your deployment strategy might require setting up administrative access to
     the endpoint for service staff. In this case you need to define a specific policy and create
     a configuration package containing these policies.
6. Publish the policies to a configuration package, see Working with configuration packages
(page 43).
7. Install the relevant configuration package (MSI) on the endpoint.
8. After installation, make sure that the endpoint is restarted twice to activate SafeGuard Power-on
Authentication. The endpoint must be restarted for a third time to perform a backup of the
kernel data on every Windows boot.
Make sure that the endpoint is not put into hibernation, sleep or hybrid sleep mode before the
third restart to successfully complete the kernel backup.
Sophos SafeGuard is installed and configured according to the previously created policies on the
endpoint. See the SafeGuard Easy user help (chapter First logon after Sophos SafeGuard
installation) for the behavior of the endpoint after Sophos SafeGuard installation.
Additional configuration may be required to ensure that the SafeGuard POA functions correctly
on each hardware platform. Most hardware conflict issues can be resolved using the Hotkeys
feature built into the SafeGuard POA. For further information, see Supported Hotkeys in SafeGuard
Power-on Authentication (page 65).
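The three package installations of the procedure above (pre-installation package, encryption package, configuration package), run unattended in that order through the Windows Installer command line with each exit code checked before the next package starts. This is an added example and not Sophos code: the installer directory, the name of the generated configuration package and the log location are assumptions, and ADDLOCAL=ALL is the standard Windows Installer property for a complete installation, not a SafeGuard-specific value; the feature names for a Custom installation are the ones the help lists under Sophos SafeGuard features (ADDLOCAL).

```powershell
# Added example (not Sophos code): install the packages in the documented order and stop
# at the first failure. Run elevated on the endpoint.
$InstallerDir  = 'C:\Software\SafeGuard'     # assumed central store for the MSI files
$ConfigPackage = 'SGN_Config_Default.msi'    # assumed name of the generated <configpackage>.msi
$ClientPackage = if ([Environment]::Is64BitOperatingSystem) { 'SGNClient_x64.msi' } else { 'SGNClient.msi' }

function Install-MsiPackage {
    # Runs msiexec silently with a verbose log and returns the exit code.
    # 0 = success, 3010 = success but a restart is required; anything else is an error.
    param(
        [Parameter(Mandatory)][string]$Msi,
        [string[]]$Properties = @()
    )
    if (-not (Test-Path -LiteralPath $Msi)) { throw "Package not found: $Msi" }
    $log = Join-Path $env:TEMP ([IO.Path]::GetFileNameWithoutExtension($Msi) + '.log')
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart', '/L*v', "`"$log`"") + $Properties
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin @(0, 3010)) {
        throw "$Msi failed with exit code $($proc.ExitCode); see $log"
    }
    return $proc.ExitCode
}

$sequence = @(
    @{ Msi = 'SGxClientPreinstall.msi'; Properties = @() },
    @{ Msi = $ClientPackage;             Properties = @('ADDLOCAL=ALL') },
    @{ Msi = $ConfigPackage;             Properties = @() }
)

$restartRequired = $false
foreach ($step in $sequence) {
    $code = Install-MsiPackage -Msi (Join-Path $InstallerDir $step.Msi) -Properties $step.Properties
    Write-Output ("{0}: exit code {1}" -f $step.Msi, $code)
    if ($code -eq 3010) { $restartRequired = $true }
}
if ($restartRequired) {
    # The restarts themselves are left to the operator, because the help text requires
    # two restarts to activate Power-on Authentication and a third for the kernel backup,
    # with no sleep or hibernation in between.
    Write-Output 'Restart the endpoint now; do not put it into sleep or hibernation until the third restart.'
}
```

Because the pre-installation package is mandatory, the function throws on any non-success code and the foreach loop never reaches the encryption package after a failed prerequisite; the verbose log in %TEMP% is the place to look when a step is reported as failed.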
3.4.5 Install encryption software and configuration packages with a script
For a central installation, we recommend that you prepare a script using the Windows Installer
component msiexec. Msiexec automatically carries out a pre-configured Sophos SafeGuard
installation. Because the source and destination of the installation can be specified, you obtain a
standardized installation on multiple endpoints.
Prerequisites:
■ Endpoints must have been prepared for encryption, see Preparing endpoints (page 26).
■ Decide which encryption package and features you need to install, see Sophos SafeGuard
  packages and features (page 24).
To install the encryption software centrally:
1. On the administrator computer, create a folder called Software to use as a central store for
all applications.
2. Use a software deployment tool such as Microsoft System Center Configuration Manager,
IBM Tivoli, or Enteo Netinstall to carry out central installation on the endpoints. Install them in
the order mentioned below.
Note: When carrying out the installation through Active Directory, use a separate group policy
object (GPO) for each package and sort them in the order mentioned below to guarantee a
successful installation.
When the endpoint language is not set to German, additionally do the following: in the Group
Policy Editor, select the respective group object and then Computer Configuration > Software
Settings > Advanced. In the Advanced Deployment Options dialog, select Ignore language
when deploying this package and click OK.
Package: Pre-installation package (SGxClientPreinstall.msi)
Description: The mandatory package provides the endpoints with the necessary requirements for a successful installation of the current encryption software.
Note: If this package is not installed, installation of the encryption software is aborted.

Package: Encryption software installation package
Description: For a list of available packages, see Sophos SafeGuard packages and features (page 24).

Package: Configuration package for endpoints
Description: Use the configuration package created before in the SafeGuard Policy Editor. Make sure that you delete all old configuration packages.
3. Create a script with the commands for the pre-configured installation. The script must list which
features of the encryption software you want to install, see Sophos SafeGuard features
(ADDLOCAL) (page 31). Open a command prompt, and then type the scripting commands.
For the command-line syntax, see Command options for central installation (page 30).
4. Distribute this package to the endpoints using company software distribution mechanisms.
The installation is executed on the endpoints. The endpoints are then ready for use of Sophos
SafeGuard.
5. After installation, make sure that endpoints are restarted twice to activate SafeGuard Power-on
Authentication. Endpoints must be restarted for a third time to perform a backup of the kernel
data on every Windows boot.
Make sure that endpoints are not put into hibernation, sleep or hybrid sleep mode before the
third restart to successfully complete the kernel backup.
Additional configuration may be required to ensure that SafeGuard Power-on Authentication
(POA) functions correctly on each hardware platform. Most hardware conflicts can be resolved
using the Hotkeys built into the SafeGuard POA. Hotkeys can be configured in the SafeGuard
POA after installation or by an additional configuration setting passed to the Windows Installer
command msiexec. For further information, see:
http://www.sophos.com/en-us/support/knowledgebase/107781.aspx
http://www.sophos.com/en-us/support/knowledgebase/107785.aspx
3.4.5.1 Command options for central installation
When you install Sophos SafeGuard on the endpoints centrally, we recommend that you use the
Windows Installer component msiexec. Msiexec is included in Windows. For further information,
see: http://msdn.microsoft.com/en-us/library/aa367988(VS.85).aspx.
Command line syntax
msiexec /i <path+msi package name> /qn ADDLOCAL=ALL | <Features> <parameter>
The command line syntax consists of:
■ Windows Installer parameters, which, for example, log warnings and error messages to a file during the installation.
■ Sophos SafeGuard features which are to be installed, for example full disk encryption.
■ Sophos SafeGuard parameters, to specify the installation directory, for example.
Command options
You can select all available options using msiexec.exe at the command prompt. The main options
are described below.
Option: /i
Description: Specifies that this is an installation.

Option: /qn
Description: Installs with no user interaction and does not display a user interface.

Option: ADDLOCAL=
Description: Lists the features that are to be installed. If the option is not specified, all features intended for a standard installation are installed. For a list of feature parameters for the ADDLOCAL option, see Sophos SafeGuard features (ADDLOCAL) (page 31).

Option: ADDLOCAL=ALL
Description: Under Windows 7 (BIOS) ADDLOCAL=ALL installs the SafeGuard volume-based encryption and all other available features. Under Windows 8 ADDLOCAL=ALL installs BitLocker support and all other available features.

Option: REBOOT=Force | NoRestart
Description: Forces or suppresses a restart after installation. If nothing is specified, the restart is forced after installation.

Option: /L*VX <path + filename>
Description: Logs all warnings and error messages in the specified log file. The parameter /Le <path + filename> only logs error messages.

Option: Installdir=<directory>
Description: Specifies the directory in which the Sophos SafeGuard encryption software is to be installed. If no value is specified, the default installation directory will be <SYSTEM>:\PROGRAM FILES\SOPHOS.
3.4.5.2 Sophos SafeGuard features (ADDLOCAL)
For a central installation, you must define in advance which Sophos SafeGuard features are to
be installed on the endpoints. List the features after typing the option ADDLOCAL in the command.
■ Separate the features by comma, not by space.
■ Observe upper and lower case.
■ If you select a feature, you also need to add all feature parents to the command line.
■ Please note that the names of the features may differ from the corresponding module names. You can find them in the table below in parentheses.
■ You must list the features Client and CredentialProvider by default.
Note: Even if it is possible to only install a subset of features in a first-time installation, we
recommend that you install the complete Sophos SafeGuard full disk encryption package from
the start.
The following tables list the Sophos SafeGuard features that can be installed on the endpoints.
For further information, see Sophos SafeGuard packages and features (page 24).
Features for SafeGuard full disk encryption
The table lists the available features for the SafeGuard full disk encryption package (SGNClient.msi,
SGNClient_x64.msi) to be listed in the ADDLOCAL option.
Feature Parents: Client
Feature: CredentialProvider
Mandatory. The feature enables logon with the Credential Provider.

Feature Parents: Client, BaseEncryption
Feature: SectorBasedEncryption (SafeGuard volume-based encryption)
Note: SectorBasedEncryption OR BitLockerSupport can be specified.

Feature Parents: Client, BaseEncryption
Feature: BitLockerSupport (BitLocker)

Feature Parents: Client, BaseEncryption, BitLockerSupport
Feature: BitLockerSupportCR (BitLocker C/R)
Install BitLocker support with SafeGuard C/R recovery for BitLocker pre-boot authentication.

Feature Parents: Client
Feature: SecureDataExchange (Data Exchange)

Feature Parents: Client
Feature: CloudStorage (Cloud Storage)
Sample command
The command given below has the following effect:
■ The endpoints are provided with the necessary requirements for successful installation of the encryption software.
■ Sophos SafeGuard Power-on Authentication is installed.
■ Sophos SafeGuard volume-based full disk encryption is installed.
■ A log file is created.
■ The configuration package is run.
Example:
msiexec /i F:\Software\SGxClientPreinstall.msi /qn /log I:\Temp\SGxClientPreinstall.log
msiexec /i F:\Software\SGNClient.msi /qn /l*VX! I:\Temp\SGNClient.log ADDLOCAL=Client,CredentialProvider,BaseEncryption,SectorBasedEncryption,CloudStorage
msiexec /i F:\Software\SGnConfig.msi /qn /log I:\Temp\SGNConfig.log
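The following PowerShell script is an added example and not part of the Sophos documentation. It checks an ADDLOCAL feature list against the rules in Sophos SafeGuard features (ADDLOCAL) (all parents listed, Client and CredentialProvider present, SectorBasedEncryption and BitLockerSupport not combined, case-sensitive names) and then runs the three msiexec calls of the sample command in the required order, stopping on a failed exit code. The folders F:\Software and I:\Temp are taken over from the sample; the function names, the log file names and the assumption that BaseEncryption has Client as its parent are mine.

```powershell
# Added example, not part of the Sophos documentation: validate an ADDLOCAL feature list
# and run the pre-installation package, the encryption software and the configuration
# package in the documented order. Adapt folder and file names to your environment.

# Feature -> required parents, from the feature table for SGNClient.msi / SGNClient_x64.msi.
# BaseEncryption only appears as a parent in that table; its own parent is assumed to be Client.
$FeatureParents = @{
    'Client'                = @()
    'CredentialProvider'    = @('Client')
    'BaseEncryption'        = @('Client')
    'SectorBasedEncryption' = @('Client', 'BaseEncryption')
    'BitLockerSupport'      = @('Client', 'BaseEncryption')
    'BitLockerSupportCR'    = @('Client', 'BaseEncryption', 'BitLockerSupport')
    'SecureDataExchange'    = @('Client')
    'CloudStorage'          = @('Client')
}

function Test-AddLocalFeatures {
    # Returns a list of problems; an empty result means the feature list is acceptable.
    param([Parameter(Mandatory)][string[]]$Features)
    $problems = @()
    foreach ($f in $Features) {
        # Feature names are case-sensitive, so the case-sensitive -ccontains is used throughout.
        if (-not ($FeatureParents.Keys -ccontains $f)) {
            $problems += "Unknown feature '$f' (check spelling and upper/lower case)"
            continue
        }
        foreach ($parent in $FeatureParents[$f]) {
            if (-not ($Features -ccontains $parent)) {
                $problems += "Feature '$f' requires its parent '$parent' on the command line"
            }
        }
    }
    foreach ($mandatory in 'Client', 'CredentialProvider') {
        if (-not ($Features -ccontains $mandatory)) {
            $problems += "Feature '$mandatory' must always be listed"
        }
    }
    if (($Features -ccontains 'SectorBasedEncryption') -and ($Features -ccontains 'BitLockerSupport')) {
        $problems += 'Only one of SectorBasedEncryption and BitLockerSupport can be specified'
    }
    return $problems
}

function Invoke-SafeGuardInstall {
    param(
        [Parameter(Mandatory)][string[]]$Features,
        [string[]]$ClientProperties = @(),        # extra properties, e.g. 'FIPS_AES=1' or 'OPALMODE=0'
        [string]$SoftwareDir = 'F:\Software',    # central store folder, as in the sample command
        [string]$LogDir      = 'I:\Temp',        # log folder, as in the sample command
        [string]$ConfigMsi   = 'SGnConfig.msi'   # configuration package created in SafeGuard Policy Editor
    )
    $problems = Test-AddLocalFeatures -Features $Features
    if ($problems) { throw ("Invalid ADDLOCAL list:`n" + ($problems -join "`n")) }

    $addLocal = $Features -join ','   # comma-separated, no spaces
    # Order matters: pre-installation package, encryption software, configuration package.
    # REBOOT=NoRestart keeps the endpoint up so the configuration package installs in the same
    # run; restart the endpoint afterwards as described above (twice for the POA, a third
    # time for the kernel backup).
    $steps = @(
        @{ Msi = 'SGxClientPreinstall.msi'; Extra = @() },
        @{ Msi = 'SGNClient.msi'; Extra = @("ADDLOCAL=$addLocal", 'REBOOT=NoRestart') + $ClientProperties },
        @{ Msi = $ConfigMsi; Extra = @() }
    )
    foreach ($step in $steps) {
        $msi = Join-Path $SoftwareDir $step.Msi
        $log = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($step.Msi) + '.log')
        $msiArgs = @('/i', "`"$msi`"", '/qn', '/L*VX', "`"$log`"") + $step.Extra
        Write-Host "msiexec $($msiArgs -join ' ')"
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success, 3010 = success but a restart is required; anything else stops the sequence.
        if ($proc.ExitCode -notin @(0, 3010)) {
            throw "$($step.Msi) failed with exit code $($proc.ExitCode); see $log"
        }
    }
}

# Same feature set as the sample command above; uncomment to run on an endpoint.
# Invoke-SafeGuardInstall -Features Client,CredentialProvider,BaseEncryption,SectorBasedEncryption,CloudStorage
```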
3.4.6 FIPS-compliant installation
The FIPS certification describes security requirements for encryption modules. For example
government bodies in the USA and in Canada require FIPS 140-2-certified software for particularly
security-critical information.
Sophos SafeGuard uses FIPS-certified AES algorithms. By default, a new, faster implementation
of the AES algorithms is installed that has not yet been FIPS-certified.
To use the FIPS-certified variant of the AES algorithm, set the FIPS_AES property to 1 when
installing the Sophos SafeGuard encryption software.
This can be done in two ways:
■ Add the property to the command line script:
msiexec /i F:\Software\SGNClient.msi FIPS_AES=1
■ Use a transform.
3.4.7 Installation on endpoints with self-encrypting, Opal-compliant hard drives
Sophos SafeGuard supports the vendor-independent Opal standard for self-encrypting hard
drives.
To ensure that the support of self-encrypting, Opal-compliant hard drives follows the standard
closely, two types of check are carried out at the installation of the Sophos SafeGuard encryption
software on the endpoints:
■ Functional checks
Functional checks include, among others, checking whether the drive identifies itself as an "OPAL" hard drive, whether communications properties are correct and whether all Opal features required for Sophos SafeGuard are supported by the drive.
■ Security checks
Security checks ensure that only Sophos SafeGuard users are registered on the drive and that only Sophos SafeGuard users own the keys used to software-encrypt non-self-encrypting drives. If other users are found to be registered at installation, Sophos SafeGuard automatically tries to disable these users. This is a functionality required by the Opal standard with the exception of a few default "authorities" which are required to run an Opal system.
Note: The security checks are repeated when an encryption policy for the drive is applied after
successful Opal-mode installation. If they fail, drive management must have been manipulated
outside of Sophos SafeGuard in the meantime. In this case, Sophos SafeGuard does not lock
the Opal hard drive. A corresponding message will be displayed.
If any of these checks fail in an unrecoverable way, installation does not fall back to software-based
encryption. Instead, all volumes on the Opal disk remain unencrypted.
From Sophos SafeGuard version 7 onwards, no Opal checks are performed by default. This
means that, although an Opal drive is present, Sophos SafeGuard will encrypt volumes on this
drive using software-based encryption.
If you want to force Opal checks, use the following command line syntax:
MSIEXEC /i <name_of_selected_client_msi>.msi OPALMODE=0
Note: The Opal HW-encryption mode will be preserved when upgrading a system with an Opal
HDD used in Opal HW-encryption mode from Sophos SafeGuard 6.x to Sophos SafeGuard 7.0.
Some Opal hard drives may have potential security issues. There is no way to automatically
determine which privileges have been assigned to an unknown user/authority that has already
been registered on the drive when Sophos SafeGuard installation/encryption is carried out. If the
drive refuses the command to disable such users, Sophos SafeGuard falls back to software
encryption to ensure maximum security for the Sophos SafeGuard user. As we cannot give any
security guarantees for the hard drives themselves, we have implemented a special installation
switch to enable you to use drives which may have potential security risks at your own discretion.
For a list of hard drives this installation switch is needed for as well as for further information on
supported hard drives, see the SafeGuard Device Encryption: OPAL Support.
Add the property to the command line script:
MSIEXEC /i <name_of_selected_client_msi>.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1
The internal property of the .msi has the same name, if you want to modify it using a transform.
3.5 Configure additional instances of SafeGuard Policy Editor
The SafeGuard Policy Editor must have been installed on the respective computer.
1. Start the SafeGuard Policy Editor on the computer where you want to use it. The Configuration
Wizard is launched and guides you through the necessary steps.
2. On the Welcome page, click Next.
3. On the Database page, under Database, all databases available on the currently connected
database server are displayed. Select the respective database from the list. The corresponding
settings are displayed under Database settings. To change them, click Change, see Configure
the database connection settings (page 19).
4. Click Next.
5. On the Security Officer page, select Import to import the security officer certificate associated
with the selected database. Browse for the required certificate and click Open.
Only certificates generated by the SafeGuard Policy Editor may be imported. Certificates
created by a PKI (for example VeriSign) are not allowed.
6. Enter the password for the certificate store.
7. Click Next and then Finish to complete the SafeGuard Policy Editor Configuration Wizard.
4 Log on to the SafeGuard Policy Editor
1. Start the SafeGuard Policy Editor from the Start menu. A logon dialog is displayed.
2. Enter the security officer credentials defined during first-time configuration and click OK.
The SafeGuard Policy Editor is opened.
Note: Two security officers must not use the same Windows account on the same computer.
Otherwise it is not possible to separate their access rights properly.
5 Licenses
To use the Sophos SafeGuard components, valid licenses are required. For token usage, the
appropriate token licences are needed. After purchasing the software, customers receive a license
file with the licenses obtained from their sales partner.
The license file is an .XML file with a signature and contains the following information:
■ Company name
■ Date issued
■ Number of licenses purchased per component or feature (for example SafeGuard Policy Editor, Sophos SafeGuard Client, Device Encryption)
■ Token license information
■ License expiration date
■ License type (regular for full licenses)
The license file must be imported into the Sophos SafeGuard Database. For further information,
see Import licenses (new database) (page 23) and Import licenses (page 37).
A license is valid if the following applies:
■ The license type is regular.
■ The license has not expired. The license becomes invalid one month after the expiry date.
■ The license file contains at least one SafeGuard Policy Editor license and either one Device Encryption license or one Data Exchange license.
Note: If you have not imported a valid license or your license has expired, you cannot create
configuration packages for deployment on the endpoint computer. When users log on to endpoints,
a message is displayed indicating that a demo version is used.
5.1 Token licenses
For token or smartcard usage, token licenses are required. If the appropriate licenses are not
available, you cannot create policies for tokens in the SafeGuard Policy Editor.
5.2 Import licenses
To use Sophos SafeGuard in a productive environment, valid licenses are required. If there are
no valid licences available, you cannot create configuration packages for deployment on endpoints.
You receive the license file from your sales partner. It must be imported into the Sophos SafeGuard
Database. For new databases, you can import the license files during first-time configuration, see
Import licenses (new database) (page 23).
To import licenses for existing databases:
1. Log on to the SafeGuard Policy Editor with the password set during first-time configuration.
2. In the navigation area, click Users.
3. In the navigation window on the left-hand side, click the root node.
4. In the Licenses tab, click Import license file....
5. Select the license file you want to import and click Open.
The Apply license? dialog is displayed showing the license file contents.
6. Click the Apply license button.
The license file containing the necessary licenses is imported into the Sophos SafeGuard Database.
In the Licenses tab, the imported licenses are displayed. The tab shows the following license
information:
Column: State (icon)
Description: An icon shows the license status (valid, warning, error) for the component or feature in question.

Column: Feature
Description: Shows the licensed component or feature (for example, the SafeGuard Policy Editor, Sophos SafeGuard Client, Device Encryption).

Column: Purchased Licenses
Description: Shows the number of licenses purchased for the relevant component or feature.

Column: Used Licenses
Description: Shows the number of licenses used for the relevant component or feature.

Column: Expires
Description: Shows the license expiration date.

Column: Type
Description: Shows the license type. For full licenses this is regular.
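The following PowerShell function is an added example, not part of the Sophos documentation. It applies the validity rules from the start of this chapter (type regular, expiry date plus the one-month period after which a license becomes invalid, at least one SafeGuard Policy Editor license and one Device Encryption or Data Exchange license) and derives the valid/warning/error state the Licenses tab shows. The license file is a signed XML file whose layout is not documented here, so a constructed list of objects stands in for the parsed file; signature checking is out of scope.

```powershell
# Added example, not part of the Sophos documentation: evaluate the contents of a license file
# against the rules stated above. The input objects are constructed; they are not the real XML.

function Get-LicenseState {
    # One license: valid until its expiry date, warning during the following month (the license
    # only becomes invalid one month after the expiry date), error afterwards or if not regular.
    param([Parameter(Mandatory)]$License, [datetime]$Now = (Get-Date))
    if ($License.Type -ne 'regular')              { return 'error' }
    if ($Now -le $License.Expires)                { return 'valid' }
    if ($Now -lt $License.Expires.AddMonths(1))   { return 'warning' }
    return 'error'
}

function Test-SafeGuardLicenseFile {
    # File-level rule: a usable SafeGuard Policy Editor license plus a usable Device Encryption
    # or Data Exchange license. Licenses in the warning state still count as usable.
    param([Parameter(Mandatory)][object[]]$Licenses, [datetime]$Now = (Get-Date))
    $states = foreach ($l in $Licenses) {
        [pscustomobject]@{ Feature = $l.Feature; State = (Get-LicenseState -License $l -Now $Now) }
    }
    $usable  = @($states | Where-Object State -ne 'error' | ForEach-Object Feature)
    $reasons = @()
    if ($usable -notcontains 'SafeGuard Policy Editor') {
        $reasons += 'no valid SafeGuard Policy Editor license'
    }
    if ($usable -notcontains 'Device Encryption' -and $usable -notcontains 'Data Exchange') {
        $reasons += 'neither a valid Device Encryption nor a valid Data Exchange license'
    }
    [pscustomobject]@{
        IsValid = ($reasons.Count -eq 0)   # false means no configuration packages can be created
        Reasons = $reasons
        States  = $states
    }
}

# Constructed sample standing in for a parsed license file (values are illustrative).
$sampleLicenses = @(
    [pscustomobject]@{ Feature = 'SafeGuard Policy Editor'; Purchased = 2;   Expires = [datetime]'2015-12-31'; Type = 'regular' },
    [pscustomobject]@{ Feature = 'Device Encryption';       Purchased = 500; Expires = [datetime]'2015-01-15'; Type = 'regular' },
    [pscustomobject]@{ Feature = 'Data Exchange';           Purchased = 500; Expires = [datetime]'2015-12-31'; Type = 'demo' }
)

# Evaluate as of 2015-02-01: Device Encryption has passed its expiry date but is still inside
# the one-month period, so it is reported as a warning rather than an error.
$check = Test-SafeGuardLicenseFile -Licenses $sampleLicenses -Now ([datetime]'2015-02-01')
$check.States | Format-Table Feature, State
"License file valid: $($check.IsValid)"
if (-not $check.IsValid) { "Reasons: " + ($check.Reasons -join '; ') }
```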
After you have imported a valid license file, you can create configuration packages for deployment
on endpoints, see Working with configuration packages (page 43).
6 Working with policies
The following sections explain how to manage policies, for example how to create, group and
back up policies.
A default policy is automatically created during first-time configuration in SafeGuard Policy Editor,
see Carrying out first-time configuration in SafeGuard Policy Editor (page 18).
For a description of all policy settings available with Sophos SafeGuard, see Default policies
(page 68) and Policy Settings (page 73).
6.1 Create policies
1. Log on to the SafeGuard Policy Editor with the password set during first-time configuration.
2. In the navigation area, click Policies.
3. In the navigation window, right-click Policy Items and select New.
4. Select the policy type. A dialog for naming the new policy is displayed.
5. Enter a name and optionally a description for the new policy.
Policies for Device Protection:
When creating a policy for device protection, you must also specify the target for device
protection. Possible targets are:
■ Mass storage (boot volumes/other volumes)
■ Removable media
■ Optical drives
■ Cloud storage
For each target, a separate policy has to be created. Later, you can combine the individual
policies in a policy group named Encryption, for example.
6. Click OK.
The new policy is displayed in the Policies navigation area, below Policy Items on the left. In
the action area on the right, all settings for the selected policy type are displayed and can be
changed.
6.2 Edit policy settings
When you select a policy in the navigation window, you can edit the policy settings in the action
area.
Note:
A red icon in front of a not configured setting indicates that for this policy setting a
value has to be defined. To be able to save the policy, you first have to select a setting
other than not configured.
Setting policy settings to default values
In the toolbar the following icons are available for setting policy settings:
■ Displays default values for policy settings that have not been configured (setting not configured).
■ Sets the marked policy setting to not configured.
■ Sets all policy settings in an area to not configured.
■ Sets the default value for the marked policy setting.
■ Sets all policy settings in an area to the default value.
Differentiating between machine- and user-specific policies
Policy displayed in blue: Policy is applied to machines only, not users.
Policy displayed in black: Policy is applied to machines and users.
6.3 Policy groups
Sophos SafeGuard policies need to be combined in policy groups before they can be included in
a configuration package. A policy group may contain different policy types.
If you include policies of the same type in a group, the settings are merged automatically. In this
case, you can define priorities for using the settings. The settings of a policy with a higher priority
overwrite the settings of a policy with a lower priority. If an option is set to not configured, the
setting will not be overwritten in a policy of a lower priority.
Note: Overlapping policies assigned to a group might result in incorrect calculation of the priorities.
Make sure that the settings configured in the policies of a group do not overlap.
Exception concerning Device Protection:
Policies for device protection are only merged, if they were defined for the same target (for example,
the boot volume). If they are for different targets, the settings will be added.
6.3.1 Combine policies into groups
Prerequisites:
The individual policies of different types must have been created beforehand.
Sophos SafeGuard policies need to be combined in policy groups before they can be published
to a configuration package. A policy group may contain different policy types.
1. In the SafeGuard Policy Editor navigation area, click Policies.
2. In the navigation window, right-click Policy Groups and select New.
3. Click New Policy Group.
A dialog for naming the policy group is displayed.
4. Enter a unique name and optionally a description for the policy group. Click OK.
The new policy group is displayed in the navigation window under Policy Groups.
5. Select the policy group.
The action area shows all elements required for grouping the policies.
6. To add the policies to the group, drag them from the list of available policies to the policy area.
7. You can define a Priority for each policy by arranging the policies in order using the context
menu.
If you include policies of the same type in a group, the settings are merged automatically. In
this case, you can define priorities for using the settings. The settings of a policy with a higher
priority overwrite the settings of a policy with a lower priority. If an option is set to not
configured, the setting is not overwritten in a policy of a lower priority.
Exception concerning Device Protection:
Policies for device protection are only merged, if they were defined for the same target (for
example, the boot volume). If they are for different targets, the settings are added.
8. On the File menu, click Save.
The policy group now contains the settings of the individual policies. Next publish it to a
configuration package.
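The following PowerShell function is an added example, not part of the Sophos documentation. It applies the merge rules described in Policy groups and in step 7 above to a constructed set of policies and prints what the Resulting tab would show per policy type and, for device protection, per target: the higher priority wins, a setting left not configured in the higher-priority policy does not overwrite the lower-priority value, and policies for different targets are added side by side. Policy names and setting names are constructed for illustration.

```powershell
# Added example, not part of the Sophos documentation: compute the resulting settings of a
# policy group from the priorities of its member policies. All data below is constructed.

$NotConfigured = 'not configured'

function Get-ResultingPolicySettings {
    # Policies of the same type are merged by priority (1 = highest). A setting that is
    # "not configured" in a higher-priority policy does not overwrite the value from a
    # lower-priority policy. Device protection policies are merged only per target, so the
    # merge key is type plus target, which is also how the Resulting tab is split.
    param([Parameter(Mandatory)][object[]]$Policies)
    $result = [ordered]@{}
    $groups = $Policies | Group-Object -Property { "$($_.Type)|$($_.Target)" } | Sort-Object Name
    foreach ($g in $groups) {
        $merged = [ordered]@{}
        # Start with the lowest priority (largest number) so that higher priorities overwrite.
        foreach ($p in ($g.Group | Sort-Object -Property Priority -Descending)) {
            foreach ($key in $p.Settings.Keys) {
                $value = $p.Settings[$key]
                if ($value -ne $NotConfigured) {
                    $merged[$key] = $value
                } elseif (-not $merged.Contains($key)) {
                    $merged[$key] = $NotConfigured   # no policy has set it yet
                }
            }
        }
        $first = $g.Group[0]
        $tab = if ($first.Target) { "$($first.Type) / $($first.Target)" } else { $first.Type }
        $result[$tab] = $merged
    }
    return $result
}

# Constructed policy group: two authentication policies, two boot-volume policies and one
# removable-media policy. Priority 1 is the highest.
$policies = @(
    [pscustomobject]@{ Name = 'Auth-Strict'; Type = 'Authentication'; Target = $null; Priority = 1
        Settings = [ordered]@{ 'Logon mode' = $NotConfigured; 'Max failed logons' = 3 } }
    [pscustomobject]@{ Name = 'Auth-Base'; Type = 'Authentication'; Target = $null; Priority = 2
        Settings = [ordered]@{ 'Logon mode' = 'User ID/Password'; 'Max failed logons' = 10; 'Show POA' = 'Yes' } }
    [pscustomobject]@{ Name = 'Boot-Strong'; Type = 'Device Protection'; Target = 'Boot volumes'; Priority = 1
        Settings = [ordered]@{ 'Algorithm' = 'AES256'; 'Media encryption mode' = $NotConfigured } }
    [pscustomobject]@{ Name = 'Boot-Default'; Type = 'Device Protection'; Target = 'Boot volumes'; Priority = 2
        Settings = [ordered]@{ 'Algorithm' = 'AES128'; 'Media encryption mode' = 'Volume-based' } }
    [pscustomobject]@{ Name = 'Removable'; Type = 'Device Protection'; Target = 'Removable media'; Priority = 1
        Settings = [ordered]@{ 'Algorithm' = 'AES256'; 'Media encryption mode' = 'File-based' } }
)

# One block per tab of the Resulting view: 'Logon mode' keeps the lower-priority value because
# the higher-priority policy left it not configured, while 'Max failed logons' takes the
# higher-priority value; the removable-media policy appears on its own tab.
$resulting = Get-ResultingPolicySettings -Policies $policies
foreach ($tab in $resulting.Keys) {
    "== $tab"
    foreach ($key in $resulting[$tab].Keys) { "  {0,-22} {1}" -f $key, $resulting[$tab][$key] }
}
```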
6.3.2 Policy grouping results
The result of policy grouping is displayed separately.
To display the result, click the Resulting tab.
■ For each policy type a separate tab is shown. The settings resulting from combining the individual policies into a group are displayed.
■ For policies for device protection, a tab is shown for each policy target (for example, boot volumes, drive X etc.).
6.4 Back up policies and policy groups
You can create backups of policies and policy groups as XML files. If necessary, the relevant
policies/policy groups can then be restored from these XML files for editing.
1. In the Policies navigation window, select the policy/policy group under Policy Items or Policy
Groups.
2. Right-click to display the context menu and select Backup Policy.
Note:
The Backup Policy command is also available in the Actions menu.
3. In the Save As dialog, enter a file name and storage location for the backup (XML file). Click
Save.
The backup of the policy/policy group is stored as an XML file in the specified location.
6.5 Restore policies and policy groups
1. In the navigation window, select Policy Items/Policy Groups.
2. Right-click to display the context menu and select Restore Policy.
Note:
The Restore Policy command is also available in the Actions menu.
3. Select the XML file from which the policy/policy group is to be restored and click Open.
The policy/policy group is restored.
7 Working with configuration packages
Sophos SafeGuard protected endpoints receive their encryption policies by way of configuration
packages created in the SafeGuard Policy Editor. For successful operation of Sophos SafeGuard
on the endpoints, you need to create a configuration package containing the relevant policy groups
and distribute it to the endpoints.
Whenever you change any policy settings, you have to create new configuration packages and
distribute them to the endpoints.
The following sections explain how to publish policies into configuration packages and distribute
them to the endpoints.
Note: Check your network and computers regularly for old or unused configuration packages
and, for security reasons, make sure that you delete them.
7.1 Publish policies to a configuration package
Note:
Policies are transferred to the endpoints inside a configuration package. After creating a new
policy or editing an existing one, make sure that you carry out the following steps.
To create a configuration package:
1. In the SafeGuard Policy Editor, select the Configuration Package Tool from the Tools menu.
2. Click Add Configuration Package.
3. Enter a name of your choice for the configuration package.
4. Specify a Policy Group, which must have been created beforehand in the SafeGuard Policy Editor, to be applied to the computers.
5. Under Key Backup Location, specify a shared network path for storing the key recovery file.
Enter the share path in the following form: \\networkcomputer\, for example
\\mycompany.edu\. If you do not specify a path here, the end user will be prompted to name
a storage location for this file when first logging on to the endpoint after installation.
The key recovery file is needed to enable recovery of Sophos SafeGuard protected endpoints
and is generated on each Sophos SafeGuard protected endpoint.
Note: Make sure that you save this key recovery file at a file location accessible to the helpdesk,
for example a shared network path. Alternatively, the files can be provided to the helpdesk
with different mechanisms. This file is encrypted by the company certificate. It can therefore
be saved to any external media or to the network in order to make it available to the helpdesk
for recovery purposes. It can also be sent by e-mail.
6. Under POA Group, you can select a group of POA users to be assigned to the endpoint. POA
users offer access for administrative tasks on the endpoint after the SafeGuard Power-on
Authentication has been activated. To assign POA users, the POA group must have been
created beforehand in the Users area of the SafeGuard Policy Editor.
7. If required, select CCO. For more information, see Company Certificate Change Orders (page
46).
8. Specify an output path for the configuration package (MSI).
9. Click Create Configuration Package.
The configuration package (MSI) has been created in the specified location. You now need to
distribute this package to the Sophos SafeGuard endpoints.
7.2 Distribute configuration packages
Configuration packages have to be installed on the endpoints after installation of the Sophos
SafeGuard encryption software or after any change in the configuration settings.
Distribute the configuration package using your company software distribution mechanisms or
install it manually on the endpoints.
Note: To change the policy settings for a Sophos SafeGuard protected endpoint, create a new
configuration package including the changed policies and distribute it to the computer.
Note: Installing a configuration package from a previous version on an endpoint that has been
upgraded to the latest version is not supported. If you try to install an older configuration package
over a newer one, the installation is aborted.
For security reasons, delete all old or unused configuration packages.
8 Exporting the company and security officer
certificates
In a Sophos SafeGuard installation, the following two items are critical and must be backed up
in a safe location:
■ The company certificate stored in the Sophos SafeGuard Database.
■ The security officer certificate residing in the certificate store of the computer on which the SafeGuard Policy Editor is installed.
Both certificates can be exported in form of .p12 files to back them up. A corrupted SafeGuard
Policy Editor installation or a corrupted database configuration can be restored by importing the
relevant certificate (.p12 file).
Note: We recommend that you carry out this task right after first-time configuration in the
SafeGuard Policy Editor.
8.1 Export the company certificate
1. On the SafeGuard Policy Editor Tools menu, click Options.
2. Select the Certificates tab and click the Export button in the Company Certificate section.
3. You are prompted to enter a password for securing the exported file. Enter a password, confirm
it and click OK.
4. Enter a file name and storage location for the file and click OK.
The company certificate is exported as a .p12 file to the defined location and can be used for
recovery purposes.
8.2 Export the security officer certificate
To back up the security officer certificate of the logged on officer:
1. On the SafeGuard Policy Editor Tools menu, click Options.
2. Select the Certificates tab and click the Export button in the Certificate of <administrator>
section.
3. You are prompted to enter a password for securing the exported file. Enter a password, confirm
it and click OK.
4. Enter a file name and storage location for the file and click OK.
The security officer certificate of the currently logged on officer is exported as a .p12 file to the
defined location and can be used for recovery purposes.
9 Company Certificate Change Orders
Company Certificate Change Orders (CCOs) are used to move a Sophos SafeGuard standalone
client to a different environment by exchanging the endpoint's company certificate by the company
certificate of the target environment.
Note: Creating CCOs is only allowed for Master Security Officers.
9.1 Replace the company certificate
Replacing the company certificate is necessary when you want to move an endpoint from one
standalone environment to a different one. The endpoint to be moved needs to have the company
certificate of the environment it is to be moved to. Otherwise the client does not accept policies
of the new environment. Since the necessary tasks on both sides can be carried out with the
SafeGuard Management Center as well as with the SafeGuard Policy Editor, the following description
uses the term management tool for both. Their range of functions concerning company certificate
replacement is identical.
The following prerequisites must be met:
Decide which is your source and which is your target Management Center/Policy Editor
environment. The source Management Center/Policy Editor is the one you used for creating the
configuration packages for the endpoints that are to be moved. The target Management
Center/Policy Editor is the one the endpoints will be moved to.
To replace the company certificate:
1. In the target management tool, export the company certificate: In the Tools menu, click
Options. Select the Certificates tab and click the Export button under Company Certificate.
Enter and confirm a password for the certificate backup when prompted and select a destination
directory and file name when prompted. The company certificate is exported (cer file).
2. In the source management tool, in the Tools menu, click Options, go to the Certificates tab
and select Create... in the Request section. In the Create CCO dialog, browse for the target
company certificate you exported on the target management tool (step 1). Make sure that it
is the desired certificate. Click Create and select a destination directory and file name for the
.cco file. Confirm that you want to place a Company Certificate Change Order. Please note
that a CCO is not bound to specific endpoints. Using a CCO any client of the source environment
can be moved.
3. In the target management tool, you have to import the CCO created in the source management
tool. In the Tools menu, click Configuration Package Tool and select the CCOs tab. Click
Import.
4. In the Import CCO dialog, select the CCO you created in the source management tool and
enter a CCO name and optionally a description. Click OK.
5. In the target management tool, create a configuration package: In the Tools menu, click
Configuration Package Tool > Standalone client packages and add a new configuration
package. Select the imported CCO from the drop-down menu in the CCO column. Specify a
location under Configuration Package output path. Click Create Configuration package.
The configuration package is created in the specified location.
6. Install this configuration package on all endpoints you want to move from the source
environment to the target environment.
9.2 Managing Company Certificate Change Orders
In the SafeGuard Policy Editor, on the Tools menu, click Configuration Package Tool. All created
CCOs are displayed on the CCOs tab.
Detailed information on the selected CCO is displayed in the lower part of the dialog.
The Source company certificate is the company certificate of the environment whose endpoints
you want to move to a different environment.
The Destination company certificate is the company certificate of the environment to which the
endpoints are being moved.
Below the certificate details, you can see the tasks the selected CCO can be used for.
9.2.1 Import
When creating configuration packages, in order to select the CCO created by a different
management tool to change the company certificate, you must first import it.
Clicking Import... opens a dialog in which you can select and name the CCO. The name you
enter here is displayed on the CCOs tab of the Configuration package Tool.
9.2.2 Export
Using the Export functionality, CCOs stored in the database can be exported and are then available
as .cco files.
10 Change algorithm for self-signed
certificates
Prerequisites: All Sophos SafeGuard components must have version 6.1 or later.
Certificates generated by Sophos SafeGuard, such as the company, machine, security officer
and user certificates are signed with hash algorithm SHA-256 by default during the first-time
installation for enhanced security.
When upgrading from Sophos SafeGuard 6 or earlier, hash algorithm SHA-1 is automatically
used for self-signed certificates. You can manually change it to SHA-256 for enhanced security
after the upgrade is completed.
Note: Only change the algorithm to SHA-256 if all Sophos SafeGuard components and endpoints
have been upgraded to the current version. SHA-256 is not supported in mixed environments
where for example Sophos SafeGuard 6 endpoints are managed by the SafeGuard Policy Editor
7.0. If you have a mixed environment, you must not carry out this task and must not change the
algorithm to SHA-256.
Changing the algorithm for self-signed certificates involves the following steps:
■ Changing the hash algorithm.
■ Creating a Certificate Change Order (CCO).
■ Creating a configuration package including the CCO.
■ Restarting the SafeGuard (database) servers.
■ Distributing and deploying the configuration packages on the endpoints.
To change the algorithm for self-signed certificates:
1. In the SafeGuard Policy Editor menu bar, select Tools > Options.
2. On the General tab, under Certificates, select the required algorithm from Hash algorithm
for generated certificates and click OK.
3. On the Certificates tab, under Request, click Update. In Update Company certificate, enter
a name for the CCO and specify a backup path. Enter a password for the P12 file and retype
it. Optionally enter a comment and click Create.
4. Confirm when prompted that this change cannot be reverted and that all configuration packages
created after this company certificate update need this CCO included to work on already
installed endpoints.
5. Confirm when prompted that the update was successful and that a CCO to be included in all
configuration packages has been created. Click OK.
6. On the Tools menu, click Configuration Package Tool.
7. Select the required type of endpoint configuration package: Managed client packages or
Standalone client packages.
8. Click Add Configuration Package and enter a name of your choice for the configuration
package.
9. Select the CCO you created beforehand.
10. Make further selections as appropriate.
11. Specify an output path for the configuration package (MSI).
12. Click Create Configuration Package.
The configuration package (MSI) has now been created in the specified directory.
13. Restart all SafeGuard (database) servers.
14. Distribute and deploy this package to the Sophos SafeGuard protected endpoints.
All certificates generated by Sophos SafeGuard are signed with the new algorithm.
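Before and after this procedure, the hash algorithm of an exported company certificate (the .cer file from chapter 9) can be confirmed outside the GUI. The following script is an added example, not Sophos code; it assumes the export is a standard X.509 certificate in DER or PEM form and that the OID table covers the signature types in use.

```python
"""Report the signature hash of an exported company certificate (.cer).

Added example, not Sophos code. Assumes the exported file is a standard
X.509 certificate, DER or PEM encoded; only the outer ASN.1 layers are
parsed, so no third-party library is needed."""
import base64

# signatureAlgorithm OIDs -> hash algorithm (RSA and ECDSA families)
SIGNATURE_HASHES = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",
    "1.2.840.113549.1.1.13": "SHA-512",
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

# Constructed OID encodings, used only by sample_certificate() below.
SAMPLE_SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")
SAMPLE_SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID content bytes -> dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_certificate_der(data):
    """Accept DER bytes or a PEM block and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [line for line in data.splitlines() if not line.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this an X.509 certificate?")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("unexpected element after tbsCertificate")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_hash(data):
    """'SHA-1', 'SHA-256', ... or 'unknown (<oid>)' for a .cer file's content."""
    oid = signature_algorithm_oid(load_certificate_der(data))
    return SIGNATURE_HASHES.get(oid, f"unknown ({oid})")


def _der(tag, content):
    """Minimal DER encoder; the short length form is enough for the sample."""
    return bytes([tag, len(content)]) + content


def sample_certificate(oid_content):
    """Constructed test shell, not a real certificate: empty tbsCertificate,
    the given signature OID with NULL parameters, and a dummy signature."""
    alg_id = _der(0x30, _der(0x06, oid_content) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # path of the exported .cer file
        print(signature_hash(fh.read()))
```

A result of SHA-1 on the exported company certificate means the environment is still in the post-upgrade state described above and the update has not yet taken effect.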
11 Check the database integrity
When you log on to the database, database integrity is automatically verified. If this check results
in any errors, the Verify Database Integrity dialog is displayed.
You can also start the database integrity check manually any time after logon and display the
Verify Database Integrity dialog:
1. In the SafeGuard Policy Editor, on the Tools menu, select Database integrity.
2. To check the tables, click Check all or Check selected.
Erroneous tables are marked in the dialog.
3. Click Repair.
Erroneous database tables are repaired.
12 User types and administrative access to
endpoints
Note: The following descriptions refer to Windows endpoints protected with Sophos SafeGuard
with SafeGuard Power-on Authentication.
Sophos SafeGuard offers various user types. Their default behavior can be changed, see Policy
Settings (page 73).
■ Owner: The first user to log on to an endpoint after the installation of Sophos SafeGuard is
not just entered as an SGN user, but also as the owner of that endpoint. Provided that the
default settings have not been changed, an owner has the right to enable other users to log
on to the endpoint and become SGN users.
■ SGN user: A "full" SGN user is allowed to log on at the SafeGuard POA, is added to the UMA
(User Machine Assignment) and is provided with a user certificate and a key ring for accessing
encrypted data.
■ SGN Windows user: SGN Windows users are not added to the SafeGuard POA, but have a
key ring for accessing encrypted files, just as SGN users. They are also added to the UMA,
which means that they are allowed to log on to Windows on that endpoint.
■ SGN guest user: SGN guest users are not added to the UMA, are not provided with rights to
log on to the POA, are not assigned a certificate or a key ring and are not saved to the database.
See Specific machine settings - basic settings (page 96) for information on how to prevent
SGN guest users from logging on to Windows.
Sophos SafeGuard offers two types of accounts to enable users to log on to endpoints and carry
out administrative tasks after Sophos SafeGuard has been installed.
■ Service accounts for Windows logon
With service accounts, users (for example rollout operators, members of the IT team) can log
on (Windows logon) to endpoints after the installation of Sophos SafeGuard without activating
the SafeGuard POA and without being added as users to the computers. Users included on
a service account list are treated as guest users when logging on to the endpoint.
For further information, see Service account lists for Windows logon (page 52).
Note: Service account lists are assigned to endpoints through policies. They should be
assigned in the first Sophos SafeGuard configuration package you create for the configuration
of the endpoint. Service account lists can be updated by creating a new configuration package
and deploying it to the endpoints before activation of the SafeGuard POA.
■ POA users for SafeGuard POA logon
POA users are predefined local accounts that enable users (for example members of the IT
team) to log on to endpoints to perform administrative tasks after the SafeGuard POA has
been activated. POA users are predefined local accounts that are allowed to pass the
POA. There is no automatic logon to Windows. The users logging on with POA user accounts
log on to Windows with their existing Windows accounts. These users are defined in the Users
area of the SafeGuard Policy Editor (user ID and password) and assigned to the endpoints
by means of POA groups included in Sophos SafeGuard configuration packages.
For further information, see POA users for SafeGuard POA logon (page 56).
12.1 Service account lists for Windows logon
Note: Service accounts are only supported for Windows endpoints protected by Sophos SafeGuard
with SafeGuard Power-on Authentication.
A typical scenario for most implementations is that a rollout team installs new computers in an
environment including the installation of Sophos SafeGuard. For installation or verification reasons,
rollout operators may log on to the respective computer before the end user receives the new
machine and is able to activate the SafeGuard Power-on Authentication.
Thus, the scenario may be as follows:
1. Sophos SafeGuard is installed on an endpoint.
2. After restarting the computer, the rollout operator logs on.
3. The rollout operator is added to the SafeGuard POA and the POA becomes active.
When the end user receives the computer, they will not be able to log on to the SafeGuard POA.
The user needs to perform a Challenge/Response procedure.
To ensure that administrative operations on a Sophos SafeGuard protected endpoint do not lead
to an activation of the SafeGuard Power-on Authentication and the addition of rollout operators
as users to the computer, Sophos SafeGuard allows you to create service account lists for
endpoints. The users included in these lists are treated as Sophos SafeGuard guest users.
With service accounts the scenario is as follows:
1. Sophos SafeGuard is installed on an endpoint.
2. After restarting the computer, a rollout operator included on a service account list logs on
(Windows logon).
3. According to the service account list applied to the endpoint the user is identified as a service
account and is treated as a guest user.
The rollout operator is not added to the SafeGuard POA and the POA does not become active.
The end user can log on and activate the SafeGuard POA.
Note: Service Account Lists should be assigned in the first Sophos SafeGuard configuration
package you create for the configuration of the endpoints. Service account lists can be updated
by creating a new configuration package with changed settings and deploying them to the endpoints
before activation of the SafeGuard POA.
12.1.1 Create service account lists and add users
1. In the navigation area, click Policies.
2. In the policy navigation window, select Service account lists.
3. In the context menu of Service account lists, click New > Service account list.
4. Enter a name for the service account list and click OK.
5. Select the new list under Service account lists in the policy navigation window.
6. Right-click in the action area to open the context menu for the service account list. In the
context menu, select Add.
A new user line is added.
7. Enter the User Name and the Domain Name in the respective columns and press Enter. To
add further users, repeat this step.
8. Save your changes by clicking the Save icon in the toolbar.
The service account list is now registered and can be selected for assignment when creating a
policy.
12.1.1.1 Additional information for entering user and domain names
There are different methods for specifying users in service account lists using the two fields User
Name and Domain Name. Restrictions also apply for valid input in these fields.
Covering different combinations for logging on
The two separate fields User Name and Domain Name per list entry allow you to cover all
available combinations for logging on, for example "[email protected]" or "domain\user".
To handle several user name/domain name combinations, you can use asterisks (*) as wildcards.
An asterisk is allowed as the first character, the last character or the only character.
For example:
■ User Name: Administrator
■ Domain Name: *
This combination specifies all users with the user name "Administrator" who log on to any network
or local machine.
The predefined domain name [LOCALHOST] available in the drop-down list of the Domain Name
field stands for the logon on any local computer.
For example:
■ User Name: "*admin"
■ Domain Name: [LOCALHOST]
This combination specifies all users whose user names end on "admin" and who log on to any
local machine.
Users may log on in different ways, for example:
■ user: test, domain: mycompany or
■ user: test, domain: mycompany.com.
As domain specifications in the service account lists are not automatically resolved, there are
three ways to specify the domain correctly:
■ You know exactly how the user is going to log on and enter the domain accordingly.
■ You create several service account list entries.
■ You use wildcards to cover all the different cases (user: test, domain: mycompany*).
Note: Windows may not use the same character sequence but truncate names. To avoid any
problems caused by this, we recommend that you enter both the fully qualified domain name and
the NetBIOS name, or use wildcards.
Restrictions
Asterisks are only allowed as the first character, the last character or the only character. Following
are examples of valid and invalid strings using asterisks:
■ Valid strings include admin*, *, *strator, *minis*.
■ Invalid strings include **, Admin*trator, Ad*minist*.
The following restrictions also apply:
■ The character ? is not allowed in user logon names.
■ The characters / \ [ ] : ; | = , + * ? < > " are not allowed in domain names.
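The wildcard, [LOCALHOST] and character rules of this section, together with the warning that domain names are not resolved, decide which Windows logons an endpoint will treat as guest (service) accounts. The following model is an added example, not Sophos code: it validates list entries against the documented restrictions and evaluates sample logons against a constructed list, so an administrator can check a list's reach before deploying it. Case-insensitive comparison and the exact handling of local logons are assumptions.

```python
"""Model of the service account list matching rules in this section.

Added example, not Sophos code. Encodes the documented restrictions
(asterisk only as first, last or only character; '?' banned in user names;
the listed characters banned in domain names; [LOCALHOST] as a special
domain token). Case-insensitive comparison and the way a local logon is
represented are assumptions, not taken from the help."""

LOCALHOST = "[LOCALHOST]"
# Characters the help lists as not allowed in domain names; '*' at the
# ends of a value is a wildcard and handled separately.
BAD_DOMAIN_CHARS = set('/\\[]:;|=,+*?<>"')


def _split_wildcards(pattern):
    """Return (leading_star, core, trailing_star) for one list entry value."""
    lead = pattern.startswith("*")
    trail = len(pattern) > 1 and pattern.endswith("*")
    end = len(pattern) - 1 if trail else len(pattern)
    return lead, pattern[(1 if lead else 0):end], trail


def validate_pattern(pattern, field):
    """Raise ValueError if pattern breaks the rules for field ('user' or 'domain')."""
    if pattern == "":
        raise ValueError(f"{field} name must not be empty")
    if pattern == "*":
        return  # the only character: matches everything
    if field == "domain" and pattern == LOCALHOST:
        return  # predefined token: logon to any local computer
    _lead, core, _trail = _split_wildcards(pattern)
    if core == "" or "*" in core:
        # rejects '**', 'Admin*trator' and 'Ad*minist*'
        raise ValueError(f"asterisk only allowed as first, last or only character: {pattern!r}")
    if field == "user" and "?" in core:
        raise ValueError(f"'?' is not allowed in user logon names: {pattern!r}")
    if field == "domain" and BAD_DOMAIN_CHARS & set(core):
        raise ValueError(f"illegal character in domain name: {pattern!r}")


def is_valid_pattern(pattern, field):
    """Boolean form of validate_pattern for quick checks."""
    try:
        validate_pattern(pattern, field)
        return True
    except ValueError:
        return False


def matches(pattern, value):
    """Wildcard comparison of one logon field against one list entry field."""
    if pattern == "*":
        return True
    lead, core, trail = _split_wildcards(pattern)
    value, core = value.casefold(), core.casefold()  # assumption: names are case-insensitive
    if lead and trail:
        return core in value
    if lead:
        return value.endswith(core)
    if trail:
        return value.startswith(core)
    return value == core


def load_list(entries):
    """Validate every (user, domain) pair the way the editor does before saving."""
    for user, domain in entries:
        validate_pattern(user, "user")
        validate_pattern(domain, "domain")
    return list(entries)


def is_service_account(entries, user, domain, is_local=False):
    """True if this Windows logon would be treated as a guest (service) account.

    domain is the string typed at logon and is NOT resolved: 'mycompany' and
    'mycompany.com' are different, exactly as the help warns. is_local marks a
    logon to a local machine account, which only [LOCALHOST] or '*' covers.
    """
    for user_pat, domain_pat in entries:
        if not matches(user_pat, user):
            continue
        if domain_pat == LOCALHOST:
            if is_local:
                return True
        elif matches(domain_pat, domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample list: admins on any machine, '*admin' locally, and a
    # rollout account whose operators type either 'mycompany' or 'mycompany.com'.
    service_list = load_list([
        ("Administrator", "*"),
        ("*admin", LOCALHOST),
        ("rollout", "mycompany*"),
    ])
    for who in [("Administrator", "CORP", False), ("localadmin", "WS01", True),
                ("rollout", "mycompany.com", False), ("alice", "CORP", False)]:
        kind = "service account" if is_service_account(service_list, *who) else "SGN user"
        print(who, "->", kind)
```

The ("Administrator", "*") entry shows why broad wildcards deserve review: every account with that name, on any domain or local machine, bypasses POA activation and is never added to the computer.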
12.1.2 Edit and delete service account lists
As a security officer with the Modify service account lists right, you can edit or delete service
account lists at any time:
■ To edit a service account list, click it in the policy navigation window. The service account list
is opened and you can add, delete or modify user names on the list.
■ To delete a service account list, select it in the policy navigation window, open the context
menu and select Delete.
12.1.3 Assign a service account list with a policy
1. Create a new policy of the type Authentication or select an existing one.
2. Under Logon Options, select the required service account list from the Service Account
List drop-down list.
Note: The default setting is [No List], this means no service account list applies. Rollout
operators logging on to the computer after installation of Sophos SafeGuard are not treated
as guest users and may activate SafeGuard Power-on Authentication and be added to the
computer. To undo the assignment of a service account list, select the option [No List].
3. Save your changes by clicking the Save icon in the toolbar.
You can now deploy the policy to the respective endpoints to make the service accounts available
on the computer.
Note: If you select different service account lists in different policies which are all relevant
according to the RSOP (Resulting Set of Policies, the settings valid for a specific computer/group),
the service account list assigned in the last policy applied overrules all previously assigned service
account lists. Service account lists are not merged.
12.1.4 Transfer the policy to the endpoint
Sophos SafeGuard protected computers receive policies by configuration packages created
through Tools > Configuration Package Tool in the SafeGuard Policy Editor.
The configuration file can be distributed using company software distribution mechanisms or the
configuration package can be installed manually on the endpoints.
Note:
The service account list functionality is especially helpful and important during initial installation
in the rollout phase of an implementation. We therefore recommend that you include an
Authentication policy with the required service account list settings in the policy group transferred
with the first Sophos SafeGuard configuration package.
Note: To change the policy settings for a Sophos SafeGuard protected computer, create a new
configuration package including the changed policies and distribute it to the endpoint.
12.1.5 Log on to an endpoint using a service account
At the first Windows logon after restarting the computer, a user included on a service account list
logs on to the computer as a Sophos SafeGuard guest user. This first Windows logon to the
computer neither triggers a pending SafeGuard Power-on Authentication nor adds the user to the
computer. The Sophos SafeGuard System Tray icon balloon tool tip "Initial user synchronization
completed" is not displayed.
Service account status display on the endpoint
The guest user logon status can also be displayed through the System Tray Icon. For further
information, see the SafeGuard Easy user help, chapter System Tray icon and balloon tool tip
(description of the user state field).
12.1.6 Log events
Actions performed regarding service account lists are reported by the following log events:
SafeGuard Policy Editor
■ Service account list <name> created
■ Service account list <name> modified
■ Service account list <name> deleted
Sophos SafeGuard endpoint
■ Windows user <domain/user name> logged on at <timestamp> to machine <domain/workstation
name> as SGN service account.
■ New service account list <name> imported.
■ Service account list <name> deleted.
12.2 POA users for SafeGuard POA logon
Note: POA users are only supported for Windows endpoints protected by Sophos SafeGuard
with SafeGuard Power-on Authentication.
After Sophos SafeGuard has been installed and the SafeGuard Power-on Authentication (POA)
has been activated, access to endpoints to perform administrative tasks may be required. With
POA users, users (for example, members of the IT team) can log on at the SafeGuard Power-on
Authentication on endpoints for administrative tasks without having to initiate a Challenge/Response
procedure. There is no automatic logon to Windows; users have to log on to Windows with their
existing Windows accounts.
You can create POA users in the SafeGuard Policy Editor, group them into POA groups, and
assign groups to endpoints using Sophos SafeGuard configuration packages. The users included
in the POA group assigned, are added to the SafeGuard POA and can log on using their predefined
user name and password.
12.2.1 Create POA users
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation window under POA, select POA Users.
3. In the context menu of POA Users, click New > Create new user.
The Create new user dialog is displayed.
4. In the Full name field, enter a name (the logon name) for the new POA user.
5. Optionally, enter a description for the new POA user.
6. Enter a password for the new POA user and confirm it.
Note:
To enhance security, the password should adhere to certain minimum complexity requirements,
for example, minimal length of 8 characters, mixture of numerical and alphanumerical characters
etc. If the password you have entered is too short, a warning message is displayed.
7. Click OK.
The new POA user is created and displayed under POA Users in the Users navigation area.
12.2.2 Change the password for a POA user
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation window under POA, POA Users, select the relevant POA user.
3. In the context menu of the POA user, select Properties.
The properties dialog for the POA user is displayed.
4. On the General tab under User Password, enter the new password and confirm it.
5. Click OK.
The new password applies for the relevant POA user.
12.2.3 Delete POA users
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation window under POA, POA Users, select the relevant POA user.
3. Right-click on the POA user and select Delete from the context menu.
The POA user is deleted. It is no longer displayed in the Users navigation window.
Note:
If the user is part of one or several POA groups, the POA user is also removed from all groups.
However, the POA user is still available on the endpoint until a new configuration package has
been created and assigned.
12.2.4 Create POA groups
To assign POA users to endpoints using configuration packages, they must be arranged in groups.
When creating configuration packages, you can select a POA group for assignment.
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation under POA, select POA Groups.
3. In the context menu of POA Groups, click New > Create new group.
The Create new group dialog is displayed.
4. In the Full name field, enter a name for the new POA group.
5. Optionally, enter a description for the new POA group.
6. Click OK.
The new POA group is created. It is displayed under POA Groups in the Users navigation area.
You can now add users to the POA group.
12.2.5 Add users to POA groups
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation window under POA, POA Group, select the relevant POA group.
In the action area of the SafeGuard Policy Editor on the right-hand side, the Members tab is
displayed.
3. In the SafeGuard Policy Editor toolbar, click the Add icon (green plus sign).
The Select member object dialog is displayed.
4. Select the user you want to add to the group.
5. Click OK.
The POA user is added to the group and displayed in the Members tab.
12.2.6 Remove users from POA groups
1. In the navigation area of the SafeGuard Policy Editor, click Users.
2. In the Users navigation window under POA, POA Group, select the relevant POA group.
In the action area of the SafeGuard Policy Editor on the right-hand side, the Members tab is
displayed.
3. Select the user you want to delete from the group.
4. In the SafeGuard Policy Editor toolbar, click the Remove icon (red cross sign).
The user is removed from the group.
12.2.7 Assign POA users to endpoints
1. In the SafeGuard Policy Editor, select Configuration Package Tool from the Tools menu.
2. Select an existing configuration package or create a new one.
For details on creating a new configuration package, see Publish policies to a configuration
package (page 43).
3. Specify a POA Group created beforehand in the Users area of the SafeGuard Policy Editor,
to be applied to the endpoints.
A no list group is available for selection by default. This group can be used to delete a POA
group assignment on endpoints.
4. Specify an output path for the configuration package (MSI).
5. Click Create Configuration Package.
6. Deploy the configuration package (MSI) to the endpoints.
By installing the configuration package, the users included in the group are added to the SafeGuard
POA on the endpoints. The POA users are available for SafeGuard POA logon.
12.2.8 Change POA user assignment on endpoints
1. Create a new POA group or modify an existing one.
2. Create a new configuration package and select the new or modified POA group.
The new POA group is available on the endpoints, all users included are added to the SafeGuard
POA. The new group overwrites the old one. POA groups are not merged.
12.2.9 Delete POA users from endpoints
POA users can be deleted from endpoints by assigning an empty POA group.
1. In the SafeGuard Policy Editor, select the Configuration Package Tool from the Tools menu.
2. Select an existing configuration package or create a new one.
3. Specify an empty POA Group created beforehand in the Users area of the SafeGuard Policy
Editor, or select the no list POA group that is available by default in the Configuration Package
Tool.
4. Specify an output path for the configuration package (MSI).
5. Click Create Configuration Package.
6. Deploy the configuration package to the endpoint computers.
By installing the configuration package, all POA users are removed from the endpoint computers.
This removes all relevant users from the SafeGuard POA.
12.2.10 Log on to an endpoint with a POA user
1. Switch on the computer.
The SafeGuard Power-on Authentication logon dialog is displayed.
2. Enter the User name and the Password of the predefined POA user.
You are not automatically logged on to Windows. The Windows logon dialog is displayed.
3. In the Domain field, select the domain <POA>.
4. Log on to Windows using your existing Windows user account.
13 SafeGuard Power-on Authentication (POA)
Note: This description refers to Windows 7 endpoints with SafeGuard full disk encryption.
Sophos SafeGuard identifies the user even before the operating system starts up. To do this, the
Sophos SafeGuard specific system core starts before this. It is protected against modifications
and is saved, hidden, on the hard disk. Only when the user has been properly authenticated in
the SafeGuard POA, is the actual operating system (Windows) started from the encrypted partition.
The user is logged on automatically to Windows later. The procedure is the same when the
endpoint is switched back on from hibernation (Suspend to Disk).
The Sophos SafeGuard Power-on Authentication offers:
■ A graphical user interface with mouse support and draggable windows, so it is easy to read
and use.
■ A graphical layout that can be adapted to corporate guidelines (background image, logon
image, welcome message, etc.).
■ Support for Windows user accounts and passwords even pre-boot, so there are no separate
credentials which the user has to remember.
■ Support for Unicode and therefore also foreign language passwords and user interfaces.
13.1 Logon delay
On a Sophos SafeGuard protected endpoint, a logon delay applies if a user provides incorrect
credentials during authentication at Windows or at the SafeGuard Power-on Authentication. With
every failed logon attempt the delay is increased. After a failed logon a dialog displays the remaining
delay time.
You can specify the number of logon attempts allowed in a policy of the type Authentication
using the Maximum no. of failed logons option. When the maximum number of failed logon
attempts has been reached, the computer is locked. For unlocking their computer, users have to
initiate a Challenge/Response procedure.
13.2 Configuring the SafeGuard Power-on Authentication
The SafeGuard POA dialog consists of these components:
■ Logon image
■ Dialog text
■ Language of the keyboard layout
You can change the look of the SafeGuard POA dialog to suit your preferences by using policy
settings in the SafeGuard Policy Editor.
13.2.1 Background and logon image
By default the background and logon images that appear in the SafeGuard POA are in SafeGuard
design. However, different images can be shown, for example the company's logo.
Background and logon images are defined in a policy of the type General Settings.
For usage in Sophos SafeGuard, background and logon images must fulfill certain requirements:
Background image
Maximum file size for all background images: 500 KB
Sophos SafeGuard supports two variants for background images:
■ 1024x768 (VESA mode)
Colors: no restrictions
Option in policy type General Settings: Background image in POA
■ 640x480 (VGA mode)
Colors: 16
Option in policy type General Settings: Background image in POA (low resolution)
Logon image
Maximum file size for all logon images: 100 KB
Sophos SafeGuard supports two variants for logon images:
■ 413x140
Colors: no restrictions
Option in policy type General Settings: Logon image in POA
■ 413x140
Colors: 16
Option in policy type General Settings: Logon image in POA (low resolution)
Images, information texts and lists have to be created as files (BMP, PNG, JPG or text files) first
and can then be registered in the navigation window.
13.2.1.1 Register images
1. In the Policies navigation area, right-click Images and select New > Image.
2. Enter a name for the image in the Image name field.
3. Click [...] to select the previously created image.
4. Click OK.
The new image is shown as a subnode of Images in the policy navigation area. If you select the
image, it is displayed in the action area. The image can now be selected when creating policies.
Proceed as described to register further images. All registered images are shown as subnodes.
Note: You can use the Modify Image button to change the picture assigned.
13.2.2 User defined information text in the SafeGuard POA
You can customize the SafeGuard POA to display the following user-defined information texts:
■ Information text to be displayed upon initiating a Challenge/Response procedure for logon
recovery (for example: “Please contact Support Desk on telephone number 01234-56789.”)
You can set an information text by using the option Texts in policy of the type General Settings.
■ Legal notices to be displayed after logging on to the SafeGuard POA
You can set a legal notice text by using the option Display legal notice in policy of the type
Specific Machine Settings.
■ Text for additional information to be displayed after logging on to the SafeGuard POA
You can set an additional information text by using the option Display additional information
in policy of the type Specific Machine Settings.
13.2.2.1 Register information texts
The text files containing the required information have to be created before registering them in
the SafeGuard Policy Editor. The maximum file size for information texts is 50 KB. Sophos
SafeGuard only uses Unicode UTF-16 coded texts. If you do not create the text files in this format,
they will be automatically converted when they are registered. Special characters should therefore
be used with caution in the legal notice text created for the SafeGuard POA, as some of these
characters may not be displayed properly.
To register information texts:
1. In the Policies navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents will be displayed in the window on the right-hand side. The text
item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as
subnodes.
Note: You can use the Modify Text button to add new text to existing text. When you click this
button, a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
13.2.3 Language for SafeGuard POA dialog text
After installation of the Sophos SafeGuard encryption software, the SafeGuard POA dialog text
is displayed in the default language set in Windows' Regions and Language Options on the
endpoint when Sophos SafeGuard was installed.
You can change the language of the SafeGuard POA dialog text after Sophos SafeGuard has
been installed by using one of the two following methods:
■ Change the default language in the Windows Regions and Language Options on the endpoint.
After the user has restarted the computer twice, the new language setting is active in the
SafeGuard POA.
■ Create a policy of the type General Settings, set the language in the field Language used
on client and deploy the policy to the endpoint.
Note: If you define a policy and deploy it to the endpoint, the language set in the policy applies
instead of the language specified by Windows' Regions and Language Options.
13.2.4 Keyboard Layout
Almost every country has its own keyboard layout. The keyboard layout in the SafeGuard POA
is significant when entering user names, passwords, and response codes.
By default, Sophos SafeGuard adopts the keyboard layout in the SafeGuard POA which was set
in Windows' Regional and Language Options for the Windows default user at the time Sophos
SafeGuard was installed. If “German” is the keyboard layout set under Windows, the German
keyboard layout will be used in the SafeGuard POA.
The language of the keyboard layout being used is displayed in the SafeGuard POA, for example
“EN” for English. Apart from the default keyboard layout, the US keyboard layout (English) can
also be used.
There are certain exceptions:
■ The keyboard layout is supported, but the absence of a font (for example for Bulgarian) means
that only special characters are displayed in the User Name field.
■ No specific keyboard layout is available (for example Dominican Republic). In these cases,
the SafeGuard POA falls back on the original keyboard layout. For the Dominican Republic,
this is “Spanish”.
■ When the user name and password consist of characters that are not supported by the chosen
keyboard layout or the fallback layout, the user cannot log on at the SafeGuard POA.
Note: All the unsupported keyboard layouts use the US keyboard layout by default. This also
means that the only characters that are recognized and can be typed in are those which are
supported in the US keyboard layout. So users can only log on to the SafeGuard POA if their user
name and password is composed of characters that are supported by the US keyboard layout or
the respective fallback keyboard of their language.
Virtual keyboard
Sophos SafeGuard provides a virtual keyboard which users can show/hide at the SafeGuard POA
and which allows them to use on-screen keys to enter credentials.
As a security officer, you activate or deactivate the display of the virtual keyboard in a policy of
the type Specific Machine Settings using the Virtual Keyboard in POA option. There is no other way
to enable or disable it; the policy setting is authoritative.
The virtual keyboard supports different layouts and it is possible to change the layout using the
same options as for changing the SafeGuard POA keyboard layout.
13.2.4.1 Change the keyboard layout
The SafeGuard Power-on Authentication keyboard layout, including the virtual keyboard layout,
can be changed retrospectively.
1. Select Start > Control Panel > Regional and Language Options > Advanced.
2. In the Regional Options tab, select the required language.
3. In the Advanced tab, select Apply all settings to the current user account and to the
default user profile under Default user account settings.
4. Click OK.
The SafeGuard POA remembers the keyboard layout used for the last successful logon and
automatically enables it for the next logon. This requires two restarts of the endpoint. If the
remembered keyboard layout is deactivated in Regional and Language Options, it is still used
until the user selects a different one.
Note: You must also change the language for non-Unicode programs to the language of the keyboard
layout.
If the language you want is not available on the computer, Windows may prompt you to install it.
After you have done so, you must restart the computer twice so that the SafeGuard Power-on
Authentication can read in the new keyboard layout and can set it.
You can change the required keyboard layout for the SafeGuard Power-on Authentication using
the mouse or keyboard (Alt+Shift).
To see which languages are installed and available on the system, select Start > Run >
regedit > HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.
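The registry check above can be scripted, and before enrolling a user it is worth checking that the user name and password consist only of characters the fallback keyboard can produce, since the POA silently refuses a logon otherwise. The following PowerShell script is an added example written for this page, not Sophos code: the function names are my own, and the assumption that the US fallback layout covers exactly the printable ASCII range 0x20-0x7E is mine.

```powershell
# Added example, not Sophos code. Lists the keyboard layouts preloaded for the
# default user profile (the ones the SafeGuard POA picks up) and checks a
# credential against the characters the US fallback layout can type.

function Get-DefaultUserKeyboardLayouts {
    # HKEY_USERS\.DEFAULT\Keyboard Layout\Preload holds values named 1, 2, ...
    # whose data is a layout ID such as 00000409 (US) or 00000407 (German).
    $preload = Get-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Preload'
    $preload.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object {
            $id = [string]$_.Value
            # The human-readable name lives in the system-wide layout table.
            $layout = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\$id" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Order      = [int]$_.Name
                LayoutId   = $id
                LayoutText = $layout.'Layout Text'
            }
        }
}

function Test-UsLayoutTypeable {
    # Assumption: the US (English) fallback layout can produce exactly the printable
    # ASCII characters 0x20-0x7E. Anything else (umlauts, Cyrillic, typographic
    # quotes) cannot be entered at the POA when the fallback applies.
    param([Parameter(Mandatory)][string]$Text)
    $offending = @($Text.ToCharArray() | Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E } | Sort-Object -Unique)
    [pscustomobject]@{
        Typeable  = ($offending.Count -eq 0)
        Offending = (($offending | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' ')
    }
}

function Test-CredentialTypeable {
    # Prompts for the password so it never lands in the command history or a log.
    param([Parameter(Mandatory)][string]$UserName)
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    [pscustomobject]@{
        UserName = (Test-UsLayoutTypeable -Text $UserName)
        Password = (Test-UsLayoutTypeable -Text $plain)
    }
}

# Usage:
Get-DefaultUserKeyboardLayouts | Format-Table -AutoSize
Test-UsLayoutTypeable -Text 'Pa$$w0rd'
Test-UsLayoutTypeable -Text 'Paßwort'
Test-CredentialTypeable -UserName 'EMaier'
```

Run it in the context of the default user profile before the two restarts, and again afterwards if the layout list changed; a user whose password contains a character that only exists on a layout the POA does not offer will be locked out at the POA even though the Windows logon would accept it.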
13.3 Supported Hotkeys in SafeGuard Power-on
Authentication
Certain hardware settings and functionalities can lead to problems when starting endpoints,
causing the system to no longer respond. The SafeGuard Power-on Authentication supports a
number of hotkeys for modifying these hardware settings and deactivating functionalities.
Furthermore, grey and black lists covering functions known to cause problems are integrated in
the .msi file installed on the computer.
We recommend that you install an updated version of the SafeGuard POA configuration file before
any significant deployment of Sophos SafeGuard. The file is updated on a monthly basis and
made available to download from http://www.sophos.com/en-us/support/knowledgebase/65700.aspx.
You can customize this file to reflect the hardware of a particular environment.
Note: When you define a customized file, only this will be used instead of the one integrated in
the .msi file. The default file will be applied only when no SafeGuard POA configuration file is
defined or found.
To install the SafeGuard POA configuration file, enter the following command:
MSIEXEC /i <Client MSI package> POACFG=<path of the SafeGuard POA configuration file>
You can help us improve hardware compatibility by executing a tool that we provide to collect
hardware relevant information only. The tool is very easy to use. The collected information is
added to the hardware configuration file.
For further information, see http://www.sophos.com/en-us/support/knowledgebase/110285.aspx.
The following hotkeys are supported in the SafeGuard POA:
■ Shift F3 = USB Legacy Support (off/on)
■ Shift F4 = VESA graphic mode (off/on)
■ Shift F5 = USB 1.x and 2.0 support (off/on)
■ Shift F6 = ATA Controller (off/on)
■ Shift F7 = USB 2.0 support only (off/on); USB 1.x support remains as set by Shift F5.
■ Shift F9 = ACPI/APIC (off/on)
USB hotkeys dependency matrix (the numbers in the Comment column refer to the notes below):

Shift F3   Shift F5   Shift F7   | Legacy   USB 1.x   USB 2.0   | Comment
off        off        off        | on       on        on        | 3.
on         off        off        | off      on        on        | Default
off        on         off        | on       off       off       | 1., 2.
on         on         off        | on       off       off       | 1., 2.
off        off        on         | on       on        off       | 3.
on         off        on         | off      on        off       |
off        on         on         | on       off       off       |
on         on         on         | on       off       off       | 2.
1. Shift F5 disables both USB 1.x and USB 2.0.
Note: Pressing Shift F5 during startup time will considerably reduce the time it takes to launch
the SafeGuard POA. However, please be aware that if the computer uses a USB keyboard or
USB mouse, they might be disabled when you press Shift F5.
2. If no USB support is active, the SafeGuard POA tries to use BIOS SMM instead of backing
up and restoring the USB controller. The Legacy mode may work in this scenario.
3. Legacy support is active, USB is active. The SafeGuard POA tries to back up and restore the
USB controller. The system might hang depending on the BIOS version used.
The settings that the hotkeys change can also be fixed at installation time with a .mst transform
file, applied with the appropriate msiexec call. The transform sets the following properties:

NOVESA
Defines whether VESA or VGA mode is used: 0 = VESA mode (standard); 1 = VGA mode

NOLEGACY
Defines whether Legacy Support is activated after SafeGuard POA logon: 0 = Legacy Support
activated; 1 = Legacy Support not activated (standard)

ALTERNATE
Defines whether USB devices are supported by the SafeGuard POA: 0 = USB support is activated
(standard); 1 = no USB support

NOATA
Defines whether the Int13 device driver is used: 0 = standard ATA device driver (default);
1 = Int13 device driver

ACPIAPIC
Defines whether ACPI/APIC support is used: 0 = no ACPI/APIC support (default); 1 = ACPI/APIC
support active
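The msiexec call, the POACFG option and the five properties above fit naturally into one scripted install, which also gives you a verbose log to read when a POA hangs on particular hardware. The following PowerShell function is an added example written for this page, not Sophos code. The function name, the log location and the file names in the usage lines are placeholders, and passing the hotkey properties directly on the msiexec command line is an assumption: the page documents them as .mst contents, so if the package does not accept them as public properties, supply them in a transform via -TransformPath instead.

```powershell
# Added example, not Sophos code. Wraps the msiexec call from this section so that
# the POA configuration file and the hotkey presets are applied in one reproducible,
# logged install. File names and paths are placeholders.

function Install-SafeGuardClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MsiPath,    # <Client MSI package>
        [string]$PoaConfigPath,                     # customized SafeGuard POA configuration file (POACFG)
        [string]$TransformPath,                     # .mst transform carrying the hotkey presets, if you use one
        [ValidateSet(0, 1)][int]$NoVesa    = 0,     # 1 = VGA mode instead of VESA (Shift F4)
        [ValidateSet(0, 1)][int]$NoLegacy  = 1,     # 1 = Legacy Support off after POA logon (standard; Shift F3)
        [ValidateSet(0, 1)][int]$Alternate = 0,     # 1 = no USB support in the POA (Shift F5)
        [ValidateSet(0, 1)][int]$NoAta     = 0,     # 1 = Int13 driver instead of ATA driver (Shift F6)
        [ValidateSet(0, 1)][int]$AcpiApic  = 0,     # 1 = ACPI/APIC support on (Shift F9)
        [string]$LogPath = (Join-Path $env:TEMP 'SafeGuardClient.log')   # placeholder location
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI package not found: $MsiPath" }

    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")

    if ($PoaConfigPath) {
        # A customized file replaces the one embedded in the .msi. Fail early if it is
        # missing rather than silently falling back to the embedded grey/black lists.
        if (-not (Test-Path -LiteralPath $PoaConfigPath)) { throw "POA configuration file not found: $PoaConfigPath" }
        $msiArgs += "POACFG=`"$PoaConfigPath`""
    }
    if ($TransformPath) {
        if (-not (Test-Path -LiteralPath $TransformPath)) { throw "Transform not found: $TransformPath" }
        $msiArgs += "TRANSFORMS=`"$TransformPath`""
    } else {
        # Assumption: the hotkey properties are accepted as public MSI properties on the
        # command line. The page documents them as .mst contents; if the package rejects
        # them here, put them in a transform and pass -TransformPath instead.
        $msiArgs += "NOVESA=$NoVesa", "NOLEGACY=$NoLegacy", "ALTERNATE=$Alternate", "NOATA=$NoAta", "ACPIAPIC=$AcpiApic"
    }

    Write-Verbose ('msiexec.exe ' + ($msiArgs -join ' '))
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending (the POA needs one anyway)
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }
    $proc.ExitCode
}

# Usage (placeholder paths): install with an updated POA configuration file and USB
# support switched off in the POA, the equivalent of pressing Shift F5 at every boot.
$clientMsi = 'C:\Install\Client.msi'        # placeholder for <Client MSI package>
$poaConfig = 'C:\Install\POAConfig.cfg'     # placeholder for the downloaded POA configuration file
Install-SafeGuardClient -MsiPath $clientMsi -PoaConfigPath $poaConfig -Alternate 1 -Verbose
```

Keep the log: when a machine hangs at the POA after installation, the recorded property values tell you which of the hotkey combinations in the matrix above the endpoint is actually running with, and note 1 above applies just as much to ALTERNATE=1 as to Shift F5: a USB-only keyboard may be dead at the POA.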
13.4 Disabled SafeGuard POA and Lenovo Rescue and
Recovery
If the SafeGuard Power-on Authentication is disabled on the computer, the Rescue and Recovery
authentication should be enabled to protect against access to encrypted files from the Rescue
and Recovery environment.
For details on activating the Rescue and Recovery authentication, refer to the Lenovo Rescue
and Recovery documentation.
14 Default policies
During first-time configuration within SafeGuard Policy Editor, a default policy with pre-defined
encryption and authentication settings is automatically created.
After installation, the default policy with all individual policy items is displayed in the Policies
navigation area of the SafeGuard Policy Editor.
Note:
The default policy can only be created during first-time configuration within the SafeGuard Policy
Editor Configuration Wizard.
The following section lists the default policies available.
For a detailed description of the policy settings, see Policy Settings (page 73).
14.1 Available default policies
Note: For options listed in the following table with the setting not configured, default values
automatically apply. The relevant default values are indicated in brackets.
For a detailed description of the policy settings, see Policy Settings (page 73).
Policy: Default General Settings Policy
Policy type: General Settings
Settings:
  Customization:
    Language used on client: Use OS language settings
  Logon recovery:
    Activate logon recovery after Windows Local Cache corruption: No
  Local Self Help:
    Enable Local Self Help: Yes
    Minimal length of answers: 3
    Users can define their own questions: Yes
  Challenge/Response (C/R):
    Enable logon recovery via C/R: Yes
    Allow automatic logon to Windows: Yes

Policy: Default Authentication Policy
Policy type: Authentication
Settings:
  Access:
    User may only boot from internal hard disk: Yes
  Logon Options:
    Logon mode: User ID/Password
    Display unsuccessful logons for this user: No
    Display last user logon: No
    Disable 'forced logoff' in workstation lock: No
    Active user/domain preselection: Yes
    Pass through to Windows: Let user choose freely
  Failed Logons:
    Maximum no. of failed logons: 16
    Display "Logon failed" messages in POA: Standard
  Lock Options:
    Lock screen after X minutes inactivity: 0
    Lock screen after resume: No

Policy: Default Password Policy
Policy type: Password
Settings:
  Password:
    Min. password length: 4
    Max. password length: 128
    Min. number of letters: 0
    Min. number of digits: 0
    Min. number of special characters: 0
    Case sensitive: No
    Keyboard row forbidden: No
    Keyboard column forbidden: No
    3 or more consecutive characters forbidden: No
    User name as password forbidden: No
    Use forbidden password list: No
  Changes:
    Password change allowed after min. (days): Not configured (Default value 0 applies.)
    Password expires after (days): Not configured (Default value 999 applies.)
    Notify of forced change before (days): Not configured (Default value 10 applies.)
  General:
    Password history length: 0

Policy: Default Device Encryption Policy
Policy type: Device Protection
Encrypt all internal disks.
Media encryption mode: Volume-based
Settings:
  General Settings:
    Algorithm to be used for encryption: AES256
    Key to be used for encryption: Defined machine key
  Volume-based Settings:
    User may add or remove keys to or from encryption: Not configured (Default value No applies.)
    Reaction to unencrypted volumes: Accept all media and encrypt
    User may decrypt volume: No
    Proceed on bad sectors: Yes

Policy: Default Data Exchange Policy
Policy type: Device Protection
Encrypt removable media
Media encryption mode: File-based
Settings:
  General Settings:
    Algorithm to be used for encryption: AES256
    Key to be used for encryption: Any key in user key ring
  File-based Settings:
    Initial encryption of all files: Not configured (Default value Yes applies.)
    User may cancel initial encryption: Not configured (Default value No applies.)
    User is allowed to access unencrypted files: Not configured (Default value Yes applies.)
    User may decrypt files: Not configured (Default value No applies.)
    User may define a media passphrase for devices: Yes
    Copy SG Portable to target: Yes
    User is allowed to decide about encryption: No

Policy: Default Machine Settings Policy
Policy type: Specific Machine Settings
Settings:
  Power-on Authentication (POA):
    Enable Power-on Authentication: Yes
    Forbid guest user: Not configured (Default value No applies.)
  Secure Wake on LAN (WOL):
    Number of autologons: 0
    Windows logon allowed during WOL: No
  Display Options:
    Display machine identification: Workstation name
    Display legal notice: No
    Display additional information: Never
    Enable and show the system tray icon: Yes
    Show overlay icons in Explorer: Yes
    Virtual Keyboard in POA: Yes
  Installation Options:
    Uninstallation allowed: Yes
    Enable Sophos tamper protection: Yes
      Note: This setting only applies to endpoints where Sophos Endpoint Security and Control
      version 9.5 or later is installed.

Policy: Default Logging Policy
Policy type: Logging
Settings:
  Only log errors in the event log, discard others.
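The Default Password Policy above enforces very little: four characters, no composition rules, no forbidden list. The following PowerShell script is an added example written for this page, not Sophos code; it applies the rules named in that policy (the same rule names appear for PINs in section 15.4) to a candidate password so that you can see what a given setting accepts and what a hardened variant rejects. The default values are taken from the table; the matching rules for keyboard-row and keyboard-column sequences and for "3 or more consecutive characters" are my reading of the setting names and are assumptions, not Sophos's implementation, and the US layout used for adjacency is an illustration only.

```powershell
# Added example, not Sophos code. Applies the rules listed in the Default Password
# Policy (and the same-named PIN rules of section 15.4) to a candidate password.
# Rule semantics for keyboard sequences and consecutive characters are assumptions.

$DefaultPasswordPolicy = @{
    MinLength               = 4
    MaxLength               = 128
    MinLetters              = 0
    MinDigits               = 0
    MinSpecial              = 0
    CaseSensitive           = $false   # Yes = case variants of a forbidden entry are rejected too (as the page describes it)
    KeyboardRowForbidden    = $false
    KeyboardColumnForbidden = $false
    ConsecutiveForbidden    = $false   # "3 or more consecutive characters forbidden"
    UserNameForbidden       = $false
    UseForbiddenList        = $false
    ForbiddenList           = @()
}

# US QWERTY rows and columns used to detect runs of adjacent keys (assumption).
$script:KeyRows    = @('1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm')
$script:KeyColumns = @('1qaz', '2wsx', '3edc', '4rfv', '5tgb', '6yhn', '7ujm', '8ik', '9ol', '0p')

function Test-ContainsKeyRun {
    # True if $Text contains $Length adjacent keys of any sequence, in either direction
    # ("qwe" and "ewq"). Two adjacent keys are allowed; three are not.
    param([string]$Text, [string[]]$Sequences, [int]$Length = 3)
    $t = $Text.ToLowerInvariant()
    foreach ($seq in $Sequences) {
        for ($i = 0; $i -le $seq.Length - $Length; $i++) {
            $run = $seq.Substring($i, $Length)
            $reverse = -join $run[($run.Length - 1)..0]
            if ($t.Contains($run) -or $t.Contains($reverse)) { return $true }
        }
    }
    return $false
}

function Test-ConsecutiveChars {
    # Assumption: "3 or more consecutive characters" covers repeats ("aaa") and runs
    # that step through the alphabet or digits in either direction ("abc", "cba", "123").
    param([string]$Text)
    $t = $Text.ToLowerInvariant()
    for ($i = 0; $i -le $t.Length - 3; $i++) {
        $d1 = [int]$t[$i + 1] - [int]$t[$i]
        $d2 = [int]$t[$i + 2] - [int]$t[$i + 1]
        if ($d1 -eq $d2 -and [math]::Abs($d1) -le 1) { return $true }
    }
    return $false
}

function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [hashtable]$Policy = $DefaultPasswordPolicy
    )
    $reasons = @()
    if ($Password.Length -lt $Policy.MinLength) { $reasons += "shorter than $($Policy.MinLength)" }
    if ($Password.Length -gt $Policy.MaxLength) { $reasons += "longer than $($Policy.MaxLength)" }

    $letters = [regex]::Matches($Password, '\p{L}').Count
    $digits  = [regex]::Matches($Password, '\d').Count
    $special = $Password.Length - $letters - $digits
    if ($letters -lt $Policy.MinLetters) { $reasons += "fewer than $($Policy.MinLetters) letters" }
    if ($digits  -lt $Policy.MinDigits)  { $reasons += "fewer than $($Policy.MinDigits) digits" }
    if ($special -lt $Policy.MinSpecial) { $reasons += "fewer than $($Policy.MinSpecial) special characters" }

    if ($Policy.KeyboardRowForbidden    -and (Test-ContainsKeyRun $Password $script:KeyRows))    { $reasons += 'keyboard row sequence' }
    if ($Policy.KeyboardColumnForbidden -and (Test-ContainsKeyRun $Password $script:KeyColumns)) { $reasons += 'keyboard column sequence' }
    if ($Policy.ConsecutiveForbidden    -and (Test-ConsecutiveChars $Password))                  { $reasons += '3 or more consecutive characters' }

    # Following the page: Case sensitive = Yes also rejects case variants of a forbidden entry.
    $cmp = if ($Policy.CaseSensitive) { [StringComparison]::OrdinalIgnoreCase } else { [StringComparison]::Ordinal }
    if ($Policy.UserNameForbidden -and $UserName -and [string]::Equals($Password, $UserName, $cmp)) { $reasons += 'equals user name' }
    if ($Policy.UseForbiddenList) {
        foreach ($entry in $Policy.ForbiddenList) {
            if ([string]::Equals($Password, $entry, $cmp)) { $reasons += 'on forbidden list'; break }
        }
    }
    [pscustomobject]@{ Password = ('*' * $Password.Length); Accepted = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

# With the defaults, anything from 4 to 128 characters passes, "qwer" included.
Test-PasswordAgainstPolicy -Password 'qwer' -UserName 'EMaier'

# A hardened variant of the same policy for comparison.
$Hardened = $DefaultPasswordPolicy.Clone()
$Hardened.MinLength = 12; $Hardened.MinDigits = 1; $Hardened.MinSpecial = 1
$Hardened.KeyboardRowForbidden = $true; $Hardened.ConsecutiveForbidden = $true
$Hardened.UserNameForbidden = $true; $Hardened.CaseSensitive = $true
$Hardened.UseForbiddenList = $true; $Hardened.ForbiddenList = @('board', 'Welcome1')
Test-PasswordAgainstPolicy -Password 'qwerty123456!' -UserName 'EMaier' -Policy $Hardened
Test-PasswordAgainstPolicy -Password 'BOARD' -Policy $Hardened
```

Because the SafeGuard password is the Windows password when pass-through is used, the setting you actually rely on is whichever of the two policies (SafeGuard or Active Directory) is stricter; run the candidate through both before rolling a policy out.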
15 Policy Settings
Sophos SafeGuard policies include all settings needed to implement a company-wide security
policy on endpoints.
Sophos SafeGuard policies can incorporate settings for the following areas (policy types):
■
General Settings
Settings for customization, logon recovery, background images, etc.
■
Authentication
Settings for logon mode, device lock, etc.
■
PIN
Defines requirements for used PINs.
■
Passwords
Defines requirements for user passwords.
■
Passphrases for SafeGuard Data Exchange
Defines the requirements for passphrases. Passphrases are used for secure data exchange
with SafeGuard Data Exchange during key generation.
■
Device Protection
Settings for volume- or file-based encryption (including settings for SafeGuard Data Exchange,
SafeGuard Cloud Storage and SafeGuard Portable): algorithms, keys, the drives on which
data is to be encrypted, and so on.
■
Specific Machine Settings
Settings for SafeGuard Power-on Authentication (activate/deactivate), secure Wake on LAN,
display options, and so on.
■
Logging
Defines events to be logged.
15.1 General settings
Policy setting
Explanation
CUSTOMIZATION
Language used on client
Language in which settings for Sophos SafeGuard are
displayed on an endpoint. You can select a supported
language or the endpoint's operating system language
setting.
LOGON RECOVERY
Activate logon recovery after Windows Local Cache corruption
The Windows Local Cache stores all keys, policies, user certificates and audit files. All data
stored in the local cache is signed and cannot be changed manually. By default, logon recovery
after Windows Local Cache corruption is deactivated: a corrupted cache is restored automatically
from its backup, and no Challenge/Response procedure is required to repair it. If the Windows
Local Cache is to be repaired explicitly using a Challenge/Response procedure, set this field to
Yes.
Local Self Help
Enable Local Self Help
Determines whether users are permitted to log on to their
computers with Local Self Help if they have forgotten their
password. With Local Self Help, users can log on by
answering a specified number of previously defined
questions in the SafeGuard Power-on Authentication.
They can regain access to their computers even if neither
telephone nor internet connection are available.
Note: For the user to be able to use Local Self Help,
automatic logon to Windows must be enabled. Otherwise,
Local Self Help will not work.
Minimal length of answers
Defines minimum character length for Local Self Help
answers.
Welcome text under Windows
In this field, you can specify the individual information text
to be displayed in the first dialog when launching the Local
Self Help Wizard on the endpoint. Before specifying the
text here, it has to be created and registered.
Users can define their own questions
As a security officer you can define the set of questions
to be answered centrally and distribute it to the endpoint
in the policy. However, you can also grant the users the
right to define their own questions. To entitle users to
define their own questions, select Yes.
Challenge / Response (C/R)
Enable Logon Recovery via C/R
Determines whether, for logon recovery, a user is permitted to generate a challenge in the
SafeGuard Power-on Authentication (POA) to regain access to their computer with a
Challenge/Response procedure.
Yes: User is permitted to generate a challenge and
the Challenge button in the SafeGuard POA is active.
In this case, the user can regain access to their
computer with a C/R procedure.
No: User is not permitted to issue a challenge and the
Challenge button in the SafeGuard POA is inactive.
In this case, the user cannot initiate a C/R procedure
to regain access to their computer.
Sophos SafeGuard also offers the logon recovery method
Local Self Help. It can be activated with the policy setting
Enable Local Self Help.
Allow automatic logon to Windows
Allows a user to log on to Windows automatically after
authentication using Challenge/Response.
Yes: User is automatically logged on to Windows.
No: Windows logon screen appears.
Example: A user has forgotten their password. After the Challenge/Response procedure, Sophos
SafeGuard logs the user on at the SafeGuard POA without a Sophos SafeGuard password. With No,
automatic Windows logon is switched off and the Windows logon screen is displayed; the user
cannot log on because they do not know the Sophos SafeGuard password (= Windows password).
With Yes, the user is logged on to Windows automatically and gets past the Windows logon screen.
Information text
Displays information text when a Challenge/Response
procedure is initiated in the SafeGuard POA. For example:
“Please contact Support Desk on telephone number
01234-56789.” Before you specify a text here, you must
create it as a text file in the Policies navigation area under
Texts.
IMAGES
Prerequisite: New images must be registered in the policy
navigation area of the SafeGuard Policy Editor under
Images. The images will only be available after
registration. Supported formats: .BMP, .PNG, .JPEG.
Background image in POA
Background image in POA (low resolution)
Replaces the blue background bitmap of the SafeGuard design with a background of your choice.
Customers might for example use the company logo in the SafeGuard POA and at Windows logon.
Maximum file size for all background bitmaps: 500 KB
Normal:
Resolution: 1024x768 (VESA mode)
Colors: unlimited
Low:
Resolution: 640x480 (VGA mode)
Colors: 16 colors
Logon image in POA
Logon image in POA (low resolution)
Replaces the Sophos SafeGuard bitmap displayed in the
SafeGuard POA logon dialog. For example, the company
logo can be displayed in this dialog.
Normal:
Resolution: 413 x 140 pixels
Colors: unlimited
Low:
Resolution: 413 x 140 pixels
Colors: 16 colors
FILE ENCRYPTION
Trusted Applications
For file-based encryption by SafeGuard Data Exchange,
you can specify applications as trusted to grant them
access to encrypted files. This is for example necessary
to enable antivirus software to scan encrypted files.
Enter the applications you want to define as trusted in the
editor list box of this field. Applications must be entered
as fully qualified paths.
Ignored Applications
For file-based encryption by SafeGuard Data Exchange,
you can specify applications as ignored to exempt them
from transparent file encryption/decryption. For example,
if you define a backup program as an ignored application,
encrypted data backed up by the program remains
encrypted.
Enter the applications you want to define as ignored in
the editor list box of this field. Applications must be
entered as fully qualified paths.
Ignored Devices
For file-based encryption by SafeGuard Data Exchange,
you can exclude entire devices (for example disks) from
file-based encryption.
In the editor list box, select Network to select a predefined
device, or enter the required device names to exclude
specific devices from encryption. For further information,
see Display attached and ignored devices for SafeGuard
Data Exchange configuration (page 117).
Enable persistent encryption
For file-based encryption by SafeGuard Data Exchange,
you can configure persistent encryption. With persistent
encryption, copies of encrypted files will be encrypted,
even when they are saved in a location not covered by
an encryption rule.
This policy setting is activated by default.
User is allowed to set default keys
For file-based encryption by Cloud Storage you can
configure whether the user is allowed to set a default key
for encryption or not. If allowed, the Set default key
command is added to the Windows Explorer context menu
of Cloud Storage synchronization folders. Users can use
the command to specify separate default keys to be used
for encryption for different synchronization folders.
15.2 Authentication
The way users log on to their computer is defined in the policy of the type Authentication.
Policy Setting
Explanation
ACCESS
Users may only boot from internal hard disk
Note: This setting is only supported by endpoints with a Sophos SafeGuard version earlier than
6.1 installed. It was used to enable recovery by allowing the user to start the endpoint from
external media. As of version 6.1 this setting has no effect on endpoints. For the recovery
scenario concerned, you can use recovery with Virtual Clients, see Regaining access to encrypted
data with Challenge/Response (page 149).
Determines whether users may start the computer from the hard drive and/or another medium.
Yes: Users can only boot from the hard disk. The SafeGuard POA does not offer the option to
start the computer with a floppy disk or other external media. No: Users may start the computer
from hard disk, floppy disk or external medium (USB, CD etc.)
LOGON OPTIONS
Logon mode
Determines how users need to authenticate themselves at the
SafeGuard POA.
User ID/Password: Users have to log on with their user name
and password.
Token
The user can only log on to the SafeGuard POA using a token
or smartcard. This process offers a higher level of security. The
user is requested to insert the token at logon. User identity is
verified by token ownership and PIN presentation. After the user
has entered the correct PIN, Sophos SafeGuard automatically
reads the data for user logon.
Note: Once this logon process has been selected, users can
only log on using a previously issued token.
You can combine the settings User ID/Password and Token.
To test whether logon using a token works, first select both
settings. Only deselect the User ID/Password logon mode, if
authentication using the token was successful. In order to switch
between logon modes, allow users to logon once while the two
settings are combined or they might run into a logon deadlock.
You must also combine the two settings, if you want to allow
Local Self Help for token logon.
Fingerprint: Select this setting to enable logon with Lenovo
Fingerprint Reader. Users to whom this policy applies can then
log on with a fingerprint or a user name and password. This
procedure provides the maximum level of security. When logging
on, users swipe their fingers over the fingerprint reader. Upon
successful recognition of the fingerprint, the SafeGuard Power-on
Authentication process reads the user's credentials and logs the
user on to Power-on Authentication. The system then transfers
the credentials to Windows, and the user is logged on to the
computer.
Note: After selecting this logon procedure, the user can log on only
with a pre-enrolled fingerprint or a user name and password.
Logon options using token
Determines the type of token or smartcard to be used at the
endpoint.
Non-cryptographic:
Authentication at the SafeGuard POA and Windows, based on
user credentials. In Sophos SafeGuard only non-cryptographic
tokens can be used.
PIN used for autologon with token
Specify a default PIN to enable the user to automatically log on at the SafeGuard Power-on
Authentication using a token or smartcard. The user is requested to insert the token at logon
and is then passed through the SafeGuard Power-on Authentication. Windows will be started.
Because the user is not prompted for the PIN, possession of the token alone passes the
SafeGuard POA.
PIN rules do not need to be observed.
Note:
This option is only available, if Token has been selected as
Logon mode.
If this option is selected, then Pass through to Windows must
be set to Disable pass-through to Windows.
Display unsuccessful logons for
this user
Displays (setting: Yes) after logon at the SafeGuard POA and
Windows a dialog showing information on the last failed logon (user
name/date/time).
Display last user logon
Displays (setting: Yes) after logon at the SafeGuard POA and Windows a dialog showing information
on the
■ last successful logon (user name/date/time)
■ last user credentials of the logged on user
Disable 'forced logoff' in
workstation lock
Note: This setting only takes effect on endpoints with Windows
XP. Windows XP is no longer supported as of Sophos SafeGuard
6.1. This policy setting is still available in the SafeGuard Policy
Editor to support Sophos SafeGuard 6 clients managed with a 7.0
Policy Editor.
If users wish to exit the endpoint for a short time only, they can click
Block workstation to block the computer for other users and unlock
it with the user password.
No: The user who has locked the computer as well as an
administrator can unlock it. If an administrator unlocks the computer,
the currently logged on user is logged off automatically. Yes:
Changes this behavior. In this case, only the user can unlock the
computer. The administrator cannot unlock it and the user will not
be logged off automatically.
Activate user/domain preselection
Yes: The SafeGuard POA saves the user name and domain of the last logged on user. Users
therefore do not need to enter their user names every time they log on.
No: The SafeGuard POA does not save the user name and the
domain of the last logged on user.
Service Account List
To prevent administrative operations on a Sophos SafeGuard protected endpoint from activating
the Power-on Authentication and adding rollout operators as users to the computer, Sophos
SafeGuard offers service account lists for Sophos SafeGuard endpoints. The users included in
these lists are treated as Sophos SafeGuard guest users.
Before you select a list here you must first create the lists in the Policies navigation area
under Service Account Lists.
Pass through to Windows
Note:
For the user to be able to grant other users access to their computer,
the user has to be permitted to deactivate logon pass-through to
Windows.
Let user choose freely
The user can decide by selecting/deselecting this option in the
SafeGuard POA logon dialog whether automatic logon at
Windows is to be performed.
Enforce pass-through to Windows
The user will always be automatically logged on to Windows.
Disable pass-through to Windows
After the SafeGuard POA logon, the Windows logon dialog will
be displayed. The user has to log on to Windows manually.
BITLOCKER OPTIONS
BitLocker Logon Mode for Boot
Volumes
The following options are available:
TPM: The key for logon is stored on the TPM (Trusted Platform
Module) chip.
TPM + PIN: The key for logon is stored on the TPM chip and a
PIN is also required for logon.
Startup Key: The key for logon is stored on a USB memory
stick.
TPM + Startup Key: The key for logon is stored on the TPM
chip and on a USB memory stick. Both are needed for logon.
Note: To be able to use TPM + PIN, TPM + Startup Key or Startup Key, enable the Group Policy
Require additional authentication at startup either in Active Directory or on computers
locally. In the Local Group Policy Editor (gpedit.msc) the Group Policy can be found here:
Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
To use Startup Key (USB memory stick) you must also activate Allow BitLocker without a
compatible TPM in the same Group Policy.
Note: If the logon mode that is currently active on the system is an allowed fallback logon
mode, the logon mode set here is not enforced.
BitLocker Fallback Logon Mode for Boot Volumes
In case the setting defined as BitLocker Logon Mode for Boot Volumes cannot be applied, Sophos
SafeGuard offers the following alternatives for logon:
Password: The user will be required to enter a password.
Startup Key: The key for logon is stored on a USB memory
stick.
Password or Startup Key: USB memory sticks will be used
only if passwords are not supported on the client operating
system.
Error: An error message will be displayed and the volume will
not be encrypted.
Note: In the case of clients with version 6.1 or earlier the values
Password or USB Memory Stick and Password will be
mapped to Startup Key and Error.
Note: Passwords are only supported on Windows 8 or later.
BitLocker Logon Mode for
Non-Boot Volumes
For non-boot volumes (fixed data drives) the following options are
available:
Auto-Unlock: If the boot volume is encrypted, an external key
is created and stored on the boot volume. The non-boot
volume(s) will then be encrypted automatically. They will be
unlocked automatically using the auto-unlock functionality
provided by BitLocker. Note that auto-unlock works only if the
boot volume is encrypted. Otherwise the fallback mode will be
used.
Password: The user will be prompted to enter a password for
each non-boot volume.
Startup Key: The keys for unlocking the non-boot volumes are
stored on a USB memory stick.
Note: Clients with version 6.1 or earlier ignore this policy setting
and they use the values defined for the logon mode for boot
volumes instead. As the TPM cannot be used for non-boot
volumes, USB memory stick or an error message will be used
in such cases.
Note: Passwords are only supported on Windows 8 or later.
Note: If the logon mode that is currently active on the system
is an allowed fallback logon mode, the logon mode set here is
not enforced.
BitLocker Fallback Logon Mode for Non-Boot Volumes
In case the setting defined as BitLocker Logon Mode for Non-Boot Volumes cannot be applied,
Sophos SafeGuard offers the following alternatives:
Password: The user will be prompted to enter a password for
each non-boot volume.
Startup Key: The keys are stored on a USB memory stick.
Password or Startup Key: Startup Key will be used only if
passwords are not supported on the client operating system.
Note: Clients with version 6.1 or earlier ignore this policy setting.
They instead use the values defined for the fallback logon mode
for boot volumes, but they cannot handle passwords (Startup
Key or error message will be used instead).
Note: Passwords are only supported on Windows 8 or later.
FAILED LOGONS
Maximum no. of failed logons
Determines how many times a user can attempt to log on with an invalid user name or password
before the computer is locked. If the value is 3, for instance, three consecutive incorrect
entries are tolerated and the fourth attempt locks the computer.
Display "Logon failed" messages
in POA
Defines level of detail for messages on failed logons:
Standard: Shows a short description.
Verbose: Displays more detailed information.
TOKEN OPTIONS
Action if token logon status is lost
Defines behavior after removing the token from the computer. Possible actions include:
■ Lock Computer
■ Present PIN dialog
■ No Action
Allow unblocking of token
Determines whether the token may be unblocked at logon.
LOCK OPTIONS
Lock screen after X minutes
inactivity
Determines the time after which an unused desktop is automatically
locked. The default value is 0 minutes, and the desktop will not be
locked if this value is not changed.
Lock screen at token removal
Determines whether the screen is locked if a token is removed
during a session.
Lock screen after resume
Determines whether the screen is locked if the computer is
reactivated from standby mode.
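The BitLocker options above depend on Windows Group Policy that the SafeGuard policy cannot set for you: without Require additional authentication at startup, a TPM + PIN policy silently drops to the fallback mode or to Error. The following PowerShell function is an added example written for this page, not Sophos code. It reads the registry values those Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE and reports what is missing for a chosen BitLocker Logon Mode for Boot Volumes. The function name is mine; the interpretation 0 = Do not allow, 1 = Require, 2 = Allow for the per-protector values is taken from the policy template and is stated as an assumption.

```powershell
# Added example, not Sophos code. Checks on the endpoint whether the Windows BitLocker
# Group Policy permits the BitLocker Logon Mode for Boot Volumes chosen in the
# SafeGuard Authentication policy. Value semantics (0 = Do not allow, 1 = Require,
# 2 = Allow) follow the policy template; absent values mean "not configured".

function Test-BitLockerLogonModePrerequisites {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TPM', 'TPM + PIN', 'Startup Key', 'TPM + Startup Key')]
        [string]$LogonMode
    )
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $findings = @()

    # Everything except plain TPM needs "Require additional authentication at startup" enabled.
    $advancedStartup = ($null -ne $fve -and $fve.UseAdvancedStartup -eq 1)
    if ($LogonMode -ne 'TPM' -and -not $advancedStartup) {
        $findings += 'Enable "Require additional authentication at startup" (UseAdvancedStartup=1)'
    }

    switch ($LogonMode) {
        'TPM + PIN' {
            if ($advancedStartup -and $fve.UseTPMPIN -eq 0) {
                $findings += 'Policy sets "Configure TPM startup PIN" to Do not allow (UseTPMPIN=0)'
            }
        }
        'TPM + Startup Key' {
            if ($advancedStartup -and $fve.UseTPMKey -eq 0) {
                $findings += 'Policy sets "Configure TPM startup key" to Do not allow (UseTPMKey=0)'
            }
        }
        'Startup Key' {
            if (-not ($advancedStartup -and $fve.EnableBDEWithNoTPM -eq 1)) {
                $findings += 'Enable "Allow BitLocker without a compatible TPM" (EnableBDEWithNoTPM=1)'
            }
        }
    }

    if ($LogonMode -like 'TPM*') {
        # Win32_Tpm only exists when Windows sees a TPM; IsEnabled() reflects the firmware state.
        $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
        if (-not $tpm) { $findings += 'No TPM visible to Windows' }
        elseif (-not $tpm.IsEnabled().IsEnabled) { $findings += 'TPM present but not enabled in firmware' }
    }

    [pscustomobject]@{
        LogonMode = $LogonMode
        Ready     = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Usage: run before deploying an Authentication policy that sets TPM + PIN, so the endpoint
# does not end up in the fallback mode (or with "Error") because the GPO is missing.
'TPM', 'TPM + PIN', 'Startup Key', 'TPM + Startup Key' |
    ForEach-Object { Test-BitLockerLogonModePrerequisites -LogonMode $_ } |
    Format-Table -AutoSize
```

Run it as an administrator on a representative endpoint after a gpupdate; a Ready value of False for the mode your policy selects means the note above applies and the machine will use the fallback logon mode instead of the one you think you enforced.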
15.3 Create forbidden PIN lists for use in policies
For policies of the type PIN a list of forbidden PINs can be created to define character sequences
which must not be used in PINs. PINs are used for token logon. For further information, see
Tokens and smartcards (page 133).
Note: In the lists, forbidden PINs are separated by a line break.
The text files containing the required information have to be created before you can register them
in the SafeGuard Policy Editor. The maximum file size for text files is 50 KB. Sophos SafeGuard
only uses Unicode UTF-16 coded texts. If you create the text files in another format, they will be
automatically converted when they are registered.
To register text files:
1. In the policy navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents are displayed in the window on the right-hand side. The text item
can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this
button, a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
15.4 Syntax rules for PINs
In policies of the type PIN, you define settings for token PINs. These settings do not apply to PINs
used for logon at BitLocker encrypted endpoints. For more information on BitLocker PINs see
PIN and passwords (page 107).
PINs can contain numbers, letters and special characters (for example + - ; etc.). However, when
issuing a new PIN, do not use any character entered with the combination ALT + <character>, as this
input mode is not available at SafeGuard Power-on Authentication.
Note: Define PIN rules either in the SafeGuard Policy Editor or in the Active Directory, not both.
Policy Setting
Explanation
Min. PIN length
Specifies the number of characters a PIN must contain
when changed by the user. The required value can be
entered directly or increased/reduced using the arrow
buttons.
Max. PIN length
Specifies the maximum number of characters a PIN may
contain when changed by a user. The required value can
be entered directly or increased/reduced using the arrow
buttons.
Min. number of letters
Min. number of digits
Min. number of special characters
These settings specify the minimum number of characters
from each of the three categories - letters, digits and special
characters - that a PIN must contain. Independently of these
minimums, a PIN must contain characters from at least two
categories (for example, 15flower). These settings only make
sense if the minimum PIN length is greater than 2.
Case sensitive
This setting is only effective with Use forbidden PIN list
and User name as PIN forbidden.
Example 1: You have entered "board" in the list of forbidden
PINs. If the Case sensitive option is set to Yes, additional
PIN variants such as BOARD, BoaRD will not be
accepted and logon will be denied.
Example 2: "EMaier" is entered as a user name. If option
Case sensitive is set to Yes and option User name as PIN
forbidden is set to Yes, user EMaier cannot use any variant
of this user name (for example "emaier" or "eMaiER") as a
PIN.
Keyboard row forbidden
Consecutive key sequences include for example "123" or
"qwe". A maximum of two adjacent characters on the
keyboard is allowed. Consecutive key sequences relate
only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the
keyboard such as "yaq1", "xsw2" or "3edc" (but not "yse4",
"xdr5" or "cft6", which run diagonally). These examples
come from a German QWERTZ layout; on a US QWERTY
keyboard the first column is "1qaz". A maximum of two
adjacent symbols in a single keyboard column is permitted.
If you disallow keyboard columns, combinations like these
are rejected as PINs. Consecutive key sequences relate only
to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activating this option disallows key sequences which are
consecutive series of ASCII code symbols in ascending or
descending order ("abc" or "cba"), and sequences which
consist of three or more identical characters ("aaa" or
"111").
User name as PIN forbidden
Determines whether user name and PIN may be identical.
Yes: Windows user name and PIN must be different.
No: Users may use their Windows user names as PINs.
Use forbidden PIN list
Determines whether certain character sequences must not
be used for PINs. The character sequences are stored in
the list of forbidden PINs (for example .txt file).
List of forbidden PINs
Defines character sequences which must not be used for
PINs. If a user uses a forbidden PIN, an error message will
be displayed.
Prerequisite:
A list (file) of forbidden PINs must be registered in the
SafeGuard Policy Editor in the Policies navigation area
under Texts. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden PINs
In the list, forbidden PINs are separated by a space or line
break.
Wildcard: Wildcard character "*" can represent any character
and any number of characters in a PIN. Therefore *123*
means that any series of characters containing 123 will be
disallowed as a PIN.
Note:
If the list contains only a wildcard, every PIN matches it
and the user will no longer be able to log on to the system
after a forced PIN change.
Users must not be permitted to access the file; it discloses
the sequences that are rejected.
The Use forbidden PIN list option must be activated.
CHANGES
PIN change after min. (days)
Determines the period during which a PIN must not be
changed. This setting prevents the user from changing a
PIN too many times within a specific period.
Example:
User Miller defines a new PIN (for example "13jk56"). The
minimum change interval for this user (or group to which
this user is assigned) is set to five days. After two days the
user wants to change the PIN to "74jk56". The PIN change
is rejected because user Miller may only define a new PIN
after five days have passed.
PIN change after max. (days)
The user has to define a new PIN after the set period has
expired. If the period is set to 999 days, no PIN change is
required.
Notify of forced change before (days)
A warning message is displayed "n" days before PIN expiry
reminding the user to change their PIN in "n" days.
Alternatively, the user may change the PIN immediately.
GENERAL
Hide PIN in POA
Specifies whether the characters entered are hidden when
entering PINs. If enabled, nothing is shown when PINs are
entered in the POA. Otherwise, PINs are shown masked
with asterisks.
PIN history length
Determines when previously used PINs can be reused.
It makes sense to define the history length in conjunction
with the PIN change after max. (days) setting.
Example:
The PIN history length for user Miller is set to 4, and the
number of days after which the user must change their PIN
is 30. Mr. Miller is currently logging on using the PIN
"Informatics". After the 30 day period expires, he is asked
to change his PIN. Mr. Miller types in "Informatics" as the
new PIN and receives an error message that this PIN has
already been used and he needs to select a new PIN. Mr.
Miller cannot use PIN "Informatics" until after the fourth
request to change the PIN (in other words PIN history length
= 4).
15.5 Create forbidden password list for use in policies
For policies of the type Password, a list of forbidden passwords can be created to define character
sequences which must not be used in passwords.
In the lists, forbidden passwords are separated by line breaks.
The text files containing the required information have to be created before registering them in
the SafeGuard Policy Editor. The maximum file size for text files is 50 KB. Sophos SafeGuard
only uses Unicode UTF-16 coded texts. If you create the text files in a different format, they will
be automatically converted when they are registered.
To register text files:
1. In the policy navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents are displayed in the window on the right-hand side. The text item
can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this
button a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
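Sections 15.3 and 15.5 register the same kind of file. The following script is an added example written for this help page, not Sophos tooling: it builds a forbidden-PIN/password list that the Policy Editor can register without conversion. It writes the entries line-break separated as Unicode UTF-16 with a byte-order mark, rejects the file if it exceeds the 50 KB limit, and refuses entries that consist only of the wildcard "*", which would match every PIN or password and lock users out at the next forced change (see the List of forbidden PINs setting in 15.4). The sample entries are constructed; trimming whitespace, dropping blank lines, de-duplicating and the CRLF line break are the example's own assumptions, not documented behaviour.

```python
"""Build and sanity-check a forbidden PIN/password list for registration under
Texts in the SafeGuard Policy Editor. Added example, not Sophos code."""
from pathlib import Path

MAX_BYTES = 50 * 1024        # page: maximum file size 50 KB
ENCODING = "utf-16-le"       # page: Unicode UTF-16; BOM is written explicitly
BOM = "\ufeff"
LINE_BREAK = "\r\n"          # ASSUMPTION: Windows line break; the page only says "line break"


def normalise_entries(raw_lines):
    """Trim, drop blank lines and duplicates, keep order (ASSUMPTION)."""
    seen, out = set(), []
    for line in raw_lines:
        entry = line.strip()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        out.append(entry)
    return out


def lockout_entries(entries):
    """Entries made only of '*' match every secret: the page warns that a list
    containing only a wildcard locks users out after a forced change."""
    return [e for e in entries if e and set(e) == {"*"}]


def encode_list(entries):
    """Line-break separated UTF-16 text with BOM, as the Policy Editor expects."""
    return (BOM + LINE_BREAK.join(entries) + LINE_BREAK).encode(ENCODING)


def build_forbidden_list(raw_lines, path=None):
    """Return (entries, size_in_bytes); write the file if a path is given."""
    entries = normalise_entries(raw_lines)
    bad = lockout_entries(entries)
    if bad:
        raise ValueError(f"wildcard-only entries would forbid every PIN/password: {bad}")
    data = encode_list(entries)
    if len(data) > MAX_BYTES:
        raise ValueError(f"list is {len(data)} bytes, limit is {MAX_BYTES}")
    if path is not None:
        Path(path).write_bytes(data)
    return entries, len(data)


if __name__ == "__main__":
    # Constructed sample input, as it might be pasted from a spreadsheet.
    sample = ["board", " board ", "", "*123*", "Passw0rd", "qwertz"]
    entries, size = build_forbidden_list(sample)
    print(f"{len(entries)} entries, {size} bytes:", entries)
    try:
        build_forbidden_list(sample + ["*"])
    except ValueError as err:
        print("rejected:", err)
```

Register the resulting file as described above; because it is already UTF-16, the conversion message in step 3 does not appear.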
15.6 Syntax rules for passwords
In policies of the type Password, you define rules for passwords used to log on to the system.
These settings do not apply to passwords used for logon at BitLocker encrypted endpoints. For
more information on BitLocker passwords see PIN and passwords (page 107).
Passwords can contain numbers, letters and special characters (for example + - ; etc.). However,
when issuing a new password, do not use any character entered with the combination ALT + <character>,
as this input mode is not available at SafeGuard Power-on Authentication.
Note: The enforcement of password rules and password history can only be guaranteed if the
SGN credential provider is used consistently. Define password rules either in the SafeGuard
Policy Editor or in the Active Directory, not both.
Policy Setting
Explanation
PASSWORD
Min. password length
Specifies the minimum number of characters a password must
contain when changed by the user. The required value
can be entered directly or increased/reduced using the
arrow keys.
Max. password length
Specifies the maximum number of characters a password
may contain when changed by a user. The required value
can be entered directly or increased/reduced using the
arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
These settings specify the minimum number of characters
from each of the three categories - letters, digits and special
characters - that a password must contain. Independently
of these minimums, a password must contain characters
from at least two categories (for example, 15flower). These
settings only make sense if the minimum password length
is greater than 2.
Case sensitive
This setting is only effective with Use forbidden password
list and User name as password forbidden.
Example 1: You have entered "board" in the list of forbidden
passwords. If Case sensitive is set to Yes, additional
password variants such as BOARD, BoaRD will not be
accepted and logon will be denied.
Example 2: "EMaier" is entered as a user name. If option
Case sensitive is set to Yes and option User name as
password forbidden is set to Yes, user EMaier cannot use
any variant of this user name (for example "emaier" or
"eMaiER") as a password.
Keyboard row forbidden
Consecutive key sequences include for example “123” or
“qwe”. A maximum of two adjacent characters on the
keyboard is allowed. Consecutive key sequences relate
only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the
keyboard such as "yaq1", "xsw2" or "3edc" (but not "yse4",
"xdr5" or "cft6", which run diagonally). These examples
come from a German QWERTZ layout; on a US QWERTY
keyboard the first column is "1qaz". A maximum of two
adjacent symbols in a single keyboard column is permitted.
If you disallow keyboard columns, combinations like these
are rejected as passwords. Consecutive key sequences relate
only to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activating this option disallows key sequences which are
consecutive series of ASCII code symbols in ascending or
descending order ("abc" or "cba"), and sequences which
consist of three or more identical characters ("aaa" or
"111").
User name as password forbidden
Determines whether user name and password may be
identical.
Yes: Windows user name and password must be different.
No: Users may use their Windows user names as
passwords.
Use forbidden password list
Determines whether certain character sequences must not
be used for passwords.The character sequences are stored
in the list of forbidden passwords (for example .txt file).
List of forbidden passwords
Defines character sequences which must not be used for
passwords. If a user uses a forbidden password, an error
message will be displayed.
Important prerequisite:
A list (file) of forbidden passwords must be registered in the
SafeGuard Policy Editor in the policies navigation area
under Texts. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden passwords
In the list, forbidden passwords are separated by a line
break. Wildcard: The wildcard character “*” can represent
any character and any number of characters in a password.
Therefore *123* means that any series of characters
containing 123 will be disallowed as a password.
Note: If the list contains only a wildcard, every password
matches it and the user will no longer be able to log on to
the system after a forced password change.
Users must not be permitted to access the file; it discloses
the sequences that are rejected.
Option Use forbidden password list must be activated.
CHANGES
Password change allowed after min. (days)
Determines the period during which a password may not
be changed. This setting prevents the user from changing
a password too many times within a specific period.
Example:
User Miller defines a new password (for example “13jk56”).
The minimum change interval for this user (or group to which
this user is assigned) is set to five days. After two days the
user wants to change the password to “74jk56”. The
password change is rejected because user Miller may only
define a new password after five days have passed.
Password expires after (days)
If the maximum period of validity is activated, the user has
to define a new password after the set period has expired.
Notify of forced change before (days)
A warning message is displayed "n" days before password
expiry reminding the user to change their password in "n"
days. Alternatively, the user may change the password
immediately.
GENERAL
Hide password in POA
Specifies whether the characters entered are hidden when
entering passwords. If enabled, nothing is shown when
passwords are entered in the POA. Otherwise, passwords
are shown masked with asterisks.
Password history length
Determines when previously used passwords can be
reused. It makes sense to define the history length in
conjunction with the Password expires after (days) setting.
Example:
The password history length for user Miller is set to 4, and
the number of days after which the user must change their
password is 30. Mr Miller is currently logging on using the
password “Informatics”. After the 30 day period expires, he
is asked to change his password. Mr Miller types in
“Informatics” as the new password and receives an error
message that this password has already been used and he
needs to select a new password. Mr Miller cannot use
password “Informatics” until after the fourth request to
change the password (in other words password history
length = 4).
Note: If you set the password history length to 0, the user
can set the old password as the new password. This is not
good practice and should be avoided.
15.7 Passphrase rules for SafeGuard Data Exchange
The user must enter a passphrase which is used to generate local keys for secure data exchange
in SafeGuard Data Exchange. In policies of the type Passphrase, you define the relevant
requirements.
For further information on SafeGuard Data Exchange, see SafeGuard Data Exchange (page 115).
For further details of SafeGuard Data Exchange and SafeGuard Portable on the endpoint refer
to the SafeGuard Easy user help, chapter SafeGuard Data Exchange.
Policy Setting
Explanation
Min. passphrase length
Defines the minimum number of characters for the
passphrase from which the key is generated. The required
value can be entered directly or increased/reduced using
the arrow keys.
Max. passphrase length
Defines the maximum number of characters for the
passphrase. The required value can be entered directly or
increased/reduced using the arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
These settings specify the minimum number of characters
from each of the three categories - letters, digits and special
characters - that a passphrase must contain. Independently
of these minimums, a passphrase must contain characters
from at least two categories (for example, 15flower). These
settings only make sense if the minimum passphrase length
is greater than 2.
Case sensitive
This setting is effective when User name as passphrase
forbidden is active.
Example: "EMaier" is entered as a user name. If the option
Case sensitive is set to Yes and User name as
passphrase forbidden is set to Yes, user EMaier cannot
use any variant of this user name (for example emaier or
eMaiER) as a passphrase.
Keyboard row forbidden
Consecutive key sequences include for example “123” or
“qwe”. A maximum of two adjacent characters on the
keyboard is allowed. Consecutive key sequences relate
only to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the
keyboard such as "yaq1", "xsw2" or "3edc" (but not "yse4",
"xdr5" or "cft6", which run diagonally). These examples
come from a German QWERTZ layout; on a US QWERTY
keyboard the first column is "1qaz". A maximum of two
adjacent characters in a single keyboard column is permitted.
If you disallow keyboard columns, these combinations are
rejected for passphrases. Consecutive key sequences relate
only to the alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activating this option disallows key sequences which are
consecutive series of ASCII code symbols in ascending or
descending order ("abc" or "cba"), and sequences which
consist of three or more identical characters ("aaa" or
"111").
User name as passphrase forbidden
Determines whether the user name and passphrase may
be identical.
Yes: Windows user name and passphrase must be different.
No: Users may use their Windows user names as
passphrases.
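The syntax rules in 15.4 (PIN), 15.6 (password) and 15.7 (passphrase) are the same set of checks applied to three different secrets. The checker below is an added example written for this help page, not Sophos code; the endpoint's own implementation is not published, so the edge behaviour marked ASSUMPTION is the example's choice: a German QWERTZ layout for the row/column checks (the layout the page's own examples "yaq1", "xsw2" and "3edc" come from; a QWERTY table is included), key sequences rejected in both directions, "*" in the forbidden list matching any run of characters, an entry without "*" matching the whole secret, and Case sensitive = Yes rejecting case variants as the page's examples describe. The `Rules` class, `check_secret` and the sample secrets are made up for the example.

```python
"""Reference checker for the PIN / password / passphrase syntax rules of
sections 15.4, 15.6 and 15.7. Added example, not Sophos code."""
import re
from dataclasses import dataclass, field

# ASSUMPTION: German QWERTZ layout, where the page's column examples come
# from. Pass QWERTY_ROWS for a US keyboard. Only the alphanumeric block is
# modelled, as the page states.
QWERTZ_ROWS = ("1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm")
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _columns(rows):
    """Keyboard columns built from the rows; row stagger is ignored (ASSUMPTION)."""
    return ["".join(r[i] for r in rows if i < len(r)) for i in range(len(rows[0]))]


def _has_run(secret, lines, n=3):
    """True if n characters of the secret sit adjacent on one keyboard line.
    The page allows at most two adjacent keys; both directions are checked
    (ASSUMPTION: "321" is treated like "123")."""
    s = secret.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if any(chunk in line or chunk[::-1] in line for line in lines):
            return True
    return False


@dataclass
class Rules:
    """One policy of type PIN, Password or Passphrase (hypothetical field names)."""
    min_length: int = 6
    max_length: int = 32
    min_letters: int = 0
    min_digits: int = 0
    min_specials: int = 0
    case_sensitive: bool = True        # Yes on the page: case variants are rejected too
    keyboard_row_forbidden: bool = True
    keyboard_column_forbidden: bool = True
    consecutive_forbidden: bool = True
    username_forbidden: bool = True
    forbidden_list: list = field(default_factory=list)   # registered text item, "*" = wildcard
    history_length: int = 0
    layout: tuple = QWERTZ_ROWS


def _forbidden_match(secret, entry, case_sensitive):
    """'*' stands for any run of characters, so "*123*" becomes ".*123.*" (page);
    an entry without '*' must match the whole secret (ASSUMPTION)."""
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    flags = re.IGNORECASE if case_sensitive else 0
    return re.fullmatch(pattern, secret, flags) is not None


def check_secret(secret, rules, username="", history=()):
    """Return the list of violated rules; an empty list means the secret is accepted."""
    violations = []

    def same(a, b):
        return a.casefold() == b.casefold() if rules.case_sensitive else a == b

    if not rules.min_length <= len(secret) <= rules.max_length:
        violations.append("length")
    letters = sum(c.isalpha() for c in secret)
    digits = sum(c.isdigit() for c in secret)
    specials = len(secret) - letters - digits
    if letters < rules.min_letters or digits < rules.min_digits or specials < rules.min_specials:
        violations.append("category minimum")
    if sum(1 for n in (letters, digits, specials) if n) < 2:
        violations.append("fewer than two categories")
    if rules.keyboard_row_forbidden and _has_run(secret, rules.layout):
        violations.append("keyboard row")
    if rules.keyboard_column_forbidden and _has_run(secret, _columns(rules.layout)):
        violations.append("keyboard column")
    if rules.consecutive_forbidden:
        codes = [ord(c) for c in secret]
        for i in range(len(codes) - 2):
            step1, step2 = codes[i + 1] - codes[i], codes[i + 2] - codes[i + 1]
            if step1 == step2 and step1 in (-1, 0, 1):   # "abc", "cba" or "aaa"
                violations.append("consecutive characters")
                break
    if rules.username_forbidden and username and same(secret, username):
        violations.append("equals user name")
    if any(_forbidden_match(secret, e, rules.case_sensitive) for e in rules.forbidden_list):
        violations.append("forbidden list")
    if rules.history_length and any(same(secret, h) for h in list(history)[-rules.history_length:]):
        violations.append("in history")
    return violations


if __name__ == "__main__":
    # Constructed sample: a policy carrying the page's two forbidden-list entries.
    policy = Rules(min_length=6, max_length=16, forbidden_list=["board", "*123*"])
    for candidate in ("Rain7Drop!", "15flower", "yaq1rest", "BoaRD", "xx123yy"):
        print(candidate, check_secret(candidate, policy, username="EMaier") or "accepted")
```

Running it shows why the rules interact: the page's category example "15flower" satisfies the two-category rule but is rejected by Keyboard row forbidden, because "wer" sits on one row. Use `Rules(layout=QWERTY_ROWS)` for endpoints with US keyboards; the column check is only as good as the layout table, so the enforced layout should match what users actually type on.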
15.8 Device Protection
The core of Sophos SafeGuard is the encryption of data on different data storage devices.
Encryption can be volume- or file-based with different keys and algorithms. In policies of the type
Device Protection, you define the settings for data encryption on different data storage devices.
These policies also include settings for SafeGuard Data Exchange, SafeGuard Cloud Storage
and SafeGuard Portable. For further information on SafeGuard Data Exchange, see SafeGuard
Data Exchange (page 115). For further information on SafeGuard Cloud Storage, see Cloud Storage
(page 120). For further details on SafeGuard Data Exchange, SafeGuard Cloud Storage and
SafeGuard Portable on the endpoint, see the SafeGuard Easy user help.
When creating a policy for device protection, you first have to specify the target for device
protection. Possible targets are:
■ Mass storage (boot volumes/other volumes)
■ Removable media
■ Optical drives
■ Cloud Storage Definitions
For each target, create a separate policy.
Policy Setting
Description
Media encryption mode
Used to protect devices (PCs, notebooks) and all types of
removable media.
The primary objective is to encrypt all data stored on local
or external storage devices. The transparent operating
method enables users to continue to use their usual
applications, for example Microsoft Office.
Transparent encryption means that all encrypted data
(whether in encrypted directories or volumes) is
automatically decrypted in the main memory as soon as it
is opened in a program. A file is automatically re-encrypted
when it is saved.
The following options are available:
No Encryption
Volume-based (= transparent, sector-based encryption)
Ensures that all data is encrypted (incl. boot files,
swapfiles, idle files/hibernation files, temporary files,
directory information etc.) without the user having to
change normal operating procedures or consider
security.
For further information, see Volume-based full disk
encryption (page 104).
File-based (= transparent, file-based encryption, Smart
Media Encryption)
Ensures that all data is encrypted (apart from Boot
Medium and directory information) with the benefit that
even optical media such as CD/DVD can be encrypted
or data can be swapped with external computers on
which SafeGuard is not installed (provided policies
permit).
For further information, see File-based full disk
encryption (page 105).
GENERAL SETTINGS
Algorithm to be used for encryption
Sets the encryption algorithm.
List of all usable algorithms with respective standards:
AES256: 32 bytes (256 bits)
AES128: 16 bytes (128 bits)
Key to be used for encryption
Defines which key is used for encryption. For Sophos
SafeGuard encryption, only an automatically generated
machine key is used for volume-based encryption. For
file-based encryption only local keys created by the user
can be used.
The following option is available:
Defined machine key:
The machine key is used - the user CANNOT select a key.
User is allowed to create a local key
This setting determines whether the user can generate a
local key on their computer or not.
Local keys are generated on the endpoint based on a
passphrase entered by the user. The passphrase
requirements can be set in policies of the type Passphrase.
Note: As only local keys are used for file-based encryption,
the user has to be able to create local keys, if policies for
file-based encryption are to become effective.
Local keys are not backed up and cannot be used for
recovery. Only the defined machine key can be used in this
case.
The default setting of this field allows the user to create
local keys.
VOLUME-BASED SETTINGS
User may add or remove keys to or from encrypted volume
Yes: Sophos SafeGuard users may add/remove keys
to/from a key ring. The dialog is displayed from the context
menu command Properties/Encryption tab.
No: Sophos SafeGuard users may not add additional keys.
Reaction to unencrypted volumes
Defines how Sophos SafeGuard handles unencrypted
media.
The following options are available:
Reject (= the medium is not encrypted)
Accept only blank media and encrypt
Accept all media and encrypt
User may decrypt volume
Allows the Sophos SafeGuard user to decrypt the volume
with a context menu command in Windows Explorer.
Fast initial encryption
Select this setting to enable the fast initial encryption mode
for volume-based encryption. This mode reduces the time
needed for initial encryption on endpoints.
Note: This mode may lead to a less secure state.
For further information, see Fast initial encryption (page
104).
Proceed on bad sectors
Specifies whether encryption should proceed or be stopped
if bad sectors are detected. The default setting is Yes.
FILE-BASED SETTINGS
Initial encryption of all files
Automatically starts initial encryption for a volume after
user logon. The user may need to select a key from the
key ring beforehand.
User may cancel initial encryption
Enables the user to cancel initial encryption.
User is allowed to access unencrypted files
Defines whether a user may access unencrypted data on
a volume.
User may decrypt files
Enables the user to decrypt individual files or whole
directories (with the Windows Explorer extension
<right-click>).
User may define a media passphrase for devices
Enables the user to define a media passphrase on their
computer. The media passphrase makes it possible to
easily access all local keys used on computers without
SafeGuard Data Exchange by using SafeGuard Portable.
Removable media and Cloud Storage only
Copy SG Portable to target
If this option is selected, SafeGuard Portable is copied to
any removable media connected to the endpoint and any
synchronization folder defined in a Cloud Storage Definition
for SafeGuard Cloud Storage as soon as content is written
to the encrypted media or folder.
SafeGuard Portable enables the exchange of encrypted
data with removable media without the recipient having
Sophos SafeGuard installed.
The recipient can decrypt and re-encrypt the encrypted
files using SafeGuard Portable and the corresponding
passphrase. The recipient can re-encrypt files with
SafeGuard Portable or use the original key for encryption.
SafeGuard Portable does not have to be installed or copied
to the recipient's computer but can be used directly from
the removable media.
Plaintext folder
The folder specified here will be created on all removable
media and mass storage devices. Files that are copied to
this folder will always stay plaintext.
User is allowed to decide about encryption
With this policy setting, you can allow the user to decide
about encryption of files on removable media and mass
storage devices:
If you set this option to Yes, a dialog is displayed on
the endpoint when users plug in removable media. In
this dialog, they can decide whether data should be
encrypted. Users have to make this decision every time
they plug in removable media.
If you set this option to Yes, remember user settings,
users can select the option Remember this setting
and do not show this dialog again to have their
choice remembered for the relevant device. In this case,
the dialog will not be displayed for the relevant device
again.
If the user selects No in the dialog displayed on the
endpoint, neither initial nor transparent encryption occurs.
15.9 Specific machine settings - basic settings
Policy Setting
Explanation
POWER-ON AUTHENTICATION (POA)
Enable Power-on Authentication
Defines whether the SafeGuard POA is permanently
switched on or off.
Important:
For security reasons we strongly recommend that you
keep the SafeGuard POA switched on. Deactivating
the SafeGuard POA reduces the system security to
Windows logon security and increases the risk of
unauthorized access to encrypted data.
Secure Wake on LAN (WOL)
With Secure Wake on LAN (WOL) settings you can
prepare endpoints for software rollouts. If the relevant
Wake on LAN settings apply to endpoints, the
necessary parameters (for example SafeGuard POA
deactivation and a time interval for Wake on LAN) are
transferred directly to the endpoints where parameters
are analyzed.
Important: Deactivating the SafeGuard POA - even
for a limited number of boot processes - reduces the
level of security of your system!
For further information on Wake on LAN, see Secure
Wake on LAN (WOL) (page 131).
Number of auto logons
Defines the number of restarts while SafeGuard
Power-on Authentication is switched off for Wake on
LAN.
This setting temporarily overwrites the Enable
Power-on Authentication setting until the automatic
logons reach the preset number. SafeGuard Power-on
Authentication is then reactivated. Example: the
number of automatic logons is set to two, “Enable
Power-on Authentication” is switched on. The
computer starts twice without authentication through
the SafeGuard POA.
For Wake on LAN, we recommend allowing three
more restarts than necessary for your
maintenance operations to overcome any
unforeseen problems.
Allow local Windows logon during WOL
Determines whether local Windows logons are
permitted during Wake on LAN.
Start of time slot for external WOL start
Date and time can be either selected or input for the
start and end of the Wake on LAN (WOL).
End of time slot for external WOL start
Date format: MM/DD/YYYY Time format: HH:MM
The following input combinations are possible:
Defined start and end of WOL.
End of WOL is defined, start is open.
No entries: no time interval has been set for the
endpoint.
For a planned software rollout, you should set the
time frame for the WOL such that the scheduling script
can be started early enough to allow all endpoints
sufficient time for starting.
WOLstart: The starting point for the WOL in the
scheduling script must be within the time interval set
in the policy. If no interval is defined, WOL is not
locally activated on the Sophos SafeGuard endpoint.
WOLstop: This command is carried out irrespective
of the final point set for the WOL.
USER MACHINE ASSIGNMENT (UMA)
Forbid SGN Guest user to logon
Note: This setting only applies to managed
endpoints.
Defines whether guest users can log on to Windows
on the endpoint.
Enable registration of SGN Windows users
Defines whether Sophos SafeGuard Windows users
can be registered on the endpoint. A Sophos
SafeGuard Windows user is not added to the
SafeGuard POA, but has a key ring for accessing
encrypted files, just as an SGN user. If you select this
setting, all users that would otherwise have become
Sophos SafeGuard guest users will become Sophos
SafeGuard Windows users. The users are added to
the UMA as soon as they have logged on to Windows.
Enable manual UMA cleanup for standalone endpoints
Defines whether users may delete Sophos SafeGuard
users and Sophos SafeGuard Windows users from
the User Machine Assignment. If you select Yes, the
command User Machine Assignments is available
from the system tray icon menu on the endpoint. This
command shows a list of users who can log on at the
SafeGuard Power-on Authentication as Sophos
SafeGuard users and at Windows as Sophos
SafeGuard Windows users. In the dialog displayed,
users can be removed from the list. After Sophos
SafeGuard users or Sophos SafeGuard Windows
users have been removed, they can no longer log on
at the SafeGuard Power-on Authentication or at
Windows.
DISPLAY OPTIONS
Display machine identification
Displays either the computer name or a defined text
in the SafeGuard POA title bar.
If the Windows network settings include the computer
name this is automatically incorporated into the basic
settings.
Machine identification text
The text to be displayed in the SafeGuard POA title
bar.
If you have selected Defined name in the Display
machine identification field, you can enter the text
in this input field.
Display legal notice
Displays a text box with configurable content which
is displayed before authentication in the SafeGuard
POA. In some countries a text box with certain content
must be displayed by law.
The box needs to be confirmed by the user before
the system continues.
Before specifying a text, the text has to be registered
as a text item under Texts in the policy navigation
area.
Legal notice text
The text to be displayed as a legal notice.
In this field, you can select a text item registered under
Texts in the policy navigation area.
Display additional information
Displays a text box with a configurable content which
appears after the legal notice (if activated).
You can define whether the additional information is
to be displayed
Never
Every system start
Every logon
Additional information text
The text to be displayed as additional information.
In this field, you can select a text item registered under
Texts in the policy navigation area.
Show for (sec.)
Defines how long (in seconds) the additional information
is displayed before the text box closes automatically.
The user can close the text box at any time by clicking
OK.
Enable and show the system tray icon
Through the Sophos SafeGuard System Tray Icon
the user can access all user functions quickly and
easily on their computer. In addition, information about
the Sophos SafeGuard status (new policies received
etc.) can be displayed in balloon tool tips.
Yes:
The system tray icon is displayed in the information
area of the taskbar and the user is continually
informed in the balloon tool tips about the status of
Sophos SafeGuard.
No: The system tray icon is not displayed. No status
information for the user via the balloon tool tips.
Silent:
The system tray icon is displayed in the information
area of the taskbar but there is no status information
for the user in the balloon tool tips.
Show overlay icons in Explorer
Defines whether Windows key symbols will be shown
to indicate the encryption status of volumes, devices,
folders and files.
Virtual Keyboard in POA
Defines whether a virtual keyboard can be shown on
request in the SafeGuard POA dialog for entering the
password.
INSTALLATION OPTIONS
Uninstallation allowed
Determines whether uninstallation of Sophos
SafeGuard is allowed on the endpoints. When
Uninstallation allowed is set to No, Sophos
SafeGuard cannot be uninstalled, even by a user with
administrator rights, while this setting is active within
a policy.
Enable Sophos tamper protection
Activates/deactivates Sophos Tamper Protection. If
you have allowed uninstallation of Sophos SafeGuard
in the policy setting Uninstallation allowed, you can
set this policy setting to Yes, to ensure that
uninstallation attempts are checked by Sophos
Tamper Protection to prevent casual removal of the
software.
If Sophos Tamper Protection does not allow
uninstallation, any uninstallation attempts will be
canceled.
If Enable Sophos tamper protection is set to No,
uninstallation of Sophos SafeGuard will not be
checked or prevented by Sophos Tamper Protection.
Note: This setting only applies to endpoints where
Sophos Endpoint Security and Control version 9.5 or
later is installed.
CREDENTIAL PROVIDER SETTINGS
Credential provider wrapping
You can configure Sophos SafeGuard to use a
different Credential Provider than the Windows
Credential Provider. Templates for supported
Credential Providers can be downloaded from
Sophos.com. To get a list of templates for tested
Credential Providers and the location to download
please contact your Sophos support.
You can import a template and deploy it to endpoints
by using the Credential Provider policy setting. To
do so, click Import template and browse for the
template file. The imported template and its content
is displayed in the Credential provider multiline field
and set as policy.
To remove a template, click Clear template.
Note: Do not edit the template files provided. If the
XML structure of these files is changed, the settings
may not be recognized on the endpoint and the default
Windows Credential Provider may be used instead.
TOKEN SUPPORT SETTINGS
Token middleware module name
Registers the PKCS#11 Module of a token.
The following options are available:
ActiveIdentity ActivClient
ActiveIdentity ActivClient (PIV)
AET SafeSign Identity Client
Aladdin eToken PKI Client
a.sign Client
ATOS CardOS API
Charismatics Smart Security Interface
Estonian ID-Card
Gemalto Access Client
Gemalto Classic Client
Gemalto .NET Card
IT Solution trustware CSP+
Módulo PKCS#11 TC-FNMT
Nexus Personal
RSA Authentication Client 2.x
RSA Smart Card Middleware 3.x
Siemens CardOS API
T-Systems NetKey 3.0
Unizeto proCertum
Custom PKCS#11 settings...
If you select Custom PKCS#11 settings..., the
Custom PKCS#11 settings are enabled.
You can then enter the module names to be used:
PKCS#11 module for Windows
PKCS#11 module for SafeGuard Power-on
Authentication
Note: If you install Nexus Personal or Gemalto .NET
Card middleware, you also need to add their
installation path to the PATH environment variable of
your computer's System Properties.
Default installation path for Gemalto .NET Card:
C:\Program Files\Gemalto\PKCS11 for .NET V2 smart cards
Default installation path for Nexus Personal:
C:\Program Files\Personal\bin
Licenses
Note that the use of the respective middleware for the
standard operating system requires a license
agreement with the relevant manufacturer. For
information on where to obtain the licenses from, see
How to obtain the necessary middleware licenses for
the operating system, as required by SafeGuard
Device Encryption.
For Siemens licenses, contact
Atos IT Solutions and Services GmbH
Otto-Hahn-Ring 6
D-81739 Muenchen
Germany
Services to wait for
This setting is used for problem solving with specific
tokens. Our Support team will provide corresponding
settings as required.
15.10 Logging
Events for Sophos SafeGuard are logged in the Windows Event Viewer. To specify the events to
be logged in the Windows Event Viewer, create a policy of the type Logging and select the
required events by clicking on them.
Many different events from different categories (for example Authentication, Encryption, etc.) are
available for selection. We recommend that you define a strategy for logging, and determine the
events necessary according to reporting and auditing requirements.
16 Disk encryption
This version of Sophos SafeGuard supports Windows 7 and Windows 8 on endpoints with BIOS
or UEFI.
■ For BIOS platforms you can choose between Sophos SafeGuard full disk encryption and
BitLocker encryption managed by Sophos SafeGuard. The BIOS version comes with the
BitLocker-native recovery mechanism.
Note: If Sophos SafeGuard Power-on Authentication or Sophos SafeGuard full disk encryption
is mentioned in this manual, it refers to Windows 7 BIOS endpoints only.
■ For UEFI platforms, use BitLocker managed by Sophos SafeGuard for disk encryption. For
these endpoints Sophos SafeGuard offers enhanced Challenge/Response capabilities. For
details on the supported UEFI versions and restrictions to SafeGuard BitLocker
Challenge/Response support, please see the Release Notes at
http://downloads.sophos.com/readmes/readsgeasy_7_eng.html.
Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
The table shows which components are available on each platform (a dash means the
component is not available there).

Platform          SafeGuard FDE   SafeGuard POA    BitLocker PBA         SafeGuard C/R
                  with POA        with C/R         managed by            recovery for
                                  recovery         SafeGuard             BitLocker PBA
Windows 7 BIOS    YES             YES              YES                   -
Windows 7 UEFI    -               -                YES                   YES
Windows 8 BIOS    -               -                YES                   -
Windows 8 UEFI    -               -                YES                   YES

Column key:
SafeGuard FDE with POA: SafeGuard disk encryption with SafeGuard Power-on Authentication (POA)
SafeGuard POA with C/R recovery: SafeGuard Power-on Authentication (POA) with C/R Recovery
BitLocker PBA managed by SafeGuard: BitLocker with pre-boot authentication (PBA) managed by SafeGuard
SafeGuard C/R recovery for BitLocker PBA: SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA)
16.1 SafeGuard full disk encryption
The core of Sophos SafeGuard is the encryption of data on different data storage devices. Full
disk encryption can be volume- or file-based with different keys and algorithms.
Files are encrypted transparently. When users open, edit and save files, they are not prompted
for encryption or decryption.
You can specify settings for full disk encryption in a security policy of the type Device Protection.
For further information, see Working with policies (page 39) and Device Protection (page 92).
Note: The full disk encryption functionality described in the following sections can only be used
with Windows 7 BIOS-based systems. If you use other systems such as UEFI or Windows 8,
make use of the integrated Windows BitLocker Drive Encryption functionality. For more information
refer to BitLocker Drive Encryption (page 106).
16.1.1 Volume-based full disk encryption
With volume-based full disk encryption, all data on a volume (including boot files, pagefiles,
hibernation files, temporary files, directory information etc.) are encrypted. Users do not have to
change normal operating procedures or consider security.
Note:
■ Volume-based encryption/decryption is not supported for volumes without a drive letter assigned.
■ For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoints
without a drive letter assigned. This system partition cannot be encrypted by Sophos SafeGuard.
■ If an encryption policy exists for a volume or a volume type and encryption of the volume fails,
the user is not allowed to access it.
■ Endpoints can be shut down and restarted during encryption/decryption.
■ If decryption is followed by an uninstallation, we recommend that the endpoint is not suspended
or hibernated during decryption.
■ If after volume encryption a new policy is applied to an endpoint that allows decryption, the
following applies: After a complete volume-based encryption, the endpoint must be restarted
at least once before decryption can be started.
Note: In contrast to SafeGuard BitLocker Drive Encryption, SafeGuard volume-based encryption does
not support GUID partition table (GPT) disks. Installation will be aborted if such a disk is found.
If a GPT disk is added to the system later, volumes on the disk will get encrypted. Please be
aware that the SafeGuard recovery tools - such as BE_Restore.exe and recoverkeys.exe - cannot
handle such volumes, and Sophos strongly recommends that GPT disks are not encrypted. To
decrypt volumes that were accidentally encrypted, please change your SGN policies accordingly
and have the user decrypt them.
16.1.1.1 Fast initial encryption
Sophos SafeGuard offers fast initial encryption as a special mode for volume-based encryption.
It reduces the time needed for initial encryption (or final decryption) of volumes on endpoints by
accessing only disk space that is actually in use.
For fast initial encryption, the following prerequisites apply:
■ Fast initial encryption only works on NTFS-formatted volumes.
■ NTFS-formatted volumes with a cluster size of 64 KB cannot be encrypted with the fast initial
encryption mode.
Note: This mode leads to a less secure state if a disk has been employed before its current
usage with Sophos SafeGuard. Unused sectors may still contain data. Fast initial encryption is
therefore disabled by default.
To enable fast initial encryption, select the volume-based setting Fast initial encryption in a
policy of the type Device Protection, see Device Protection (page 92).
Note: For volume decryption, the fast initial encryption mode will always be used, regardless of
the specified policy setting. For decryption, the prerequisites listed also apply.
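The following script is an added example and is not part of the Sophos manual or the product. It lists the local volumes of a Windows 7 endpoint and reports, per volume, whether the two prerequisites above (NTFS, cluster size other than 64 KB) are met, and flags volumes without a drive letter, which volume-based encryption does not support at all. It relies only on the Win32_Volume WMI class, whose BlockSize property is the cluster (allocation unit) size in bytes; the verdict strings are the author's own wording.

```powershell
# Added example, not part of the Sophos manual: report which local volumes meet the
# fast initial encryption prerequisites (NTFS, cluster size other than 64 KB) and
# which have no drive letter (volume-based encryption is not supported there).
# Uses the Win32_Volume WMI class, available on Windows 7; BlockSize is the cluster
# (allocation unit) size in bytes. Run from an elevated PowerShell prompt.
$volumes = Get-WmiObject -Class Win32_Volume -Filter "DriveType = 3"

foreach ($v in $volumes) {
    $letter    = if ($v.DriveLetter) { $v.DriveLetter } else { "(no letter)" }
    $clusterKB = if ($v.BlockSize)   { [int]($v.BlockSize / 1KB) } else { 0 }

    if (-not $v.DriveLetter) {
        # e.g. the Windows 7 system partition, see 16.1.1.2
        $verdict = "volume-based encryption not supported: no drive letter assigned"
    } elseif (-not $v.FileSystem) {
        $verdict = "no file system reported for this volume"
    } elseif ($v.FileSystem -ne "NTFS") {
        $verdict = "fast initial encryption not available: file system is $($v.FileSystem)"
    } elseif ($clusterKB -eq 64) {
        $verdict = "fast initial encryption not available: 64 KB cluster size"
    } else {
        $verdict = "eligible for fast initial encryption"
    }

    "{0,-12} {1,-6} {2,3} KB clusters  {3}" -f $letter, $v.FileSystem, $clusterKB, $verdict
}
```

The script only reports; it does not change the policy. Keep in mind the security note above: a volume reported as eligible may still carry data from earlier use in its unused sectors, which fast initial encryption leaves unencrypted, so eligibility here is a technical check, not a recommendation to enable the mode.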
16.1.1.2 Volume-based encryption and Windows 7 system partition
For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoints
without a drive letter assigned. This system partition cannot be encrypted by Sophos SafeGuard.
16.1.1.3 Volume-based encryption and Unidentified File System Objects
Unidentified File System Objects are volumes that cannot be clearly identified as plaintext or
device-encrypted by Sophos SafeGuard. If an encryption policy exists for an Unidentified File
System Object, access to this volume will be denied. If no encryption policy exists, the user can
access the volume.
Note: If an encryption policy with Key to be used for encryption set to an option that enables
key selection (for example, Any key in user key ring) exists for an Unidentified File System
Object volume, there is a period of time between the key selection dialog being displayed and
access being denied. During this time period the volume can be accessed. As long as the key
selection dialog is not confirmed, the volume is accessible. To avoid this, specify a preselected
key for encryption. For further information on the relevant policy settings, see Device Protection
(page 92). This period of time also occurs for Unidentified File System Object volumes connected
to an endpoint, if the user has already opened files on the volume when an encryption policy takes
effect. In this case, it cannot be guaranteed that access to the volume will be denied as this could
lead to data loss.
16.1.1.4 Encryption of volumes with enabled Autorun functionality
If you apply an encryption policy to volumes for which Autorun is enabled, the following can occur:
■ The volume is not encrypted.
■ If the volume is an Unidentified File System Object, access is not denied.
16.1.2 File-based full disk encryption
File-based full disk encryption ensures that all data is encrypted, apart from the boot medium and
directory information. With file-based encryption, even optical media such as CD/DVD can be
encrypted. Also, data can be exchanged with external computers on which Sophos SafeGuard
is not installed, if policies permit.
Note: Data encrypted using “file-based encryption” cannot be compressed. Nor can compressed
data be file-based encrypted.
Note: Boot volumes are never file-based encrypted. They are automatically exempted from
file-based encryption, even if a corresponding rule is defined.
To apply file-based encryption to endpoints, create a policy of the type Device Protection and
set the Media encryption mode to File-based. For further information, see Device Protection
(page 92).
16.1.2.1 Default behavior when saving files
Since applications behave differently when saving files, Sophos SafeGuard offers two ways of
handling encrypted files that have been modified.
If a file is encrypted with a different key than the default key of the volume and you edit the file
and save it, you may expect the original encryption key to be preserved, since you are editing a
file, not creating a new one. But many applications save files by performing a combination of save,
delete, and rename operations (for example Microsoft Office). If they do so, the default Sophos
SafeGuard setting is to use the default key for this encryption task and therefore change the key
used for encryption.
If you want to change this behavior and preserve the key used for encryption in any case, you
can modify a registry key on the endpoint computer.
To always use the same key as before when saving modified files:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000001
To allow the use of a different key (the default key) when saving modified files (this is the
default setting after installation):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000000
Note: Changes to this setting require a restart of the endpoint to take effect.
16.2 BitLocker Drive Encryption
BitLocker Drive Encryption is a full disk encryption feature with pre-boot authentication included
with Microsoft's Windows operating systems. It is designed to protect data by providing encryption
for boot and data volumes. For Windows 8 and later, only BitLocker Drive Encryption (not
SafeGuard full disk encryption) can be used for full disk encryption.
Sophos SafeGuard can manage BitLocker encryption on a computer. BitLocker encryption can
be activated and the management of volumes already encrypted with BitLocker can be taken
over.
During installation on the endpoint and the first reboot, Sophos SafeGuard determines whether
the hardware meets the requirements for BitLocker with SafeGuard Challenge/Response. If not,
Sophos SafeGuard BitLocker management is run without Challenge/Response. In this case the
BitLocker recovery key can be retrieved using the SafeGuard Policy Editor.
16.2.1 Authentication with BitLocker Drive Encryption
BitLocker Drive Encryption offers a range of authentication options, for boot volumes as well as
for non-boot volumes.
The security officer can set the various logon modes in a policy in the SafeGuard Policy Editor
and distribute it to the BitLocker endpoints.
The following logon modes exist for Sophos SafeGuard BitLocker users:
■ TPM (boot volumes only)
■ TPM + PIN (boot volumes only)
■ TPM + Startup Key (boot volumes only)
■ Password (without TPM)
■ Startup Key (without TPM)
■ Auto-Unlock (non-boot volumes only)
For more information on setting logon modes in a policy, please see Authentication (page 77).
16.2.1.1 Trusted Platform Module (TPM)
TPM is a smartcard-like module on the motherboard performing cryptographic functions and digital
signature operations. It can create, store and manage user keys. It is protected against attacks.
16.2.1.2 PIN and passwords
Requirements for BitLocker PINs and passwords are defined by Windows Group Policies, not by
Sophos SafeGuard settings.
The relevant settings for passwords can be found in the Local Group Policy Editor (gpedit.msc):
Local Computer Policy - Computer Configuration - Administrative Templates - Windows
Components - BitLocker Drive Encryption - Operating System Drives - Configure use of
passwords for operating system drives and
Local Computer Policy - Computer Configuration - Administrative Templates - Windows
Components - BitLocker Drive Encryption - Fixed Data Drives - Configure use of passwords
for fixed data drives.
The settings can also be applied via Active Directory.
PINs usually consist of numbers only, but it is possible to allow the use of all keyboard characters
(numbers, letters as well as special characters/symbols). The setting to allow these enhanced
PINs can be found in the Local Group Policy Editor (gpedit.msc) at Local Computer Policy -
Computer Configuration - Administrative Templates - Windows Components - BitLocker
Drive Encryption - Operating System Drives:
If "Allow enhanced PINs for startup" is set to "enabled", enhanced PINs are allowed.
If "Allow enhanced PINs for startup" is set to "not configured", Sophos SafeGuard will allow
enhanced PINs.
If "Allow enhanced PINs for startup" is set to "disabled", enhanced PINs are not allowed.
Note: BitLocker supports the EN-US keyboard layout only. Therefore users might have problems
when entering enhanced PINs or complex passwords. Unless they changed their keyboard layout
to EN-US before they specified their new BitLocker PIN or password, users may need to press
a different key from the one shown on their keyboard in order to enter the character they want.
Therefore, before encrypting the boot volume, a reboot is performed to ensure that the user can
enter the PIN or password correctly at boot time.
16.2.1.3 Startup Key
The external keys can be stored on an unprotected USB stick.
16.2.2 Best practice: Policy settings and user experience
The security officer configures encryption policies for the volumes to be encrypted as well as an
authentication policy. The TPM should be used whenever possible, but even without a TPM the
boot volume should be encrypted. User interaction should be kept to a minimum.
According to these requirements, the security officer chooses the following authentication settings
(these are also the default settings):
■ BitLocker Logon Mode for Boot Volumes: TPM + PIN
■ BitLocker Fallback Logon Mode for Boot Volumes: Password or Startup Key
■ BitLocker Logon Mode for Non-Boot Volumes: Auto-Unlock
■ BitLocker Fallback Logon Mode for Non-Boot Volumes: Password or Startup Key
The security officer creates a device protection policy with the target Internal Storage and sets
the encryption mode to Volume-based. Afterwards both policies are applied to the endpoints to
be encrypted.
For the users the following scenarios exist. They apply to SafeGuard Enterprise as well as to
Sophos SafeGuard. The only difference is that with Sophos SafeGuard the user might be asked
for a storage location for the recovery keys if the storage location (for example a network path)
has not already been specified in the client configuration package. Then the user experience is
as follows:
Case 1: A user logs on to an endpoint with a TPM.
1. The user is asked to enter a PIN for the boot volume (for example drive C:).
2. The user enters the PIN and clicks Save and Restart.
3. The system tests the hardware and checks whether the user can enter the PIN correctly. It
reboots and asks the user to enter the PIN.
■ If the user enters the PIN correctly, the endpoint starts.
■ If the user does not enter the PIN correctly (for example because of a wrong keyboard
layout), the user can press the Esc key in the BitLocker pre-boot environment to cancel the
test and the endpoint starts.
■ If there is any problem with the hardware (for example if the TPM is not working), the test
aborts and the endpoint starts.
4. The user logs on again.
5. If the hardware test was passed successfully (the user could enter the PIN correctly and there
was no problem with the TPM), the encryption of the boot volume starts. Otherwise (if the test
failed), an error is shown and the volume is not encrypted. If the test failed because the user
pressed Esc in the pre-boot environment, the user is asked to enter a PIN again and to do a
restart (as in step 2; steps 3, 4, 5 will be repeated).
6. When the encryption of the boot volume starts, the encryption of the data volumes starts as
well, without requiring any user interaction.
Case 2: A user logs on to a Windows 8 endpoint without a TPM.
1. The user is asked to enter a password for the boot volume.
2. The user enters the password and clicks Save and Restart.
3. The system reboots, tests the hardware and the user logs on again as in the case above
(exactly as in steps 3 to 6 of case 1, but the references to the TPM are not relevant, and a
password is required rather than a PIN.)
4. The encryption of the boot volume starts.
5. The encryption of the data volumes starts as well, without requiring any user interaction.
Case 3: A user logs on to a Windows 7 endpoint without a TPM.
1. The user is asked to save the encryption key for the boot volume to a USB memory stick.
2. The user attaches a USB memory stick and presses Save and Restart.
3. The system reboots, performs the hardware test and the user logs on again. (Same procedure
as in the previous cases, but the user has to provide the USB memory stick at boot time. An
additional hardware error could be that the USB memory stick cannot be read from the BitLocker
pre-boot environment.)
4. The encryption of the boot volume starts.
5. The encryption of the data volumes starts as well, without requiring any user interaction.
Case 4: The security officer changes the policy setting BitLocker Fallback Logon Mode for
Boot Volumes to Password. A user logs on to a Windows 7 endpoint without a TPM.
1. Since the endpoint has no TPM and Windows 7 does not allow passwords for boot volumes,
the boot volume will not be encrypted.
2. For each non-boot volume, the user is asked to store the external key on a USB memory stick.
Encryption of the respective volume starts when the user clicks Save.
3. When the user reboots the endpoint, the USB key has to be plugged in to be able to unlock
the non-boot volumes.
16.2.3 Prerequisites for managing BitLocker on endpoints
■ To be able to use the logon methods TPM + PIN, TPM + Startup Key, Startup Key or Password,
enable the Group Policy Require additional authentication at startup either in Active Directory
or on computers locally. In the Local Group Policy Editor (gpedit.msc) the Group Policy can
be found here:
Local Computer Policy\Computer Configuration\Administrative Templates\Windows
Components\BitLocker Drive Encryption\Operating System Drive.
To use Startup Key, you must activate Allow BitLocker without a compatible TPM in the
Group Policy.
■ To use TPM + PIN on tablets, you must also activate the Group Policy Enable use of BitLocker
authentication requiring preboot keyboard input on slates.
Note: These Group Policies are enabled automatically at installation on the endpoint. Make
sure that the settings are not overwritten by different Group Policies.
■ A BitLocker device protection policy which triggers the configuration of a TPM-based
authentication mechanism (i.e., "TPM-only", "TPM + PIN", "TPM + Startup Key") will
automatically initiate TPM activation. The user is informed that the TPM needs to be activated
and is (optionally) told if the system needs to be rebooted or shut down, depending on the
TPM in use.
Note: The system state can be checked with the command line tool SGNState (administrative
rights necessary). For details see the SafeGuard Easy Tools guide. Volume info: indicates
whether the endpoint is prepared appropriately for BitLocker encryption or not. In some cases
the Windows BitLocker Drive Preparation Tool must be executed.
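Because the note above warns that other Group Policies may overwrite the settings SafeGuard enables at installation, an administrator will want a quick way to see how the BitLocker policies named in this section and in 16.2.1.2 (enhanced PINs, passwords for operating system and fixed data drives) are actually set on an endpoint. The script below is an added example, not part of the Sophos manual or product: it reads the registry values that Group Policy processing writes under the FVE policy key. The value names are those used by the BitLocker ADMX template (VolumeEncryption.admx) and are not taken from this manual; verify them against your own policy definitions before relying on the output.

```powershell
# Added example, not part of the Sophos manual: show how the BitLocker Group Policies
# referred to in 16.2.1.2 and 16.2.3 are currently set on this endpoint by reading the
# registry values that policy processing writes under the FVE policy key.
# Value names follow the BitLocker ADMX template (VolumeEncryption.admx), not this manual.
$fvePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

# Pairs of: registry value name, Group Policy setting it belongs to
$checks = @(
    @("UseAdvancedStartup", "Require additional authentication at startup"),
    @("EnableBDEWithNoTPM", "Allow BitLocker without a compatible TPM (Startup Key / Password without TPM)"),
    @("UseTPM",             "Configure TPM startup"),
    @("UseTPMPIN",          "Configure TPM startup PIN"),
    @("UseTPMKey",          "Configure TPM startup key"),
    @("UseTPMKeyPIN",       "Configure TPM startup key and PIN"),
    @("UseEnhancedPin",     "Allow enhanced PINs for startup"),
    @("OSPassphrase",       "Configure use of passwords for operating system drives"),
    @("FDVPassphrase",      "Configure use of passwords for fixed data drives"),
    @("OSEnablePreBootInputProtectorsOnSlates",
      "Enable use of BitLocker authentication requiring preboot keyboard input on slates")
)

if (-not (Test-Path $fvePolicyKey)) {
    "No BitLocker policy key at $fvePolicyKey - all settings are 'not configured'."
} else {
    $props = Get-ItemProperty -Path $fvePolicyKey
    foreach ($c in $checks) {
        $name  = $c[0]
        $value = $props.$name                        # $null when the value is absent
        $state = if ($null -eq $value) { "not configured" } else { "$value" }
        "{0,-42} {1,-15} {2}" -f $name, $state, $c[1]
    }
}
```

A value reported as "not configured" means the policy is absent in the registry; for enhanced PINs this is the case in which, as stated in 16.2.1.2, Sophos SafeGuard still allows them. The numeric meaning of the other values (for example, which number stands for "allow" versus "require" a TPM PIN) is defined by the ADMX template, so read the raw numbers together with it.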
Sophos SafeGuard Challenge/Response for BitLocker
In order to use Sophos SafeGuard BitLocker Challenge/Response the following requirements
must be met:
■ 64-bit Windows
■ UEFI version 2.3.1 or newer
■ Microsoft UEFI certificate is available or Secure Boot is disabled
■ NVRAM boot entries accessible from Windows
■ Windows installed in GPT mode
■ The hardware is not listed in the POACFG.xml file.
Sophos delivers a default POACFG.xml file embedded in the setup. It is recommended to
download the newest file and provide it to the installer.
During installation on the endpoint and the first reboot, Sophos SafeGuard determines whether
the hardware meets the requirements for BitLocker with Sophos SafeGuard Challenge/Response.
If not, Sophos SafeGuard BitLocker management is run without Challenge/Response. In this case
the BitLocker recovery key can be retrieved using the SafeGuard Policy Editor.
16.2.4 Manage BitLocker Drive Encryption with Sophos SafeGuard
With Sophos SafeGuard you can manage BitLocker Drive Encryption from the SafeGuard Policy
Editor, like a native Sophos SafeGuard Client. As a security officer you can set encryption and
authentication policies and distribute them to the BitLocker endpoints.
During installation of the Sophos SafeGuard Client on Windows 7, the BitLocker feature needs
to be explicitly selected to enable BitLocker management.
Management of the BitLocker clients in Sophos SafeGuard is transparent, which means that
management functions work in general the same for BitLocker and native Sophos SafeGuard
Clients.
16.2.5 Encrypting with BitLocker managed by Sophos SafeGuard
With BitLocker Drive Encryption support in Sophos SafeGuard you can encrypt boot volumes as
well as non-boot volumes with BitLocker encryption and keys.
16.2.5.1 BitLocker encryption keys
When encrypting the boot volume or other volumes with BitLocker through Sophos SafeGuard,
the encryption keys are always generated by BitLocker. A key is generated by BitLocker for each
volume and cannot be reused for any other purpose. It needs to be stored in a safe place.
The key recovery file generated during installation of the Sophos SafeGuard encryption software
needs to be stored in a location that is accessible to a helpdesk officer and the name of the file
must be known.
16.2.5.2 BitLocker algorithms in Sophos SafeGuard
BitLocker supports the following Advanced Encryption Standard (AES) algorithms:
■ AES-128
■ AES-256
AES-128 with diffuser and AES-256 with diffuser are no longer supported. Drives already encrypted
using an algorithm with diffuser can be managed by Sophos SafeGuard.
16.2.5.3 Encryption policies for BitLocker Drive Encryption
You can create a policy for encryption in the SafeGuard Policy Editor and distribute it to the
BitLocker endpoints where it is executed. It triggers the BitLocker encryption of the volumes
specified in the Sophos SafeGuard policy.
A BitLocker endpoint processes policies of type Device Protection and Authentication.
The following settings are evaluated on the endpoint:
■ Settings in a policy of type Device Protection:
  ■ Target: Local Storage Devices | Internal Storage | Boot Volumes | Non-boot Volumes
    | Drive Letters A: - Z:
  ■ Media Encryption Mode: Volume-based | No encryption
  ■ Algorithm to be used for encryption: AES128 | AES256
  ■ Fast initial encryption: Yes | No
  For details see Device Protection (page 92).
■ Setting in a policy of type Authentication:
  ■ BitLocker Logon Mode for Boot Volumes: TPM | TPM + PIN | TPM + Startup Key |
    Startup Key |
  ■ BitLocker Fallback Logon Mode for Boot Volumes: Startup Key | Password | Password
    or Startup Key | Error
  ■ BitLocker Logon Mode for Non-Boot Volumes: Auto-Unlock | Password | Startup Key
  ■ BitLocker Fallback Logon Mode for Non-Boot Volumes: Startup Key | Password or
    Startup Key | Password
For details see Authentication (page 77).
All other settings are ignored by the BitLocker endpoint.
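Once such a policy has been executed on an endpoint, the security officer may want to confirm that what BitLocker actually configured matches the logon modes above and that each encrypted volume carries a recovery password protector (the recovery key the helpdesk relies on). The script below is an added example and is not part of the Sophos manual or product. It uses the Get-BitLockerVolume cmdlet of the BitLocker PowerShell module, which exists on Windows 8 and later only (Windows 7 endpoints have to use the Microsoft tool "manage-bde -status" instead); the mapping from BitLocker's protector type names to the logon modes of this manual is the author's own.

```powershell
# Added example, not part of the Sophos manual: compare the key protectors present on each
# BitLocker volume with the logon modes listed in the Authentication policy settings, and
# flag volumes that lack a recovery password protector. Requires the BitLocker PowerShell
# module (Windows 8 and later) and an elevated prompt.
$systemDrive = $env:SystemDrive    # e.g. "C:", the boot volume

# BitLocker protector type (as reported by Get-BitLockerVolume) -> logon mode in this manual
$logonMode = @{
    "Tpm"              = "TPM"
    "TpmPin"           = "TPM + PIN"
    "TpmStartupKey"    = "TPM + Startup Key"
    "Password"         = "Password"
    "ExternalKey"      = "Startup Key (on a non-boot volume: the Auto-Unlock key stored on the boot volume)"
    "RecoveryPassword" = "recovery key (48-digit recovery password used by the helpdesk)"
}

foreach ($vol in Get-BitLockerVolume) {
    $kind = if ($vol.MountPoint -eq $systemDrive) { "boot volume" } else { "non-boot volume" }
    "{0} ({1}): status {2}, method {3}, protection {4}" -f `
        $vol.MountPoint, $kind, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    foreach ($t in $types) {
        $desc = if ($logonMode.ContainsKey($t)) { $logonMode[$t] } else { "$t (not a SafeGuard logon mode)" }
        "    protector: {0,-18} -> {1}" -f $t, $desc
    }

    # Without a recovery password protector the helpdesk cannot recover this volume.
    if ($vol.VolumeStatus -ne "FullyDecrypted" -and $types -notcontains "RecoveryPassword") {
        "    WARNING: no recovery password protector on this encrypted volume"
    }
    # AES with diffuser is managed but no longer selectable for new encryption (16.2.5.2).
    if ("$($vol.EncryptionMethod)" -match "Diffuser") {
        "    NOTE: legacy diffuser algorithm; new encryption uses AES-128 or AES-256 only"
    }
}
```

Read the output against the policy: a boot volume configured for TPM + PIN should list a TpmPin protector plus a RecoveryPassword protector, and a non-boot volume set to Auto-Unlock should list an ExternalKey protector. A mismatch usually means a different Group Policy has overridden the settings described in 16.2.3, or the hardware test described in 16.2.2 failed.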
16.2.5.4 Encryption on a BitLocker-protected computer
Before the encryption starts, the encryption keys are generated by BitLocker. Depending on the
system used the behaviour differs slightly.
Endpoints with TPM
If the security officer defines a logon mode for BitLocker that involves the TPM (TPM, TPM + PIN
or TPM + Startup Key), TPM activation is automatically initiated.
The TPM (Trusted Platform Module) is a hardware device BitLocker uses to store its encryption
keys. The keys are not stored on the computer’s hard disk. The TPM must be accessible by the
basic input/output system (BIOS) during startup. When the user starts the computer, BitLocker
will get these keys from the TPM automatically.
Endpoints without TPM
If an endpoint is not equipped with a TPM, either a BitLocker startup key or, if the endpoint is
running Windows 8 or later, a password can be used as the logon mode.
A BitLocker startup key can be created using a USB memory stick to store the encryption keys.
Users will have to insert the memory stick each time they start the computer.
When Sophos SafeGuard activates BitLocker, users are prompted to save the BitLocker startup
key. A dialog appears displaying the valid target drives in which to store the startup key.
Note: For boot volumes it is essential that users have the startup key available when they start
their endpoints. Therefore the startup key can only be stored on removable media.
For data volumes the BitLocker startup key can be stored on an encrypted boot volume. This is
done automatically if Auto-Unlock is defined in the policy.
BitLocker recovery keys
For BitLocker recovery, Sophos SafeGuard offers a Challenge/Response procedure that allows
information to be exchanged confidentially and allows the BitLocker recovery key to be retrieved
from the helpdesk, see also the SafeGuard Easy User help, chapters Challenge/Response for
BitLocker users and BitLocker recovery key.
To enable recovery with Challenge/Response or retrieval of the recovery key, the required data
has to be available to the helpdesk. The data required for recovery is saved in specific key recovery
files.
Note: If Sophos SafeGuard without Challenge/Response is used, the recovery key is not changed
after a recovery procedure.
When the Sophos SafeGuard configuration is applied to a computer the key recovery file is created
automatically at a location specified by the security officer. Usually the file location is a shared
path. The key recovery file is created automatically at this location. If the security officer has not
specified a file location, users are prompted to save the file manually. The recovery file for each
volume to be encrypted has to be saved separately.
If the specified file location is not accessible when Sophos SafeGuard tries to create the file, a
balloon tip pops up, a message is written into the system event log and Sophos SafeGuard will
try to save the file again later. Sophos SafeGuard keeps prompting you, until you save the file.
Recovery files can be saved manually. A new key backup can be created from the Sophos
SafeGuard System Tray icon at any time. Creating a new key recovery file may, for example, be
necessary if existing key files have been corrupted or are no longer available to the helpdesk.
Note: If a BitLocker-encrypted hard disk in a computer is replaced by a new BitLocker-encrypted
hard disk, and the new hard disk is assigned the same drive letter as the previous hard disk,
Sophos SafeGuard only saves the recovery key of the new hard disk.
If a volume has already been encrypted with BitLocker before installing the BitLocker support of
Sophos SafeGuard, you need to back up the keys of the previously encrypted volume by using
the backup mechanisms offered by Microsoft.
Managing drives already encrypted with BitLocker
If there are any drives already encrypted with BitLocker on your computer when Sophos SafeGuard
is installed, Sophos SafeGuard takes over the management of these drives.
Encrypted boot drives
■ Depending on the Sophos SafeGuard BitLocker support used, you may be prompted to reboot
the computer. It is important that you reboot the computer as early as possible.
■ If a Sophos SafeGuard encryption policy applies for the encrypted drive:
  ■ Sophos SafeGuard BitLocker Challenge/Response is installed: Management is taken
    over and Sophos SafeGuard Challenge/Response is possible.
  ■ Sophos SafeGuard BitLocker is installed: Management is taken over and Sophos
    SafeGuard recovery is possible.
■ If no Sophos SafeGuard encryption policy applies for the encrypted drive:
  ■ Sophos SafeGuard BitLocker Challenge/Response is installed: Management is not
    taken over and Sophos SafeGuard Challenge/Response is not possible.
  ■ Sophos SafeGuard BitLocker is installed: Sophos SafeGuard recovery is possible.
Encrypted data drives
■ If a Sophos SafeGuard encryption policy applies for the encrypted drive:
  Management is taken over and Sophos SafeGuard recovery using the SafeGuard Policy Editor
  is possible.
■ If no Sophos SafeGuard encryption policy applies for the encrypted drive:
  Sophos SafeGuard recovery using the SafeGuard Policy Editor is possible.
Note: Sophos SafeGuard may not be able to take over the management of an encrypted drive.
SafeGuard recovery for a BitLocker drive like this is then not possible. In this case contact your
security officer.
16.2.5.5 Decryption with BitLocker
Computers encrypted with BitLocker cannot be decrypted automatically. Decryption can be carried
out using either the BitLocker Drive Encryption item in the Control Panel or the Microsoft
command-line tool "Manage-bde".
To allow users to decrypt BitLocker encrypted volumes manually, a policy without an encryption
rule for a BitLocker encrypted volume has to be applied on the endpoint. The user can then trigger
decryption by deactivating BitLocker for the desired volume in the BitLocker Drive Encryption
Control Panel item.
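The following script is an added example and is not part of the Sophos documentation or product. It performs the two Microsoft-side steps this chapter relies on: backing up the BitLocker recovery password of a volume with the Microsoft mechanisms (as required above for volumes encrypted before SafeGuard BitLocker support was installed) and then decrypting the volume with "Manage-bde" instead of the Control Panel item. Run it elevated, and only after a policy without an encryption rule for the volume applies on the endpoint, as the section above requires. The drive letter, the backup share and the CSV layout are assumptions; the BitLocker PowerShell module (Windows 8 / Server 2012 or later) is required.

```powershell
# Added example, not Sophos code. Assumptions: elevated prompt, BitLocker PowerShell module
# available, $MountPoint and $BackupDir chosen for this example.
param(
    [string]$MountPoint = 'D:',
    [string]$BackupDir  = '\\fileserver\bitlocker-backup'   # assumed, access-restricted share
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not BitLocker-encrypted; nothing to do."
    return
}

# 1. Back up every recovery password protector BEFORE touching the volume.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; add one first " +
          "(manage-bde -protectors -add $MountPoint -RecoveryPassword)."
}
$record = foreach ($p in $recovery) {
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectorId      = $p.KeyProtectorId
        RecoveryPassword = $p.RecoveryPassword   # 48-digit numerical password, keep this file protected
        SavedAt          = (Get-Date).ToString('o')
    }
}
$file = Join-Path $BackupDir "$env:COMPUTERNAME-$($MountPoint.TrimEnd(':')).csv"
$record | Export-Csv -Path $file -NoTypeInformation

# Preferred alternative where AD is prepared for BitLocker recovery escrow:
# foreach ($p in $recovery) { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }

# 2. Start decryption; same effect as "Turn off BitLocker" in the Control Panel item.
manage-bde -off $MountPoint
if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed with exit code $LASTEXITCODE" }

# 3. Wait until decryption has finished. The volume stays usable in the meantime.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -ne 'FullyDecrypted')
```

The CSV contains the plaintext recovery password, so the share must be restricted to the helpdesk; escrowing to Active Directory with Backup-BitLockerKeyProtector avoids the file altogether. Note that this backs up only the Microsoft protector; SafeGuard's own recovery key for the drive is handled by SafeGuard as described earlier in this chapter.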
17 SafeGuard Data Exchange
SafeGuard Data Exchange is used to encrypt data stored on removable media connected to a
Sophos SafeGuard endpoint and to exchange this data with other users. All encryption and
decryption processes run transparently and involve minimum user interaction.
Only users who have the appropriate keys can read the contents of the encrypted data. All
subsequent encryption processes run transparently.
As a security officer, you define the specific settings in a policy of the type Device Protection
with Removable Media as the Device protection target.
17.1 Local Keys
SafeGuard Data Exchange supports encryption with local keys. Local keys are created on the
endpoints and can be used to encrypt data on removable media. They are created by entering a
passphrase.
If local keys are used to encrypt files on removable media, these files can be decrypted using
SafeGuard Portable on a computer without SafeGuard Data Exchange. When the files are opened
with SafeGuard Portable, the user is prompted to enter the passphrase that was specified when
the key was created. If the user knows the passphrase, they can open the file.
Using SafeGuard Portable every user who knows the passphrase can get access to an encrypted
file on removable media. This way it is also possible to share encrypted data with partners who
do not have Sophos SafeGuard. They only need to be provided with SafeGuard Portable and the
passphrase for the files they should have access to.
If different local keys are used to encrypt files on removable media, you can even restrict access
to files. For example: You encrypt the files on a USB memory stick using a key with passphrase
my_localkey and encrypt a single file named ForMyPartner.doc using the passphrase
partner_localkey. If you give the USB memory stick to a partner and provide them with the
passphrase partner_localkey, they only have access to ForMyPartner.doc.
Note: By default SafeGuard Portable is automatically copied to removable media connected to
the system as soon as content is written to media covered by an encryption rule. If you do not
want SafeGuard Portable to be copied to removable media, deactivate the Copy SG Portable
to target option in a policy of the type Device Protection.
Local keys are not backed up and cannot be used for recovery.
17.2 Media passphrase
SafeGuard Data Exchange allows you to specify that one single media passphrase for all removable
media - except optical media - has to be created on the endpoints.
The media passphrase provides access to all local keys used in SafeGuard Portable. The user
only has to enter one single passphrase and gets access to all encrypted files in SafeGuard
Portable, regardless of the local key used for encryption.
On every computer, a unique Media Encryption Key for data encryption is automatically created
for each device. This key is protected with the media passphrase. On a computer with SafeGuard
Data Exchange, it is therefore not necessary to enter the media passphrase to access encrypted
files on the removable media. Access is granted automatically if the appropriate key is part of the
user's key ring.
Media passphrase functionality is available when the User may define a media passphrase for
devices option is activated in a policy of the type Device Protection.
When this setting becomes active on the computer, the user is automatically prompted to enter
a media passphrase, when they connect removable media for the first time. The user may also
change the media passphrase and it will be synchronized automatically when the passphrase
known on the computer and the media passphrase of the removable media are out of sync.
If the user forgets the media passphrase, it can be recovered by the user without any need of a
helpdesk.
Note: To enable the media passphrase, activate the User may define a media passphrase for
devices option in a policy of the type Device Protection. This is only available if you have
selected Removable Media as Device Protection target.
On a Sophos SafeGuard protected endpoint without an activated media passphrase feature, no
keys are available after installation has been completed, since Sophos SafeGuard endpoints only
use local keys. Before encryption can be used, the user has to create a key.
If the media passphrase feature is activated in a removable media policy for Sophos SafeGuard
protected endpoints, the media encryption key is created automatically on the endpoint and can
be used for encryption immediately after installation has been completed. It is available as
"predefined key" in the user's key ring and is displayed as <user name> in dialogs for key
selection.
If available, the media encryption keys will also be used for all initial encryption tasks.
17.3 Configure trusted and ignored applications for SafeGuard
Data Exchange
You can define applications as trusted to grant them access to encrypted files. This is for example
necessary to enable antivirus software to scan encrypted files.
You can also define applications as ignored to exempt them from transparent file
encryption/decryption. For example, if you define a backup program as an ignored application,
encrypted data backed up by the program remains encrypted.
Note: Child processes will not be ignored.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Trusted Applications or Ignored
Applications field.
3. In the editor list box, enter the applications to be defined as trusted/ignored.
■ You can define multiple trusted/ignored applications in one policy. Each line in the editor
list box defines one application.
■ Application names must end with .exe.
■ Application names must be specified as fully qualified paths including drive/directory
information. Entering the file name only (for example "example.exe") is not sufficient. For
better usability the single line view of the application list only shows the file names separated
by semicolons.
4. Save your changes.
17.4 Configure ignored devices for SafeGuard Data Exchange
You can define devices as ignored to exclude them from the file encryption process. You can only
exclude entire devices.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Ignored Devices field.
3. In the editor list box, enter the required device names to exclude specific devices from
encryption. This may be useful when you need to exclude systems from third party suppliers.
Note: You can display the names of the devices currently used in the system by using third
party tools (for example OSR's Device Tree). Sophos SafeGuard logs all devices it attaches
to and you can display a list of attached and ignored devices by using registry keys. For further
information, see Display attached and ignored devices for SafeGuard Data Exchange
configuration (page 117).
17.4.1 Display attached and ignored devices for SafeGuard Data Exchange
configuration
To help you when defining ignored devices, you can use registry keys to show which devices are
being considered for encryption (attached devices) and which devices are currently being ignored.
The list of ignored devices shows only devices that are actually available on the computer and
are being ignored. If a device is set to be ignored in a policy and the device is not available on
the computer, the device is not listed.
Use the following registry keys to display attached and ignored devices:
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\AttachedDevices
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\IgnoredDevices
17.5 Configure persistent encryption for SafeGuard Data
Exchange
The contents of files encrypted by SafeGuard Data Exchange are decrypted on the fly if the
user owns the required key. When the content is saved as a new file in a location that is not
covered by an encryption rule, the resulting file will not be encrypted.
With persistent encryption, copies of encrypted files will be encrypted, even when they are saved
in a location not covered by an encryption rule.
You can configure persistent encryption in policies of the type General Settings. The policy
setting Enable persistent encryption is activated by default.
Note:
■ If files are copied or moved to an ignored device or to a folder to which a policy with encryption
Mode Ignore applies, the Enable persistent encryption setting has no effect.
■ Copy operations are detected based on file names. When a user saves an encrypted file with
Save As under a different file name in a location not covered by an encryption rule, the file
will be plaintext.
17.6 Tracking files accessed on removable media
You can track files accessed on removable media. File access can be tracked regardless of any
encryption policy applying to files on removable media.
In a policy of the type Logging you can define the following:
■ An event to be logged when a file or directory is created on a removable media device.
■ An event to be logged when a file or directory is renamed on a removable media device.
■ An event to be logged when a file or directory is deleted from a removable media device.
You can view the events logged in the Windows Event Viewer.
17.6.1 Configure file access tracking for removable media
1. In the SafeGuard Policy Editor, select Policies.
2. Create a new Logging policy or select an existing one.
In the action area on the right-hand side under Logging, all predefined events which can be
logged are displayed. By clicking on the column headers you can sort the events by ID,
Category etc.
3. To activate file access tracking for files stored on removable media, select the following log
events depending on your requirements:
■ ID 3020 File tracking for removable media: a file has been created.
■ ID 3021 File tracking for removable media: a file has been renamed.
■ ID 3022 File tracking for removable media: a file has been deleted.
For all events selected, a green check mark is displayed in the Log in event log icon column.
4. Save your settings.
After assigning the policy the file access tracking on removable media is activated and the selected
events are logged. You can view them in the Windows Event Viewer.
18 Cloud Storage
The module Cloud Storage offers file-based encryption of data stored in the cloud.
It does not change the way users work with data stored in the cloud. Users are still using the
same vendor specific synchronization applications to send data to or receive data from the cloud.
The purpose of Cloud Storage is to make sure that the local copies of data stored in the cloud are
encrypted transparently, so that the data is always stored in the cloud in encrypted form.
In the SafeGuard Policy Editor, you create Cloud Storage Definitions (CSDs) and use them as
target in Device Protection policies. Predefined Cloud Storage Definitions are available for
several cloud storage providers, for example Dropbox or Egnyte.
After a Cloud Storage policy has been assigned to endpoints, files in locations covered by the
policy are transparently encrypted without user interaction:
■ Encrypted files will be synchronized to the cloud.
■ Encrypted files received from the cloud can be modified by applications as usual.
To access Cloud Storage encrypted files on endpoints without Cloud Storage, SafeGuard Portable
can be used to read encrypted files.
Note: Cloud Storage only encrypts new data stored in the cloud. If data is already stored in the
cloud before installing Cloud Storage, this data will not automatically be encrypted. If you want
to encrypt this data, you have to remove it from the cloud first and then add it again.
18.1 Requirements for Cloud Storage vendor software
To enable encryption of data stored in the cloud, the software provided by the cloud storage
vendor must:
■ Run on the computer where Cloud Storage is installed.
■ Have an application (or system service) that is stored on the local file system and synchronizes
data between the cloud and the local system.
■ Store the synchronized data on the local file system.
18.2 Create Cloud Storage Definitions (CSDs)
In the SafeGuard Policy Editor, predefined Cloud Storage Definitions are available for several
cloud storage providers, for example Dropbox or Egnyte. You can modify the paths defined in
predefined Cloud Storage Definitions according to your requirements or create a new definition
based on the predefined one, if you only want to encrypt part of the data in cloud storage. You
can also create your own Cloud Storage Definitions.
Note: Certain folders (for example the Dropbox installation folder) may prevent the operating
system or applications from running when encrypted. When you create Cloud Storage Definitions
for Device Protection policies, make sure that these folders are not encrypted.
1. In the Policies navigation area, select Cloud Storage Definitions.
2. In the context menu of Cloud Storage Definitions, click New > New cloud storage definition.
3. The New Cloud Storage definition dialog appears. Enter a name for the Cloud Storage
Definition.
4. Click OK. The Cloud Storage Definition appears with the entered name under the Cloud
Storage Definitions root node in the Policies navigation area.
5. Select the Cloud Storage Definition. In the work area on the right-hand side the content of a
Cloud Storage Definition is displayed:
■ Target name: This is the name you entered initially. It is used for referencing the Cloud
Storage Definition as target in a policy of the type Device Protection.
■ Synchronization application: Enter path and application that synchronizes the data with the
cloud here (for example: <Desktop>\dropbox\dropbox.exe). The application must reside on a
local drive.
■ Synchronization folder: Enter the folder(s) that will be synchronized with the cloud here. Only
local paths are supported.
SafeGuard Cloud Storage supports placeholders for paths in the Synchronization
application and Synchronization folder.
18.2.1 Supported Placeholders
The following placeholders can be used when specifying paths for Synchronization application
and Synchronization folders.You can select these placeholders by clicking the dropdown button
of the Path field.
Placeholder, and the value it results in on the endpoint:

<%environment_variable_name%>
  The value of the environment variable. Example: <%USERNAME%>.
  Note: If an environment variable contains several locations (for example the PATH environment
  variable), the paths are not separated into multiple rules. This causes an error and the
  encryption rule is invalid.
<Cookies>
  The file system directory that serves as a common repository for internet cookies. Typical path:
  C:\Documents and Settings\username\Cookies.
<Desktop>
  The virtual folder that represents the Microsoft Windows desktop.
<Documents>
  The virtual folder that represents the My Documents desktop item (equivalent to
  CSIDL_MYDOCUMENTS). Typical path: C:\Documents and Settings\username\My Documents.
<Favorites>
  The file system directory that serves as a common repository for the user's favorite items.
  Typical path: C:\Documents and Settings\username\Favorites.
<Local Application Data>
  The file system directory that serves as a data repository for local (non-roaming) applications.
  Typical path: C:\Documents and Settings\username\Local Settings\Application Data.
<Music>
  The file system directory that serves as a data repository for music files. Typical path:
  C:\Documents and Settings\username\My Documents\My Music.
<Pictures>
  The file system directory that serves as a data repository for image files. Typical path:
  C:\Documents and Settings\username\My Documents\My Pictures.
<Program Data>
  The file system directory that contains application data for all users. Typical path:
  C:\Documents and Settings\All Users\Application Data.
<Program Files>
  The Program Files folder. Typical path: \Program Files. For 64-bit systems, this will be
  expanded to two rules - one for 32-bit applications and one for 64-bit applications.
<Public Music>
  The file system directory that serves as a common repository for music files for all users.
  Typical path: C:\Documents and Settings\All Users\Documents\My Music.
<Public Pictures>
  The file system directory that serves as a common repository for image files for all users.
  Typical path: C:\Documents and Settings\All Users\Documents\My Pictures.
<Public Videos>
  The file system directory that serves as a common repository for video files for all users.
  Typical path: C:\Documents and Settings\All Users\Documents\My Videos.
<Roaming>
  The file system directory that serves as a common repository for application-specific data.
  Typical path: C:\Documents and Settings\username\Application Data.
<System>
  The Windows System folder. Typical path: C:\Windows\System32. For 64-bit systems, this will
  be expanded to two rules - one for 32-bit and one for 64-bit.
<Temporary Burn Folder>
  The file system directory that is used as a staging area for files waiting to be written on a CD.
  Typical path: C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\CD
  Burning.
<Temporary Internet Files>
  The file system directory that serves as a common repository for temporary internet files.
  Typical path: C:\Documents and Settings\username\Local Settings\Temporary Internet Files.
<User Profile>
  The user's profile folder. Typical path: C:\Users\username.
<Videos>
  The file system directory that serves as a common repository for video files. Typical path:
  C:\Documents and Settings\username\My Documents\My Videos.
<Windows>
  The Windows directory or SYSROOT. This corresponds to the environment variables %windir%
  or %SYSTEMROOT%. Typical path: C:\Windows.
Any errors in placeholders are logged.
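The following script is an added example and not part of the Sophos documentation or product. It resolves placeholder paths on a Windows endpoint according to the rules in the table above (environment variable placeholders, known-folder placeholders, the two-rule expansion of <Program Files> and <System> on 64-bit systems, and the rejection of a variable such as PATH that holds several locations), so a security officer can check what a Cloud Storage Definition path will expand to on a given endpoint before deploying the policy. The mapping from placeholder names to .NET special folders is our assumption; the SafeGuard client resolves placeholders internally, and provider placeholders such as <!Dropbox!> are deliberately left untouched because only the client can read the provider's configuration. The sample paths in the usage lines are constructed for this example.

```powershell
# Added example, not Sophos code. The placeholder-to-special-folder mapping is an assumption
# made for this example; the SafeGuard endpoint resolves placeholders itself.
$KnownFolders = @{
    'Cookies'                  = 'Cookies'
    'Desktop'                  = 'Desktop'
    'Documents'                = 'MyDocuments'
    'Favorites'                = 'Favorites'
    'Local Application Data'   = 'LocalApplicationData'
    'Music'                    = 'MyMusic'
    'Pictures'                 = 'MyPictures'
    'Program Data'             = 'CommonApplicationData'
    'Public Music'             = 'CommonMusic'
    'Public Pictures'          = 'CommonPictures'
    'Public Videos'            = 'CommonVideos'
    'Roaming'                  = 'ApplicationData'
    'Temporary Burn Folder'    = 'CDBurning'
    'Temporary Internet Files' = 'InternetCache'
    'User Profile'             = 'UserProfile'
    'Videos'                   = 'MyVideos'
    'Windows'                  = 'Windows'
}

# Placeholders that become two rules on 64-bit Windows (32-bit and 64-bit location).
$DualRule = @{
    '<Program Files>' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    '<System>'        = @("$env:windir\System32", "$env:windir\SysWOW64")
}

function Resolve-CsdPath {
    # Returns the resolved path(s); throws where the endpoint would log a placeholder error.
    param([Parameter(Mandatory)][string]$Path)

    foreach ($key in $DualRule.Keys) {
        if ($Path.StartsWith($key)) {
            $rest  = $Path.Substring($key.Length)
            $roots = if ([Environment]::Is64BitOperatingSystem) { $DualRule[$key] } else { $DualRule[$key][0] }
            return @($roots | Where-Object { $_ } | ForEach-Object { $_ + $rest })
        }
    }

    # <%NAME%>: a single environment variable. A variable holding several locations (PATH)
    # is not split into several rules; such a rule is invalid, so it is rejected here.
    $resolved = [regex]::Replace($Path, '<%([^%>]+)%>', {
        param($m)
        $name  = $m.Groups[1].Value
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrEmpty($value)) { throw "environment variable '$name' is not set" }
        if ($value.Contains(';'))            { throw "environment variable '$name' contains several locations; rule invalid" }
        $value
    })

    # <Desktop>, <Documents>, ...: known folders. The character class excludes '!', so
    # provider placeholders like <!Dropbox!> pass through unchanged.
    $resolved = [regex]::Replace($resolved, '<([^<>%!]+)>', {
        param($m)
        $name = $m.Groups[1].Value
        if (-not $KnownFolders.ContainsKey($name)) { throw "unknown placeholder <$name>" }
        [Environment]::GetFolderPath($KnownFolders[$name])
    })
    return @($resolved)
}

# Usage (constructed paths):
Resolve-CsdPath '<Desktop>\dropbox\dropbox.exe'
Resolve-CsdPath '<Program Files>\Egnyte\EgnyteDrive.exe'     # two rules on 64-bit Windows
Resolve-CsdPath '<!Dropbox!>\encrypt'                        # left for the endpoint to resolve
try { Resolve-CsdPath '<%PATH%>\sync' } catch { Write-Warning "invalid rule: $_" }
```

Run it in the user context the policy will apply to, since <Desktop>, <Documents> and <%USERNAME%> resolve per user; a path that resolves correctly for the administrator's account says nothing about the end user's profile.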
18.2.2 Placeholders for cloud storage providers
As a security officer you can use placeholders for cloud storage providers to define the synchronization
application and synchronization folders. These placeholders represent supported 3rd party cloud
storage applications. You can use a placeholder to specify a certain 3rd party application as
synchronization application and even use the same placeholder to point to the synchronization
folders the 3rd party application actually uses for synchronization.
Placeholders for cloud storage provider are encapsulated by <! and !>.
Note: OS X endpoints only support Dropbox and Google Drive in version 7.0.
Currently supported placeholders

Dropbox
  Placeholder: <!Dropbox!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the Dropbox software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the Dropbox software.

Egnyte
  Placeholder: <!Egnyte!>
  Can be used in CSD setting: Synchronization application
  Resolves to: The fully qualified path of the synchronization application used by the Egnyte
  software.

  Placeholder: <!EgnytePrivate!>
  Can be used in CSD setting: Synchronization folders
  Resolves to: All private folders in the Egnyte cloud storage. For standard Egnyte users this
  is usually a single folder. For Egnyte administrators this placeholder typically resolves to
  multiple folders.

  Placeholder: <!EgnyteShared!>
  Can be used in CSD setting: Synchronization folders
  Resolves to: All shared folders in the Egnyte cloud storage.

  Note: Changes to the Egnyte folder structure (including adding or removing private and shared
  folders) are detected automatically. The policies concerned are adjusted automatically.
  Note: As Egnyte synchronization folders may reside on network locations, you can enter network
  paths in the Synchronization folders setting. The Sophos SafeGuard Cloud Storage module
  therefore attaches to network file systems by default. If this is not required, you can
  deactivate this behavior by defining a General Settings policy and selecting Network under
  Ignored Devices.

Google Drive
  Placeholder: <!GoogleDrive!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the Google Drive software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the Google Drive software.

OneDrive
  Placeholder: <!OneDrive!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the OneDrive software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the OneDrive software.
  Note: SafeGuard Enterprise does not support Microsoft accounts. Under Windows 8.1, OneDrive
  can only be used if the Windows user is a domain user. Under Windows 8.1 SafeGuard Enterprise
  does not support OneDrive for local users.

OneDrive for Business
  Placeholder: <!OneDriveForBusiness!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the OneDrive software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the OneDrive software.
  Note: OneDrive for Business only supports storing encrypted files in local folders and
  synchronizing them with the cloud. Storing encrypted files from Microsoft Office 2013
  applications directly in the OneDrive for Business cloud or directly on the SharePoint Server
  is not supported. These files are stored unencrypted in the cloud.
  SafeGuard Enterprise encrypted files in the OneDrive for Business cloud cannot be opened by
  Microsoft Office 365.

SkyDrive
  Placeholder: <!SkyDrive!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the OneDrive software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the OneDrive software.
  Since Microsoft renamed SkyDrive to OneDrive, the <!SkyDrive!> placeholder is still available.
  This way older policies using the placeholder and SafeGuard Enterprise endpoints before
  version 7 which cannot handle the <!OneDrive!> placeholder can be used without any changes.
  SafeGuard Enterprise endpoints version 7 can handle both placeholders.

Media Center
  Placeholder: <!Mediacenter!>
  Can be used in CSD setting: Synchronization application, Synchronization folders
  Resolves to: For synchronization applications: the fully qualified path of the synchronization
  application used by the Media Center software. For synchronization folders: the fully qualified
  path of the synchronization folder used by the Media Center software.
Example
If you use Dropbox as your cloud storage provider you can simply enter <!Dropbox!> in
Synchronization application. If you do not explicitly specify a synchronization folder,
<!Dropbox!> is also copied into the list of folders under Synchronization folders.
Assuming
■ you used the placeholders <!Dropbox!> as synchronization application and
<!Dropbox!>\encrypt as synchronization folder in the Cloud Storage Definition
■ Dropbox is installed on the endpoint
■ the user has d:\dropbox configured as folder to be synchronized with Dropbox:
When the Sophos SafeGuard endpoint receives a policy with a CSD like this, it will automatically
translate the placeholders in the CSD to match the path of Dropbox.exe for the synchronization
application and it will read the Dropbox configuration and set the encryption policy on the folder
d:\dropbox\encrypt.
18.2.3 Export and import Cloud Storage Definitions
As a security officer you can export and import Cloud Storage Definitions. A CSD is exported
as an XML file.
■ To export a CSD click Export Cloud Storage Definition... from the context menu of the
desired Cloud Storage Definition in the Policy area.
■ To import a CSD click Import Cloud Storage Definition... from the context menu of the desired
Cloud Storage Definition in the Policy area.
Both commands can also be found in the Actions menu of the Policy Editor.
18.3 Create a device protection policy with a Cloud Storage
Definition target
The Cloud Storage Definitions must have been created beforehand. Predefined Cloud Storage
Definitions are available for several cloud storage providers, for example Dropbox or Egnyte.
You define the settings to encrypt cloud storage data in a policy of the type Device Protection.
1. In the Policies navigation area, create a new policy of the type Device Protection.
2. Select a Cloud Storage Definition as target.
3. Click OK. The new policy is displayed in the navigation window below Policy Items. In the
action area, all settings for the Device Protection policy are displayed and can be changed.
4. For the Media encryption mode setting select File-based. Volume-based encryption is not
supported.
5. Under Algorithm to be used for encryption select the algorithm to be used for encrypting
the data in the synchronization folders defined in the CSD.
6. Set Key to be used for encryption to Any key in user key ring to define the key or the keys
that shall be used for encryption.
7. Set User is allowed to create a local key to Yes.
Note: Users should use the local keys for Cloud Storage encryption. This is particularly
important to share encrypted data stored in the cloud with users that do not have Sophos
SafeGuard installed. To create local keys, see Local Keys (page 115).
8. If you activate the Copy SG Portable to target setting, SafeGuard Portable is copied to each
synchronization folder as soon as content is written to it. SafeGuard Portable is an application
that can be used to read encrypted files on Windows computers that do not have Sophos
SafeGuard installed.
9. The Plaintext folder setting allows you to define a folder that will be excluded from encryption.
Data stored in subfolders of the defined plaintext folder will also be excluded from encryption.
SafeGuard Cloud Storage automatically creates empty plaintext folders in all synchronization
folders defined in the Cloud Storage Definition.
18.4 Tracking files accessed in cloud storage
You can track files accessed in cloud storage. File access can be tracked regardless of any
encryption policies applied to them.
In a policy of the type Logging you can define the following:
■ To log an event when a file or directory is created in cloud storage.
■ To log an event when a file or directory is renamed in cloud storage.
■ To log an event when a file or directory is deleted from cloud storage.
You can view the events logged in the Windows Event Viewer.
18.4.1 Configure file access tracking for cloud storage
1. In the SafeGuard Policy Editor, select Policies.
2. Create a new Logging policy or select an existing one.
In the action area on the right-hand side under Logging, all predefined events which can be
logged are displayed. By clicking on the column headers you can sort the events by ID,
Category etc.
3. To activate file access tracking for files stored in cloud storage, select the following log events
depending on your requirements:
■ ID 3020 File tracking for cloud storage - CREATE
■ ID 3021 File tracking for cloud storage - RENAME
■ ID 3022 File tracking for cloud storage - DELETE
For all events selected, a green check mark is displayed in the Log in event log icon column.
4. Save your settings.
After assigning the policy the file access tracking for files in cloud storage is activated and the
selected events are logged. You can view them in the Windows Event Viewer.
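The following script is an added example and not part of the Sophos documentation or product. It collects the file tracking events configured in this section and in "Configure file access tracking for removable media" above (both use the IDs 3020, 3021 and 3022) from the Windows event log of an endpoint, labels them with the action the ID stands for, exports them for a SIEM and prints a quick triage view of deletions per user. The log name (Application) and the time window are assumptions; check Event Viewer once after assigning the Logging policy to see which log and provider the SafeGuard client actually writes to, and add a ProviderName entry to the filter so that unrelated providers using the same IDs are excluded. Because removable media and cloud storage share the same IDs, the message text is kept verbatim; it is what tells the two apart.

```powershell
# Added example, not Sophos code. Assumptions: the client logs to the Application log,
# and the last 24 hours are of interest. Add ProviderName = '<provider>' to $filter once known.
param(
    [string]$LogName = 'Application',
    [int]$Hours      = 24,
    [string]$Export  = "$env:TEMP\sg-file-tracking.csv"
)

# Event ID to action, as listed in the Logging policy.
$action = @{ 3020 = 'CREATE'; 3021 = 'RENAME'; 3022 = 'DELETE' }

$filter = @{
    LogName   = $LogName
    Id        = 3020, 3021, 3022
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Action   = $action[$e.Id]
        Provider = $e.ProviderName
        User     = if ($e.UserId) { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } else { '' }
        Message  = ($e.Message -replace '\s+', ' ')   # verbatim text, whitespace collapsed
    }
}

# Export for the SIEM; the same IDs cover removable media and cloud storage, so the
# message (and provider) must travel with the row.
$rows | Export-Csv -Path $Export -NoTypeInformation -Encoding UTF8

# Triage view: deletions, then counts per user and action.
$rows | Where-Object Action -eq 'DELETE' | Select-Object Time, User, Message | Format-Table -Wrap
$rows | Group-Object User, Action | Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

On a fleet, run this through your usual remote execution channel (for example Invoke-Command) rather than per endpoint, or forward the events with Windows Event Forwarding and query the collector instead.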
19 Sophos SafeGuard and self-encrypting,
Opal-compliant hard drives
Self-encrypting hard drives offer hardware-based encryption of data when they are written to the
hard disk. The Trusted Computing Group (TCG) has published the vendor-independent Opal
standard for self-encrypting hard drives. Different hardware vendors offer Opal-compliant hard
drives. Sophos SafeGuard supports the Opal standard. For more information on supported drives
see http://www.sophos.com/en-us/support/knowledgebase/113366.aspx
19.1 How does Sophos SafeGuard integrate Opal-compliant
hard drives?
In the SafeGuard Policy Editor, you can create security policies and deploy them to endpoints
with self-encrypting Opal-compliant hard drives, just as for any other endpoint protected by Sophos
SafeGuard.
By supporting the Opal standard, we offer the full set of Sophos SafeGuard features to corporate
users of self-encrypting, Opal-compliant hard drives. In combination with Sophos SafeGuard,
Opal-compliant hard drives offer enhanced security features.
19.2 Enhancement of Opal-compliant hard drives with Sophos
SafeGuard
Sophos SafeGuard offers the following benefits in combination with self-encrypting, Opal-compliant
hard drives:
■
SafeGuard Power-on Authentication with graphical user interface
■
Support of non-cryptographic tokens and smartcards
■
Fingerprint logon support
■
Recovery (Local Self Help, Challenge/Response)
■
Encryption of removable media (for example USB memory sticks) with SafeGuard Data
Exchange
19.3 Encryption of Opal-compliant hard drives
Opal-compliant hard drives are self-encrypting. Data is encrypted automatically when it is written
to the hard disk.
The hard drives are locked by an AES 128/256 key used as an Opal password. This password
is managed by Sophos SafeGuard through an encryption policy.
19.4 Lock Opal-compliant hard drives
To lock Opal-compliant hard drives, the machine key has to be defined for at least one volume
on the hard drive in an encryption policy. In case the encryption policy includes a boot volume,
the machine key is defined automatically.
1. In the SafeGuard Policy Editor, create a policy of the type Device Protection.
2. In the field Media encryption mode, select Volume-based.
3. In the field Key to be used for encryption, select Defined machine key.
4. Save your changes in the database.
5. Deploy the policy to the relevant endpoint.
The Opal-compliant hard drive is locked and can only be accessed by logging on to the computer
at the SafeGuard Power-on Authentication.
19.5 Enable users to unlock Opal-compliant hard drives
As a security officer, you can enable users to unlock Opal-compliant hard drives on their endpoint
computers by using the Decrypt command from the Windows Explorer context menu.
1. In the SafeGuard Policy Editor, create a policy of the type Device Protection and include all
volumes on the Opal-compliant hard drive.
2. In the field Media encryption mode, select No encryption.
3. In the field User may decrypt volume, select Yes.
4. Save your changes in the database.
5. Deploy the policy to the relevant endpoint.
The user can permanently unlock the Opal-compliant hard drive on the endpoint. Data is still
encrypted when written to the hard drive.
19.6 Logging of events for endpoints with Opal-compliant
hard drives
Events reported by endpoint computers with self-encrypting, Opal-compliant hard drives are
logged, just as for any other endpoint protected by Sophos SafeGuard. The events do not especially
mention the computer type. Events reported are the same as for any other endpoint protected by
Sophos SafeGuard.
For further information, see Logging (page 102).
20 Secure Wake on LAN (WOL)
In the SafeGuard Policy Editor, you can define policy settings for Secure Wake on LAN (WOL)
to prepare endpoints for software rollouts. If a relevant policy applies to endpoints, the necessary
parameters (for example SafeGuard POA deactivation and a time interval for Wake on LAN) are
transferred directly to the endpoints where parameters are analysed.
The rollout team can design a scheduling script using the commands provided to guarantee
maximum endpoint protection despite the deactivation of the SafeGuard POA.
Note: Deactivating the SafeGuard POA - even for a limited number of boot processes - reduces
the security of your system!
You define the settings for Secure Wake on LAN (WOL) in a policy of the type Specific Machine
Settings.
20.1 Secure Wake on LAN example
The software rollout team informs the Sophos SafeGuard security officer about a software rollout
planned for September 25th, 2014 between 03:00 and 06:00 am. Two reboots are required. The
local software rollout agent must be able to log on to Windows.
In the SafeGuard Policy Editor, the security officer creates a policy of the type Specific Machine
Settings with the following settings and deploys it to the relevant endpoints.
Policy Setting                                  Value
Number of auto logons (0 = no WOL)              5
Windows logon permitted during WOL              Yes
Start of time slot for external WOL start       24th Sept. 2014, 12:00
End of time slot for external WOL start         25th Sept. 2014, 06:00
For further information on the individual settings, see Specific machine settings - basic settings
(page 96).
As the number of autologons is set to 5, the endpoint starts 5 times without authentication through
the SafeGuard POA.
Note: For Wake on LAN, we recommend allowing three more restarts than necessary for
your maintenance operations to overcome any unforeseen problems.
The security officer sets the start of the time slot to 12:00 midday on the day before the software
rollout. In this way, the scheduling script SGMCMDIntn.exe is started in time and WOL starts no
later than 3:00 am on the 25th September.
The software rollout team produces two commands for the scheduling script:
■ Starting 24th Sept. 2014, 12:15 am, SGMCMDIntn.exe -WOLstart
■ Starting 26th Sept. 2014, 09:00 am, SGMCMDIntn.exe -WOLstop
The software rollout script is dated 25.09.2014, 03:00. WOL can be explicitly deactivated again
at the end of the script by using SGMCMDIntn.exe -WOLstop.
All endpoints which log on before the 24th of September 2014 and which connect to the rollout
servers will receive the new policy and the scheduling commands.
Any endpoint on which the schedule triggers the command SGMCMDIntn -WOLstart between
24th Sept. 2014, 12:00 midday and 25th Sept. 2014, 06:00 am falls within the WOL time interval
and therefore Wake on LAN will be activated.
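The time-slot and auto-logon arithmetic of this example, as an added Python illustration that is not part of the Sophos documentation or product: the policy dictionary, the function names and the EndpointWol class are this example's own, and the -WOLstart command is assumed to fire at 12:15 in the afternoon of 24th September, inside the slot.

```python
from datetime import datetime

# Constructed policy values taken from the worked example above (the key names are
# this example's own, not product identifiers).
POLICY = {
    "autologons": 5,                             # Number of auto logons (0 = no WOL)
    "slot_start": datetime(2014, 9, 24, 12, 0),  # Start of time slot for external WOL start
    "slot_end": datetime(2014, 9, 25, 6, 0),     # End of time slot for external WOL start
}


def recommended_autologons(required_reboots: int, spare: int = 3) -> int:
    """Reboots the rollout needs plus the three spare restarts the manual recommends."""
    return required_reboots + spare


def wol_start_is_effective(policy: dict, trigger_time: datetime) -> bool:
    """A -WOLstart command only activates WOL when it fires inside the time slot
    and the policy grants at least one auto logon (0 means no WOL at all)."""
    return (policy["autologons"] > 0
            and policy["slot_start"] <= trigger_time <= policy["slot_end"])


class EndpointWol:
    """Tracks how many boots may still bypass the SafeGuard POA on one endpoint."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.remaining = 0  # POA-less boots left; 0 means the POA is enforced again
        self.log = []

    def wol_start(self, now: datetime) -> bool:
        """SGMCMDIntn.exe -WOLstart as triggered by the scheduling script."""
        if not wol_start_is_effective(self.policy, now):
            self.log.append(f"{now:%d.%m.%Y %H:%M} -WOLstart ignored: outside slot or WOL off")
            return False
        self.remaining = self.policy["autologons"]
        self.log.append(f"{now:%d.%m.%Y %H:%M} WOL active for {self.remaining} boots")
        return True

    def wol_stop(self, now: datetime) -> None:
        """SGMCMDIntn.exe -WOLstop: explicit deactivation, e.g. at the end of the rollout script."""
        self.remaining = 0
        self.log.append(f"{now:%d.%m.%Y %H:%M} WOL deactivated")

    def boot(self, now: datetime) -> str:
        """Each boot consumes one auto logon; once they are used up the POA is enforced."""
        if self.remaining > 0:
            self.remaining -= 1
            self.log.append(f"{now:%d.%m.%Y %H:%M} boot without POA ({self.remaining} left)")
            return "autologon"
        self.log.append(f"{now:%d.%m.%Y %H:%M} boot through POA")
        return "POA"


def simulate_rollout(policy: dict, required_reboots: int) -> list:
    """Replay the schedule above: WOL start on the 24th, the rollout's reboots at 03:00
    on the 25th, explicit WOL stop at the end of the rollout script, then one more boot."""
    endpoint = EndpointWol(policy)
    endpoint.wol_start(datetime(2014, 9, 24, 12, 15))
    outcomes = [endpoint.boot(datetime(2014, 9, 25, 3, 0)) for _ in range(required_reboots)]
    endpoint.wol_stop(datetime(2014, 9, 25, 3, 30))
    outcomes.append(endpoint.boot(datetime(2014, 9, 25, 4, 0)))
    return outcomes


if __name__ == "__main__":
    print(simulate_rollout(POLICY, required_reboots=2))  # ['autologon', 'autologon', 'POA']
```

The unused spare auto logons are what -WOLstop takes away; without it the endpoint would still boot past the POA three more times.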
21 Tokens and smartcards
Sophos SafeGuard provides enhanced security by supporting tokens and smartcards for
authentication. Tokens/smartcards can store certificates, digital signatures and biometric details.
Token logon is based on the principle of two-stage authentication: a user has a token (ownership)
but can only use it if they know the specific token password (knowledge). When a token
or smartcard is used, users only need the token and a PIN for authentication.
Note: From Sophos SafeGuard's perspective, smartcards and tokens are treated in the same
way. So the terms “token” and “smartcard” refer to the same thing in the product and in the manual.
In the SafeGuard Policy Editor, you can specify policy settings for token logon, provided the use
of tokens and smartcards is enabled in your license, see Token licenses (page 37).
Note: Windows 8 and later offers a feature called virtual smartcard. A virtual smartcard simulates
the functionality of a physical smartcard using the TPM chip as basis, but cannot be used with
Sophos SafeGuard.
21.1 Token types
The term "token" refers to all technologies used and does not depend on a particular form of the
device. This includes all devices that can store and transfer data for the purpose of identification
and authentication, like smartcards and USB tokens.
Sophos SafeGuard supports the following types of tokens/smartcards for authentication:
■ non-cryptographic
  Authentication at the SafeGuard POA and Windows is based on user credentials (user
  ID/password) stored on the token.
■ cryptographic - Kerberos
  Cryptographic tokens cannot be used with Sophos SafeGuard.
21.2 Components
To use tokens/smartcards with Sophos SafeGuard, the following is required:
■ Token/smartcard
■ Token/smartcard reader
■ Token/smartcard driver
■ Token/smartcard middleware (PKCS#11 module)
USB tokens
Like smartcards, USB tokens consist of a smartcard and a smartcard reader, both units being
located in a single casing. The use of USB tokens requires a USB port.
21.2.1 Token/smartcard readers and drivers
■ Windows
  On the Windows operating system level, PC/SC-compatible card readers are supported. The
  PC/SC interface regulates the communication between computer and smartcard. Many of
  these card readers are already part of the Windows installation. Smartcards require PKCS#11
  compatible smartcard drivers if they are to be supported by Sophos SafeGuard.
■ SafeGuard Power-on Authentication
  With SafeGuard Power-on Authentication, the PC/SC interface is supported, which regulates
  the communication between PC and smartcard. The supported smartcard drivers are a fixed
  implementation and users may not add other drivers. The appropriate smartcard drivers have
  to be enabled by means of a policy in Sophos SafeGuard.
  The interface for smartcard readers is standardized and many card readers have a USB
  interface or an ExpressCard/54 interface and implement the CCID standard. In Sophos
  SafeGuard, this is a prerequisite to be supported with SafeGuard Power-on Authentication.
  Plus, on the driver side, the PKCS#11 module has to be supported.
21.2.2 Supported tokens/smartcards with SafeGuard Power-on Authentication
Sophos SafeGuard supports a wide range of smartcards/smartcard readers, USB tokens plus
respective drivers and middleware with SafeGuard Power-on Authentication. Tokens/smartcards
which support 2048-bit RSA operations are supported by Sophos SafeGuard.
As support for tokens/smartcards is enhanced from release to release, the tokens and smartcards
supported in whatever is the current version of Sophos SafeGuard are listed in the Release Notes.
21.2.3 Supported middleware
The middleware in the list below is supported by the relevant PKCS#11 module. PKCS#11 is a
standardized interface for connecting cryptographic tokens/smartcards to different software. Here,
it is used for the communication between cryptographic token/smartcard, the smartcard reader
and Sophos SafeGuard.
Manufacturer                 Middleware
ActivIdentity                ActivClient, ActivClient (PIV)
AET                          SafeSign Identity Client
Aladdin                      eToken PKI Client
A-Trust                      a.sign Client
Charismatics                 Smart Security Interface
Gemalto                      Gemalto Access Client, Gemalto Classic Client, Gemalto .NET Card
IT Solution GmbH             IT Solution trustWare CSP+
Nexus                        Nexus Personal
RSA                          RSA Authentication Client 2.x, RSA Smart Card Middleware 3.x
Sertifitseerimiskeskus AS    Estonian ID Card
Siemens                      CardOS API
T-Systems                    NetKey 3.0
Unizeto                      proCertum
Licenses
Note that the use of the respective middleware for the standard operating system requires a
license agreement with the relevant manufacturer. For information on how to obtain the licenses,
see http://www.sophos.com/en-us/support/knowledgebase/116585.aspx.
For Siemens licenses, contact
Atos IT Solutions and Services GmbH
Otto-Hahn-Ring 6
81739 Muenchen
Germany
The middleware is set in a Sophos SafeGuard policy of the type Specific Machine Settings
under Custom PKCS#11 Settings in the field PKCS#1 Module for Windows or PKCS#1
Module for Power-on Authentication. The relevant configuration package must also be installed
on the computer on which the SafeGuard Policy Editor is running.
21.3 Configure non-cryptographic token use
Carry out these steps if you want to enable users to log on with their existing non-cryptographic
tokens.
Prerequisite: Empty tokens must have been initialized using the manufacturer's software.
1. Install the middleware.
For further information, see Install middleware (page 136).
2. Activate the middleware.
For further information, see Activate middleware (page 136).
3. Configure the logon mode.
For further information, see Configuring token logon mode (page 137).
4. Configure further token settings, for example syntax rules for PINs.
For further information, see Further token settings (page 138).
21.4 Preparing for token use
To prepare for token/smartcard support in Sophos SafeGuard:
■ Install the middleware.
■ Activate the middleware.
Note: Empty tokens must have been initialized using the manufacturer's software.
21.4.1 Install middleware
Install the correct middleware, both on the computer with the SafeGuard Policy Editor installed
as well as on the relevant endpoint, if not already done. For supported middleware, see Supported
middleware (page 134).
Restart the computers where you installed the new middleware.
Note: If you install Gemalto .NET Card or Nexus Personal middleware, you also need to add
their installation path to the PATH environment variable of your computer's System Properties.
■ Default installation path for Gemalto .NET Card: C:\Program Files\Gemalto\PKCS11 for .NET V2 smart cards
■ Default installation path for Nexus Personal: C:\Program Files\Personal\bin
21.4.2 Activate middleware
You need to assign the correct middleware in the form of the PKCS#11 module by defining a policy
in the Sophos SafeGuard Policy Editor. Do this both for the computer which the
SafeGuard Policy Editor is running on and for the endpoint. Only then can Sophos SafeGuard
communicate with the token. You can define the setting for the PKCS#11 module using a policy as
follows.
Prerequisite: The middleware is installed on the relevant computer and the token has been
initialized. The Sophos SafeGuard client configuration package must also be installed on the
computer on which the SafeGuard Policy Editor is running.
1. In the SafeGuard Policy Editor, click Policies.
2. Create a new policy of the type Specific Machine Settings or select an existing policy of this
type.
3. In the work area on the right-hand side, select the appropriate middleware under Token
support settings > Module Name. Save the settings.
4. Assign the policy.
Sophos SafeGuard can now communicate with the token.
21.5 Configuring token logon mode
There are two ways for end users of logging on with a token. A combination of both logon methods
is possible.
■ Logging on with user ID/password
■ Logging on with token
As a security officer, you specify the logon mode to be used in a policy of the type Authentication.
21.5.1 Enable SafeGuard POA autologon with default token PINs
A default token PIN that is distributed by policy enables automatic user logon at the SafeGuard
Power-on Authentication. This avoids the need to issue each single token separately and enables
users to automatically log on at the SafeGuard Power-on Authentication without any user
interaction.
When a token is used at logon and a default PIN is assigned to the computer, the user is
passed-through at the SafeGuard Power-on Authentication without having to enter a PIN.
As a security officer you can set the specific PIN in a policy of the type Authentication and assign
it to different computers or computer groups, for example to all computers residing in the same
location.
To enable autologon with a default token PIN:
1. In the SafeGuard Policy Editor, click Policies.
2. Select a policy of the type Authentication.
3. Under Logon Options in Logon mode, select Token.
4. In PIN used for autologon with token, specify the default PIN to be used for autologon. PIN
   rules do not need to be observed in this case.
   Note: This setting is only available if you select Token as possible Logon Mode.
5. In Pass through to Windows set Disable pass-through to Windows. If you do not select
this setting when a default PIN is specified, you will not be able to save the policy.
If you want to enable the Pass through to Windows option, you can later create another
policy of the type Authentication with this option enabled and also deploy it on the relevant
endpoints, so that the RSOP finally has both policies active.
6. Optionally specify further token settings.
7. Save your settings and deploy the policy on the relevant endpoints.
If the autologon on the endpoint has been successful, Windows will be started.
If the autologon on the endpoint has failed, the user will be prompted to enter the token PIN at
the SafeGuard Power-on Authentication.
21.6 Further token settings
When you configure policies for token use you can specify further settings. These relate to:
■ Defining syntax rules for PINs
■ Defining token PINs for SafeGuard POA autologon
■ What happens when the status of the token is no longer recognized
■ Unblocking tokens
22 Recovery options
For recovery, Sophos SafeGuard offers different options that are tailored to different scenarios:
■ Logon recovery using Local Self Help
  Local Self Help enables users who have forgotten their password to log on to their computers
  without the assistance of a helpdesk. Even in situations where neither telephone nor network
  connections are available (for example aboard an aircraft), users can regain access to their
  computers. To log on, they answer a predefined number of questions in the SafeGuard
  Power-on Authentication.
  Local Self Help reduces the number of calls concerning logon recovery, thus freeing the
  helpdesk staff from routine tasks and allowing them to concentrate on more complex support
  requests.
  For further information, see Recovery with Local Self Help (page 140).
■ Recovery using Challenge/Response
  The Challenge/Response recovery mechanism is a secure and efficient recovery system that
  helps users who cannot log on to their computers or access encrypted data. During the
  Challenge/Response procedure, the user provides a challenge code generated on the endpoint
  to the helpdesk officer who in turn generates a response code that authorizes the user to
  perform a specific action on the computer.
  With recovery using Challenge/Response, Sophos SafeGuard offers different workflows for
  typical recovery scenarios requiring helpdesk assistance.
  For further information, see Recovery with Challenge/Response (page 145).
■ System recovery
  Sophos SafeGuard offers different methods and tools for recovery regarding crucial system
  components and Sophos SafeGuard components, for example:
  ■ Corrupted MBR
  ■ Sophos SafeGuard kernel problems
  ■ Volume access problems
  ■ Windows boot problems
  For further information, see System Recovery for SafeGuard full disk encryption (page 159).
23 Recovery with Local Self Help
Note: Local Self Help is only available for Windows 7 endpoints with SafeGuard Power-on
Authentication (POA).
Sophos SafeGuard offers Local Self Help to enable users who have forgotten their password to
log on to their computers without the assistance of the helpdesk. Local Self Help reduces the
number of calls concerning logon recovery, thus freeing the helpdesk staff from routine tasks and
allowing them to concentrate on more complex support requests.
With Local Self Help, users can, for example, regain access to their computers in situations where
neither telephone nor network connections are available and where they cannot use a
Challenge/Response procedure (for example, aboard an aircraft). Users can log on to their
computer by answering a predefined number of questions in the SafeGuard Power-on
Authentication.
As a security officer, you can define the set of questions to be answered centrally and distribute
it to the endpoint in a policy. We provide you with a predefined question theme as a template.
You can use this question theme as it is or modify it. In the relevant policy, you can also grant the
users the right to define their own questions.
When Local Self Help has been enabled by the policy, a Local Self Help Wizard is available to
guide the end users through providing initial answers and editing the questions.
For a detailed description of Local Self Help on the endpoint see the SafeGuard Easy user help,
chapter Recovery with Local Self Help.
23.1 Define Local Self Help settings in a policy
You define the settings for Local Self Help in a policy of the type General Settings under Logon
recovery - Local Self Help. This is where you enable the function to be used on the endpoints
and define further rights and parameters.
Enabling Local Self Help
To activate Local Self Help for use on endpoints, select Yes in the Enable Local Self Help field.
After the policy has become effective on the endpoints, this setting entitles the users to use Local
Self Help for logon recovery. To be able to use Local Self Help, the users now have to activate
this recovery method by answering a specified number from the set of questions received or by
creating and answering their own questions, depending on permission.
For this purpose, the Local Self Help Wizard is available through the System Tray Icon in the
Windows taskbar after the endpoint has received the policy and has been restarted.
Configuring Local Self Help
You can set the following options for Local Self Help in a policy of the type General Settings:
■ Minimal length of answers
  Define the minimum length of the answers in characters. The default is 1.
■ Welcome text under Windows
  You can specify the individual information text to be displayed in the first dialog when the Local
  Self Help Wizard is launched on the computer. Before specifying the text here, it has to be
  created and registered.
■ Users can define their own questions
  There are the following possible scenarios for the definition of questions for Local Self Help:
  ■ As a security officer, you define the questions and distribute them to the users. The users
    are not permitted to define their own questions.
  ■ As a security officer, you define the questions and distribute them to the users. In addition,
    the users are permitted to define their own questions. When answering the minimum number
    of questions required for activating Local Self Help, the users can choose between
    predefined questions and their own questions or use a combination of both.
  ■ You entitle the users to define their own questions. The users activate Local Self Help on
    their computers by defining and answering their own questions.
  To entitle users to define their own questions, select Yes in the Users can define their own
  questions field.
23.2 Define questions
To be able to use Local Self Help on the endpoint, the user has to answer and save a predefined
number of questions. As a security officer with the required rights, you can specify how many
questions the user has to answer to activate Local Self Help on the endpoint. You can also specify
how many questions will be selected randomly in the SafeGuard POA. To log on at the SafeGuard
POA with Local Self Help, the user has to answer all questions displayed in the POA correctly.
As a security officer with the required rights, you can register and edit Local Self Help questions
in the SafeGuard Policy Editor.
Note:
Not all characters that can be entered in Windows can be handled by the SafeGuard POA, for
example Hebrew or Arabic characters cannot be used.
23.3 Define the number of questions to be answered
You can define the number of questions to be answered during Local Self Help configuration and
in the SafeGuard POA.
1. In the Policies navigation area, select Local Self Help questions.
2. In the action area under Local Self Help parameters, you can specify two different values
for the number of Local Self Help questions:
a) In the Minimum number of available questions/answers field, specify the number of
questions the user has to answer in the Local Self Help Wizard to activate Local Self Help
on the endpoint.
The number of questions specified in this field must be available with answers on the
endpoint for Local Self Help to be active.
b) In the Number of questions presented in POA field, specify the number of questions the
user has to answer in the SafeGuard POA when logging on with Local Self Help.
The questions displayed in the SafeGuard POA are selected randomly from the questions
the user has answered in the Local Self Help Wizard.
The number specified in Minimum number of available questions/answers field must be
higher than the number specified in Number of questions presented in POA field. If this is
not the case, an error message is displayed when you save your changes.
The defaults are:
■ Minimum number of available questions/answers: 10
■ Number of questions presented in POA: 5
3. Save your changes to the database.
The number of questions applies to the Local Self Help configuration deployed to endpoints.
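The parameter check, activation rule and POA question selection described in sections 23.1 to 23.3, together with the effect of deleting a question theme (section 23.8), as an added Python model that is not the product's code: the class and function names are this example's own, and storing answers as SHA-256 digests is an assumption made here for illustration, not a statement about how Sophos SafeGuard stores them.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass
class LocalSelfHelpPolicy:
    """The three numeric settings this chapter describes, with the editor defaults."""
    min_available_answers: int = 10  # Minimum number of available questions/answers
    questions_in_poa: int = 5        # Number of questions presented in POA
    min_answer_length: int = 1       # Minimal length of answers


def validate_policy(policy: LocalSelfHelpPolicy) -> list:
    """Mirror the Policy Editor's save-time check; returns the error messages (empty = valid)."""
    errors = []
    if policy.min_available_answers <= policy.questions_in_poa:
        errors.append("Minimum number of available questions/answers must be higher "
                      "than Number of questions presented in POA")
    if policy.questions_in_poa < 1 or policy.min_answer_length < 1:
        errors.append("counts must be at least 1")
    return errors


def _digest(answer: str) -> str:
    # Assumption of this example only: answers are kept as SHA-256 digests and compared
    # exactly, so a case or script difference (Romaji vs. Japanese script) never matches.
    return hashlib.sha256(answer.encode("utf-8")).hexdigest()


def record_answers(answers: dict, policy: LocalSelfHelpPolicy) -> dict:
    """Local Self Help Wizard: keep only answers that satisfy the minimal length."""
    return {q: _digest(a) for q, a in answers.items() if len(a) >= policy.min_answer_length}


def is_activated(stored: dict, policy: LocalSelfHelpPolicy) -> bool:
    """Local Self Help is active only when enough answered questions are available."""
    return len(stored) >= policy.min_available_answers


def remove_deleted_questions(stored: dict, existing_questions: set) -> dict:
    """Deleting a question theme invalidates the answers to questions that no longer exist."""
    return {q: d for q, d in stored.items() if q in existing_questions}


def poa_questions(stored: dict, policy: LocalSelfHelpPolicy, rng: random.Random) -> list:
    """SafeGuard POA: pick the configured number of questions at random from those answered."""
    return rng.sample(sorted(stored), policy.questions_in_poa)


def poa_logon(stored: dict, policy: LocalSelfHelpPolicy, supplied: dict,
              rng: random.Random) -> bool:
    """Logon succeeds only if Local Self Help is active, the policy is valid and every
    displayed question is answered correctly."""
    if not is_activated(stored, policy) or validate_policy(policy):
        return False
    asked = poa_questions(stored, policy, rng)
    return all(q in supplied and _digest(supplied[q]) == stored[q] for q in asked)


# Constructed sample theme: ten questions with their answers.
SAMPLE_ANSWERS = {f"Question {i}": f"answer{i}" for i in range(1, 11)}

if __name__ == "__main__":
    policy = LocalSelfHelpPolicy()
    stored = record_answers(SAMPLE_ANSWERS, policy)
    print(is_activated(stored, policy),
          poa_logon(stored, policy, SAMPLE_ANSWERS, random.Random(7)))
```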
23.4 Use the template
A predefined question theme is available for Local Self Help. By default, this question theme is
available in German and English in the policy navigation area under Local Self Help questions.
Optionally, the question theme is also available in other languages, for example French and
Spanish. You can import these language versions into the policy navigation area.
Note: When end users enter answers in Japanese to activate Local Self Help on endpoints, they
must use Romaji (Roman) characters. Otherwise the answers will not match when users enter
them in the SafeGuard Power-on Authentication.
You can use the predefined question theme as it is, edit it or delete it.
23.5 Import question themes
Using the import procedure, you can import additional language versions of the predefined question
theme or your own question lists created as .XML files.
1. Create a new question theme (see Create a new question theme and add questions (page
143)).
2. In the Policies navigation area, select the new question theme under Local Self Help
questions.
3. Right-click in the action area to open the context menu for the question theme. In the context
menu, select Import.
4. Select the required directory and question theme and click Open.
The imported questions are displayed in the action area. You can now save the question theme
as it is or edit it.
23.6 Create a new question theme and add questions
You can create new question themes covering different topics, to provide users with several
different question themes to suit their preferences.
1. In the Policies navigation area, select Local Self Help questions.
2. Right-click Local Self Help questions and select New > Question Theme.
3. Enter a name for the question theme and click OK.
4. In the Policies navigation area, select the new question theme under Local Self Help
questions.
5. Right-click in the action area to open the context menu for the question theme. In the context
menu, select Add.
A new question line is added.
6. Enter your question and press Enter. To add further questions, repeat this step.
7. To save your changes, click the Save icon in the toolbar.
Your question theme is registered. It is automatically transferred with the policy of the type General
Settings that enables Local Self Help on the endpoints.
23.7 Edit question themes
1. In the Policies navigation area, select the required question theme under Local Self Help
   questions.
2. You can now add, modify or delete questions.
   ■ To add questions, right-click in the action area, to display the context menu. In the context
     menu, click Add. A new line is added to the question list. Enter your question on the line.
   ■ To modify questions, click the required question text in the action area. The question is
     marked by a pencil icon. Enter your changes on the question line.
   ■ To delete questions, select the required question by clicking on the grey box at the beginning
     of the question line in the action area and click Delete in the context menu of the question.
3. To save your changes, click the Save icon in the toolbar.
The modified question theme is registered. It is transferred with the policy of the type General
Settings that enables Local Self Help on the endpoints.
23.8 Delete question themes
To delete an entire question theme, right-click the required theme under Local Self Help questions
in the Policies navigation area, and select Delete.
Note: If you delete a question theme after users have answered some of these questions to
activate Local Self Help on their computers, the users’ answers become invalid, as the questions
no longer exist.
23.9 Register welcome texts
You can register a welcome text to be displayed in the first dialog of the Local Self Help Wizard.
The text files containing the required information have to be created before registering them in
the SafeGuard Policy Editor. The maximum file size for information texts is 50 KB. Sophos
SafeGuard only uses Unicode UTF-16 coded texts. If you do not create the text files in this format,
they will be automatically converted when they are registered.
1. In the Policies navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
is displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the Policies navigation area. If you
select a text item, its contents will be displayed in the window on the right-hand side. The text
item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
24 Recovery with Challenge/Response
To smooth the workflow and to reduce helpdesk costs, Sophos SafeGuard provides a
Challenge/Response recovery solution. Sophos SafeGuard offers help to users who fail to log on
or to access encrypted data by providing a user-friendly Challenge/Response mechanism.
This functionality is integrated in the SafeGuard Policy Editor as a Recovery Wizard.
Benefits of Challenge/Response
The challenge/response mechanism is a secure and efficient recovery system.
■ No confidential data is exchanged in unencrypted form throughout the entire process.
■ There is no point in third parties eavesdropping on this procedure because the data cannot
  be used later or on any other devices.
■ The user can start working again quickly. No encrypted data is lost just because the password
  has been forgotten.
Typical situations requiring helpdesk assistance
■ A user has forgotten the password at SafeGuard POA level and the computer has been locked.
  Note: Local Self Help allows you to have the current password displayed and to continue
  using it. This avoids the need to reset the password or to involve the helpdesk.
■ The SafeGuard Power-on Authentication local cache is partly damaged.
Sophos SafeGuard offers different recovery workflows for these typical scenarios enabling the
users to access their computers again.
24.1 Challenge/Response workflow
The Challenge/Response procedure is based on two components:
■ The endpoint on which the Challenge code is generated.
■ The SafeGuard Policy Editor where, as a helpdesk officer with sufficient rights, you create a
  response code that authorizes the user to perform the requested action on their computer.
1. On the endpoint, the user requests the challenge code. Depending on the recovery type, this
   is either requested in the SafeGuard Power-on Authentication or using the KeyRecovery Tool.
   A challenge code in the form of an ASCII character string is generated and displayed.
2. The user contacts the helpdesk and provides the necessary identification as well as the
challenge code to the helpdesk.
3. The helpdesk launches the Recovery Wizard in the SafeGuard Policy Editor.
4. The helpdesk selects the appropriate recovery type, confirms the identification information
and the challenge code and selects the required recovery action.
   A response code in the form of an ASCII character string is generated and displayed.
5. The helpdesk provides the user with the response code, for example by phone or text message.
6. The user enters the response code. Depending on the recovery type, this is either done in the
SafeGuard POA or using the KeyRecovery Tool.
The user is then permitted to perform the authorized action, for example resetting the password,
and can resume working.
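A constructed model of the six-step exchange above, as an added Python example that is neither Sophos's algorithm nor the product's code: a per-device recovery key stands in for whatever the helpdesk reads from the key recovery file, the challenge carries the computer name, a nonce and the requested action, and the response is an HMAC over exactly that, which is what makes an overheard code useless later, for another action, or on another computer (the three benefits listed at the start of this chapter).

```python
import base64
import hashlib
import hmac
import os

# Illustrative model only. The recovery key per device is an assumption of this example;
# the product's key recovery file format is not modelled.


def _ascii(data: bytes) -> str:
    """Render bytes as an unpadded base32 string: ASCII, easy to read out by phone."""
    return base64.b32encode(data).decode("ascii").rstrip("=")


def _unascii(text: str) -> bytes:
    return base64.b32decode(text + "=" * (-len(text) % 8))


def compute_response(recovery_key: bytes, challenge_payload: bytes, action: str) -> str:
    """Response = HMAC over the exact challenge and the authorized action. It reveals no
    secret and is bound to one device, one nonce and one action."""
    mac = hmac.new(recovery_key, challenge_payload + b"|" + action.encode(), hashlib.sha256)
    return _ascii(mac.digest()[:10])  # 16 ASCII characters


class Endpoint:
    """The side that displays the challenge (POA or KeyRecovery Tool in the product)."""

    def __init__(self, device_id: str, recovery_key: bytes):
        self.device_id = device_id
        self._key = recovery_key
        self._pending = None  # (payload, action) of the challenge currently on screen

    def request_challenge(self, action: str, nonce: bytes = None) -> str:
        nonce = nonce if nonce is not None else os.urandom(8)
        payload = self.device_id.encode() + b"|" + nonce + b"|" + action.encode()
        self._pending = (payload, action)
        return _ascii(payload)

    def enter_response(self, response: str) -> bool:
        """Step 6: the user types the response; it is accepted once, for the live challenge only."""
        if self._pending is None:
            return False
        payload, action = self._pending
        self._pending = None  # one-shot: a replayed response never matches a live challenge
        expected = compute_response(self._key, payload, action)
        return hmac.compare_digest(expected, response)


class Helpdesk:
    """The Recovery Wizard side, holding the recovery data of every known endpoint."""

    def __init__(self, recovery_keys: dict):
        self._keys = recovery_keys  # device_id -> recovery key (constructed stand-in)

    def respond(self, challenge: str, claimed_device: str, action: str):
        """Steps 3 to 4: confirm identification and the challenge, then issue the response.
        Returns None when the challenge is malformed or does not match what the user claims."""
        try:
            payload = _unascii(challenge)
            device, rest = payload.split(b"|", 1)
            _nonce, requested = rest.rsplit(b"|", 1)
        except ValueError:
            return None
        if device.decode(errors="replace") != claimed_device or requested.decode() != action:
            return None
        key = self._keys.get(claimed_device)
        return None if key is None else compute_response(key, payload, action)


if __name__ == "__main__":
    keys = {"PC-001": b"k1" * 16, "PC-002": b"k2" * 16}  # constructed sample keys
    endpoint, helpdesk = Endpoint("PC-001", keys["PC-001"]), Helpdesk(keys)
    challenge = endpoint.request_challenge("boot_through_poa")
    response = helpdesk.respond(challenge, "PC-001", "boot_through_poa")
    print(challenge, response, endpoint.enter_response(response))
```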
24.2 Launch the Recovery Wizard
To be able to perform a recovery procedure, make sure you have the required rights and
permissions.
1. Log on to the SafeGuard Policy Editor.
2. Click Tools > Recovery in the menu bar.
The SafeGuard Recovery Wizard is started. You can select which type of recovery you want to
use.
24.3 Recovery types
Select which type of recovery you want to use. The following recovery types are provided:
■ Challenge/Response for password recovery
  Sophos SafeGuard provides Challenge/Response when the user has forgotten their password
  or entered the password incorrectly too often.
  Select recovery type Sophos SafeGuard Client.
  Note: Also see the logon recovery method Local Self Help, which does not require any
  helpdesk assistance.
■ Challenge/Response for regaining access to encrypted data
  For complex recovery situations, for example when the SafeGuard POA is corrupted, access
  to encrypted data can easily be regained with Challenge/Response. Specific files called Virtual
  Clients are used in this case.
  Select recovery type Virtual Client.
24.4 Recovering a password with Challenge/Response
Sophos SafeGuard provides Challenge/Response for example when the user has forgotten the
password or entered the password incorrectly too often.
Recovery information needed for a Challenge/Response is based on the key recovery file. On
each endpoint this file is generated during deployment of the Sophos SafeGuard encryption
software. The key recovery file must be accessible to the Sophos SafeGuard helpdesk, for example
on a shared network path.
To facilitate searching and grouping of the key recovery files, the computer name is provided in
the file name: computername.GUID.xml. This allows for wildcard search with asterisks (*), for
example: *.GUID.xml.
Note:
When a computer is renamed, it will not be renamed accordingly in the computer's local cache.
The local cache stores all keys, policies, user certificates and audit files. The new computer name
therefore has to be removed from the local cache so that only the previous name will remain,
even if a computer is renamed under Windows.
SafeGuard POA recovery actions
Challenge/Response for an endpoint can be initiated in the following situations:
■ The user has entered the password incorrectly too often at SafeGuard POA level and the
  computer has been locked.
■ The user has forgotten the password.
■ A corrupted local cache needs to be repaired.
The Challenge/Response procedure will enable the computer to boot through SafeGuard Power-on
Authentication. The user is then able to log on to Windows.
Potential recovery use cases:
The user has typed the password incorrectly too often at SafeGuard POA level and the
computer has been locked. But the user still knows the password.
The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to
unlock the computer. As the user still knows the correct password, there is no need to reset it.
The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on
Authentication. The user can then type the password correctly into the Windows logon dialog and
is logged on to Windows.
The user has forgotten the password.
Note: We recommend that you use Local Self Help to recover a forgotten password. Local Self
Help allows users to have the current password displayed and to continue using it. This avoids
the need to reset the password or to involve the helpdesk.
When recovering a forgotten password with Challenge/Response a password reset is required.
1. The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on
Authentication.
2. In the Windows logon dialog, the user does not know the correct password. The password
needs to be reset at Windows level. This requires further recovery actions outside the scope
of Sophos SafeGuard, using standard Windows means.
We recommend using the following methods to reset the password at Windows level.
■
Using a service or administrator account available on the endpoint with the required Windows
rights.
■
Using a Windows password reset disk on the endpoint.
As a helpdesk officer, you can inform the user which procedure should be used and either
provide the additional Windows credentials or the required disk.
3. The user enters the new password that the helpdesk has reset at Windows level. The user
then needs to change this password immediately to a value only known to the user. A new
user certificate is created based on the newly chosen Windows password. This enables the
user to log on to the computer again and to log on at SafeGuard Power-on Authentication with
the new password.
Keys for SafeGuard Data Exchange:
When a password is reset and a new certificate is created, local keys previously created for
SafeGuard Data Exchange can still be used if the endpoint is a member of a domain. If the endpoint
is a member of a workgroup, the user has to remember the SafeGuard Data Exchange passphrase
to reactivate these local keys.
The local cache needs to be repaired
The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery
is deactivated when the local cache is corrupted; the cache is then restored automatically from
its backup, and no Challenge/Response procedure is required to repair it.
However, logon recovery can be activated by policy if the local cache is to be repaired explicitly
with a Challenge/Response procedure. In this case, the user is prompted automatically to initiate
a Challenge/Response procedure if the local cache is corrupted.
24.4.1 Generate a response using the key recovery file
The key recovery file generated during installation of the Sophos SafeGuard encryption software
needs to be stored in a location that a helpdesk officer is able to access and the name of the file
must be known.
1. In the SafeGuard Policy Editor, select Tools > Recovery from the menu bar to open the
Recovery Wizard.
2. In Recovery type, select Sophos SafeGuard Client.
3. Locate the required key recovery file by clicking the [...] button. For easier identification, the
recovery files carry the name of the computer: computername.GUID.xml.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified.
If the challenge code has been entered correctly, the recovery action requested by the Sophos
SafeGuard endpoint as well as the possible recovery actions are displayed. If the code has
been entered incorrectly, Invalid challenge is displayed below the block containing the error.
5. Select the action to be taken by the user and click Next.
6. A response code is generated. Communicate the response code to the user. A spelling aid is
provided. You may also copy the response code to the clipboard.
The user can enter the response code, perform the requested action and resume working.
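The exchange described in this section, together with the wildcard search of the share for computername.GUID.xml mentioned earlier, modelled end to end as an added example in Python. This is not Sophos SafeGuard's code format or cryptography, neither of which the page specifies: the XML layout and element names of the key recovery file, the per-machine secret, the base32 blocks with a trailing check character, and the HMAC/XOR wrapping are all assumptions chosen to show the shape of the procedure. What it demonstrates is that the helpdesk can verify a challenge against the key recovery file, that a mistyped block is reported as the block in error rather than as a rejected code, and that the response carries the recovery key in a form only the endpoint that issued the challenge can open.

```python
import base64
import fnmatch
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 base32: no 0/1 look-alikes
BLOCK = 5                                      # data characters per spoken block
ACTIONS = {1: "boot through SafeGuard POA", 2: "repair local cache"}

# Constructed stand-in for the helpdesk share, keyed by file name
# (computername.GUID.xml). Element names and hex values are assumptions for
# this model; the real key recovery file layout is not documented on the page.
SHARE = {
    "LAPTOP-0042.5f1c9d0a-8e71-4b3a-9c2e-1d8f6a7b2c3e.xml":
        f"<KeyRecovery><ChallengeSecret>{'11' * 32}</ChallengeSecret>"
        f"<VolumeKey id='C'>{'a5' * 16}</VolumeKey></KeyRecovery>",
    "DESK-17.0c2b4d6e-1111-2222-3333-444455556666.xml": "<KeyRecovery/>",
}

def find_recovery_files(share, computername):
    """Wildcard search for computername.*.xml, case-insensitive."""
    pattern = computername.lower() + ".*.xml"
    return sorted(n for n in share if fnmatch.fnmatchcase(n.lower(), pattern))

def load_recovery(xml_text):
    root = ET.fromstring(xml_text)
    secret = bytes.fromhex(root.findtext("ChallengeSecret", ""))
    keys = {v.get("id"): bytes.fromhex(v.text) for v in root.findall("VolumeKey")}
    return secret, keys

def _check_char(block):
    """Position-weighted sum mod 32: flags a wrong or swapped character."""
    return ALPHABET[sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(block)) % 32]

def encode_code(payload):
    raw = base64.b32encode(payload).decode().rstrip("=")
    blocks = [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]
    return "-".join(b + _check_char(b) for b in blocks)

def decode_code(code):
    """Return (payload or None, 1-based numbers of the blocks whose check failed)."""
    bad, data = [], ""
    for n, block in enumerate(code.strip().upper().split("-"), 1):
        body, check = block[:-1], block[-1:]
        if not body or any(c not in ALPHABET for c in block) or _check_char(body) != check:
            bad.append(n)
        data += body
    if bad:
        return None, bad
    return base64.b32decode(data + "=" * (-len(data) % 8)), []

def endpoint_challenge(machine_secret, action):
    """Endpoint side: action byte + nonce, tagged with the machine secret."""
    nonce = secrets.token_bytes(6)
    body = bytes([action]) + nonce
    tag = hmac.new(machine_secret, b"challenge" + body, hashlib.sha256).digest()[:4]
    return encode_code(body + tag), nonce

def helpdesk_response(xml_text, challenge_code, volume):
    """Helpdesk side: verify the challenge, then wrap the requested volume key."""
    secret, keys = load_recovery(xml_text)
    body, bad = decode_code(challenge_code)
    if bad:
        raise ValueError("Invalid challenge in block(s) %s" % bad)
    action, nonce, tag = body[0], body[1:7], body[7:11]
    expect = hmac.new(secret, b"challenge" + body[:7], hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("Invalid challenge: not issued by this computer")
    if action not in ACTIONS:
        raise ValueError("Unknown recovery action %d" % action)
    # The key travels XORed with a value only a holder of the secret and this
    # nonce can recompute, so reading the code out loud reveals no key bytes.
    wrap = hashlib.sha256(b"wrap" + secret + nonce).digest()[:16]
    wrapped = bytes(a ^ b for a, b in zip(keys[volume], wrap))
    mac = hmac.new(secret, b"response" + nonce + wrapped, hashlib.sha256).digest()[:4]
    return encode_code(wrapped + mac)

def endpoint_unwrap(machine_secret, nonce, response_code):
    """Endpoint side: check the response belongs to this challenge, recover the key."""
    body, bad = decode_code(response_code)
    if bad:
        raise ValueError("Invalid response in block(s) %s" % bad)
    wrapped, mac = body[:16], body[16:20]
    expect = hmac.new(machine_secret, b"response" + nonce + wrapped, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mac, expect):
        raise ValueError("Response does not match this challenge")
    wrap = hashlib.sha256(b"wrap" + machine_secret + nonce).digest()[:16]
    return bytes(a ^ b for a, b in zip(wrapped, wrap))

def run_exchange(computername="laptop-0042", volume="C"):
    """Full round trip; True when the endpoint ends up holding the volume key."""
    name = find_recovery_files(SHARE, computername)[0]
    secret, keys = load_recovery(SHARE[name])
    challenge, nonce = endpoint_challenge(secret, 1)
    response = helpdesk_response(SHARE[name], challenge, volume)
    return endpoint_unwrap(secret, nonce, response) == keys[volume]
```

The check character is what makes "Invalid challenge is displayed below the block containing the error" possible: the helpdesk can ask the user to re-read one block instead of the whole code. The tag on the challenge is what lets the helpdesk confirm the challenge was produced by the computer whose key recovery file was selected, which matters because the key recovery file is itself the secret that protects the disk; anyone who can read the share can produce responses, so restrict the share to helpdesk staff and audit access to it.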
24.5 Regaining access to encrypted data with
Challenge/Response
For complex recovery situations, for example when the SafeGuard POA is corrupted, access to
encrypted data can easily be regained with Challenge/Response. Specific files called Virtual
Clients and additional tools are used in this case:
■
Key Recovery file
On each endpoint the key recovery file is generated during deployment of the Sophos
SafeGuard encryption software. It needs to be accessible to the helpdesk, for example on a
shared network path.
■
Virtual Client file
Specific files called Virtual Clients are created in the SafeGuard Policy Editor and are used
as reference information in the database.
■
Sophos SafeGuard modified Windows PE recovery disk
The recovery disk is used for starting the endpoint from BIOS.
■
KeyRecovery Tool
The tool is used to start the Challenge/Response procedure. It is already available on the
Sophos SafeGuard modified Windows PE recovery disk. Additionally, you find it in the Tools
directory of your Sophos SafeGuard software delivery.
24.5.1 Virtual Clients
Virtual Clients are specific encrypted key files that are used for recovering an encrypted volume
when no reference information on the computer is available in the database and
Challenge/Response would usually not be supported. The Virtual Client is used as identification
and reference information during the Challenge/Response and is stored in the database.
To enable a Challenge/Response procedure in complex recovery situations, the Virtual Clients
need to be created and distributed to the user before the Challenge/Response procedure. Access
to the computer can then be regained with the help of these Virtual Clients, a KeyRecovery Tool
and a SafeGuard modified Windows PE recovery disk available with your product.
24.5.2 Recovery workflow using Virtual Clients
To access the encrypted computer, the following general workflow applies:
1. Obtain the Sophos SafeGuard recovery disk from technical support.
The helpdesk may download the Windows PE recovery disk with the latest Sophos SafeGuard
filter drivers from the Sophos support site. For further information, see:
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. Create the Virtual Client in the SafeGuard Policy Editor.
3. Export the Virtual Client to a file.
4. Start the computer from the recovery disk.
5. Import the Virtual Client file into the KeyRecovery Tool.
6. Initiate the Challenge in the KeyRecovery Tool.
7. Confirm the Virtual Client in the SafeGuard Policy Editor.
8. Select the required recovery action.
9. Enter the challenge code in the SafeGuard Policy Editor.
10. Generate the response code in the SafeGuard Policy Editor.
11. Enter the response code into the KeyRecovery tool.
The computer can be accessed again.
24.5.3 Create a Virtual Client
Virtual Clients are specific encrypted key files that can be used for recovery in a
Challenge/Response procedure as reference information on the computer.
Virtual Client files can be used by different computers and for several Challenge/Response
sessions.
1. In the SafeGuard Policy Editor, select the Virtual Clients area.
2. In the left-hand navigation window, click Virtual Clients.
3. In the toolbar, click Add Virtual Client.
4. Enter a unique name for the Virtual Client and click OK. Virtual Clients are identified in the
database by these names.
5. Click the Save icon in the toolbar to save your changes to the database.
The new Virtual Client is displayed in the action area. Next you export it to a file.
24.5.4 Export a Virtual Client
Virtual Clients need to be exported to files in order to distribute them to the endpoints and use
them for recovery. These files are always called recoverytoken.tok.
1. In the SafeGuard Policy Editor, select the Virtual Clients area.
2. In the left-hand navigation window, click Virtual Clients.
3. In the action area, search for the respective Virtual Client by clicking the magnifier icon. The
available Virtual Clients are displayed.
4. Select the respective entry in the action area and click Export Virtual Client in the toolbar.
5. Select a storage location for the Virtual Client file recoverytoken.tok and click OK.
Choose a safe place to store the file.
The Virtual Client has been exported to the file recoverytoken.tok.
6. Copy the Virtual Client file recoverytoken.tok to a removable medium. We recommend
using a memory stick.
Make sure that you keep the storage medium in a safe place. Make the files available to the
helpdesk and on the endpoints as they are needed for a Challenge/Response with Virtual
Clients.
24.5.5 Start the computer from the recovery disk
Make sure that the boot sequence in the BIOS settings allows booting from CD.
1. Obtain the SafeGuard Enterprise Windows PE disk from Sophos technical support.
The helpdesk may download the Windows PE recovery disk with the latest Sophos SafeGuard
filter drivers from the Sophos support site. For further information, see
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. On the endpoint, insert the recovery disk and start the computer. The integrated file manager
opens. At a glance, you can see the mounted volumes and drives.
The contents of the encrypted drive are not visible in the file manager. Neither the file system,
nor the capacity and used/free space are indicated in the properties of the encrypted drive.
3. At the bottom of the file manager in the Quick Launch section, click the KeyRecovery icon to
open the KeyRecovery Tool. The Key Recovery Tool displays the key ID of the encrypted
drives.
4. Find the key ID of the drives that you need to access. The key ID will be requested later on.
Next import the Virtual Client into the Key Recovery Tool.
24.5.6 Import the Virtual Client into the KeyRecovery Tool
Prerequisites:
■
The computer has been started from the recovery disk.
■
Make sure that the USB drive with the Virtual Client file recoverytoken.tok stored on it
has been mounted successfully.
1. In the Windows PE file manager, select the drive on which the Virtual Client is stored. The file
recoverytoken.tok is displayed on the right.
2. Select the file recoverytoken.tok and drag it to the drive in which the KeyRecovery Tool is
located. There, drop it into the Tools\SGN-Tools directory.
24.5.7 Initiate the Challenge in the KeyRecovery Tool
1. At the bottom of the Windows PE file manager in the Quick Launch section, click the
KeyRecovery icon to open the KeyRecovery Tool. The KeyRecovery Tool displays the key ID
of the encrypted drives.
The tool is started displaying a list of all volumes and their corresponding encryption information
(key ID).
2. Select the volume you want to decrypt and click Import By C/R to generate the challenge
code.
The Virtual Client file is referenced in the challenge so that the helpdesk can confirm it against
the Sophos SafeGuard Database. The challenge code is generated and displayed.
3. Communicate the Virtual Client name and the challenge code to the helpdesk, for example
by phone or text message. A spelling aid is provided.
24.5.8 Generate a response using Virtual Clients
To access a Sophos SafeGuard protected endpoint and to generate a response using Virtual
Clients two actions are required:
1. Confirm the Virtual Client in the SafeGuard Policy Editor database.
2. Select the requested recovery action. As only the key recovery file is available for decryption,
this file needs to be selected so that a response code can be generated.
24.5.8.1 Confirm the Virtual Client
Prerequisite:
The Virtual Client must have been created in the SafeGuard Policy Editor in Virtual Clients and
must be available in the database.
1. In the SafeGuard Policy Editor, click Tools > Recovery to open the Recovery Wizard.
2. On the Recovery type page, select Virtual Client.
3. Enter the name of the Virtual Client the user has given to you. There are different ways to do
so:
■
Enter the unique name directly.
■
Select a name by clicking [...] in the Virtual Client section of the Recovery type dialog.
Then click Find now. A list of Virtual Clients is displayed. Select the required Virtual Client
and click OK. The Virtual Client name is then displayed in Recovery type under Virtual
Client.
4. Click Next to confirm the name of the Virtual Client file.
Next select the requested recovery action.
24.5.8.2 Select the key recovery file
Prerequisite:
You must have selected the required Virtual Client in the SafeGuard Policy Editor Recovery
Wizard.
The required key recovery file needed to regain access to the computer must be accessible to
the helpdesk, for example on a network share.
1. In the Recovery Wizard, on the Virtual Client page, select the requested recovery action
Key requested and click Next.
2. Activate Select key recovery file containing recovery key.
3. Click [...] next to this option to browse for the respective file. For easier identification, the
recovery files carry the name of the computer: computername.GUID.xml.
4. Confirm with Next. The window for entering the challenge code is displayed.
5. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified.
If the challenge code has been entered correctly, the response code is generated. If the code
has been entered incorrectly, Invalid challenge is displayed below the block containing the
error.
6. Pass the response code on to the user. A spelling aid is provided. You can also copy the
response code to the clipboard.
24.5.9 Enter the response code in the KeyRecovery Tool
1. In the KeyRecovery Tool on the endpoint, enter the response code the helpdesk has given to
you.
The required recovery key is transferred within the response code.
2. Click OK. The drive selected for Challenge/Response has been decrypted.
3. To ensure that decryption has been successful, select the decrypted drive in the Windows PE
file manager:
The contents of the decrypted drive are now displayed in the file manager. The file system as
well as the capacity and used/free space are now indicated in the properties of the decrypted
drive.
Access to the data stored on this partition is recovered. As a result of the successful decryption
you can read, write and copy data from or to the drive.
24.5.10 Delete Virtual Clients
Virtual Clients that are no longer needed can be deleted from the Sophos SafeGuard Database.
1. In the SafeGuard Policy Editor, select the Virtual Clients area.
2. In the left-hand navigation window, click Virtual Clients.
3. In the action area on the right, click the magnifier icon to search for the respective Virtual
Client. The available Virtual Clients are displayed.
4. Select the required entry and click Delete Virtual Client in the toolbar.
5. Click the Save icon in the toolbar to save your changes to the database.
The Virtual Client is deleted from the database and can no longer be used in a Challenge/Response
procedure.
25 Recovery for BitLocker
Depending on the system used, Sophos SafeGuard offers either a Challenge/Response procedure for
recovery or the option of obtaining the recovery key from the helpdesk. For the requirements
for Sophos SafeGuard Challenge/Response see Prerequisites for managing BitLocker on endpoints
(page 109).
25.1 Response for BitLocker encrypted Sophos SafeGuard
Clients - UEFI endpoints
For UEFI endpoints that meet certain requirements, Sophos SafeGuard offers Challenge/Response
for recovery. On UEFI endpoints that do not fulfill the requirements, Sophos SafeGuard
BitLocker management without Challenge/Response is installed automatically. To recover these
endpoints see Recovery key for BitLocker encrypted Sophos SafeGuard Clients - BIOS endpoints
(page 157).
The key recovery file generated during installation of the Sophos SafeGuard encryption software
needs to be stored in a location that a helpdesk officer is able to access and the name of the file
must be known.
1. In the SafeGuard Policy Editor, select Tools > Recovery from the menu bar to open the
Recovery Wizard.
2. In Recovery type, select Sophos SafeGuard Client.
3. Locate the required key recovery file by clicking the [...] button. For easier identification, the
recovery files carry the name of the computer: computername.GUID.xml.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified.
If the challenge code has been entered correctly, the recovery action requested by the Sophos
SafeGuard endpoint as well as the possible recovery actions are displayed. If the code has
been entered incorrectly, Invalid challenge is displayed below the block containing the error.
5. Select the action to be taken by the user and click Next.
6. A response code is generated. Communicate the response code to the user. A spelling aid is
provided. You may also copy the response code to the clipboard.
The user can enter the response code, perform the requested action and resume working.
25.2 Recovery key for BitLocker encrypted Sophos SafeGuard
Clients - BIOS endpoints
For BitLocker encrypted BIOS computers a volume that cannot be accessed any more may be
recovered.
1. On the Recovery type page, select Sophos SafeGuard Client.
2. Click Next.
3. Locate the required key recovery file by clicking the [...] button. For easier identification, the
recovery files carry the name of the computer and the drive name: computername.blc.xml.
4. Select the drive to be accessed from the list and click Next.
5. The Recovery Wizard displays the corresponding 48-digit recovery key.
6. Provide this key to the user.
The user can enter the key to recover the BitLocker encrypted volume on the endpoint.
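A recovery key read out over the phone is easy to mistype, and BitLocker gives no hint which group is wrong. The following added example (not Sophos code; the format rules are BitLocker's own: eight groups of six digits, each group a multiple of 11 whose quotient fits in 16 bits) lets the helpdesk officer or the user check a 48-digit recovery key before it is typed at the BitLocker recovery screen and names the group that needs to be re-read. The sample keys in the test are constructed from arbitrary 16-bit values and belong to no real volume.

```python
import re

GROUPS, DIGITS = 8, 6  # a BitLocker recovery password is 8 groups of 6 digits

def parse_recovery_password(text):
    """Validate a recovery password as read out over the phone.

    Returns (values, problems): values are the eight 16-bit quotients once the
    password is well formed; problems names each failing group by position so
    that only that group has to be read again."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != GROUPS * DIGITS:
        return [], ["expected %d digits, got %d" % (GROUPS * DIGITS, len(digits))]
    values, problems = [], []
    for n in range(GROUPS):
        group = int(digits[n * DIGITS:(n + 1) * DIGITS])
        if group % 11:             # every group is a multiple of 11: the check digit
            problems.append("group %d (%06d) is not a multiple of 11" % (n + 1, group))
        elif group // 11 > 0xFFFF:  # the quotient must fit in 16 bits
            problems.append("group %d (%06d) is out of range" % (n + 1, group))
        values.append(group // 11)
    return values, problems

def format_groups(values):
    """Inverse of parsing: 16-bit values back to the spoken 6-digit groups."""
    return "-".join("%06d" % (v * 11) for v in values)

def recovery_password_bytes(values):
    """16-byte raw form: each quotient as a little-endian uint16. BitLocker
    stretches these bytes with the key protector's salt before they unlock
    the volume; that stretching is not modelled here."""
    return b"".join(v.to_bytes(2, "little") for v in values)
```

A single wrong digit or two swapped digits within a group always breaks the multiple-of-11 rule, so a key that passes this check was at least transcribed correctly; it does not tell you whether it is the key for that volume, which only the BitLocker recovery screen can confirm.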
26 System Recovery for SafeGuard full disk
encryption
Sophos SafeGuard encrypts files and drives transparently. Boot drives can also be encrypted,
so decryption functionalities such as code, encryption algorithms and encryption key must be
available very early in the startup phase. Therefore encrypted information cannot be accessed if
the crucial Sophos SafeGuard modules are unavailable or do not work.
The following sections cover possible problems and recovery methods.
26.1 Recover data by starting from an external medium
This recovery type can be applied when the user can still log on at the SafeGuard POA but cannot
access the encrypted volume any more. In this case, access to the encrypted data can be regained
by starting the computer using a Windows PE recovery disk customized for Sophos SafeGuard.
Prerequisites:
■
The user starting the computer from the external medium must have the right to do so. This
right can either be configured in the SafeGuard Policy Editor within a policy of type
Authentication (User may only boot from internal hard disk set to No) or can be obtained
for a one-time use with a Challenge/Response procedure.
■
The computer must support starting from different media than the fixed hard drive.
To regain access to encrypted data on the computer:
1. Obtain the Sophos SafeGuard Windows PE disk from Sophos technical support.
The helpdesk may download the Windows PE recovery disk with the latest Sophos SafeGuard
filter drivers from the Sophos support site. For further information, see:
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. Log on at the SafeGuard Power-on Authentication with your credentials.
3. Insert the Windows PE recovery disk into the computer.
4. In the SafeGuard POA logon dialog under Continue booting from, select external medium.
The computer is started.
Access to the data stored on this partition is recovered.
Note: Depending on the BIOS in use, booting from the disk may not work.
26.2 Corrupted MBR
For resolving problems with a corrupted MBR, Sophos SafeGuard offers the tool
BE_Restore.exe.
For further information, see the SafeGuard Easy tools guide.
26.3 Volumes
Sophos SafeGuard provides drive-based encryption. This includes saving encryption information
consisting of the boot sector, primary and backup KSA and the original boot sector on each drive
itself.
As soon as one of the units below is damaged, the volume cannot be accessed any longer:
■
either of the two Key Storage Areas (KSA)
■
original MBR
26.3.1 Boot sector
During the encryption process a volume's boot sector is swapped for the Sophos SafeGuard boot
sector.
The Sophos SafeGuard boot sector holds information about
■
the location of the primary and backup KSA in clusters and sectors in relation to the start of
the partition
■
the size of the KSA
If the Sophos SafeGuard boot sector is damaged, encrypted volumes cannot be accessed.
The tool BE_Restore can restore the damaged boot sector. For further information, see the
Tools Guide.
26.3.2 Original boot sector
The original boot sector is the one that is run after the DEK (Data Encryption Key) has been
decrypted and the algorithm and the key have been loaded to the BE filter driver.
If this boot sector is defective, Windows is unable to access the volume. Normally the common
error message “Device is not formatted. Would you like to format it now? Yes/No” is displayed.
Nonetheless, Sophos SafeGuard will load the DEK for this volume. A tool that is used to repair
the boot sector needs to be compatible with the Sophos SafeGuard Upper Volume Filter.
26.4 Set up WinPE for Sophos SafeGuard
To get access to encrypted drives with a computer's BOOTKEY within a WinPE environment,
Sophos SafeGuard offers WinPE with the required Sophos SafeGuard function modules and
drivers. To start SetupWinPE for WinPE enter the following command:
SetupWinPE -pe2 <WinPE image file>
where <WinPE image file> is the full path name of a WinPE image file.
SetupWinPE makes all the changes needed.
Note: With this type of WinPE environment, only drives that are encrypted with the BOOTKEY
can be accessed.
27 Restore a Sophos SafeGuard Database
To restore a Sophos SafeGuard Database you can create a new instance of the database based
upon the backed up security officer and company certificates by reinstalling SafeGuard Policy
Editor.
This ensures that all Sophos SafeGuard endpoints still accept policies from the new instance and
avoids the need to set up and restore the whole database. Additionally, backed up policies can
be reimported.
27.1 Restore a database configuration by reinstalling the
SafeGuard Policy Editor
The following prerequisites must be met:
■
The company and security officer certificates of the relevant database configuration must have
been exported to .p12 files and must be available and valid.
■
The passwords for the two .p12 files as well as for the certificate store must be known to you.
■
Export the policies to backup files beforehand so that you can restore them afterwards. This
avoids having to set up your policy configuration from scratch.
To restore a corrupt database configuration:
1. Install the SafeGuard Policy Editor installation package afresh.
2. Start the SafeGuard Policy Editor. The Configuration Wizard is started automatically.
3. On the Database page, select Create a new database. Under Database settings, configure
the connection to the database. Click Next.
4. On the Security Officer page, select the relevant security officer. Clear Automatically create
certificate. Click Import to browse for the backed up certificate file. Enter the respective
password for the security officer certificate store. Click Yes in the message that is displayed.
The certificate is imported. Enter and confirm the security officer password to be used to
authenticate at the SafeGuard Policy Editor. Click Next.
5. On the Company page, clear Automatically create certificate. Click Import to browse for
the backed up certificate file that contains the valid company certificate. You are prompted to
enter the password specified for the certificate store. Enter the password and click OK to
confirm it. Click Yes in the message that is displayed. The company certificate is imported.
6. On the Security officer and company certificate backup page, specify a storage location
for the certificate backups. Click Next.
7. On the Recovery Keys page, clear Create network share, click Next, then Finish.
The database configuration is restored. If you have backed up the previously created policies to
a file, you may now import them back into the SafeGuard Policy Editor.
28 Restore a corrupt SafeGuard Policy Editor
installation
If the installation of the SafeGuard Policy Editor is corrupted, but the database is still intact, the
installation can be easily restored by reinstalling the SafeGuard Policy Editor using the existing
database as well as the backed up security officer certificate.
To restore the SafeGuard Policy Editor installation:
1. Reinstall the SafeGuard Policy Editor installation package. Start the SafeGuard Policy Editor.
The Configuration Wizard is started automatically.
2. On the Database page, select Use an existing database. Under Database name, select the
name of the database from the list. Under Database settings, configure the connection to the
database if required. Click Next.
3. On the Security Officer page, do one of the following:
■
If the backed up certificate file can be found on the computer, it is displayed. Enter the
password you use for authenticating at the SafeGuard Policy Editor.
■
If the backed up certificate file cannot be found on the computer, click Import. Browse for
the backed up certificate file and confirm with Open. Enter the password for the selected
certificate file. Click Yes. Enter and confirm a password for authenticating at the SafeGuard
Policy Editor.
4. Click Next and then Finish to complete the SafeGuard Policy Editor configuration.
The corrupt SafeGuard Policy Editor installation is restored.
29 About uninstallation
This section covers the following topics:
■
Uninstallation best practices
■
Uninstalling Sophos SafeGuard encryption software
■
Preventing uninstallation of Sophos SafeGuard encryption software on endpoints
■
Sophos Tamper Protection
29.1 Uninstallation best practice
When the Sophos SafeGuard encryption software is installed on the same computer as SafeGuard
Policy Editor, make sure that you follow this uninstallation procedure to be able to continue using
one of them:
1. Uninstall the SafeGuard Policy Editor.
2. Uninstall the Sophos SafeGuard configuration package.
3. Uninstall the Sophos SafeGuard encryption software.
4. Install the package that you want to continue using afresh.
29.2 Uninstalling Sophos SafeGuard encryption software
Uninstalling the Sophos SafeGuard encryption software from endpoints involves the following
steps:
■
Decrypt encrypted data.
■
Uninstall the encryption software.
The appropriate policies must be effective on the endpoints to allow for decryption and
uninstallation.
29.2.1 Prevent uninstallation of Sophos SafeGuard encryption software
To provide extra protection for endpoints, we recommend that you prevent local uninstallation of
Sophos SafeGuard. In a Specific Machine Settings policy, set Uninstallation allowed to No
and deploy the policy on the endpoints. Uninstallation attempts then are cancelled and the
unauthorized attempts are logged.
Note: If you use a demo version, you should not activate this policy setting or in any case
deactivate it before the demo version expires to ensure easy uninstallation.
29.2.2 Decrypt encrypted data
The following prerequisites must be met:
■
To decrypt encrypted volumes, all volume-based encrypted volumes must have a drive letter
assigned to them.
1. In the SafeGuard Policy Editor, edit the current policy of the type Device Protection that is
assigned to the computers you want to decrypt. Select the targets and set User may decrypt
volume to Yes.
2. Create a decryption policy of the type Device Protection, select the targets that are to be
decrypted and set the Media encryption mode to No encryption.
3. Create a configuration package that includes the updated policies and deploy it on the endpoints
that you want to decrypt.
4. On the endpoint that is to be decrypted, open Windows Explorer. Right-click the volume that
should be decrypted and click Encryption > Decryption.
Make sure that the decryption is completed successfully.
Note: When decryption is followed by an uninstallation, we recommend that the endpoint is
not hibernated or suspended during decryption. We support but do not recommend that the
endpoint is shut down and restarted during decryption.
29.2.3 Start uninstallation
The following prerequisites must be met:
■
Encrypted data has to be decrypted properly before uninstallation to be able to access it
afterwards. The decryption process must be completed. Proper decryption is particularly
important when uninstallation is triggered by Active Directory.
All encrypted removable media must be decrypted before uninstalling the last accessible
Sophos SafeGuard protected endpoint. Otherwise users may not be able to access their
data any more. As long as the Sophos SafeGuard Database is available, data on removable
media can be recovered.
■
To uninstall SafeGuard full disk encryption, all volume-based encrypted volumes must have
a drive letter assigned to them.
■
Make sure that you always uninstall the complete package with all features installed.
1. In the SafeGuard Policy Editor, edit the policy of the type Specific Machine Settings. Set
Uninstallation allowed to Yes.
2. Create a configuration package that includes the uninstallation policy and deploy it on the
endpoints that you want to uninstall.
3. To start uninstallation, use one of the following methods:
■
To uninstall locally on the endpoint, select Start > Control Panel > Add or Remove
Programs > Sophos SafeGuard Client > Remove.
■
To uninstall centrally, use the software distribution mechanism of your choice. Make sure
that all required data has been decrypted properly before uninstallation starts.
29.3 Sophos Tamper Protection
Sophos Tamper Protection prevents casual removal of Sophos SafeGuard, even if the option
Uninstallation allowed in the Specific Machine Settings policy that applies to the endpoint is
set to Yes or not configured.
Note: Sophos Tamper Protection only applies to endpoints using Sophos Endpoint Security and
Control from version 9.5.
You can activate Sophos Tamper Protection in a policy of the type Specific Machine Settings.
If the Uninstallation allowed option in this policy is set to Yes or not configured, the option
Enable Sophos tamper protection becomes available for selection.
If you set Enable Sophos tamper protection to Yes, any uninstallation attempt is explicitly
checked by Sophos Tamper Protection. If Sophos Tamper Protection does not allow uninstallation,
the process will be canceled.
If you set Enable Sophos tamper protection to No, uninstallation of Sophos SafeGuard will not
be prevented.
If Enable Sophos tamper protection is set to not configured, the default value Yes applies.
30 Technical support
You can find technical support for Sophos products in any of these ways:
■
Visit the SophosTalk community at community.sophos.com/ and search for other users who
are experiencing the same problem.
■
Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
■
Download the product documentation at www.sophos.com/en-us/support/documentation/.
■
Open a ticket with our support team at
https://secure2.sophos.com/support/contact-support/support-query.aspx.
31 Legal notices
Copyright © 1996 - 2014 Sophos Limited. All rights reserved. SafeGuard is a registered trademark
of Sophos Limited and Sophos Group.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you
are either a valid licensee where the documentation can be reproduced in accordance with the
license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.
You find copyright information on third party suppliers in the Disclaimer and Copyright for 3rd
Party Software document in your product directory.