SafeGuard Enterprise Administrator help

SafeGuard Enterprise
Administrator help
Product version: 7
Document date: December 2014
Contents
1 About SafeGuard Enterprise 7.0..............................................................................................9
2 Security best practices ..........................................................................................................11
3 About the SafeGuard Management Center............................................................................14
4 Logging on to the SafeGuard Management Center................................................................15
4.1 Warning when company certificate expires..............................................................15
4.2 Log on in Single Tenancy mode................................................................................15
4.3 Log on in Multi Tenancy mode..................................................................................15
4.4 SafeGuard Management Center user interface.......................................................16
4.5 Language settings....................................................................................................17
5 Configuring the SafeGuard Management Center...................................................................19
5.1 Prerequisites.............................................................................................................19
5.2 Multi Tenancy configurations.....................................................................................19
5.3 Start initial SafeGuard Management Center configuration ......................................20
5.4 Configure the database server connection...............................................................20
5.5 Create or select a database......................................................................................21
5.6 Creating the Master Security Officer (MSO).............................................................21
5.7 Create the company certificate.................................................................................23
5.8 Complete initial SafeGuard Management Center configuration...............................23
5.9 Create further database configurations (Multi Tenancy)...........................................24
5.10 Configure additional instances of the SafeGuard Management Center.................24
6 Licenses.................................................................................................................................26
6.1 License file................................................................................................................26
6.2 Token licenses..........................................................................................................27
6.3 Evaluation and demo licenses..................................................................................27
6.4 License status overview............................................................................................28
6.5 Import license files....................................................................................................29
6.6 License exceeded.....................................................................................................30
7 Working with multiple database configurations.......................................................................32
7.1 Create further database configurations....................................................................32
7.2 Connect to an existing database configuration.........................................................33
7.3 Export a configuration to a file..................................................................................33
7.4 Import a configuration from a file..............................................................................33
7.5 Import a configuration with the SafeGuard Management Center.............................34
7.6 Import a configuration by double-clicking the configuration file (Single and Multi Tenancy)......34
7.7 Fast switching of database configurations................................................................35
7.8 Check database integrity..........................................................................................35
8 Registering and configuring SafeGuard Enterprise Server....................................................36
8.1 Register and configure SafeGuard Enterprise Server for the current computer.......36
8.2 Register and configure SafeGuard Enterprise Server for a different computer........37
8.3 Edit SafeGuard Enterprise Server properties ..........................................................38
8.4 Register SafeGuard Enterprise Server with Sophos firewall enabled......................39
9 Securing transport connections with SSL...............................................................................40
9.1 Set up SSL................................................................................................................40
9.2 Activate SSL encryption in SafeGuard Enterprise....................................................41
10 Creating the organizational structure...................................................................................42
10.1 Import from Active Directory...................................................................................42
10.2 Creating workgroups and domains.........................................................................44
10.3 Search for users, computers and groups in the SafeGuard Enterprise Database....................50
10.4 Display object properties in User and Computers..................................................51
11 SafeGuard Enterprise Security Officers...............................................................................52
11.1 Security officer roles...............................................................................................52
11.2 Create a role...........................................................................................................54
11.3 Assign a role to a security officer............................................................................55
11.4 Displaying officer and role properties.....................................................................55
11.5 Modifying a role......................................................................................................56
11.6 Copy a role.............................................................................................................57
11.7 Delete a role...........................................................................................................58
11.8 Create a Master Security Officer............................................................................58
11.9 Create a security officer..........................................................................................60
11.10 Assigning directory objects to a security officer....................................................63
11.11 Promoting security officers...................................................................................64
11.12 Demote Master Security Officers..........................................................................66
11.13 Change the security officer certificate..................................................................66
11.14 Arrange security officers in the tree view..............................................................66
11.15 Fast switching of security officers ........................................................................67
11.16 Delete a security officer........................................................................................67
12 Keys and Certificates............................................................................................................68
12.1 Keys for data encryption.........................................................................................69
12.2 Personal Keys for file-based encryption by File Encryption....................................70
12.3 Certificates..............................................................................................................73
12.4 Exporting company and Master Security Officer certificates..................................75
12.5 Virtual Clients..........................................................................................................76
13 Company Certificate Change Orders...................................................................................80
13.1 Renew the company certificate...............................................................................80
13.2 Replace the company certificate............................................................................81
13.3 Managing Company Certificate Change Orders.....................................................82
14 Working with policies............................................................................................................83
14.1 Create policies........................................................................................................83
14.2 Edit policy settings..................................................................................................83
14.3 Policy groups..........................................................................................................85
14.4 Back up policies and policy groups.........................................................................86
14.5 Restore policies and policy groups.........................................................................86
14.6 Assign policies........................................................................................................86
14.7 Manage policies in Users and Computers..............................................................87
14.8 Disabling policy deployment...................................................................................88
14.9 Rules for assigning and analyzing policies.............................................................88
15 Working with configuration packages...................................................................................93
15.1 Create configuration package for managed endpoints...........................................93
15.2 Create configuration package for unmanaged endpoints.......................................94
15.3 Create configuration package for Macs..................................................................95
16 SafeGuard Power-on Authentication (POA).........................................................................97
16.1 Logging on..............................................................................................................97
16.2 Register further SafeGuard Enterprise users.........................................................99
16.3 User types...............................................................................................................99
16.4 Configuring the SafeGuard Power-on Authentication...........................................100
16.5 Supported Hotkeys in the SafeGuard Power-on Authentication...........................104
16.6 Disabled SafeGuard POA and Lenovo Rescue and Recovery.............................106
17 Administrative access to Windows endpoints.....................................................................107
18 Service Account Lists for Windows logon...........................................................................108
18.1 Create service account lists and add users..........................................................108
18.2 Additional information for entering user and domain names................................109
18.3 Edit and delete service account lists....................................................................110
18.4 Assign a service account list in a policy...............................................................110
18.5 Transfer the policy to the endpoint........................................................................111
18.6 Log on to an endpoint using a service account....................................................111
18.7 Log events............................................................................................................111
19 POA users for SafeGuard POA logon................................................................................113
19.1 Create POA users.................................................................................................113
19.2 Change the password for a POA user..................................................................113
19.3 Delete POA users.................................................................................................114
19.4 Create POA groups..............................................................................................114
19.5 Add users to POA groups.....................................................................................114
19.6 Remove users from POA groups..........................................................................115
19.7 Assigning POA users to endpoints.......................................................................115
19.8 Log on to an endpoint with a POA user................................................................117
20 Policy settings.....................................................................................................................118
20.1 General settings....................................................................................................119
20.2 Authentication.......................................................................................................124
20.3 Create forbidden PIN lists for use in policies........................................................130
20.4 Syntax rules for PINs............................................................................................131
20.5 Create forbidden password list for use in policies.................................................133
20.6 Syntax rules for passwords...................................................................................134
20.7 Passphrase for SafeGuard Data Exchange..........................................................138
20.8 White Lists for Device Protection policies for file-based encryption......................139
20.9 Device Protection..................................................................................................141
20.10 Specific machine settings - basic settings..........................................................146
20.11 Logging for Windows endpoints .........................................................................154
21 Disk encryption...................................................................................................................155
21.1 SafeGuard full disk encryption..............................................................................155
21.2 BitLocker Drive Encryption...................................................................................158
21.3 FileVault 2 full disk encryption..............................................................................167
22 SafeGuard Configuration Protection...................................................................................169
23 File Encryption....................................................................................................................170
23.1 Configuring encryption rules in File Encryption policies.......................................171
23.2 Configuring File Encryption settings in General Settings policies........................176
23.3 Multiple File Encryption policies...........................................................................178
23.4 Evaluation of File Encryption rules on endpoints..................................................179
23.5 Conflicting File Encryption Rules..........................................................................179
23.6 File Encryption and SafeGuard Data Exchange...................................................179
24 SafeGuard Data Exchange.................................................................................................181
24.1 Group keys...........................................................................................................181
24.2 Local keys.............................................................................................................181
24.3 Media passphrase................................................................................................182
24.4 Best practice.........................................................................................................183
24.5 Configure trusted and ignored applications for SafeGuard Data Exchange.........187
24.6 Configure ignored devices for SafeGuard Data Exchange...................................188
24.7 Configure persistent encryption for SafeGuard Data Exchange...........................188
24.8 Track files accessed on removable media............................................................189
24.9 SafeGuard Data Exchange and File Encryption...................................................189
25 Cloud Storage.....................................................................................................................190
25.1 Requirements for Cloud Storage vendor software................................................190
25.2 Create Cloud Storage Definitions (CSDs)............................................................190
25.3 Create a device protection policy with a Cloud Storage Definition target.............195
25.4 Track files accessed in cloud storage...................................................................196
26 User Machine Assignment..................................................................................................197
26.1 User Machine Assignment in the SafeGuard Management Center......................197
26.2 Assignment of user and computer groups............................................................200
27 Tokens and smartcards......................................................................................................202
27.1 Token types...........................................................................................................203
27.2 Components.........................................................................................................203
27.3 Configure token use..............................................................................................206
27.4 Preparing for token use........................................................................................206
27.5 Issuing a token......................................................................................................208
27.6 Configuring logon mode.......................................................................................209
27.7 Assigning certificates ...........................................................................................211
27.8 Managing PINs.....................................................................................................214
27.9 Managing tokens and smartcards........................................................................215
28 Secure Wake on LAN (WOL)..............................................................................................218
28.1 Secure Wake on LAN example.............................................................................218
29 Recovery options................................................................................................................220
29.1 Recovery with Local Self Help..............................................................................220
29.2 Recovery with Challenge/Response.....................................................................225
29.3 Recovery for BitLocker..........................................................................................239
29.4 Recovery key for Mac endpoints...........................................................................241
29.5 System Recovery for SafeGuard full disk encryption...........................................242
30 Restore a corrupt SafeGuard Management Center installation..........................................246
31 Restore a corrupt database configuration..........................................................................247
32 Inventory and status data...................................................................................................248
32.1 Mac endpoints in the inventory.............................................................................248
32.2 View inventory data...............................................................................................248
32.3 Show hidden columns...........................................................................................249
32.4 Filter inventory data..............................................................................................249
32.5 Refresh inventory data..........................................................................................249
32.6 Overview...............................................................................................................250
32.7 Drives tab..............................................................................................................251
32.8 Users tab..............................................................................................................252
32.9 Features tab..........................................................................................................252
32.10 Company certificate tab......................................................................................253
32.11 Creating inventory data reports..........................................................................253
33 Reports...............................................................................................................................255
33.1 Application scenarios............................................................................................256
33.2 Prerequisite...........................................................................................................256
33.3 Destinations for logged events..............................................................................256
33.4 Configure logging settings....................................................................................257
33.5 View logged events...............................................................................................258
33.6 File access report for removable media and cloud storage..................................260
33.7 Print reports..........................................................................................................261
33.8 Connection of logged events................................................................................262
33.9 Check the integrity of logged events.....................................................................262
33.10 Delete selected or all events...............................................................................263
33.11 Create a backup file............................................................................................263
33.12 Open a backup file..............................................................................................263
33.13 Scheduled event cleanup by script.....................................................................263
33.14 Report Message Templates................................................................................266
34 Scheduling tasks................................................................................................................267
34.1 Create a new task.................................................................................................267
34.2 The Task Scheduler overview display...................................................................268
34.3 Edit tasks..............................................................................................................270
34.4 Delete tasks..........................................................................................................271
34.5 Working with scripts in the Task Scheduler...........................................................271
34.6 Restrictions concerning registered servers..........................................................275
34.7 Task Scheduler log events....................................................................................275
35 Managing Mac endpoints in the SafeGuard Management Center.....................................276
35.1 Inventory and status data of Macs........................................................................276
35.2 Create configuration package for Macs................................................................277
36 SafeGuard Enterprise and self-encrypting, Opal-compliant hard drives............................278
36.1 How does SafeGuard Enterprise integrate Opal-compliant hard drives?.............278
36.2 Enhancement of Opal-compliant hard drives with SafeGuard Enterprise............278
36.3 Manage endpoints with Opal-compliant hard drives with SafeGuard Enterprise.........................279
36.4 Encryption of Opal-compliant hard drives.............................................................279
36.5 Lock Opal-compliant hard drives..........................................................................279
36.6 Enable users to unlock Opal-compliant hard drives..............................................280
36.7 Logging of events for endpoints with Opal-compliant hard drives........................280
37 Events available for reports................................................................................................281
38 Error codes.........................................................................................................................294
38.1 SGMERR codes in Windows event log.................................................................294
38.2 BitLocker error codes............................................................................................311
39 Technical support................................................................................................................314
40 Legal notices......................................................................................................................315
1 About SafeGuard Enterprise 7.0
SafeGuard Enterprise provides powerful data protection through encryption and additional logon
authentication.
This version of SafeGuard Enterprise supports Windows 7 and Windows 8 on endpoints with
BIOS or UEFI.
■ For BIOS platforms you can choose between SafeGuard Enterprise full disk encryption and
BitLocker encryption managed by SafeGuard Enterprise. The BIOS version comes with the
BitLocker native recovery mechanism.
Note: If SafeGuard Power-on Authentication or SafeGuard full disk encryption is mentioned
in this manual, it refers to Windows 7 BIOS endpoints only.
■ For UEFI platforms, use BitLocker managed by SafeGuard Enterprise for disk encryption. For
these endpoints SafeGuard Enterprise offers enhanced Challenge/Response capabilities. For
details on the supported UEFI versions and restrictions to SafeGuard BitLocker
Challenge/Response support, please see the Release Notes at
http://downloads.sophos.com/readmes/readsgn_7_eng.html.
Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
The table shows which components are available.

                    SafeGuard full disk         BitLocker with pre-boot     SafeGuard C/R recovery
                    encryption with SafeGuard   authentication (PBA)        for BitLocker pre-boot
                    Power-on Authentication     managed by SafeGuard        authentication (PBA)
                    (POA)
Windows 7 BIOS      YES                         YES                         -
Windows 7 UEFI      -                           YES                         YES
Windows 8 BIOS      -                           YES                         -
Windows 8 UEFI      -                           YES                         YES
Windows 8.1 BIOS    -                           YES                         -
Windows 8.1 UEFI    -                           YES                         YES
Note: SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA) is only available
on 64-bit systems.
SafeGuard full disk encryption with SafeGuard Power-on Authentication (POA) is the Sophos
module for encrypting volumes on endpoints. It comes with a Sophos implemented pre-boot
authentication named SafeGuard Power-on Authentication (POA), which supports logon options
like smartcard and fingerprint and a Challenge/Response mechanism for recovery.
BitLocker with pre-boot authentication (PBA) managed by SafeGuard is the component that
enables and manages the BitLocker encryption engine and the BitLocker pre-boot authentication.
It is available for BIOS and UEFI platforms:
■ The UEFI version additionally offers a SafeGuard Challenge/Response mechanism for BitLocker
recovery in case users forget their PINs. The UEFI version can be used when certain platform
requirements are met. For example, the UEFI version must be 2.3.1. For details, see the Release
Notes.
■ The BIOS version does not offer the recovery enhancements of the SafeGuard
Challenge/Response mechanism and also serves as a fallback option in case the requirements
for the UEFI version are not met. The Sophos installer checks whether the requirements are
met and, if not, automatically installs the BitLocker version without Challenge/Response.
Mac endpoints
For Mac endpoints the following products are available. They are also managed by SafeGuard
Enterprise or at least report to the management center.
                Sophos SafeGuard File Encryption 7.0    Sophos SafeGuard Native Device Encryption
                                                        (FileVault 2 management) 7.0
OS X 10.8       YES                                     YES
OS X 10.9       YES                                     YES
OS X 10.10      YES                                     YES
The description in this manual refers to the Windows platform only. For the Mac versions, see
the respective product manuals.
Sophos Mobile Encryption
With Sophos Mobile Encryption you can read files encrypted by the SafeGuard Enterprise
modules SafeGuard Cloud Storage or SafeGuard Data Exchange. They allow you to encrypt
files using a local key. These local keys are derived from a passphrase that is entered by a user.
You can only decrypt a file when you know the passphrase that was used to encrypt the file. For
details of Sophos Mobile Encryption please visit www.sophos.com.
2 Security best practices
By following the simple steps described here, you can mitigate risks and keep your company's
data secure and protected at all times.
To operate SafeGuard Enterprise in a certification-compliant mode, see the SafeGuard Enterprise
Manual for certification-compliant operation.
Avoid sleep mode
On SafeGuard Enterprise protected endpoints, encryption keys might be accessible to attackers
in certain sleep modes where the endpoint's operating system is not shut down properly and
background processes are not terminated. Protection is enhanced when the operating system is
always shut down or hibernated properly.
Train users accordingly or consider centrally disabling sleep mode on endpoints that are unattended
or not in use:
■ Avoid sleep (stand-by/suspend) mode as well as hybrid sleep mode. Hybrid sleep mode
combines hibernation and sleep. Setting an additional password prompt after resume does
not provide full protection.
■ Avoid locking desktops and switching off monitors or closing laptop lids as modes of protection
when not followed by a proper shut down or hibernation. Setting an additional password prompt
after resume does not provide sufficient protection.
■ Always shut down or hibernate endpoints. SafeGuard Power-on Authentication is always
activated the next time the computer is used, thus providing full protection.
Note: It is important that the hibernation file resides on an encrypted volume. Typically it
resides on C:\.
You can configure the appropriate power management settings centrally using Group Policy
Objects or locally through the Power Options dialog on the endpoint's Control Panel. Set
the Sleep button action to Hibernate or Shut down.
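As an added example (not part of the Sophos manual), the following PowerShell applies the settings recommended above on a single endpoint with powercfg and checks that the hibernation file is on the system drive. The powercfg aliases and action values are the standard Windows ones; whether the system volume is actually encrypted still has to be verified in the SafeGuard Management Center.

```powershell
# Added example, not from the SafeGuard manual: make the sleep button and lid
# close hibernate instead of sleeping, disable idle sleep and hybrid sleep, and
# confirm the hibernation file is on the system drive.
# Run in an elevated PowerShell session (powercfg needs administrator rights).
#
# powercfg aliases used (standard Windows aliases, see "powercfg /aliases"):
#   SUB_BUTTONS / SBUTTONACTION  sleep button action: 0 nothing, 1 sleep, 2 hibernate, 3 shut down
#   SUB_BUTTONS / LIDACTION      lid close action, same values
#   SUB_SLEEP   / STANDBYIDLE    idle seconds before sleep, 0 = never
#   SUB_SLEEP   / HYBRIDSLEEP    hybrid sleep, 0 = off

function Set-HibernateInsteadOfSleep {
    # Hibernate is only offered as an action when hibernation is enabled.
    powercfg /hibernate on

    $settings = @(
        @{ Sub = 'SUB_BUTTONS'; Name = 'SBUTTONACTION'; Value = 2 },   # sleep button -> hibernate
        @{ Sub = 'SUB_BUTTONS'; Name = 'LIDACTION';     Value = 2 },   # lid close    -> hibernate
        @{ Sub = 'SUB_SLEEP';   Name = 'STANDBYIDLE';   Value = 0 },   # no automatic sleep
        @{ Sub = 'SUB_SLEEP';   Name = 'HYBRIDSLEEP';   Value = 0 }    # hybrid sleep off
    )
    foreach ($s in $settings) {
        # Apply to the active power scheme for both mains (AC) and battery (DC).
        powercfg /setacvalueindex SCHEME_CURRENT $s.Sub $s.Name $s.Value
        powercfg /setdcvalueindex SCHEME_CURRENT $s.Sub $s.Name $s.Value
    }
    # Re-activating the scheme makes the changed values effective immediately.
    powercfg /setactive SCHEME_CURRENT
}

function Test-HibernationFileOnSystemDrive {
    # The manual notes that the hibernation file must reside on an encrypted
    # volume, typically C:\. This only checks the location; whether that volume
    # is encrypted is verified in the SafeGuard Management Center.
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    return [System.IO.File]::Exists($hiberfil)
}

Set-HibernateInsteadOfSleep
if (-not (Test-HibernationFileOnSystemDrive)) {
    Write-Warning "No hiberfil.sys found on $env:SystemDrive; hibernation does not appear to be enabled."
}
```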
Implement a strong password policy
Implement a strong password policy and force password changes at regular intervals, particularly
for endpoint logon.
Passwords should not be shared with anyone nor written down.
Train users to choose strong passwords. A strong password follows these rules:
■
It is long enough to be secure: A minimum of 10 characters is recommended.
■
It contains a mixture of letters (upper and lower case), numbers and special characters/symbols.
■
It does not contain a commonly used word or name.
■
It is hard to guess but easy to remember and type accurately.
Do not disable SafeGuard Power-on Authentication
SafeGuard Power-on Authentication provides additional logon protection on the endpoint. With
SafeGuard full disk encryption, it is installed and enabled by default. For full protection, do not
disable it. More information can be found in
http://www.sophos.com/en-us/support/knowledgebase/110282.aspx
Protect against code injection
Code injection, for example DLL pre-loading attacks, might be possible when an attacker is able
to place malicious code, for example executables, in directories that may be searched for legitimate
code by the SafeGuard Enterprise encryption software. To mitigate this threat:
■
Install middleware loaded by the encryption software, for example token middleware, in
directories that are inaccessible to external attackers. These are typically all sub-folders of the
Windows and Program Files directories.
■
The PATH environment variable should not contain components that point to folders accessible
to external attackers (see above).
■
Regular users should not have administrative rights.
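As an added check (not from the manual), this PowerShell lists entries of the machine-wide PATH that Everyone, Authenticated Users or the local Users group may create files in, which is the kind of search location the recommendation above wants kept out of PATH. The list of broad principals is an assumption of the example and can be extended to other non-administrative groups used in your environment.

```powershell
# Added example, not from the SafeGuard manual: report PATH entries in which
# non-administrative principals can create files (candidate locations for
# DLL pre-loading), plus entries that point to directories that do not exist.
function Get-WritablePathEntries {
    param(
        # Machine PATH by default; pass another value to audit e.g. a service's PATH.
        [string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'),
        # Assumed set of "external attacker reachable" principals for this example.
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    # CreateFiles (= WriteData) is the right needed to drop a file into a directory.
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))

        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH hop that does not exist should be reviewed and removed.
            [pscustomobject]@{ Path = $dir; Issue = 'missing directory'; Principal = $null }
            continue
        }

        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test so that Modify and FullControl (which include CreateFiles) also match.
            if (($ace.FileSystemRights -band $createFiles) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir
                    Issue     = 'writable by broad principal'
                    Principal = $ace.IdentityReference.Value
                }
            }
        }
    }
}

# Usage: an empty result means no PATH entry is creatable-into by the listed principals.
Get-WritablePathEntries | Format-Table -AutoSize
```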
Encryption best practices
■
Ensure that all drives have a drive letter assigned.
Only drives that have a drive letter assigned are considered for disk encryption/decryption.
Consequently, drives without a drive letter assigned may be abused to leak confidential data
in plaintext.
To mitigate this threat: Do not allow users to change drive letter assignments. Set their user
rights accordingly. Regular Windows users do not have this right by default.
■
Apply Fast Initial Encryption cautiously.
SafeGuard Enterprise offers Fast Initial Encryption to reduce the time for initial encryption of
volumes by only accessing the space that is actually in use. This mode leads to a less secure
state if a volume has been in use before it was encrypted with SafeGuard Enterprise. Due to
their architecture, Solid State Disks (SSD) are affected even more than regular hard disks.
This mode is disabled by default. For more information see
http://www.sophos.com/en-us/support/knowledgebase/113334.aspx.
■
Only use algorithm AES-256 for data encryption.
■
Use SSL/TLS (SSL version 3 or above) for protection of the client/server communication.
For further information, see the SafeGuard Enterprise installation guide.
■
Prevent uninstallation.
To provide extra protection for endpoints you can prevent local uninstallation of SafeGuard
Enterprise in a Specific machine settings policy. Set Uninstallation allowed to No and
deploy the policy on the endpoints. Uninstallation attempts are cancelled and the unauthorized
attempts are logged.
If you use a demo version, make sure that you set Uninstallation allowed to Yes before the
demo version expires.
Apply Sophos Tamper Protection to endpoints using Sophos Endpoint Security and Control.
3 About the SafeGuard Management Center
The SafeGuard Management Center is the console for managing computers encrypted with
SafeGuard Enterprise. With SafeGuard Management Center you can implement a company-wide
security strategy and apply it to the endpoints. SafeGuard Management Center enables you to:
■
Create or import the organizational structure.
■
Create security officers.
■
Define policies.
■
Export and import configurations.
■
Monitor computers through comprehensive logging functionality.
■
Recover passwords and access to encrypted endpoints.
With the SafeGuard Management Center you have Multi Tenancy support for managing multiple
domains and databases. You can manage different SafeGuard Enterprise Databases and maintain
different configurations.
Only privileged users - security officers - can access the SafeGuard Management Center. Several
security officers can work with the data simultaneously. The various security officers can perform
actions in accordance with the roles and rights assigned to them.
You can customize SafeGuard Enterprise policies and settings to your needs. After new settings
have been saved to the database, they can be transferred to the endpoints where they become
active.
Note: Some features are not included in all licenses. For information on what is included in your
license, contact your sales partner.
4 Logging on to the SafeGuard Management Center
During SafeGuard Enterprise initial configuration, an account is created for a Master Security
Officer. This account is required the first time you log on to SafeGuard Management Center. To
start SafeGuard Management Center, the user must know the password for the certificate store
and have the certificate's private key.
For further information see the SafeGuard Enterprise installation guide.
The logon procedure varies depending on whether you run the SafeGuard Management Center
as connected to one database (Single Tenancy) or to multiple databases (Multi Tenancy).
Note: Two security officers must not use the same Windows account on the same computer.
Otherwise it is not possible to separate their access rights properly.
4.1 Warning when company certificate expires
At logon the SafeGuard Management Center starts to display a warning six months before the
company certificate will expire and prompts you to renew it and deploy it on the endpoints. Without
a valid company certificate an endpoint cannot connect to the server.
You can renew the company certificate at any time, even if it has already expired. An expired
company certificate is also indicated by a message box. For information on how to renew the
company certificate, see Renew the company certificate (page 80).
4.2 Log on in Single Tenancy mode
1. Start the SafeGuard Management Center from the product folder of the Start menu. A logon
dialog is displayed.
2. Log on as MSO (Master Security Officer) and enter the certificate store password specified
during initial configuration. Click OK.
The SafeGuard Management Center is opened.
Note: If you enter an incorrect password, an error message is displayed and a delay will be
imposed for the next logon attempt. The delay period is increased with each failed logon attempt.
Failed attempts are logged.
4.3 Log on in Multi Tenancy mode
The logon process to the SafeGuard Management Center is extended when you have configured
several databases (Multi Tenancy), see Working with multiple database configurations (page 32).
1. Start the SafeGuard Management Center from the product folder of the Start menu. The Select
Configuration dialog is displayed.
2. Select the database configuration you want to use from the drop-down list and click OK.
The selected database configuration is connected to the SafeGuard Management Center and
becomes active.
3. To authenticate at the SafeGuard Management Center, you are prompted to select the security
officer name for this configuration and enter their certificate store password. Click OK.
The SafeGuard Management Center is opened and connected to the selected database
configuration.
Note: If you enter an incorrect password, an error message is displayed and a delay is imposed
for the next logon attempt. The delay period is increased with each failed logon attempt. Failed
attempts are logged.
4.4 SafeGuard Management Center user interface
Navigation area
The navigation area contains buttons for all administrative actions:
■
Users and Computers
To import groups and users from Active Directory, from the domain or from an individual
computer.
■
Policies
To create policies.
■
Keys and Certificates
To manage keys and certificates.
■
Tokens
To manage tokens and smartcards.
■
Security Officers
To create new security officers or roles and define actions which require additional authorization.
■
Reports
To create and manage records of all security-related events.
Navigation window
Objects which are to be processed or can be created are displayed in the navigation window
(Active Directory objects such as OUs, users and computers, policy items etc.). The objects
displayed depend on the selected task.
Note: In Users and Computers, the objects shown in the navigation window directory tree
depend on the security officer's access rights for directory objects. The directory tree only shows
objects the logged on security officer has access to. Objects that are denied are not shown, except
if there are nodes lower in the tree that the security officer has access rights for. In this case the
denied objects are greyed out. If the security officer has Full access rights, the object is displayed
in black. Objects with Read only access are displayed in blue.
Action area
In the action area, you define settings for the objects selected in the navigation window. The
action area contains various tabs for processing objects and specifying settings.
The action area also includes information about the selected objects.
Associated views
In these views, additional objects and information are displayed. They provide useful information
for system administration and make use of the system easier. You can for example assign keys
to objects by using drag-and-drop.
Toolbar
Contains symbols for the different SafeGuard Management Center actions. Symbols are displayed
as and when they are available for the selected object.
After logon, the SafeGuard Management Center always opens with the view in which it was closed.
4.5 Language settings
The language settings for the SafeGuard Management Center and SafeGuard Enterprise encryption
software on the endpoints are as follows:
SafeGuard Management Center language
You can set the language of the SafeGuard Management Center as follows:
■
In the SafeGuard Management Center menu bar, click Tools > Options > General. Select
Use user defined language and select an available language. English, German, French and
Japanese are supported.
■
Restart the SafeGuard Management Center. It is displayed in the selected language.
SafeGuard Enterprise language on endpoints
You set the language of SafeGuard Enterprise on the endpoint in a policy of type General Settings
in the SafeGuard Management Center, setting Customization > Language used on client:
■
If the language of the operating system is selected, SafeGuard Enterprise uses the language
setting of the operating system. If the operating system language is not available in SafeGuard
Enterprise, the SafeGuard Enterprise language defaults to English.
■
If one of the available languages is selected, SafeGuard Enterprise functions are displayed in
the selected language on the endpoint.
5 Configuring the SafeGuard Management Center
After installation, you need to configure the SafeGuard Management Center. The SafeGuard
Management Center Configuration Wizard guides you through the initial configuration by helping
you specify the basic SafeGuard Management Center settings and the connection to the database.
This wizard opens automatically when you start the SafeGuard Management Center for the first
time after installation.
You may configure the SafeGuard Management Center for use with a single database or with
multiple databases (Multi Tenancy).
Note: You need to carry out initial configuration using the Configuration Wizard for Single Tenancy
as well as for Multi Tenancy configurations.
5.1 Prerequisites
The following prerequisites must be met:
■
Make sure that you have Windows administrator rights.
■
Have the following information at hand. Where necessary, you can obtain this information from
your SQL administrator.
■
SQL credentials.
■
The name of the SQL Server which the SafeGuard Enterprise Database is to run on.
■
The name of the SafeGuard Enterprise Database, if it has already been created.
5.2 Multi Tenancy configurations
You are able to configure different SafeGuard Enterprise Databases and maintain them for one
instance of the SafeGuard Management Center. This is particularly useful when you want to have
different database configurations for different domains, organizational units or company locations.
Note: You need to set up a separate SafeGuard Enterprise Server instance for each database
(tenant).
To ease configuration, previously created configurations can also be imported from files or newly
created database configurations can be exported to be reused later.
To configure the SafeGuard Management Center for Multi Tenancy, first carry out initial
configuration and then proceed with further specific configuration steps for Multi Tenancy.
5.3 Start initial SafeGuard Management Center configuration
After installation of the SafeGuard Management Center, you need to carry out initial configuration.
You need to do so in Single Tenancy as well as in Multi Tenancy mode.
To start the SafeGuard Management Center Configuration Wizard:
1. Select SafeGuard Management Center from the Start menu. The Configuration Wizard is
launched and guides you through the necessary steps.
2. On the Welcome page, click Next.
5.4 Configure the database server connection
A database is used to store all SafeGuard Enterprise specific encryption policies and settings.
For the SafeGuard Management Center and the SafeGuard Enterprise Server to be able to
communicate with this database, you must specify an authentication method for the database
access, either Windows NT authentication or SQL authentication. If you want to connect to the
database server with SQL authentication, make sure that you have the respective SQL credentials
at hand. Where necessary, you may obtain this information from your SQL administrator.
1. On the Database Server Connection page, do the following:
■
Under Connection settings, select the SQL database server from the Database Server
list. All computers on a network on which a Microsoft SQL Server is installed are listed. If
you cannot select the server, enter the server name or IP address with the SQL instance
name manually.
■
Select Use SSL to secure the connection between SafeGuard Management Center and
SQL database server. We strongly recommend that you do so when you have selected
SQL Server Authentication because this setting will encrypt the transport of the SQL
credentials. SSL encryption requires a working SSL environment on the SQL database
server which you have to set up in advance, see Securing transport connections with SSL
(page 40).
2. Under Authentication, activate the type of authentication to be used to access the database
server instance. This is needed so that the SafeGuard Management Center is able to
communicate with the database:
■
Select Use Windows NT Authentication to use your Windows credentials.
Note:
Use this type when your computer is part of a domain. However, additional mandatory
configuration is required as the user needs to be authorized to connect to the database.
For further information see the SafeGuard Enterprise installation guide.
■
Select Use SQL Server Authentication to access the database with the respective SQL
credentials. Enter the credentials for the SQL user account that your SQL administrator
has created. Where necessary, you may obtain this information from your SQL administrator.
Note:
Use this type when your computer is not part of a domain. Make sure that you have selected
Use SSL to secure the connection to and from the database server.
3. Click Next.
The connection to the database server has been established.
5.5 Create or select a database
Note: If you use SafeGuard Enterprise and SafeGuard LAN Crypt in parallel, you need to use
separate databases.
On the Database Settings page, determine whether an existing or a new database is used to
store administration data.
1. Do one of the following:
■
If a database does not yet exist, select Create a new database named. Enter a name for
the new database. To do this, you need the relevant SQL access rights. For further
information see the SafeGuard Enterprise installation guide. To prevent localization issues,
SafeGuard Enterprise Database names should only consist of the following characters:
letters (A-Z, a-z), numbers (0-9) and underscores (_).
■
If a database has already been created or if you have already installed the SafeGuard
Management Center on a different computer, select Select an available database and
select the respective database from the list.
2. Click Next.
5.6 Creating the Master Security Officer (MSO)
As a security officer, you access the SafeGuard Management Center to create SafeGuard
Enterprise policies and configure the encryption software for the end users.
The Master Security Officer (MSO) is the top-level administrator with all the rights and a certificate
that does not expire.
1. On the Security Officer Data page under Master Security Officer ID, enter a name for the
Master Security Officer.
2. Under Certificate for Master Security Officer, do one of the following:
■
Click Create to create a new MSO certificate. You are prompted to enter and confirm one
password for the certificate store and one for the file the certificate is to be exported to
(private key file P12). The certificate is created and displayed under Certificate for Master
Security Officer.
■
Click Import to use a certificate for the MSO that is already available on the network. In
Import Authentication Certificate browse for the backed up key file. Under Password
for key file enter the password specified for this file. Enter the password for the certificate
store under Password for certificate store and confirm it. Click OK. The certificate is
imported and displayed under Certificate for Master Security Officer.
The MSO needs the certificate store password to log on to the SafeGuard Management Center.
Make a note of this password and keep it in a safe place! If you lose it, the MSO will not be
able to log on to the SafeGuard Management Center.
The MSO needs the private key file password for restoring a broken SafeGuard Management
Center installation.
3. Click Next.
The Master Security Officer is created.
5.6.1 Create the MSO certificate
In Create MSO Certificate, do the following:
1. Under Master Security Officer ID, confirm the Master Security Officer name.
2. Enter the password for the certificate store twice and click OK.
The MSO certificate is created and saved locally as a backup (<mso_name>.cer).
Note: Make a note of the password and keep it in a safe place. You need it to authenticate at
the SafeGuard Management Center.
5.6.2 Export the MSO certificate
The MSO certificate is exported to a file - the so-called private key file (P12) which is secured by
a password. Thus, the MSO certificate has additional protection. The private key file is needed
to restore a broken SafeGuard Management Center installation.
To export an MSO certificate:
1. In Export certificate, enter and confirm the password for the private key (P12 file). The
password must consist of 8 alphanumeric characters.
2. Click OK.
3. Enter a storage location for the private key file.
The private key is created and the file is stored in the defined location (mso_name.p12).
Note: Create a backup of the private key (p12 file) and store it in a safe place right after initial
configuration. In case of PC failure the key is otherwise lost and SafeGuard Enterprise has to be
reinstalled. This applies to all SafeGuard generated security officer certificates. For further
information, see the Administrator Help, chapter Exporting company and Master Security Officer
certificate.
5.6.3 Import the MSO certificate
If an MSO certificate is already available, you need to import it into the certificate store.
Note: A certificate cannot be imported from a Microsoft PKI. An imported certificate must have
a minimum of 1024 bits and a maximum of 4096 bits.
1. In Import Authentication Key file, click [...] and select the key file.
2. Enter the password for the key file.
3. Enter the password for the certificate store.
4. Confirm the password for the certificate store.
5. Click OK.
Certificates and private keys are now contained in the certificate store. Logging on to the SafeGuard
Management Center then requires the password to the certificate store.
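As an added example (not from the manual), this PowerShell inspects a backed-up key file before it is imported and reports the properties the manual constrains: a private key, a key of 1024 to 4096 bits, and the signature hash (SHA-256 by default in 7.0, SHA-1 only when SafeGuard Enterprise 6 or earlier endpoints must still be managed). The file path and the threshold checks are the example's own; whether a certificate originates from a Microsoft PKI cannot be read from the file, so the issuer is reported for manual review.

```powershell
# Added example, not from the SafeGuard manual: report the properties of a
# security officer key file (P12/PFX) that matter for import.
function Test-MsoKeyFile {
    param(
        [Parameter(Mandatory)][string]$Path,            # e.g. a backed-up <mso_name>.p12
        [Parameter(Mandatory)][securestring]$Password   # the key file password
    )
    # Loading with the password decrypts the container in memory so the private
    # key presence can be checked; the object is disposed afterwards.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else { 0 }      # 0 when the key is not RSA
        $sigAlg  = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA or sha1RSA

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer          # review: an import from a Microsoft PKI is not supported
            HasPrivateKey = $cert.HasPrivateKey   # must be true, otherwise the file cannot restore anything
            KeySizeBits   = $keySize
            KeySizeOk     = ($keySize -ge 1024 -and $keySize -le 4096)   # limits stated in the manual
            SignatureAlg  = $sigAlg
            Sha256Signed  = ($sigAlg -like 'sha256*')
            NotAfter      = $cert.NotAfter
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Usage (path is a placeholder): prompt for the key file password rather than
# putting it on the command line.
Test-MsoKeyFile -Path 'C:\backup\mso_name.p12' -Password (Read-Host -AsSecureString 'Key file password')
```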
5.7 Create the company certificate
The company certificate is used to differentiate between SafeGuard Management installations.
In combination with the MSO certificate it allows for restoring a broken SafeGuard Enterprise
Database configuration.
1. On the Company Certificate page, select Create a new company certificate.
Note: Created company certificates always expire on December 31, 2199.
2. Enter a name of your choice.
Note: Certificates generated by SafeGuard Enterprise, such as the company, machine, security
officer and user certificates are signed with hash algorithm SHA-256 for enhanced security in
a first-time installation.
If you still need to manage SafeGuard Enterprise 6 or earlier endpoints with the SafeGuard
Management Center 7.0, you must select SHA-1 under Hash algorithm for generated
certificates. For further information, see section Change algorithm for self-signed certificates.
The selected algorithm is used to sign all certificates generated by SafeGuard Enterprise.
These are the company and machine certificates, security officer and user certificates.
3. Click Next.
The newly created company certificate is stored in the database.
Create a backup of the company certificate and store it in a safe place right after initial configuration.
To restore a broken database configuration, see Restore a corrupt database configuration (page
247).
5.8 Complete initial SafeGuard Management Center configuration
1. Click Finish to complete the initial configuration of the SafeGuard Management Center.
A configuration file has been created:
■
A connection to the SafeGuard Enterprise Server.
■
A SafeGuard Enterprise Database.
■
A Master Security Officer account to log on to SafeGuard Management Center.
■
All necessary certificates to restore a corrupt database configuration or SafeGuard Management
Center installation.
SafeGuard Management Center is launched once the configuration wizard has closed.
5.9 Create further database configurations (Multi Tenancy)
Prerequisite: The feature Multi Tenancy must have been installed with an installation of type
Complete. SafeGuard Management initial configuration must have been carried out.
Note: You need to set up a separate SafeGuard Enterprise Server instance per database.
To create a further SafeGuard Enterprise Database configuration after initial configuration:
1. Start the SafeGuard Management Center. The Select Configuration dialog is displayed.
2. Click New. The SafeGuard Management Center Configuration Wizard starts automatically.
3. The Wizard guides you through the necessary steps of creating a new database configuration.
Make your settings as required. The new database configuration is generated.
4. To authenticate at the SafeGuard Management Center you are prompted to select the Security
Officer name for this configuration and to enter their certificate store password. Click OK.
The SafeGuard Management Center is launched and connected to the new database configuration.
The next time the SafeGuard Management Center is started, the new database configuration
can be selected from the list.
5.10 Configure additional instances of the SafeGuard Management Center
You can configure additional instances of the SafeGuard Management Center to give security
officers access for carrying out administrative tasks on different computers. SafeGuard
Management Center can be installed on any computer on the network from which the databases
can be accessed.
SafeGuard Enterprise manages the access rights to the SafeGuard Management Center in its
own certificate directory. This directory must contain all certificates for all security officers authorized
to log on to the SafeGuard Management Center. Logging on to the SafeGuard Management
Center then requires only the password to the certificate store.
1. Install SGNManagementCenter.msi on a further computer with the required features.
2. Start the SafeGuard Management Center on the computer with the newly installed SafeGuard
Management Center. The Configuration Wizard is launched and guides you through the
necessary steps.
3. On the Welcome page, click Next.
4. On the Database Server Connection page, under Database Server, select the required SQL
database instance from the list. All database servers available on your computer or network
are displayed. Under Authentication, activate the type of authentication to be used to access
this database server instance. If you select Use SQL Server Authentication, enter the SQL
user account credentials that your SQL administrator has created. Click Next.
5. On the Database Settings page, click Select an available database and select the respective
database from the list. Click Next.
6. In SafeGuard Management Center Authentication, select an authorized person from the
list. If Multi Tenancy is enabled, the dialog shows to which configuration the user is going to
log on. Enter and confirm the password for the certificate store.
A certificate store is created for the current user account and is protected by this password.
You only need this password for any subsequent logon.
7. Click OK.
You see a message that the certificate and private key have not been found or cannot be
accessed.
8. To import the data, click Yes, and then click OK. This starts the import process.
9. In Import Authentication Key file, click [...] and select the key file. Enter the password for
the key file. Enter the password for the certificate store previously defined in Cert. store password
or token PIN. Select Import to certificate store, or select Copy to token to store the certificate
on a token.
10. Enter the password once more to initialize the certificate store.
Certificates and private keys are now contained in the certificate store. Logging on to the SafeGuard
Management Center then requires the password to the certificate store.
6 Licenses
To use SafeGuard Enterprise with the SafeGuard Management Center as a live system, you need
a valid license. In the SafeGuard Enterprise Database for example, a valid license is a prerequisite
for sending policies to the endpoints. The appropriate token licenses are also required for token
management.
You can obtain license files from your sales partner. These files must be imported into the
SafeGuard Enterprise Database after installation.
The license file contains among other information:
■
The number of licenses purchased per module.
■
The name of the licensee.
■
A specified tolerance limit for exceeding the number of licenses.
If the number of available licenses or the tolerance limit is exceeded, relevant warning/error
messages are displayed when you start the SafeGuard Management Center.
In the Users and Computers area, the SafeGuard Management Center provides an overview
of the license status of the installed SafeGuard Enterprise system. The license status display is
available in the Licenses tab of the root node, for domains, OUs, container objects and workgroups.
Here, security officers find detailed information about the license status. If they have sufficient
rights, they can import licenses into the SafeGuard Enterprise Database.
6.1 License file
The license file you receive for importing into the SafeGuard Enterprise Database is an .XML file
with a signature. The file includes the following information:
■
Company name
■
Additional information (for example, department, subsidiary)
■
Date issued
■
Number of licenses per module
■
Token license information
■
License expiration date
■
License type (demo or full license)
■
Signature with license signature certificate
6.2 Token licenses
To manage tokens or smartcards, the appropriate token licenses are required. If the appropriate
licenses are not available, you cannot create policies for tokens in the SafeGuard Management
Center.
6.3 Evaluation and demo licenses
The default license file (evaluation license) or individual demo license files can be used for
evaluation or initial rollout. These licenses are only valid for a certain period of time and have an
expiration date, but there are no functional restrictions.
Note: Evaluation and demo licenses must not be used for normal working operation.
6.3.1 Default license files
When the SafeGuard Management Center is installed, a default license file is automatically loaded.
This evaluation license (named SafeGuard Enterprise Evaluation License) includes five licenses
for each module and has a time limit of two years as of the release date of the SafeGuard
Enterprise version in question.
Default license file for SafeGuard Cloud Storage and SafeGuard File Encryption
When the SafeGuard Management Center 7 is installed, an additional default license for SafeGuard
Cloud Storage and SafeGuard File Encryption is automatically loaded. This evaluation license
includes five licenses for each of the two modules and has a time limit of two years as of the
release date of SafeGuard Enterprise 7.
Note: When upgrading from SafeGuard Enterprise 5.6 to SafeGuard Enterprise 7, you need to
import this license file manually into the SafeGuard Enterprise Database.
6.3.2 Individual demo license files
If you need more licenses than included in the default license file for evaluation, you can also
obtain a demo license customized to your specific needs. To obtain an individual demo license
file, please contact your sales partner. This type of demo license is also subject to a time limit.
The license is also restricted to the number of licenses per module agreed upon with your sales
partner.
When you start the SafeGuard Management Center, a warning message indicates that you are
using demo licenses. If the number of available licenses specified in the demo license is exceeded,
or if the time limit is reached, an error message is displayed.
6.4 License status overview
To display the license status overview:
1. In the SafeGuard Management Center navigation area, click Users and Computers.
2. In the navigation window on the left-hand side, click the root node, the domain, the OU, the
container object or the workgroup.
3. In the action area, switch to the Licenses tab.
The license status is displayed.
The display is divided into three areas. The upper area shows the name of the customer for whom
the license has been issued, plus the issue date.
The middle area provides license details. The individual columns contain the following information:
Column              Explanation
Status (icon)       An icon shows the license status (validity, warning message, error
                    message) for the module in question.
Feature             Shows the installed module.
Purchased Licenses  Shows the number of licenses purchased for the installed module.
Used Licenses       Shows the number of licenses used for the installed module.
Expires             Shows the license's expiration date.
Type                Shows the license type, demo or regular license.
Tolerance Limit     Shows the tolerance limit specified for exceeding the number of
                    purchased licenses.
If you display the Licenses tab for a domain/OU, the overview shows the status based on the
computers in the relevant branch.
Beneath this overview are details of the licensed token modules.
In the lower area, a message with a status-specific background color (green = valid, yellow =
warning, red = error) and an icon show the global status of the license regardless of the domain
or OU selected. If this area shows a warning or error message, it also shows information on how
to regain a valid license status.
The icons shown in the Licenses tab mean the following:
Valid license
Warning
A license for a module enters warning state if
■ the license limit is exceeded.
■ the license expired.
Error
A license for a module enters error state if
■ the tolerance limit is exceeded.
■ the license has expired more than a month ago.
To refresh the license status overview, click Recount used licenses.
6.5 Import license files
Prerequisite: To import a license file into the SafeGuard Enterprise Database, a security officer
needs the right "Import license file".
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left-hand side, click the root node, the domain or the OU.
3. In the action area, switch to the Licenses tab.
4. Click the Import license file... button.
A window opens where you can select the license file.
5. Select the license file you want to import, and click Open.
The Apply license? dialog is displayed showing the license file contents.
6. Click Apply license.
The license file is imported into the SafeGuard Enterprise Database.
After you have imported the license file, the modules for which licenses were purchased are
marked with the license type regular. Modules for which no licenses were purchased, and which
are covered by the evaluation license (default license file) or by individual demo licenses, are
marked with the license type demo.
Note: Whenever a new license file is imported, only those modules that are included in that
license file are affected. All other module license information is retained as it was retrieved from
the database. This import functionality simplifies the evaluation of additional modules after
purchase.
6.6 License exceeded
In your license file, a tolerance value has been set for exceeding the number of licenses purchased
and the license validity period. If the number of available licenses per module or the validity period
is exceeded, first of all a warning message is displayed. This does not impact the system's live
operation and there is no restriction on functionality. You can review the license status and upgrade
or renew your license. The tolerance value is usually set to 10% of the number of licenses
purchased (the minimum value is 5, the maximum value is 5,000).
If the tolerance value is exceeded, an error message is displayed. In this case, functionality is
restricted. The deployment of policies to the endpoints is disabled. This cannot be manually
reversed in the SafeGuard Management Center. The license has to be upgraded or renewed
before you can use all the functions again. Apart from disabling policy deployment, the functional
restriction does not have an impact on the endpoints. Policies assigned remain active. Clients
can also be uninstalled.
The following sections describe how the system behaves if licenses are exceeded and how to
overcome the functional restriction.
6.6.1 Invalid license: Warning
If the number of available licenses is exceeded, a warning message is displayed when you start
the SafeGuard Management Center.
The SafeGuard Management Center opens and displays the license status overview in the
Licenses tab in the Users and Computers area.
A warning message tells you that the license is invalid. With the detailed information shown about
the license file you can identify the module for which the number of available licenses has been
exceeded. This license status can be changed by extending, renewing or upgrading the license.
6.6.2 Invalid License: Error
If the tolerance value for the number of licenses or the period of validity set in the license is
exceeded, the SafeGuard Management Center displays an error message.
In the SafeGuard Management Center, the deployment of policies to endpoint computers is
disabled.
An error message is displayed in the Licenses tab in the Users and Computers area.
With the detailed information shown about the license file you can identify the module for which
the number of available licenses has been exceeded.
To overcome the functionality restriction, you can:
■ Redistribute licenses
To make licenses available, you can uninstall the software on unused endpoints and thereby
remove them from the SafeGuard Enterprise Database.
■ Upgrade/renew licenses
Contact your sales partner to get your license upgraded or renewed. You will receive a new
license file for importing into the SafeGuard Enterprise Database.
■ Import a new license file
If you have renewed or upgraded your license, you need to import the license file into the
SafeGuard Enterprise Database. This newly imported file replaces the invalid license file.
As soon as you redistribute licenses or import a valid license file, the functional restriction is
reversed and the system runs normally again.
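The status rules of the Licenses tab (6.4), the import rule of 6.5 and the tolerance arithmetic of 6.6, worked through as an added example that is not part of the product or this manual. The license data is constructed, the release date is a stand-in, and "expired more than a month ago" is modelled as 30 days; all three are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# License states as shown by the status icons in the Licenses tab.
VALID, WARNING, ERROR = "valid", "warning", "error"
SEVERITY = {VALID: 0, WARNING: 1, ERROR: 2}

# Assumption: the error condition "expired more than a month ago" is modelled as 30 days.
GRACE_AFTER_EXPIRY = timedelta(days=30)


def tolerance_limit(purchased: int) -> int:
    """Default tolerance for exceeding the purchased count: 10% of the purchased
    licenses, clamped to the documented minimum of 5 and maximum of 5,000."""
    return max(5, min(5000, purchased // 10))


@dataclass
class ModuleLicense:
    feature: str
    purchased: int
    used: int
    expires: date
    license_type: str                # "demo" or "regular"
    tolerance: Optional[int] = None  # explicit value from the license file, else derived

    def effective_tolerance(self) -> int:
        return self.tolerance if self.tolerance is not None else tolerance_limit(self.purchased)


def module_status(lic: ModuleLicense, today: date) -> str:
    """Warning when the license limit is exceeded or the license has expired; error
    when the tolerance limit is exceeded or the license expired more than a month ago."""
    if lic.used > lic.purchased + lic.effective_tolerance():
        return ERROR
    if lic.expires + GRACE_AFTER_EXPIRY < today:
        return ERROR
    if lic.used > lic.purchased or lic.expires < today:
        return WARNING
    return VALID


def global_status(modules: Dict[str, ModuleLicense], today: date) -> str:
    """Lower area of the overview: the worst status over all modules."""
    return max((module_status(m, today) for m in modules.values()),
               key=SEVERITY.get, default=VALID)


def policy_deployment_allowed(modules: Dict[str, ModuleLicense], today: date) -> bool:
    """Policy deployment to endpoints is disabled only in the error state."""
    return global_status(modules, today) != ERROR


def import_license_file(current: Dict[str, ModuleLicense],
                        imported: Dict[str, ModuleLicense]) -> Dict[str, ModuleLicense]:
    """Import rule from 6.5: only modules contained in the imported file are replaced;
    all other module license information is retained as it is."""
    merged = dict(current)
    merged.update(imported)
    return merged


# Constructed sample data, not from a real license file: the default evaluation
# license (five licenses per module, two years) plus a purchased file for two modules.
RELEASE = date(2014, 12, 1)  # constructed stand-in for the product release date
EVALUATION_LICENSE = {
    "Cloud Storage": ModuleLicense("Cloud Storage", 5, 3, RELEASE + timedelta(days=730), "demo"),
    "File Encryption": ModuleLicense("File Encryption", 5, 7, RELEASE + timedelta(days=730), "demo"),
}
PURCHASED_FILE = {
    "File Encryption": ModuleLicense("File Encryption", 100, 7, date(2016, 12, 1), "regular"),
    "Device Encryption": ModuleLicense("Device Encryption", 100, 111, date(2016, 12, 1), "regular"),
}

if __name__ == "__main__":
    today = date(2015, 3, 1)
    merged = import_license_file(EVALUATION_LICENSE, PURCHASED_FILE)
    for name, lic in merged.items():
        print(f"{name:18} {lic.license_type:8} {lic.used}/{lic.purchased} "
              f"tolerance={lic.effective_tolerance()} -> {module_status(lic, today)}")
    print("policy deployment allowed:", policy_deployment_allowed(merged, today))
```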
7 Working with multiple database configurations
The SafeGuard Management Center allows the use of multiple database configurations (Multi
Tenants). If you want to use this feature, you need to enable it during installation. For further
information, see the SafeGuard Enterprise installation guide.
With Multi Tenancy, you can configure different SafeGuard Enterprise Database configurations
and maintain them for one instance of the SafeGuard Management Center. This is particularly
useful if you want to maintain different configurations for different domains, organizational units
or company locations.
Prerequisite: The feature Multi Tenancy must have been installed by a Complete installation.
The SafeGuard Management Center initial configuration must have been carried out.
To ease configuration, you can:
■ Create several database configurations.
■ Select previously created database configurations.
■ Delete database configurations from the list.
■ Import a previously created database configuration from a file.
■ Export a database configuration to be reused later.
7.1 Create further database configurations
To create a further SafeGuard Enterprise Database configuration after initial configuration:
1. Start the SafeGuard Management Center.
The Select Configuration dialog is displayed.
2. Click New.
The SafeGuard Management Center Configuration Wizard starts automatically. The Wizard
guides you through the necessary steps of creating a new database configuration.
3. Specify your settings as required.
The new database configuration is created.
4. To authenticate at the SafeGuard Management Center, you are prompted to select the security
officer name for this configuration and enter their certificate store password. Click OK.
The SafeGuard Management Center is opened and connected to the new database configuration.
The next time the SafeGuard Management Center is started, the new database configuration
can be selected from the list.
7.2 Connect to an existing database configuration
To work with an existing SafeGuard Enterprise Database configuration:
1. Start the SafeGuard Management Center.
The Select Configuration dialog is displayed.
2. Select the required database configuration from the drop-down list and click OK.
The selected database configuration is connected to the SafeGuard Management Center and
becomes active.
3. To authenticate at the SafeGuard Management Center, you are prompted to select the security
officer name for this configuration and to enter their certificate store password. Click OK.
The SafeGuard Management Center is launched and connected to the selected database
configuration.
7.3 Export a configuration to a file
To save or reuse a database configuration, you can export it to a file:
1. Start the SafeGuard Management Center.
The Select Configuration dialog is displayed.
2. Select the respective configuration from the list and click Export...
3. To secure the configuration file, you are prompted to enter and confirm a password that encrypts
parts of the configuration file. Click OK.
4. Specify a file name and storage location for the exported configuration file *.SGNConfig.
If this configuration already exists, you are asked if you want to overwrite the existing
configuration.
The database configuration file is saved to the specified storage location.
7.4 Import a configuration from a file
To use or change a database configuration, you can import a previously created configuration
into the SafeGuard Management Center. There are two ways to do so:
■ with the SafeGuard Management Center (for Multi Tenancy)
■ by double-clicking the configuration file (for Single and Multi Tenancy).
7.5 Import a configuration with the SafeGuard Management Center
1. Start the SafeGuard Management Center.
The Select Configuration dialog is displayed.
2. Click Import..., locate the required configuration file and click Open.
3. Enter the password for the configuration file defined during the export and click OK.
The selected configuration is displayed.
4. To activate the configuration, click OK.
5. To authenticate at the SafeGuard Management Center, you are prompted to select the security
officer name for this configuration and to enter their certificate store password. Click OK.
The SafeGuard Management Center is opened and connected to the imported database
configuration.
7.6 Import a configuration by double-clicking the configuration file (Single and Multi Tenancy)
Note: This task is available in the Single Tenancy and Multi Tenancy mode.
You can also export a configuration and distribute it to several security officers. The security
officers then only need to double-click the configuration file to open a fully configured SafeGuard
Management Center.
This is useful when you use SQL authentication for the database and want to avoid every
administrator having to know the SQL password. In this case, you only need to enter it once, create
a configuration file and distribute it to the respective security officers' computers.
Prerequisite: The initial configuration of the SafeGuard Management Center must have been
carried out. For details see the SafeGuard Enterprise Installation guide.
1. Start the SafeGuard Management Center.
2. Select Options from the Tools menu and select the Database tab.
3. Enter or confirm the credentials for the SQL Database Server connection.
4. Click Export configuration to export this configuration to a file.
5. Enter and confirm a password for the configuration file.
6. Enter a file name and select a storage location.
7. Distribute this configuration file to the security officers' computers. Let them know the password
for this file as well as the certificate store password needed to authenticate at the SafeGuard
Management Center.
8. The security officers just need to double-click the configuration file.
9. They are prompted to enter the password for the configuration file.
10. To authenticate at the SafeGuard Management Center, they are prompted to enter their
certificate store password.
The SafeGuard Management Center starts with the imported configuration. This configuration is
the new default configuration.
7.7 Fast switching of database configurations
To ease administrative tasks for several tenants, the SafeGuard Management Center allows for
fast switching of database configurations.
Note: This task is also available in Single Tenancy mode.
1. In the SafeGuard Management Center, select Change configuration... from the File menu.
2. Select the database you want to switch to from the drop-down list and click OK.
The SafeGuard Management Center is automatically restarted with the selected configuration.
7.8 Check database integrity
When you log on to the database, database integrity is automatically verified. If this check results
in any errors, the Verify Database Integrity dialog is displayed.
You can also start the database integrity check manually any time after logon and display the
Verify Database Integrity dialog:
1. In the SafeGuard Management Center, select Tools > Database integrity from the menu bar.
2. Check the tables by clicking Check all or Check selected.
Erroneous tables are marked in the dialog. To repair them, click Repair.
Note: After a SafeGuard Enterprise backend update (SQL) the database integrity check will
always be started. The check only needs to be performed once per SafeGuard Enterprise Database
to finish the update.
8 Registering and configuring SafeGuard Enterprise Server
The SafeGuard Enterprise Server needs to be registered and configured to establish the
communication settings between IIS server, database, and SafeGuard protected endpoint.
The information is stored in a server configuration package.
You carry out this task in the SafeGuard Management Center. The workflow depends on whether
SafeGuard Enterprise Server is installed on the same computer as the SafeGuard Management
Center or on a different one.
You may set further properties, such as adding additional security officers for the selected server
or configuring the connection to the database.
8.1 Register and configure SafeGuard Enterprise Server for the current computer
When the SafeGuard Management Center and SafeGuard Enterprise Server are installed on the
computer you are currently working on, register and configure SafeGuard Enterprise Server.
Note: This option is not available if Multi Tenancy is installed.
1. Start the SafeGuard Management Center.
2. On the Tools menu, click Configuration Package Tool.
3. Select the Servers tab and then select Make this computer an SGN Server.
4. Select Servers and then click Options:
SafeGuard Enterprise Server Configuration setup is automatically started.
5. Accept the defaults in all subsequent dialogs.
The SafeGuard Enterprise Server is registered. A server configuration package called
<Server>.msi is created and directly installed on the current computer. The server information
is displayed in the Servers tab. You may carry out additional configuration.
Note: If you want to install a new server configuration package (MSI) on the SafeGuard Enterprise
Server, make sure that you uninstall the old one first. Additionally, manually delete the local cache
so that it can be updated correctly with new configuration data, such as SSL settings. Then install
the new configuration package on the server.
8.2 Register and configure SafeGuard Enterprise Server for a different computer
When the SafeGuard Enterprise Server is installed on a different computer than the SafeGuard
Management Center, register and configure SafeGuard Enterprise Server:
1. Start the SafeGuard Management Center.
2. On the Tools menu, click Configuration Package Tool.
3. Select the Servers tab and then click Add....
4. In Server Registration click [...] to select the server's machine certificate. This is generated
when the SafeGuard Enterprise Server is installed. By default it is located in the MachCert
directory of the SafeGuard Enterprise Server installation directory. Its file name is
<Computername>.cer. If the SafeGuard Enterprise Server is installed on a different computer
than the SafeGuard Management Center, this .cer file must be accessible either as a copy or
through network permissions.
Do not select the MSO certificate.
The fully qualified domain name (FQDN), for example server.mycompany.com, and the certificate
information are displayed.
Note: If you connect a Mac endpoint to an SGN server, you must select SSL in the Transport
Encryption column in order to secure the connection.
When using SSL as transport encryption between endpoint and server, the server name
specified here must be identical to the one specified in the SSL certificate. Otherwise they
cannot communicate.
When configuring the connection, make sure that HTTPS port 443 is open.
5. Click OK.
The server information is displayed in the Servers tab.
6. Click the Server packages tab. The available servers are displayed. Select the required server.
Specify the output path for the server configuration package. Click Create Configuration
Package.
A server configuration package (MSI) called <Server>.msi is created in the specified location.
7. Confirm the success message with OK.
8. In the Servers tab, click Close.
You have finished registering and configuring SafeGuard Enterprise Server. Install the server
configuration package (MSI) on the computer running the SafeGuard Enterprise Server. You may
change the server configuration in the Servers tab at any time.
Note: If you want to install a new server configuration package (MSI) on the SafeGuard Enterprise
Server, make sure that you uninstall the old one first. Additionally, manually delete the local cache
so that it can be updated correctly with new configuration data, such as SSL settings. Then install
the new configuration package on the server.
8.3 Edit SafeGuard Enterprise Server properties
You can edit the properties and settings for any registered server and its database connection at
any time.
1. In the SafeGuard Management Center Configuration Package Tool, in the Servers tab,
select the required server.
2. Carry out any of the following:
Element: Description
Scripting allowed: Click to enable use of the SafeGuard Enterprise Management API. This allows
for scripting administrative tasks.
Server roles: Click to select/deselect an available security officer role for the selected server.
Win. Auth. WHD: This checkbox must be set to enable Windows Authentication for SafeGuard
Web Helpdesk on the selected server. If this checkbox is not set, only Security Officers with the
relevant Web Helpdesk rights can access SafeGuard Web Helpdesk. Refer to the SafeGuard Web
Helpdesk manual for further information on Windows Authentication for SafeGuard Web Helpdesk.
Add server role...: Click to add further specific security officer roles for the selected server if
required. You are prompted to select the server certificate. The security officer role is added and
can be displayed under Server roles.
Database connection: Click [...] to configure a specific database connection for any registered
web server, including database credentials and transport encryption between the web server and
the database server. For further information, see Configure the database server connection
(page 20). Even if the database connection check has not been successful, a new server
configuration package can be created.
Note: You do not have to rerun the SafeGuard Management Center Configuration Wizard to
update the database configuration. Simply make sure that you create a new server configuration
package afterwards and distribute it to the respective server. When the updated server package
is installed on the server, the new database connection can be used.
3. Create a new server configuration package in the Server packages tab.
4. Uninstall the old server configuration package, then install the new one on the respective
server.
The new server configuration becomes active.
8.4 Register SafeGuard Enterprise Server with Sophos firewall enabled
A SafeGuard Enterprise protected endpoint is unable to connect to SafeGuard Enterprise Server
when a Sophos firewall with default settings is installed on the endpoint. By default, the Sophos
firewall blocks NetBIOS connections which are needed for resolving the SafeGuard Enterprise
Server network name.
1. As a workaround, do one of the following:
■ Unblock NetBIOS connections in the firewall.
■ Include the fully qualified name of the SafeGuard Enterprise Server in the server
configuration package. For further information, see Register and configure SafeGuard
Enterprise Server for a different computer (page 37).
9 Securing transport connections with SSL
To enhance security SafeGuard Enterprise supports encrypting the transport connections between
its components with SSL:
■ The connection between the database server and the web server as well as the connection
between the database server and the computer on which the SafeGuard Management Center
resides may be encrypted with SSL.
■ The connection between the SafeGuard Enterprise Server and the SafeGuard Enterprise
managed computer may either be secured by SSL or by SafeGuard specific encryption. The
advantage of SSL is that it is a standard protocol and therefore a faster connection can be
achieved than by using SafeGuard transport encryption.
Mac: For securing the connection between the SafeGuard Enterprise Server and Mac endpoints,
SSL has to be used.
Note: We strongly recommend that you use SSL encrypted communication in this case,
except for demo or test setups. If, for some reason, this is not possible and SafeGuard-specific
encryption is used, there is an upper limit of 1000 clients that connect to a single server instance.
Before activating SSL in SafeGuard Enterprise, a working SSL environment needs to be set up.
For further information see the SafeGuard Enterprise Installation Guide.
9.1 Set up SSL
The following general tasks must be carried out for setting up the web server with SSL:
■ A Certificate Authority must be installed for issuing the certificates used by SSL encryption.
■ A certificate must be issued and the IIS server configured to use SSL and point to the certificate.
■ The server name specified when configuring the SafeGuard Enterprise Server must be the
same as the one specified in the SSL certificate. Otherwise client and server cannot
communicate. For each SafeGuard Enterprise Server a separate certificate is needed.
■ If you use a Network Load Balancer, make sure that the port range includes the SSL port.
For further information, contact our technical support or see:
■ http://msdn2.microsoft.com/en-us/library/ms998300.aspx
■ http://support.microsoft.com/default.aspx?scid=kb;en-us;316898
■ https://blogs.msdn.com/sql_protocols/archive/2005/11/10/491563.aspx
For further information see the SafeGuard Enterprise Installation Guide.
9.2 Activate SSL encryption in SafeGuard Enterprise
You may activate SSL encryption in SafeGuard Enterprise as follows:
■ Connection between web server and database server:
Activate SSL encryption when registering the SafeGuard Enterprise Server in the SafeGuard
Management Center Configuration Package Tool. For further information, see Configure the
database server connection (page 20) or see:
http://www.sophos.com/en-us/support/knowledgebase/109012.aspx.
■ Connection between the database server and SafeGuard Management Center:
Activate SSL encryption in the SafeGuard Management Center Configuration Wizard, see
Configure the database server connection (page 20).
■ Connection between SafeGuard Enterprise Server and the SafeGuard Enterprise protected
endpoint:
Activate SSL encryption when creating the configuration package for the SafeGuard Enterprise
managed endpoints in the SafeGuard Management Center Configuration Package Tool, see
Create configuration package for managed endpoints (page 93). For information on how to
configure the SafeGuard Enterprise Server and the SafeGuard Enterprise protected endpoint
to use SSL for securing communication, see the SafeGuard Enterprise installation guide.
You can set SSL encryption for SafeGuard Enterprise during first-time configuration of the
SafeGuard Enterprise components or later at any time. Create a new configuration package
afterwards and deploy it on the respective server or managed computer.
For further information see the SafeGuard Enterprise Installation Guide.
10 Creating the organizational structure
The organizational structure can be reflected in SafeGuard Management in two ways:
■ You can import an existing organizational structure into the SafeGuard Enterprise Database,
for example through an Active Directory.
■ You can manually create your organizational structure by creating workgroups and domains
along with a structure for managing policy items.
10.1 Import from Active Directory
You can import an existing organizational structure into the SafeGuard Enterprise Database, for
example through an Active Directory.
We recommend that you create one dedicated Windows service account that is used for all import
and synchronization tasks, to ensure correct import and to prevent accidental deletion of objects
in the SafeGuard Enterprise Database. To assign the necessary rights, see
http://www.sophos.com/en-us/support/knowledgebase/107979.aspx.
10.1.1 Import the organizational structure
Note: With the SafeGuard Management Task Scheduler, you can create periodic tasks for
automatic synchronization between Active Directory and SafeGuard Enterprise. Your product
delivery contains a predefined script template for this purpose. For further information, see
Scheduling tasks (page 267) and Predefined scripts for periodic tasks (page 273).
1. In the SafeGuard Management Center, select Tools > Options.
2. Select the Directory tab and click Add.
3. In LDAP Authentication, do the following:
a) For Server name or IP, enter the NetBIOS name of the domain controller or its IP address.
b) For User Credentials, enter your Windows user name and password for the environment.
c) Click OK.
Note: For Windows single computers, a directory must be shared to enable a connection
through LDAP.
4. Click Users and Computers.
5. In the left-hand navigation window, click the root directory Root [filter is active].
6. In the action area on the right, select the Synchronize tab.
7. Select the required directory from the Directory DSN list and click the magnifier icon (top
right).
A graphical representation of the Active Directory structure of the organizational units (OU) in
your company is displayed.
8. Check the organizational units (OU) to be synchronized. You do not need to import the entire
contents of the Active Directory.
9. To also synchronize memberships, select the check box Synchronize memberships. To also
synchronize the user enabled state, select the check box Synchronize user enabled state.
10. At the bottom of the action area, click Synchronize.
When synchronizing users and their group memberships, the membership to a "primary group"
is not synchronized as it is not visible for the group.
The domains are synchronized. Synchronization details are displayed. Click on the message
displayed in the status bar beneath the buttons on the left to view a synchronization protocol.
Click on the protocol to copy it to the clipboard and paste it into an e-mail or file.
Note: If elements have been moved from one subtree to another in Active Directory, both subtrees
have to be synchronized with the SQL database. Synchronizing just one subtree will result in
deleting instead of moving the objects.
Note: We recommend that you divide the import of more than 400,000 objects from AD into
multiple operations. This may not be possible if there are more than 400,000 objects in a single
organizational unit.
10.1.2 Import a new domain from an Active Directory
1. In the left-hand navigation window, click the root directory Root [filter is active].
2. Select File > New > Import domain from Active Directory.
3. In the action area on the right, select Synchronize.
4. Select the required directory from the Directory DSN list and click the magnifier icon (top
right).
A graphical representation of the Active Directory structure of the organizational units (OU) in
your company is displayed.
5. Check the domain to be synchronized and click Synchronize at the bottom of the navigation
area.
Note: If elements have been moved from one subtree to another in Active Directory, then both
subtrees have to be synchronized with the SQL database. Synchronizing just one subtree results
in deleting instead of moving the objects.
Note: AD synchronization does not synchronize the pre-Windows 2000 (NetBIOS) name of the
domain, if the Domain Controller is configured with an IP address. Configure the Domain Controller
to use the server name (NetBIOS or DNS) instead. The client (on which the AD synchronization
is running) must be either part of the domain, or it must be able to resolve the DNS name to the
target Domain Controller.
10.1.3 Security officer access rights and Active Directory import
The following applies for importing the organizational structure from an Active Directory as far as
required access rights are concerned:
■ For Active Directory connection handling, the following applies if you add an Active Directory
connection to a domain that already exists:
  ■ If you have Full access rights for the domain (DNS), the directory connection credentials
  are updated.
  ■ If you have Read only rights or less for the domain (DNS), the credentials are not updated,
  but you can use existing credentials for synchronization purposes.
■ For Active Directory import and synchronization, the access rights to a container or a domain
are projected to the domain tree you can import or synchronize. If you do not have Full access
rights for a sub-tree, it cannot be synchronized. If a sub-tree cannot be modified, it is not shown
in the synchronization tree.
■ Regardless of your security officer access rights for directory objects, you can import a new
domain from the Active Directory if it does not exist in the SafeGuard Enterprise Database
yet. You and your superior security officers will be granted Full access rights to the new
domain automatically.
■ If you select a sub-container for synchronization, synchronization has to be done all the way
up to the root. In the synchronization tree, all relevant containers are selected automatically,
even if there are any containers above the sub-container that are Read only or Denied
according to your access rights. If you deselect a sub-container, you also may have to deselect
containers up to the root, depending on your access rights.
If a group with Read only or Denied access is included in a synchronization process, the
following happens:
  ■ The group's memberships are not updated.
  ■ If the group was deleted in the Active Directory, it will nevertheless not be deleted from the
  SafeGuard Enterprise Database.
  ■ If the group was moved in the Active Directory however, it will be moved within the
  SafeGuard Enterprise Structure, even to a container you do not have Full access rights
  for.
If a container with Read only or Denied access is included in the synchronization because it
is on the way up to the root and the container contains a group with Full access, this group
will be synchronized. Groups with Read only or Denied access will not.
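The selection and access-right rules above, modelled as an added example that is not part of the product or this manual: checking a sub-container pulls in every container on the path to the root, and within that selection only groups with Full access are actually synchronized. The container tree and the access rights are constructed sample data, not taken from a real directory.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Security officer access rights as named in the manual.
FULL, READ_ONLY, DENIED = "Full", "Read only", "Denied"


@dataclass
class Container:
    name: str
    parent: Optional[str]                                 # None for the root
    access: str                                           # officer's right on the container
    groups: Dict[str, str] = field(default_factory=dict)  # group name -> officer's right


def selected_for_sync(tree: Dict[str, Container], chosen: Set[str]) -> Set[str]:
    """Checking a sub-container also selects every container on the path up to the
    root, even ancestors on which the officer only has Read only or Denied rights."""
    selected: Set[str] = set()
    for name in chosen:
        node: Optional[str] = name
        while node is not None:
            selected.add(node)
            node = tree[node].parent
    return selected


def groups_synchronized(tree: Dict[str, Container], selected: Set[str]) -> Set[str]:
    """Of the groups inside the selected containers, only those with Full access are
    synchronized, also when their container is selected merely as part of the path
    to the root."""
    return {g for name in selected
            for g, access in tree[name].groups.items() if access == FULL}


def groups_left_untouched(tree: Dict[str, Container], selected: Set[str]) -> Set[str]:
    """Read only and Denied groups keep their memberships and are not deleted."""
    return {g for name in selected
            for g, access in tree[name].groups.items() if access != FULL}


# Constructed sample tree: the officer has Read only rights on "Sales" but Full rights
# on the "Sales/EMEA" sub-container and on one group inside "Sales".
SAMPLE_TREE = {
    "Root": Container("Root", None, FULL),
    "Sales": Container("Sales", "Root", READ_ONLY,
                       {"Sales-All": READ_ONLY, "Sales-Admins": FULL}),
    "Sales/EMEA": Container("Sales/EMEA", "Sales", FULL, {"EMEA-Staff": FULL}),
    "Finance": Container("Finance", "Root", DENIED, {"Finance-All": DENIED}),
}

if __name__ == "__main__":
    sel = selected_for_sync(SAMPLE_TREE, {"Sales/EMEA"})
    print("containers selected:", sorted(sel))
    print("groups synchronized:", sorted(groups_synchronized(SAMPLE_TREE, sel)))
    print("groups left untouched:", sorted(groups_left_untouched(SAMPLE_TREE, sel)))
```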
10.2 Creating workgroups and domains
Security officers with the necessary rights can manually create workgroups or domains along with
a structure for managing policy items. It is also possible to assign policies and/or encryption
policies to local users.
You only have to manually create domains if you do not want to or cannot import a domain
from an Active Directory (AD), for example because there is no AD available.
10.2.1 Register as a new user
For information on users logging on to SafeGuard Enterprise for the first time, see SafeGuard
Power-on Authentication (POA) (page 97).
When a new user logs on to SafeGuard Enterprise once their endpoint has contacted the
SafeGuard Enterprise Server, they are registered and automatically displayed in the Users and
Computers area of the SafeGuard Management Center under their respective domain or
workgroup.
The directory for these users/computers (.Auto registered) is automatically created under the
root directory and under each domain/workgroup. It cannot be renamed nor moved. Objects in
this directory cannot be moved manually either. When the organizational unit (OU) is synchronized
with the next contact to the SafeGuard Enterprise Database, the object is moved to the respective
OU. Otherwise it remains under the .Auto registered directory of their domain/workgroup.
As a security officer you can then manage the auto-registered objects as usual.
Note: Local users cannot log on to SafeGuard Enterprise with an empty password. Local users
who log on to SafeGuard Enterprise with an empty password remain guest users and are not
saved to the database. If Windows Autologon is activated for these users, logon is denied. For a
successful logon at SafeGuard Enterprise, a new password must be created in this case and
Windows Autologon must be deactivated in the registry of the endpoint.
Note: Microsoft accounts are always handled as SafeGuard Enterprise guest users.
10.2.2 Examples for auto-registration
Below you find two examples for the behavior of auto-registered objects.
Users/computers not part of an Active Directory
In a company, not all user or computer objects may necessarily be part of an Active Directory
(AD), for example local users. A company may have one or several workgroups so that an AD is
not needed.
This company wants to deploy SafeGuard Enterprise and then add policies to its user/computer
objects. Therefore the company's organizational structure is created manually in the SafeGuard
Management Center as follows:
The objects remain in the .Auto registered folder. They can be properly managed with the
SafeGuard Management Center by applying policies to the .Auto registered folder.
SafeGuard Enterprise Database and Active Directory out of sync
A user is already part of the company's Active Directory (AD). But the SafeGuard Enterprise
Database and the AD are out of sync. The user (User 1) logs on to SafeGuard Enterprise and is
automatically displayed in the SafeGuard Management Center Users and Computers area under
the domain that is provided with the logon (Domain 1).
The user is now part of the .Auto registered folder. The object can be properly managed with the
SafeGuard Management Center by applying policies to the .Auto registered folder.
Upon the next synchronization between the AD and the SafeGuard Enterprise Database User 1
is automatically moved to their organizational unit (Users).
For policies to become active for User 1, they must be assigned to the organizational unit Users
from now on.
10.2.3 Keys and certificates for auto-registered objects
For each auto-registered object, a certificate is generated as required by the server.
A local user gets two keys:
■ the key to the .Auto registered container
■ the private key generated as required by the server
Local users neither get any other keys for their assigned container nor a root key.
Workgroups do not get a key.
10.2.4 Policies for auto-registered objects
For auto-registered objects, policies can be created without any restrictions.
Local users are added to the "Authenticated Users" group. Computers are added to the
"Authenticated Computers" group. The policies activated for these groups apply accordingly.
10.2.5 Create workgroups
Security officers with the required rights can create a container under the root directory which
represents a Windows workgroup. Workgroups do not have a key. They cannot be renamed.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left, right-click Root [Filter is active] and select New > Create
new workgroup (auto registration).
3. Under Common information, do the following:
a) Enter a Full name for the workgroup.
b) Optionally you can add a description.
c) The object type is displayed in the Connection state field, in this case Workgroup.
d) To prevent policy inheritance, you can select Block Policy Inheritance.
e) Click OK.
The workgroup is created. The default .Auto registered directory is automatically created under
the workgroup container. It cannot be renamed or deleted.
10.2.6 Delete workgroups
To delete a workgroup, you need Full access rights for the workgroup concerned and for all
objects involved. Members assigned to the workgroup are also deleted. They are automatically
re-registered at their next logon.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left, right-click the workgroup you want to delete and select
Delete.
3. Click Yes to confirm.
The workgroup is deleted. Any members are also deleted.
Note: If you do not have Full access rights for all members of the workgroup, deleting the
workgroup fails and an error message is displayed.
10.2.7 Create a new domain
Security officers with the required rights can create a new domain under the root directory. You
only have to create a new domain, if you do not want to or you cannot import a domain from the
Active Directory (AD) (for example because there is no AD available).
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left, right-click Root [Filter is active] and select New > Create
new domain (auto registration).
3. Under Common information, enter the following information about the domain controller.
Both name entries must be correct. Otherwise the domain will not be synchronized.
a) Full name: For example computer name.domain.com or the IP address of the domain
controller
b) Distinguished name (read-only): DNS name, for example
DC=computername3,DC=domain,DC=country
c) A domain description (optional)
d) Netbios name: Name of the domain controller
e) The object type is displayed under Connection state, in this case Domain.
f) To prevent policy inheritance, you can select Block Policy Inheritance.
g) Click OK.
The new domain is created. Users and/or computers are automatically assigned to this domain
during auto-registration. The default .Auto registered directory is automatically created under
the domain container. It cannot be renamed or deleted.
10.2.8 Rename a domain
Security officers with the required rights can rename a domain and define additional properties.
You need Full access rights for the relevant domain.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left, right-click the domain you want to rename and select
Properties.
3. In Common information under Full name, change the domain name and the description.
4. You can change the name of the domain controller in Netbios name.
5. You can also define the Wake on LAN mode for automatic restart in the Container Settings
tab.
6. Click OK to confirm.
The changes are now saved.
10.2.9 Delete a domain
Security officers with the required rights can delete domains. To delete a domain, you need Full
access rights for the domain concerned.
Note: Members assigned to the domain are also deleted.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation window on the left, right-click the domain you want to delete and select Delete.
3. Click Yes.
The domain is deleted. Any members are also deleted.
Note: If you have less than Full access rights for all members of the domain, deleting the domain
fails and an error message is displayed.
10.2.10 Delete auto registered computers
When an auto-registered computer is deleted, all local users of this computer are also deleted.
They are automatically re-registered the next time they log on to this computer.
10.2.11 Filter for local objects
10.2.11.1 Users and Computers
In Users and Computers, you can filter the view in the navigation area on the left according to
local users or search for specific local users.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the bottom left of the navigation window, click Filter.
3. Select Local User as Type. If you are looking for a specific user, enter the name of this user.
4. Click the magnifier icon.
The Users and Computers view is filtered according to the criteria.
Note: Microsoft accounts are always handled as SafeGuard Enterprise guest users.
10.2.11.2 Logging
Successful/unsuccessful registrations of users, computers or workgroups are logged. You can
view a list of this information in the SafeGuard Management Center under Reports in the event
viewer.
10.3 Search for users, computers and groups in the SafeGuard Enterprise Database
To display objects in the Find Users, Computers and Groups dialog, you need Read only or
Full access rights for the relevant objects.
Note: When you search for objects, you only get the search results within the areas (domain)
for which you have been granted access as a security officer. Only a Master Security Officer can
successfully perform a root search process.
In Users and Computers, you can search for objects using different filters. For example, you
can easily identify duplicates that may have been caused by an AD synchronization process with
the Duplicate users and computers filter. This filter shows all computers with the same name
in one domain and all users with the same name, logon name or pre-2000 logon name in one
domain.
To search for objects:
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation area, select the required container.
3. In the SafeGuard Management Center menu bar, click Edit > Find.
The Find Users, Computers and Groups dialog is displayed.
4. Select the required filter from the Find drop-down list.
5. In the In field, the selected container is displayed.
You can change this by selecting a different option from the drop-down list.
6. If you search for a specific object, enter the required search name in the Search Name field.
7. With the Clear results after each search check box, specify whether results should be cleared
after each search process.
8. Click Find now.
The results are displayed in the Find Users, Computers and Groups dialog. If you click on one
of the results in this dialog, the relevant entry is marked in the Users and Computers tree structure.
If you have searched for duplicates for example, you can now easily delete them.
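The Duplicate users and computers filter described above, reimplemented in Python as an added example (not SafeGuard Enterprise code) so the matching rule is explicit: computers are compared by name, users by name, logon name and pre-2000 logon name, and only within one domain. The records are constructed; comparing case-insensitively is my assumption, since the page does not say how case is treated.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample user objects (domain, name, logon name, pre-2000 logon name).
USERS: List[Dict[str, str]] = [
    {"domain": "corp", "name": "Jane Doe", "logon": "jdoe",     "pre2000": "CORP\\jdoe"},
    {"domain": "corp", "name": "Jane Doe", "logon": "jane.doe", "pre2000": "CORP\\jane.doe"},
    {"domain": "corp", "name": "John Roe", "logon": "jroe",     "pre2000": "CORP\\jroe"},
    {"domain": "corp", "name": "J. Roe",   "logon": "JROE",     "pre2000": "CORP\\j.roe"},
    {"domain": "lab",  "name": "John Roe", "logon": "jroe",     "pre2000": "LAB\\jroe"},
]

# Constructed sample computer objects (domain, name).
COMPUTERS: List[Dict[str, str]] = [
    {"domain": "corp", "name": "PC-01"},
    {"domain": "corp", "name": "pc-01"},
    {"domain": "lab",  "name": "PC-01"},
    {"domain": "corp", "name": "PC-02"},
]

USER_KEYS = ("name", "logon", "pre2000")   # name, logon name, pre-2000 logon name
COMPUTER_KEYS = ("name",)

BucketKey = Tuple[str, str, str]            # (domain, attribute, normalized value)


def normalize(value: str) -> str:
    # Assumption: Windows account and computer names compare case-insensitively.
    return value.strip().casefold()


def find_duplicates(records: Iterable[Dict[str, str]],
                    keys: Tuple[str, ...]) -> Dict[BucketKey, List[Dict[str, str]]]:
    """Bucket records per (domain, attribute, value) and keep the buckets with
    more than one member. The domain is part of the key, so the same name in
    two different domains is not reported as a duplicate."""
    buckets: Dict[BucketKey, List[Dict[str, str]]] = defaultdict(list)
    for rec in records:
        for key in keys:
            buckets[(rec["domain"], key, normalize(rec[key]))].append(rec)
    return {k: v for k, v in buckets.items() if len(v) > 1}


def duplicate_users(users=USERS):
    return find_duplicates(users, USER_KEYS)


def duplicate_computers(computers=COMPUTERS):
    return find_duplicates(computers, COMPUTER_KEYS)


if __name__ == "__main__":
    for (domain, attr, value), recs in {**duplicate_users(), **duplicate_computers()}.items():
        print(f"{domain}: {len(recs)} objects share {attr} = {value!r}")
```

With the constructed data the filter reports the two "Jane Doe" objects and the two objects whose logon names differ only in case, plus the two corp computers named PC-01; the lab objects with the same names are left alone because they sit in another domain.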
10.4 Display object properties in User and Computers
To display object properties, you need Full access or Read only rights for the objects concerned.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the navigation window of Users and Computers, right-click the required object and select
Properties.
The properties of the selected object are displayed. If you have Read only access rights for the
relevant object, the properties information is greyed out in the dialog and you cannot edit them.
11 SafeGuard Enterprise Security Officers
SafeGuard Enterprise can be administered by one or more security officers. The role-based
management of SafeGuard Enterprise allows splitting administration among several users. Any
user may be assigned one or more roles. To enhance security, additional authorization of an
action can be assigned to an officer's role.
During initial configuration of the SafeGuard Management Center, a top-level administrator, the
Master Security Officer (MSO), with all the rights and a certificate is created by default. The MSO
certificate by default expires after 5 years and can be renewed in the Security Officers section
of the Management Center. Further security officers can be assigned for specific tasks such as
helpdesk or auditing.
In the SafeGuard Management Center navigation area, you can arrange security officers
hierarchically to reflect your company's organizational structure. However, this does not imply
any hierarchy in terms of rights and roles.
Note: Two security officers must not use the same Windows account on the same computer.
Otherwise it is not possible to separate their access rights properly. Additional authentication is
more secure when security officers must authenticate with cryptographic tokens/smartcards.
11.1 Security officer roles
For easy operation, SafeGuard Enterprise offers predefined security officer roles with a variety
of functions. Security officers with the necessary rights can define new roles from a list of
actions/rights and assign them to particular security officers.
The following types of roles are provided:
■ Master Security Officer (MSO) role
■ Predefined roles
■ Customized roles
11.1.1 Master Security Officer
After installing SafeGuard Enterprise, a Master Security Officer (MSO) is created by default during
initial configuration of the SafeGuard Management Center. The Master Security Officer is the
top-level security officer, possesses all rights and is able to access all objects (similar to a Windows
administrator). The Master Security Officer rights cannot be modified.
Several Master Security Officers may be created for one instance of the SafeGuard
Management Center. We strongly recommend creating at least one additional MSO for security
reasons. Additional MSOs may be deleted, but there must always remain one user with the role
of MSO who has been explicitly created as MSO in the SafeGuard Enterprise Database.
A Master Security Officer can delegate tasks to another person. There are two ways to do this:
■ A new security officer can be created in Security Officers.
■ A user or all members of a container imported from the Active Directory and visible in the
SafeGuard Management Center in the root directory can be promoted to security officer in
Users and Computers.
One or more roles and domains can then be assigned to them. For example, a user may be
assigned the role of Supervising Officer plus the role of Helpdesk Officer.
However, the Master Security Officer can also create custom roles and assign them to particular
users.
11.1.2 Predefined roles
In the SafeGuard Management Center, the following security officer roles (apart from the MSO)
are predefined. The assignment of rights to these predefined roles cannot be changed. For
example, if a predefined role has the right to "Create policy items and policy groups", this right
cannot be deleted from the role. Neither can a new right be added to a predefined role. Additional
officer authentication however, may be assigned to predefined roles at any time.
■ Supervising Officer: Supervising Officers can see their own node in the Security Officers area
and have the right to manage security officers belonging to their node.
■ Security Officer: Security Officers have extensive rights including SafeGuard Enterprise
configuration, policy and key management, permissions for monitoring and recovery.
■ Helpdesk Officer: Helpdesk Officers have the rights to perform recovery actions. Additionally,
they can view most function areas of the SafeGuard Management Center.
■ Audit Officer: To monitor SafeGuard Enterprise, Audit Officers may display most function areas
of the SafeGuard Management Center.
■ Recovery Officer: Recovery Officers have the rights to repair the SafeGuard Enterprise Database.
11.1.3 Customized roles
As a security officer with the required rights, you can define new roles from a list of actions/rights
and assign them to an existing or new security officer. As with predefined roles, you may enable
the additional officer authentication for a function of the role any time.
When you assign a new role, note the following regarding additional authentication:
Note: If a user has two roles with the same rights and additional authentication is assigned to
one of the roles, this automatically applies to the other role.
A security officer with the required rights may add or delete rights to or from a custom role. Unlike
predefined roles, custom roles can even be deleted as required. If the role is deleted, it is no
longer assigned to any user. If a user only has one role assigned and this role is deleted, the user
can no longer log on at the SafeGuard Management Center.
Note: The role and the actions defined within it determine what a user may and may not do. This
is also true if the user has been assigned more than one role. After the user has logged on to the
SafeGuard Management Center only those areas are activated and displayed that are needed
for the respective role. This also applies to the scripts and API areas. It is therefore important to
always activate the view in which the respective actions are defined. Actions are sorted by function
area and hierarchically structured. This structure shows which actions are required before certain
other actions can be performed.
11.1.4 Additional officer authentication
Additional officer authentication (also referred to as two persons rule) may be assigned to specific
actions of a role. This means that the user of this role is only permitted to perform a certain action
if a user of another role is present and confirms it. Each time the user performs this action another
user has to confirm it.
Additional authentication may be assigned to both predefined and custom roles. As soon as at
least one other officer holds the same role, the role itself can also be selected as the confirming role.
The role which is to perform the additional authorization must have been assigned to a user and
there need to be at least two security officers in the SafeGuard Enterprise Database. Once
additional authentication is required for an action, it is required even if the user owns another role
that does not require additional authentication for this action.
If an officer without the right to change the additional authentication creates a role, settings for
additional authentication of the new role will be pre-filled to match those set for the creating officer.
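The authorization semantics of sections 11.1.3 and 11.1.4, written out in Python as an added example (not SafeGuard Enterprise code): rights are the union of an officer's roles, additional authentication stays required once any assigned role demands it for an action, the actor cannot confirm their own action, and a role can only be chosen as confirming role if it is held by another officer. The roles, actions, officers and function names are constructed for the example; only "Create policy items and policy groups" is an action named on the page.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed roles: role name -> actions the role permits.
ROLES: Dict[str, Set[str]] = {
    "Helpdesk Officer": {"Perform recovery", "View logs"},
    "Key Officer": {"Perform recovery", "Create policy items and policy groups", "View logs"},
    "Audit Officer": {"View logs"},
}

# Constructed additional-authentication settings: (role, action) -> confirming role.
ADDITIONAL_AUTH: Dict[Tuple[str, str], str] = {
    ("Key Officer", "Create policy items and policy groups"): "Audit Officer",
    ("Helpdesk Officer", "Perform recovery"): "Key Officer",
}

# Constructed security officers: officer name -> assigned roles.
OFFICERS: Dict[str, Set[str]] = {
    "alice": {"Helpdesk Officer", "Key Officer"},
    "bob": {"Audit Officer"},
    "carol": {"Key Officer"},
}


def permitted_actions(officer: str) -> Set[str]:
    """An officer's rights are the union of all assigned roles."""
    return set().union(*(ROLES[r] for r in OFFICERS[officer]))


def required_confirmers(officer: str, action: str) -> Set[str]:
    """Roles that must confirm `action` for this officer. Once any assigned
    role needs additional authentication for the action, it is required even
    if another assigned role grants the same action without it."""
    return {ADDITIONAL_AUTH[(r, action)]
            for r in OFFICERS[officer]
            if action in ROLES[r] and (r, action) in ADDITIONAL_AUTH}


def authorize(officer: str, action: str, confirmer: Optional[str] = None) -> str:
    """Decide one attempt to perform `action`. Every attempt is decided afresh:
    a confirmation is never carried over to the next attempt."""
    if action not in permitted_actions(officer):
        return "denied"
    needed = required_confirmers(officer, action)
    if not needed:
        return "allowed"
    if confirmer is None or confirmer == officer:
        return "confirmation required"        # the actor cannot confirm themselves
    if OFFICERS[confirmer] & needed:
        return "allowed (confirmed)"
    return "confirmation required"            # confirmer lacks the confirming role


def selectable_confirming_roles(role: str) -> Set[str]:
    """Roles that may be set as confirming role for `role`: there must be at
    least two officers, the candidate must be assigned to someone, and the
    role itself only qualifies when at least one other officer holds it."""
    if len(OFFICERS) < 2:
        return set()
    holders = {r: sum(1 for assigned in OFFICERS.values() if r in assigned) for r in ROLES}
    return {r for r, n in holders.items() if n >= (2 if r == role else 1)}


if __name__ == "__main__":
    print(authorize("alice", "Perform recovery"))           # Key Officer must confirm
    print(authorize("alice", "Perform recovery", "carol"))  # carol holds Key Officer
    print(sorted(selectable_confirming_roles("Helpdesk Officer")))
```

Note that alice holds Key Officer, which grants "Perform recovery" without confirmation, yet her Helpdesk Officer role makes confirmation mandatory for her; that is the sticky rule from the paragraph above, and the reason a second role cannot be used to sidestep the two-person check.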
11.2 Create a role
Prerequisite: To create a new role, you need the right to display and create security officer roles.
To assign additional authentication you need the right to "Change additional authentication
settings".
1. In the SafeGuard Management Center, select Security Officers.
2. Right-click Custom Roles and select New > New custom role.
3. In New custom role, enter a name and description for the role.
4. Assign the actions to this role: Select the check boxes next to the required action in the Enabled
column.
Actions are sorted by function area and hierarchically structured. This structure shows which
actions are required before certain other actions can be performed.
5. If required, assign Additional officer authentication: Click the default setting None and select
the required role from the list.
If an officer without the right to change the additional authentication creates a role, then the
additional authentication is prefilled depending on the additional authentication set for the
officer's roles.
6. Click OK.
The new role is displayed in the navigation window under Custom Roles. When you click the
role, the permitted actions are displayed in the action area on the right.
11.3 Assign a role to a security officer
Prerequisite: To assign a role, you need the right to display and modify security officers.
1. Select the respective officer in the navigation window.
Their properties are displayed in the action area on the right.
2. Assign the required roles by selecting the relevant boxes next to the available roles.
Predefined roles are displayed in bold.
3. Click the double-headed arrow symbol Refresh in the toolbar.
The role is assigned to the security officer.
Note: Complex customized roles may cause slight performance issues in using the SafeGuard
Management Center.
11.4 Displaying officer and role properties
Prerequisite: To get an overview of the security officer properties or the role assignment, you
need the right to display security officers and security officer roles.
To display security officer and role properties:
1. In the SafeGuard Management Center, click Security Officers.
2. In the navigation area on the left, double-click the object you want to get an overview of.
The information displayed in the action area on the right depends on the object selected.
11.4.1 Display MSO properties
The general and modification information of the MSO is displayed.
11.4.2 Display security officers properties
The general and modification information for the security officer is displayed.
1. In Properties, select the Actions tab to display a summary of actions permitted and the roles
assigned to the security officer.
11.4.3 Display security officers rights and roles
A summary of actions of all roles assigned to the security officer is displayed. The tree view shows
what actions are required before certain other actions can be performed. Additionally, the assigned
roles can be displayed.
1. In the <Security officer name> properties dialog, on the Actions tab, select an action to
display all assigned roles that contain this action.
2. Double-click a role in the Assigned roles with selected action list. The <Security officer
name> properties dialog is closed and the role's properties are displayed.
11.4.4 Display role properties
The general and modification information for the role are displayed.
1. In Properties, select the Assignment tab to display the security officers assigned to this role.
11.4.5 Display role assignment
1. In the <Role name> Properties, on the Assignment tab, double-click a security officer. The
Properties dialog is closed and the security officer's general data and roles are displayed.
11.5 Modifying a role
You can do the following:
■
Modify additional authentication only.
■
Modify all properties of the role.
The icon next to the roles shows which action is available (the icons themselves are not
reproduced here):
■ The role can be modified (add/remove actions).
■ Additional authentication can be changed.
■ Both modifications are available.
Note: Predefined roles and the actions assigned to them cannot be modified. If additional
authentication is activated, it can be modified for any role, even for predefined roles.
11.5.1 Modify additional authentication only
Prerequisite: To assign additional authentication, you need the right to display security officer
roles and to "Change additional authentication settings".
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window under Custom Roles, click the role you want to change. In the action
area on the right, click the required setting in the Additional security officer authentication
column and select a different role from the list.
Predefined roles are displayed in bold.
3. Click the Save icon in the toolbar to save your changes to the database.
Additional officer authentication has been changed for this role.
11.5.2 Modify all properties of a role
Prerequisite: To change a custom role, you need the right to display and modify security officer
roles. To reassign additional authentication, you also need the right to "Change additional
authentication settings".
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window under Custom Roles, right-click the role you want to change and
select Modify custom role.
3. Change the properties as required. Change additional authentication properties by clicking
the value in this column and selecting the required role.
4. Click the Save icon in the toolbar to save your changes to the database.
The role has been modified.
11.6 Copy a role
To create a new role that has similar properties as an existing role, you can use the existing role
as a template for the new role. You can select a predefined or custom role as a template.
Prerequisite: You can only use an existing role as a template if the currently authenticated security
officer has all the rights contained in that role. This function may therefore be disabled for officers
with a limited set of actions.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, right-click the role you want to copy and select New > New copy
of role. In New custom role, all properties of the existing role are already preselected.
3. Enter a new name for this role and change the properties as required.
4. Click the Save icon in the toolbar to save your changes to the database.
The new role is created.
11.7 Delete a role
Note: Predefined roles cannot be deleted.
Prerequisite: To delete a role, you need the right to display and delete security officer roles.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window under Custom Roles, right-click the role you want to delete and
select Delete. Depending on the role's properties a corresponding warning message will be
displayed.
Note: When you delete a role, all security officers this role is assigned to lose it. If the role is
the only one assigned to a security officer, the security officer can no longer log on to the
SafeGuard Management Center unless a superior security officer assigns a new role to the
security officer. If the role is used for additional authentication, the MSO will be requested to
perform additional authentication.
3. To delete the role, click Yes in the warning message.
4. Click the Save icon in the toolbar to save your changes to the database.
The role is deleted from the navigation window and from the database.
11.8 Create a Master Security Officer
Prerequisite: To create a new Master Security Officer, you need the right to display and create
security officers.
Note: A quick way of creating new Master Security Officers is to promote a Security Officer. For
further information, see Promoting security officers (page 64).
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, right-click the Master Security Officers node and select New >
New Master Security Officer.
3. Make the relevant entries in New master security officer:
Field/check box and description:
Enabled: The security officer can be deactivated until further notice. This means that the
security officer is in the system, but they cannot log on to the SafeGuard Management Center
yet. They can only log on and perform their administrative tasks when another security officer
activates them.
Name: Enter the name of the security officer as given in the certificates created by SafeGuard
Enterprise in cn =. The security officer is also displayed under this name in the SafeGuard
Management Center navigation window. This name must be unique. Maximum value: 256
characters.
Description: Optional. Maximum value: 256 characters.
Cell phone: Optional. Maximum value: 128 characters.
E-Mail: Optional. Maximum value: 256 characters.
Token logon: The logon can be done in the following ways:
■ No token: The security officer may not log on with a token. They have to log on by entering
the logon information (user name/password).
■ Optional: Logon can be either with a token or by entering the logon information. The security
officer is free to choose.
■ Mandatory: A token has to be used to log on. To do this, the private key that belongs to the
security officer's certificate must be on the token.
Certificate: A security officer always needs a certificate to log on to the SafeGuard Management
Center. The certificate can either be created by SafeGuard Enterprise or an existing one can be
used. If token logon is essential, the certificate has to be added to the security officer's token.
■ Create: The certificate and key file are created and saved in a selected location. Enter and
confirm a password for the .p12 key file. The .p12 file must be available to the security officer
when logging on. The certificate created is automatically assigned to the security officer and
displayed in Certificate. If SafeGuard Enterprise password rules are used, rules in the Active
Directory should be deactivated.
Note: Max. length of path and file name: 260 characters. When creating a security officer, the
certificate's public part is sufficient. When logging on to the SafeGuard Management Center,
however, the certificate's private section (the key file) is also required. If it is not available in
the database, it must be available to the security officer (for example on a memory stick) and
may be stored in the certificate store during logon.
■ Import: An existing certificate is used which is assigned to the security officer during import.
If the import is from a .p12 key file, the certificate's password must be known. If a PKCS#12
certificate container is selected, all certificates are loaded into the list of assignable certificates.
The certificate is then assigned after the import by selecting it from the drop-down list.
4. Click OK to confirm.
The new Master Security Officer is displayed in the navigation window under the Master Security
Officers node. Their properties can be displayed by selecting the respective security officer in
the navigation window. The MSO can log on to the SafeGuard Management Center with the name
displayed.
11.9 Create a security officer
Prerequisite: To create a security officer, you need the right to display and create security officers.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window right-click the security officer’s node where you want to locate the
new security officer and select New > New Security Officer.
3. Make the relevant entries in the New security officer dialog:
Field/check box and description:
Enabled: The security officer can be deactivated until further notice. This means that the
security officer is in the system, but they cannot log on to the SafeGuard Management Center
yet. They can only log on and perform their administrative tasks when another security officer
activates them.
Name: Enter the name of the security officer as provided in the certificates created by SafeGuard
Enterprise in cn =. The security officer is also displayed under this name in the SafeGuard
Management Center navigation window. This name must be unique. Maximum value: 256
characters.
Description: Optional. Maximum value: 256 characters.
Cell phone: Optional. Maximum value: 128 characters.
E-Mail: Optional. Maximum value: 256 characters.
Validity: Select from when and to when (date) the security officer should be able to log on to
the SafeGuard Management Center.
Token logon: The logon can be done in the following ways:
■ No token: The security officer may not log on with a token. They have to log on with their
credentials (user name/password).
■ Optional: Logon can be either with a token or with the credentials. The security officer is free
to choose.
■ Mandatory: A token has to be used to log on. To do this, the private key that belongs to the
security officer's certificate must be on the token.
Certificate: A security officer always needs a certificate to log on to the SafeGuard Management
Center. The certificate can either be created by SafeGuard Enterprise or an existing one can be
used. If token logon is essential, the certificate has to be added to the security officer's token.
■ Create: The certificate and key file are created as new and saved in a selected location. Enter
and confirm a password for the .p12 key file. The .p12 file must be available to the security
officer when logging on. The certificate created is automatically assigned to the security officer
and displayed in Certificate. If SafeGuard Enterprise password rules are used, rules in the Active
Directory should be deactivated.
Note: Max. length of path and file name: 260 characters. When creating a security officer, the
certificate's public part is sufficient. When logging on to the SafeGuard Management Center,
however, the certificate's private section (the key file) is also required. If it is not available in
the database, it must be available to the security officer (for example on a memory stick) and
may be stored in the certificate store during logon.
■ Import: An existing certificate is used which is assigned to the security officer during import.
If the import is from a .p12 key file, the certificate's password must be known. If a PKCS#12
certificate container is selected, all certificates are loaded into the list of assignable certificates.
The certificate is then assigned after the import by selecting it from the drop-down list.
Security Officer Roles
Roles: Predefined or custom roles can be assigned to the security officer. The rights associated
with each role are displayed under Action Permitted in the action area when clicking the
respective role, or when right-clicking the security officer and selecting Properties, Actions.
More than one role can be assigned to a user.
4. Click OK to confirm.
The new security officer is displayed in the navigation window under the respective Security
Officers node. Their properties can be displayed by selecting the respective security officer in
the navigation window. The security officer can log on to the SafeGuard Management Center with
the name displayed. Next you need to assign directory objects/domains to the security officer so
they can perform their tasks.
11.10 Assigning directory objects to a security officer
For security officers to be able to perform their tasks they need to have access rights to directory
objects. Access rights can be granted to domains, organizational units (OUs) and user groups as
well as to the ".Auto registered" node under the Root directory.
In Users and Computers, you can change the access rights of another security officer if you
have full access for the relevant container and are responsible for the security officer in question.
You cannot change your own access rights. If you assign a security officer to a directory object
for the first time, the security officer inherits your access rights for this container.
Note: You cannot grant higher access rights than your own access rights to other security officers.
Prerequisite: If you want to grant/deny a security officer the right to access and manage directory
objects, you need the "Users and Computers" rights "Display security officers access rights" and
"Grant/deny access rights to directory". In addition, you need Full access rights for the relevant
directory objects.
1. In the SafeGuard Management Center, select Users and Computers.
2. In the navigation window on the left, select the required directory objects.
Note: The navigation tree only shows the directory objects you have access rights for. If you
have Full access rights, the object is displayed in black. Objects with Read only access are
displayed in blue. A node that is greyed out cannot be accessed but is still shown, if there are
nodes below that you have access to.
3. In the action area on the right, click the Access tab.
4. To assign rights for the selected objects, drag the required officer from the far right into the
Access table.
5. In the Access Rights column, select the rights you want to grant the security officer for the
selected objects:
■ Full Access
■ Read only
■ Denied
To unassign the rights granted for the selected objects, drag the security officer back to the
Officers table.
6. Click the Save icon in the toolbar to save the changes to the database.
The selected objects are available to the relevant security officer.
Note: If two security officers are working on the same SafeGuard Enterprise Database at the
same time and one is changing access rights, a message is displayed to inform the other security
officer and any unsaved changes are lost. If a security officer loses the access rights for a node
completely, access is no longer granted and a relevant message is displayed. The navigation
window is refreshed accordingly.
11.10.1 View security officer rights for directory objects
The access rights assigned to security officers for directory objects are displayed in the Access
tab of the relevant objects in Users and Computers.
Note: The Access tab only shows the access rights for containers you have access rights for.
Likewise, it only shows the security officers you are responsible for.
The Access tab shows the following information:
■ The Officers column shows the types and names of the security officers assigned to the
directory objects.
■ The Assigned by column shows the security officer who has assigned the access rights.
■ The Assignment Date column shows the date the access right was assigned.
■ The Access Rights column shows the rights granted: Full Access, Denied or Read only.
■ The Origin column shows the full name of the node where the access right was assigned to
the corresponding officer. For example: If the right was assigned to a parent node of the
directory object selected, the parent node is displayed here. In this case, the security officer
has inherited the access right for the selected directory object by the assignment to its parent
node.
■ The Status column shows how the security officer has received the access right:
  ■ Inherited (blue text color): The access right has been inherited from a parent node.
  ■ Overwritten (brown text color): The access right has been inherited from a parent node,
  but changed at the selected node by direct assignment.
  ■ Directly assigned (black text color): The access right has been assigned directly at the
  selected node.
For inherited rights, you can display a tooltip in the Status column showing the origin of the
relevant right.
11.11 Promoting security officers
You may do the following:
■ Promote a user to security officer in the Users and Computers area.
■ Promote a security officer to Master Security Officer in the Security Officers area.
11.11.1 Prerequisites for promoting a user
A security officer with the required rights can promote users to security officers and assign roles
to them.
Security officers created in this way can log on to the SafeGuard Management Center with their
Windows credentials or their token/smartcard PIN. They can operate and be administrated just
like any other security officers.
The following prerequisites must be met:
■ Users to be promoted must have been imported from an Active Directory and need to be visible
in the SafeGuard Management Center Users and Computers area.
■ To enable a promoted user to log on to the SafeGuard Management Center as a security
officer, a user certificate is required. You can create this certificate when you promote the user,
see Promote a user to security officer (page 65). For logon with the Windows credentials, the
.p12 file containing the private key must exist in the SafeGuard Enterprise Database. For logon
with token or smartcard PIN, the .p12 file containing the private key must reside on the token
or smartcard.
Note: If you create the certificate when you promote a user, they have to use the certificate
password to log on to the SafeGuard Management Center. They have to enter the certificate
password although they are prompted for the Windows password. This is also true when
logging on to the SafeGuard Enterprise Web Help Desk.
11.11.2 Promote a user to security officer
Prerequisite: To promote a user, you need to be a Master Security Officer or a security officer
with the required rights.
1. In the SafeGuard Management Center, select Users and Computers.
2. Right-click the user you want to promote to security officer and select Make this user a
Security Officer.
3. The next step depends on whether a user certificate is available for the selected user.
■ If a user certificate has already been assigned to this user, the Select role(s) dialog is
displayed. Continue with step 4.
■ If no user certificate is available, a message is displayed asking you whether a self-signed
key pair should be created for this user. Click Yes and enter and confirm a password in
the Password for new certificate dialog. Now the Select role(s) dialog is displayed.
4. In the Select role(s) dialog, select the required roles and click OK.
The user is now promoted and displayed in the Security Officers area with their user name.
Their properties can be displayed by selecting the respective officer in the navigation window. If
the user's private key is stored in the database, No token is activated. If the user's private key
resides on the token or smartcard, Optional is activated.
You may drag-and-drop the security officer to the required position in the Security Officers tree
view if required.
The security officer can log on to the SafeGuard Management Center with the name displayed.
11.11.3 Promote a security officer to Master Security Officer
Prerequisite: To promote a security officer, you need the right to display and modify security officers.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, right-click the security officer you want to promote and select Promote
to Master Security Officer.
3. If the promoted officer has children you are prompted to select a new parent node for the
children.
The security officer is promoted and displayed under the Master Security Officers node. As a
Master Security Officer, the promoted officer will receive all rights to all objects and thus lose all
assigned roles and all individually granted domain access in Users and Computers.
11.12 Demote Master Security Officers
Prerequisite: To demote Master Security Officers to security officers you need to be a Master
Security Officer.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, right-click the Master Security Officer you want to demote and select
Demote to security officer.
3. You are prompted to select a parent node for the officer and to assign at least one role.
The security officer is demoted and displayed under the selected Security Officers node. The
demoted officer loses all rights to all objects and only receives those rights that are assigned to
their role(s). A demoted officer does not have any rights on domains. You need to individually
grant domain access rights in the Users and Computers area under the Access tab.
11.13 Change the security officer certificate
Prerequisite: To change the certificate of a security officer or Master Security Officer, you need
the right to display and modify security officers.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, click the security officer you want to change the certificate for. The
current certificate assigned is displayed in the action area on the right in the Certificates field.
3. In the action area, click the Certificates drop-down list and select a different certificate.
4. Click the Save icon in the toolbar to save the changes to the database.
11.14 Arrange security officers in the tree view
Security officers can be hierarchically arranged in the Security Officers navigation window to
reflect the company's organizational structure.
The tree view can be arranged for all security officers, except for Master Security Officers. MSOs
are displayed in a flat list under the MSO node. The security officers node contains a tree view
where each node represents a security officer. However, this does not imply any hierarchy in
terms of rights and roles.
Prerequisite: To move a security officer in the tree view you need the right to display and modify
security officers.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, drag-and-drop the officer you want to move to the respective node.
All children of the selected officer will also be moved.
11.15 Fast switching of security officers
For your convenience, you may quickly restart the SafeGuard Management Center, to log on as
a different officer.
1. In the SafeGuard Management Center, select File > Change Officer. The SafeGuard
Management Center is restarted and the logon dialog is displayed.
2. Select the security officer you want to use to log on to the SafeGuard Management Center
and enter their password. If you are working in Multi Tenancy mode, you are logged on to the
same database configuration.
The SafeGuard Management Center is restarted displaying the view assigned to the logged on
officer.
11.16 Delete a security officer
Prerequisite: To delete a security officer or Master Security Officer, you need the right to display
and delete security officers.
1. In the SafeGuard Management Center, select Security Officers.
2. In the navigation window, right-click the security officer or Master Security Officer you want to
delete and select Delete. Note that you cannot delete the officer you are logged on with.
3. If the officer has children, you are prompted to select a new parent node for the children.
The officer is deleted from the database.
Note: A Master Security Officer explicitly created as an officer and not only promoted to security
officer must always remain in the database. If a user promoted to security officer is deleted from
the database, their user account is deleted from the database as well.
Note: If the officer to be deleted has been assigned a role that includes additional authentication
and the officer is the only one this role is assigned to, the officer will be deleted nonetheless. It is
assumed that the Master Security Officer will be able to take over additional authorization.
12 Keys and Certificates
When importing the directory structure, SafeGuard Enterprise in its default setting automatically
generates keys for:
■ Domains
■ Containers/OUs
and assigns them to the corresponding objects. Computer and user keys are generated as required.
Keys for groups
By default, SafeGuard Enterprise does not automatically generate keys for groups. As a security
officer, you can change this behavior on the Keys
tab by selecting Tools > Options. If Groups is checked on the Keys tab, SafeGuard Enterprise
automatically generates group keys, when the database is synchronized. At the bottom of the
Synchronization tab it is indicated for which items keys are generated when synchronization is
performed.
Keys cannot be deleted! They are retained permanently in the SafeGuard Enterprise Database.
The first time an endpoint is started, SafeGuard Enterprise generates a computer key for that
endpoint (defined machine key).
Note: The defined machine key is only generated when volume-based encryption is installed on
the endpoint.
Each user obtains all their keys at logon from their user key ring. The user key ring comprises
the following:
■ the keys of the groups of which the user is a member
■ the keys of the overall Container/OUs of the groups of which the user is a member.
The keys in the user key ring determine the data which that user can access. The user can only
access data for which they have a specific key.
Note: To avoid showing too many unused group keys in the user's key ring, you can specify keys
to be hidden. For further information, see Hide keys (page 70).
To display all keys for a user, click Users and Computers and select the Keys tab.
To display all keys, click Keys and Certificates in the SafeGuard Management Center and select
Keys. You can generate lists for Assigned Keys and Inactive Keys.
Note: The Assigned Keys list only shows the keys assigned to objects for which you have Read
only or Full access rights. The Keys view shows the number of all available keys, regardless of
your access rights. The Assigned Keys list shows the number of keys visible according to your
access rights.
1. Click Users and Computers to open the display.
2. The keys of a selected object are displayed in the action area and in the respective views.
3. The display in the action area depends on what is selected in the navigation area. All keys
assigned to the selected object are displayed.
4. Under Available Keys, all available keys are displayed. Keys already assigned to the selected
object are grayed out. Select Filter to switch between keys already assigned to an object
(active) and keys not yet assigned to an object (inactive).
After the import, each user receives a number of keys which can be used for data encryption.
12.1 Keys for data encryption
Users are assigned keys for the encryption of specific volumes when defining policies of the type
Device Protection.
In a policy of the type Device Protection, you can specify the setting Key to be used for
encryption for each media.
Here you decide which keys a user can or must use for encryption:
■ Any key in user key ring
After users have logged on to Windows, they can select the keys they would like to use to
encrypt a particular volume. A dialog is displayed in which users can select the required key.
■ Any key in user key ring, except user key
Users may not use their own personal key to encrypt data.
■ Any group key in user key ring
Users may only select one of the group keys in their user key ring.
■ Defined machine key
The defined machine key is the unique key generated exclusively for this computer by
SafeGuard Enterprise during the first startup. The user has no other options. A defined machine
key is typically used for the boot and system partition and for drives on which Documents and
Settings are located.
■ Defined key on list
This option allows you to define a specific key which the user must use for encryption. To
specify a key for a user in this way, you must define a key under Defined key for encryption.
This option is displayed once you select Defined key on list.
Click the [...] button next to Defined key for encryption to display a dialog in which you can
specify a key. Make sure that the user also has the corresponding key.
Mark the selected key and click OK. The selected key will be used for encryption on the
endpoint computer.
12.1.1 Assign keys in Users and Computers
To assign keys to users, you need Full access rights for the relevant object.
To assign a new key to users:
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation area, select the required object (for example user, group or container).
3. Right-click in the Keys tab and select Assign new key from the context menu.
4. In the Assign New Key dialog:
a) Enter a Symbolic name and Description for the key.
b) To hide the key in the user's key ring, select the Hide key check box.
5. Click OK.
The key is assigned and displayed in the Key tab.
12.1.2 Hide keys
To avoid showing too many unused group keys in a user's key ring on the endpoint, you can
define keys to be hidden. Keys which are not shown in the user’s key ring can still be used to
access encrypted files, but not to encrypt new ones.
To hide keys:
1. In the SafeGuard Management Center, click Keys and Certificates.
2. In the navigation area, click Keys and select Assigned Keys.
The Assigned Keys view is displayed showing the Hide Key column.
3. There are two ways to specify that keys are to be hidden:
■ Select the check box in the Hide Key column for the required key.
■ Select one or several keys and right-click to open a context menu.
Select Hide Key From User.
4. Save your changes to the database.
The specified keys are not shown in the user's key ring.
For information on displaying the user's key ring on the endpoint, see the SafeGuard Enterprise
user help, chapter System Tray Icon and tool tips.
Note: If a policy specifies a hidden key to be used for encryption, the Hide Key setting does not
affect encryption on the endpoint.
12.2 Personal Keys for file-based encryption by File
Encryption
A Personal Key is a special type of encryption key that is created for a specific user and cannot
be shared with other users. A Personal Key that is active for a specific user is called an active
Personal Key. Active Personal Keys cannot be assigned to other users.
In File Encryption policies, you can define encryption rules that use the placeholder Personal
Key instead of a key name. For such rules, the encryption key to be used is the active Personal
Key of the user.
When you define an encryption rule for the path C:\encrypt to be encrypted with the Personal
Key, different keys are used for different users. You can thereby ensure that information in specific
folders is private for users. For further information see File Encryption (page 170).
If a File Encryption rule defines a Personal Key to be used for encryption, Personal Keys are
created automatically for the relevant users, if they do not have active Personal Keys yet.
As a security officer with the required rights, you can create Personal Keys for selected users or
all users in selected groups in the SafeGuard Management Center. You can also demote active
Personal Keys, for example when a user leaves the company.
12.2.1 Automatic creation of Personal Keys
If a File Encryption rule defines a Personal Key to be used for encryption and the user does not
have an active Personal Key yet, the SafeGuard Enterprise Server automatically creates it. During
the timeframe between policy receipt on the endpoint and the required active Personal Key
becoming available, the user is not allowed to create new files in the folders covered by the File
Encryption rule.
For initial deployment of File Encryption policies with encryption rules using Personal Keys to a
larger group of users (hundreds or more) who do not have active Personal Keys yet, we recommend
to create Personal Keys in the SafeGuard Management Center (see Create Personal Keys for
multiple users (page 72)). This reduces the load on the SafeGuard Enterprise Server.
12.2.2 Create a Personal Key for a single user
To create a Personal Key, you need the rights Create keys and Assign keys. In addition, you
need Full access rights for the object involved. To replace an active Personal Key, you need the
right Manage Personal Keys.
1. In the SafeGuard Management Center, select Users and Computers.
2. In the navigation area, select the required user.
3. Right-click in the Keys tab and select Assign new key from the context menu.
4. In the Assign new key dialog:
a) Enter a description for the Personal Key.
b) To hide the Personal Key in the user's key ring, select Hide key.
5. Depending on whether you are creating a Personal Key for a user who does not have an active
Personal Key yet, or for a user who does, the Assign new key dialog shows different check
boxes. Select the check box displayed, to define the newly created key as a Personal Key:
■ Personal Key: This check box is displayed for users who do not have an active Personal
Key yet.
■ Replace active Personal Key: This check box is displayed for users who already have an
active Personal Key.
6. Click OK.
The Personal Key is created for the selected user. In the Key tab, the key is shown as the Active
Personal Key for the user. For a user who already had an active Personal Key before, the existing
key is demoted and the user receives the new one. The demoted Personal Key remains in the
user's key ring. The active Personal Key cannot be assigned to other users.
12.2.3 Create Personal Keys for multiple users
To create Personal Keys, you need the rights Create keys and Assign keys. In addition, you
need Full access rights for the objects involved. To replace existing active Personal Keys, you
need the right Manage Personal Keys.
1. In the SafeGuard Management Center, click Users and Computers.
2. In the navigation area, right-click the node for which you want to create Personal Keys:
■ a domain node,
■ the .Auto registered node in the root or in domains or
■ an Organizational Unit node.
3. From the context menu, select Create Personal Keys for users.
4. In the Create Personal Key for Users dialog:
a) Enter a description for the Personal Keys.
b) To hide the Personal Keys in the users' key rings, select Hide key.
c) To replace existing active Personal Keys with the new ones, select Replace existing active
Personal Keys.
5. Click OK.
The Personal Keys are created for all users in the selected node. In the Key tab, the keys are
shown as Active Personal Keys for the users. If users already had active Personal Keys before
and you have selected Replace existing active Personal Keys, the existing keys are demoted
and the users receive new ones. The demoted Personal Keys remain in the users' key rings. The
individual active Personal Keys cannot be assigned to other users.
12.2.4 Demote active Personal Keys
To demote active Personal Keys manually, you need the rights Modify Keys and Manage
Personal Keys. By default, the right Manage Personal Keys has been assigned to the predefined
role Master Security Officer, but it can also be assigned to new user-defined roles. In addition,
you need Full access rights for the object involved.
You can demote active Personal Keys manually, for example if a user leaves the company.
Provided that you have the right Manage Personal Keys you can assign the demoted Personal
Key of this user to other users to give them read-only access to files encrypted with this key. But
they cannot use this key for encrypting files.
Note: This cannot be undone. A demoted Personal Key can never become an active Personal
Key for any user again.
1. In the SafeGuard Management Center, select Users and Computers.
2. In the navigation area, select the required user.
3. In the Key tab, right-click the required Active Personal Key and select Demote Personal
Key from the context menu.
The key is demoted. It is still a Personal Key, but cannot be used as an active Personal Key
anymore. If a File Encryption rule defines a Personal Key to be used for encryption and the user
does not have an active Personal Key, the SafeGuard Enterprise Server automatically creates
it.
12.3 Certificates
■ A user can only have one certificate assigned. If this user certificate is stored on a token, then
users can only log on to their endpoint using this token (cryptographic token - Kerberos).
■ Note that, when importing a user certificate, the certificate's public and private sections are
both imported. If only the public part is imported, only token authentication is supported.
■ The combination of CA certificates and CRL (Certificate Revocation List) must match. Otherwise
users cannot log on to the respective endpoints. Please check that the combination is correct.
SafeGuard Enterprise does not carry out this check!
■ If Certification Authority (CA) certificates are deleted in the database and you do not wish to
use them again, you should remove these certificates manually from the local store of all
administrator computers.
SafeGuard Enterprise can then only communicate with expired certificates if old and new keys
are present on the same token.
■ CA certificates cannot be obtained from a token and stored in the database or certificate store.
If you use CA certificates, they need to be available as files, not just on a token. The same
applies to CRLs.
■ Certificates generated by SafeGuard Enterprise are signed with SHA-1 or SHA-256 for
verification. SHA-256 provides enhanced security and is used by default with first-time
installations. If SafeGuard Enterprise 6 or earlier endpoints still need to be managed or when
upgrading from a previous version, SHA-1 is used by default.
■ Certificates provided by the customer and imported into SafeGuard Enterprise are currently
not verified according to RFC3280. For example, we do not prevent using signature certificates
for encryption purposes.
■ The logon certificates for security officers must be located in the "MY" certificate store.
Note: The Assigned Certificates list in Keys and Certificates only shows the certificates
assigned to objects for which you have Read only or Full access rights. The Certificate view
indicates the number of all available certificates, regardless of your access rights. The Assigned
Certificates list shows the number of certificates available according to your access rights.
To modify certificates, you need Full access rights to the container the user resides in.
12.3.1 Import CA certificates and Certificate Revocation Lists
If CA certificates are in use, import the complete CA hierarchy including all CRLs into the SafeGuard
Database. CA certificates cannot be obtained from tokens, but need to be available as files so
that you can import them into the SafeGuard Enterprise Database. This also applies to Certificate
Revocation Lists (CRL).
1. In the SafeGuard Management Center, click Keys and Certificates.
2. Select Certificates and click the Import CA certificates icon in the toolbar. Browse for the
CA certificate files you want to import.
The imported certificates are displayed in the work area on the right.
3. Select Certificates and click the Import CRL icon in the toolbar. Browse for the CRL files you
want to import.
The imported CRLs are displayed in the work area on the right.
4. Check that CA and CRL are correct and match. CA certificates must match the CRL before
users can log on to the computers concerned. SafeGuard Enterprise does not carry out this
check.
12.3.2 Change algorithm for self-signed certificates
Prerequisites: All SafeGuard Enterprise components must have version 6.1 or later.
Certificates generated by SafeGuard Enterprise, such as the company, machine, security officer
and user certificates are signed with hash algorithm SHA-256 by default during the first-time
installation for enhanced security.
When upgrading from SafeGuard Enterprise 6 or earlier, hash algorithm SHA-1 is automatically
used for self-signed certificates. You can manually change it to SHA-256 for enhanced security
after the upgrade is completed.
Note: Only change the algorithm to SHA-256 if all SafeGuard Enterprise components and
endpoints have been upgraded to the current version. SHA-256 is not supported in mixed
environments where for example SafeGuard Enterprise 6 endpoints are managed by the SafeGuard
Management Center 7. If you have a mixed environment, you must not carry out this task and
must not change the algorithm to SHA-256.
Changing the algorithm for self-signed certificates involves the following steps:
■ Changing the hash algorithm.
■ Creating a Certificate Change Order (CCO).
■ Creating a configuration package including the CCO.
■ Restarting the SafeGuard Enterprise (database) servers.
■ Distributing and deploying the configuration packages on the endpoints.
To change the algorithm for self-signed certificates:
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. On the General tab, under Certificates, select the required algorithm from Hash algorithm
for generated certificates and click OK.
3. On the Certificates tab, under Request, click Update. In Update Company certificate, enter
a name for the CCO and specify a backup path. Enter a password for the P12 file and retype
it. Optionally enter a comment and click Create.
4. Confirm when prompted that this change cannot be reverted and that all configuration packages
created after this company certificate update need this CCO included to work on already
installed endpoints.
5. Confirm when prompted that the update was successful and that a CCO to be included in all
configuration packages has been created. Click OK.
6. On the Tools menu, click Configuration Package Tool.
7. Select the required type of endpoint configuration package: Managed client packages or
Standalone client packages.
8. Click Add Configuration Package and enter a name of your choice for the configuration
package.
9. Select the CCO you created beforehand.
10. Make further selections as appropriate.
11. Specify an output path for the configuration package (MSI).
12. Click Create Configuration Package.
The configuration package (MSI) has now been created in the specified directory.
13. Restart all SafeGuard Enterprise (database) servers.
14. Distribute and deploy this package to the SafeGuard Enterprise protected endpoints.
All certificates generated by SafeGuard Enterprise are signed with the new algorithm.
See also http://www.sophos.com/en-us/support/knowledgebase/116791.aspx.
12.4 Exporting company and Master Security Officer certificates
In a SafeGuard Enterprise installation, the following two items are critical and must be backed up
in a safe location:
■ The company certificate stored in the SafeGuard Database.
■ The Master Security Officer (MSO) certificate residing in the certificate store of the computer
on which the SafeGuard Management Center is installed.
You can export both certificates in the form of .p12 files for backup purposes. To restore an
installation, you can import the relevant company and security officer certificates as .p12 files
and use them when you set up a new database. This avoids restoring the whole database.
Note: We recommend that you carry out this task right after initial configuration of the SafeGuard
Management Center.
12.4.1 Export the company certificates
Note: Only Master Security Officers are entitled to export company certificates for backup
purposes.
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. Select the Certificates tab and click Export in the Company Certificate section.
3. You are prompted to enter a password for securing the exported file. Enter a password, confirm
it and click OK.
4. Enter a file name and storage location for the file and click OK.
The company certificate is exported as a .p12 file to the defined location and can be used for
recovery purposes.
12.4.2 Export the Master Security Officer certificate
To back up the Master Security Officer certificate of the MSO logged on to the SafeGuard
Management Center:
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. Select the Certificates tab and click Export in the Certificate of <administrator> section.
3. You are prompted to enter a password for securing the exported file. Enter a password, confirm
it and click OK.
4. Enter a file name and storage location for the file to be exported and click OK.
The Master Security Officer certificate of the currently logged on MSO is exported as a .p12 file
to the defined location and can be used for recovery purposes.
12.5 Virtual Clients
Note: Virtual Clients can only be used for SafeGuard full disk encryption with SafeGuard
Power-on Authentication (POA).
Virtual Clients are specific encrypted key files that can be used for recovery in a
Challenge/Response procedure when the required user information is not available and
Challenge/Response would usually not be supported (for example when the SafeGuard POA is
corrupted).
To enable a Challenge/Response procedure in this complex recovery situation, specific files called
Virtual Clients can be created. They must be distributed to the user before the Challenge/Response
session is carried out. Using Virtual Clients, Challenge/Response can be initiated with a key
recovery tool on the endpoint computer. The user only needs to inform the helpdesk officer of the
required key or keys and enter the response code in order to regain access to encrypted volumes.
Recovery is either possible by using a single key or an encrypted key file containing several keys.
In the SafeGuard Management Center Keys and Certificates area you can:
■ Create and export Virtual Clients.
■ Create and export encrypted key files containing several keys.
■ Display and filter Virtual Clients and exported key files.
■ Delete Virtual Clients.
12.5.1 Create Virtual Clients
Virtual Client files can be used by different computers and for several Challenge/Response
sessions.
1. In the SafeGuard Management Center, click Keys and Certificates.
2. In the left-hand navigation window, click Virtual Clients.
3. In the toolbar, click Add Virtual Client.
4. Enter a unique name for the Virtual Client and click OK.
The Virtual Clients are identified in the database by these names.
5. In the toolbar, click the Save icon to save the Virtual Client to the database.
The new Virtual Client is displayed in the action area.
12.5.2 Export Virtual Clients
After you have created the Virtual Client you need to export it to a file. This file is always called
recoverytoken.tok and must be distributed to the help desk. This file must be available in
the endpoint environment to initiate a Challenge/Response session with a recovery tool (for
example when the SafeGuard POA is corrupted). The user must place the Virtual Client file
recoverytoken.tok in the same folder as the recovery tool so that a Challenge/Response can
be supported.
1. In the SafeGuard Management Center, click Keys and Certificates.
2. In the left-hand navigation window, click Virtual Clients.
3. In the action area, search for the respective Virtual Client by clicking the magnifier icon. The
available Virtual Clients are displayed.
4. Select the required entry in the action area and click Export Virtual Client in the toolbar.
5. Select a location to store the file recoverytoken.tok and click OK. A success message is
displayed.
6. Distribute this Virtual Client file recoverytoken.tok to the respective SafeGuard Enterprise
users.
Store the file in a safe place, for example on a memory stick. When a Challenge/Response is
initiated, this file needs to be located in the same folder as the recovery tool.
12.5.3 Create and export key files for Virtual Client recovery
When multiple keys are needed to recover access to encrypted volumes during a Virtual Client
recovery, the security officer can combine them in one exported file. This key file is encrypted
with a random password which is stored in the database. The password is unique for each created
key file.
The encrypted key file needs to be transferred to the user and must be available to the user when
starting a Challenge/Response session with a recovery tool.
In the Challenge/Response session, the password for the key file is transmitted with the response
code. The key file can be decrypted with the password and all volumes encrypted with the available
keys can be accessed again.
To export key files, you need Full access rights for the objects the relevant keys are assigned
to.
1. In the SafeGuard Management Center, click Keys and Certificates.
2. In the left-hand navigation window, click Virtual Clients and then Exported Key Files.
3. In the toolbar, click Export keys to a key file.
4. In Export keys to a key file, enter the following:
a) Directory: Click [...] to select a location for the key file.
b) File name: The key file is encrypted with a random password which is displayed here. You
cannot change this name.
c) Click Add key or Remove key to add or remove keys. A popup window is displayed to
search for and select the required keys. Click OK to confirm the selection.
d) Click OK to confirm all entries.
5. Distribute this key file to the respective endpoint environment. It must be available before the
response code is entered on the endpoint.
12.5.4 Display and filter Virtual Client views
To find the requested Virtual Client or keys more easily during a Challenge/Response, there are
several filter and search possibilities in the SafeGuard Management Center under Keys and
Certificates.
12.5.5 Views for Virtual Clients
1. Click Virtual Clients in the left-hand navigation window.
2. Click the magnifier icon to generate a complete list of all Virtual Clients.
3. Filter the Virtual Clients by Symbolic name or Key GUID.
12.5.6 Views for exported key files
1. In the SafeGuard Management Center, click Virtual Clients, then Exported Key Files.
2. Click the magnifier icon to generate a complete list of all exported key files.
3. Click the + icon next to the required key file to display the keys contained in the file.
12.5.7 Delete Virtual Clients
1. Open the SafeGuard Management Center and click Keys and Certificates.
2. Click Virtual Clients in the left-hand navigation window.
3. In the action area, search for the respective Virtual Client by clicking the magnifier icon. The
available Virtual Clients are displayed.
4. Select the required entry in the action area and click Delete Virtual Client in the toolbar.
5. Save the changes to the database by clicking the Save icon in the toolbar.
The Virtual Client is deleted from the database.
13 Company Certificate Change Orders
Company Certificate Change Orders (CCOs) are used in the following cases:
■ To renew the company certificate in case it will expire soon.
Renewing the company certificate is possible for managed and unmanaged endpoints but can
only be triggered from the management console.
■ To move unmanaged endpoints to a different environment, for example if you have two
different Sophos SafeGuard environments and want to merge them into one Sophos SafeGuard
environment, where one of the two environments must be the target environment.
This is done by exchanging the company certificate of the endpoints of one environment with
the company certificate of the target environment.
Note: Only Master Security Officers are allowed to create CCOs. To give other security officers
the permission to create CCOs, the MSO must create a custom role and assign the right to
Manage CCOs to this role.
13.1 Renew the company certificate
A company certificate that is about to expire can be renewed in SafeGuard Management Center.
At logon, the SafeGuard Management Center starts to display a warning six months before the
company certificate expires. Without a valid company certificate an endpoint cannot connect to
the server. Renewing the company certificate involves three steps:
■ Creating a Certificate Change Order (CCO).
■ Creating a configuration package including the CCO.
■ Restarting the servers and distributing and deploying the configuration packages on the
endpoints.
To renew a company certificate:
1. In the SafeGuard Management Center menu bar, select Tools > Options.
2. Select the Certificates tab and click Update in the Request section.
3. In the Update Company certificate dialog, enter a name for the CCO and specify a backup
path. Enter a password for the P12 file and retype it. Optionally enter a comment and click
Create.
4. Confirm when prompted that this change cannot be reverted and that all configuration packages
created after this company certificate update need this CCO included to work on already
installed endpoints.
5. Confirm when prompted that the update was successful and that a CCO to be included in all
configuration packages has been created. Click OK.
6. On the Tools menu, click Configuration Package Tool.
7. Select Managed client packages.
8. Click Add Configuration Package and enter a name of your choice for the configuration
package.
9. Assign a Primary Server (the Secondary Server is not necessary).
10. Select the CCO you created beforehand to update the company certificate.
11. Select the Transport Encryption mode defining how the connection between SafeGuard
Enterprise Client and SafeGuard Enterprise Server is to be encrypted, either SafeGuard
transport encryption or SSL encryption.
The advantage of SSL is that it is a standard protocol and that a faster connection can be
achieved than when using SafeGuard transport encryption. SSL encryption is selected by
default. For further information on how to secure transport connections with SSL, see the
SafeGuard Enterprise Installation guide.
12. Specify an output path for the configuration package (MSI).
13. Click Create Configuration Package.
If you have selected SSL encryption as the Transport Encryption mode, the server connection
is validated. If the connection fails, a warning message is displayed.
The configuration package (MSI) has now been created in the specified directory. Make sure that
you restart all SGN servers. You now need to distribute and deploy this package to the SafeGuard
Enterprise managed endpoints.
13.2 Replace the company certificate
Replacing the company certificate is necessary when you want to move an endpoint from one
standalone environment to a different one. The endpoint to be moved needs to have the company
certificate of the environment it is to be moved to. Otherwise the endpoint does not accept policies
of the new environment. The tasks required to replace the company certificate can be carried out
in both the SafeGuard Management Center and the SafeGuard Policy Editor. In the following
description the term management tool is used to mean both the SafeGuard Management Center
and the SafeGuard Policy Editor, since the replacement of the company certificate is identical in
both cases.
The following prerequisites must be met:
Decide which is your source and which is your target Management Center/Policy Editor
environment. The source Management Center/Policy Editor is the one you used for creating the
configuration packages for the endpoints that are to be moved. The target Management
Center/Policy Editor is the one the endpoints will be moved to.
To replace the company certificate:
1. In the target management tool, export the company certificate: In the Tools menu, click
Options. Select the Certificates tab and click the Export button under Company Certificate.
Enter and confirm a password for the certificate backup when prompted and select a destination
directory and file name when prompted. The company certificate is exported (cer file).
2. In the source management tool, on the Tools menu, click Options. Then select the Certificates
tab and click Create... in the Request section. In the Create CCO dialog, browse for the target
company certificate you exported in the target management tool (step 1). Make sure that it is
the desired certificate. Click Create and select a destination directory and file name for the
.cco file. Confirm that you want to place a Company Certificate Change Order. Please note
that a CCO is not linked to specific endpoints. Using a CCO any client of the source environment
can be moved.
3. In the target management tool, you have to import the CCO created in the source management
tool. On the Tools menu, click Configuration Package Tool and select the CCOs tab. Click
Import.
4. In the Import CCO dialog select the CCO you created in the source management tool and
enter a CCO name and optionally a description. Click OK.
5. In the target management tool, create a configuration package: In the Tools menu, click
Configuration Package Tool > Standalone client packages and add a new configuration
package. Select the imported CCO from the drop-down menu in the CCO column. Specify a
location under Configuration Package output path. Click Create Configuration package.
The configuration package is created on the specified location.
6. Install this configuration package on all endpoints you want to move from the source
environment to the target environment.
13.3 Managing Company Certificate Change Orders
In the SafeGuard Management Center, on the Tools menu, click Configuration Package Tool.
All created CCOs are displayed on the CCOs tab.
Detailed information on the selected CCO is displayed in the lower part of the dialog.
If the CCO was created for updating the company certificate, the Source company certificate
is the one to be renewed. If the CCO was created to move endpoints, renew the company certificate
of the environment the endpoints are being moved to.
The Destination company certificate is the new company certificate if the CCO was created
for updating the company certificate or the company certificate of the environment the endpoints
are being moved to.
Below the certificate details, you can see the tasks the selected CCO can be used for.
Note: For managing CCOs you need the right to Manage CCOs.
13.3.1 Import
When creating configuration packages, in order to select the CCO created by a different
management tool to change the company certificate, you must first import it.
Clicking Import... opens a dialog in which you can select and name the CCO. The name you
enter here is displayed on the CCOs tab of the Configuration Package Tool.
13.3.2 Export
Using the Export functionality, CCOs stored in the database can be exported and are then
available as .cco files.
14 Working with policies
The following sections describe the administrative tasks concerning policies, for example creating,
grouping and backing up policies.
Note: For assigning, removing or editing policies, you need Full access rights to the relevant
objects as well as to any group that is activated for the policies involved.
For a description of all policy settings available with SafeGuard Enterprise, see Policy settings
(page 118).
14.1 Create policies
1. Log on to the SafeGuard Management Center with the password set during initial configuration.
2. In the navigation area, click Policies.
3. In the navigation window, right-click Policy Items and select New.
4. Select the policy type.
A dialog for naming the new policy is displayed.
5. Enter a name and optionally a description for the new policy.
Policies for Device Protection:
If you create a policy for device protection, you must also specify the target for device protection.
Possible targets are:
■ Mass storage (boot volumes/other volumes)
■ Removable media
■ Optical drives
■ Storage device models
■ Distinct storage devices
■ Cloud storage
For each target, a separate policy has to be created. Later on you can combine the individual
policies in a policy group named Encryption, for example.
6. Click OK.
The new policy is displayed in the navigation window below Policy Items. In the action area, all
settings for the selected policy type are displayed and can be changed.
14.2 Edit policy settings
When you select a policy in the navigation window, you can edit the policy settings in the action
area.
Note: A red icon in front of a setting that is not configured indicates that a value has to be
defined for this policy setting. To be able to save the policy, you first have to select a setting
other than not configured.
Setting policy settings to default values
In the toolbar the following icons are available for setting policy settings (icon / policy setting):
■ Displays default values for policy settings that have not been configured (setting not
configured). The default values for policy settings are displayed by default. Click the icon to
hide the default values.
■ Sets the marked policy setting to not configured.
■ Sets all policy settings in an area to not configured.
■ Sets the default value for the marked policy.
■ Sets all policy settings in an area to the default value.
Differentiating between machine- and user-specific policies
■ Policy displayed in blue: the policy is applied to machines only, not users.
■ Policy displayed in black: the policy is applied to machines and users.
14.3 Policy groups
SafeGuard Enterprise policies can be combined in policy groups. A policy group may contain
different policy types. In the SafeGuard Management Center, a Default policy group is available
that is assigned to Root under Users and Computers by default.
If you put policies of the same type in a group, the settings are merged automatically. In this case,
you can define priorities for using the settings. The settings of a policy with a higher priority
overwrite the settings of a policy with a lower priority.
A defined policy setting will overwrite settings from other policies, if
■ the policy with that setting has a higher priority.
■ the policy setting has not been defined yet (not configured).
Note: Overlapping policies assigned to a group might result in incorrect calculation of the priorities.
Ensure that you use disjoint (non-overlapping) policy settings.
Exception concerning device protection:
Policies for device protection are only merged if they were defined for the same target (for example
boot volume). If they are for different targets, the settings will be added.
14.3.1 Combine policies into groups
Prerequisite: The individual policies of different types must have been created beforehand.
1. In the navigation area, click Policies.
2. In the navigation window, right-click Policy Groups and select New.
3. Click New Policy Group. A dialog for naming the policy group is displayed.
4. Enter a name and optionally a description for the policy group. Click OK.
5. The new policy group is displayed in the navigation window under Policy Groups.
6. Select the policy group. The action area shows all elements required for grouping the policies.
7. To add the policies to the group, drag them from the list of available policies to the policy area.
8. You can define a priority for each policy by arranging the policies in order using the context
menu.
If you put policies of the same type in a group, the settings are merged automatically. In this
case, you can define priorities for using the settings. The settings of a policy with a higher
priority overwrite the settings of a policy with a lower priority. If an option is set to not
configured, the setting is not overwritten in a policy of a lower priority.
Exception concerning device protection:
Policies for device protection are only merged if they were defined for the same target (for
example boot volume). If they are for different targets, the settings are added.
9. Save the policy with File > Save.
The policy group now contains the settings of all the individual policies.
14.3.2 Policy grouping results
The result of policy grouping is displayed separately.
To display the result, click the Resulting tab.
■ For each policy type a separate tab is shown.
The settings resulting from combining the individual policies into a group are displayed.
■ For policies for device protection, a tab is shown for each policy target (for example boot
volumes, drive X etc.).
14.4 Back up policies and policy groups
You can create backups of policies and policy groups as XML files. If necessary, the relevant
policies/policy groups can then be restored from these XML files.
1. In the navigation window, select the policy/policy group under Policy Items or Policy Groups.
2. Right-click to display the context menu and select Backup Policy.
Note: The Backup Policy command is also available in the Actions menu.
3. In the Save As dialog, enter a file name for the XML file and select a storage location for
the file. Click Save.
The backup of the policy/policy group is stored as an XML file in the specified directory.
14.5 Restore policies and policy groups
To restore a policy/policy group from an XML file:
1. In the navigation window, select Policy Items/Policy Groups.
2. Right-click to display the context menu and select Restore Policy.
Note: The Restore Policy command is also available in the Actions menu.
3. Select the XML file from which the policy/policy group is to be restored and click Open.
The policy/policy group is restored.
14.6 Assign policies
To assign policies, you need Full access rights to the objects involved.
1. Click Users and Computers.
2. In the navigation window, select the required container object (for example OU or domain).
3. Switch to the Policies tab.
All items required for policy assignment are displayed in the action area.
4. To assign a policy, drag the policy from the list into the Policies tab.
5. You can define a Priority for each policy by arranging the policies in order using the context
menu. The settings of higher-ranked policies override those below. If you select No Override
for a policy, its settings will not be overridden by those from other policies.
Note: If you select No Override for a low-priority policy, this policy will take higher priority
than a higher-ranking policy.
To change the Priority or the No Override setting for policies in Users and Computers, you
need Full Access rights for all objects the policies are assigned to. If you do not have Full
Access rights for all objects, the settings are not editable. If you try to edit these fields, an info
message is displayed.
6. The .Authenticated users and .Authenticated computers are displayed in the activation area.
The policy applies to all groups within the OU and/or domain.
14.6.1 Activate policies for individual groups
Policies are always assigned to an OU, a domain or a workgroup. They apply by default to all
groups in those container objects (.Authenticated users and .Authenticated computers groups
are displayed in the activation area).
However, you can also define policies and activate them for one or more groups. These policies
then apply exclusively to these groups.
Note: To activate policies for individual groups, you need Full access rights for the relevant
group.
1. Assign the policy to the OU the group is contained in.
2. .Authenticated Users and .Authenticated Computers are displayed in the activation area.
3. Drag these two groups from the activation area to the Available Groups list. In this configuration,
the policy is effective for neither users nor computers.
4. Now drag the required group (or multiple groups) from the Available Groups list into the
activation area.
This policy now applies exclusively to this group.
If policies have also been assigned to the higher-ranking OU, this policy applies to this group in
addition to those defined for the whole OU.
14.7 Manage policies in Users and Computers
Apart from the Policies area in the SafeGuard Management Center, you can also view and modify
the contents of a policy where policy assignment is done, in Users and Computers.
1. Click Users and Computers.
2. In the navigation area, select the required container object.
3. You can open policies for viewing/modifying them from two locations.
■ Switch to the Policies tab, or
■ switch to the RSOP tab.
4. Right-click the required assigned or available policy and select Open from the context menu.
The policy dialog is displayed and you can view and edit the policy settings.
5. Click OK to save your changes.
6. To display the policy properties, right-click the required policy and select Properties from the
context menu.
The Properties dialog for the policy is displayed. Here you can view General and Assignment
information.
14.8 Disabling policy deployment
As a security officer, you can disable the deployment of policies to the endpoints. To do so, click
the Enable/disable policy deployment button in the SafeGuard Management Center toolbar or
select Enable/disable policy deployment from the Edit menu. After disabling policy deployment,
no policies are sent to the endpoints. To reverse the disabling of policy deployment, click the
button or select the command again.
Note: To disable policy deployment, a security officer needs the right "Enable/disable policy
deployment". By default, this right has been assigned to the predefined roles Master Security
Officer and Security Officer, but it can also be assigned to new user-defined roles.
14.9 Rules for assigning and analyzing policies
The management and analysis of policies is carried out according to the rules described in this
section.
14.9.1 Assign and activate policies
To enable a policy to be implemented for a user/computer, you need to assign it to a container
object (root nodes, domain, OU, BuiltIn container or workgroup). For an assigned policy to become
effective for the user/computer, it must also be activated; assignment without activation is not
enough. When you assign a policy anywhere in the hierarchy, all computers (authenticated
computers) and all users (authenticated users) are activated automatically. All users and all
computers are combined into these groups.
14.9.2 Policy inheritance
Policies can only be passed on between container objects. Policies can be activated within a
container provided it contains no further container objects (at group level). Inheritance between
groups is not possible.
14.9.3 Policy inheritance hierarchy
Where policies are assigned along a hierarchy chain, the policy closest to a target object
(user/computer) is the highest ranking. This means that as the distance to the target object
increases a policy will be superseded by any policies that are closer.
14.9.4 Direct assignment of policies
The user/computer obtains a policy which is assigned directly to the container object in which it
is located (membership as a user of a group located in another container object is not sufficient).
The container object did not inherit this policy!
14.9.5 Indirect assignment of policies
The user/computer obtains a policy which the container object it is located in (membership as a
user of a group located in another container object is not sufficient) has inherited from a
higher-ranking container object.
14.9.6 Activate/deactivate policies
For a policy to be effective for a computer/user, it has to be activated at group level (policies can
only be activated at group levels). It makes no difference if this group is in the same container
object or not. All that matters is that the user or computer has been directly or indirectly (through
inheritance) assigned to the policy.
If a computer or user is outside an OU or inheritance line and is a member of a group which is
inside this OU, this activation does not apply to this user/computer, because there is no valid
assignment for this user or computer (directly or indirectly). The group was indeed activated, but
an activation can only apply to users and machines for which there is also a policy assignment.
This means that the activation of policies cannot go beyond container boundaries if there is no
direct or indirect policy assignment for that object.
A policy becomes effective when it has been activated for user groups or computer groups. The
user groups and then the computer groups are analyzed (authenticated users and authenticated
computers are also groups). Both results are OR-linked. If this OR-link gives a positive value for
the computer/user relationship, the policy applies.
Note: If more than one policy is active for an object, the individual policies are, while complying
with the rules described, merged. This means that the actual settings for an object can be
composed of multiple different policies.
A group can have the following activation settings:
■ Activated
A policy has been assigned. The group is displayed in the activation area of the SafeGuard
Management Center.
■ Not activated
A policy has been assigned. The group is not in the activation area.
If a policy is assigned to a container, the activation setting for a group (activated) determines
whether that policy for that container feeds into the calculation of the resulting policy.
Inherited policies cannot be controlled by these activations. Block policy inheritance would have
to be set at the more local OU so the more global policy cannot be effective here.
14.9.7 User/group settings
Policy settings for users (shown in black in the SafeGuard Management Center) take priority over
policy settings for computers (shown in blue in the SafeGuard Management Center). If user
settings are specified in a policy for computers, those settings are overridden by the policy for the
user.
Note: Only the user settings are overridden. If a policy for users also includes machine settings
(shown in blue), they are not overridden by a user policy!
Example 1:
If password length 4 has been defined for a computer group and the user group is assigned value 3
for the same setting, this user is subject to password length 3 on a computer in the computer
group.
Example 2:
If a server interval of 1 minute is defined for a user group, and the value 3 for a machine group,
value 3 is used because value 1 minute is a machine setting which was defined in a policy for
users.
14.9.8 Contradictory encryption policies
Two policies P1 and P2 are created. P1 defines file-based encryption for drive E:\ and P2 defines
volume-based encryption for drive E:\. P1 is assigned to the OU FBE-User and P2 to the OU
VBE-User.
Case 1: A user from OU FBE-User logs on first to the client W7-100 (container computer). Drive
E:\ is encrypted with file-based encryption. If a user from OU VBE-User then logs on to W7-100,
drive E:\ is encrypted with volume-based encryption. If both users have the same key, both can
access the drive and its files.
Case 2: A user from OU VBE-User logs on first to W7-100. The drive is encrypted with volume-based
encryption. If a user from OU FBE-User then logs on and has the same key as the users from OU
VBE-User, drive E:\ is encrypted with file-based encryption inside the volume-based encryption
(the volume-based encryption is kept). If the user from OU FBE-User does not have the same key,
they cannot access drive E:\ at all.
14.9.9 Priority within an assignment
Within an assignment, the policy with the highest priority (1) ranks above a policy with a lesser
priority.
Note: If a policy with a lesser priority, but with the property No Override is assigned to the same
level as a higher ranking policy, this policy will take priority despite its lower ranking.
14.9.10 Priority within a group
Within a group, the policy with the highest priority (1) ranks above a policy with a lesser priority.
14.9.11 Status indicators
Setting status indicators allows the standard rules for policies to be changed.
■
Block policy inheritance
Set for containers for which you do not want higher-ranking policies to apply (right-click the
object in the Properties navigation window).
If you do not want a container object to inherit a policy from a higher object, select Block
Policy Inheritance to prevent this. If Block Policy Inheritance has been selected for a
container object it will not be affected by higher-ranking policy settings (exception: No Override
activated when policy was assigned).
■
No Override
Set during the assignment process. A policy with No Override cannot be overridden by another
policy.
The higher in the hierarchy a No Override assignment sits, the more container objects below it it
binds: a No Override policy on a higher-ranking container overrides the settings of every
lower-ranking container. A domain policy with No Override therefore applies even to an OU for
which Block policy inheritance has been set.
Note: If a policy with a lesser priority but which has been designated No Override is assigned
to the same level as a higher ranking policy, this policy will take priority despite its lower ranking.
14.9.12 Settings in policies
14.9.12.1 Replay Machine Settings
You can find this setting under:
Policy Items > policy of the type General Settings > Loading of Settings > Policy Loopback.
If you select Replay Machine Settings in the field Policy Loopback of a policy of the type
General Settings and that policy comes from a computer (Replay Machine Settings has no effect
in a policy that reaches the endpoint through a user), the machine policies are replayed at the end
of the analysis. Their settings then override the corresponding user settings, so the machine
settings apply. All machine settings the computer inherits directly or indirectly (including settings
from policies that did not themselves set the Replay Machine Settings loopback) are rewritten.
14.9.12.2 Ignore User
You can find this setting under:
Policy Items > policy of the type General Settings > Loading of Settings > Policy Loopback.
If you select Ignore User in the field Policy Loopback of a policy of the type General Settings
and that policy comes from a computer, only the machine settings are analyzed. User policies
are not analyzed at all.
14.9.12.3 No Loopback
You can find this setting under:
Policy Items > policy of the type General Settings > Loading of Settings > Policy Loopback.
No Loopback describes the standard behavior. User policies take priority over computer policies.
14.9.12.4 Analyze the settings "Ignore User" and "Replay Machine Settings"
If there are active policy assignments, the computer policies are analyzed and consolidated first.
If the Policy Loopback value of the consolidated machine policy is Ignore User, the policies that
would have been determined for the user are not analyzed. The same settings therefore apply for
every user of the machine.
If, after merging the individual machine policies, the Policy Loopback value is Replay Machine
Settings, the user policies are merged with the machine policies. After the merge, the machine
policies are rewritten on top of the result and, where appropriate, override settings from the user
policies: if a setting is present in both, the machine policy value overrides the user policy value.
If the consolidation of the machine policies results in the standard value (No Loopback), user
settings take priority over machine settings.
14.9.12.5 Order of the execution of policies
Ignore User: Computer
Replay Machine Settings: Computer -> User -> Computer. The first "machine execution" is
required for the policies which are written before user logon (for example the background image
at logon).
No Loopback (standard setting): Computer -> User
14.9.13 Other definitions
Whether a policy counts as a user or a machine policy depends on the policy's origin: a user
object "brings" a user policy, a computer object "brings" a computer policy. The same policy can
therefore be a machine policy or a user policy, depending on the perspective.
■
User policy
Any policy that reaches the analysis through the user. If a policy reaches the endpoint only through
a user, its machine settings are not applied; the default values apply for them instead.
■
Computer policy
Any policy that reaches the analysis through the machine. If a policy reaches the endpoint only
through a computer, its user settings are applied as well. A computer policy therefore acts as a
policy "for all users".
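The resolution rules of sections 14.9.7 to 14.9.13 as an added worked example in Python (not SafeGuard code): policies are modelled as dictionaries of named settings, each setting is tagged as a user (black) or machine (blue) setting, and resolve() returns the effective settings for a user logging on to a computer under No Loopback, Ignore User and Replay Machine Settings. The setting names, the tagging of Policy Loopback as a machine setting, and the priority ordering inside one level are assumptions drawn from the text; Block policy inheritance across containers is not modelled.

```python
"""Model of the SafeGuard policy resolution rules (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List

# Setting kind as shown in the Management Center: "user" (black) or "machine" (blue).
# Assumption: these names and kinds; Policy Loopback is treated as a machine setting.
SETTING_KIND: Dict[str, str] = {
    "password_length": "user",
    "server_interval": "machine",
    "policy_loopback": "machine",
    "logon_image": "machine",
}

NO_LOOPBACK = "No Loopback"
IGNORE_USER = "Ignore User"
REPLAY_MACHINE = "Replay Machine Settings"


@dataclass(frozen=True)
class Policy:
    name: str
    settings: Dict[str, object]
    priority: int = 1          # 1 is the highest priority (14.9.9 / 14.9.10)
    no_override: bool = False  # No Override beats a higher-ranking policy (14.9.11)


def consolidate(policies: List[Policy]) -> Dict[str, object]:
    """Merge policies assigned at one level: No Override first, then priority 1, 2, ...
    The first policy that defines a setting wins; later ones only fill gaps."""
    ordered = sorted(policies, key=lambda p: (not p.no_override, p.priority))
    merged: Dict[str, object] = {}
    for policy in ordered:
        for key, value in policy.settings.items():
            merged.setdefault(key, value)
    return merged


def resolve(computer_policies: List[Policy], user_policies: List[Policy]) -> Dict[str, object]:
    """Return the effective settings for a user logging on to a computer."""
    # Computer policies are analysed first and contribute both kinds of settings
    # (a computer policy is "a policy for all users", 14.9.13).
    machine = consolidate(computer_policies)
    loopback = machine.get("policy_loopback", NO_LOOPBACK)

    if loopback == IGNORE_USER:
        # User policies are not analysed at all (14.9.12.2).
        return dict(machine)

    # A user policy contributes only its user settings; machine settings defined in
    # a policy for users are dropped (14.9.7, 14.9.13). Unknown names must be added
    # to SETTING_KIND first.
    user = {k: v for k, v in consolidate(user_policies).items()
            if SETTING_KIND[k] == "user"}

    if loopback == REPLAY_MACHINE:
        # Computer -> User -> Computer: the machine policies are replayed last and
        # win wherever both sides define the same setting (14.9.12.4).
        return {**user, **machine}

    # Standard behaviour: user settings take priority over computer settings.
    return {**machine, **user}


if __name__ == "__main__":
    # Examples 1 and 2 from section 14.9.7 in one run (constructed sample policies).
    computers = [Policy("Computers", {"password_length": 4, "server_interval": 3})]
    users = [Policy("Users", {"password_length": 3, "server_interval": 1})]
    print(resolve(computers, users))  # {'password_length': 3, 'server_interval': 3}
```

The two examples in the text fall out directly: password length 3 wins because it is a user setting from a user policy, while the server interval 1 from the user policy is discarded before the merge. Switching the computer policy's Policy Loopback to Ignore User or Replay Machine Settings makes the computer's password length 4 win instead.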
15 Working with configuration packages
In the SafeGuard Management Center, you can create the following types of configuration
packages:
■
Configuration package for managed endpoints
Endpoints that have a connection to the SafeGuard Enterprise Server receive their policies
through this server. For successful operation after installation of the SafeGuard Enterprise
Client software, you need to create a configuration package for managed computers and
deploy it to them.
After the first configuration of the endpoint by the configuration package, the endpoint receives
policies through the SafeGuard Enterprise Server after you have assigned them in the Users
and Computers area of the SafeGuard Management Center.
■
Configuration package for unmanaged endpoints
Unmanaged endpoints are never connected to the SafeGuard Enterprise Server; they operate in
standalone mode and receive their policies through configuration packages. For successful
operation, you need to create a configuration package containing the relevant policy groups and
distribute it to the endpoints by your company's distribution mechanisms. Whenever you change
any policy settings, you have to create new configuration packages and distribute them to the
endpoints.
Note: Configuration packages for unmanaged endpoints can only be used on Windows
endpoints.
■
Configuration package for the SafeGuard Enterprise Server
For successful operation, you need to create a configuration package for the SafeGuard
Enterprise Server, defining the database and SSL connection, enabling the scripting API and
so on.
■
Configuration package for Macs
Macs receive the server address and the company certificate through this package. They
report their status information which is displayed in the SafeGuard Management Center. For
information on how to create configuration packages for Macs, see Create configuration
package for Macs (page 277).
Note: Check your network and computers at regular intervals for old or unused configuration
packages and delete them for security reasons. Always uninstall the old configuration package
before installing a new one on a computer or server.
15.1 Create configuration package for managed endpoints
Prerequisites
■
In the Users and Computers navigation area, under the Inventory tab, check whether a company
certificate change is required for the endpoints that are to receive the new configuration
package. If the field Current Company Certificate is not checked, the currently active company
certificates in the SafeGuard Enterprise Database and on the computer differ, and a company
certificate change is required.
1. In the SafeGuard Management Center, on the Tools menu, click Configuration Package
Tool.
2. Select Managed client packages.
3. Click Add Configuration Package.
4. Enter a name of your choice for the configuration package.
5. Assign a primary SafeGuard Enterprise Server (a secondary server is optional).
6. If required, specify a policy group which must have been created beforehand in the SafeGuard
Management Center to be applied to the endpoints. If you want to use service accounts for
post-installation tasks on the endpoint, make sure that you include the respective policy setting
in this first policy group, see Service Account Lists for Windows logon (page 108).
7. If the currently active company certificate in the SafeGuard Enterprise Database differs from
the one on the endpoints that should receive the new configuration package, select the
appropriate CCO (Company Certificate Change Order). In Users and Computers, in the
Inventory tab of the relevant domain, OU or computer a missing check mark under Current
Company Certificate indicates that a company certificate change is required. You can find
information on the required CCO in the CCOs tab of the Configuration Package Tool in the
Tools menu.
Note: Deployment of the new configuration package on the endpoint will fail, if the currently
active company certificates in the SafeGuard Enterprise Database and on the endpoint do not
match and no appropriate CCO is included.
8. Select the Transport Encryption mode that defines how the connection between the SafeGuard
Enterprise Client and the SafeGuard Enterprise Server is encrypted: either Sophos encryption
or SSL encryption.
SSL has the advantage of being a standard protocol and gives a faster connection than
SafeGuard transport encryption. SSL encryption is selected by default. For information on how
to secure transport connections with SSL, see the SafeGuard Enterprise Installation guide.
9. Specify an output path for the configuration package (MSI).
10. Click Create Configuration Package.
If you have selected SSL encryption as the Transport Encryption mode, the server connection
is validated. If the connection fails, a warning message is displayed.
The configuration package (MSI) has now been created in the specified directory. You now need
to distribute and deploy this package to the endpoints.
15.2 Create configuration package for unmanaged endpoints
1. In the SafeGuard Management Center, on the Tools menu, click Configuration Package
Tool.
2. Select Standalone client packages.
3. Click Add Configuration Package.
4. Enter a name of your choice for the configuration package.
5. Specify a Policy Group which must have been created beforehand in the SafeGuard
Management Center to be applied to the endpoints.
6. Under POA Group, you can select a POA user group to be assigned to the endpoint. POA
users can access the endpoint for administrative tasks after the SafeGuard Power-on
Authentication has been activated. To assign POA users, the POA group must have been
created beforehand in the Users and Computers area of the SafeGuard Management Center.
7. If the currently active company certificate in the SafeGuard Enterprise Database differs from
the one on the endpoints that should receive the new configuration package, select the
appropriate CCO (Company Certificate Change Order).
Note: Deployment of the new configuration package on the endpoint will fail, if the currently
active company certificates in the SafeGuard Enterprise Database and on the endpoint do not
match and no appropriate CCO is included.
8. Under Key Backup Location, specify or select a shared network path for storing the key
recovery file. Enter the share path in the following form: \\network computer\, for example
\\mycompany.edu\. If you do not specify a path here, the end user is prompted to name a
storage location for this file when first logging on to the endpoint after installation.
The key recovery file (XML) is needed to enable recovery of Sophos SafeGuard protected
endpoints and is generated on each Sophos SafeGuard protected endpoint.
Note: Make sure to save this key recovery file at a file location accessible to the helpdesk.
Alternatively, the files can be provided to the helpdesk by different mechanisms. This file is
encrypted by the company certificate. It can therefore be saved to any external media or to
the network to provide it to the helpdesk for recovery purposes. It can also be sent by e-mail.
9. Specify an output path for the configuration package (MSI).
10. Click Create Configuration Package.
The configuration package (MSI) has now been created in the specified directory. You now need
to distribute and deploy this package to the endpoints.
15.3 Create configuration package for Macs
A configuration package for a Mac contains the server information and the company certificate.
The Mac uses this information to report status information (SafeGuard POA on/off, encryption
state and so on). The status information is displayed in the SafeGuard Management Center.
1. In the SafeGuard Management Center, on the Tools menu, click Configuration Package
Tool.
2. Select Managed client packages.
3. Click Add Configuration Package.
4. Enter a name of your choice for the configuration package.
5. Assign a primary SafeGuard Enterprise Server (the secondary server is not necessary).
6. Select SSL as Transport Encryption for the connection between the endpoint and SafeGuard
Enterprise Server. Sophos as Transport Encryption is not supported for Mac.
7. Specify an output path for the configuration package (ZIP).
8. Click Create Configuration Package.
The server connection for the SSL Transport Encryption mode is validated. If the connection
fails, a warning message is displayed.
The configuration package (ZIP) has now been created in the specified directory. You now need
to distribute and deploy this package to your Macs. See also the manuals for Sophos SafeGuard
Native Device Encryption for Mac and Sophos SafeGuard File Encryption for Mac.
16 SafeGuard Power-on Authentication (POA)
Note: This description refers to Windows 7 endpoints with SafeGuard full disk encryption.
SafeGuard Enterprise identifies the user before the operating system starts. To do this, SafeGuard
Enterprise's own system core starts first; it is protected against modification and stored hidden
on the hard disk. Only after the user has been authenticated in the SafeGuard POA is the actual
operating system (Windows) started from the encrypted partition; the user is then logged on to
Windows automatically. The procedure is the same when the endpoint is resumed from hibernation
(Suspend to Disk).
The SafeGuard Power-on Authentication offers:
■
A graphical user interface with mouse support and draggable windows, so it is easy to read
and use.
■
A graphical layout that can be adapted to corporate guidelines (background image, logon image,
welcome message, etc.).
■
Support for many card readers and smartcards.
■
Support for Windows user accounts and passwords even pre-boot, no more separate credentials
which the user has to remember.
■
Support for Unicode and therefore also for foreign language passwords and user interfaces.
16.1 Logging on
SafeGuard Enterprise works with certificate-based logon. So users need keys and certificates to
successfully log on at the SafeGuard Power-on Authentication. However, user-specific key and
certificates are only created after a successful Windows logon. Only users who have successfully
logged on to Windows can also be authenticated in the SafeGuard Power-on Authentication.
To clarify how a user logs on in SafeGuard Enterprise, a brief introduction follows. For a detailed
description of the SafeGuard POA logon procedures, see the SafeGuard Enterprise user help.
SafeGuard Autologon
When logging on for the first time, SafeGuard Enterprise autologon appears after starting the
endpoint.
What happens?
1. An autouser is logged on.
2. The client is automatically registered on the SafeGuard Enterprise Server.
3. The machine key is sent to the SafeGuard Enterprise Server and stored in the SafeGuard
Enterprise Database.
4. Machine policies are sent to the endpoint.
Windows logon
The Windows logon dialog is displayed. The user logs on.
What happens?
1. User ID and a hash of the user’s credentials are sent to the server.
2. User policies, certificates and keys are created and sent to the endpoint.
3. The SafeGuard POA is activated.
SafeGuard POA logon
When the endpoint restarts, the SafeGuard POA appears.
What happens?
1. Certificates and keys are available for the user and they can log on at the SafeGuard POA.
2. All the data is securely encrypted with the user's public RSA key.
3. Any other users who want to log on must first be imported to the SafeGuard POA.
16.1.1 Logon delay
On a SafeGuard Enterprise protected endpoint, a logon delay applies if a user provides incorrect
credentials during authentication at Windows or at the SafeGuard Power-on Authentication. With
every failed logon attempt the delay is increased. After a failed logon a dialog displays the remaining
delay time.
Note: If a user enters an incorrect PIN during token logon, there is no delay.
You can specify the number of logon attempts allowed in a policy of the type Authentication
using the Maximum no. of failed logons option. When the maximum number of failed logon
attempts has been reached, the endpoint is locked. For unlocking their computer, users have to
initiate a Challenge/Response procedure.
16.2 Register further SafeGuard Enterprise users
The first user to log on in Windows is automatically registered in the SafeGuard POA. At first, no
other Windows user can log on at the SafeGuard POA.
Further users must be imported with the assistance of the first user. For a detailed description of
importing further users, see the SafeGuard Enterprise user help.
A policy setting specifies who is permitted to import a new user. You can find this policy in the
SafeGuard Management Center under
Policy items
■
Type: Specific Machine Settings
■
Field: Allow registration of new SGN users for
Default setting: Owner
An endpoint's owner is specified in the SafeGuard Management Center under
Users and Computers
■
Select <endpoint name>.
■
Users tab
16.3 User types
There are various types of user in SafeGuard Enterprise. For more information on how the default
behavior of these user types can be changed, see Policy settings (page 118).
■
Owner: The first user to log on to an endpoint after the installation of SafeGuard Enterprise
is not just entered as an SGN user, but also as the owner of that endpoint. Provided that the
default settings have not been changed, an owner has the right to enable other users to log
on to the endpoint and become SGN users.
■
SGN user: A "full" SGN user is allowed to log on at the SafeGuard Power-on Authentication,
is added to the UMA (User Machine Assignment) and is provided with a user certificate and
a key ring for accessing encrypted data.
■
SGN Windows user: A SGN Windows user is not added to the SafeGuard POA, but has a
key ring for accessing encrypted files, just as a SGN user. He is also added to the UMA, which
means that he is allowed to log on to Windows on that endpoint.
■
SGN guest user: A SGN guest user is not added to the UMA, is not provided with rights to
log on to the SafeGuard POA, is not assigned a certificate or a key ring and is not saved to
the database. See Specific machine settings - basic settings (page 146) for information on how
to prevent a SGN guest user from logging on to Windows.
■
Service account: With service accounts, users (for example rollout operators or members of
the IT team) can log on to endpoints after the installation of SafeGuard Enterprise without
activating the SafeGuard POA and without being added to the endpoints as SGN users (owners).
Users on a service account list are treated as SGN guest users after their Windows logon at
the endpoint.
■
POA user: After activation of the POA it might still be necessary to perform administrative
tasks. POA users are predefined local accounts that are allowed to pass the POA. There is no
automatic logon to Windows: users logging on with POA user accounts log on to Windows with
their existing Windows accounts. The accounts are defined in the Users and Computers area of
the SafeGuard Management Center (user ID and password) and assigned to the endpoint in POA
groups. For further information, see POA users for SafeGuard POA logon (page 113).
16.4 Configuring the SafeGuard Power-on Authentication
The SafeGuard POA dialog consists of these components:
■
Logon image
■
Dialog text
■
Language of the keyboard layout
You can change the look of the SafeGuard POA dialog to suit your preferences by using policy
settings in the SafeGuard Management Center.
16.4.1 Background and logon image
By default the background and logon images that appear in the SafeGuard POA are in SafeGuard
design. You can change these images to show a company logo, for example.
Background and logon images are defined in a policy of the type General Settings.
For usage in SafeGuard Enterprise, background and logon images must fulfill certain requirements:
Background image
Maximum file size for all background images: 500 KB
SafeGuard Enterprise supports two variants for background images:
■
1024x768 (VESA mode)
Colors: no restrictions
Policy of the type General Settings, option Background image in POA
■
640x480 (VGA mode)
Colors: 16
Policy of the type General Settings, option Background image in POA (low resolution)
Logon image
Maximum file size for all logon images: 100 KB
SafeGuard Enterprise supports two variants for logon images:
■
413x140
Colors: no restrictions
Policy of the type General Settings, option Logon image in POA
■
413x140
Colors: 16
Policy of the type General Settings, option Logon image in POA (low resolution)
Images have to be created as files (BMP, PNG, JPG) first and can then be registered in the
navigation window.
16.4.1.1 Register images
1. In the Policies navigation area, right-click Images and select New > Image.
2. Enter a name for the image in the Image name field.
3. Click [...] to select the previously created image.
4. Click OK.
The new image is shown as a subnode of Images in the policy navigation area. If you select the
image, it is displayed in the action area. The image can now be selected when creating policies.
Proceed as described to register further images. All registered images are shown as subnodes.
Note: You can use the Modify Image button to change the picture assigned.
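Before registering an image it helps to confirm that the file meets the requirements in 16.4.1. The following Python script is an added example, not part of SafeGuard: it reads only the PNG or BMP header (JPG carries no palette information and is not handled), compares width, height and palette size with the policy option the image is meant for, and applies the size limit. Reading the 500 KB and 100 KB limits as per-file limits and the "16 colours" rule as a palette of at most 16 entries are interpretations of the text; the sample headers are constructed inline.

```python
"""Header-only pre-check of POA background and logon images (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Requirements from 16.4.1: (width, height, max palette entries or None, max bytes).
# Assumption: the KB limits apply per file, "16 colours" means a palette of <= 16.
REQUIREMENTS: Dict[str, Tuple[int, int, Optional[int], int]] = {
    "Background image in POA":                  (1024, 768, None, 500 * 1024),
    "Background image in POA (low resolution)": (640, 480, 16, 500 * 1024),
    "Logon image in POA":                        (413, 140, None, 100 * 1024),
    "Logon image in POA (low resolution)":       (413, 140, 16, 100 * 1024),
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


@dataclass
class ImageInfo:
    fmt: str
    width: int
    height: int
    colours: Optional[int]  # palette size, or None when not palette-limited


def read_header(data: bytes) -> ImageInfo:
    """Parse the PNG IHDR chunk or the BMP BITMAPINFOHEADER; nothing else is read."""
    if data.startswith(PNG_SIGNATURE):
        if data[12:16] != b"IHDR":
            raise ValueError("PNG without leading IHDR chunk")
        width, height = struct.unpack(">II", data[16:24])     # big-endian
        bit_depth, colour_type = data[24], data[25]
        # Colour type 3 = indexed colour with 2**bit_depth palette entries.
        colours = 2 ** bit_depth if colour_type == 3 else None
        return ImageInfo("PNG", width, height, colours)
    if data.startswith(b"BM"):
        # Width/height are little-endian int32 at offsets 18/22, bits per pixel at 28.
        # A negative height marks a top-down bitmap, so take the absolute value.
        width, height = struct.unpack("<ii", data[18:26])
        bpp = struct.unpack("<H", data[28:30])[0]
        colours = 2 ** bpp if bpp <= 8 else None
        return ImageInfo("BMP", width, abs(height), colours)
    raise ValueError("not a PNG or BMP file")


def check_image(data: bytes, option: str) -> List[str]:
    """Return the violated requirements for the policy option (empty list = usable)."""
    width, height, max_colours, max_bytes = REQUIREMENTS[option]
    info = read_header(data)
    problems = []
    if (info.width, info.height) != (width, height):
        problems.append(f"size is {info.width}x{info.height}, required {width}x{height}")
    if max_colours is not None and (info.colours is None or info.colours > max_colours):
        problems.append(f"more than {max_colours} colours (palette: {info.colours})")
    if len(data) > max_bytes:
        problems.append(f"file is {len(data)} bytes, limit {max_bytes}")
    return problems


# Constructed sample headers (signature/IHDR and BITMAPFILEHEADER/INFOHEADER only).
def png_header(width: int, height: int, bit_depth: int, colour_type: int) -> bytes:
    ihdr = struct.pack(">II", width, height) + bytes([bit_depth, colour_type, 0, 0, 0])
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"  # CRC not checked


def bmp_header(width: int, height: int, bpp: int) -> bytes:
    return (b"BM" + struct.pack("<IHHI", 54, 0, 0, 54)
            + struct.pack("<Iii", 40, width, height) + struct.pack("<HH", 1, bpp))


if __name__ == "__main__":
    print(check_image(png_header(1024, 768, 8, 2), "Background image in POA"))   # []
    print(check_image(bmp_header(413, 140, 24), "Logon image in POA (low resolution)"))
```

For real files, read the whole file in binary mode and pass the bytes; the size check then reflects the actual file size, while the header parse still only looks at the first few dozen bytes.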
16.4.2 User-defined information text in the SafeGuard POA
You can customize the SafeGuard POA to display the following user-defined information texts:
■
Information text to be displayed upon initiating a Challenge/Response procedure for logon
recovery (for example: “Please contact Support Desk on telephone number 01234-56789.”)
You can set an information text by using the option Texts in a policy of the type General
Settings.
■
Legal notices to be displayed after logging on to the SafeGuard POA
You can set a legal notice text by using the option Legal notice text in a policy of the type
Specific Machine Settings.
■
Text for additional information to be displayed after logging on to the SafeGuard POA
You can set an additional information text by using the option Additional information text in
a policy of the type Specific Machine Settings.
16.4.2.1 Register information texts
The text files containing the required information have to be created before registering them in
the SafeGuard Management Center. The maximum file size for information texts is 50 KB.
SafeGuard Enterprise only uses Unicode UTF-16 encoded texts. If you do not create the text files
in this format, they are converted automatically when they are registered. Use special characters
with caution in information texts created for the SafeGuard POA, since some of them may not be
displayed properly.
To register information texts:
1. In the Policies navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents will be displayed in the window on the right-hand side. The text
item can now be selected when creating policies.
Proceed as described to register further text items. All registered text items will be shown as
subnodes.
Note: You can use the Modify Text button to add new text to existing text. When you click this
button a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
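To avoid surprises at registration time, the text file can be converted to UTF-16 and checked against the 50 KB limit beforehand. The following Python script is an added example, not part of SafeGuard: it accepts UTF-8 (with or without BOM) or UTF-16 input, produces UTF-16 LE with a byte-order mark, enforces the size limit, and flags characters outside the Basic Multilingual Plane, which need surrogate pairs in UTF-16. Treating those as the "special characters" that may not display is an assumption; the page names no specific characters. The sample text is constructed.

```python
"""Convert a POA information text to UTF-16 and pre-check it (added example)."""
import codecs
from typing import List

MAX_TEXT_BYTES = 50 * 1024  # 16.4.2.1: maximum file size for information texts


def to_utf16(raw: bytes) -> bytes:
    """Return the text as UTF-16 LE with BOM, from UTF-16 (BOM present) or UTF-8 input."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        text = raw.decode("utf-16")       # the codec honours the BOM
    else:
        text = raw.decode("utf-8-sig")    # strips a UTF-8 BOM if one is present
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def check_text(raw: bytes) -> List[str]:
    """Return problems found in the converted text (empty list = ready to register)."""
    try:
        data = to_utf16(raw)
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8/UTF-16: {exc}"]
    problems = []
    if len(data) > MAX_TEXT_BYTES:
        problems.append(f"{len(data)} bytes after conversion, limit {MAX_TEXT_BYTES}")
    text = data.decode("utf-16")
    # Assumption: characters beyond U+FFFF (surrogate pairs in UTF-16) are the ones
    # most likely to render badly in the POA, so report them for review.
    risky = sorted({c for c in text if ord(c) > 0xFFFF})
    if risky:
        problems.append("characters outside the BMP: "
                        + " ".join(f"U+{ord(c):X}" for c in risky))
    return problems


if __name__ == "__main__":
    # Constructed sample, as a UTF-8 file would be read with open(path, "rb").
    sample = "Please contact Support Desk on telephone number 01234-56789.".encode("utf-8")
    print(check_text(sample))                         # []
    print(to_utf16(sample)[:4])                       # b'\xff\xfeP\x00'
```

Write the returned bytes to a new file and register that file; registering the original UTF-8 file works too, but converting first lets you see exactly what the Management Center will store.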
16.4.3 Language for SafeGuard POA dialog text
After installation of the SafeGuard Enterprise encryption software, the SafeGuard POA dialog
text is displayed in the default language set in the Windows Regions and Language Options on
the endpoint when SafeGuard Enterprise was installed.
You can change the language of the SafeGuard POA dialog text after SafeGuard Enterprise has
been installed by using one of the two following methods:
■
Change the default language in the Windows Regions and Language Options on the endpoint.
After the user has restarted the endpoint twice, the new language setting is active in the
SafeGuard POA.
■
Create a policy of the type General Settings, set the language in the field Language used
on client and deploy the policy to the endpoint.
Note: If you define a policy and deploy it to the endpoint, the language set in the policy applies
instead of the language specified by the Windows Regions and Language Options.
16.4.4 Keyboard layout
Almost every country has its own keyboard layout. The keyboard layout in the SafeGuard POA
is significant when entering user names, passwords and response codes.
By default, SafeGuard Enterprise adopts the keyboard layout in the SafeGuard POA which was
set in Windows Regional and Language Options for the Windows default user at the time
SafeGuard Enterprise was installed. If "German" is the keyboard layout set under Windows, the
German keyboard layout will be used in the SafeGuard POA.
The language of the keyboard layout being used is displayed in the SafeGuard POA, for example
"EN" for English. Apart from the default keyboard layout, the US keyboard layout (English) can
also be used.
There are certain exceptions:
■
The keyboard layout is supported, but the absence of a font (for example for Bulgarian) means
that only special characters are displayed in the User Name field.
■
No specific keyboard layout is available (for example Dominican Republic). In these cases,
the SafeGuard POA falls back on the original keyboard layout. For the Dominican Republic,
this is "Spanish".
■
When the user name and password consist of characters that are not supported by the chosen
keyboard layout or the fallback layout, the user cannot log on at the SafeGuard POA.
Note: All unsupported keyboard layouts use the US keyboard layout by default. This also means
that the only characters that are recognized and can be typed in are those which are supported
in the US keyboard layout. So users can only log on at the SafeGuard POA if their user name
and password is composed of characters that are supported by the US keyboard layout or the
respective fallback keyboard of their language.
Virtual keyboard
SafeGuard Enterprise provides a virtual keyboard which users can show or hide at the SafeGuard
POA and which allows them to enter credentials with on-screen keys.
As a security officer, you activate or deactivate the display of the virtual keyboard in a policy of
the type Specific Machine Settings using the Virtual Keyboard in POA option; there is no other
way to enable it.
The virtual keyboard supports different layouts. The layout is changed with the same options
as the SafeGuard POA keyboard layout.
16.4.4.1 Change the keyboard layout
The SafeGuard Power-on Authentication keyboard layout, including the virtual keyboard layout,
can be changed after installation.
1. Select Start > Control Panel > Regional and Language Options > Advanced.
2. In the Regional Options tab, select the required language.
3. In the Advanced tab, select Apply all settings to the current user account and to the
default user profile under Default user account settings.
4. Click OK.
The SafeGuard POA remembers the keyboard layout used for the last successful logon and
automatically enables it for the next logon. This requires two restarts of the endpoint. If the
remembered keyboard layout is deactivated in Regional and Language Options, it is still used
until the user selects a different one.
Note: You must change the language of the keyboard layout for non-Unicode programs.
If the language you want is not available on the endpoint, Windows may prompt you to install it.
After you have done so, you must restart the endpoint twice so that the SafeGuard Power-on
Authentication can read in the new keyboard layout and can set it.
You can change the required keyboard layout for the SafeGuard Power-on Authentication using
the mouse or keyboard (Alt+Shift).
To see which languages are installed and available on the system, select Start > Run >
regedit > HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.
16.5 Supported Hotkeys in the SafeGuard Power-on
Authentication
Certain hardware settings and functionalities can lead to problems when starting endpoints,
causing the system to no longer respond. The SafeGuard Power-on Authentication supports a
number of hotkeys for modifying these hardware settings and deactivating functionalities.
Furthermore, grey and black lists covering functions known to cause problems are integrated in
the .msi file installed on the endpoint.
We recommend that you install an updated version of the SafeGuard POA configuration file before
any significant deployment of SafeGuard Enterprise. The file is updated on a monthly basis and
made available to download from:
http://www.sophos.com/en-us/support/knowledgebase/65700.aspx.
You can customize this file to reflect the hardware of a particular environment.
Note: When you define a customized file, only this will be used instead of the one integrated in
the .msi file. The default file will be applied only when no SafeGuard POA configuration file is
defined or found.
To install the SafeGuard POA configuration file, enter the following command:
MSIEXEC /i <Client MSI package> POACFG=<path of the SafeGuard POA configuration file>
You can help us improve hardware compatibility by running a tool that we provide; it collects
hardware-relevant information only and is easy to use. The collected information is added to
the hardware configuration file.
For further information, see http://www.sophos.com/en-us/support/knowledgebase/110285.aspx.
The following hotkeys are supported in the SafeGuard POA:
■ Shift F3 = USB Legacy Support (on/off)
■ Shift F4 = VESA graphic mode (off/on)
■ Shift F5 = USB 1.x and 2.0 support (off/on)
■ Shift F6 = ATA Controller (off/on)
■ Shift F7 = USB 2.0 support only (off/on)
  USB 1.x support remains as set by Shift F5.
■ Shift F9 = ACPI/APIC (off/on)
USB Hotkeys dependency matrix

Shift F3   Shift F5   Shift F7   Legacy   USB 1.x   USB 2.0   Comment
off        off        off        on       on        on        3.
on         off        off        off      on        on        Default
off        on         off        on       off       off       1., 2.
on         on         off        on       off       off       1., 2.
off        off        on         on       on        off       3.
on         off        on         off      on        off
off        on         on         on       off       off
on         on         on         on       off       off       2.

1. Shift F5 disables both USB 1.x and USB 2.0.
Note: Pressing Shift F5 during startup will considerably reduce the time it takes to launch the
SafeGuard POA. However, be aware that if the computer uses a USB keyboard or USB mouse,
they might be disabled when you press Shift F5.
2. If no USB support is active, the SafeGuard POA tries to use BIOS SMM instead of backing
up and restoring the USB controller. The Legacy mode may work in this scenario.
3. Legacy support is active, USB is active. The SafeGuard POA tries to back up and restore the
USB controller. The system might hang, depending on the BIOS version used.
You can specify the changes that can be carried out using hotkeys when installing the SafeGuard
Enterprise encryption software by means of a .mst file. This is done using the appropriate call in
combination with msiexec.
NOVESA
  Defines whether VESA or VGA mode is used: 0 = VESA mode (standard); 1 = VGA mode
NOLEGACY
  Defines whether Legacy Support is activated after SafeGuard POA log on: 0 = Legacy Support
  activated; 1 = Legacy Support not activated (standard)
ALTERNATE
  Defines whether USB devices are supported by the SafeGuard POA: 0 = USB support is activated
  (standard); 1 = no USB support
NOATA
  Defines whether the int13 device driver is used: 0 = standard ATA device driver (default);
  1 = Int13 device driver
ACPIAPIC
  Defines whether ACPI/APIC support is used: 0 = no ACPI/APIC support (default); 1 = ACPI/APIC
  support active
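The following script is an added example, not Sophos code, that ties together the POACFG install command and the property table above: it validates the POA properties against the documented 0/1 values before building the msiexec call, so a typo or an out-of-range value fails at build time instead of being silently ignored by Windows Installer. It assumes that the .mst transform is passed with the standard Windows Installer TRANSFORMS property, that the POA properties can be passed as public properties on the command line in the same way the page passes POACFG, and that paths such as C:\Deploy\POACFG.xml are placeholders.

```python
"""Build a validated msiexec command line for the SafeGuard Enterprise client.

Added example, not Sophos code. Assumptions: TRANSFORMS= carries the .mst file,
the POA properties are accepted as public properties on the command line (as
POACFG is on this page), and all file names used below are placeholders.
"""
import os

# Documented POA properties and their allowed values (from the property table above).
POA_PROPERTIES = {
    "NOVESA":    {0: "VESA mode (standard)", 1: "VGA mode"},
    "NOLEGACY":  {0: "Legacy Support activated", 1: "Legacy Support not activated (standard)"},
    "ALTERNATE": {0: "USB support activated (standard)", 1: "no USB support"},
    "NOATA":     {0: "standard ATA device driver (default)", 1: "Int13 device driver"},
    "ACPIAPIC":  {0: "no ACPI/APIC support (default)", 1: "ACPI/APIC support active"},
}


def quote_if_needed(value):
    """Windows Installer needs double quotes around values that contain spaces."""
    value = str(value)
    return f'"{value}"' if " " in value else value


def validate_poa_settings(settings):
    """Return a normalized {name: 0|1} dict; reject unknown names and bad values."""
    normalized = {}
    for name, value in settings.items():
        if name not in POA_PROPERTIES:
            raise ValueError(f"unknown POA property {name!r}")
        try:
            flag = int(value)
        except (TypeError, ValueError):
            raise ValueError(f"{name}={value!r} is not a number") from None
        if flag not in POA_PROPERTIES[name]:
            raise ValueError(f"{name}={value!r} is not allowed; use one of {sorted(POA_PROPERTIES[name])}")
        normalized[name] = flag
    return normalized


def build_msiexec_command(client_msi, poacfg=None, transform=None, poa_settings=None,
                          log_file=None, check_files=True):
    """Return the msiexec command line as a string ready to paste into cmd.exe.

    check_files=False skips the existence checks (used when building the command
    on a machine where the deployment paths do not exist yet).
    """
    settings = validate_poa_settings(poa_settings or {})
    if check_files:
        for path in (client_msi, poacfg, transform):
            if path and not os.path.isfile(path):
                raise FileNotFoundError(path)

    parts = ["msiexec", "/i", quote_if_needed(client_msi)]
    if transform:
        parts.append(f"TRANSFORMS={quote_if_needed(transform)}")
    if poacfg:
        # A customized POA configuration file replaces the one built into the .msi.
        parts.append(f"POACFG={quote_if_needed(poacfg)}")
    for name, flag in settings.items():
        parts.append(f"{name}={flag}")
    if log_file:
        # /l*v writes a verbose install log; keep it when the POA fails to start after install.
        parts += ["/l*v", quote_if_needed(log_file)]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_msiexec_command(r"C:\Deploy\SGNClient.msi", poacfg=r"C:\Deploy\POACFG.xml",
                                poa_settings={"ALTERNATE": 1}, log_file=r"C:\Deploy\sgn install.log",
                                check_files=False))
```

Keep the verbose log from the rollout: when an endpoint hangs at the POA after a hardware change, the log shows which POA properties and which POACFG file were actually applied, which is the first thing to compare against the hotkey matrix above.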
16.6 Disabled SafeGuard POA and Lenovo Rescue and Recovery
If the SafeGuard Power-on Authentication is disabled on the computer, the Rescue and Recovery
authentication should be enabled to protect against access to encrypted files from the Rescue
and Recovery environment.
For details on activating the Rescue and Recovery authentication, refer to the Lenovo Rescue
and Recovery documentation.
17 Administrative access to Windows endpoints
Note: The following descriptions refer to Windows endpoints protected with SafeGuard Enterprise
with SafeGuard Power-on Authentication.
SafeGuard Enterprise uses two types of accounts to enable users to log on to endpoints and
carry out administrative tasks after SafeGuard Enterprise has been installed.
■ Service accounts for Windows logon
  With service accounts, administrators can log on (Windows logon) to endpoints after the
  installation of SafeGuard Enterprise without activating the SafeGuard Power-on Authentication
  and without being added as users to the endpoints. Service account lists are defined in the
  Policies area of the SafeGuard Management Center and assigned in policies to the endpoint.
  Users included on a service account list are treated as guest users when logging on at the
  endpoint.
  Note: Service account lists are assigned to endpoints in policies. They should be assigned
  in the first SafeGuard Enterprise configuration package you create for the configuration of
  endpoints.
  For further information, see Service Account Lists for Windows logon (page 108).
■ POA users for SafeGuard POA logon
  POA users are predefined local accounts that enable users to log on (SafeGuard POA logon)
  to endpoints after the SafeGuard Power-on Authentication has been activated, in order to perform
  administrative tasks. The accounts are defined in the Users and Computers area of the
  SafeGuard Management Center (user ID and password) and assigned to the endpoints by
  means of POA groups included in configuration packages.
  For further information, see POA users for SafeGuard POA logon (page 113).
18 Service Account Lists for Windows logon
Note: Service accounts are only supported for Windows endpoints protected by SafeGuard
Enterprise with SafeGuard Power-on Authentication.
A typical scenario for most implementations is that a rollout team installs new computers in an
environment including the installation of SafeGuard Enterprise. For installation or verification
reasons, rollout operators may log on to the respective computer before the end user receives
the new machine and is able to activate the SafeGuard Power-on Authentication.
Thus, the scenario may be as follows:
1. SafeGuard Enterprise is installed on an endpoint.
2. After restarting the endpoint, the rollout operator logs on.
3. The rollout operator is added to the SafeGuard POA and the POA becomes active. The rollout
operator becomes owner of the endpoint.
When the end user receives the endpoint, they will not be able to log on to the SafeGuard POA.
The user needs to perform a Challenge/Response procedure.
To prevent administrative operations on a SafeGuard Enterprise protected endpoint from activating
the SafeGuard Power-on Authentication and adding rollout operators as users and machine owners
to the endpoint, SafeGuard Enterprise allows you to create service account lists for SafeGuard
Enterprise protected endpoints. The users included in these lists are treated as SafeGuard
Enterprise guest users.
With service accounts the scenario is as follows:
1. SafeGuard Enterprise is installed on an endpoint.
2. After restarting the endpoint, a rollout operator included on a service account list logs on
(Windows logon).
3. According to the service account list applied to the computer the user is identified as a service
account and is treated as a guest user.
The rollout operator is not added to the SafeGuard POA and the POA does not become active.
The rollout operator does not become owner of the endpoint. The end user can log on and activate
the SafeGuard POA.
Note: Service account lists are assigned to endpoints in policies. They should be assigned in
the first SafeGuard Enterprise configuration package you create for the configuration of endpoints.
18.1 Create service account lists and add users
1. In the navigation area, click Policies.
2. In the policy navigation window, select Service Account Lists.
3. In the context menu of Service Account Lists, click New > Service account list.
4. Enter a name for the service account list and click OK.
5. Select the new list under Service account lists in the policy navigation window.
6. Right-click in the action area to open the context menu for the service account list. In the
context menu, select Add.
A new user line is added.
7. Enter the User Name and the Domain Name in the respective columns and press Enter. To
add further users, repeat this step.
8. Save your changes by clicking the Save icon in the toolbar.
The service account list is now registered and can be selected for assignment when creating a
policy.
18.2 Additional information for entering user and domain
names
There are different methods for specifying users in service account lists using the two fields User
Name and Domain Name. Restrictions also apply for valid input in these fields.
Covering different combinations for logging on
The two separate fields User Name and Domain Name per list entry allow you to cover all
available combinations for logging on, for example "user@domain" or "domain\user".
To handle several user name/domain name combinations, you can use asterisks (*) as wildcards.
An asterisk is allowed as the first character, the last character and the only character.
For example:
■ User Name: Administrator
■ Domain Name: *
This combination specifies all users with the user name "Administrator" who log on to any network
or local machine.
The predefined domain name [LOCALHOST] available in the drop-down list of the Domain Name
field stands for the logon on any local computer.
For example:
■ User Name: *admin
■ Domain Name: [LOCALHOST]
This combination specifies all users whose user names end in "admin" and who log on to any
local machine.
Users may log on in different ways.
For example:
■ user: test, domain: mycompany or
■ user: test, domain: mycompany.com.
As domain specifications in the service account lists are not automatically resolved, there are
three possible ways to specify the domain correctly:
■ You know exactly how the user is going to log on and enter the domain accordingly.
■ You create several service account list entries.
■ You use wildcards to cover all the different cases (user: test, domain: mycompany*).
Note: Windows may not always pass the same character sequence but may truncate names. To avoid
problems caused by this, we recommend that you enter both the fully qualified domain name and
the NetBIOS name, or use wildcards.
Restrictions
Asterisks are only allowed as the first character, the last character and the only character. The
following are examples of valid and invalid strings using asterisks:
■ Valid strings include admin*, *, *strator, *minis*.
■ Invalid strings include **, Admin*trator, Ad*minst*.
In addition, the following restrictions apply:
■ The character ? is not allowed in user logon names.
■ The characters / \ [ ] : ; | = , + * ? < > " are not allowed in domain names (an asterisk is only
  permitted as the wildcard described above, and [LOCALHOST] is the predefined local machine entry).
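The matcher below is an added example, not Sophos code. It shows how a (User Name, Domain Name) entry is validated against the restrictions above and how a Windows logon in either the "domain\user" or the "user@domain" form is checked against a list. It assumes that comparison is literal and case-insensitive (the page says domain names are not resolved, so "mycompany" and "mycompany.com" are different strings), that a logon against the local machine is recognised when the domain part is empty, "." or the computer name, and the sample list is constructed from the three examples on this page.

```python
"""Service account list syntax check and logon matching (added example, not Sophos code).

Assumptions: literal, case-insensitive comparison; a local logon has an empty
domain, '.' or the computer name as its domain part; the sample list is constructed.
"""

LOCALHOST = "[LOCALHOST]"
FORBIDDEN_DOMAIN_CHARS = set('/\\[]:;|=,+*?<>"')


def parse_pattern(value):
    """Split a list entry into (core, leading_star, trailing_star).

    An asterisk may only be the first, the last or the only character, so
    '**', 'Admin*trator' and 'Ad*minst*' are rejected.
    """
    if value == "*":
        return "", True, True
    lead, trail = value.startswith("*"), value.endswith("*")
    core = value[1 if lead else 0:len(value) - 1 if trail else len(value)]
    if not core or "*" in core:
        raise ValueError(f"invalid wildcard use in {value!r}")
    return core, lead, trail


def pattern_matches(pattern, text):
    core, lead, trail = parse_pattern(pattern)
    core, text = core.casefold(), text.casefold()
    if lead and trail:
        return core in text            # '*minis*', or '*' which matches everything
    if lead:
        return text.endswith(core)     # '*admin'
    if trail:
        return text.startswith(core)   # 'mycompany*'
    return text == core


def validate_entry(user, domain):
    """Apply the page's restrictions to one service account list entry."""
    if "?" in user:
        raise ValueError("'?' is not allowed in user logon names")
    parse_pattern(user)
    if domain != LOCALHOST:
        core, _, _ = parse_pattern(domain)
        bad = FORBIDDEN_DOMAIN_CHARS & set(core)
        if bad:
            raise ValueError(f"domain name contains forbidden characters {sorted(bad)}")
    return True


def split_logon(logon, computer_name):
    """Return (user, domain) for 'DOMAIN\\user', 'user@domain' or a bare 'user'."""
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
    elif "@" in logon:
        user, domain = logon.rsplit("@", 1)
    else:
        user, domain = logon, ""
    if domain in ("", ".") or domain.casefold() == computer_name.casefold():
        domain = LOCALHOST             # logon against the local machine
    return user, domain


def is_service_account(logon, computer_name, service_account_list):
    """True if the logon matches a list entry and is therefore treated as a guest
    logon that neither activates the POA nor adds the user to the endpoint."""
    user, domain = split_logon(logon, computer_name)
    for entry_user, entry_domain in service_account_list:
        validate_entry(entry_user, entry_domain)
        if entry_domain == LOCALHOST:
            domain_ok = domain == LOCALHOST
        else:
            domain_ok = pattern_matches(entry_domain, domain)
        if domain_ok and pattern_matches(entry_user, user):
            return True
    return False


# Constructed sample list: the three examples used on this page.
SAMPLE_LIST = [
    ("Administrator", "*"),        # 'Administrator' on any domain or local machine
    ("*admin", LOCALHOST),         # local accounts whose name ends in 'admin'
    ("test", "mycompany*"),        # covers both 'mycompany' and 'mycompany.com'
]
```

Keep lists narrow: an entry such as User Name * with Domain Name * turns every Windows logon into a guest logon, so no end user would ever activate the POA on those endpoints.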
18.3 Edit and delete service account lists
As a security officer with the Modify service account lists right, you can edit or delete service
account lists at any time:
■ To edit a service account list, click it in the policy navigation window. The service account list
  is opened in the action area and you can add, delete or modify user names on the list.
■ To delete a service account list, select it in the policy navigation window, open the context
  menu and select Delete.
18.4 Assign a service account list in a policy
1. Create a new policy of the type Authentication or select an existing one.
2. Under Logon Options, select the required service account list from the Service Account
List drop-down list.
Note: The default setting is [No list], this means that no service account list applies. Rollout
operators logging on to the endpoint after installation of SafeGuard Enterprise are not treated
as guest users and may activate SafeGuard Power-on Authentication and be added to the
endpoint. To undo the assignment of a service account list, select the [No list] option.
3. Save your changes by clicking the Save icon in the toolbar.
You can now transfer the policy to the respective endpoints to make the service accounts available
on them.
Note: If you select different service account lists in different policies which are all relevant
according to the RSOP (Resulting Set of Policies, the settings valid for a specific computer/group),
the service account list assigned in the last policy applied overrules all previously assigned service
account lists. Service account lists are not merged. To view the RSOP in Users and Computers,
you need at least Read Only access rights for the relevant objects.
18.5 Transfer the policy to the endpoint
The service account list functionality is especially helpful and important during initial installation
in the rollout phase of an implementation. We therefore recommend that you transfer the service
account settings to the endpoint immediately after installation. To make the service account list
available on the endpoint at this point, include a policy of the type Authentication when you
create the initial configuration package for configuring the endpoint after installation.
You can change the service account list settings at any time, create a new policy and transfer it
to endpoint.
18.6 Log on to an endpoint using a service account
At the first Windows logon after restarting the endpoint, a user included on a service account list
logs on to the endpoint as a SafeGuard Enterprise guest user. This first Windows logon to the
endpoint neither triggers a pending SafeGuard Power-on Authentication nor adds the user to the
endpoint. The SafeGuard Enterprise System Tray icon balloon tool tip "Initial user synchronization
completed" is not displayed.
Service account status display on the endpoint
The guest user logon status is also available through the System Tray Icon. For further information,
see the SafeGuard Enterprise user help, chapter System Tray icon and tool tips (description of
the SGN user state field).
18.7 Log events
Actions performed regarding service account lists are reported by the following log events:
SafeGuard Management Center
■ Service account list <name> created
■ Service account list <name> modified
■ Service account list <name> deleted
SafeGuard Enterprise protected endpoint
■ Windows user <domain/user name> logged on at <timestamp> to machine <domain/workstation
  name> as SGN service account.
■ New service account list <name> imported.
■ Service account list <name> deleted.
19 POA users for SafeGuard POA logon
Note: POA users are only supported for Windows endpoints protected by SafeGuard Enterprise
with SafeGuard Power-on Authentication.
After SafeGuard Enterprise has been installed and the SafeGuard Power-on Authentication (POA)
has been activated, access to endpoints to perform administrative tasks may be required. With
POA users, users (for example members of the IT team) can log on at the SafeGuard Power-on
Authentication on endpoints for administrative tasks without having to initiate a Challenge/Response
procedure. There is no automatic logon to Windows. The users logging on with POA user accounts
log on to Windows with their existing Windows accounts.
You can create POA users, group them into POA groups and assign groups to endpoints. The
users included in the POA group are added to the SafeGuard POA and can log on using their
predefined user name and password.
Note: To manage POA users and POA groups you need Full access rights for the POA node
under Users and Computers.
19.1 Create POA users
To create POA users, you need Full access rights for the POA node under Users and Computers.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation window under POA, select POA Users.
3. In the context menu of POA Users, click New > Create new user.
The Create new user dialog is displayed.
4. In the Full name field, enter a name (the logon name) for the new POA user.
5. Optionally, enter a description for the new POA user.
6. Enter a password for the new POA user and confirm it.
Note: To enhance security, the password should meet minimum complexity requirements, for
example a minimum length of 8 characters and a mixture of letters, digits and other characters.
If the password you have entered is too short, a warning message is displayed.
7. Click OK.
The new POA user is created and displayed under POA Users in the Users and Computers
navigation area.
19.2 Change the password for a POA user
To edit POA users, you need Full access rights for the POA node under Users and Computers.
1. Click Users and Computers in the navigation area of the SafeGuard Management Center.
2. In the Users and Computers navigation window under POA, POA Users, select the relevant
POA user.
3. In the context menu of the POA user, select Properties.
The properties dialog for the POA user is displayed.
4. On the General tab under User Password, enter the new password and confirm it.
5. Click OK.
The new password applies for the relevant POA user.
19.3 Delete POA users
To delete POA users, you need Full access rights for the POA node under Users and Computers.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation window under POA, POA Users, select the relevant
POA user.
3. Right-click on the POA user and select Delete from the context menu.
The POA user is deleted. It is no longer displayed in the Users and Computers navigation
window.
Note: If the user is part of one or several POA groups, the POA user is also removed from all
groups. However, the POA user is still available on the endpoint until the POA group has been
unassigned.
19.4 Create POA groups
To create POA groups, you need Full access rights for the POA node under Users and
Computers.
To assign POA users to endpoints, the accounts must be arranged in groups.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation area under POA, select POA Groups.
3. In the context menu of POA Groups, click New > Create new group.
The Create new group dialog is displayed.
4. In the Full name field, enter a name for the new POA group.
5. Optionally, enter a description.
6. Click OK.
The new POA group is created. It is displayed under POA Groups in the Users and Computers
navigation area. You can now add POA users to the POA group.
19.5 Add users to POA groups
To edit POA groups, you need Full access rights for the POA node under Users and Computers.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation window under POA, POA Groups, select the relevant
POA group.
In the action area of the SafeGuard Management Center on the right-hand side, the Members
tab is displayed.
3. In the SafeGuard Management Center toolbar, click the Add icon (green plus sign).
The Select member object dialog is displayed.
4. Select the user you want to add to the group.
5. Click OK.
The POA user is added to the group and displayed in the Members tab.
19.6 Remove users from POA groups
To edit POA groups, you need Full access rights for the POA node under Users and Computers.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation window under POA, POA Group, select the relevant
POA group.
In the action area of the SafeGuard Management Center on the right-hand side, the Members
tab is displayed.
3. Select the user you want to remove from the group.
4. In the SafeGuard Management Center toolbar, click the Remove (Delete) icon (red cross
sign).
The user is removed from the group.
19.7 Assigning POA users to endpoints
Note: To assign POA users to endpoints, the accounts must be arranged in groups.
How you assign and unassign POA users to endpoints depends on the type of endpoint:
■
For managed endpoints, POA groups can be assigned in the POA Group Assignment tab
in Users and Computers.
■
For unmanaged endpoints which run in standalone mode and are not connected to the
SafeGuard Enterprise Server, a configuration package with a POA group must be created and
deployed.
19.7.1 Assign POA users to managed endpoints
To assign POA users to managed endpoints, you need Full access or Read only rights for the
relevant POA group and Full access rights for the relevant containers.
Note: Assignment of POA users is only valid for managed SafeGuard Enterprise endpoints from
version 5.60.
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the Users and Computers navigation window, select the required container.
3. In the action area of the SafeGuard Management Center, select the POA Group Assignment
tab.
Under POA Groups on the right-hand side, all available POA groups are displayed.
4. Drag the required POA group from POA Groups into the POA Group Assignment action
area.
The POA group’s GroupName and Group DSN are displayed in the work area.
5. Save your changes to the database.
All members of the POA group assigned are deployed to all endpoints in the container selected.
You can unassign a POA group or change the assigned POA group by proceeding as described
and dragging groups from and to the action area of the POA Group Assignment tab and the
POA Groups area.
After you have saved your changes in the database, the new assignment applies.
19.7.2 Assign POA users to unmanaged endpoints
To assign POA users to unmanaged endpoints, you need Read only or Full access rights for
the relevant POA group.
POA users are assigned to unmanaged endpoints (operating in standalone mode) in configuration
packages.
1. In the SafeGuard Management Center, select Configuration Package Tool from the Tools
menu.
2. Select an existing configuration package or create a new one.
3. Specify a POA Group created beforehand in the Users and Computers area of the SafeGuard
Management Center, to be applied to the endpoints.
A no list group is available for selection by default. This group can be used to delete a POA
group assignment on endpoints.
4. Specify an output path for the configuration package.
5. Click Create Configuration Package.
6. Deploy the configuration package to the endpoints.
By installing the configuration package, the users included in the group are added to the SafeGuard
POA on the endpoints. The POA users are available for POA logon.
Note: When you upgrade unmanaged endpoints to managed, the POA users remain active, if
they have also been assigned in the SafeGuard Management Center. The passwords set in the
POA groups deployed in configuration packages are set to the ones specified in the SafeGuard
Management Center. Passwords changed using F8 are overwritten. For further information on
upgrading unmanaged endpoints to managed, see the SafeGuard Enterprise upgrade guide.
19.7.3 Unassign POA users from unmanaged endpoints
POA users can be deleted from unmanaged endpoints by assigning an empty POA group:
1. In the SafeGuard Management Center, select the Configuration Package Tool from the
Tools menu.
2. Select an existing configuration package or create a new one.
3. Specify an empty POA Group created beforehand in the Users and Computers area of the
SafeGuard Management Center, or select the no list POA group that is available by default
in the Configuration Package Tool.
4. Specify an output path for the configuration package.
5. Click Create Configuration Package.
6. Deploy the configuration package to the endpoints.
By installing the configuration package, all POA users are removed from the endpoints, so all
relevant POA users are removed from the SafeGuard POA.
19.7.4 Change POA users assignments on unmanaged endpoints
1. Create a new POA group or modify an existing one.
2. Create a new configuration package and select the new or modified POA group.
3. Deploy the new configuration package to the endpoint.
The new POA group is available on the endpoint and all POA users included are added to the
POA. The new group overwrites the old one. POA groups are not merged.
19.8 Log on to an endpoint with a POA user
1. Switch on the endpoint.
The SafeGuard Power-on Authentication logon dialog is displayed.
2. Enter the User name and the Password of the predefined POA user.
You are not automatically logged on to Windows. The Windows logon dialog is displayed.
3. In the Domain field, select the domain <POA>.
4. Log on to Windows using your existing Windows user account.
19.8.1 Local password change
If the password of a POA user has been changed with F8, the change is not synchronized with
other endpoints. The administrator must change the password for this user centrally.
20 Policy settings
SafeGuard Enterprise policies include all settings needed to implement a company-wide security
policy on endpoints.
SafeGuard Enterprise policies can incorporate settings for the following areas (policy types):
■ General Settings
  Settings for transfer rate, customization, logon recovery, background images, and so on.
■ Authentication
  Settings for logon mode, device lock, etc.
■ PIN
  Defines requirements for used PINs.
■ Passwords
  Defines requirements for used passwords.
■ Passphrase
  Defines requirements for passphrases used for SafeGuard Data Exchange.
■ Device Protection
  Settings for volume- or file-based encryption (including settings for SafeGuard Data Exchange,
  SafeGuard Cloud Storage and SafeGuard Portable): algorithms, keys, the drives on which
  data is to be encrypted, and so on.
■ Specific Machine Settings
  Settings for SafeGuard Power-on Authentication (activate/deactivate), secure Wake on LAN,
  display options, and so on.
■ Logging
  Defines events to be logged and their output destinations.
■ Configuration Protection
  Note: Configuration Protection is only supported for SafeGuard Enterprise Clients up to
  Version 6.0. This policy type is still available in the 7.0 SafeGuard Management Center to
  support old clients that have Configuration Protection applied.
  Settings (allow/block) for the usage of ports and peripheral devices (removable media, printers,
  and so on).
■ File Encryption
  Settings for file-based encryption on local drives and network locations, especially for work
  groups on network shares.
In the SafeGuard Management Center, default policies are available for all policy types. For
Device Protection policies, policies for full disk encryption (target: mass storage), Cloud Storage
(target: DropBox) and Data Exchange (target: removable media) are available. The options in
these default policies are set to the relevant values.You can modify the default settings according
to your requirements. The default policies are named <policy type> (Default).
Note: The names of the default policies depend on the language setting during installation. If
you change the language of the SafeGuard Management Center afterwards, the default policy
names remain in the language set during installation.
20.1 General settings
Policy setting / Explanation

LOADING OF SETTINGS

Policy Loopback
  Replay Machine Settings
  If Replay Machine Settings is selected in the field Policy Loopback, and the policy originates
  from a machine (Replay Machine Settings in a user policy does not have any effect), this policy
  is implemented again at the end. This then overrides any user settings and the machine settings
  apply.

  Ignore User
  If you select Ignore User for a policy (machine policy) in the field Policy Loopback and the
  policy originates from a machine, only the machine settings are analyzed. User settings are not
  analyzed.

  No Loopback
  No Loopback is the standard behavior: User policies take priority over machine policies.

  How are the settings "Ignore User" and "Replay Machine Settings" analyzed?
  If there are active policy assignments, the machine policies are analyzed and consolidated first.
  If consolidation of the various policies results in the Ignore User attribute in policy loopback,
  policies that would have been applied for the user are no longer analyzed. This means that the
  same policies apply to the user as to the machine.
  If the Replay Machine Settings value is applied in the case of the policy loopback, once the
  individual machine policies have been consolidated, the user policies are then merged with the
  machine policies. After consolidation, the machine policies are re-written and override any user
  policy settings. This means that if a setting is present in both policies, the machine policy value
  overrides the user policy value. If the consolidation of individual machine policies results in "not
  configured", the following applies: User settings take priority over machine settings.
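The consolidation order described above, as an added example that is not Sophos code: machine policies are merged first, the loopback value is read from that result only, and the user policies are then ignored, allowed to win, or overridden by a replay of the machine settings. The same last-writer-wins rule is what makes service account lists non-mergeable in the RSOP (the list from the last applicable policy replaces earlier ones). Assumptions: a policy is a dict of setting name to value, None stands for "not configured", policies are consolidated in assignment order with a later configured value overriding an earlier one, and the sample policies are constructed for the example.

```python
"""Resulting Set of Policies with the three Policy Loopback modes.

Added example, not Sophos code. Assumptions: dict-of-settings policies, None ==
'not configured', consolidation in assignment order, constructed sample policies.
"""
NOT_CONFIGURED = None
LOOPBACK = "Policy Loopback"
NO_LOOPBACK, IGNORE_USER, REPLAY_MACHINE = "No Loopback", "Ignore User", "Replay Machine Settings"


def consolidate(policies):
    """Merge policies in order; 'not configured' never overrides a configured value."""
    result = {}
    for policy in policies:
        for setting, value in policy.items():
            if value is not NOT_CONFIGURED:
                result[setting] = value
    return result


def resulting_set_of_policies(machine_policies, user_policies):
    machine = consolidate(machine_policies)
    # Loopback is read from the consolidated machine policies only; a value set in
    # a user policy has no effect, and 'not configured' behaves like No Loopback.
    loopback = machine.get(LOOPBACK, NO_LOOPBACK)
    if loopback == IGNORE_USER:
        return dict(machine)                  # user policies are not analyzed at all
    user = consolidate(user_policies)
    user.pop(LOOPBACK, None)
    merged = dict(machine)
    merged.update(user)                       # No Loopback: user settings take priority
    if loopback == REPLAY_MACHINE:
        merged.update(machine)                # replay: machine settings win wherever configured
    return merged


# Constructed sample: two machine policies and one user policy.
MACHINE_POLICIES = [
    {LOOPBACK: NOT_CONFIGURED, "Enable Local Self Help": "No",
     "Connection interval to server (minutes)": 90,
     "Service Account List": "Rollout team"},
    {LOOPBACK: REPLAY_MACHINE, "Enable Local Self Help": NOT_CONFIGURED,
     "Enable logon recovery via C/R": "Yes",
     "Service Account List": "Helpdesk"},        # replaces, does not merge with, "Rollout team"
]
USER_POLICIES = [
    {LOOPBACK: IGNORE_USER, "Enable Local Self Help": "Yes", "Language used on client": "en"},
]

if __name__ == "__main__":
    for setting, value in sorted(resulting_set_of_policies(MACHINE_POLICIES, USER_POLICIES).items()):
        print(f"{setting}: {value}")
```

When auditing why an endpoint ignores a user-level setting, check the consolidated machine result for Ignore User or Replay Machine Settings first; with either value a user policy never wins, no matter how it is assigned.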
TRANSFER RATE

Connection interval to server (minutes)
  Determines the period in minutes after which a SafeGuard Enterprise Client sends a policy
  (changes) enquiry to the SafeGuard Enterprise Server.
  Note: To prevent a large number of clients contacting the server at the same time, communication
  is carried out during a period of +/- 50% of the interval you set. Example: If you set "90 minutes",
  communication occurs after an interval that can be from 45 to 135 minutes.
LOGGING

Feedback after number of events
  The log system, implemented as the Win32 service "SGM LogPlayer", collects log entries generated
  by SafeGuard Enterprise for the central database and stores them in local log files. These are
  located in the Local Cache in the "Auditing\SGMTransLog" directory. These files are transferred
  to the transport mechanism which then sends them to the database through the SGN Server.
  Transfer takes place as soon as the transport mechanism has succeeded in creating a connection
  to the server. The log file therefore increases in size until a connection has been established.
  To limit the size of each log file, it is possible to set a maximum number of log entries in the
  policy. Once the preset number of entries has been reached the logging system places the log
  file in the SGN Server transport queue and starts a new log file.
CUSTOMIZATION

Language used on client
  Language in which settings for SafeGuard Enterprise are displayed on the endpoint:
  You can select a supported language or the endpoint's operating system language setting.
LOGON RECOVERY

Activate logon recovery after Windows Local Cache corruption
  The Windows Local Cache is the start and the end point for the data exchange between the
  endpoint and the server. It stores all keys, policies, user certificates and audit files. All data
  stored in the local cache is signed, so it cannot be changed manually without the change being
  detected.
  By default, logon recovery after Local Cache corruption is deactivated. This means the Local
  Cache will be restored automatically from its backup. In this case, no Challenge/Response
  procedure is required for repairing the Windows Local Cache. If the Windows Local Cache is to be
  repaired explicitly with a Challenge/Response procedure, set this field to Yes.
Local Self Help

Enable Local Self Help
  Determines whether users are permitted to log on to endpoints with Local Self Help if they have
  forgotten their password. With Local Self Help, users can log on by answering a specified number
  of previously defined questions in the SafeGuard Power-on Authentication. They can regain
  access to their computers even if neither telephone nor internet connection are available.
  Note: For the user to be able to use Local Self Help, automatic logon to Windows must be
  enabled. Otherwise, Local Self Help will not work.

Minimum length of answers
  Defines the minimum character length for Local Self Help answers.

Welcome text under Windows
  Specify the custom text to be displayed in the first dialog when launching the Local Self Help
  Wizard on the endpoint. Before you can specify the text here, it has to be created and registered
  in the policy navigation area under Texts.

Users can define their own questions
  As a security officer, you can define the set of questions to be answered centrally and distribute
  it to the endpoint in the policy. However, you can also grant the users the right to define their
  own questions. To entitle users to define their own questions, select Yes.
Challenge / Response (C/R)
Enable logon recovery via C/R
Determines whether a user is permitted to generate a challenge in
the SafeGuard Power-on Authentication (POA) to regain access to
their computer with a Challenge/Response procedure.
Yes: User is permitted to generate a challenge. In this case, the user
can regain access to their computer with a C/R procedure in an
emergency.
No: User is not permitted to issue a challenge. In this case, the user
cannot initiate a C/R procedure to regain access to their computer in
an emergency.
Allow automatic logon to
Windows
Allows a user to log on to Windows automatically after authentication
with Challenge/Response.
Yes: User is automatically logged on to Windows.
No: Windows logon screen appears.
Example: A user has forgotten their password. After the
Challenge/Response procedure, SafeGuard Enterprise logs the user
on at the endpoint without a SafeGuard Enterprise password. In this
case automatic Windows logon is switched off and the Windows logon
screen is displayed. The user cannot log on because they do not know
the SafeGuard Enterprise password (= Windows password). The
setting Yes allows automatic logon and the user is able to move on
from the Windows logon screen.
Information text
Display information text when a Challenge/Response procedure is
initiated in the SafeGuard POA. For example: "Please contact Support
Desk on telephone number 01234-56789".
Before you specify a text here, you must create it as a text file in the
Policies navigation area under Texts.
IMAGES
Prerequisite:
New images must be registered in the Policies navigation area of
the SafeGuard Management Center under Images. The images will
only be available after registration. Supported formats: .BMP, .PNG,
.JPEG.
Background image in POA
Background image in POA (low resolution)
Replace the blue SafeGuard Enterprise background with a custom
background image. Customers may for example use the company
logo in SafeGuard POA and at Windows logon. Maximum file size for
all background bitmaps: 500 KB.
Normal:
Resolution: 1024x768 (VESA mode)
Colors: unlimited
Low:
Resolution: 640x480 (VGA mode)
Colors: 16 colors
Logon image in POA
Logon image in POA (low resolution)
Replaces the SafeGuard Enterprise image displayed during SafeGuard
POA logon with a custom image, for example a company logo.
Normal:
Resolution: 413 x 140 pixels
Colors: unlimited
Low:
Resolution: 413 x 140 pixels
Colors: 16 colors
File Encryption
Trusted Applications
For file-based encryption by File Encryption and SafeGuard Data
Exchange, you can specify applications as trusted to grant them
access to encrypted files. This is for example necessary to enable
antivirus software to scan encrypted files.
Enter the applications you want to define as trusted in the editor list
box of this field. Applications must be entered as fully qualified paths.
Ignored Applications
For file-based encryption by File Encryption and SafeGuard Data
Exchange, you can specify applications as ignored to exempt them
from transparent file encryption/decryption. For example, if you define
a backup program as an ignored application, encrypted data backed
up by the program remains encrypted.
Enter the applications you want to define as ignored in the editor list
box of this field. Applications must be entered as fully qualified paths.
Ignored Devices
For file-based encryption by File Encryption and SafeGuard Data
Exchange, you can exclude entire devices (for example disks) from
file-based encryption.
In the editor list box, select Network to select a predefined device,
or enter the required device names to exclude specific devices from
encryption.
Enable persistent encryption
For file-based encryption by File Encryption and SafeGuard Data
Exchange, you can configure persistent encryption. With persistent
encryption, copies of encrypted files will be encrypted, even when
they are saved in a location not covered by an encryption rule.
This policy setting is activated by default.
User is allowed to set default keys
For file-based encryption by Cloud Storage you can configure whether
the user is allowed to set a default key for encryption or not. If allowed,
the Set default key command is added to the Windows Explorer
context menu of Cloud Storage synchronization folders. Users can
use the command to specify separate default keys to be used for
encryption of different synchronization folders.
20.2 Authentication
Policy Setting
Explanation
ACCESS
User may only boot from internal hard disk
Note: This setting is only supported by endpoints with an earlier
SafeGuard Enterprise version than 6.1 installed. It was used to
enable recovery by allowing the user to start the endpoint from
external media. As of version 6.1 this setting does not have any
effect on endpoints. For the recovery scenario concerned, you can
use recovery with Virtual Clients, see Challenge/Response using
Virtual Clients (page 230).
Determines whether users may start the computer from the hard
drive and/or another medium.
YES: Users can only boot from the hard disk. The SafeGuard POA
does not offer the option to start the computer with a floppy disk or
other external media.
NO: Users may start the computer from hard disk, floppy disk or
external medium (USB, CD etc.).
LOGON OPTIONS
Logon mode
Determines how users need to authenticate themselves at the
SafeGuard POA.
User ID/Password
Users have to log on with their user name and password.
Token
The user can only log on to the SafeGuard POA using a token
or smartcard. This process offers a higher level of security. The
user is requested to insert the token at logon. User identity is
verified by token ownership and PIN presentation. After the
user has entered the correct PIN, SafeGuard Enterprise
automatically reads the data for user logon.
Note: Once this logon process has been selected, users can only
log on using a previously issued token.
You can combine the settings User ID/Password and Token. To
test whether logon using a token works, first select both settings.
Only deselect the User ID/Password logon mode if authentication
using the token was successful. In order to switch between logon
modes, allow users to log on once while the two settings are
combined or they might run into a logon deadlock. You must also
combine the two settings, if you want to allow Local Self Help for
token logon.
Fingerprint
Select this setting to enable logon with Lenovo Fingerprint
Reader. Users to whom this policy applies can then log on with
a fingerprint or a user name and password. This procedure
provides the maximum level of security. When logging on, users
swipe their fingers over the fingerprint reader. Upon successful
recognition of the fingerprint, the SafeGuard Power-on
Authentication process reads the user’s credentials and logs
the user on to Power-on Authentication. The system then
transfers the credentials to Windows, and the user is logged
on to the computer.
Note: After selecting this logon procedure, the user can only
log on with a pre-enrolled fingerprint or a user name and
password. Token and fingerprint logon procedures cannot be
combined on the same computer.
Logon options using token
Determines the type of token or smartcard to be used at the
endpoint.
Non-cryptographic:
Authentication at the SafeGuard POA and Windows, based on
user credentials.
Kerberos:
Certificate-based authentication at the SafeGuard POA and
Windows.
For managed endpoints, the security officer issues a certificate
in a PKI and stores it on the token. This certificate is imported
as a user certificate into the SafeGuard Enterprise Database.
If an automatically generated certificate already exists in the
database, it is replaced by the imported certificate.
Cryptographic tokens cannot be used for unmanaged endpoints.
Note: In case of logon problems with a Kerberos token, neither
Challenge/Response nor Local Self Help is available for logon
recovery. Only the Challenge/Response procedure using Virtual
Clients is supported. It enables users to regain access to
encrypted volumes on their endpoints.
PIN used for autologon with token
Specify a default PIN to enable the user to automatically log on at
the SafeGuard Power-on Authentication using a token or smartcard.
The user is requested to insert the token at logon and is then
passed through the SafeGuard Power-on Authentication. Windows
will be started.
PIN rules do not need to be observed.
Note:
This option is only available if Token has been selected as
Logon mode.
If this option is selected, then Pass through to Windows must
be set to Disable pass-through to Windows.
Display unsuccessful logons for this user
If this is set to Yes: After logon at the SafeGuard POA and
Windows, a dialog is shown containing information on the last failed
logon (user name/date/time).
Display last user logon
If this is set to Yes: After logon at the SafeGuard POA and
Windows, a dialog is shown containing information on the
last successful logon (user name/date/time)
last user credentials of the logged on user
Disable 'forced logoff' in workstation lock
Note: This setting only takes effect on endpoints with Windows
XP. Windows XP is no longer supported as of SafeGuard Enterprise
6.1. This policy setting is still available in the SafeGuard
Management Center to support SafeGuard Enterprise 6 clients
managed with a 7.0 Management Center.
If users wish to leave the endpoint for a short time only, they can
click Block workstation to lock the computer for other users and
unlock it with the user password. No: The user who has locked the
computer as well as an administrator can unlock it. If an
administrator unlocks the computer, the currently logged on user
is logged off automatically. Yes: Changes this behavior. In this
case, only the user can unlock the computer. The administrator
cannot unlock it and the user will not be logged off automatically.
Activate user/domain preselection
Yes: The SafeGuard POA saves the user name and domain of the
last logged on user. Users therefore do not need to enter their user
name every time they log on.
No: The SafeGuard POA does not save the user name and the
domain of the last logged on user.
Service Account List
To prevent administrative operations on a SafeGuard Enterprise
protected endpoint leading to an activation of the Power-on
Authentication and the addition of rollout operators as users to the
endpoint, SafeGuard Enterprise allows you to create service
account lists for Windows logon at SafeGuard Enterprise endpoints.
The users listed are treated as SafeGuard Enterprise guest users.
Before you select a list here you must first create the lists in the
Policies navigation area under Service Account Lists.
Pass through to Windows
Note: For the user to be able to grant other users access to their
computer, the user has to be permitted to deactivate logon
passthrough to Windows.
Let user choose freely
The user can decide by selecting/deselecting this option in the
SafeGuard POA logon dialog whether automatic logon at
Windows is to be performed.
Disable pass-through to Windows
After the SafeGuard POA logon, the Windows logon dialog will
be displayed. The user has to log on to Windows manually.
Enforce pass-through to Windows
The user will always be automatically logged on to Windows.
BITLOCKER OPTIONS
BitLocker Logon Mode for Boot Volumes
The following options are available:
TPM: The key for logon is stored on the TPM (Trusted Platform
Module) chip.
TPM + PIN: The key for logon is stored on the TPM chip and
a PIN is also required for logon.
Startup Key: The key for logon is stored on a USB memory
stick.
TPM + Startup Key: The key for logon is stored on the TPM
chip and on a USB memory stick. Both are needed for logon.
Note: To be able to use TPM + PIN, TPM + Startup Key or
Startup Key enable the Group Policy Require additional
authentication at startup either in Active Directory or on
computers locally. In the Local Group Policy Editor (gpedit.msc)
the Group Policy can be found here: Local Computer
Policy\Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive
Encryption\Operating System Drive
To use Startup Key you must also activate Allow BitLocker
without a compatible TPM in the Group Policy.
Note: If the logon mode that is currently active on the system
is an allowed fallback logon mode, the logon mode set here is
not enforced.
BitLocker Fallback Logon Mode for Boot Volumes
If the setting defined as BitLocker Logon Mode for Boot Volumes
cannot be applied, SafeGuard Enterprise offers the following
alternatives for logon:
Password: The user will be required to enter a password.
Startup Key: The key for logon is stored on a USB memory
stick.
Password or Startup Key: USB memory sticks will be used
only if passwords are not supported on the client operating
system.
Error: An error message will be displayed and the volume will
not be encrypted.
Note: In the case of clients with version 6.1 or earlier the values
Password or Startup Key and Password will be mapped to
the old settings USB Memory Stick and Error.
Note: Passwords are only supported on Windows 8 or later.
BitLocker Logon Mode for Non-Boot Volumes
For non-boot volumes (fixed data drives) the following options are
available:
Auto-Unlock: If the boot volume is encrypted, an external key
is created and stored on the boot volume. The non-boot
volume(s) will then be encrypted automatically. They will be
unlocked automatically using the auto-unlock functionality
provided by BitLocker. Note that auto-unlock works only if the
boot volume is encrypted. Otherwise the fallback mode will be
used.
Password: The user will be prompted to enter a password for
each non-boot volume.
Startup Key: The keys for unlocking the non-boot volumes are
stored on a USB stick.
Note: Clients with version 6.1 or earlier ignore this policy setting
and they use the values defined for the logon mode for boot
volumes instead. As the TPM cannot be used for non-boot
volumes, USB memory stick or an error message will be used
in such cases.
Note: Passwords are only supported on Windows 8 or later.
Note: If the logon mode that is currently active on the system
is an allowed fallback logon mode, the logon mode set here is
not enforced.
BitLocker Fallback Logon Mode for Non-Boot Volumes
If the setting defined as BitLocker Logon Mode for Non-Boot
Volumes cannot be applied, SafeGuard Enterprise offers the
following alternatives:
Password: The user will be prompted to enter a password for
each non-boot volume.
Startup Key: The keys are stored on a USB memory stick.
Password or Startup Key: USB memory sticks will be used
only if passwords are not supported on the client operating
system.
Note: Clients with version 6.1 or earlier ignore this policy
setting. They instead use the values defined for the fallback
logon mode for boot volumes. As they cannot handle
passwords, USB memory stick or error message will be used
instead.
Note: Passwords are only supported on Windows 8 or later.
FAILED LOGONS
Maximum no. of failed logons
Determines how many times a user can attempt to log on using an
invalid user name or password. After incorrectly entering a user
name or password three times in a row for instance, a fourth attempt
will lock the computer.
Display "Logon failed" messages in POA
Defines the level of detail for messages on failed logons:
Standard: Shows a short description.
Verbose: Displays more detailed information.
TOKEN OPTIONS
Action if token logon status is lost
Defines behavior after removing the token from the computer:
Possible actions include:
Lock Computer
Present PIN dialog
No Action
Allow unblocking of token
Determines whether the token may be unblocked at logon.
LOCK OPTIONS
Lock screen after X minutes inactivity
Determines the time after which an unused desktop is automatically
locked.
The default value is 0 minutes, and the desktop will not be locked
if this value is not changed.
Lock screen at token removal
Determines whether the screen is locked if a token is removed
during a session.
Lock screen after resume
Determines whether the screen is locked if the computer is
reactivated from standby mode.
20.3 Create forbidden PIN lists for use in policies
For policies of the type PIN a list of forbidden PINs can be created to define character sequences
which must not be used in PINs. PINs are used for token logon. For further information, see
Tokens and smartcards (page 202).
The text files containing the required information have to be created before you can register them
in the SafeGuard Management Center. The maximum file size for text files is 50 KB. SafeGuard
Enterprise only uses Unicode UTF-16 coded texts. If you create the text files in another format,
they will be automatically converted when they are registered.
Note: In the lists, forbidden PINs are separated by a line break.
To register text files:
1. In the policy navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents are displayed in the window on the right-hand side. The text item
can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this
button, a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
20.4 Syntax rules for PINs
In policies of the type PIN, you define settings for token PINs. These settings do not apply to PINs
used for logon at BitLocker encrypted endpoints. For more information on BitLocker PINs see
PIN and passwords (page 159).
PINs can contain numbers, letters and special characters (for example + - ; etc.). However, when
issuing a new PIN, do not use any character with the combination ALT + <character> as this
input mode is not available at SafeGuard Power-on Authentication.
Note: Define PIN rules either in the SafeGuard Management Center or in the Active Directory,
not both.
Policy Setting
Explanation
PIN
Min. PIN length
Specifies the number of characters a PIN must comprise when
changed by the user. The required value can be entered directly or
increased/reduced using the arrow buttons.
Max. PIN length
Specifies the maximum number of characters a PIN may comprise
when changed by a user. The required value can be entered directly
or increased/reduced using the arrow buttons.
Min. number of letters
These settings specify that a PIN must not consist exclusively of letters,
numbers or special characters, but of a combination of at least two
(for example 15flower). These settings only make sense if a minimum
PIN length of greater than 2 has been defined.
Min. number of digits
Min. number of special characters
Case sensitive
This setting is only effective with Use forbidden PIN list and User
name as PIN forbidden.
Example 1: You have entered "board" in the list of forbidden PINs. If
the Case sensitive option is set to Yes, additional PIN variants such
as BOARD, BoaRD will not be accepted and logon will be denied.
Example 2: "EMaier" is entered as a user name. If the Case sensitive
option is set to Yes and the User name as PIN forbidden option is
set to No, user EMaier cannot use any variant of this user name (for
example "emaier" or "eMaiER") as a PIN.
Keyboard row forbidden
Refers to keys arranged consecutively in rows on the keyboard such
as "123" or "qwe". A maximum of two adjacent characters on the
keyboard is allowed. Consecutive key sequences relate only to the
alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard
such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of two
adjacent symbols in a single keyboard column is permitted. If you
disallow keyboard columns, combinations like these are rejected as
PINs. Consecutive key sequences relate only to the alphanumerical
keyboard area.
3 or more consecutive characters forbidden
The activation of this option disallows key sequences
which are consecutive series of ASCII code symbols in both
ascending and descending order ("abc" or "cba").
which consist of three or more identical characters ("aaa" or "111").
User name as PIN forbidden
Determines whether user name and PIN may be identical.
Yes: Windows user name and PIN must be different.
No: Users may use their Windows user names as PINs.
Use forbidden PIN list
Determines whether certain character sequences must not be used
for PINs. The character sequences are stored in the List of forbidden
PINs (for example .txt file).
List of forbidden PINs
Defines character sequences which must not be used for PINs. If a
user uses a forbidden PIN, an error message will be displayed.
Prerequisite:
A list (file) of forbidden PINs must be registered in the Management
Center in the policies navigation area under Texts. The list is only
available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden PINs
In the list, forbidden PINs are separated by a line break.
Wildcard: Wildcard character "*" can represent any character and any
number of characters in a PIN. Therefore *123* means that any series
of characters containing 123 will be disallowed as a PIN.
Note:
If the list contains only a wildcard, the user will no longer be able
to log on to the system after a forced password change.
Users must not be permitted to access the file.
Option Use forbidden PIN list must be activated.
CHANGES
PIN change after min. (days)
Determines the period during which a PIN must not be changed. This
setting prevents the user from changing a PIN too many times within
a specific period.
Example:
User Miller defines a new PIN (for example "13jk56"). The minimum
change interval for this user (or group to which this user is assigned)
is set to five days. After two days the user wants to change the PIN
to "13jk56". The PIN change is rejected because Mr. Miller may only
define a new PIN after five days have passed.
PIN change after max. (days)
The user has to define a new PIN after the set period has expired. If
the period is set to 999 days, no PIN change is required.
Notify of forced change before (days)
A warning message is displayed "n" days before PIN expiry reminding
the user to change their PIN in "n" days. Alternatively, the user may
change the PIN immediately.
GENERAL
Hide PIN in POA
Specifies whether the digits entered are hidden when entering PINs.
If enabled, nothing is shown when PINs are entered in the POA.
Otherwise, PINs are shown masked with asterisks.
PIN history length
Determines when previously used PINs can be reused. It makes sense
to define the history length in conjunction with the PIN change after
max. (days) setting.
Example:
The PIN history length for user Miller is set to 4, and the number of
days after which the user must change their PIN is 30. Mr. Miller is
currently logging on using the PIN "Informatics". After the 30 day period
expires, he is asked to change his PIN. Mr. Miller types in "Informatics"
as the new PIN and receives an error message that this PIN has
already been used and he needs to select a new PIN. Mr. Miller cannot
use the PIN "Informatics" until after the fourth request to change the
PIN (in other words PIN history length = 4).
20.5 Create forbidden password list for use in policies
For policies of the type Password, a list of forbidden passwords can be created to define character
sequences which must not be used in passwords.
Note: In the lists, forbidden passwords are separated by line breaks.
The text files containing the required information have to be created before you can register them
in the SafeGuard Management Center. The maximum file size for text files is 50 KB. SafeGuard
Enterprise only uses Unicode UTF-16 coded texts. If you create the text files in another format,
they will be automatically converted when they are registered.
If a file is converted, a message is displayed.
To register text files:
1. In the policy navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
will be displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the policy navigation area. If you
select a text item, its contents are displayed in the window on the right-hand side. The text item
can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
Note: Using the Modify Text button, you can add new text to existing text. When clicking this
button, a dialog is displayed for selecting another text file. The text contained in this file is appended
to the existing text.
20.6 Syntax rules for passwords
In policies of the type Password, you define rules for passwords used to log on to the system.
These settings do not apply to passwords used for logon at BitLocker encrypted endpoints. For
more information on BitLocker passwords see PIN and passwords (page 159).
Passwords can contain numbers, letters and special characters (for example + - ; etc.). However,
when issuing a new password, do not use any character with the combination ALT + <character>
as this input mode is not available at SafeGuard Power-on Authentication. Rules for passwords
used to log on to the system are defined in policies of the type Password.
Note: To enforce a strong password policy, see Security best practices (page 11) as well as
the SafeGuard Enterprise manual for certification-compliant operation.
The enforcement of password rules and password history can only be guaranteed if the SGN
credential provider is used consistently. Define password rules either in the SafeGuard
Management Center or in the Active Directory, not both.
Policy setting
Explanation
PASSWORD
Min. password length
Specifies the number of characters a password must comprise
when changed by the user. The required value can be entered
directly or increased/reduced using the arrow buttons.
Max. password length
Specifies the maximum number of characters a password may
comprise when changed by a user. The required value can be
entered directly or increased/reduced using the arrow buttons.
Min. number of letters
These settings specify that a password must not consist exclusively
of letters, numbers or special characters, but of a combination of
at least two (for example 15flower). These settings only make sense
if a minimum password length of greater than 2 has been defined.
Min. number of digits
Min. number of special characters
Case sensitive
This setting is only effective with Use forbidden password list
and User name as password forbidden.
Example 1: You have entered "board" in the list of forbidden
passwords. If the Case sensitive option is set to Yes, additional
password variants such as BOARD, BoaRD will not be accepted
and logon will be denied.
Example 2: "EMaier" is entered as a user name. If the Case
sensitive option is set to Yes and the User name as password
forbidden option is set to No, user EMaier cannot use any variant
of this user name (for example "emaier" or "eMaiER") as a
password.
Keyboard row forbidden
Refers to keys arranged consecutively in rows on the keyboard
such as "123" or "qwe". A maximum of two adjacent characters on
the keyboard is allowed. Consecutive key sequences relate only
to the alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard
such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of
two adjacent symbols in a single keyboard column is permitted. If
you disallow keyboard columns, combinations like these are rejected
as passwords. Consecutive key sequences relate only to the
alphanumerical keyboard area.
3 or more consecutive characters forbidden
The activation of this option disallows key sequences
which are consecutive series of ASCII code symbols in both
ascending and descending order ("abc" or "cba").
which consist of three or more identical characters ("aaa" or
"111").
User name as password forbidden
Determines whether user name must not be used as a password.
Yes: Windows user name and password must be different.
No: Users may use their Windows user names as passwords.
Use forbidden password list
Determines whether certain character sequences must not be used
for passwords. The character sequences are stored in the List of
forbidden passwords (for example .txt file).
List of forbidden passwords
Defines character sequences which must not be used for
passwords. If a user uses a forbidden password, an error message
will be displayed.
A list (file) of forbidden passwords must be registered in the
SafeGuard Management Center in the policies navigation area
under Texts. The list is only available after registration.
Maximum file size: 50 KB
Supported format: Unicode
Defining forbidden passwords
In the list, forbidden passwords are separated by a line break.
Wildcard: The wildcard character "*" can represent any character
and any number of characters in a password. Therefore *123*
means that any series of characters containing 123 will be
disallowed as a password.
Note:
If the list contains only a wildcard, the user will no longer be
able to log on to the system after a forced password change.
Users must not be permitted to access the file.
Option Use forbidden password list must be activated.
User password synchronization to other SGN Clients
This field determines the procedure of synchronizing passwords
when users, who work on several SafeGuard Enterprise endpoints
and are defined as users on these endpoints, change their
passwords. The following options are available:
Slow (wait for user to log on)
If a user changes their password on a SafeGuard Enterprise
endpoint and intends to log on to another endpoint on which
the user is also registered, they have to log on using their old
password at the SafeGuard Power-on Authentication first.
Password synchronization will only be performed after logging
on using the old password first.
Fast (wait for machine to connect)
If a user changes their password on a SafeGuard Enterprise
endpoint, password synchronization with other endpoints, on
which the user is also registered, will be performed as soon as
the other endpoint has established a connection to the server.
This is for example the case, when another user, who is also
registered as a user on the endpoint, logs on to the endpoint in
the meantime.
CHANGES
Password change allowed after min. (days)
Determines the period during which a password may not be
changed. This setting prevents the user from changing a password
too many times within a specific period. If the user is forced to
change their password by Windows or if the user changes their
password after a warning message has been displayed stating that
the password will expire in x days, this setting will not be evaluated!
Example:
User Miller defines a new password (for example "13jk56"). The
minimum change interval for this user (or group to which this user
is assigned) is set to five days. After two days the user wants to
change the password to "13jk56". The password change is rejected
because user Miller may only define a new password after five days
have passed.
Password expires after (days)
If you set this option, the user has to define a new password after
the set period has expired.
Notify of forced change before (days)
A warning message is displayed "n" days before password expiry
reminding the user to change their password in "n" days.
Alternatively, the user may change the password immediately.
GENERAL
Hide password in POA
Specifies whether the characters entered are hidden when entering
passwords. If enabled, nothing is shown when passwords are
entered in the POA. Otherwise, passwords are shown masked with
asterisks.
Password history length
Determines when previously used passwords can be reused. It
makes sense to define the history length in conjunction with the
Password expires after (days) setting.
Example:
The password history length for user Miller is set to 4, and the
number of days after which the user must change their password
is 30. Mr. Miller is currently logging on using the password
"Informatics". After the 30 day period expires, he is asked to change
his password. Mr. Miller types in "Informatics" as the new password
and receives an error message that this password has already been
used and he needs to select a new password. Mr. Miller cannot
use the password "Informatics" until after the fourth request to
change the password (in other words password history length = 4).
Note: If you set the password history length to 0, the user can set
the old password as the new password. This is not good practice
and should be avoided.
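The password change rules of this table, worked through in Python as an added example (not SafeGuard Enterprise code). The policy fields mirror the settings above; the function names, the day counting as integers and the reading that an already expired password also skips the minimum change interval are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Settings from the Password policy table (field names are assumptions)."""
    min_change_days: int = 0      # Password change allowed after min. (days)
    expires_after_days: int = 0   # Password expires after (days); 0 = never (assumption)
    notify_before_days: int = 0   # Notify of forced change before (days)
    history_length: int = 0       # Password history length; 0 = old password reusable


def password_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """True once the 'Password expires after (days)' period has elapsed."""
    return policy.expires_after_days > 0 and days_since_change >= policy.expires_after_days


def expiry_warning(policy: PasswordPolicy, days_since_change: int) -> Optional[int]:
    """Days left to show in the 'expires in n days' warning, or None if no warning is due."""
    if policy.expires_after_days == 0:
        return None
    days_left = policy.expires_after_days - days_since_change
    if 0 < days_left <= policy.notify_before_days:
        return days_left
    return None


def evaluate_change(policy: PasswordPolicy, history: List[str], new_password: str,
                    days_since_change: int, forced_by_windows: bool = False) -> List[str]:
    """Return the reasons a password change is rejected (empty list = accepted).
    `history` holds the user's previous passwords, most recent last."""
    reasons: List[str] = []
    # The minimum change interval is not evaluated when Windows forces the change,
    # when the expiry warning is being shown, or (assumption) when the password has expired.
    forced = (forced_by_windows
              or expiry_warning(policy, days_since_change) is not None
              or password_expired(policy, days_since_change))
    if not forced and days_since_change < policy.min_change_days:
        reasons.append("minimum change interval not elapsed")
    # History length N blocks the last N passwords; with N = 0 the old password can be reused.
    if policy.history_length > 0 and new_password in history[-policy.history_length:]:
        reasons.append("password already used")
    return reasons
```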
20.7 Passphrase for SafeGuard Data Exchange
The user must enter a passphrase which is used to generate local keys for secure data exchange
with SafeGuard Data Exchange. The keys generated on the endpoints are also stored in the
SafeGuard Enterprise Database. In policies of the type Passphrase, you define the relevant
requirements.
For details of SafeGuard Data Exchange, see SafeGuard Data Exchange (page 181).
For further details of SafeGuard Data Exchange and SafeGuard Portable on the endpoint refer
to the SafeGuard Enterprise user help, chapter SafeGuard Data Exchange.
Policy Setting
Explanation
PASSPHRASE
Min. passphrase length
Defines the minimum number of characters for the passphrase from
which the key is generated. The required value can be entered directly
or increased/reduced using the arrow keys.
Max. passphrase length
Defines the maximum number of characters for the passphrase. The
required value can be entered directly or increased/reduced using
the arrow keys.
Min. number of letters
Min. number of digits
Min. number of special characters
These settings specify that a passphrase must not consist exclusively
of letters, numbers or symbols, but of a combination of at least two
(for example 15flower). These settings only make sense if a minimum
passphrase length of greater than 2 has been defined.
Case sensitive
This setting is effective when User name as passphrase forbidden
is active.
Example: "EMaier" is entered as a user name. If the option Case
sensitive is set to YES and User name as passphrase forbidden
is set to NO, user EMaier cannot use any variant of this user name
(for example emaier or eMaiER) as a passphrase.
Keyboard row forbidden
Refers to keys arranged consecutively in rows on the keyboard such
as "123" or "qwe". A maximum of two adjacent characters on the
keyboard is allowed. Consecutive key sequences relate only to the
alphanumerical keyboard area.
Keyboard column forbidden
Refers to keys arranged consecutively in columns on the keyboard
such as "xsw2" or "3edc" (but not "xdr5" or "cft6"!). A maximum of
two adjacent characters in a single keyboard column is permitted. If
you disallow keyboard columns, these combinations are rejected for
passphrases. Consecutive key sequences relate only to the
alphanumerical keyboard area.
3 or more consecutive characters forbidden
Activating this option disallows key sequences
■
which are consecutive series of ASCII code symbols in both
ascending and descending order ("abc" or "cba").
■
which consist of three or more identical characters ("aaa" or
"111").
User name as passphrase forbidden
Determines whether the user name and passphrase may be identical.
Yes: Windows user name and passphrase must be different.
No: Users may use their Windows user names as passphrases.
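The passphrase rules of this table, implemented as a checker in Python (an added example, not SafeGuard Enterprise code). It assumes a US QWERTY layout for the keyboard row and column rules, rejects row and column runs in either direction, and reads the Case sensitive option as in the EMaier example above (when on, every case variant of the user name is rejected); the policy fields and function names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Alphanumerical area of a US QWERTY keyboard (assumption; the page names no layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Columns are the keys at equal positions across the rows: "1qaz", "2wsx", "3edc", ...
KEYBOARD_COLUMNS = [
    "".join(row[i] for row in KEYBOARD_ROWS if i < len(row)) for i in range(10)
]
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass
class PassphrasePolicy:
    """Settings from the Passphrase policy table (field names are assumptions)."""
    min_length: int = 8
    max_length: int = 64
    min_letters: int = 0
    min_digits: int = 0
    min_special: int = 0
    keyboard_row_forbidden: bool = True
    keyboard_column_forbidden: bool = True
    consecutive_forbidden: bool = True   # "3 or more consecutive characters forbidden"
    user_name_forbidden: bool = True     # "User name as passphrase forbidden"
    case_sensitive: bool = True


def _has_keyboard_run(text: str, lines: List[str], run: int = 3) -> bool:
    """True if `run` adjacent characters of `text` lie consecutively on one
    keyboard row or column (checked forwards and backwards, so "xsw2" matches "2wsx")."""
    lowered = text.lower()
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        for line in lines:
            if chunk in line or chunk in line[::-1]:
                return True
    return False


def _has_ascii_run(text: str, run: int = 3) -> bool:
    """True if `run` characters form an ascending ("abc"), descending ("cba")
    or identical ("aaa", "111") series of ASCII codes."""
    for i in range(len(text) - run + 1):
        codes = [ord(c) for c in text[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_passphrase(passphrase: str, policy: PassphrasePolicy,
                     user_name: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the passphrase is accepted."""
    violations: List[str] = []
    if len(passphrase) < policy.min_length:
        violations.append("shorter than Min. passphrase length")
    if len(passphrase) > policy.max_length:
        violations.append("longer than Max. passphrase length")
    if sum(c.isalpha() for c in passphrase) < policy.min_letters:
        violations.append("too few letters")
    if sum(c.isdigit() for c in passphrase) < policy.min_digits:
        violations.append("too few digits")
    if sum(c in SPECIAL for c in passphrase) < policy.min_special:
        violations.append("too few special characters")
    if policy.keyboard_row_forbidden and _has_keyboard_run(passphrase, KEYBOARD_ROWS):
        violations.append("keyboard row sequence")
    if policy.keyboard_column_forbidden and _has_keyboard_run(passphrase, KEYBOARD_COLUMNS):
        violations.append("keyboard column sequence")
    if policy.consecutive_forbidden and _has_ascii_run(passphrase):
        violations.append("3 or more consecutive characters")
    if policy.user_name_forbidden and user_name is not None:
        # Reading of the EMaier example: Case sensitive = Yes rejects every case variant.
        if policy.case_sensitive:
            same = passphrase.lower() == user_name.lower()
        else:
            same = passphrase == user_name
        if same:
            violations.append("passphrase equals user name")
    return violations
```

Note that the row rule also catches "wer" inside an ordinary word such as "15flower", which the letters/digits example above does not mention.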
20.8 White Lists for Device Protection policies for file-based
encryption
In the SafeGuard Management Center, you can select White Lists as targets for policies of the
type Device Protection for file-based encryption. This allows you to create encryption policies
for specific device models or even for distinct devices.
Before you select a White List as a target for a Device Protection policy, you have to create and
register it in the SafeGuard Management Center. You can define White Lists for specific storage
device models (for example iPod, USB devices from a specific vendor etc.) or for distinct storage
devices according to serial number. You can add the devices to White Lists manually or use the
results of a SafeGuard PortAuditor scan. For further information, refer to the SafeGuard PortAuditor
user guide.
Afterwards, you can select the White List as a target when you create a Device Protection policy.
Note: If you select a White List as a target for a policy of the type Device Protection, you can
only select File-Based or No Encryption as the Media encryption mode. If you select No
Encryption for a Device Protection policy with a White List, this policy does not exclude a device
from encryption, if another policy applies that specifies volume-based encryption.
Note: For SafeStick devices from BlockMaster special requirements apply. These devices have
different IDs for administrators and users without administrator privileges. For consistent handling
within SafeGuard Enterprise, you must add both IDs to White Lists. SafeGuard PortAuditor detects
both IDs, if a SafeStick device has been opened at least once on the computer scanned by
SafeGuard PortAuditor.
20.8.1 Create White Lists for Device Protection policies for file-based encryption
1. In the Policies navigation area, select White List.
2. In the context menu of White List, click New > White List.
3. Select the White List type:
■
To create a White List for specific device models, select Storage Device Models.
■
To create a White List for specific devices according to serial number, select Distinct
Storage Devices.
4. Under Source of White List, specify how you want to create the White List:
■
To enter devices manually, select Create White List manually.
When you click OK, an empty White List is opened in the SafeGuard Management Center.
In this empty White List, you can create entries manually. To add a new entry, click the
green Add (Insert) icon in the SafeGuard Management Center toolbar.
Note: To retrieve the relevant strings for a device with the Windows Device Manager, open
the Properties window for the device and look at the values for the Hardware Ids and
Device Instance Path properties. Only the following interfaces are supported: USB, 1394,
PCMCIA and PCI.
■
If you want to use the result of a scan of endpoints by SafeGuard PortAuditor as a source,
select Import from SafeGuard PortAuditor Result.
The results of the SafeGuard PortAuditor scan have to be available (XML file), if you want
to create the White List based on this source. To select the file, click the [...] button.
For further information refer to the SafeGuard PortAuditor user guide.
Click OK to display the contents of the imported file in the SafeGuard Management Center.
The White List is displayed under White Lists in the Policies navigation area. You can select it
when you create policies of the type Device Protection for file-based encryption.
20.8.2 Select White Lists as targets for Device Protection policies for file-based
encryption
Prerequisite: The required White List must have been created in the SafeGuard Management
Center.
1. In the navigation area of the SafeGuard Management Center, click Policies.
2. In the navigation window, right-click Policy Items and select New.
3. Select Device Protection.
A dialog for naming the new policy is displayed.
4. Enter a name and optionally a description for the new policy.
5. Under Device protection target, select the relevant White List:
■
If you have created a White List for storage device models, it is displayed under Storage
Device Models.
■
If you have created a White List for distinct storage devices, it is displayed under Distinct
Storage Devices.
6. Click OK.
The White List has been selected as a target for the Device Protection policy. After the policy
has been transferred to the endpoint, the encryption mode selected in the policy applies.
20.9 Device Protection
Policies of the type Device Protection cover the settings for data encryption on different data
storage devices. Encryption can be volume- or file-based with different keys and algorithms.
Policies of the type Device Protection also include settings for SafeGuard Data Exchange,
SafeGuard Cloud Storage and SafeGuard Portable. For further information on SafeGuard Data
Exchange, see SafeGuard Data Exchange (page 181). For further information on SafeGuard Cloud
Storage, see Cloud Storage (page 190). For further details on SafeGuard Data Exchange,
SafeGuard Cloud Storage and SafeGuard Portable on the endpoint, refer to the SafeGuard
Enterprise user help.
When creating a policy for device protection, you first have to specify the target for device
protection. Possible targets are:
■
Mass storage (boot volumes/other volumes)
■
Removable media
■
Optical drives
■
Storage device models
■
Distinct storage devices
■
Cloud Storage definitions
For each target, create a separate policy.
Note: Target removable media: A policy that specifies volume-based encryption of removable
drives and allows the user to choose a key from a list (for example Any key in user key ring)
can be circumvented by the user by not choosing a key. To make sure that removable drives are
always encrypted, either use a file-based encryption policy, or explicitly set a key in the
volume-based encryption policy.
Policy Setting
Explanation
Media encryption mode
Used to protect devices (PCs, notebooks and so on) and all types of
removable media.
Note: This setting is mandatory.
The primary objective is to encrypt all data stored on local or external
storage devices. The transparent operating method enables users to
continue to use their usual applications, for example Microsoft Office.
Transparent encryption means that all encrypted data (whether in
encrypted directories or volumes) is automatically decrypted in the
main memory as soon as it is opened in a program. A file is
automatically re-encrypted when it is saved.
The following options are available:
No encryption
Volume-based (= transparent, sector-based encryption)
Ensures that all data is encrypted (incl. boot files, swapfiles, idle
files/hibernation files, temporary files, directory information etc.)
without the user having to change normal operating procedures
or consider security.
File-based (= transparent, file-based encryption, Smart Media
Encryption)
Ensures that all data is encrypted (apart from Boot Medium and
directory information) with the benefit that even optical media such
as CD/DVD can be encrypted or data can be swapped with external
computers on which SafeGuard Enterprise is not installed (provided
policies permit).
Note: For policies with White Lists, only No encryption or File-based
can be selected.
GENERAL SETTINGS
Algorithm to be used for
encryption
Sets the encryption algorithm.
List of all usable algorithms with respective standards:
AES256: 32 bytes (256 bits)
AES128: 16 bytes (128 bits)
Key to be used for encryption
Defines which key is used for encryption. You can define specific keys
(for example machine key or a defined key) or you can allow the user
to select a key. You can also restrict the keys which a user is allowed
to use.
The following options are available:
Any key in user key ring
All keys from a user's key ring are displayed and the user can
select any one of them.
Note: This option has to be selected, if you define a policy for
file-based encryption for an unmanaged endpoint protected by
SafeGuard Enterprise (standalone).
Any key in user key ring, except user key
All except user keys from a user's key ring are displayed and the
user can select any one of them.
Any group key in user key ring
All group keys from a user's key ring are displayed and the user
can select any one of them.
Defined machine key
The machine key is used - the user CANNOT select a key
Note: This option has to be selected, if you define a policy for
volume-based encryption for an unmanaged endpoint protected
by SafeGuard Enterprise (standalone mode). If you nevertheless
select Any key in user key ring and the user selects a locally
created key for volume-based encryption, access to this volume
will be denied.
Any key in key ring, except locally created keys
All except locally generated keys from a key ring are displayed
and the user can select any one of them.
Defined key on list
The administrator can select any available key when setting policies
in the Management Center.
The key has to be selected under Defined key for encryption.
If the option Defined machine key is used:
If only SafeGuard Data Exchange is installed on an endpoint (no
SafeGuard POA, no volume-based encryption), a policy defining the
Defined machine key as the key to be used for file-based encryption
will not become effective on this endpoint. The defined machine key
is not available on an endpoint of this type. The data cannot be
encrypted.
Policies for unmanaged endpoint protected by SafeGuard Enterprise
(standalone):
Note: Only the Any key in user key ring option can be
used when creating policies for unmanaged endpoint computers. In
addition, creating local keys must be allowed for this type of endpoint
computer.
If the media passphrase feature is activated for unmanaged endpoints,
the Media Encryption Key is automatically used as Defined key for
encryption, since no group keys are available on unmanaged
endpoints. Selecting another key under Defined key for encryption
when creating a removable media policy for unmanaged endpoints
will have no effect.
Defined key for encryption
This field only becomes active, if you have selected the option Defined
key on list in the Key to be used for encryption field. Click [...] to
display the Find Keys dialog. Click Find now, to search for keys and
select a key from the list displayed.
In case of a policy of the type Device protection with target
Removable Media this key is used to encrypt the Media Encryption
Key when the media passphrase functionality is enabled (User may
define a passphrase for devices set to Yes).
For Device Protection policies for removable media the settings
Key to be used for encryption
Defined key for encryption
therefore must be specified independently from each other.
Policies for unmanaged endpoints protected by SafeGuard
Enterprise (standalone):
If the media passphrase feature is activated for unmanaged endpoints,
the Media Encryption Key is automatically used as Defined key for
encryption, since no group keys are available on unmanaged
endpoints.
User is allowed to create a local key
This setting determines whether users can generate a local key on
their computers or not.
Local keys are generated on the endpoint based on a passphrase
entered by the user. The passphrase requirements can be set in
policies of the type Passphrase.
These keys are also saved in the database. The user can use them
on any endpoint they are logged on to.
Local keys can be used for secure data exchange with SafeGuard
Data Exchange (SG DX).
VOLUME-BASED SETTINGS
Users may add or remove keys
to or from encrypted volume
Yes: Endpoint users may add/remove keys to/from a key ring. The
dialog is displayed from the context menu command
Properties/Encryption tab.
No: Endpoint users may not add additional keys.
Reaction to unencrypted
volumes
Defines how SafeGuard Enterprise handles unencrypted media.
The following options are available:
Reject (= the medium is not encrypted)
Accept only blank media and encrypt
Accept all media and encrypt
User may decrypt volume
Allows the user to decrypt the volume with a context menu command
in Windows Explorer.
Fast initial encryption
Select this setting to enable the fast initial encryption mode for
volume-based encryption. This mode reduces the time needed for
initial encryption on endpoints.
Note: This mode may lead to a less secure state. For further
information, see Fast initial encryption (page 156).
Proceed on bad sectors
Specifies whether encryption should proceed or be stopped if bad
sectors are detected. The default setting is Yes.
FILE-BASED SETTINGS
Initial encryption of all files
Automatically starts initial encryption for a volume after user logon.
The user may need to select a key from the key ring beforehand.
User may cancel initial
encryption
Enables the user to cancel initial encryption.
User is allowed to access
unencrypted files
Defines whether a user may access unencrypted data on a volume.
User may decrypt files
Enables the user to decrypt individual files or whole directories (with
the Windows Explorer extension <right-click>).
User may define a media
passphrase for devices
Enables the user to define a media passphrase on their computers.
The media passphrase makes it possible to easily access all local
keys used on computers without SafeGuard Data Exchange with
SafeGuard Portable.
Copy SG Portable to target
Removable media and Cloud Storage only:
If this option is selected, SafeGuard Portable is copied to any
removable media connected to the endpoint and any synchronization
folder defined in a Cloud Storage Definition for SafeGuard Cloud
Storage as soon as content is written to the encrypted media or folder.
SafeGuard Portable enables the exchange of encrypted data with
removable media or cloud storage without the recipient having
SafeGuard Enterprise installed.
The recipient can decrypt and re-encrypt the encrypted files using
SafeGuard Portable and the corresponding passphrase. The recipient
can re-encrypt files with SafeGuard Portable or use the original key
for encryption.
SafeGuard Portable does not have to be installed or copied to the
recipient's computer but can be used directly from the removable
media or cloud storage synchronization folder.
Default initial encryption key
This field offers a dialog for selecting a key which is used for file-based
initial encryption. If you select a key here, the user cannot select a key
when initial encryption starts. Initial encryption starts without user
interaction.
The key selected will always be used for initial encryption.
Example:
Prerequisite: A default key for initial encryption has been set.
When the user connects a USB device to the computer, initial
encryption automatically starts. The key defined is used. The user
does not have to interfere. If the user afterwards wants to re-encrypt
files or save new files on the USB device, they can select any key (if
allowed and available). If the user connects a different USB device,
the key defined for initial encryption will be used again. This key will
also be used for all encryption processes that follow until the user
explicitly selects a different key.
Note: If the media passphrase feature is activated, this option will be
deactivated. The Defined key for encryption will be used.
Plaintext folder
The folder specified here will be created on all removable media, mass
storage devices and cloud storage synchronization folder. Files that
are copied to this folder will always stay plaintext.
User is allowed to decide about
encryption
You can allow the user to decide about encryption of files on removable
media and mass storage devices:
If you set this option to Yes, users are prompted to decide whether
data should be encrypted. For mass storage devices, the prompt
is displayed after each logon, for removable media the prompt is
displayed when they plug in removable media.
If you set this option to Yes, remember user settings, users can
select the option Remember this setting and do not show this
dialog again to have their choice remembered for the relevant
device. In this case, the dialog will not be displayed for the relevant
device again.
If the user selects No in the dialog displayed on the endpoint, neither
initial nor transparent encryption occurs.
20.10 Specific machine settings - basic settings
Policy Settings
Explanation
POWER-ON AUTHENTICATION (POA)
Enable Power-on Authentication
Defines whether the SafeGuard POA is switched on
or off.
Important: For security reasons we strongly
recommend that you keep the SafeGuard POA
switched on. Deactivating the SafeGuard POA
reduces the system security to Windows logon
security and increases the risk of unauthorized
access to encrypted data.
Access denied if no connection to the server
(days) (0 = no check)
Refuses SafeGuard POA logon if there was no
connection between endpoint and server for longer
than the set period.
SECURE WAKE ON LAN (WOL)
With Secure Wake on LAN (WOL) settings you can
prepare endpoints for software rollouts. If the
relevant Wake on LAN settings apply to endpoints,
the necessary parameters (for example SafeGuard
POA deactivation and a time interval for Wake on
LAN) are transferred directly to the endpoints where
parameters are analyzed.
Important: Deactivating the SafeGuard POA - even
for a limited number of boot processes - reduces the
security of your system!
For further information on Secure Wake on LAN,
see Secure Wake on LAN (WOL) (page 218).
Number of auto logons
Defines the number of restarts while SafeGuard
Power-on Authentication is switched off for Wake
on LAN.
This setting temporarily overwrites the Enable
Power-on Authentication setting until the automatic
logons reach the preset number. SafeGuard
Power-on Authentication is then reactivated.
If you set the number of automatic logons to two and
Enable Power-on Authentication is active, the
endpoint starts twice without authentication through
the SafeGuard POA.
For Wake on LAN, we recommend that you allow
three more restarts than necessary for your
maintenance operations to overcome any
unforeseen problems.
Allow local Windows logon during WOL
Determines whether local Windows logons are
permitted during Wake on LAN.
Start of time slot for external WOL start
End of time slot for external WOL start
Date and time can be either selected or entered for
the start and end of the Wake on LAN (WOL).
Date format: MM/DD/YYYY
Time format: HH:MM
The following input combinations are possible:
Defined start and end of WOL.
End of WOL is defined, start is open.
No entries: no time interval has been set.
For a planned software rollout, you should set the
time frame for the WOL such that the scheduling
script can be started early enough to allow all
endpoints sufficient time for starting.
WOLstart: The starting point for the WOL in the
scheduling script must be within the time interval set
in the policy. If no interval is defined, WOL is not
locally activated on the SafeGuard Enterprise
protected endpoint. WOLstop: This command is
carried out irrespective of the final point set for the
WOL.
USER MACHINE ASSIGNMENT (UMA)
Forbid SGN Guest user to logon
Note: This setting only applies to managed
endpoints.
Defines whether guest users can log on to Windows
on the endpoint.
Note: Microsoft accounts are always handled as
SafeGuard Enterprise guest users.
Allow registration of new SGN users for
Defines who is able to import another SGN user into
the SafeGuard POA and/or UMA (by disabling the
pass-through to the operating system).
Note: For endpoints that do not have the Device
Encryption module installed the Allow registration
of new SGN users for setting must be set to
Everybody if it should be possible on the endpoint
to add more than one user to the UMA with access
to their key ring. Otherwise users can only be added
in the Management Center. This setting is only
evaluated on managed endpoints. See also New
SafeGuard Enterprise Data Exchange users do not
receive a certificate after logon on SafeGuard
Enterprise Data Exchange only clients.
Enable registration of SGN Windows Users
Defines whether SGN Windows users can be
registered on the endpoint. An SGN Windows user
is not added to the SafeGuard POA, but has a key
ring for accessing encrypted files, just as an SGN
user. If you select this setting, all users that would
otherwise have become SGN guest users will
become SGN Windows users. The users are added
to the UMA as soon as they have logged on to
Windows.
Enable manual UMA cleanup for standalone endpoints
Note: This setting only applies to unmanaged
endpoints.
Defines whether users may delete SGN users and
SGN Windows users from the User Machine
Assignment. If you select Yes, the command User
Machine Assignments is available from the system
tray icon menu on the endpoint. This command
shows a list of users who can log on at the
SafeGuard Power-on Authentication as SGN users
and at Windows as SGN Windows users. In the
dialog displayed, users can be removed from the
list. After SGN users or SGN Windows users have
been removed, they can no longer log on at the
SafeGuard Power-on Authentication or at Windows.
Maximum number of SGN Windows users before automatic cleanup
Note: This setting only applies to managed endpoints.
With this setting you can activate an automatic
cleanup of SafeGuard Enterprise Windows users on
managed endpoints. As soon as the threshold you
set here is exceeded by one SafeGuard Enterprise
Windows user, all existing SafeGuard Enterprise
Windows users except the new one are removed
from the User Machine Assignment. The default
value is 10.
DISPLAY OPTIONS
Display machine identification
Displays either the computer name or a defined text
in the SafeGuard POA title bar.
If the Windows network settings include the computer
name, this is automatically incorporated into the
basic settings.
Machine identification text
The text to be displayed in the SafeGuard POA title
bar.
If you have selected Defined name in the Display
machine identification field, you can enter the text
in this input field.
Display legal notice
Displays a text box with a configurable content which
is displayed before authentication in the SafeGuard
POA. In some countries a text box with certain
content must be displayed by law.
The box needs to be confirmed by the user before
the system continues.
Before you specify a text, the text has to be
registered as a text item under Texts in the Policies
navigation area.
Legal notice text
The text to be displayed as a legal notice.
In this field, you can select a text item registered
under Texts in the Policies navigation area.
Display additional information
Displays a text box with a configurable content which
appears after the legal notice (if activated).
You can define whether the additional information
is displayed
Never
Every system start
Every logon
Before you specify a text, the text has to be
registered as a text item under Texts in the Policies
navigation area.
Additional information text
The text to be displayed as additional information.
In this field, you can select a text item registered
under Texts in the Policies navigation area.
Show for (sec.)
In this field you can define how long (in seconds)
additional information is to be displayed.
You can specify the number of seconds after which
the text box for additional information is closed
automatically. The user can close the text box at any
time by clicking OK.
Enable and show the system tray icon
The SafeGuard Enterprise System Tray Icon allows
the user to access all user functions quickly and
easily on the endpoint. In addition, information about
the endpoint status (new policies received etc.) can
be displayed in balloon tool tips.
Yes:
The system tray icon is displayed in the information
area of the taskbar and the user is continually
informed through balloon tool tips about the status
of the SafeGuard Enterprise protected endpoint.
No:
The system tray icon is not displayed. No status
information for the user by balloon tool tips.
Silent:
The system tray icon is displayed in the information
area of the taskbar but there is no status information
for the user through balloon tool tips.
Show overlay icons in Explorer
Defines whether Windows key symbols will be shown
to indicate the encryption status of volumes, devices,
folders and files.
Virtual Keyboard in POA
Defines whether a virtual keyboard can be shown
on request in the SafeGuard POA dialog for entering
the password.
INSTALLATION OPTIONS
Uninstallation allowed
Determines whether uninstallation of SafeGuard
Enterprise is allowed on the endpoints. When
Uninstallation allowed is set to No, SafeGuard
Enterprise cannot be uninstalled, even by a user
with administrator rights, while this setting is active
within a policy.
Enable Sophos tamper protection
Activates/deactivates Sophos Tamper Protection. If
you have allowed uninstallation of SafeGuard
Enterprise in the policy setting Uninstallation
allowed, you can set this policy setting to Yes, to
ensure that uninstallation attempts are checked by
Sophos Tamper Protection to prevent casual removal
of the software.
If Sophos Tamper Protection does not allow
uninstallation, any uninstallation attempts will be
canceled.
If Enable Sophos Tamper Protection is set to No,
uninstallation of SafeGuard Enterprise will not be
checked or prevented by Sophos Tamper Protection.
Note: This setting only applies to endpoints using
Sophos Endpoint Security and Control from version
9.5.
CREDENTIAL PROVIDER SETTINGS
Credential Provider Wrapping
You can configure SafeGuard Enterprise to use a
different Credential Provider than the Windows
Credential Provider. Templates for supported
Credential Providers can be downloaded from
Sophos.com. For a list of templates for tested
Credential Providers and the download location,
contact Sophos support.
You can import a template and deploy it to endpoints
by using the Credential Provider policy setting. To
do so, click Import template and browse for the
template file. The imported template and its content
are displayed in the Credential Provider multiline
field and set as policy.
To remove a template, click Clear template.
Note: Do not edit the template files provided. If the
XML structure of these files is changed, the settings
may not be recognized on the endpoint and the
default Windows Credential Provider may be used
instead.
TOKEN SUPPORT SETTINGS
Token middleware module name
Registers the PKCS#11 Module of a token.
The following options are available:
ActiveIdentity ActivClient
ActiveIdentity ActivClient (PIV)
AET SafeSign Identity Client
Aladdin eToken PKI Client
a.sign Client
ATOS CardOS API
Charismatics Smart Security Interface
Estonian ID-Card
Gemalto Access Client
Gemalto Classic Client
Gemalto .NET Card
IT Solution trustware CSP+
Módulo PKCS#11 TC-FNMT
Nexus Personal
RSA Authentication Client 2.x
RSA Smart Card Middleware 3.x
Siemens CardOS API
T-Systems NetKey 3.0
Unizeto proCertum
Custom PKCS#11 settings...
If you select Custom PKCS#11 settings... the
Custom PKCS#11 settings are enabled.
You can then enter the module names to be
used:
PKCS#11 module for Windows
PKCS#11 module for SafeGuard Power-on
Authentication
Note: If you install Nexus Personal or Gemalto
.NET Card middleware, you also need to add their
installation path to the PATH environment variable
of your computer's System Properties.
Default installation path for Gemalto .NET Card:
C:\Program Files\Gemalto\PKCS11 for .NET V2 smart cards
Default installation path for Nexus Personal:
C:\Program Files\Personal\bin
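The PATH change above has to be made to the machine-wide value, not to the PATH of the current session, or the SafeGuard client service will not see it. The following script is an added example and not part of the SafeGuard Enterprise documentation; it appends a middleware directory to the machine PATH only if it is not already there. The directory used is the documented default for Nexus Personal; the parameter name is this example's own.

```powershell
# Added example (not part of the SafeGuard Enterprise documentation): append a token
# middleware directory to the machine-wide PATH so that the PKCS#11 module and the DLLs
# it depends on can be loaded at logon. Default shown is the documented Nexus Personal
# path; pass -MiddlewareDir for Gemalto .NET Card or a non-default installation.
# Requires an elevated (administrator) PowerShell session.

param(
    [string]$MiddlewareDir = 'C:\Program Files\Personal\bin'
)

if (-not (Test-Path -LiteralPath $MiddlewareDir)) {
    throw "Middleware directory not found: $MiddlewareDir (is the middleware installed?)"
}

# Read the persistent machine-scope value. $env:PATH is only this process's copy and
# changing it would not survive a logoff, let alone reach services.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$target      = $MiddlewareDir.TrimEnd('\')
$entries     = $machinePath -split ';' |
               Where-Object { $_ -ne '' } |
               ForEach-Object { $_.TrimEnd('\') }

# -contains compares strings case-insensitively, so "c:\program files\personal\bin" matches.
if ($entries -contains $target) {
    Write-Host "Already present in machine PATH: $target"
} else {
    $newPath = ($entries + $target) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
    Write-Host "Appended to machine PATH: $target"
}

# New processes pick the value up immediately; the SafeGuard client service and the
# Windows logon session see it after a restart. Verify from a fresh elevated session:
#   ([Environment]::GetEnvironmentVariable('Path','Machine') -split ';') -contains $MiddlewareDir
```

Restart the endpoint after the change so that the Credential Provider and the SafeGuard services are started with the updated environment.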
Licenses:
Note that the use of the respective middleware for
the standard operating system requires a license
agreement with the relevant manufacturer. For
information on where to obtain the licenses from,
see How to obtain the necessary middleware
licenses for the operating system, as required by
SafeGuard Device Encryption.
For Siemens licenses contact:
Atos IT Solutions and Services GmbH
Otto-Hahn-Ring 6
D-81739 Muenchen
Germany
Services to wait for
This setting is used for problem solving with specific
tokens. Our Support team will provide corresponding
settings as required.
20.11 Logging for Windows endpoints
Events for SafeGuard Enterprise can be logged in the Windows Event Viewer or in the SafeGuard
Enterprise Database. To specify the events to be logged and their destination, create a policy of
the type Logging and select the required events by clicking on them.
Many different events from different categories (for example Authentication, Encryption, etc.) are
available for selection. We recommend that you define a strategy for logging, and determine the
events necessary according to reporting and auditing requirements.
For further information, see Reports (page 255).
21 Disk encryption
This version of SafeGuard Enterprise supports Windows 7 and Windows 8 on endpoints with
BIOS or UEFI.
■
For BIOS platforms you can choose between SafeGuard Enterprise full disk encryption and
BitLocker encryption managed by SafeGuard. The BIOS version comes with the BitLocker
native recovery mechanism.
Note: If SafeGuard Power-on Authentication or SafeGuard full disk encryption is mentioned
in this manual, it refers to Windows 7 BIOS endpoints only.
■
For UEFI platforms, use BitLocker managed by SafeGuard Enterprise for disk encryption. For
these endpoints SafeGuard Enterprise offers enhanced Challenge/Response capabilities. For
details on the supported UEFI versions and restrictions to SafeGuard BitLocker
Challenge/Response support, please see the Release Notes at
http://downloads.sophos.com/readmes/readsgn_7_eng.html.
Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
The table shows which components are available.
Columns:
(1) SafeGuard disk encryption with SafeGuard Power-on Authentication (POA)
(2) SafeGuard Power-on Authentication (POA) with C/R Recovery
(3) BitLocker with pre-boot authentication (PBA) managed by SafeGuard
(4) SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA)

                  (1)    (2)    (3)    (4)
Windows 7 BIOS    YES    YES    YES    -
Windows 7 UEFI    -      -      YES    YES
Windows 8 BIOS    -      -      YES    -
Windows 8 UEFI    -      -      YES    YES
21.1 SafeGuard full disk encryption
The core of SafeGuard Enterprise is the encryption of data on different data storage devices. Full
disk encryption can be volume- or file-based with different keys and algorithms.
Files are encrypted transparently. When users open, edit and save files, they are not prompted
for encryption or decryption.
As a security officer, you specify the settings for encryption in a security policy of the type Device
Protection. For further information, see Working with policies (page 83), and see Device Protection
(page 141).
Note: The full disk encryption functionality described in the following sections can only be used
with Windows 7 BIOS-based systems. If you use other systems such as UEFI or Windows 8,
make use of the integrated Windows BitLocker Drive Encryption functionality. For more information
refer to BitLocker Drive Encryption (page 158).
21.1.1 Volume-based full disk encryption
With volume-based full disk encryption, all data on a volume (including boot files, pagefiles,
hibernation files, temporary files, directory information etc.) are encrypted. Users do not have to
change normal operating procedures or consider security.
To apply volume-based encryption to endpoints, create a policy of the type Device Protection
and set the Media encryption mode to Volume-based. For further information, see Device
Protection (page 141).
Note:
■
Volume-based encryption/decryption is not supported for drives without a drive letter assigned.
■
If an encryption policy exists for a volume or a volume type and encryption of the volume fails,
the user is not allowed to access it.
■
Endpoints can be shut down and restarted during encryption/decryption.
■
If decryption is followed by an uninstallation, we recommend that the endpoint is not suspended
or hibernated during decryption.
■
If after volume encryption a new policy is applied to an endpoint computer that allows decryption,
the following applies: After a complete volume-based encryption, the endpoint computer must
be restarted at least once before decryption can be started.
Note:
In contrast to SafeGuard BitLocker Drive Encryption, SafeGuard volume-based encryption does
not support GUID partition table (GPT) disks. Installation is aborted if such a disk is found.
If a GPT disk is added to the system later, the volumes on that disk will be encrypted, but
the SafeGuard recovery tools (such as BE_Restore.exe and recoverkeys.exe) cannot handle such
volumes. Sophos therefore strongly recommends that GPT disks are not encrypted. To decrypt
volumes that were encrypted by mistake, change your SafeGuard Enterprise policies accordingly
and have the user decrypt them.
21.1.1.1 Fast initial encryption
SafeGuard Enterprise offers fast initial encryption as a special mode for volume-based encryption.
It reduces the time needed for initial encryption (or final decryption) of volumes on endpoints by
accessing only disk space that is actually in use.
For fast initial encryption, the following prerequisites apply:
■
Fast initial encryption only works on NTFS-formatted volumes.
■
NTFS-formatted volumes with a cluster size of 64 KB cannot be encrypted with the fast initial
encryption mode.
Note: This mode leads to a less secure state if a disk has been used before its current usage
with SafeGuard Enterprise. Unused sectors may still contain data. Fast initial encryption is therefore
disabled by default.
To enable fast initial encryption, select the setting Fast initial encryption in a policy of the type
Device Protection.
Note: For volume decryption, the fast initial encryption mode will always be used, regardless of
the specified policy setting. For decryption, the prerequisites listed also apply.
21.1.1.2 Volume-based encryption and Windows 7 system partition
For Windows 7 Professional, Enterprise and Ultimate, a system partition is created on endpoints
without a drive letter assigned. This system partition cannot be encrypted by SafeGuard Enterprise.
21.1.1.3 Volume-based encryption and Unidentified File System Objects
Unidentified File System Objects are volumes that cannot be clearly identified as plaintext or
device-encrypted by SafeGuard Enterprise. If an encryption policy exists for an Unidentified File
System Object, access to this volume will be denied. If no encryption policy exists, the user can
access the volume.
Note: If an encryption policy with Key to be used for encryption set to an option that enables
key selection (for example, Any key in user key ring) exists for an Unidentified File System
Object volume, there is a period of time between the key selection dialog being displayed and
access being denied. During this time period the volume can be accessed. As long as the key
selection dialog is not confirmed, the volume is accessible. To avoid this, specify a preselected
key for encryption. For further information on the relevant policy settings, see Device Protection
(page 141). This period of time also occurs for Unidentified File System Object volumes connected
to an endpoint, if the user has already opened files on the volume when an encryption policy takes
effect. In this case, it cannot be guaranteed that access to the volume will be denied as this could
lead to data loss.
21.1.1.4 Encryption of volumes with enabled Autorun functionality
If you apply an encryption policy to volumes for which Autorun is enabled, the following can occur:
■
The volume is not encrypted.
■
If the volume is an Unidentified File System Object, access is not denied.
21.1.1.5 Access to BitLocker To Go encrypted volumes
If SafeGuard Enterprise is used with BitLocker To Go support enabled and a SafeGuard Enterprise
encryption policy exists for a BitLocker To Go encrypted volume, access to the volume will be
denied. If no SafeGuard Enterprise encryption policy exists, the user can access the volume.
For further information on BitLocker To Go, see BitLocker To Go (page 166).
21.1.2 File-based full disk encryption
File-based encryption ensures that all data is encrypted, apart from the boot medium and directory
information. With file-based encryption, even optical media such as CD/DVD can be encrypted.
Also, data can be exchanged with external computers on which SafeGuard Enterprise is not
installed, if policies permit, see SafeGuard Data Exchange (page 181).
Note: Data encrypted using “file-based encryption” cannot be compressed. Nor can compressed
data be file-based encrypted.
Note: Boot volumes are never file-based encrypted. They are automatically exempted from
file-based encryption, even if a corresponding rule is defined.
To apply file-based encryption to endpoints, create a policy of the type Device Protection and
set the Media encryption mode to File-based.
21.1.2.1 Default behavior when saving files
Since applications behave differently when saving files, SafeGuard Enterprise offers two ways
for handling encrypted files, that have been modified.
If a file is encrypted with a different key than the default key of the volume and you edit the file
and save it, you may expect the original encryption key to be preserved, since you are editing a
file, not creating a new one. But many applications save files by performing a combination of save,
delete, and rename operations (for example Microsoft Office). If they do so, the default SafeGuard
Enterprise setting is to use the default key for this encryption task and therefore change the key
used for encryption.
If you want to change this behavior and preserve the key used for encryption in any case, you
can modify a registry key on the endpoint.
To always use the same key as before when saving modified files:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000001
To allow the use of a different key (default key) when saving modified files. This is the default
setting after installation:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"ActivateEncryptionTunneling"=dword:00000000
Note: Changes in this setting require a restart of the endpoint to become active.
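The registry fragments above can be applied and verified from an elevated PowerShell session. The function below is an added example, not part of the SafeGuard Enterprise documentation; the key path and value name are the ones documented above, the function name is this example's own, and it treats an absent value as the installation default (0), which is an assumption.

```powershell
# Added example, not from the SafeGuard documentation: read and, if required, change the
# ActivateEncryptionTunneling value documented above.
#   1 = keep the file's original key when an application saves via save/delete/rename
#   0 = re-encrypt with the volume's default key (installation default)
# Key path and value name are taken from the documentation; an absent value is treated as
# the installation default (assumption). Run elevated; a change needs an endpoint restart.

$SgnKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC'

function Set-SgnEncryptionTunneling {
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path -Path $SgnKey)) {
        throw "$SgnKey does not exist: the SafeGuard file-based encryption client is not installed here."
    }

    $wanted  = [int]$Enabled
    $current = (Get-ItemProperty -Path $SgnKey -Name ActivateEncryptionTunneling `
                    -ErrorAction SilentlyContinue).ActivateEncryptionTunneling
    if ($null -eq $current) { $current = 0 }   # assumption: absent value behaves like 0

    if ($current -eq $wanted) {
        Write-Host "ActivateEncryptionTunneling is already $wanted; nothing to do."
        return $false
    }

    Set-ItemProperty -Path $SgnKey -Name ActivateEncryptionTunneling -Value $wanted -Type DWord
    Write-Warning "ActivateEncryptionTunneling changed $current -> $wanted; restart the endpoint to apply."
    return $true
}

# Preserve the per-file key across save/delete/rename (for example Microsoft Office saves):
Set-SgnEncryptionTunneling -Enabled $true
```

The function returns $true only when it actually changed the value, so a deployment script can decide whether a restart has to be scheduled.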
21.2 BitLocker Drive Encryption
BitLocker Drive Encryption is a full disk encryption feature with pre-boot authentication included
with Microsoft's Windows operating systems. It is designed to protect data by providing encryption
for boot and data volumes. For Windows 8 and later, only BitLocker Drive Encryption (not
SafeGuard full disk encryption) can be used for full disk encryption.
SafeGuard Enterprise can manage BitLocker encryption on a computer. BitLocker encryption can
be activated and the management of drives already encrypted with BitLocker can be taken over.
During installation on the endpoint and the first reboot, SafeGuard Enterprise determines whether
the hardware meets the requirements for BitLocker with SafeGuard Challenge/Response. If not,
SafeGuard Enterprise BitLocker management is run without Challenge/Response. In this case
the BitLocker recovery key can be retrieved using the SafeGuard Management Center.
21.2.1 Authentication with BitLocker Drive Encryption
BitLocker Drive Encryption offers a range of authentication options, for boot volumes as well as
for non-boot volumes.
The security officer can set the various logon modes in a policy in the SafeGuard Management
Center and distribute it to the BitLocker endpoints.
The following logon modes exist for SafeGuard Enterprise BitLocker users:
■
TPM (boot volumes only)
■
TPM + PIN (boot volumes only)
■
TPM + Startup Key (boot volumes only)
■
Password (without TPM)
■
Startup Key (without TPM)
■
Auto-Unlock (non-boot volumes only)
For more information on setting logon modes in a policy, please see Authentication (page 124).
21.2.1.1 Trusted Platform Module (TPM)
TPM is a smartcard-like module on the motherboard that performs cryptographic and digital
signature operations. It can create, store and manage keys, and it is designed to resist
tampering so that keys cannot simply be read out of it.
21.2.1.2 PIN and passwords
Requirements for BitLocker PINs and passwords are defined by Windows Group Policies, not by
SafeGuard Enterprise settings.
The relevant settings for passwords can be found in the Local Group Policy Editor (gpedit.msc):
Local Computer Policy - Computer Configuration - Administrative Templates - Windows
Components - BitLocker Drive Encryption - Operating System Drives - Configure use of
passwords for operating system drives and
Local Computer Policy - Computer Configuration - Administrative Templates - Windows
Components - BitLocker Drive Encryption - Fixed Data Drives - Configure use of passwords
for fixed data drives.
The settings can also be applied via Active Directory.
PINs usually consist of numbers only, but it is possible to allow the use of all keyboard characters
(numbers, letters as well as special characters/symbols). The setting to allow these enhanced
PINs can be found in the Local Group Policy Editor (gpedit.msc) at Local Computer Policy -
Computer Configuration - Administrative Templates - Windows Components - BitLocker
Drive Encryption - Operating System Drives:
If "Allow enhanced PINs for startup" is set to "enabled", enhanced PINs are allowed.
If "Allow enhanced PINs for startup" is set to "not configured", SafeGuard Enterprise will allow
enhanced PINs.
If "Allow enhanced PINs for startup" is set to "disabled", enhanced PINs are not allowed.
Note: BitLocker supports the EN-US keyboard layout only. Therefore users might have problems
when entering enhanced PINs or complex passwords. Unless they changed their keyboard layout
to EN-US before they specified their new BitLocker PIN or password, users may need to press
a different key to what is displayed on their keyboard in order to enter the character they want.
Therefore, before encrypting the boot volume, a reboot is performed to ensure that the user can
enter the PIN or password correctly at boot time.
21.2.1.3 USB memory stick
The external keys can be stored on an unprotected USB memory stick. Note that for the Startup
Key logon mode without TPM, whoever holds the stick can unlock the volume, so the stick has
to be kept as securely as the endpoint itself.
21.2.2 Best practice: Policy settings and user experience
The security officer configures encryption policies for the drives to be encrypted as well as an
authentication policy. The TPM should be used whenever possible, but even without a TPM the
boot volume should be encrypted. User interaction should be kept to a minimum.
According to these requirements, the security officer chooses the following authentication settings
(these are also the default settings):
■
BitLocker Logon Mode for Boot Volumes: TPM + PIN
■
BitLocker Fallback Logon Mode for Boot Volumes: Password or Startup Key
■
BitLocker Logon Mode for Non-Boot Volumes: Auto-Unlock
■
BitLocker Fallback Logon Mode for Non-Boot Volumes: Password or Startup Key
The security officer creates a device protection policy with the target Internal Storage and sets
the encryption mode to Volume based. Afterwards both policies are applied to the endpoints to
be encrypted.
For SafeGuard Enterprise BitLocker users the following scenarios exist:
Case 1: A user logs on to an endpoint with a TPM.
1. The user is asked to enter a PIN for the boot volume (for example drive C: ).
2. The user enters the PIN and clicks Restart and Encrypt.
3. The system tests the hardware and checks whether the user can enter the PIN correctly. It
reboots and asks the user to enter the PIN.
■
If the user enters the PIN correctly, the endpoint starts.
■
If the user does not enter the PIN correctly (for example because of a wrong keyboard
layout) the user can press the Esc key in the BitLocker pre-boot environment to cancel the
test and the endpoint starts.
■
If there is any problem with the hardware (for example if the TPM is not working), the test
aborts and the endpoint starts.
4. The user logs on again.
5. If the hardware test was passed successfully (the user could enter the PIN correctly and there
was no problem with the TPM), the encryption of the boot volume starts. Otherwise (if the test
failed), an error is shown and the volume is not encrypted. If the test failed because the user
pressed Esc in the pre-boot environment, the user is asked to enter a PIN again and to do a
restart (as in step 2; steps 3, 4, 5 will be repeated).
6. The encryption of the boot volume starts.
7. The encryption of the data volumes starts as well, without requiring any user interaction.
Case 2: A user logs on to a Windows 8 endpoint without a TPM.
1. The user is asked to enter a password for the boot volume.
2. The user enters the password and clicks Restart and Encrypt.
3. The system reboots, tests the hardware and the user logs on again as in the case above
(exactly as in steps 3 to 6 of case 1, but the references to the TPM are not relevant, and a
password is required rather than a PIN).
4. The encryption of the boot volume starts.
5. The encryption of the data volumes starts as well, without requiring any user interaction.
Case 3: A user logs on to a Windows 7 endpoint without a TPM.
1. The user is asked to save the encryption key for the boot volume to a USB memory stick.
2. The user attaches a USB memory stick and presses Save and Restart.
3. The system reboots, performs the hardware test and the user logs on again. (Same procedure
as in the previous cases, but the user has to provide the USB memory stick at boot time. An
additional hardware error could be that the USB memory stick cannot be read from the BitLocker
pre-boot environment.)
4. The encryption of the boot volume starts.
5. The encryption of the data volumes starts as well, without requiring any user interaction.
Case 4: The security officer changes the policy setting BitLocker Fallback Logon Mode for
Boot Volumes to Password. A user logs on to a Windows 7 endpoint without a TPM.
1. Since the endpoint has no TPM and Windows 7 does not allow passwords for boot volumes,
the boot volume will not be encrypted.
2. For each non-boot volume, the user is asked to store the external key on a USB memory stick.
Encryption of the respective volume starts when the user clicks Save.
3. When the user reboots the endpoint, the USB key has to be plugged in to be able to unlock
the non-boot volumes.
21.2.3 Prerequisites for managing BitLocker on endpoints
■
To be able to use logon methods TPM + PIN, TPM + Startup Key, Startup Key or Password
the Group Policy Require additional authentication at startup either in Active Directory or
on computers locally must be enabled. In the Local Group Policy Editor (gpedit.msc) the Group
Policy can be found here:
Local Computer Policy\Computer Configuration\Administrative Templates\Windows
Components\BitLocker Drive Encryption\Operating System Drives.
To use Startup Key, you must activate Allow BitLocker without a compatible TPM in the
Group Policy.
■
To use TPM + PIN on tablets, you must also activate the Group Policy Enable use of BitLocker
authentication requiring preboot keyboard input on slates.
Note: These Group Policies are enabled automatically at installation on the endpoint. Make
sure that the settings are not overwritten by different Group Policies.
■
A BitLocker device protection policy which triggers the configuration of a TPM-based
authentication mechanism (for example TPM, TPM + PIN, TPM + Startup Key) will automatically
initiate TPM activation. The user is informed that the TPM needs to be activated and is informed
if the system needs to be rebooted or shut down, depending on the TPM in use.
Note: If SafeGuard BitLocker management is installed on an endpoint Not prepared may be
displayed as the encryption state of a drive. This indicates that the drive currently cannot be
encrypted with BitLocker since necessary preparations have not been done yet. This only
applies to managed endpoints since unmanaged endpoints cannot report inventory data.
See also Drives tab (page 251).
The system state can be checked with the command line tool SGNState (administrative rights
necessary). For details see the SafeGuard Enterprise Tools guide. Volume info: indicates
whether the endpoint is prepared appropriately for BitLocker encryption or not. In some cases
the Windows BitLocker Drive Preparation Tool must be executed.
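Because the Group Policies listed above are enabled by the SafeGuard installer but can be overwritten by domain policy, it is worth checking them on an endpoint before an authentication policy is rolled out. The script below is an added example and not part of the SafeGuard Enterprise documentation. The policy display names come from the text above; the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the standard Windows mapping for these policies and are not stated on the page, and the Win32_Tpm WMI class is used for the TPM state because it is also available on Windows 7.

```powershell
# Added example, not part of the SafeGuard documentation: audit the Group Policy and TPM
# prerequisites for the BitLocker logon modes described above on one endpoint.
# Registry value names are the standard Windows mapping for the named policies (not from
# the page). Run elevated.

$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $Fve -ErrorAction SilentlyContinue

# Policy display name -> registry value written when the policy is configured
$checks = [ordered]@{
    'Require additional authentication at startup'                                       = 'UseAdvancedStartup'
    'Allow BitLocker without a compatible TPM (needed for Startup Key / Password)'       = 'EnableBDEWithNoTPM'
    'Allow enhanced PINs for startup'                                                    = 'UseEnhancedPin'
    'Enable use of BitLocker authentication requiring preboot keyboard input on slates'  = 'OSEnablePrebootInputProtectorsOnSlates'
}

$report = foreach ($name in $checks.Keys) {
    $valueName = $checks[$name]
    $value     = if ($pol) { $pol.$valueName } else { $null }
    # $null -eq 0 is false in PowerShell, so an absent value ends up as "Not configured"
    $state = if ($value -eq 1) { 'Enabled' } elseif ($value -eq 0) { 'Disabled' } else { 'Not configured' }
    [pscustomobject]@{ Policy = $name; RegistryValue = $valueName; State = $state }
}
$report | Format-Table -AutoSize -Wrap

# TPM present, enabled and activated? The MicrosoftTpm namespace exists on Windows 7 and later.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
           -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning 'No TPM found: only Startup Key (Windows 7) or Password (Windows 8) can protect the boot volume.'
} else {
    'TPM spec {0}: enabled={1} activated={2} owned={3}' -f $tpm.SpecVersion,
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
}

# Hard failure: without this policy none of TPM + PIN, TPM + Startup Key, Startup Key or Password work.
if ($report[0].State -ne 'Enabled') {
    Write-Warning 'Require additional authentication at startup is not enabled on this endpoint.'
}
if ($null -eq $tpm -and $report[1].State -ne 'Enabled') {
    Write-Warning 'No TPM and "Allow BitLocker without a compatible TPM" is not enabled: the boot volume cannot be encrypted.'
}
```

Run it on a reference machine of each hardware model before the policy goes out; a "Disabled" state on the first line means a domain GPO has overridden the value the installer set.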
SafeGuard Challenge/Response for BitLocker
In order to use SafeGuard Enterprise BitLocker Challenge/Response the following requirements
must be met:
■
64-bit Windows
■
UEFI version 2.3.1 or newer
■
Microsoft UEFI certificate is available or Secure Boot is disabled
■
NVRAM boot entries accessible from Windows
■
Windows installed in GPT mode
■
The hardware is not listed in the POACFG.xml file.
Sophos delivers a default POACFG.xml file embedded in the setup. It is recommended to
download the newest file and provide it to the installer.
During installation on the endpoint and the first reboot, SafeGuard Enterprise determines whether
the hardware meets the requirements for BitLocker with SafeGuard Challenge/Response. If not,
SafeGuard Enterprise BitLocker management is run without Challenge/Response. In this case
the BitLocker recovery key can be retrieved using the SafeGuard Policy Editor.
21.2.4 Manage BitLocker Drive Encryption with SafeGuard Enterprise
With SafeGuard Enterprise you can manage BitLocker Drive Encryption from the SafeGuard
Management Center, like a native SafeGuard Enterprise Client. As a security officer you can set
encryption and authentication policies and distribute them to the BitLocker endpoints.
During installation of the SafeGuard Enterprise Client on Windows 7, the BitLocker feature needs
to be explicitly selected to enable BitLocker management.
Once a BitLocker endpoint is registered at SafeGuard Enterprise, information on user, computer,
logon mode and encryption status is displayed. Events are logged for BitLocker clients as well.
Management of the BitLocker clients in SafeGuard Enterprise is transparent, which means that
management functions work in general the same for BitLocker and native SafeGuard Enterprise
Clients. You can find out the type of a computer in the Inventory of a container in Users and
Computers. The column Encryption Type tells you if the respective computer is a BitLocker
client.
SafeGuard Enterprise’s central and fully transparent management of BitLocker can be used in
heterogeneous IT environments. SafeGuard Enterprise enhances BitLocker capabilities
significantly. Security policies for BitLocker can be centrally rolled out thanks to SafeGuard
Enterprise. Even critical processes such as key management and key recovery are available
when BitLocker is managed with SafeGuard Enterprise.
For SafeGuard Enterprise support of the BitLocker To Go enhancement in Windows 7 and 8, see
BitLocker To Go (page 166).
21.2.5 Encrypting with BitLocker managed by SafeGuard Enterprise
With BitLocker Drive Encryption support in SafeGuard Enterprise you can encrypt boot volumes
as well as non-boot volumes with BitLocker encryption and keys. Additionally, any data, for
example removable media, can be encrypted with SafeGuard Enterprise file-based encryption
and SafeGuard Enterprise keys. This is not a BitLocker feature but provided by SafeGuard
Enterprise.
21.2.5.1 BitLocker encryption keys
When encrypting the boot volume or other volumes with BitLocker through SafeGuard Enterprise,
the encryption keys are always generated by BitLocker. A key is generated by BitLocker for each
volume and cannot be reused for any other purpose.
When using BitLocker with SafeGuard Enterprise, a recovery key is stored in the SafeGuard
Enterprise Database. This allows for setting up a helpdesk and recovery mechanism similar to
the SafeGuard Enterprise Challenge/Response.
However, it is not possible to select keys globally or reuse them as with SafeGuard Enterprise
native clients. The keys are not displayed in the SafeGuard Management Center either.
Note: BitLocker also allows you to back up recovery keys to Active Directory. If this is enabled
in the group policy objects (GPOs), this is done automatically when a volume is encrypted with
BitLocker. If a volume is already encrypted, the administrator can back up the BitLocker recovery
keys manually with Windows Manage-BDE tool (see "manage-bde -protectors -adbackup -?").
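The manual backup mentioned in the note can be scripted for all protected volumes at once. The script below is an added example and not part of the SafeGuard Enterprise documentation; it uses the BitLocker PowerShell module, which exists on Windows 8 and Server 2012 or later (on Windows 7 the manage-bde commands given in the comments are the equivalent), and it assumes a domain-joined endpoint whose GPO permits storing recovery information in AD DS.

```powershell
# Added example, not from the SafeGuard documentation: back up the recovery password
# protector of every BitLocker-protected volume to Active Directory, which is what
# "manage-bde -protectors -adbackup <drive> -id <protector GUID>" does for one protector.
# Requires the BitLocker module (Windows 8 / Server 2012 and later) and an elevated session.
# manage-bde equivalents for Windows 7:
#   manage-bde -protectors -get C:
#   manage-bde -protectors -adbackup C: -id "{protector GUID}"

Import-Module BitLocker -ErrorAction Stop

$results = foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$($vol.MountPoint): not BitLocker-protected, skipping"
        continue
    }

    # Only a numerical RecoveryPassword protector can be stored in AD. A volume that has
    # just TPM/startup key/password protectors has nothing to back up; report it rather
    # than silently changing the protector set (Add-BitLockerKeyProtector would add one).
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, nothing to back up"
        continue
    }

    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
            [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Result = 'Backed up to AD' }
        } catch {
            # Typical causes: endpoint not domain-joined, GPO does not allow AD backup,
            # or the domain controller cannot be reached.
            [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

$results | Format-Table -AutoSize
```

The AD copy is independent of the recovery key SafeGuard Enterprise keeps in its database; keeping both gives the helpdesk a second path if one store is unavailable.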
21.2.5.2 BitLocker algorithms in SafeGuard Enterprise
BitLocker supports the following Advanced Encryption Standard (AES) algorithms:
■
AES-128
■
AES-256
AES-128 with diffuser and AES-256 with diffuser are no longer supported. Drives already encrypted
using an algorithm with diffuser can be managed by SafeGuard Enterprise.
21.2.5.3 Encryption policies for BitLocker Drive Encryption
The security officer can create a policy for (initial) encryption in the SafeGuard Management
Center and distribute it to the BitLocker endpoints where it is executed. It triggers the BitLocker
encryption of the drives specified in the policy.
As the BitLocker clients are managed transparently in the SafeGuard Management Center, the
security officer does not have to specify any special BitLocker settings for encryption. SafeGuard
Enterprise knows the client status and selects the BitLocker encryption accordingly. When a
BitLocker client is installed with SafeGuard Enterprise and volume encryption is activated, the
volumes are encrypted by BitLocker Drive Encryption.
A BitLocker endpoint processes policies of type Device Protection and Authentication.
The following settings are evaluated on the endpoint:
■
Settings in a policy of type Device Protection:
■
Target: Local Storage Devices | Internal Storage | Boot Volumes | Non-boot Volumes
| Drive Letters A: - Z:
■
Media Encryption Mode: Volume based | No encryption
■
Algorithm to be used for encryption: AES128 | AES256
■
Fast initial encryption: Yes | No
For details see Device Protection (page 141).
■
Settings in a policy of type Authentication:
■
BitLocker Logon Mode for Boot Volumes: TPM | TPM + PIN | TPM + Startup Key |
Startup Key | Password
■
BitLocker Fallback Logon Mode for Boot Volumes: Startup Key | Password | Password
or Startup Key | Error
■
BitLocker Logon Mode for Non-Boot Volumes: Auto-Unlock | Password | Startup Key
■
BitLocker Fallback Logon Mode for Non-Boot Volumes: Startup Key | Password or
Startup Key | Password
For details see Authentication (page 124).
All other settings are ignored by the BitLocker endpoint.
21.2.5.4 Encryption on a BitLocker-protected computer
Before the encryption starts, the encryption keys are generated by BitLocker. Depending on the
system used the behaviour differs slightly.
Endpoints with TPM
If the security officer defines a logon mode for BitLocker that involves the TPM (TPM, TPM + PIN
or TPM + Startup Key), TPM activation is automatically initiated.
The TPM (Trusted Platform Module) is a hardware module that BitLocker uses to protect the
key that unlocks the volume. The TPM only releases that key if the measured boot components
are unchanged, so the key cannot be recovered from the hard disk alone. The TPM must be
accessible by the basic input/output system (BIOS) during startup. When the user starts the
computer, BitLocker obtains the key from the TPM automatically.
Endpoints without TPM
If an endpoint is not equipped with a TPM, either a BitLocker startup key or, if the endpoint is
running Windows 8 or later, a password can be used as the logon mode.
A BitLocker startup key can be created using a USB memory stick to store the encryption keys.
The user will have to insert the memory stick each time when starting the computer.
When SafeGuard Enterprise activates BitLocker, users are prompted to save the BitLocker startup
key. A dialog appears displaying the valid target drives in which to store the startup key.
Note: For boot volumes it is essential that you have the startup key available when you start
your endpoint. Therefore the startup key can only be stored on removable media.
For data volumes the BitLocker startup key can be stored on an encrypted boot volume. This is
done automatically if Auto-Unlock is defined in the policy.
BitLocker recovery keys
For BitLocker recovery, SafeGuard Enterprise offers a Challenge/Response procedure that allows
information to be exchanged confidentially and allows the BitLocker recovery key to be retrieved
from the helpdesk, see Response for BitLocker encrypted SafeGuard Enterprise Clients - UEFI
endpoints (page 240) and Recovery key for BitLocker encrypted SafeGuard Enterprise Clients -
BIOS endpoints (page 240).
To enable recovery with Challenge/Response or retrieval of the recovery key, the required data
has to be available to the helpdesk. The data required for recovery is saved in specific key recovery
files.
Note: If SafeGuard BitLocker management without Challenge/Response in standalone mode is
used, the recovery key is not changed after a recovery procedure.
Note: If a BitLocker-encrypted hard disk in a computer is replaced by a new BitLocker-encrypted
hard disk, and the new hard disk is assigned the same drive letter as the previous hard disk,
SafeGuard Enterprise only saves the recovery key of the new hard disk.
Managing drives already encrypted with BitLocker
If there are any drives already encrypted with BitLocker on your computer when SafeGuard
Enterprise is installed, SafeGuard Enterprise takes over the management of these drives.
Encrypted boot drives
■
Depending on the SafeGuard Enterprise BitLocker support used, you may be prompted to
reboot the computer. It is important that you reboot the computer as early as possible.
■
If a SafeGuard Enterprise encryption policy applies for the encrypted drive:
  ■
  SafeGuard Enterprise BitLocker Challenge/Response is installed: Management is taken
  over and SafeGuard Enterprise Challenge/Response is possible.
  ■
  SafeGuard Enterprise BitLocker is installed: Management is taken over and recovery is
  possible.
■
If no SafeGuard Enterprise encryption policy applies for the encrypted drive:
  ■
  SafeGuard Enterprise BitLocker Challenge/Response is installed: Management is not
  taken over and SafeGuard Enterprise Challenge/Response is not possible.
  ■
  SafeGuard Enterprise BitLocker is installed: recovery is possible.
Encrypted data drives
■
If a SafeGuard Enterprise encryption policy applies for the encrypted drive:
Management is taken over and recovery is possible.
■
If no SafeGuard Enterprise encryption policy applies for the encrypted drive:
SafeGuard Enterprise recovery is possible.
21.2.5.5 Decryption with BitLocker
Computers encrypted with BitLocker cannot be decrypted automatically. Decryption can be carried
out using either the BitLocker Drive Encryption item in the Control Panel or the Microsoft
command-line tool "Manage-bde".
To allow users to decrypt BitLocker encrypted drives manually, a policy without an encryption
rule for a BitLocker encrypted drive has to be applied on the endpoint. The user can then trigger
decryption by deactivating BitLocker for the desired drive in the BitLocker Drive Encryption
Control Panel item.
21.2.6 BitLocker To Go
As of Windows 7, BitLocker Drive Encryption functionality has been extended with BitLocker To
Go so that users can also encrypt volumes on removable media. BitLocker To Go cannot be
managed by SafeGuard Enterprise.
BitLocker To Go can be used when the client components for SafeGuard Enterprise BitLocker
support have been deployed.
When the client components for SafeGuard Enterprise volume-based encryption have been
deployed, encryption with BitLocker To Go is not compatible and is disabled. Volumes and
removable media that have been encrypted with BitLocker To Go before SafeGuard Enterprise
was installed remain readable. SafeGuard file-based encryption can still be used.
21.2.6.1 Deactivate BitLocker To Go encryption
1. In the Windows Group Policy Editor, select Local Computer Policy\Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive
Encryption\Removable Data Drives.
2. Under Removable Data Drives, select the following policy: Control use of BitLocker on
removable drives. Set the options as follows:
a) Select Enabled.
b) Under Options, clear Allow users to apply BitLocker protection to removable data
drives.
c) Under Options, select Allow users to suspend and decrypt BitLocker protection on
removable data drives.
3. Click OK.
BitLocker To Go encryption is deactivated on the endpoints. Users cannot encrypt new volumes
with BitLocker To Go anymore. Volumes encrypted with BitLocker To Go before the deployment
of the native SafeGuard Enterprise Device Encryption client components remain readable.
The resulting Registry settings on the client side are as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"RDVConfigureBDE"=dword:00000001
"RDVAllowBDE"=dword:00000000
"RDVDisableBDE"=dword:00000001
These Registry keys are also set during the installation of the SafeGuard Enterprise Device
Encryption client components so that BitLocker To Go is also deactivated on computers without
domain management (endpoints in a workgroup) or standalone endpoints.
21.2.7 Logging
Events reported by the BitLocker Client are logged just as for any other SafeGuard Enterprise
Client. The log entries do not specifically indicate that an event refers to a BitLocker Client;
the events reported are the same as for any SafeGuard Enterprise Client.
21.3 FileVault 2 full disk encryption
FileVault 2 is an encryption technology built into OS X that protects an entire volume and can be
managed by SafeGuard Enterprise.
21.3.1 Manage FileVault 2 full disk encryption with SafeGuard Enterprise
With SafeGuard Enterprise you can manage FileVault 2 full disk encryption from the SafeGuard
Management Center, like a native SafeGuard Enterprise Client.
The SafeGuard Enterprise Client installation does not contain the component for FileVault 2
management. It has to be installed separately. For details see your Sophos SafeGuard Native
Device Encryption for Mac documentation.
SafeGuard Enterprise's central and fully transparent management of FileVault 2 allows it to be
used in heterogeneous IT environments. Security policies for different platforms can be rolled
out centrally.
21.3.2 Manage FileVault 2 endpoints with SafeGuard Management Center
In the SafeGuard Management Center, FileVault 2 endpoints can be managed just like any native
SafeGuard Enterprise endpoints. As a security officer you can set encryption policies for the
FileVault 2 endpoints and distribute them.
Once a FileVault 2 endpoint is registered at SafeGuard Enterprise, information on user, computer,
logon mode and encryption status is displayed. Events are logged for FileVault 2 clients as well.
Management of FileVault 2 in SafeGuard Enterprise is transparent, which means that
management functions generally work the same way for FileVault 2 and native SafeGuard
Enterprise clients. You can find out the type of a computer in the Inventory of a container in
Users and Computers. The column POA Type tells you if the respective computer is a FileVault
2 client.
21.3.3 Encryption policies for FileVault 2 full disk encryption
The security officer can create a policy for encryption in the SafeGuard Management Center and
distribute it to the FileVault 2 endpoints where it is executed.
As the FileVault 2 endpoints are managed transparently in the SafeGuard Management Center,
the security officer does not necessarily have to specify any special FileVault 2 settings for
encryption. SafeGuard Enterprise knows the client status and selects the FileVault 2 encryption
accordingly.
A FileVault 2 endpoint only processes policies of type Device Protection with target Boot Volumes
and Media encryption mode set to Volume-based or No encryption. All other policy settings
are ignored.
■ Volume-based activates FileVault 2 on the endpoint.
■ No encryption allows the user to decrypt the Mac.
22 SafeGuard Configuration Protection
The module SafeGuard Configuration Protection is no longer available as of SafeGuard Enterprise
6.1. The corresponding policy as well as the Suspension Wizard are still available in the SafeGuard
Management Center 7.0 to support SafeGuard Enterprise 6 or even 5.60 clients with Configuration
Protection installed and managed with a 7.0 Management Center.
For further information on SafeGuard Configuration Protection, refer to the SafeGuard Enterprise
6 Administrator help:
http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_60_h_eng_admin_help.pdf.
23 File Encryption
The SafeGuard Enterprise module File Encryption offers file-based encryption on local drives and
network locations, mainly for work groups on network shares.
In the SafeGuard Management Center, you define the rules for file-based encryption in File
Encryption policies. In these File Encryption rules, you specify the folders that are to be handled
by File Encryption, the encryption mode and the key to be used for encryption. In General Settings
policies, you can define how specific applications and file systems are handled on endpoints in
the context of File Encryption. You can specify ignored and trusted applications as well as ignored
devices. You can also enable persistent encryption for File Encryption.
For encryption, Personal Keys can be used. A Personal Key that is active for a user only applies
to this particular user and cannot be shared with or assigned to any other users. You can create
Personal Keys in the SafeGuard Management Center under Users and Computers.
After a File Encryption policy has been assigned to endpoints, files in the locations covered by
the policy are transparently encrypted without user interaction:
■ New files in the relevant locations are encrypted automatically.
■ If users have the key for an encrypted file, they can read and modify the content.
■ If users do not have the key for an encrypted file, access is denied.
■ If a user accesses an encrypted file on an endpoint where File Encryption is not installed, the encrypted content is shown.
Already existing files in the locations covered by the encryption policy are not encrypted
automatically. Users have to carry out an initial encryption in the SafeGuard File Encryption
Wizard on the endpoint. For further information, see the SafeGuard Enterprise user help.
Note:
SafeGuard File Encryption is not compatible with Windows built-in EFS encryption and file
compression. If EFS is enabled, it has priority over any applicable file encryption rule and files
that are created in the relevant folder cannot be encrypted by File Encryption. If compression is
enabled, File Encryption has a higher priority and files are encrypted but not compressed. To
encrypt the files by File Encryption, EFS encryption or data compression has to be removed
beforehand. This can be done manually or by running the SafeGuard Enterprise Initial Encryption
Wizard.
Note: For details on using Mac endpoints and SafeGuard File Encryption for Mac, refer to the following documents:
■ SafeGuard File Encryption for Mac - Quick startup guide. This document is intended for Mac users.
■ SafeGuard File Encryption for Mac - Administrator help. This document is intended for administrators working with both platforms, Mac and Windows.
23.1 Configuring encryption rules in File Encryption policies
You define the rules for file-based encryption on network locations in a policy of the type File
Encryption.
Note: Certain folders (for example c:\program files) may prevent the operating system or
applications from running when encrypted. When you define encryption rules, make sure that
these folders are not encrypted.
1. In the Policies navigation area, create a new policy of the type File Encryption or select an
existing one.
The File Encryption policy rules table is displayed.
2. In the Path column, set the path (that is the folder) to be handled by File Encryption:
  ■ Click the drop-down button and select a folder name placeholder from the list of available placeholders.
  Note: By hovering your cursor over the list entries, you can display tooltips telling you how a placeholder is typically presented on an endpoint. You can only enter valid placeholders. For a description of all available placeholders, see Placeholders for paths in File Encryption rules (page 173).
  Note: Encrypting the whole user profile with the placeholder <User Profile> may result in an unstable Windows desktop on the endpoint.
  ■ Click the Browse button to browse the file system and select the required folder.
  ■ Alternatively, just enter a path name.
  Note: For useful information on configuring paths in File Encryption rules, see Additional information for configuring paths in File Encryption rules (page 172).
3. In the Scope column, select
  ■ Only this folder to apply the rule only to the folder indicated by the Path column, or
  ■ Include subfolders to also apply the rule to all its subfolders.
4. In the Mode column, define how File Encryption should handle the folder indicated in the Path column:
  ■ Select Encrypt to encrypt new files in the folder. The contents of the existing encrypted files are decrypted transparently when a user with the required key accesses them. If the user does not have the required key, access is denied.
  ■ If you select Exclude, new files in the folder are not encrypted. You might use this option to exclude a subfolder from encryption if the parent folder is already covered by a rule with the Encrypt option.
  ■ If you select Ignore, files in the folder are not handled by File Encryption at all. New files are saved in plaintext. If a user accesses already encrypted files in this folder, the encrypted content is displayed, regardless of whether the user has the required key or not.
5. In the Key column, select the key to be used for the Encrypt mode. You can use keys created and applied in Users and Computers:
  ■ Click the Browse button to open the Find Keys dialog. Click Find now to display a list of all available keys and select the required key.
  Note: Machine keys are not shown in the list. They cannot be used by File Encryption as they are only available on a single machine and can therefore not be used to enable groups of users to access the same data.
  ■ Click the Personal Key button with the key icon to insert the Personal Key placeholder in the Key column. On the endpoint, this placeholder will be resolved to the active Personal Key of the logged on SafeGuard Enterprise user. If the relevant users do not have active Personal Keys yet, they are created automatically. You can create Personal Keys for single or multiple users in Users and Computers. For further information, see Personal Keys for file-based encryption by File Encryption (page 70).
6. The System type (Windows, Mac OS X or All systems for Windows and Mac OS X systems)
will be assigned automatically.
7. Add further encryption rules as required and save your changes.
Note: All File Encryption rules that are assigned by policies and activated for users/computers
at different nodes in Users and Computers are cumulated. The order of encryption rules
within a File Encryption policy is not relevant for their evaluation on the endpoint. Within a
File Encryption policy, you can drag the rules into order to gain a better overview.
23.1.1 Additional information for configuring paths in File Encryption rules
When configuring paths in File Encryption rules, consider the following.
■ A path can only contain characters that can also be used in file systems. Characters like <, >, * and $ are not allowed.
■ You can only enter valid placeholders. For a list of all supported placeholders, see Placeholders for paths in File Encryption rules (page 173).
  Note: Names of environment variables are not checked by the SafeGuard Management Center. They only need to be present on the endpoint.
■ The Path field always indicates a folder. You cannot specify a rule for a single file or use wildcards for folder names, file names or file extensions.
■ Absolute and relative rules
  You can define absolute and relative rules. An absolute rule exactly defines a specific folder, for example C:\encrypt. A relative rule does not include UNC server/share information, drive letter information or parent folder information. An example of a path used in a relative rule is encrypt_sub. In this case, all files on all drives (including network locations) that reside in a folder encrypt_sub (or one of its subfolders) are covered by the rule.
■ Long folder names and 8.3 notation
  Always enter the long folder names for File Encryption rules, since 8.3 names for long folder names may differ from computer to computer. 8.3 name rules are detected automatically by the endpoint protected by SafeGuard Enterprise when the relevant policies are applied. Whether applications use long folder names or 8.3 names for accessing files, the result should be the same. For relative rules, use the short folder names to make sure that the rule can be enforced regardless of whether an application uses long folder names or 8.3 notation.
■ UNC and/or mapped drive letters
  Whether you administer rules in UNC notation or based on mapped drive letters depends on your specific requirements:
  ■ Use UNC notation if your server and share names are not likely to change, but drive letter mappings vary between users.
  ■ Use mapped drive letters if drive letters stay the same, but server names may change.
  If you use UNC, specify a server name and a share name, for example \\server\share. File Encryption matches UNC names and mapped drive letters internally. In a rule, a path therefore needs to be defined either as a UNC path or with mapped drive letters.
  Note: Since users may be able to change their drive letter mappings, we recommend using UNC paths in File Encryption rules for security reasons.
■ Offline folders
  If the Windows feature Make Available Offline is used, you do not have to create special rules for local (offline) copies of folders. New files in the local copy of a folder that has been made available for offline use are encrypted according to the rule for the original (network) location.
Note: For further information on naming files and paths, see
http://msdn.microsoft.com/en-us/library/aa365247.aspx.
23.1.2 Placeholders for paths in File Encryption rules
The following placeholders can be used when specifying paths in encryption rules in File
Encryption policies. You can select these placeholders by clicking the dropdown button of the
Path field.
| Path placeholder | Operating System (All = Windows and Mac OS X) | Results in the following value on the endpoint |
|---|---|---|
| <%environment_variable_name%> | All | The value of the environment variable. Example: <%USERNAME%>. Note: If environment variables contain several locations (for example the PATH environment variable), the paths will not be separated into multiple rules. This causes an error and the encryption rule is invalid. |
| <Desktop> | Windows | The virtual folder that represents the Microsoft Windows desktop. |
| <Documents> | All | The virtual folder that represents the My Documents desktop item (equivalent to CSIDL_MYDOCUMENTS). Typical path: C:\Documents and Settings\username\My Documents. |
| <Downloads> | All | The folder where downloads are stored by default. A typical path for Windows is C:\Users\username\Downloads. |
| <Music> | All | The file system directory that serves as a data repository for music files. Typical path: C:\Documents and Settings\User\My Documents\My Music. |
| <Pictures> | All | The file system directory that serves as a data repository for image files. Typical path: C:\Documents and Settings\username\My Documents\My Pictures. |
| <Public> | All | The file system directory that serves as a common repository for document files for all users. Typical path: C:\Users\<username>\Public. |
| <User Profile> | All | The user's profile folder. Typical path: C:\Users\username. Note: Encrypting the whole user profile with this placeholder may result in an unstable Windows desktop on the endpoint. |
| <Videos> | All | The file system directory that serves as a common repository for video files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Videos. |
| <Cookies> | Windows | The file system directory that serves as a common repository for internet cookies. Typical path: C:\Documents and Settings\username\Cookies. |
| <Favorites> | Windows | The file system directory that serves as a common repository for the user's favorite items. Typical path: \Documents and Settings\username\Favorites. |
| <Local Application Data> | Windows | The file system directory that serves as a data repository for local (non-roaming) applications. Typical path: C:\Documents and Settings\username\Local Settings\Application Data. |
| <Program Data> | Windows | The file system directory that contains application data for all users. Typical path: C:\Documents and Settings\All Users\Application Data. |
| <Program Files> | Windows | The Program Files folder. Typical path: \Program Files. For 64-bit systems, this will be expanded into two rules - one for 32-bit applications and one for 64-bit applications. |
| <Public Music> | Windows | The file system directory that serves as a common repository for music files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Music. |
| <Public Pictures> | Windows | The file system directory that serves as a common repository for image files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Pictures. |
| <Public Videos> | Windows | The file system directory that serves as a common repository for video files for all users. Typical path: C:\Documents and Settings\All Users\Documents\My Videos. |
| <Roaming> | Windows | The file system directory that serves as a common repository for application-specific data. Typical path: C:\Documents and Settings\username\Application Data. |
| <System> | Windows | The Windows System folder. Typical path: C:\Windows\System32. For 64-bit systems, this will be expanded to two rules - one for 32-bit and one for 64-bit. |
| <Temporary Burn Folder> | Windows | The file system directory that is used as a staging area for files waiting to be written on a CD. Typical path: C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\CD Burning. |
| <Temporary Internet Folder> | Windows | The file system directory that serves as a common repository for temporary internet files. Typical path: C:\Documents and Settings\username\Local Settings\Temporary Internet Files. |
| <Windows> | Windows | The Windows directory or SYSROOT. This corresponds to the environment variables %windir% or %SYSTEMROOT%. Typical path: C:\Windows. |
| <Removables> | Mac OS X | Points to the root folders of all Mac OS X removable media. |
| <Root> | Mac OS X | The Mac OS X root folder. It is not recommended to specify policies for the root folder, even if it is technically possible. |
Note: Always use backslashes as path separator, even when creating File Encryption rules for
Mac OS X. This allows you to apply rules on both operating systems, Windows and Mac OS X.
Note: On the Mac OS X client side, backslashes will automatically be transformed to slashes in order
to match the requirements of the Mac OS X operating system. Any errors in placeholders are
logged. Invalid File Encryption rules are logged and then discarded on the endpoint.
Example for a path conversion
The following Windows path
<User Profile>\Dropbox\personal
is converted on Mac side into
/Users/<Username>/Dropbox/personal
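The placeholder resolution and path conversion described above, as an added example that is not part of the original help or of Sophos code: it resolves a rule path for a Windows or Mac OS X endpoint, rejects Windows-only placeholders on the Mac, environment variables that hold several locations and forbidden characters, logs and discards invalid rules, and converts backslashes to slashes on the Mac side. The placeholder-to-folder mapping and the environment values are constructed for the example.

```python
"""Resolve File Encryption rule paths on a Windows or Mac OS X endpoint.

Added example, not Sophos code.  Models the behaviour described in
'Placeholders for paths in File Encryption rules': placeholders are resolved
per operating system, a Windows-only placeholder makes the rule invalid on a
Mac, <%VAR%> expands an environment variable (a value holding several
locations invalidates the rule), forbidden characters are rejected, invalid
rules are logged and discarded, and backslashes become slashes on the Mac.
"""
import re
from typing import Dict, List, Optional, Tuple

PLACEHOLDER_RE = re.compile(r"^<([^<>]+)>$")

# Constructed mapping placeholder -> {operating system: folder}.  A real
# endpoint derives these from its shell folders; only a few entries are shown.
PLACEHOLDERS: Dict[str, Dict[str, str]] = {
    "User Profile": {"Windows": "C:\\Users\\<Username>",
                     "Mac OS X": "/Users/<Username>"},
    "Documents": {"Windows": "C:\\Users\\<Username>\\Documents",
                  "Mac OS X": "/Users/<Username>/Documents"},
    "Desktop": {"Windows": "C:\\Users\\<Username>\\Desktop"},  # Windows only
    "Root": {"Mac OS X": "/"},
    "Removables": {"Mac OS X": "/Volumes"},  # assumed mount point
}
FORBIDDEN = set("<>*$")  # not allowed outside placeholders


def resolve_rule_path(path: str, os_name: str,
                      env: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (resolved_path, None) for a valid rule or (None, error) for an
    invalid one.  Rules are always written with backslashes as separator."""
    list_sep = ";" if os_name == "Windows" else ":"   # PATH-style list separator
    parts: List[str] = []
    for comp in path.split("\\"):
        if comp == "":
            parts.append(comp)                       # keeps the leading \\ of UNC paths
            continue
        m = PLACEHOLDER_RE.match(comp)
        if m and m.group(1).startswith("%") and m.group(1).endswith("%"):
            name = m.group(1)[1:-1]                  # <%NAME%> -> environment variable
            if name not in env:
                return None, f"environment variable {name} is not present on the endpoint"
            if list_sep in env[name]:
                return None, f"environment variable {name} contains several locations"
            parts.append(env[name])
        elif m:
            folders = PLACEHOLDERS.get(m.group(1))  # <Shell Folder> placeholder
            if folders is None:
                return None, f"unknown placeholder <{m.group(1)}>"
            if os_name not in folders:
                return None, f"placeholder <{m.group(1)}> is not available on {os_name}"
            parts.append(folders[os_name])
        else:
            bad = FORBIDDEN & set(comp)
            if bad:
                return None, f"characters {''.join(sorted(bad))} are not allowed in {comp!r}"
            parts.append(comp)
    resolved = "\\".join(parts)
    if os_name == "Mac OS X":
        resolved = resolved.replace("\\", "/")       # Mac side: backslash -> slash
    return resolved, None


def resolve_all(paths: List[str], os_name: str,
                env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Resolve a policy's rule paths; invalid rules are logged and discarded."""
    valid, log = [], []
    for p in paths:
        resolved, err = resolve_rule_path(p, os_name, env)
        if err:
            log.append(f"discarded rule {p!r}: {err}")
        else:
            valid.append(resolved)
    return valid, log


# Constructed sample rules and environment values.
SAMPLE_RULE_PATHS = [
    "<User Profile>\\Dropbox\\personal",  # the conversion example from the help
    "<Documents>\\projects",              # available on both systems
    "<Desktop>\\confidential",            # Windows-only placeholder
    "<%USERNAME%>\\data",                 # environment variable in a relative rule
    "<%PATH%>\\data",                     # several locations: invalid on both systems
    "reports*",                           # forbidden character
]
WINDOWS_ENV = {"USERNAME": "jdoe", "PATH": "C:\\Windows;C:\\Windows\\System32"}
MAC_ENV = {"USERNAME": "jdoe", "PATH": "/usr/bin:/bin"}

if __name__ == "__main__":
    for os_name, env in (("Windows", WINDOWS_ENV), ("Mac OS X", MAC_ENV)):
        valid, log = resolve_all(SAMPLE_RULE_PATHS, os_name, env)
        print(os_name, "->", valid)
        for line in log:
            print("  ", line)
```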
23.2 Configuring File Encryption settings in General Settings policies
In addition to the encryption rules defined in File Encryption policies, you can configure the
following File Encryption settings in policies of the type General Settings:
■ Trusted Applications
■ Ignored Applications
■ Ignored Devices
■ Enable persistent encryption
23.2.1 Configure trusted and ignored applications for File Encryption
You can define applications as trusted to grant them access to encrypted files. This is for example
necessary to enable antivirus software to scan encrypted files.
You can also define applications as ignored to exempt them from transparent file
encryption/decryption. For example, if you define a backup program as an ignored application,
encrypted data backed up by the program remains encrypted.
Note: Child processes will not be trusted/ignored.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Trusted Applications or Ignored
Applications field.
3. In the editor list box, enter the applications to be defined as trusted/ignored.
  ■ You can define multiple trusted/ignored applications in one policy. Each line in the editor list box defines one application.
  ■ Application names must end with .exe.
  ■ Application names must be specified as fully qualified paths including drive/directory information, for example "c:\dir\example.exe". Entering the file name only (for example "example.exe") is not sufficient. For better usability, the single line view of the application list only shows the file names separated by semicolons.
  ■ Application names can contain the same placeholder names for Windows shell folders and environment variables as encryption rules in File Encryption policies. For a description of all available placeholders, see Placeholders for paths in File Encryption rules (page 173).
4. Save your changes.
Note: The Trusted Applications and Ignored Applications policy settings are machine settings.
The policy must therefore be assigned to machines, not to users. Otherwise the settings do not
become active.
23.2.2 Configuring ignored devices for File Encryption
You can define devices as ignored to exclude them from the file encryption process. You can only
exclude entire devices.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Ignored Devices field.
3. In the editor list box:
a) Select Network if you don't want to encrypt any data on the network.
b) Enter the required device names to exclude specific devices from encryption. This may be
useful when you need to exclude systems from third party suppliers.
Note: You can display the names of the devices currently used in the system by using
third party tools (for example OSR's Device Tree). SafeGuard Enterprise logs all devices
it attaches to and you can display a list of attached and ignored devices by using registry
keys. For further information, see Displaying ignored and attached devices for File Encryption
configuration (page 178).
You can exclude individual (network) disk drives from encryption by creating a File Encryption
rule in a File Encryption policy and setting the encryption Mode to Ignore. You can apply this
setting only to Windows administered drives and not to Mac OS X volumes.
23.2.2.1 Displaying ignored and attached devices for File Encryption configuration
To help you when defining ignored devices, you can use registry keys to show which devices are
being considered for encryption (attached devices) and which devices are currently being ignored.
The list of ignored devices shows only devices that are actually available on the computer and
are being ignored. If a device is set to be ignored in a policy and the device is not available on
the computer, the device is not listed.
Use the following registry keys to display attached and ignored devices:
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\AttachedDevices
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\IgnoredDevices
23.2.3 Configure persistent encryption for File Encryption
The content of files encrypted by File Encryption is decrypted on-the-fly if the user owns the
required key. When the content is saved as a new file in a location that is not covered by an
encryption rule, the resulting file will not be encrypted.
With persistent encryption, copies of encrypted files will be encrypted, even when they are saved
in a location not covered by an encryption rule.
You can configure persistent encryption in policies of the type General Settings. The policy
setting Enable persistent encryption is activated by default.
Note: If files are copied or moved to an ignored device or to a folder to which a policy with
encryption mode Ignore applies, the Enable persistent encryption setting has no effect.
23.3 Multiple File Encryption policies
All File Encryption rules that are assigned by policies and activated for users/computers at different
nodes in Users and Computers in the SafeGuard Management Center are cumulated.
You can assign a general File Encryption policy at the root node that includes rules relevant for
all users, and more specific policies at specific subnodes. All rules in all policies assigned to
users/computers are cumulated and enforced on the endpoint.
23.3.1 File Encryption policies in the RSOP
If several File Encryption policies apply to a user/computer, the RSOP (Resulting Set of Policies)
tab in Users and Computers shows the sum of all File Encryption rules of all File Encryption
policies. The rules are sorted in the order of encryption rule evaluation on the endpoint computer
(see Evaluation of File Encryption rules on endpoints (page 179)).
The Policy Name column shows where the individual rules originate from.
For duplicate rules, the second (and third etc.) rule is marked by an icon. This icon also provides
a tooltip informing you that the rule will be discarded on the endpoint as it is a duplicate of a rule
with a higher priority.
23.4 Evaluation of File Encryption rules on endpoints
On endpoints, File Encryption rules are sorted in an order that causes the more specifically defined
locations to be evaluated first:
■ If two rules with the same Path and Scope settings originate from policies that are assigned to different nodes, the rule from the policy nearest to the user object in Users and Computers is applied.
■ If two rules with the same Path and Scope settings originate from policies that are assigned to the same node, the rule from the policy with the highest priority is applied.
■ Absolute rules are evaluated before relative rules, for example c:\encrypt before encrypt. For further information, see Additional information for configuring paths in File Encryption rules (page 172).
■ Rules with a path containing more subdirectories are evaluated before rules with a path containing fewer subdirectories.
■ Rules defined with UNC are evaluated before rules with drive letter information.
■ Rules with Only this folder activated are evaluated before rules without this option.
■ Rules using the Ignore mode are evaluated before rules using Encrypt or Exclude mode.
■ Rules using the Exclude mode are evaluated before rules using Encrypt mode.
■ If two rules are equal regarding the criteria listed, the one that comes first in alphabetical order is evaluated before the other rule.
23.5 Conflicting File Encryption Rules
As multiple File Encryption policies can be assigned to a user/computer, conflicts may occur. Two
rules are considered conflicting if they have the same values for path, mode and subdirectory,
but the key to be used is different. In this case the rule from the File Encryption policy with the
higher priority applies. The other rule is discarded.
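The cumulation, duplicate handling and evaluation order of sections 23.3 to 23.5, as an added example that is not part of the original help or of Sophos code. The rule fields node_depth and policy_priority are assumed names for the position of the assigned node in Users and Computers and for the policy priority; the policies and rules are constructed, and the depth count leaves out the drive letter and server/share components, which is an assumption.

```python
"""Cumulate and order File Encryption rules the way an endpoint does.

Added example, not Sophos code.  Models sections 'Multiple File Encryption
policies', 'Evaluation of File Encryption rules on endpoints' and
'Conflicting File Encryption Rules': rules from all assigned policies are
cumulated, a duplicate (same Path and Scope, possibly a different key) is
resolved in favour of the policy nearest the user object and then the higher
policy priority, and the remaining rules are sorted for evaluation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ONLY_THIS_FOLDER = "Only this folder"
INCLUDE_SUBFOLDERS = "Include subfolders"
MODE_ORDER = {"Ignore": 0, "Exclude": 1, "Encrypt": 2}  # Ignore first, Encrypt last


@dataclass(frozen=True)
class Rule:
    path: str             # Path column, backslash separated, placeholders resolved
    scope: str            # ONLY_THIS_FOLDER or INCLUDE_SUBFOLDERS
    mode: str             # "Encrypt", "Exclude" or "Ignore"
    key: str              # key name ("" for Exclude/Ignore)
    policy: str           # originating policy (the RSOP "Policy Name" column)
    node_depth: int       # assumed: depth of the assigned node; deeper = nearer the user
    policy_priority: int  # assumed: higher value = higher policy priority


def is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def is_absolute(path: str) -> bool:
    """Absolute rules carry UNC server/share or drive letter information."""
    return is_unc(path) or (len(path) >= 2 and path[0].isalpha() and path[1] == ":")


def depth(path: str) -> int:
    """Number of subdirectories below the share or drive (assumption: the
    server/share and drive letter components themselves are not counted)."""
    parts = [p for p in path.strip("\\").split("\\") if p]
    if is_unc(path):
        parts = parts[2:]
    elif is_absolute(path):
        parts = parts[1:]
    return len(parts)


def evaluation_key(rule: Rule) -> Tuple:
    """Sort key for the endpoint's evaluation order; smaller sorts first."""
    return (
        0 if is_absolute(rule.path) else 1,          # absolute before relative
        -depth(rule.path),                           # more subdirectories first
        0 if is_unc(rule.path) else 1,               # UNC before drive letters
        0 if rule.scope == ONLY_THIS_FOLDER else 1,  # Only this folder first
        MODE_ORDER[rule.mode],                       # Ignore, then Exclude, then Encrypt
        rule.path.lower(),                           # alphabetical tiebreak
    )


def cumulate(rules: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Merge the rules of all assigned policies.  Returns (effective rules in
    evaluation order, discarded duplicates)."""
    winners: Dict[Tuple[str, str], Rule] = {}
    discarded: List[Rule] = []
    for r in rules:
        k = (r.path.lower(), r.scope)
        cur = winners.get(k)
        if cur is None:
            winners[k] = r
        elif (r.node_depth, r.policy_priority) > (cur.node_depth, cur.policy_priority):
            discarded.append(cur)     # nearer node / higher priority wins
            winners[k] = r
        else:
            discarded.append(r)
    return sorted(winners.values(), key=evaluation_key), discarded


# Constructed sample: a general policy at the root node and a more specific
# policy at a subnode, both active for the same user.
SAMPLE_RULES = [
    Rule("encrypt_sub", INCLUDE_SUBFOLDERS, "Encrypt", "Group_Key_A", "Root policy", 0, 1),
    Rule("C:\\encrypt", INCLUDE_SUBFOLDERS, "Encrypt", "Group_Key_A", "Root policy", 0, 1),
    Rule("C:\\encrypt\\tmp", INCLUDE_SUBFOLDERS, "Exclude", "", "Root policy", 0, 1),
    Rule("\\\\server\\share\\encrypt", INCLUDE_SUBFOLDERS, "Encrypt", "Group_Key_A", "Root policy", 0, 1),
    Rule("\\\\server\\share\\encrypt", ONLY_THIS_FOLDER, "Ignore", "", "Root policy", 0, 1),
    # Conflict: same path, scope and mode as the root rule, but a different key.
    Rule("C:\\encrypt", INCLUDE_SUBFOLDERS, "Encrypt", "Group_Key_B", "Finance policy", 2, 1),
]

if __name__ == "__main__":
    ordered, dropped = cumulate(SAMPLE_RULES)
    for r in ordered:
        print(f"{r.path:<26} {r.scope:<18} {r.mode:<8} key={r.key or '-':<12} from {r.policy}")
    for r in dropped:
        print(f"discarded duplicate from {r.policy}: {r.path} ({r.key})")
```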
23.6 File Encryption and SafeGuard Data Exchange
SafeGuard Data Exchange is used to encrypt data stored on removable media connected to a
computer and to exchange this data with other users. For SafeGuard Data Exchange file-based
encryption is used.
If both SafeGuard Data Exchange and File Encryption are installed on an endpoint, it may occur
that a SafeGuard Data Exchange encryption policy is defined for a drive on the computer and
File Encryption policies are defined for folders on the same drive. If this is the case, the SafeGuard
Data Exchange encryption policy overrules the File Encryption policies. New files are encrypted
according to the SafeGuard Data Exchange encryption policy.
For further information on SafeGuard Data Exchange, see SafeGuard Data Exchange (page 181).
24 SafeGuard Data Exchange
SafeGuard Data Exchange is used to encrypt data stored on removable media connected to a
computer and to exchange this data with other users. All encryption and decryption processes
run transparently and involve minimum user interaction.
Only users who have the appropriate keys can read the contents of the encrypted data. All
subsequent encryption processes run transparently.
In central administration, you define how data on removable media are handled.
As a security officer you define the specific settings in a policy of the type Device Protection with
Removable media as Device protection target.
For SafeGuard Data Exchange, file-based encryption has to be used.
24.1 Group keys
To exchange encrypted data between users, SafeGuard Enterprise group keys have to be used.
If the group key is in the users’ key rings, the users get full transparent access to removable media
connected to their computers.
On computers without SafeGuard Enterprise, encrypted data on removable media cannot be
accessed, except with the centrally defined domain/group key, which can be used together
with the media passphrase.
Note: To use or share encrypted data on removable media with computers or users that do
not have SafeGuard Enterprise, SafeGuard Portable can be used. SafeGuard Portable requires
the usage of local keys or a media passphrase.
24.2 Local keys
SafeGuard Data Exchange supports encryption using local keys. Local keys are created on the
computers and can be used to encrypt data on removable media. They are created by entering
a passphrase and are backed up in the SafeGuard Enterprise Database.
Note: By default a user is allowed to create local keys. If users should not be able to do so, you
have to disable this option explicitly. This has to be done in a policy of the type Device Protection
with Local Storage Devices as Device protection target (General Settings > User is allowed
to create a local key > No).
If local keys are used to encrypt files on removable media, these files can be decrypted using
SafeGuard Portable on a computer without SafeGuard Data Exchange. When the files are opened
with SafeGuard Portable, the user is prompted to enter the passphrase that was specified when
the key was created. If the user knows the passphrase, they can open the file.
Using SafeGuard Portable, every user who knows the passphrase can get access to an encrypted
file on removable media. This way it is also possible to share encrypted data with partners who
do not have SafeGuard Enterprise installed. They only need to be provided with SafeGuard
Portable and the passphrase for the files they should have access to.
If different local keys are used to encrypt files on removable media, you can even restrict access
to files. For example: You encrypt the files on a USB memory stick using a key with passphrase
my_localkey and encrypt a single file named ForMyPartner.doc using the passphrase
partner_localkey. If you give the USB memory stick to a partner and provide them with the
passphrase partner_localkey, they will only have access to ForMyPartner.doc.
Note: By default SafeGuard Portable is automatically copied to removable media connected to
the system as soon as content is written to media covered by an encryption rule. If you do not
want SafeGuard Portable to be copied to removable media, deactivate the Copy SG Portable
to target option in a policy of the type Device Encryption.
24.3 Media passphrase
SafeGuard Data Exchange allows you to specify that one single media passphrase for all removable
media - except optical media - has to be created on the endpoints. The media passphrase provides
access to the centrally defined domain/group key as well as to all local keys used in SafeGuard
Portable. The user only has to enter one single passphrase and gets access to all encrypted files
in SafeGuard Portable, regardless of the local key used for encryption.
On every endpoint, a unique Media Encryption Key for data encryption is automatically created
for each device. This key is protected with the media passphrase and a centrally defined
domain/group key. On a computer with SafeGuard Data Exchange it is therefore not necessary
to enter the media passphrase to access encrypted files on the removable media. Access is
granted automatically if the appropriate key is part of the user's key ring.
The domain/group key to be used has to be specified under Defined key for encryption.
Media passphrase functionality is available when the User may define a media passphrase for
devices option is activated in a policy of the type Device Protection.
When this setting becomes active on the endpoint, the user is automatically prompted to enter a
media passphrase when they connect removable media for the first time. The media passphrase
is valid on every computer the user is allowed to log on to. The user may also change the media
passphrase; it is synchronized automatically when the passphrase known on the computer
and the media passphrase of the removable media are out of sync.
If the user forgets the media passphrase, they can recover it themselves without involving the
helpdesk.
Note: To enable the media passphrase, activate the User may define a media passphrase for
devices option in a policy of the type Device Protection. This is only available, if you have
selected Removable media as Device protection target.
24.3.1 Media passphrase and unmanaged endpoints
On an unmanaged endpoint (operating in standalone mode) without an activated media passphrase
feature, no keys are available after installation since unmanaged endpoints only use local keys.
Before encryption can be used, the user has to create a key.
If the media passphrase feature is activated in a removable media policy for these endpoints, the
media encryption key is created automatically on the endpoint and can be used for encryption
immediately after installation has been completed. It is available as a predefined key in the user's
key ring and displayed as <user name> in dialogs for key selection.
If available, the media encryption key is also used for all initial encryption tasks.
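The key hierarchy described in 24.2 and 24.3 (one Media Encryption Key per device, unlocked either by the centrally defined group key from the user's key ring or by a key derived from the media passphrase) is a standard key-wrapping design. The following Python example is added here for illustration and is not SafeGuard Enterprise code: it wraps one random device key under two independent credentials, shows that either credential unlocks it and that a wrong or tampered one is rejected, and shows why changing the media passphrase does not require re-encrypting the files on the medium. The wrapping primitive (an HMAC-SHA256 keystream with an HMAC tag), the PBKDF2 parameters and the slot names are assumptions chosen so that the example runs with the Python standard library only; SafeGuard's actual on-media formats and algorithms are not documented on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: SafeGuard's KDF parameters are not documented on this page.
PBKDF2_ITERATIONS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stdlib stand-in for a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, mek: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of the MEK: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(mek, _keystream(kek, nonce, len(mek))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the MEK, or None when the credential is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from the media passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceKeyStore:
    """What is stored with the medium: only wrapped copies of the MEK, never the MEK itself."""
    salt: bytes
    slots: Dict[str, bytes] = field(default_factory=dict)  # slot name -> wrapped MEK


def create_device(group_key: bytes, media_passphrase: str) -> Tuple[DeviceKeyStore, bytes]:
    """First connection of a medium: generate the MEK and wrap it under both credentials."""
    mek = secrets.token_bytes(32)
    store = DeviceKeyStore(salt=secrets.token_bytes(16))
    store.slots["group"] = wrap_key(group_key, mek)
    store.slots["media_passphrase"] = wrap_key(passphrase_kek(media_passphrase, store.salt), mek)
    return store, mek


def unlock_with_group_key(store: DeviceKeyStore, group_key: bytes) -> Optional[bytes]:
    """Transparent access on a managed endpoint: the group key from the key ring unwraps the MEK."""
    return unwrap_key(group_key, store.slots["group"])


def unlock_with_passphrase(store: DeviceKeyStore, passphrase: str) -> Optional[bytes]:
    """Offline access (SafeGuard Portable style): the media passphrase unwraps the same MEK."""
    return unwrap_key(passphrase_kek(passphrase, store.salt), store.slots["media_passphrase"])


def change_media_passphrase(store: DeviceKeyStore, old: str, new: str) -> bool:
    """Re-wrap only the passphrase slot; the MEK, the group slot and the encrypted files stay as they are."""
    mek = unlock_with_passphrase(store, old)
    if mek is None:
        return False
    store.slots["media_passphrase"] = wrap_key(passphrase_kek(new, store.salt), mek)
    return True


def demo() -> Dict[str, bool]:
    """Walk through the behaviours described in 24.3; every value should be True."""
    group_key = secrets.token_bytes(32)  # constructed stand-in for the group key in the key ring
    store, mek = create_device(group_key, "correct horse battery staple")
    results = {
        "group_key_unlocks": unlock_with_group_key(store, group_key) == mek,
        "passphrase_unlocks": unlock_with_passphrase(store, "correct horse battery staple") == mek,
        "wrong_passphrase_fails": unlock_with_passphrase(store, "guess") is None,
        "wrong_group_key_fails": unlock_with_group_key(store, secrets.token_bytes(32)) is None,
        "change_ok": change_media_passphrase(store, "correct horse battery staple", "new phrase"),
    }
    results["old_passphrase_rejected"] = unlock_with_passphrase(store, "correct horse battery staple") is None
    results["new_passphrase_unlocks_same_mek"] = unlock_with_passphrase(store, "new phrase") == mek
    results["group_slot_unaffected"] = unlock_with_group_key(store, group_key) == mek
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a real deployment the wrapping would use an authenticated cipher such as AES-GCM or AES key wrap; the point carried over from the page is the structure: independent slots for the group key and the passphrase, and no re-encryption of file data when the passphrase changes.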
24.4 Best practice
This section describes some typical use cases for SafeGuard Data Exchange and how to implement
them by creating the appropriate policies.
Bob and Alice are two employees of the same company and have SafeGuard Data Exchange
installed; Joe is an external partner and does not have SafeGuard Enterprise installed on his
computer.
24.4.1 Company internal use only
Bob wants to share encrypted data on removable media with Alice. Both belong to the same
group and therefore have the appropriate group key in their SafeGuard Enterprise key ring. As
they are using the group key, they can access the encrypted files transparently without the need
to enter a passphrase.
You have to specify the settings in a policy of the type Device Protection\Removable media:
■ Media encryption mode: File-based
■ Key to be used for encryption: Defined key on list
■ Defined key on list: <group/domain key > (for example, [email protected]=...)
to ensure that both share the same key
If company policies additionally define that all files on removable media have to be encrypted in
any situation, add the following settings:
■ Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to
the system for the first time.
■ User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.
■ User is allowed to access unencrypted files: No
If plaintext files on removable media are detected, access to them will be denied.
■ User may decrypt files: No
The user is not permitted to decrypt files on removable media.
■ Copy SG Portable to target: No
As long as data on removable media are shared within the workgroup, SafeGuard Portable is
not necessary. Also, SafeGuard Portable would allow files to be decrypted on computers without
SafeGuard Enterprise.
The users can share data just by exchanging their devices. When they connect the devices to
their computers they have transparent access to encrypted files.
Note: This use case can be fulfilled by using SafeGuard Enterprise Device Encryption, where the
whole removable medium is encrypted sector-based.
24.4.2 Home office or personal use on 3rd party computers
■ Home office:
Bob wants to use his encrypted removable media on his home computer, where SafeGuard
Enterprise is not installed. On his home computer, Bob decrypts files using SafeGuard Portable.
By defining one media passphrase for all of Bob's removable media, he only has to open
SafeGuard Portable and enter the media passphrase. Afterwards, Bob has transparent access
to all encrypted files regardless of the local key used to encrypt them.
■ Personal use on 3rd party computers:
Bob plugs in the removable media on Joe's (external partner) computer and enters the media
passphrase to get access to the encrypted files stored on the device. Bob can now copy the
files, either encrypted or unencrypted, to Joe's computer.
Behavior on endpoint:
■ Bob plugs in the removable media for the first time.
■ The Media Encryption Key, which is unique for each device, is created automatically.
■ Bob is prompted to enter the media passphrase for offline use with SafeGuard Portable.
■ There is no need to bother the user with knowledge about the keys to be used or the key ring.
The Media Encryption Key will always be used for data encryption without any user interaction.
The Media Encryption Key is not even visible to the user, but only the centrally defined
group/domain key.
■ Bob and Alice within the same group or domain have transparent access since they share the
same group/domain key.
■ If Bob wants to access encrypted files on a removable media device on a computer without
SafeGuard Data Exchange, he can use the media passphrase within SafeGuard Portable.
You have to specify the settings in a policy of the type Device Protection\Removable media:
■ Media encryption mode: File-based
■ Key to be used for encryption: Defined key on list
Defined key on list: <group/domain key > (for example [email protected]=...)
to ensure that both share the same key.
■ User may define a media passphrase for devices: Yes
The user defines one media passphrase on their computer which is valid for all their removable
media.
■ Copy SG Portable to target: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by
entering a single media passphrase on the system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted
in any situation, add the following settings:
■ Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to
the system for the first time.
■ User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.
■ User is allowed to access unencrypted files: No
If plaintext files on removable media are detected, access to them will be denied.
■ User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work, Bob and Alice have transparent access to encrypted files on removable media. At home
or on 3rd party computers, they can use SafeGuard Portable to open encrypted files. The users
only have to enter the media passphrase to access all encrypted files. This is a simple but effective
way to encrypt data on all removable media. The goal of this configuration is to reduce user
interaction to a minimum while encrypting each and every file on removable media and giving the
user access to the encrypted files in offline mode. The user is not permitted to decrypt files on
removable media.
Note: In this configuration, users are not allowed to create local keys since it is not necessary
for that use case. This has to be specified in a policy of the type Device Protection with Local
Storage Devices as Device protection target (General Settings > User is allowed to create
a local key > No).
■ Copy SG Portable to removable media: No.
As long as data on removable media are shared in the workgroup, SafeGuard Portable is not
necessary. Also, SafeGuard Portable would allow files to be decrypted without SafeGuard Enterprise.
At work, the user has transparent access to encrypted files on removable media. At home, they
use SafeGuard Portable to open encrypted files. The user only has to enter the media passphrase
to access all encrypted files, regardless of the key used for encrypting them.
24.4.3 Share removable media with external party
Note: This example applies only for Windows endpoints.
Bob wants to hand out an encrypted device to Joe (external party) who does not have SafeGuard
Data Exchange installed and therefore has to use SafeGuard Portable. Under the assumption
that Bob does not want to give Joe access to all encrypted files on the removable media, he can
create a local key and encrypt the files with this local key. Joe can now use SafeGuard Portable
and open the encrypted files with the passphrase of the local key, whereas Bob still can use the
media passphrase to access any encrypted file on the removable device.
Behavior on the computer
■ Bob plugs in the removable media for the first time. The Media Encryption Key, which is unique
for each device, is created automatically.
■ Bob is prompted to enter the media passphrase for offline use.
■ The Media Encryption Key is used for data encryption without any user interaction, but…
■ Bob can now create or select a local key (for example JoeKey) for the encryption of specific
files that shall be exchanged with Joe.
■ Bob and Alice within the same group or domain have transparent access since they share the
same group/domain key.
■ If Bob wants to access encrypted files on a removable media device on a computer without
SafeGuard Data Exchange, he can use the media passphrase within SafeGuard Portable.
■ Joe can access the specific files by entering the passphrase of the JoeKey without having
access to the whole removable media.
You have to specify the settings in a policy of the type Device Protection\Removable Media:
■ Media encryption mode: File-based
■ Key to be used for encryption: Any key in user key ring
Allows the user to choose different keys for encrypting files on their removable media
Defined key for encryption: <group/domain key > (for example
[email protected]=...). To ensure that the user can share data in their work
group and to give them transparent access to removable media when they connect them
to their computer at work.
■ User may define a media passphrase for devices: Yes
The user defines one media passphrase on their computer which is valid for all their removable
media.
■ Copy SG Portable to target: Yes
SafeGuard Portable gives the user access to all encrypted files on the removable media by
entering a single media passphrase on the system without SafeGuard Data Exchange.
If the company policies additionally define that all files on removable media have to be encrypted
in any situation, add the following settings:
■ Initial encryption of all files: Yes
Ensures that files on removable media are encrypted as soon as the media is connected to
the system for the first time.
■ User may cancel initial encryption: No
The user cannot cancel initial encryption, for example to postpone it.
■ User is allowed to access unencrypted files: No
If plaintext files on removable media are detected, access to them will be denied.
■ User may decrypt files: No
The user is not permitted to decrypt files on removable media.
At work, Bob and Alice have transparent access to encrypted files on removable media. At home,
they can use SafeGuard Portable to open encrypted files by entering the media passphrase. If
Bob or Alice wants to hand out the removable media to a 3rd party computer that does not have
SafeGuard Data Exchange installed, they can use local keys to ensure that the external party
can access only some specific files. This is an advanced configuration, which means more
interaction for the user by allowing them to create local keys on their computer.
Note: A prerequisite for this example is that the user is allowed to create local keys (default
setting in SafeGuard Enterprise).
24.5 Configure trusted and ignored applications for SafeGuard Data Exchange
You can define applications as trusted to grant them access to encrypted files. This is for example
necessary to enable antivirus software to scan encrypted files.
You can also define applications as ignored to exempt them from transparent file
encryption/decryption. For example, if you define a backup program as an ignored application,
encrypted data backed up by the program remains encrypted.
Note: Child processes will not be trusted/ignored.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Trusted Applications or Ignored
Applications field.
3. In the editor list box, enter the applications to be defined as trusted/ignored.
■ You can define multiple trusted/ignored applications in one policy. Each line in the editor
list box defines one application.
■ Application names must end with .exe.
■ Application names must be specified as fully qualified paths including drive/directory
information. Entering the file name only (for example "example.exe") is not sufficient. For
better usability the single line view of the application list only shows the file names separated
by semicolons.
4. Save your changes.
Note: The Trusted Applications and Ignored Applications policy settings are machine settings.
The policy must therefore be assigned to machines, not to users. Otherwise the settings do not
become active.
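The rules in step 3 above (one application per line, names ending in .exe, fully qualified paths with drive and directory, file names only in the single-line view) are easy to get wrong when a list is prepared outside the Management Center and pasted in. The following Python check is an added example, not part of SafeGuard Enterprise: it applies those rules to a constructed editor text and reproduces the semicolon-separated single-line view. The sample paths are illustrative, and the decision to reject UNC paths and environment variables is an assumption, since the section only mentions drive/directory paths.

```python
import re
from typing import List, Tuple

# Accepts a drive-letter path with at least a file name: C:\dir\sub\app.exe or C:\app.exe.
# UNC paths and environment variables are not mentioned in the section, so they are rejected
# (assumption: the page states only "fully qualified paths including drive/directory information").
_FULLY_QUALIFIED = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+$')


def validate_application_entry(entry: str) -> Tuple[bool, str]:
    """Check one line of the Trusted Applications / Ignored Applications editor list box."""
    e = entry.strip()
    if not e:
        return False, "empty line"
    if not e.lower().endswith(".exe"):
        return False, "application name must end with .exe"
    if not _FULLY_QUALIFIED.match(e):
        return False, "must be a fully qualified path including drive and directory"
    return True, "ok"


def validate_application_list(editor_text: str) -> List[Tuple[str, bool, str]]:
    """One application per line, exactly as the editor list box expects."""
    return [
        (line.strip(), *validate_application_entry(line))
        for line in editor_text.splitlines()
        if line.strip()
    ]


def single_line_view(editor_text: str) -> str:
    """Reproduce the single-line view: file names only, separated by semicolons."""
    names = [line.strip().rsplit("\\", 1)[-1] for line in editor_text.splitlines() if line.strip()]
    return ";".join(names)


# Constructed sample entries; the paths are illustrative, not a vendor's real install locations.
SAMPLE_EDITOR_TEXT = "\n".join([
    r"C:\Program Files\ExampleAV\scanner.exe",  # valid: fully qualified, ends with .exe
    "example.exe",                              # invalid: file name only
    r"D:\Backup\backupagent",                   # invalid: no .exe extension
    r"C:\Tools\sync.EXE",                       # valid: extension check is case-insensitive
])


def problems(editor_text: str) -> List[str]:
    """Return the entries that would not be accepted, with the reason."""
    return [f"{line}: {reason}" for line, ok, reason in validate_application_list(editor_text) if not ok]


if __name__ == "__main__":
    for line in problems(SAMPLE_EDITOR_TEXT):
        print(line)
    print("single line view:", single_line_view(SAMPLE_EDITOR_TEXT))
```

Because the single-line view shows file names only, two entries that differ only in their directory look identical there; review the full editor list box when auditing which binaries are trusted, and remember that the trust does not extend to child processes.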
24.6 Configure ignored devices for SafeGuard Data Exchange
You can define devices as ignored to exclude them from the file encryption process. You can only
exclude entire devices.
1. In the Policies navigation area, create a new policy of the type General Settings or select
an existing one.
2. Under File Encryption, click the dropdown button of the Ignored Devices field.
3. In the editor list box, enter the required device names to exclude specific devices from
encryption. This may be useful when you need to exclude systems from third party suppliers.
Note: You can display the names of the devices currently used in the system by using third
party tools (for example OSR's Device Tree). SafeGuard Enterprise logs all devices it attaches
to and you can display a list of attached and ignored devices by using registry keys.
24.6.1 Display attached and ignored devices for SafeGuard Data Exchange configuration
To help you when defining ignored devices, you can use registry keys to show which devices are
being considered for encryption (attached devices) and which devices are currently being ignored.
The list of ignored devices shows only devices that are actually available on the computer and
are being ignored. If a device is set to be ignored in a policy and the device is not available on
the computer, the device is not listed.
Use the following registry keys to display attached and ignored devices:
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\AttachedDevices
■ HKLM\System\CurrentControlSet\Control\Utimaco\SGLCENC\Log\IgnoredDevices
24.7 Configure persistent encryption for SafeGuard Data Exchange
The content of files encrypted by SafeGuard Data Exchange is decrypted on the fly if the
user owns the required key. When the content is saved as a new file in a location that is not
covered by an encryption rule, the resulting file will not be encrypted.
With persistent encryption, copies of encrypted files will be encrypted, even when they are saved
in a location not covered by an encryption rule.
You can configure persistent encryption in policies of the type General Settings. The policy
setting Enable persistent encryption is activated by default.
Note:
■ If files are copied or moved to an ignored device or to a folder to which a policy with encryption
Mode Ignore applies, the Enable persistent encryption setting has no effect.
■ Copy operations are detected based on file names. When a user saves an encrypted file with
Save As under a different file name in a location not covered by an encryption rule, the file
will be plaintext.
24.8 Track files accessed on removable media
You can track files accessed on removable media by using the Reports function of the SafeGuard
Management Center. Files accessed can be tracked regardless of any encryption policy applying
to files on removable media.
In a policy of the type Logging you can define the following:
■ An event to be logged when a file or directory is created on a removable media device.
■ An event to be logged when a file or directory is renamed on a removable media device.
■ An event to be logged when a file or directory is deleted from a removable media device.
For further information, see File access report for removable media and cloud storage (page 260).
24.9 SafeGuard Data Exchange and File Encryption
The SafeGuard Enterprise module File Encryption offers file-based encryption on network locations,
especially for work groups on network shares.
If both SafeGuard Data Exchange and File Encryption are installed on an endpoint, it may occur
that a SafeGuard Data Exchange encryption policy is defined for a drive on the computer and
File Encryption policies are defined for folders on the same drive. If this is the case, the SafeGuard
Data Exchange encryption policy overrules the File Encryption policies. New files are encrypted
according to the SafeGuard Data Exchange encryption policy.
For further information see File Encryption (page 170).
25 Cloud Storage
The SafeGuard Enterprise module Cloud Storage offers file-based encryption of data stored in
the cloud.
It does not change the way users work with data stored in the cloud. Users are still using the
same vendor specific synchronization applications to send data to or receive data from the cloud.
The purpose of Cloud Storage is to make sure that the local copies of data stored in the cloud are
encrypted transparently and will therefore always be stored in the cloud in encrypted form.
In the SafeGuard Management Center, you create Cloud Storage Definitions (CSDs) and use
them as targets in Device Protection policies. Predefined Cloud Storage Definitions are available
for several cloud storage providers, for example Dropbox or Egnyte.
After a Cloud Storage policy has been assigned to endpoints, files in locations covered by the
policy are transparently encrypted without user interaction:
■ Encrypted files will be synchronized into the cloud.
■ Encrypted files received from the cloud can be modified by applications as usual.
To access Cloud Storage encrypted files on endpoints without SafeGuard Enterprise Cloud
Storage, SafeGuard Portable can be used to read encrypted files.
Note: Cloud Storage only encrypts new data stored in the cloud. If data is already stored in the
cloud before installing Cloud Storage, this data will not automatically be encrypted. If you want
to encrypt this data, you have to remove it from the cloud first and then enter it again.
25.1 Requirements for Cloud Storage vendor software
To enable encryption of data stored in the cloud, the software provided by the cloud storage
vendor must:
■ Run on the computer where Cloud Storage is installed.
■ Have an application (or system service) that is stored on the local file system and synchronizes
data between the cloud and the local system.
■ Store the synchronized data on the local file system.
25.2 Create Cloud Storage Definitions (CSDs)
In the SafeGuard Management Center, predefined Cloud Storage Definitions are available for
several cloud storage providers, for example Dropbox or Egnyte. You can modify the paths defined
in predefined Cloud Storage Definitions according to your requirements or create a new one and
copy values from a predefined one as a basis. This is for example useful, if you only want to
encrypt part of the data in cloud storage. You can also create your own Cloud Storage Definitions.
Note: Certain folders (for example the Dropbox installation folder) may prevent the operating
system or applications from running when encrypted. When you create Cloud Storage Definitions
for Device Protection policies, make sure that these folders are not encrypted.
1. In the Policies navigation area, select Cloud Storage Definitions.
2. In the context menu of Cloud Storage Definitions, click New > Cloud Storage Definition.
3. The New Cloud Storage Definition dialog appears. Enter a name for the Cloud Storage
Definition.
4. Click OK. The Cloud Storage Definition appears with the entered name under the Cloud
Storage Definitions root node in the Policies navigation area.
5. Select the Cloud Storage Definition. In the work area on the right-hand side the content of a
Cloud Storage Definition is displayed:
■ Target name:
This is the name you entered initially. It is used for referencing the Cloud Storage Definition
as a target in a policy of the type Device Protection.
■ Synchronization application:
Enter path and application that synchronizes the data with the cloud (for example:
<Desktop>\dropbox\dropbox.exe). The application must reside on a local drive.
■ Synchronization folders:
Enter the folder(s) that will be synchronized with the cloud. Only local paths are supported.
Note: For paths in the Synchronization application and Synchronization folder settings,
the same placeholders as for File Encryption are supported, see Placeholders for paths
in File Encryption rules (page 173).
25.2.1 Placeholders for cloud storage providers
As a security officer you can use placeholders for cloud storage providers to define the synchronization
application and synchronization folders. These placeholders represent supported 3rd party cloud
storage applications. You can use a placeholder to specify a certain 3rd party application as the
synchronization application and use the same placeholder to point to the synchronization
folders the 3rd party application actually uses for synchronization.
Placeholders for cloud storage providers are encapsulated by <! and !>.
Note: SafeGuard Enterprise version 7.0 only supports Dropbox and Google Drive for OS X
endpoints.
Currently supported placeholders

Provider: Dropbox
Placeholder: <!Dropbox!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the Dropbox software. For synchronization folders: the fully qualified path
of the synchronization folder used by the Dropbox software.

Provider: Egnyte
Placeholder: <!Egnyte!>
Can be used in CSD setting: Synchronization application
Resolves to: The fully qualified path of the synchronization application used by the Egnyte
software.

Placeholder: <!EgnytePrivate!>
Can be used in CSD setting: Synchronization folders
Resolves to: All private folders in the Egnyte cloud storage. For standard Egnyte users this is
usually a single folder. For Egnyte administrators this placeholder typically resolves to multiple
folders.

Placeholder: <!EgnyteShared!>
Can be used in CSD setting: Synchronization folders
Resolves to: All shared folders in the Egnyte cloud storage.

Note: Changes to the Egnyte folder structure (including adding or removing private and shared
folders) are detected automatically. The policies concerned are adjusted automatically.
Note: As Egnyte synchronization folders may reside on network locations, you can enter
network paths in the Synchronization folders setting. The SafeGuard Enterprise Cloud
Storage module therefore attaches to network file systems by default. If this is not
required, you can deactivate this behavior by defining a General Settings policy and
selecting Network under Ignored Devices.

Provider: Google Drive
Placeholder: <!GoogleDrive!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the Google Drive software. For synchronization folders: the fully qualified
path of the synchronization folder used by the Google Drive software.

Provider: OneDrive
Placeholder: <!OneDrive!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the OneDrive software. For synchronization folders: the fully qualified
path of the synchronization folder used by the OneDrive software.

Note: SafeGuard Enterprise does not support Microsoft accounts. Under Windows 8.1,
OneDrive can only be used if the Windows user is a domain user. Under Windows 8.1
SafeGuard Enterprise does not support OneDrive for local users.

Provider: OneDrive for Business
Placeholder: <!OneDriveForBusiness!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the OneDrive software. For synchronization folders: the fully qualified
path of the synchronization folder used by the OneDrive software.

Note: OneDrive for Business only supports storing encrypted files in local folders and
synchronizing them with the cloud. Storing encrypted files from Microsoft Office 2013
applications directly in the OneDrive for Business cloud or directly on the SharePoint
Server is not supported. These files are stored unencrypted in the cloud.
SafeGuard Enterprise encrypted files in the OneDrive for Business cloud cannot be
opened by Microsoft Office 365.

Provider: SkyDrive
Placeholder: <!SkyDrive!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the OneDrive software. For synchronization folders: the fully qualified
path of the synchronization folder used by the OneDrive software.

Since Microsoft renamed SkyDrive to OneDrive, the <!SkyDrive!> placeholder is still
available. This way older policies using the placeholder and SafeGuard Enterprise endpoints
before version 7 which cannot handle the <!OneDrive!> placeholder can be used
without any changes. SafeGuard Enterprise endpoints version 7 can handle both
placeholders.

Provider: Media Center
Placeholder: <!Mediacenter!>
Can be used in CSD setting: Synchronization application, Synchronization folders
Resolves to: For synchronization applications: the fully qualified path of the synchronization
application used by the Media Center software. For synchronization folders: the fully qualified
path of the synchronization folder used by the Media Center software.
Example
If you use Dropbox as your cloud storage provider you can simply enter <!Dropbox!> in
Synchronization application. If you do not explicitly specify a synchronization folder,
<!Dropbox!> is also copied into the list of folders under Synchronization folders.
Assuming
■ You used the placeholders <!Dropbox!> as synchronization application and
<!Dropbox!>\encrypt as synchronization folder in the Cloud Storage Definition
■ Dropbox is installed on the endpoint
■ The user has d:\dropbox configured as folder to be synchronized with Dropbox:
When the SafeGuard Enterprise endpoint receives a policy with a CSD like this, it will automatically
translate the placeholders in the CSD to match the path of Dropbox.exe for the synchronization
application and it will read the Dropbox configuration and set the encryption policy on the folder
d:\dropbox\encrypt.
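The translation just described (a placeholder encapsulated by <! and !>, optionally followed by a relative path, resolved against what the sync client on the endpoint reports) can be shown as a small resolver. The following Python code is an added example and not SafeGuard Enterprise code: the SAMPLE_ENDPOINT mapping and every path in it are constructed, since on a real endpoint the values come from each provider's own configuration, which this page does not document. It goes slightly beyond the Dropbox example above in that it also handles a placeholder that resolves to several folders, as the table states for <!EgnytePrivate!> and <!EgnyteShared!>, and rejects a placeholder used in a setting the table does not allow it in. The <Desktop>-style File Encryption placeholders (page 173) are not handled here; such values pass through as literal paths.

```python
import re
from typing import Dict, List

# A placeholder is the provider name encapsulated by <! and !>, optionally followed by a
# relative path such as <!Dropbox!>\encrypt.
PLACEHOLDER = re.compile(r"<!([A-Za-z]+)!>")

# Constructed stand-in for what the endpoint reads from the installed sync clients. Real values
# come from each provider's configuration on the endpoint; these paths are samples only.
SAMPLE_ENDPOINT: Dict[str, Dict[str, List[str]]] = {
    "Dropbox": {
        "application": [r"C:\Users\bob\AppData\Roaming\Dropbox\bin\Dropbox.exe"],
        "folders": [r"d:\dropbox"],
    },
    "Egnyte": {"application": [r"C:\Program Files\Egnyte\EgnyteDrive.exe"], "folders": []},
    "EgnytePrivate": {"application": [], "folders": [r"C:\Users\bob\Egnyte\Private\bob"]},
    "EgnyteShared": {
        "application": [],
        "folders": [r"C:\Users\bob\Egnyte\Shared\Finance", r"C:\Users\bob\Egnyte\Shared\Legal"],
    },
}


def resolve(setting_value: str, kind: str, endpoint: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Expand one CSD setting value; kind is 'application' or 'folders'.

    A literal path is returned unchanged. A placeholder expands to one path per base the
    provider reports (Egnyte administrators get several folders), with any suffix appended.
    """
    m = PLACEHOLDER.match(setting_value)
    if m is None:
        return [setting_value]
    name, suffix = m.group(1), setting_value[m.end():]
    if name not in endpoint:
        raise ValueError(f"unknown placeholder <!{name}!>")
    bases = endpoint[name][kind]
    if not bases:
        raise ValueError(f"<!{name}!> cannot be used in the {kind} setting")
    return [base + suffix for base in bases]


def resolve_csd(csd: Dict[str, object], endpoint: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Expand a whole Cloud Storage Definition.

    If no synchronization folder was given and the application is a bare placeholder, the
    placeholder is reused for the folder list, as the page describes for <!Dropbox!>.
    """
    application = str(csd["application"])
    folders = list(csd.get("folders") or [])
    if not folders and PLACEHOLDER.fullmatch(application):
        folders = [application]
    return {
        "application": resolve(application, "application", endpoint),
        "folders": [path for f in folders for path in resolve(str(f), "folders", endpoint)],
    }


if __name__ == "__main__":
    csd = {"application": "<!Dropbox!>", "folders": [r"<!Dropbox!>\encrypt"]}
    print(resolve_csd(csd, SAMPLE_ENDPOINT))
```

Note that the resolver only ever produces paths under the folders the sync client itself reports; a CSD that points the encryption rule at an installation folder (the case the note at the start of 25.2 warns about) is still possible with a literal path, so the check that such folders are excluded belongs in policy review, not in placeholder expansion.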
25.2.2 Export and import Cloud Storage Definitions
As a security officer you can export and import Cloud Storage Definitions (CSD). A CSD will be
exported as an XML file.
■ To export a CSD click Export Cloud Storage Definition... in the context menu of the desired
Cloud Storage Definition in the Policy area.
■ To import a CSD click Import Cloud Storage Definition... in the context menu of the Cloud
Storage Definition node in the Policy area.
Both commands are also available in the Actions menu of the SafeGuard Management Center.
25.3 Create a device protection policy with a Cloud Storage Definition target
The Cloud Storage Definitions must have been created beforehand. Predefined Cloud Storage
Definitions are available for several cloud storage providers, for example Dropbox or Egnyte.
You define the settings to encrypt cloud storage data in a policy of the type Device Protection.
1. In the Policies navigation area, create a new policy of the type Device Protection.
2. Select a Cloud Storage Definition as a target.
3. Click OK. The new policy is displayed in the navigation window below Policy Items. In the
action area, all settings for the Device Protection policy are displayed and can be changed.
4. For the Media encryption mode setting select File-based. Volume-based encryption is not
supported.
5. Under Algorithm to be used for encryption select the algorithm to be used for encrypting
the data in the synchronization folders defined in the CSD.
6. Settings Key to be used for encryption and Defined key for encryption are used to define
the key or the keys that shall be used for encryption. For further information, see Device
Protection (page 141).
7. If you activate the Copy SG Portable to target setting, SafeGuard Portable is copied to each
synchronization folder as soon as content is written to it. SafeGuard Portable is an application
that can be used to read encrypted files on Windows computers that do not have SafeGuard
Enterprise installed.
Note: To share encrypted data stored in the cloud with users that do not have SafeGuard
Enterprise installed, users should be allowed to create local keys, see Local keys (page 181).
8. The Plaintext folder setting allows you to define a folder that will be excluded from encryption.
Data stored in subfolders of the defined plaintext folder will also be excluded from encryption.
SafeGuard Cloud Storage automatically creates empty plaintext folders in all synchronization
folders defined in the Cloud Storage Definition.
25.4 Track files accessed in cloud storage
You can track files accessed in cloud storage by using the Reports function of the SafeGuard
Management Center. Files accessed can be tracked regardless of any encryption policies applied
to them.
In a policy of the type Logging you can define the following:
■ To log an event when a file or directory is created on a removable media device.
■ To log an event when a file or directory is renamed on a removable media device.
■ To log an event when a file or directory is deleted from a removable media device.
For further information, see File access report for removable media and cloud storage (page 260).
26 User Machine Assignment
SafeGuard Enterprise manages the information about the users who are allowed to log on to a
particular machine in a list which is referred to as the User Machine Assignment (UMA).
For a user to be included in the UMA, they must have logged on once to a computer on which
SafeGuard Enterprise has been installed and be registered in the SafeGuard Management Center
as a "full" user in terms of SafeGuard Enterprise. A "full" user is one for whom a certificate has
been generated after the first logon and for whom a key ring has been created. Only then can
this user data be replicated on other computers. After replication, the user can log on to this
computer at the SafeGuard POA.
If the default setting applies, the first user to log on to the computer after the installation of
SafeGuard Enterprise is entered as the owner of that computer in the UMA.
This attribute allows the user, after they have authenticated at SafeGuard Power-on Authentication,
to enable other users to log on to that computer (see Register further SafeGuard Enterprise users
(page 99)). They will also be added to the UMA for this computer.
An automatic list is generated which determines which user is allowed to log on to which computer.
This list can be edited in the SafeGuard Management Center.
26.1 User Machine Assignment in the SafeGuard Management Center
Users can be allocated to specific computers in the SafeGuard Management Center. If a user is
assigned to a computer in the SafeGuard Management Center (or vice versa) this allocation is
incorporated into the UMA. The user data (certificate, key, etc.) is replicated on this computer
and the user can log on to this computer. When a user is removed from the UMA, all user data
is automatically deleted from the SafeGuard POA. The user can no longer log on at the SafeGuard
POA with their user name and password.
Note: In Users and Computers, to view the assignment of users and computers you need at
least Read only access rights for one of the objects (user or computer) involved. To define or
change the assignment, you need Full access rights for both of the objects involved. The UMA
display showing available users/machines is filtered according to your access rights. In the UMA
grid display, which shows the users assigned to computers and vice versa, objects for which you
do not have the required access rights are shown for your information, but the assignment cannot
be modified.
When you assign a user to a computer, you can also specify who can allow other users to log on
to this computer.
Under Type the SafeGuard Management Center indicates how the user was added to the
SafeGuard Enterprise Database. Adopted means that the user has been added to the UMA on
an endpoint.
Note: If no one is assigned in the SafeGuard Management Center and no user is specified as
the owner, the first user to log on after the installation of SafeGuard Enterprise on the computer
is entered as the owner. This user can allow further users to log on to this computer, see Register
further SafeGuard Enterprise users (page 99). If users are assigned to this computer in the
SafeGuard Management Center at a later date, they can log on at the SafeGuard Power-on
Authentication. Nevertheless, such users must be full users (with existing certificate and key).
The owner of the computer does not need to assign access entitlements in this case.
The following settings are used to specify who is allowed to add users to the UMA:
■ Can Become Owner: If this setting is selected, the user can be registered as the owner of a
computer.
■ User is Owner: This setting means that this user is entered in the UMA as the owner. Only
one user per computer can be entered in the UMA as the owner.
The Allow registration of new SGN users for policy setting in policies of the type Specific
Machine Settings determines who is allowed to add further users to the UMA. The Enable
registration of SGN Windows users setting in Specific Machine Settings policies determines
whether SGN Windows users may be registered on the endpoint and added to the UMA.
■ Allow registration of new SGN users for
Nobody: Even the user entered as the owner cannot add more users to the UMA. The option for an
owner to add further users is deactivated.
Owner (default setting)
Note: A security officer can always add users in the SafeGuard Management Center.
Everybody: Lifts the restriction that users may only be added by the owner.
Note: For endpoints that do not have the Device Encryption module installed the Allow
registration of new SGN users for setting must be set to Everybody if it should be possible
on the endpoint to add more than one user to the UMA with access to their key ring. Otherwise
users can only be added in the Management Center. This setting is only evaluated on managed
endpoints. See also New SafeGuard Enterprise Data Exchange users do not receive a certificate
after logon on SafeGuard Enterprise Data Exchange only clients.
■ Enable registration of SGN Windows users
If you select Yes, SGN Windows users can be registered on the endpoint. An SGN Windows
user is not added to the SafeGuard POA, but has a key ring for accessing encrypted files, just
as an SGN user. If you select this setting, all users that would otherwise have become SGN
guest users will become SGN Windows users. The users are added to the UMA as soon as
they have logged on to Windows. SGN Windows users can be removed from the UMA
automatically on managed endpoints and manually on unmanaged endpoints. For further
information, see Specific machine settings - basic settings (page 146).
Example:
The following example shows how you can assign logon entitlements in the SafeGuard
Management Center to just three users (User_a, User_b, User_c) for Computer_ABC.
First: Specify the response you require in the SafeGuard Management Center. SafeGuard
Enterprise is installed on all endpoints during the night. In the morning, the users should be able
to log on to the computer with their credentials.
1. In the SafeGuard Management Center, assign User_a, User_b and User_c to Computer_ABC.
(Users and Computers -> Select computer_ABC -> Assign user by drag-and-drop). By doing
this, you have specified a UMA.
2. In a policy of the type Specific Machine Settings, set Allow registration of new SGN users
for to Nobody. Since User_a, User_b and User_c are not allowed to add new users, it is not
necessary to specify a user as an owner.
3. Assign the policy to the computer and/or to a point within the directory structure at which it will
be active for the computer.
When the first user logs on to Computer_ABC, an autologon is performed at the SafeGuard
POA. The computer policies are sent to the endpoint. Since User_a is included in the UMA, User_a
becomes a full user when logging on to Windows. The user's policies, certificates and keys
are sent to the endpoint. The SafeGuard POA is activated.
Note: The user can check the status message in the SafeGuard System Tray Icon (balloon tool
tip) when this process has completed.
User_a is now a full user in terms of SafeGuard Enterprise and after the first logon can authenticate
at the SafeGuard POA and is automatically logged on.
User_a now leaves the computer and User_b wants to log on. As the SafeGuard POA is activated,
there is no more autologon.
User_b and User_c have two options for gaining access to this computer.
■ User_a deactivates the Pass through to Windows option in the SafeGuard POA logon dialog
and logs on.
■ User_b uses Challenge/Response to log on at the SafeGuard POA.
In both cases, the Windows logon dialog is displayed.
User_b can enter their Windows credentials. The user's policies, certificates and keys are sent
to the endpoint. The user is activated in the SafeGuard POA. User_b is now a full user in terms
of SafeGuard Enterprise and after the first logon can authenticate themselves at the SafeGuard
POA and will be automatically logged on.
While the computer policy specifies that no one can import users to this computer, since these
users are already in the UMA, User_b and User_c nevertheless gain "full" user status at the
Windows logon and are activated in the SafeGuard POA.
No other users will be added to the UMA or will ever be able to authenticate themselves at the
SafeGuard Power-on Authentication. Any users logging on to Windows who are not User_a,
User_b or User_c are excluded from the UMA in this scenario and will never be active in the
SafeGuard POA.
Users can always be added later on in the SafeGuard Management Center. However, their key
ring will not be available after the first logon as synchronization will only be triggered by this first
logon. After logging on again, the key ring will be available and the users can access their
computers according to policies applying. If they have never successfully logged on to an endpoint,
they can be added as described above.
Note: If the last valid user certificate is removed from the UMA by an SO or MSO, any user can
pass the SafeGuard POA of the corresponding computer. The same applies if the domain of the
endpoint changes. Then only Windows credentials are necessary to log on to the computer, to
reactivate the SafeGuard POA and to be added as the new owner.
26.1.1 Block User
If you select the check box in the Block User column, the user is no longer allowed to log on to
the relevant computer. If the relevant user is logged on when the policy with this setting becomes
active on the computer, the user is logged off.
26.1.2 Groups
In the SafeGuard Management Center, computer groups can be assigned to a user (account)
and/or user groups can be assigned to a computer.
To create a group: In Users and Computers, right-click the relevant object node where you want
to create the group and select New, Create new group. In Create new group, in Full name,
enter the name of the group and optionally a description. Click OK.
Example: Maintenance account
It is for example possible to use a single maintenance account to service a large number of
computers. For this purpose the computers concerned must be in a single group. This group is
then assigned to a maintenance account (user). The owner of the maintenance account can log
on to all computers within this group.
Also, by assigning a group containing different users, these users can log on to a specific computer
in a single step.
26.2 Assignment of user and computer groups
In Users and Computers, to view the assignment of user and computer groups you need at least
Read only access rights for one of the objects (user or computer group) involved. To define or
change the assignment, you need Full access rights for both of the objects involved. The UMA
display showing available users/machines is filtered according to your access rights.
Note: You can assign individual users to a computer or vice versa using the same process as
for groups.
1. Click Users and Computers.
2. To assign a group of computers to a single user, select the user.
3. Click the Computer tab in the action area.
All computers and computer groups are displayed under Available computers.
4. Drag the selected groups from the Available Groups list into the action area.
5. A dialog is displayed asking whether the user should be the owner of all computers.
If there is no specified owner in the SafeGuard Management Center, the first user to log on
to this computer is automatically entered as the owner. The user is then entitled to allow other
users to access this computer. The condition is that the user Can Become Owner.
■ If you answer Yes, the first user to log on to this computer becomes the owner and can
allow access to other users.
■ If you answer No, the user is not the owner of this computer.
It is not generally necessary for a service account owner to be the owner of the computer. This
setting can be changed after initial assignment.
All computers from the assigned group are displayed in the action area.
The user can log on to all computers assigned in this way.
A user group can be assigned to a single computer in the same way.
27 Tokens and smartcards
Note: Tokens and smartcards cannot be configured for Mac OS X endpoints.
SafeGuard Enterprise provides enhanced security by supporting tokens and smartcards for
authentication. Token/smartcards can store certificates, digital signatures and biometric details.
Token authentication is based on the principle of a two-stage authentication: A user has a token
(ownership), but can only use the token if they know the specific token password (knowledge).
When a token or smartcard is used, users only need the token and a PIN for authentication.
Note: From SafeGuard Enterprise's perspective, smartcards and tokens are treated in the same
way. So the terms “token” and “smartcard” refer to the same thing in the product and in the help.
The use of tokens and smartcards needs to be enabled in the license, see Token licenses (page 27).
Note: Windows 8 and later offers a feature called virtual smartcard. A virtual smartcard simulates
the functionality of a physical smartcard using the TPM chip as basis, but cannot be used with
SafeGuard Enterprise.
Tokens are supported in SafeGuard Enterprise:
■ in the SafeGuard Power-on Authentication (not applicable for Windows 8 and Windows 8.1)
■ at operating system level
■ to log on to the SafeGuard Management Center
When a token is issued to a user in SafeGuard Enterprise, data such as the manufacturer, type,
serial number, logon data and certificates are stored in the SafeGuard Enterprise Database.
Tokens are identified by the serial number and then recognized in SafeGuard Enterprise.
There are significant benefits:
■ You know which tokens are in circulation and which users they are assigned to.
■ You know when they were issued.
■ If a token is lost, the security officer can identify it and block it. This prevents the misuse of
data.
■ The security officer can nevertheless use Challenge/Response to temporarily allow logon
without a token, for example, if a user has forgotten the PIN.
Note: With SafeGuard volume-based encryption this recovery option is not supported with
cryptographic token logon (Kerberos).
27.1 Token types
The term "token" refers to all technologies used and does not depend on a particular form of the
device. This includes all devices that can store and transfer data for the purpose of identification
and authentication, like smartcards and USB tokens.
SafeGuard Enterprise supports the following types of tokens/smartcards for authentication:
■ Non-cryptographic
Authentication at the SafeGuard POA and Windows is based on user credentials (user
ID/password) stored on the token.
■ Cryptographic - Kerberos
Authentication at the SafeGuard POA and Windows is based on certificates stored on the
token.
Note: Cryptographic tokens cannot be used for unmanaged endpoints.
27.1.1 Cryptographic tokens - Kerberos
With cryptographic tokens, the user is authenticated at the SafeGuard POA by the certificate
stored on the token. To log on to the system, users only have to enter the token PIN.
Note: Cryptographic tokens cannot be used for unmanaged endpoints.
You have to provide users with fully issued tokens. For further information, see Configure token
use (page 206).
Basic certificate requirements:
■ Algorithm: RSA
■ Key length: minimum 1024
■ Key usage: data encipherment or key encipherment. This can be overruled by policy.
■ Self-signed: No. This can be overruled by policy.
Note: In case of logon problems with a Kerberos token, neither Challenge/Response nor Local
Self Help is available for logon recovery. Only the Challenge/Response procedure using Virtual
Clients is supported. It enables users to regain access to encrypted volumes on their endpoints.
27.2 Components
To use tokens/smartcards with SafeGuard Enterprise, the following is required:
■ Token/smartcard
■ Token/smartcard reader
■ Token/smartcard driver
■ Token/smartcard middleware (PKCS#11 module)
USB tokens
Like smartcards, USB tokens consist of a smartcard and a smartcard reader, both units being
located in a single casing. The use of USB tokens requires a USB port.
27.2.1 Token/smartcard readers and drivers
■ Windows
On the Windows operating system level, PC/SC-compatible card readers are supported. The
PC/SC interface regulates the communication between computer and smartcard. Many of
these card readers are already part of the Windows installation. Smartcards require PKCS#11
compatible smartcard drivers if they are to be supported by SafeGuard Enterprise.
■ SafeGuard Power-on Authentication
With SafeGuard Power-on Authentication, the PC/SC interface is supported which regulates
the communication between PC and smartcard. The supported smartcard drivers are a fixed
implementation and users may not add other drivers. The appropriate smartcard drivers have
to be enabled by means of a policy in SafeGuard Enterprise.
The interface for smartcard readers is standardized and many card readers have a USB
interface or an ExpressCard/54 interface and implement the CCID standard. In SafeGuard
Enterprise, this is a prerequisite to be supported with SafeGuard Power-on Authentication.
Plus, on the driver side, the PKCS#11 module has to be supported.
27.2.2 Supported tokens/smartcards with SafeGuard Power-on Authentication
SafeGuard Enterprise supports a wide range of smartcards/smartcard readers, USB tokens plus
respective drivers and middleware with SafeGuard Power-on Authentication. With SafeGuard
Enterprise, tokens/smartcards which support 2048-bit RSA operations are supported.
As support for tokens/smartcards is enhanced from release to release, the tokens and smartcards
supported in whatever is the current version of SafeGuard Enterprise are listed in the Release
Notes.
27.2.3 Supported middleware
The middleware in the list below is supported by the relevant PKCS#11 module. PKCS#11 is a
standardized interface for connecting cryptographic tokens/smartcards to different software. Here,
it is used for the communication between cryptographic token/smartcard, the smartcard reader
and SafeGuard Enterprise. See also
http://www.sophos.com/en-us/support/knowledgebase/112781.aspx.
Manufacturer                  Middleware
ActivIdentity                 ActivClient, ActivClient (PIV)
AET                           SafeSign Identity Client
Aladdin                       eToken PKI Client
A-Trust                       a.sign Client
Charismatics                  Smart Security Interface
Gemalto                       Gemalto Access Client, Gemalto Classic Client, Gemalto .NET Card
IT Solution GmbH              IT Solution trustWare CSP+
Nexus                         Nexus Personal
RSA                           RSA Authentication Client 2.x, RSA Smart Card Middleware 3.x
Sertifitseerimiskeskus AS     Estonian ID Card
Siemens                       CardOS API TC-FNMT
ATOS                          CardOS API TC-FNMT
FNMT                          Módulo PCKS#11 TC-FNMT TC-FNMT
T-Systems                     NetKey 3.0
Unizeto                       proCertum
Licenses
Note that the use of the respective middleware for the standard operating system requires a
license agreement with the relevant manufacturer. For information on how to obtain the licenses,
see http://www.sophos.com/en-us/support/knowledgebase/116585.aspx.
For Siemens licenses, contact
Atos IT Solutions and Services GmbH
Otto-Hahn-Ring 6
81739 Muenchen
Germany
The middleware is set in a SafeGuard Enterprise policy of the type Specific Machine Settings
under Custom PKCS#11 Settings in the field PKCS#11 Module for Windows or PKCS#11
Module for Power-on Authentication. The relevant configuration package must also be installed
on the computer on which the SafeGuard Management Center is running.
27.3 Configure token use
Carry out these steps if you want to provide tokens to the following users for authentication:
■ Users of managed endpoints
■ Security officers of the SafeGuard Management Center
1. Initialize empty tokens.
For further information, see Initialize a token (page 207).
2. Install the middleware.
For further information, see Install middleware (page 207).
3. Activate the middleware.
For further information, see Activate middleware (page 207).
4. Issue tokens for users and security officers.
For further information, see Issuing a token (page 208).
5. Configure the logon mode.
For further information, see Configuring logon mode (page 209).
6. Configure further token settings, for example syntax rules for PINs.
For further information, see Managing PINs (page 214) and Managing tokens and smartcards
(page 215).
7. Assign certificates and keys to tokens/users.
For further information, see Assigning certificates (page 211).
You can also use tokens that have data from a different application for authentication, provided
that there is enough storage space for the certificates and logon information on them.
For easy token administration, SafeGuard Enterprise offers the following features:
■ Display and filter token information
■ Initialize, change, reset and block PINs
■ Read and delete token data
■ Block tokens
Note: To issue and manage tokens or modify data on issued tokens you need Full access rights
to the relevant users. The Issued Tokens view only shows tokens for users for whom you have
Read only or Full access rights.
27.4 Preparing for token use
To prepare for token/smartcard support in SafeGuard Enterprise:
■ Initialize empty tokens.
■ Install the middleware.
■ Activate the middleware.
27.4.1 Initialize a token
Before an "empty", unformatted token can be used, it needs to be prepared for use (initialized)
according to the instructions provided by the token manufacturer. When it is initialized, basic
information, for example the standard PIN, is written to it. This is done with the token manufacturer's
initialization software.
For further information, refer to the token manufacturer concerned.
27.4.2 Install middleware
Install the correct middleware, both on the computer with SafeGuard Management Center installed
as well as on the relevant endpoint, if not already done. For supported middleware, see Supported
middleware (page 204).
Restart the computers where you installed the new middleware.
Note: If you install Gemalto .NET Card or Nexus Personal middleware, you also need to add
their installation path to the PATH environment variable of your computer's System Properties.
■ Default installation path for Gemalto .NET Card: C:\Program Files\Gemalto\PKCS11 for .NET V2 smart cards
■ Default installation path for Nexus Personal: C:\Program Files\Personal\bin
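The PATH change for the Gemalto .NET Card and Nexus Personal middleware can be scripted so that it is applied identically on the Management Center computer and on the endpoints. The following PowerShell script is an added example and is not part of the SafeGuard Enterprise help or of the product. It assumes the default Nexus Personal path quoted above (pass the Gemalto path instead with -MiddlewareDir), writes the machine-wide PATH rather than the current session's copy, and therefore has to run in an elevated session; the function name Add-MachinePathEntry is the example's own.

```powershell
# Added example (not from the SafeGuard Enterprise help): put a PKCS#11
# middleware directory on the machine-wide PATH, idempotently.
# Default path assumed: Nexus Personal, as quoted in section 27.4.2.
param(
    [string]$MiddlewareDir = 'C:\Program Files\Personal\bin'
)

function Add-MachinePathEntry {
    param([Parameter(Mandatory)][string]$Directory)

    # Normalise so "C:\x\" and "C:\x" are treated as the same entry.
    $Directory = $Directory.TrimEnd('\')

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Directory not found: $Directory (is the middleware installed?)"
    }

    # Read the persistent machine PATH, not $env:PATH, which is only the
    # current process copy and would be lost at the next restart.
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = @($current -split ';' | Where-Object { $_ -ne '' } |
                 ForEach-Object { $_.TrimEnd('\') })

    # -contains compares case-insensitively, which matches Windows paths.
    if ($entries -contains $Directory) {
        return $false   # already present, nothing written
    }

    $updated = ($entries + $Directory) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $updated, 'Machine')
    return $true
}

$changed = Add-MachinePathEntry -Directory $MiddlewareDir
if ($changed) {
    Write-Host "Added $MiddlewareDir to the machine PATH. Restart the computer before activating the middleware."
} else {
    Write-Host "$MiddlewareDir was already on the machine PATH."
}
```

The function returns $true only when it actually changed the registry-backed PATH, so a deployment tool can use the result to decide whether the restart the help calls for is still needed on that computer.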
27.4.3 Activate middleware
You need to assign the correct middleware in form of the PKCS#11 module by defining a policy
in the SafeGuard Management Center. You should do this both for the computer which the
SafeGuard Management Center is running on and for the endpoint. Only then can SafeGuard
Enterprise communicate with the token. You can define the setting for PKCS#11 module, using
a policy, as follows.
Prerequisite: The middleware is installed on the relevant computer and the token has been
initialized. The SafeGuard Enterprise Client configuration package must also be installed on the
computer on which the SafeGuard Management Center is running.
1. In the SafeGuard Management Center, click Policies.
2. Create a new policy of the type Specific Machine Settings or select an existing policy of this
type.
3. In the work area on the right-hand side, select the appropriate middleware under Token
support settings > Module Name. Save the settings.
4. Assign the policy.
SafeGuard Enterprise can now communicate with the token.
27.5 Issuing a token
When a token is issued in SafeGuard Enterprise, data which is used for authentication is written
on the token. This data consists of credentials and certificates.
In SafeGuard Enterprise, tokens can be issued for these user roles:
■ Tokens for end users of managed endpoints
■ Tokens for security officers (SO)
Both the user and the security officer (SO) can access the token. The user is the one who should use
the token. Only the user can access private objects and keys. The SO can only access public
objects, but can reset the user's PIN.
27.5.1 Issue a token or smartcard to a user
Prerequisites:
■ The token must be initialized and the relevant PKCS#11 module must be activated.
■ The SafeGuard Enterprise Client configuration package must also be installed on the computer
on which the SafeGuard Management Center is running.
■ You need Full access rights for the relevant user.
1. In the SafeGuard Management Center, click Users and Computers.
2. Connect the token to the USB interface. SafeGuard Enterprise reads in the token.
3. Select the user for whom the token is to be issued, and open the Token Data tab in the work
area on the right-hand side.
4. In the Token Data tab, do the following:
a) Select the User ID and Domain of the relevant user and enter your Windows Password.
b) Click Issue Token.
The Issue Token dialog is displayed.
5. Select the appropriate slot for the token from the Available slots drop-down list.
6. Issue a new User PIN and repeat the entry.
7. Under SO PIN, enter the standard PUK received from the manufacturer or the PIN issued
when the token was initialized.
Note: If you only fill in the User PIN (required) field, the user PIN must match the PIN which
was issued when the token was initialized. In this case, you do not have to repeat the user
PIN and enter an SO PIN.
8. Click Issue token now.
The token is issued, the logon information written on the token and the token information saved
in the SafeGuard Enterprise Database. You can display the data in the Token area in the Token
Information tab.
27.5.2 Issue a token or smartcard to a security officer
When SafeGuard Enterprise is installed for the first time, the first security officer (SO) can issue
a token for themselves and specify the logon mode (see SafeGuard Enterprise installation guide).
For all other security officers, tokens are issued in the SafeGuard Management Center.
Prerequisites:
■ The token must be initialized and the relevant PKCS#11 module must be activated.
■ You need the rights to make entries for the SO.
1. In the SafeGuard Management Center, click Security Officers.
2. Connect the token to the USB interface. SafeGuard Enterprise reads in the token.
3. In the navigation window on the left, mark Security Officer and select New > New security
officer from the context menu.
The New security officer dialog is displayed.
4. With the Token logon field, specify the type of logon for the SO:
■ To enable the SO to authenticate either with or without a token, select Optional.
■ To make token logon mandatory for the SO, select Mandatory.
With this setting, the private key remains on the token. The token must always be plugged
in, or the system will need to be restarted.
5. Next you specify the SO certificate.
■ To create a new certificate, click the Create button next to the Certificate drop-down list.
Enter the password for the certificate twice and click OK to confirm it.
Specify the location for saving the certificate.
■ To import certificates, click Import next to the Certificate drop-down list and open the
relevant certificate file.
Searching is first done in a certificate file, then on the token. The certificates may remain
in whatever the storage location is.
6. Under Roles, activate the roles that are to be assigned to the SO.
7. Confirm the entries with OK.
The SO is created, the token is issued, the logon data is written on the token (depending on the
setting), and the token information is saved in the SafeGuard Enterprise Database. You can
display the data in the Token area in the Token Information tab.
27.6 Configuring logon mode
There are two ways for end users to log on with a token. A combination of both logon methods
is possible.
■ Logging on with user ID/password
■ Logging on with token
When logging on with token/smartcard, you can either select the non-cryptographic method
or the Kerberos (cryptographic) method.
As a security officer, you specify the logon mode to be used in a policy of the type Authentication.
If you select the token logon option Kerberos:
■ You need to issue a certificate in a PKI and store it on the token. This certificate is imported
as a user certificate into the SafeGuard Enterprise Database. If an automatically generated
certificate already exists in the database, it is replaced by the imported certificate.
27.6.1 Enable SafeGuard POA autologon with default token PINs
A default token PIN that is distributed by policy enables automatic user logon at the SafeGuard
Power-on Authentication. This avoids the need to issue each single token separately and enables
users to automatically log on at the SafeGuard Power-on Authentication without any user
interaction.
When a token is used at logon and a default PIN is assigned to the computer, the user is passed
through at the SafeGuard Power-on Authentication without having to enter a PIN.
As a security officer you can set the specific PIN in a policy of the type Authentication and assign
it to different computers or computer groups, for example to all computers residing in the same
location.
To enable autologon with a default token PIN:
1. In the SafeGuard Management Center, click Policies.
2. Select a policy of the type Authentication.
3. Under Logon Options in Logon mode, select Token.
4. In PIN used for autologon with token, specify the default PIN to be used for autologon. PIN
rules do not need to be observed in this case.
Note: This setting is only available if you select Token as possible Logon Mode.
5. In Pass through to Windows set Disable pass-through to Windows. If you do not select
this setting when a default PIN is specified, you will not be able to save the policy.
If you want to enable the Pass through to Windows option, you can later create another
policy of the type Authentication with this option enabled and assign it to the same computer
group, so that the RSOP has both policies active.
6. Optionally specify further token settings.
7. Save your settings and assign the policy to the relevant computers or computer groups.
If the autologon on the endpoint has been successful, Windows is started.
If the autologon on the endpoint has failed, the user is prompted to enter the token PIN at the
SafeGuard Power-on Authentication.
27.7 Assigning certificates
Not only logon information but also certificates can be written to a token. Just the private part of
the certificate (.p12 file) can be saved on the token. However, users then can only log on with the
token. We recommend that you use PKI certificates.
You can assign authentication data to tokens as follows:
■ by generating certificates directly on the token
■ by assigning data which is already on the token
■ by importing certificates from a file
Note: CA certificates cannot be obtained from a token and stored in the database or certificate
store. If you use CA certificates, these need to be available as files and not just on a token. This
also applies to CRLs (Certificate Revocation List). Moreover, the CA certificates must match the
CRL before users can log on to the computers concerned. Check that the CA and corresponding
CRL are correct. SafeGuard Enterprise does not carry out this check! SafeGuard Enterprise can
then only communicate with expired certificates if old and new keys are present on the same
card.
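Because SafeGuard Enterprise does not verify that a CA certificate and its CRL belong together, and because the basic certificate requirements for Kerberos tokens in section 27.1.1 (RSA, key length of at least 1024 bits, data or key encipherment key usage, not self-signed) are only checked at logon time, it is worth testing a user certificate before it is written to a token. The following PowerShell script is an added example that is not part of the SafeGuard Enterprise help or of the product. It assumes a public certificate file (.cer, DER or PEM) exported from the PKI, relies only on the .NET X509 classes available in Windows PowerShell, and the function name Test-TokenCertificate is the example's own; it does not implement the policy overrides the help mentions, so a "Findings" entry is a prompt to look at the policy, not necessarily a logon failure.

```powershell
# Added example (not from the SafeGuard Enterprise help): check a user
# certificate against the section 27.1.1 requirements and build its chain
# with online CRL checking, which the help says the product does not do.
param(
    [Parameter(Mandatory)][string]$CertificatePath   # assumed: exported .cer file
)

function Test-TokenCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $findings = @()

    # Algorithm: RSA, key length minimum 1024.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings += 'Public key is not RSA'
    } elseif ($rsa.KeySize -lt 1024) {
        $findings += "RSA key length $($rsa.KeySize) is below the 1024-bit minimum"
    }

    # Key usage: data encipherment or key encipherment (policy may overrule).
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($null -eq $ku) {
        $findings += 'No Key Usage extension present'
    } else {
        $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment -bor
                  [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        if ([int]($ku.KeyUsages -band $wanted) -eq 0) {
            $findings += "Key usage '$($ku.KeyUsages)' has neither data nor key encipherment"
        }
    }

    # Self-signed: No (policy may overrule). Subject equal to issuer is the usual sign.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Certificate is self-signed'
    }

    # Chain and revocation: fetch CRLs online for the whole chain so a CRL
    # that does not match its CA, or an expired CRL, surfaces here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) {
            $findings += "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-TokenCertificate -Path $CertificatePath | Format-List
```

Run it on the computer that will act as the Management Center, since that is where the CA certificate and CRL files the help requires are installed; a chain status such as RevocationStatusUnknown or OfflineRevocation means the CRL could not be obtained or evaluated and should be resolved before the token is issued.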
27.7.1 Generate certificates from tokens
To generate certificates from tokens, you need Full access rights for the relevant user.
You can generate new certificates straight from the token if, for example, there is no certificate
structure present.
Note: If only the private part of the certificate is written on to the token, the user can only access
their private key with the token. The private key then only resides on the token. If the token is lost,
the private key can no longer be accessed.
Prerequisite: The token is issued.
1. In the SafeGuard Management Center, click Users and Computers.
2. Plug the token into the USB interface.
SafeGuard Enterprise reads in the token.
3. Mark the user for whom a certificate is to be generated, and open the Certificate tab in the
work area on the right-hand side.
4. Click Generate and assign certificate by token. Note that the length of the key must match
the size of the token.
5. Select the slot and enter the token PIN.
6. Click Create.
The token generates the certificate and assigns it to the user.
27.7.2 Assign token certificates to a user
Prerequisites:
■
The token is issued.
■
You have Full access rights for the relevant user.
To assign a certificate available on the token to a user:
1. In the SafeGuard Management Center, click Users and Computers.
2. Plug the token into the USB interface.
SafeGuard Enterprise reads in the token.
3. Select the user to whom you want to assign a certificate, and open the Certificate tab in the
work area on the right-hand side.
4. Click the Assign a certificate from a token icon in the SafeGuard Management Center
toolbar.
5. Select the relevant certificate from the list and enter the token's PIN.
6. Click OK.
The certificate is assigned to the user. A user can only have one certificate assigned.
27.7.3 Change a user's certificate
You can change or renew certificates required for logon by assigning a new certificate in the
SafeGuard Management Center. The certificate is assigned as a standby certificate alongside
the existing certificate. By logging on with the new certificate, the user changes the certificate on
the endpoint.
Note: If users have lost their tokens or tokens have been compromised, do not exchange tokens
by assigning new certificates as described here. Otherwise problems may occur. For example,
the old token certificate may still be valid for Windows logon. As long as the old certificate is still
valid, logon to Windows is still possible and the computer can be unlocked. Instead, block the
token to prevent logon.
Standby certificates can be used in the following cases:
■
Change (cryptographic) token generated certificates.
■
Switch from auto-generated certificates to token-generated certificates.
■
Switch from user name/password authentication to cryptographic token (Kerberos)
authentication.
Prerequisites:
■
The new token is issued.
■
Only one certificate is assigned to the user.
■
You have Full access rights for the relevant user.
To change a user's certificate for token logon:
1. In the SafeGuard Management Center, click Users and Computers.
2. Plug the token into the USB interface.
SafeGuard Enterprise reads in the token.
3. Select the user for whom you want to change the certificate and open the Certificate tab in
the work area on the right-hand side.
4. On the toolbar, click the appropriate icon for the action you want to perform.
5. Select the relevant certificate and enter the token's PIN.
6. Click OK.
7. Provide the user with the new token.
The certificate is assigned to the user as a standby certificate. This is indicated by a tick in the
Standby column of the user's Certificates tab.
After synchronization between the endpoint and the SafeGuard Enterprise Server, the status
dialog on the endpoint indicates that it is Ready for certificate change.
The user now has to initiate a certificate change on the endpoint computer. For further information,
see the SafeGuard Enterprise user help.
After the user has changed the certificate on the endpoint the certificate is also renewed on the
SafeGuard Enterprise Server during the next synchronization. This removes the old token from
the user's Certificates tab in the SafeGuard Management Center. The new token becomes the
standard token for the user.
Note: In the SafeGuard Management Center, both certificates can be deleted separately. If only
a standby certificate is available, the next certificate is assigned as the standard certificate.
27.7.4 Import certificate from a file onto the token
Prerequisite: The token is issued.
You need to select this procedure for a token with Kerberos support for managed endpoints. The
certificate must be recognized by SafeGuard Enterprise and added to the token. If there is already
an auto-generated certificate, the imported certificate will overwrite it.
To add the private part of the certificate (.p12 file) from a file to the token:
1. In the SafeGuard Management Center, click Tokens.
2. Plug the token into the USB interface.
SafeGuard Enterprise reads in the token.
3. Mark the token to which you want to add the private part of the certificate and, in the work area
on the right, open the Logon Information & Certificates tab.
4. Click the P12 to token icon in the SafeGuard Management Center toolbar.
5. Select the relevant certificate file.
6. Enter the token PIN and the password for the .p12 file and click OK to confirm.
The private part of the certificate is added to the token. Now you need to assign it to a user, see
Assign token certificates to a user (page 212). Users can then only log on with this token.
27.8 Managing PINs
As a security officer, you can change both the user PIN and the SO PIN, and also force the user
PIN to be changed. This is usually required when a token is first issued. You can also initialize
PINs (issue them as new and block them).
Note: To initialize, change and block PINs, you need Full access rights for the relevant users.
You can use policies to specify other PIN options for the endpoint.
Note: When you change a PIN, note that some token manufacturers specify their own PIN rules
which may contradict SafeGuard Enterprise PIN rules. So it may not be possible to change a PIN
in the way you want, even if it complies with the SafeGuard Enterprise PIN rules. You should
always refer to the token manufacturer's PIN rules. These are displayed in the Token area under
Token Information in the SafeGuard Management Center.
PINs are managed in the SafeGuard Management Center under Tokens. The token is plugged
in and marked in the navigation window on the left.
27.8.1 Initialize user PIN
Prerequisites:
■
The SO PIN must be known.
■
You need Full access rights for the relevant user.
1. In the SafeGuard Management Center toolbar, click the Initialize user PIN icon.
2. Enter the SO PIN.
3. Enter the new user PIN, repeat the entry and click OK to confirm.
The user PIN is initialized.
27.8.2 Change an SO PIN
Prerequisite: The previous SO PIN must be known.
1. In the SafeGuard Management Center toolbar, click the Change SO PIN icon.
2. Enter the old SO PIN.
3. Enter the new SO PIN, repeat the entry and click OK.
The SO PIN has been changed.
27.8.3 Change a user PIN
Prerequisite:
■
The user PIN must be known.
■
You need Full access rights for the relevant user.
1. In the SafeGuard Management Center toolbar, click the Change user PIN icon.
2. Enter the old and the new user PIN, repeat the new user PIN, and click OK.
The user PIN is changed. If you have changed the PIN for another user, inform them about the
change.
27.8.4 Force PIN change
To force a PIN change, you need Full access rights for the relevant user.
1. In the SafeGuard Management Center toolbar, click the Force PIN change icon.
The next time the user logs on with the token, they have to change their user PIN.
27.8.5 PIN history
The PIN history can be deleted. To do this, click the Delete PIN history icon in the SafeGuard
Management Center toolbar.
27.9 Managing tokens and smartcards
In the Tokens area of the SafeGuard Management Center, the security officer can:
■
Get an overview of tokens and certificates that have been issued.
■
Filter overviews.
■
Block tokens for authentication
■
Read or delete the data on a token.
27.9.1 Display token/smartcard information
As a security officer, you can display information about all or individual tokens that have been
issued. You can also filter overviews.
Prerequisite: The token must be plugged in.
1. In the SafeGuard Management Center, click Tokens.
2. To display information about an individual token, select the relevant token in the navigation
area under Token Slots.
The manufacturer, type, serial number, hardware details and PIN rules are displayed under
Token Information. You can also see which user the token is assigned to.
Note: Under Token Slots, issued tokens are displayed regardless of your access rights to
the relevant users, so you can see whether the token is in use. If you have no or Read only
access rights to the assigned user, all token data in the Token Information and Credentials
and Certificates tabs is greyed out and you cannot manage this token.
3. To display an overview on tokens, select Issued Tokens. You can display all the tokens that
have been issued or filter the overview by user.
The token's serial number, the assigned users and the issue date are displayed. You can also
see if the token is blocked.
Note: The Issued Tokens view shows the tokens for all users you have Read only or Full
access rights for.
27.9.2 Block token or smartcard
As a security officer you can block tokens. This is for example useful if a token has been lost.
To block a token, you need Full access rights for the relevant user.
1. In the SafeGuard Management Center, click Tokens.
2. In the navigation area on the left, select Issued Tokens.
3. Select the token to be blocked and click the Block token icon in the SafeGuard Management
Center toolbar.
The token is blocked for authentication and the assigned user can no longer use it to log on. The
token can only be unblocked with the SO PIN.
27.9.3 Delete token/smartcard information
As a security officer, you can delete the information that has been written on the token by
SafeGuard Enterprise.
Prerequisite:
■
The token must be plugged in.
■
You need Full access rights for the relevant user.
1. In the SafeGuard Management Center, click Tokens.
2. In the navigation area on the left, select the token concerned under Token Slots.
3. In the SafeGuard Management Center toolbar, click the Wipe token icon.
4. Enter the SO PIN that was assigned to the token and click OK to confirm.
All data managed by SafeGuard Enterprise is deleted. Certificates remain on the token.
The user PIN is reset to 1234. Initialize a new user PIN before you reissue the token, see
Initialize user PIN (page 214).
Wiped tokens are automatically removed from the list of issued tokens.
27.9.4 Read token/smartcard information
As a security officer you can read the data on the token by using the user PIN.
Prerequisites:
■
The token must be plugged in. The security officer must know the user PIN, or the PIN must
be initialized first, see Initialize user PIN (page 214).
■
You need Read only or Full access rights for the relevant user.
1. In the SafeGuard Management Center, click Tokens.
2. On the left of the navigation area select the relevant token under Token Slots and select the
Credentials & Certificates tab.
3. Click the Get user credentials icon and enter the user PIN for the token.
The data on the token is displayed.
28 Secure Wake on LAN (WOL)
In the SafeGuard Management Center, you can define policy settings for Secure Wake on LAN
(WOL) to prepare endpoints for software rollouts. If a relevant policy applies to endpoints, the
necessary parameters (for example SafeGuard POA deactivation and a time interval for Wake
on LAN) are transferred directly to the endpoints where parameters are analyzed.
The rollout team can design a scheduling script using the commands provided to guarantee
maximum endpoint protection despite the deactivation of the SafeGuard POA.
Note: Deactivating the SafeGuard POA - even for a limited number of boot processes - reduces
the security of your system!
You define the settings for Secure Wake on LAN (WOL) in a policy of the type Specific Machine
Settings.
28.1 Secure Wake on LAN example
The software rollout team informs the SafeGuard Enterprise security officer about a software
rollout planned for September 25th, 2014 between 03:00 and 06:00 am. Two reboots are required.
The local software rollout agent must be able to log on to Windows.
In the SafeGuard Management Center, the security officer creates a policy of the type Specific
Machine Settings with the following settings and assigns it to the relevant endpoints.
Policy Setting                                 Value
Number of auto logons (0 = no WOL)             5
Windows logon allowed during WOL               Yes
Start of time slot for external WOL Start      24th Sept., 2014, 12:00
End of time slot for external WOL Start        25th Sept., 2014, 06:00
For further information on the individual settings, see Specific machine settings - basic settings
(page 146).
As the number of autologons is set to 5, the endpoint starts 5 times without authentication through
the SafeGuard POA.
Note: For Wake on LAN, we recommend that you allow three more restarts than necessary
to overcome any unforeseen problems.
The security officer sets the time interval to 12 o'clock midday on the day before the software
rollout. In this way, the scheduling script SGMCMDIntn.exe is started in time and WOL starts no
later than the 25th September at 3:00 am.
The software rollout team creates two commands for the scheduling script:
■
Starting 24th Sept. 2014, 12:15 pm: SGMCMDIntn.exe -WOLstart
■
Starting 26th Sept. 2014, 09:00 am: SGMCMDIntn.exe -WOLstop
The software rollout script is dated 25.09.2014, 03:00. WOL can be explicitly deactivated again
at the end of the script by running SGMCMDIntn.exe -WOLstop.
All endpoints which log on before the 24th of September 2014 and which connect to the rollout
servers will receive the new policy and the scheduling commands.
On any endpoint on which the schedule triggers the command SGMCMDIntn.exe -WOLstart within
the time slot defined in the policy, the command falls within the WOL time interval and therefore
Wake on LAN is activated.
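The help does not show the rollout team's scheduling script itself. The following PowerShell script is an added example, not Sophos code: it registers the two SGMCMDIntn.exe commands from this example as Windows scheduled tasks that run as SYSTEM, and refuses to register them if the -WOLstart time lies outside the time slot set in the policy, because a WOLstart outside that slot does not fall within the WOL time interval. The installation path of SGMCMDIntn.exe, the task names, and the availability of the ScheduledTasks module (Windows 8 / Server 2012 and later) are assumptions.

```powershell
# Added example, not part of the SafeGuard documentation: schedules the two
# SGMCMDIntn.exe commands from the Secure Wake on LAN example as Windows
# scheduled tasks. Assumptions: SGMCMDIntn.exe is installed under $SgnDir
# (adjust to your installation), the script runs elevated, and the
# ScheduledTasks module (Windows 8 / Server 2012 and later) is available.
$SgnDir = 'C:\Program Files (x86)\Sophos\SafeGuard Enterprise\Client'
$Exe    = Join-Path $SgnDir 'SGMCMDIntn.exe'

# Time slot for external WOL start, as set in the Specific Machine Settings policy.
$SlotStart = Get-Date '2014-09-24 12:00'
$SlotEnd   = Get-Date '2014-09-25 06:00'

# The two scheduling commands from the example.
$WolStart = Get-Date '2014-09-24 12:15'   # must fall inside the policy time slot
$WolStop  = Get-Date '2014-09-26 09:00'   # safety stop after the rollout

if (-not (Test-Path $Exe)) { throw "SGMCMDIntn.exe not found at $Exe" }

# A WOLstart triggered outside the policy's time slot does not activate WOL,
# so fail here rather than silently schedule a task that does nothing.
if ($WolStart -lt $SlotStart -or $WolStart -gt $SlotEnd) {
    throw "WOLstart ($WolStart) lies outside the policy time slot $SlotStart - $SlotEnd"
}

# Run as SYSTEM with highest privileges; start late if the machine was off
# at trigger time so a delayed boot still activates and later stops WOL.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

foreach ($task in @(
    @{ Name = 'SGN-WOL-Start'; Arg = '-WOLstart'; At = $WolStart },
    @{ Name = 'SGN-WOL-Stop';  Arg = '-WOLstop';  At = $WolStop  }
)) {
    $action  = New-ScheduledTaskAction -Execute $Exe -Argument $task.Arg
    $trigger = New-ScheduledTaskTrigger -Once -At $task.At
    Register-ScheduledTask -TaskName $task.Name -Action $action -Trigger $trigger `
        -Principal $Principal -Settings $Settings -Force | Out-Null
    Write-Output ("Registered {0}: {1} {2} at {3}" -f $task.Name, $Exe, $task.Arg, $task.At)
}
```

Deploy the script to the endpoints together with the rollout package; the -WOLstop task is the safety net that re-enables SafeGuard POA authentication even if the rollout script itself never reaches its final SGMCMDIntn.exe -WOLstop call.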
29 Recovery options
For recovery, SafeGuard Enterprise offers different options that are tailored to different scenarios:
■
Logon recovery with Local Self Help
Local Self Help enables users who have forgotten their password to log on to their computers
without the assistance of a helpdesk. Even in situations where neither telephone nor network
connections are available (for example aboard an aircraft), users can regain access to their
computers. To log on, they answer a predefined number of questions in the SafeGuard
Power-on Authentication.
Local Self Help reduces the number of calls concerning logon recovery, thus freeing the
helpdesk staff from routine tasks and allowing them to concentrate on more complex support
requests.
For further information, see Recovery with Local Self Help (page 220).
■
Recovery with Challenge/Response
The Challenge/Response recovery mechanism is a secure and efficient recovery system that
helps users who cannot log on to their computers or access encrypted data. During the
Challenge/Response procedure, the user provides a challenge code generated on the endpoint
to the helpdesk officer who in turn generates a response code that authorizes the user to
perform a specific action on the computer.
With recovery with Challenge/Response, SafeGuard Enterprise offers different workflows for
typical recovery scenarios requiring helpdesk assistance.
For further information, see Recovery with Challenge/Response (page 225).
■
System recovery for SafeGuard full disk encryption
SafeGuard Enterprise offers different methods and tools for recovery from problems with crucial
system components and SafeGuard Enterprise components, for example:
■
Corrupted MBR
■
SafeGuard Enterprise kernel problems
■
Volume access problems
■
Windows boot problems
For further information, see System Recovery for SafeGuard full disk encryption (page 242).
29.1 Recovery with Local Self Help
Note: Local Self Help is only available for Windows 7 endpoints with SafeGuard Power-on
Authentication (POA).
SafeGuard Enterprise offers Local Self Help to enable users who have forgotten their password
to log on to their computers without the assistance of the help desk. Local Self Help reduces the
number of calls concerning logon recovery, thus freeing the help desk staff from routine tasks
and allowing them to concentrate on more complex support requests.
With Local Self Help, users can, for example, regain access to their laptops in situations where
neither telephone nor network connections are available and where they cannot use a
Challenge/Response procedure (for example, aboard an aircraft). Users can log on to their
computer by answering a predefined number of questions in the SafeGuard Power-on
Authentication.
As a security officer, you can define the set of questions to be answered centrally and distribute
it to the endpoints in a policy. We provide you with a predefined question theme as a template.
You can use this question theme as it is or modify it. In the relevant policy, you can also grant the
users the right to define their own questions.
When Local Self Help has been enabled by the policy, a Local Self Help Wizard is available to
guide the end users through providing initial answers and editing the questions.
For a detailed description of Local Self Help on the endpoint see the SafeGuard Enterprise user
help, chapter Recovery with Local Self Help.
29.1.1 Define Local Self Help settings in a policy
You define the settings for Local Self Help in a policy of the type General Settings under Logon
Recovery - Local Self Help. This is where you enable the function to be used on the endpoints
and define further rights and parameters.
Enabling Local Self Help
To activate Local Self Help for use on endpoints, select Yes in the Enable Local Self Help field.
After the policy has become effective on the endpoints, this setting entitles the users to use Local
Self Help for logon recovery. To be able to use Local Self Help, the users now have to activate
this recovery method by answering a specified number of questions from the set of questions
received or by creating and answering their own questions, depending on permission.
For this purpose, the Local Self Help Wizard is available from the System Tray Icon in the Windows
taskbar after the computer has received the policy and been restarted.
Configuring Local Self Help
You can set the following options for Local Self Help in a policy of the type General Settings:
■
Minimal length of answers
Define the minimum length of the answers in characters. The default is 1.
■
Welcome text under Windows
You can specify the individual information text to be displayed in the first dialog when the Local
Self Help Wizard is launched on the endpoint. Before you specify the text here, it has to be
created and registered.
■
Users can define their own questions
There are the following possible scenarios for the definition of questions for Local Self Help:
■
As a security officer, you define the questions and distribute them to the users. The users
are not permitted to define their own questions.
■
As a security officer, you define the questions and distribute them to the users. In addition,
the users are permitted to define their own questions. When answering the minimum number
of questions required for activating Local Self Help, the users can choose between
predefined questions and their own questions or use a combination of both.
■
You entitle the users to define their own questions. The users activate Local Self Help on
their computers by defining and answering their own questions.
To entitle users to define their own questions, select Yes in the Users can define their own
questions field.
29.1.2 Define questions
To be able to use Local Self Help on the endpoint, the user has to answer and save a predefined
number of questions. As a security officer with the required rights, you can specify how many
questions the user has to answer to activate Local Self Help on the endpoint. You can also specify
how many questions will be selected randomly in the SafeGuard POA. To log on at the SafeGuard
POA with Local Self Help, the user has to answer all questions displayed in the POA correctly.
As a security officer with the required rights, you can register and edit Local Self Help questions
in the SafeGuard Management Center.
Note:
Not all characters that can be entered in Windows can be handled by the SafeGuard POA, for
example Hebrew or Arabic characters cannot be used.
29.1.3 Define the number of questions to be answered
You can define the number of questions to be answered during Local Self Help configuration and
in the SafeGuard POA.
1. In the Policies navigation area, select Local Self Help questions.
2. In the action area under Local Self Help parameters, you can specify two different values
for the number of Local Self Help questions:
a) In the Minimum number of available questions/answers field, specify the number of
questions the user has to answer in the Local Self Help Wizard to activate Local Self Help
on the endpoint.
The number of questions specified in this field must be available with answers on the
endpoint for Local Self Help to be active.
b) In the Number of questions presented in POA field, specify the number of questions the
user has to answer in the SafeGuard POA when logging on with Local Self Help.
The questions displayed in the SafeGuard POA are selected randomly from the questions
the user has answered in the Local Self Help Wizard.
The number specified in Minimum number of available questions/answers field must be
higher than the number specified in Number of questions presented in POA field. If this is
not the case, an error message is displayed when you save your changes.
The defaults are:
■
Minimum number of available questions/answers: 10
■
Number of questions presented in POA: 5
3. Save your changes to the database.
The number of questions applies to the Local Self Help configuration deployed to endpoints.
29.1.4 Use the template
A predefined question theme is available for Local Self Help. You find this question theme in the
SafeGuard Management Center under Local Self Help questions.
You can use the predefined question theme as it is, edit it or delete it.
29.1.5 Import question themes
Using the import procedure, you can import your own question lists created as .XML files.
1. Create a new question theme (see Create a new question theme and add questions (page
223)).
2. In the Policies navigation area, select the new question theme under Local Self Help
questions.
3. Right-click in the action area to open the context menu for the question theme. In the context
menu, select Import.
4. Select the required directory and question theme and click Open.
The imported questions are displayed in the action area. You can now save the question theme
as it is or edit it.
29.1.6 Create a new question theme and add questions
You can create new question themes covering different topics, to provide users with several
different question themes to suit their preferences.
1. In the Policies navigation area, select Local Self Help questions.
2. Right-click Local Self Help questions and select New > Question Theme.
3. Enter a name for the question theme and click OK.
4. In the Policies navigation area, select the new question theme under Local Self Help
questions.
5. Right-click in the action area to open the context menu for the question theme. In the context
menu, select Add.
A new question line is added.
6. Enter your question and press Enter. To add further questions, repeat this step.
7. To save your changes, click the Save icon in the toolbar.
Your question theme is registered. It is automatically transferred with the policy of the type General
Settings that enables Local Self Help on the endpoints.
29.1.7 Edit question themes
1. In the Policies navigation area, select the required question theme under Local Self Help
questions.
2. You can now add, modify or delete questions.
■
To add questions, right-click in the action area to display the context menu. In the context
menu, click Add. A new line is added to the question list. Enter your question on the line.
■
To modify questions, click the required question text in the action area. The question is
marked by a pencil icon. Enter your changes on the question line.
■
To delete questions, select the required question by clicking on the grey box at the beginning
of the question line in the action area and click Remove in the context menu of the question.
3. To save your changes, click the Save icon in the toolbar.
The modified question theme is registered. It is transferred with the policy of the type General
Settings that enables Local Self Help on the endpoints.
29.1.8 Delete question themes
To delete an entire question theme, right-click the required theme under Local Self Help questions
in the Policies navigation area, and select Delete.
Note: If you delete a question theme after users have answered some of these questions to
activate Local Self Help on their computers, the users’ answers become invalid, as the questions
no longer exist.
29.1.9 Register welcome texts
You can register a welcome text to be displayed in the first dialog of the Local Self Help Wizard.
The text files containing the required information have to be created before registering them in
the SafeGuard Management Center. The maximum file size for information texts is 50 KB.
SafeGuard Enterprise only uses Unicode UTF-16 coded texts. If you do not create the text files
in this format, they will be automatically converted when they are registered.
1. In the Policies navigation area, right-click Texts and select New > Text.
2. Enter a name for the text to be displayed in the Text item name field.
3. Click [...] to select the text file previously created. If the file needs to be converted, a message
is displayed.
4. Click OK.
The new text item is displayed as a subnode below Texts in the Policies navigation area. If you
select a text item, its contents are displayed in the window on the right-hand side. The text item
can now be selected when creating policies.
Proceed as described to register further text items. All registered text items are shown as subnodes.
29.2 Recovery with Challenge/Response
To streamline the workflow and to reduce helpdesk costs, SafeGuard Enterprise provides a
Challenge/Response recovery solution. SafeGuard Enterprise offers help to users who fail to log
on or to access encrypted data by providing a user-friendly Challenge/Response mechanism.
This functionality is integrated in the SafeGuard Management Center as a Recovery Wizard.
Benefits of Challenge/Response
The Challenge/Response mechanism is a secure and efficient recovery system to fall back on.
■
No confidential data is exchanged in unencrypted form throughout the entire process.
■
There is no point in third parties eavesdropping on this procedure because the data they spy
out cannot be used at any later point in time or on any other devices.
■
The computer to be accessed does not need an online network connection. The Response
Code Wizard for the helpdesk also runs on an unmanaged endpoint without any SafeGuard
Enterprise Server connection. There is no need for a complex infrastructure.
■
The user can start working again quickly. No encrypted data is lost just because the password
has been forgotten.
Typical situations requiring helpdesk assistance
■
A user has forgotten the password for logging on and the computer has been locked.
■
A user has forgotten or lost the token/smartcard.
■
The SafeGuard Power-on Authentication local cache is partly damaged.
■
A user is not available at the moment due to illness or vacation but the data on the computer
must be accessible to a colleague.
■
A user wants to access a volume encrypted with a key that is not available on the computer.
SafeGuard Enterprise offers different recovery workflows for these typical scenarios enabling the
users to access their computers again.
29.2.1 Challenge/Response workflow
The Challenge/Response procedure is based on two components:
■
The endpoint on which the Challenge code is generated.
■
The SafeGuard Management Center where, as a helpdesk officer with sufficient rights, you
create a response code that authorizes the user to perform the requested action on their
computer.
Note: For a Challenge/Response process, you need Full access rights for the computers/users
involved.
1. On the endpoint, the user requests the challenge code. Depending on the recovery type, this
is either requested in the SafeGuard Power-on Authentication or in the KeyRecovery Tool.
A challenge code in the form of an ASCII character string is generated and displayed.
2. The user contacts the helpdesk and provides them with the necessary identification and the
challenge code.
3. The helpdesk launches the Recovery Wizard in the SafeGuard Management Center.
4. The helpdesk selects the appropriate recovery type, confirms the identification information
and the challenge code and selects the required recovery action.
A response code in the form of an ASCII character string is generated and displayed.
5. The helpdesk provides the user with the response code, for example by phone or text message.
6. The user enters the response code. Depending on the recovery type, this is either done in the
SafeGuard POA or in the KeyRecovery Tool.
The user is then permitted to perform the authorized action, for example resetting the password,
and can resume working.
29.2.2 User password change requirements
As part of the SafeGuard Enterprise recovery process users may be forced to change their
Windows passwords. The following table provides details on when changing the password will
be required. The first four columns show specific conditions which can occur during the
Challenge/Response procedure. The last column indicates whether the user is forced to change
the Windows password based on the conditions indicated in the previous columns.
Condition 1: C/R issued with user logon and show password option
Condition 2: C/R issued with user logon
Condition 3: Domain controller available
Condition 4: Show password option declined by user
Result: User is forced to change Windows password

Condition 1   Condition 2   Condition 3   Condition 4   Result
Yes           Yes           Yes           No            No
Yes           Yes           Yes           Yes           Yes
Yes           Yes           No            Yes           No
No            Yes           Yes           n/a           Yes
No            Yes           No            n/a           No
No            No            No            n/a           No
29.2.3 Launch the Recovery Wizard
To be able to perform a recovery procedure, make sure you have the required rights and
permissions.
1. Log on to the SafeGuard Management Center.
2. Click Tools > Recovery in the menu bar.
The Recovery Wizard is started. You can select which type of recovery you want to use.
29.2.4 Recovery types
Select which type of recovery you want to use. The following recovery types are provided:
■
SafeGuard Enterprise Clients (managed)
Challenge/Response for endpoints that are centrally managed by the SafeGuard Management
Center. They are listed in the Users and Computers area in the SafeGuard Management
Center.
■
Virtual Clients
For complex recovery situations, for example when the SafeGuard POA is corrupted, access
to encrypted data can easily be regained with Challenge/Response. Specific files called Virtual
Clients are used in this case. This type is available for managed and unmanaged endpoints.
■
Sophos SafeGuard Clients (standalone)
Challenge/Response for unmanaged endpoints. They never have any connection to the
SafeGuard Enterprise Server. The required recovery information is based on the key recovery
file. On each endpoint this file is generated during deployment of the Sophos SafeGuard
encryption software. To provide Challenge/Response in this case, the key recovery file must
be accessible to the SafeGuard Enterprise helpdesk, for example on a shared network path.
Note: Also see the logon recovery method Local Self Help that does not require any helpdesk
assistance.
29.2.5 Challenge/Response for SafeGuard Enterprise Clients (managed)
SafeGuard Enterprise offers recovery for SafeGuard Enterprise protected endpoints registered
in the database in various recovery scenarios, for example password recovery.
Challenge/Response is supported for both SafeGuard Enterprise native endpoints and BitLocker
encrypted endpoints. The system dynamically determines which type of computer is in use. The
recovery workflow is adjusted accordingly.
29.2.5.1 Recovery actions for SafeGuard Enterprise Clients
The recovery workflow depends on the type of endpoint that recovery is requested for.
Note: For BitLocker encrypted computers the only recovery action is to recover the key used to
encrypt a specific volume. No password recovery is provided.
29.2.5.1.1 Recover the password at SafeGuard POA level
One of the most common scenarios is that users have forgotten their password. By default,
SafeGuard Enterprise is installed with an activated SafeGuard Power-on Authentication (POA).
The SafeGuard POA password for accessing the computer is the same as the Windows password.
If the user has forgotten the password at SafeGuard POA level, the SafeGuard Enterprise helpdesk
officer generates a response of the type Boot SGN client with user logon without the Show user
password option. After entering the response code, the computer boots into the operating system
and, provided that the domain is accessible, the user is forced to change the password at Windows
level. The user can then log on to Windows as well as to the SafeGuard Power-on Authentication
with the new password.
29.2.5.1.2 Best practice for recovering the password at SafeGuard POA level
We recommend the following methods when users have forgotten their password, so that the
password does not have to be reset centrally:
■
Use Local Self Help.
With recovery with Local Self Help the user can have the current password displayed and may
continue using this password without having to reset it and without any helpdesk assistance.
■
When using Challenge/Response on SafeGuard Enterprise Clients (managed):
We recommend that you do not reset the password in Active Directory before the
Challenge/Response procedure. This ensures that the password remains synchronized between
Windows and SafeGuard Enterprise. Make sure that the Windows helpdesk is educated accordingly.
As a SafeGuard Enterprise helpdesk officer, generate a response for Boot SGN client with user
logon with the Display user password option. The password then does not have to be reset in
Active Directory: the user can continue working with the old password and change it locally
afterwards.
29.2.5.1.3 Display the user password
SafeGuard Enterprise offers users to have their password displayed during Challenge/Response.
This is useful as the password does not have to be reset in the Active Directory. The option is
only available if Boot SGN client with user logon is requested.
29.2.5.1.4 A different user needs to start the SafeGuard Enterprise protected endpoint
In this case, the user who needs to access the endpoint starts it and enters their user name. The
user then requests a Challenge. The SafeGuard helpdesk generates a Response of the type
Booting SGN client without user logon and Passthrough to Windows enabled. The user is
logged on and can use the computer.
29.2.5.1.5 Restore the SafeGuard Enterprise policy cache
This procedure is necessary if the SafeGuard policy cache is damaged. The local cache stores
all keys, policies, user certificates and audit files. By default, logon recovery is deactivated
when the local cache is corrupted: the cache is restored automatically from its backup and no
Challenge/Response procedure is required to repair it. If the local cache is to be repaired by
using a Challenge/Response procedure instead, logon recovery can be activated by policy. In that
case the user is automatically prompted to initiate a Challenge/Response procedure when the local
cache is corrupted.
29.2.5.1.6 SafeGuard Data Exchange: Recover a forgotten password
SafeGuard Data Exchange without Device Encryption does not provide Challenge/Response
recovery, when the user has forgotten their password. In this case, you must change the password
in the Active Directory. Log on to the endpoint without a Sophos Credential Provider and restore
the user configuration on the endpoint.
29.2.5.2 Response for SafeGuard Enterprise Clients
1. On the Recovery type page, select SafeGuard Enterprise Client (managed).
2. Under Domain, select the required domain from the list.
3. Under Computer enter or select the required computer name. There are several ways to do
so:
■
To select a name, click [...]. Then click Find now. A list of computers is displayed. Select
the required computer and click OK. The computer name is displayed on the Recovery
type page.
■
Type the short name of the computer directly into the field. When you click Next, the
database is searched for this name. If it is found, the distinguished computer name is
displayed.
■
Enter the computer name directly in the distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Sophos,DC=edu
4. Click Next.
5. Select the domain of the user.
6. Enter the required user name. There are several possibilities to do so:
■
To select the user name click [...] in the User information section of the Logon recovery
page. Then click Find now. A list of users is displayed. Select the required name and click
OK. The user name is displayed on the Recovery type page.
■
Enter the name of the user directly. Make sure the name is spelled correctly.
7. Click Next.
A page is displayed where you can enter the challenge code.
8. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified. If the code has been entered incorrectly, Invalid challenge is displayed below the
block containing the error.
9. If the challenge code has been entered correctly, the recovery action requested by the
SafeGuard Enterprise Client and the possible recovery actions on the client are displayed.
The possible actions for response depend on the actions requested on the client side when
calling the challenge. For example, if Crypto token requested is required on the client side,
the available actions for response are Boot SGN client with user logon and Boot SGN client
without user logon.
10. Select the action the user needs to perform.
11. If Boot SGN client with user logon has been selected, you can additionally select Show
user password to have the password displayed on the target computer.
12. Click Next.
13. A response code is generated. Provide the response code to the user. A spelling aid is provided.
You can also copy the response code to the clipboard.
The user can enter the response code on the endpoint and perform the authorized action.
29.2.6 Challenge/Response using Virtual Clients
With Virtual Client recovery SafeGuard Enterprise offers recovery of encrypted volumes even in
complex disaster situations, for example when the SafeGuard POA is corrupted. It can be applied
to managed endpoints as well as to unmanaged endpoints.
Note: Virtual Client recovery should only be used to resolve complex disaster situations. If for
example only a key is missing to recover a volume, the best way to recover the volume would
simply be to assign the missing key to the respective user’s key ring.
29.2.6.1 Recovery workflow using Virtual Clients
To access the encrypted endpoint, the following general workflow applies:
1. Obtain the SafeGuard Enterprise recovery disk from technical support.
The helpdesk may download the Windows PE recovery disk with the latest SafeGuard Enterprise
filter drivers from the Sophos support site. For further information, see:
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. Create the Virtual Client in the SafeGuard Management Center, see Create Virtual Clients
(page 77).
3. Export the Virtual Client to a file, see Export Virtual Clients (page 77).
4. Optionally, export several Virtual Client keys to a file, see Create and export key files for Virtual
Client recovery (page 77).
5. Boot the endpoint from the recovery disk.
6. Import the Virtual Client file into the KeyRecovery Tool.
7. Initiate the Challenge in the KeyRecovery Tool.
8. Confirm the Virtual Client in the SafeGuard Management Center.
9. Select the required recovery action.
10. Enter the challenge code in the SafeGuard Management Center.
11. Generate the response code in the SafeGuard Management Center.
12. Enter the response code into the KeyRecovery tool.
The computer can be accessed again.
29.2.6.2 Boot the computer from the recovery disk
Prerequisite: Make sure that the boot sequence in the BIOS settings allows booting from CD.
1. Obtain the SafeGuard Enterprise Windows PE disk from Sophos technical support.
The helpdesk may download the Windows PE recovery disk with the latest SafeGuard Enterprise
filter drivers from the Sophos support site. For further information, see
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. On the endpoint, insert the recovery disk and start the computer. The integrated file manager
opens. At a glance, you can see the mounted volumes and drives.
The contents of the encrypted drive are not visible in the file manager. Neither the file system,
nor the capacity and used/free space are indicated in the properties of the encrypted drive.
3. At the bottom of the file manager in the Quick Launch section, click the KeyRecovery icon to
open the KeyRecovery Tool. The Key Recovery Tool displays the key ID of the encrypted
drives.
4. Find the key ID of the drives that you need to access. The key ID will be requested later on.
Next import the Virtual Client into the Key Recovery Tool.
29.2.6.3 Import the Virtual Client into the KeyRecovery Tool
Prerequisite:
■
The computer has been booted from the recovery disk.
■
Ensure that the USB drive with the Virtual Client file recoverytoken.tok stored on it has
been mounted successfully.
1. In the Windows PE file manager, select the drive on which the Virtual Client is stored. The file
recoverytoken.tok is displayed on the right.
2. Select the file recoverytoken.tok and drag it to the drive in which the KeyRecovery Tool is
located. There, drop it into the Tools\SGN-Tools directory.
29.2.6.4 Initiate the Challenge in the KeyRecovery Tool
1. At the bottom of the Windows PE file manager in the Quick Launch section, click the
KeyRecovery icon to open the KeyRecovery Tool. The tool starts and displays a list of all
volumes with their corresponding encryption information (key ID).
2. Select the volume you want to decrypt and click Import by C/R to generate the challenge
code.
As reference in the SafeGuard Enterprise Database the Virtual Client file is used and stated
in the challenge. The challenge code is generated and displayed.
3. Communicate the Virtual Client name and the challenge code to the help desk, for example
by phone or text message. A spelling aid is provided.
29.2.6.5 Confirm the Virtual Client
Prerequisite: The Virtual Client must have been created in the SafeGuard Management Center
in Virtual Clients and must be available in the database.
1. In the SafeGuard Management Center, click Tools > Recovery to open the Recovery Wizard.
2. In Recovery type, select Virtual Client.
3. Enter the name of the Virtual Client the user has given to you. There are different ways to do
so:
■
Enter the unique name directly.
■
Select a name by clicking [...] in the Virtual Client section of the Recovery type dialog.
Then click Find now. A list of Virtual Clients is displayed. Select the required Virtual Client
and click OK. The Virtual Client name is then displayed on the Recovery type page below
Virtual Client.
4. Click Next to confirm the name of the Virtual Client file.
Next select the requested recovery action.
29.2.6.6 Select required recovery action
1. On the Virtual Client, Requested Action page, select one of the following options:
■
Select Key requested to recover a single key for accessing an encrypted volume on the
computer.
This option is available for unmanaged and managed endpoints.
■
Select Password for key file requested to recover multiple keys for accessing encrypted
volumes on the computer. The keys are stored in one file which is encrypted with a random
password stored in the database. The password is unique for each created key file. Within
the response code the password is transferred to the target computer.
This option is only available for managed endpoints.
2. Click Next.
29.2.6.7 Select the requested key (single key)
Prerequisite:
You must have selected the required Virtual Client in the SafeGuard Management Center Recovery
Wizard and the recovery action Key requested.
1. In the Recovery Wizard, on the Virtual Client page, select if the action is requested by a
managed or unmanaged endpoint:
■
For managed endpoints, select Recovery key for SafeGuard Enterprise Client managed.
Click [...]. In Find Keys, you can either display the keys by key ID or by symbolic name.
Click Find now, select the key and click OK.
Note: A response can only be initiated for assigned keys. If a key is inactive, which means
that it is not assigned to at least one user, a Virtual Client response is not possible. In this
case, reassign the inactive key to any other user; a response for this key can then be generated
again.
■
For unmanaged endpoints, select Recovery key for Sophos SafeGuard Client standalone.
Click [...] next to this option to browse for the respective file. For easier identification the
recovery files carry the name of the computer: computername.GUID.xml. Select the file
and click Open.
Note: The required key recovery file needed to regain access to the computer must be
accessible to the helpdesk, for example on a network share.
2. Click Next. The page for entering the challenge code is displayed.
The requested key is transferred to the user environment within the response code.
29.2.6.8 Select the requested key file (several keys)
Prerequisite:
This option is only available for managed endpoints.
You must have created the key file beforehand in the SafeGuard Management Center in Keys
and Certificates and the password encrypting the key file must have been stored in the database.
You must have selected the required Virtual Client file in the SafeGuard Management Center
Recovery Wizard and the recovery action Password for key file requested.
1. To select a key file, click [...] next to this option. In Key file, click Find now. Select the key
file and click OK.
2. Click Next to confirm.
The page for entering the challenge code is displayed.
29.2.6.9 Enter the challenge code and generate the response code
Prerequisite:
You must have selected the required Virtual Client in the SafeGuard Management Center Recovery
Wizard and the required recovery action.
1. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified.
If the challenge code has been entered correctly, the response code is generated. If the code
has been entered incorrectly, Invalid challenge is displayed below the block containing the
error.
2. Pass the response code on to the user. A spelling aid is provided. You can also copy the
response code to the clipboard.
When you have selected Key requested as recovery action, the requested key is transferred to
the user environment within the response code.
When you have selected Password for key file requested as recovery action, the password for
the encrypted key file is transferred within the response code. The key file is then deleted.
29.2.6.10 Enter the response code in the KeyRecovery Tool
1. In the KeyRecovery Tool on the endpoint, enter the response code the helpdesk has given to
you.
Within the response code the required key or password for the key file is transported.
2. Click OK. The drive selected for Challenge/Response is decrypted.
3. To ensure that decryption has been successful, select the decrypted drive in the Windows
PE file manager:
The contents of the decrypted drive are now displayed in the file manager. The file system as
well as the capacity and used/free space are now indicated in the properties of the decrypted
drive.
Access to the data stored on this partition is recovered. As a result of the successful decryption
you can read, write and copy data from or to the drive.
29.2.7 Challenge/Response for Sophos SafeGuard Clients (standalone)
SafeGuard Enterprise also provides Challenge/Response for unmanaged endpoints (Sophos
SafeGuard Clients standalone), when the user has forgotten the password or entered the password
incorrectly too often. Unmanaged endpoints never have any connection to the SafeGuard Enterprise
Server, not even temporarily. They operate in standalone mode.
Recovery information needed for a Challenge/Response is in this case based on the key recovery
file. On each unmanaged endpoint, this key recovery file is generated during deployment of the
SafeGuard Enterprise encryption software. The key recovery file must be accessible to the
SafeGuard Enterprise helpdesk, for example on a shared network path.
To facilitate searching and grouping of the recovery files the files will carry the name of the
computer: computername.GUID.xml in their file names. This allows for wild card search with
asterisks (*), for example: *.GUID.xml.
Note: When a computer is renamed under Windows, the name stored in the computer's local cache
is not updated. The local cache stores all keys, policies, user certificates and audit files, and
it keeps the name the computer had when the encryption software was deployed. The key recovery
file therefore continues to carry the original computer name; search for it under that name, not
under the new Windows name.
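The following Python script is an added example (not part of the SafeGuard documentation or product) of how a helpdesk can locate a standalone endpoint's key recovery file on the share using the computername.GUID.xml convention described above. It assumes the GUID segment is written in the usual 8-4-4-4-12 hexadecimal form, constructs a temporary folder with sample file names (no real recovery data), and handles the two cases the note warns about: a computer that was deployed more than once (several GUIDs under one name) and a computer that was renamed under Windows (its file is still under the deployment-time name, so a search for the new name finds nothing).

```python
import os
import re
import tempfile
from pathlib import Path

# Key recovery files are named <computername>.<GUID>.xml. The GUID format
# (8-4-4-4-12 hex digits, braces optional) is an assumption for this example.
RECOVERY_FILE_RE = re.compile(
    r"^(?P<computer>.+)\."
    r"\{?(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?"
    r"\.xml$"
)


def find_recovery_files(share_dir, computer_name):
    """Return the key recovery files for computer_name, newest first.

    share_dir is the folder (for example a mounted network share) where the
    helpdesk keeps the computername.GUID.xml files. Matching is
    case-insensitive because Windows computer names are, and a well-formed
    GUID segment is required so that unrelated *.xml files are ignored.
    """
    hits = []
    for path in Path(share_dir).glob("*.xml"):
        m = RECOVERY_FILE_RE.match(path.name)
        if m and m.group("computer").lower() == computer_name.lower():
            hits.append(path)
    # Several files under one computer name mean the machine was deployed more
    # than once (each deployment writes a new GUID). The newest file normally
    # belongs to the current installation; the helpdesk should still confirm
    # which one matches the endpoint before generating a response.
    hits.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return hits


def build_demo_share():
    """Create a temporary folder with constructed sample files (no real data)."""
    share = Path(tempfile.mkdtemp(prefix="sgn-recovery-"))
    names = [
        "LAPTOP-0042.3f2504e0-4f89-11d3-9a0c-0305e82c3301.xml",  # first deployment
        "LAPTOP-0042.7c9e6679-7425-40de-944b-e07fc1f90ae7.xml",  # reimaged later
        "DESKTOP-17.9b2c1d1e-1234-4abc-8def-0123456789ab.xml",
        "notes.xml",                                              # not a recovery file
        "LAPTOP-0042.backup.xml",                                 # malformed GUID segment
    ]
    for i, name in enumerate(names):
        path = share / name
        path.write_text("<KeyRecovery/>")        # placeholder, not real content
        os.utime(path, (1000 + i, 1000 + i))     # deterministic modification times
    return share


if __name__ == "__main__":
    share = build_demo_share()
    for hit in find_recovery_files(share, "laptop-0042"):
        print(hit.name)
    # LAPTOP-0099 is LAPTOP-0042 after a rename under Windows: the recovery file
    # still carries the deployment-time name, so this search finds nothing.
    print(find_recovery_files(share, "LAPTOP-0099"))
```

Running the script lists the two files for LAPTOP-0042, newest first, and nothing for the renamed LAPTOP-0099; the file with a malformed GUID segment and the unrelated notes.xml are skipped, so a stray file on the share cannot be picked up by mistake.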
29.2.7.1 Recovery actions for Sophos SafeGuard Clients (standalone)
Challenge/Response for an unmanaged endpoint can be initiated in the following situations:
■
The user has entered the password incorrectly too often.
■
The user has forgotten the password.
■
A corrupted local cache needs to be repaired.
For an unmanaged endpoint no user key is available in the database. Therefore, the only recovery
action possible in a Challenge/Response session is Boot SGN client without user logon.
The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on
Authentication. The user is then able to log on to Windows.
Potential recovery use cases:
The user has entered the password incorrectly too often at the SafeGuard POA level and
the computer has been locked. But the user still knows the password.
The computer is locked, and the user is prompted to initiate a Challenge/Response procedure to
unlock the computer. As the user still knows the correct password, there is no need to reset it.
The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on
Authentication. The user can then type the password correctly into the Windows logon dialog and
is logged on to Windows.
The user has forgotten the password
Note: We recommend that you use Local Self Help to recover a forgotten password. Local Self
Help allows users to have the current password displayed and to continue using it. This avoids
the need to reset the password or to involve the helpdesk.
When recovering a forgotten password with Challenge/Response a password reset is required.
1. The Challenge/Response procedure enables the computer to boot through SafeGuard Power-on
Authentication.
2. In the Windows logon dialog, the user does not know the correct password. The password
needs to be reset at Windows level. This requires further recovery actions outside the scope
of SafeGuard Enterprise, using standard Windows means.
Note: We recommend that you avoid resetting the password centrally before the
Challenge/Response procedure. This ensures that the password remains synchronized between
Windows and SafeGuard Enterprise. Make sure that the Windows helpdesk is educated accordingly.
We recommend the following methods to reset the password at Windows level.
■
By using a service or administrator account available on the endpoint with the required
Windows rights.
■
By using a Windows password reset disk on the endpoint.
As a helpdesk officer, you can inform the user which procedure should be used and either
provide the additional Windows credentials or the required disk.
3. The user enters the new password that the helpdesk has reset at Windows level. The user
then needs to change this password immediately to a value only known to the user. A new
user certificate is created based on the newly chosen Windows password. This enables the
user to log on to the computer again and to log on at SafeGuard Power-on Authentication with
the new password.
Note: Keys for SafeGuard Data Exchange: When a password is reset and a new certificate
is created, local keys previously created for SafeGuard Data Exchange can still be used if the
endpoint is a member of a domain. If the endpoint is a member of a workgroup, the user has
to remember the SafeGuard Data Exchange passphrase to reactivate these local keys.
The local cache needs to be repaired
The local cache stores all keys, policies, user certificates and audit files. By default, logon recovery
is deactivated when the local cache is corrupted, which means that it is restored automatically
from its backup. In this case, no Challenge/Response procedure is required to repair the local
cache. However, logon recovery can be activated by policy, if the local cache is to be repaired
explicitly with a Challenge/Response procedure. In this case, the user is prompted automatically
to initiate a Challenge/Response procedure, if the local cache is corrupted.
29.2.7.2 Generate a response for unmanaged endpoints using the key recovery file
Note: The key recovery file generated during installation of the SafeGuard Enterprise encryption
software needs to be stored in a location that a helpdesk officer is able to access and the name
of the file must be known.
1. In the SafeGuard Management Center, select Tools > Recovery from the menu bar to open
the Recovery Wizard.
2. In Recovery type, select Sophos SafeGuard Client (standalone).
3. Locate the required key recovery file by clicking the [...] button next to the Key recovery file
field. For easier identification, the recovery files carry the name of the computer:
computername.GUID.xml.
4. Enter the challenge code the user has passed on to you and click Next. The challenge code
is verified.
If the challenge code has been entered correctly, the recovery action requested by the computer
as well as the possible recovery actions are displayed. If the code has been entered incorrectly,
Invalid challenge is displayed below the block containing the error.
5. Select the action to be taken by the user and click Next.
6. A response code is generated. Communicate the response code to the user. A spelling aid is
provided. You may also copy the response code to the clipboard.
The user can enter the response code, perform the requested action and resume working.
29.3 Recovery for BitLocker
Depending on the system used, SafeGuard Enterprise offers either a Challenge/Response procedure
for recovery or the possibility of obtaining the recovery key from the helpdesk. For the
requirements for SafeGuard Enterprise Challenge/Response, see Prerequisites for managing BitLocker
on endpoints (page 161).
29.3.1 Response for BitLocker encrypted SafeGuard Enterprise Clients - UEFI
endpoints
For UEFI endpoints that meet certain requirements, SafeGuard Enterprise offers Challenge /
Response for recovery. On UEFI endpoints that do not fulfill the requirements SafeGuard BitLocker
management without Challenge/Response is installed automatically. To recover these endpoints
see Recovery key for BitLocker encrypted SafeGuard Enterprise Clients - BIOS endpoints (page
240).
1. On the Recovery type page, select SafeGuard Enterprise Client (managed).
2. Under Domain, select the required domain from the list.
3. Under Computer enter or select the required computer name. There are several ways to do
so:
■
To select a name, click [...]. Then click Find now. A list of computers is displayed. Select
the required computer and click OK. The computer name is displayed on the Recovery
type page.
■
Type the short name of the computer directly into the field. When you click Next, the
database is searched for this name. If it is found, the distinguished computer name is
displayed.
■
Enter the computer name directly in the distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Sophos,DC=edu
4. Click Next.
5. Select the volume to be accessed from the list and click Next.
6. Click Next.
A page is displayed where you can enter the challenge code.
7. Enter the challenge code the user has passed on to you and click Next.
8. A response code is generated. Provide the response code to the user. A spelling aid is provided.
You can also copy the response code to the clipboard.
The user can enter the response code and get access to the endpoint.
29.3.2 Recovery key for BitLocker encrypted SafeGuard Enterprise Clients - BIOS endpoints
For BitLocker encrypted BIOS computers a volume that cannot be accessed any more may be
recovered.
1. On the Recovery type page, select SafeGuard Enterprise Client (managed).
2. Under Domain, select the required domain from the list.
3. Under Computer enter or select the required computer name. There are several ways to do
so:
■
To select a name, click [...]. Then click Find Now. A list of computers is displayed. Select
the required computer and click OK. The computer name is displayed in the Recovery
type window under Domain.
■
Type the short name of the computer directly into the field. When you click Next, the
database is searched for this name. If it is found, the distinguished computer name is
displayed.
■
Enter the computer name directly in distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Utimaco,DC=edu
4. Click Next.
5. Select the volume to be accessed from the list and click Next.
6. The Recovery Wizard displays the corresponding 48-digit recovery key.
7. Provide this key to the user.
The user can enter the key to recover the BitLocker encrypted volume on the endpoint.
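The following Python function is an added example, not part of the SafeGuard product or its documentation, for the step in which the 48-digit recovery key is read out to the user. It relies on properties of the BitLocker recovery password format itself (not of SafeGuard): the key is eight groups of six decimal digits, each group is a 16-bit value multiplied by 11 (so it is divisible by 11 and below 720896), and the sixth digit of each group is therefore a check digit. Checking these before the user types the key at the BitLocker recovery screen catches a misheard or transposed digit and tells the helpdesk which group to read again. Deriving the actual volume key from the eight values is outside the example.

```python
import re

GROUP_COUNT = 8
GROUP_DIGITS = 6
GROUP_MAX = 11 * 65536  # 720896: each group is a 16-bit value multiplied by 11


def parse_bitlocker_recovery_password(text):
    """Check a 48-digit BitLocker recovery password as dictated by the helpdesk.

    Returns (values, errors). values holds the eight 16-bit integers the
    password encodes when it is well-formed, otherwise an empty list; errors
    lists every problem found, one per group, so that only the affected
    groups have to be read out again. Dashes and whitespace are ignored.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != GROUP_COUNT * GROUP_DIGITS:
        return [], [
            f"expected {GROUP_COUNT * GROUP_DIGITS} digits, "
            f"got {len(digits)} characters after removing separators"
        ]
    values, errors = [], []
    for i in range(GROUP_COUNT):
        group = digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS]
        n = int(group)
        # Check digit: the group read as a decimal number must be divisible by
        # 11. Any single wrong digit, and any swap of two different adjacent
        # digits, changes the value modulo 11, so both are always detected.
        if n % 11 != 0:
            errors.append(f"group {i + 1} ({group}): check digit does not match")
        elif n >= GROUP_MAX:
            errors.append(f"group {i + 1} ({group}): value out of range")
        else:
            values.append(n // 11)
    return ([], errors) if errors else (values, [])


def is_valid_bitlocker_recovery_password(text):
    """True when text is a well-formed 48-digit recovery password."""
    return not parse_bitlocker_recovery_password(text)[1]


if __name__ == "__main__":
    # Constructed sample key (values 1..7 and 65535), not a real recovery key.
    sample = "000011-000022-000033-000044-000055-000066-000077-720885"
    print(parse_bitlocker_recovery_password(sample))
    # One misheard digit in the first group is reported for that group only.
    print(parse_bitlocker_recovery_password(sample.replace("000011", "000012", 1)))
```

The check only proves that the key is well-formed, not that it belongs to the volume; a syntactically valid key that BitLocker still rejects means the wrong computer or volume was selected in the Recovery Wizard.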
29.4 Recovery key for Mac endpoints
Access to FileVault 2 encrypted SafeGuard Enterprise Clients can be regained with the following
procedure:
1. On the Recovery type page, select SafeGuard Enterprise Client (managed).
2. Under Domain, select the required domain from the list.
3. Under Computer enter or select the required computer name. There are several ways to do
so:
■
To select a name, click [...]. Then click Find Now. A list of computers is displayed. Select
the required computer and click OK. The computer name is displayed in the Recovery
type window under Domain.
■
Type the short name of the computer directly into the field. When you click Next, the
database is searched for this name. If it is found, the distinguished computer name is
displayed.
■
Enter the computer name directly in distinguished name format, for example:
CN=Desktop1,OU=Development,OU=Headquarter,DC=Utimaco,DC=edu
4. Click Next.
5. The Recovery Wizard displays the corresponding 24-character recovery key.
6. Provide this key to the user.
The user can enter the recovery key to get logged on to the Mac endpoint and reset the password.
29.5 System Recovery for SafeGuard full disk encryption
SafeGuard Enterprise encrypts files and drives transparently. Boot drives can also be encrypted,
so decryption functionalities such as code, encryption algorithms and encryption key must be
available very early in the boot phase. Therefore encrypted information cannot be accessed if the
crucial SafeGuard Enterprise modules are unavailable or do not work.
The following sections cover possible problems and recovery methods.
29.5.1 Recover data by booting from an external medium
This recovery type can be applied when the user cannot access the encrypted volume any more.
In this case, access to the encrypted data can be regained by booting the computer from a
Windows PE recovery disk customized for SafeGuard Enterprise.
Prerequisites:
■
The user booting from the external medium must have the right to do so. This has to be
configured in the computer's BIOS.
■
The computer must support booting from different media than the fixed hard drive.
To regain access to encrypted data on the computer, do the following:
1. Obtain the SafeGuard Enterprise Windows PE disk from Sophos technical support.
The helpdesk may download the Windows PE recovery disk with the latest SafeGuard Enterprise
filter drivers from the Sophos support site. For further information, see
http://www.sophos.com/en-us/support/knowledgebase/108805.aspx.
2. Insert the Windows PE recovery disk into the computer.
3. Boot the computer from the recovery disk and carry out a Challenge/Response procedure with
a Virtual Client. For further information, see Challenge/Response using Virtual Clients (page
230).
Access to the data stored on this partition is recovered.
Note: Depending on the BIOS in use, booting from the disk may not work.
29.5.2 Corrupted MBR
For resolving problems with a corrupted MBR, SafeGuard Enterprise offers the tool
BE_Restore.exe.
For a detailed description of how to restore a corrupted MBR with this tool refer to the SafeGuard
Enterprise tools guide.
29.5.3 Damaged kernel boot code
It is possible to access a hard disk with damaged kernel boot code as keys are stored separately
from the kernel in the so-called KSA (Key Storage Area). By separating the kernel and the keys,
this type of drive can be decrypted when hooked up to another computer.
To do this, the user logging on to the other computer needs a key for the KSA of the unbootable
partition on their key ring.
In the worst case, the partition is encrypted only with the Boot_Key of the unbootable computer.
In such a case, the Master Security Officer or the Recovery Officer must assign this Boot_Key to
the user. For further information, see "Slaving" a hard disk (page 244).
29.5.4 Volumes
SafeGuard Enterprise provides volume-based encryption. This includes saving encryption
information consisting of the boot sector, primary and backup KSA and the original boot sector
on each drive itself.
If one of the following conditions applies, the volume cannot be accessed any longer:
■
Both Key Storage Areas (KSA) are damaged at the same time.
■
The original MBR is damaged.
29.5.4.1 Boot sector
During the encryption process a volume's boot sector is swapped for the SafeGuard Enterprise
boot sector.
The SafeGuard Enterprise boot sector holds information about
■
The location of the primary and backup KSA in clusters and sectors in relation to the start of
the partition
■
The size of the KSA
If the SafeGuard Enterprise boot sector is damaged, encrypted volumes cannot be accessed.
The tool BE_Restore can restore the damaged boot sector. For further information, see the
SafeGuard Enterprise tools guide.
29.5.4.2 Original boot sector
The original boot sector is the one that is run after the DEK (Data Encryption Key) has been
decrypted and the algorithm and the key have been loaded to the BE filter driver.
If this boot sector is defective, Windows is unable to access the volume. Normally the common
error message "Device is not formatted. Would you like to format it now? Yes/No" is displayed.
Nonetheless, SafeGuard Enterprise will load the DEK for this volume. A tool that is used to repair
the boot sector needs to be compatible with the SafeGuard Enterprise Upper Volume Filter.
29.5.5 Windows boot problems
The volume-specific key material (boot sector and Key Storage Area, KSA) is stored on the volume itself, which makes SafeGuard Enterprise very flexible when a Windows system no longer boots.
You can save a damaged system by booting a restore medium from the SafeGuard Power-on
Authentication (Windows PE with the SafeGuard Enterprise encryption subsystem installed).
These media have transparent en-/decryption access to volumes encrypted with SafeGuard
Enterprise. The cause of the unbootable system can be remedied from there.
29.5.5.1 Encryption subsystem
The encryption subsystem consists of drivers such as BEFLT.sys. If it is damaged, carry out the procedure described under Windows boot problems and repair the system.
29.5.6 Setting up WinPE for SafeGuard Enterprise
To get access to encrypted drives with a computer's BOOTKEY within a WinPE environment,
SafeGuard Enterprise offers WinPE with the required SafeGuard Enterprise function modules
and drivers. To start SetupWinPE, enter the following command:
SetupWinPE -pe2 <WinPE image file>
where <WinPE image file> is the full path name of a WinPE image file. SetupWinPE makes all the changes needed.
Note: With this type of WinPE environment, only encrypted drives that are encrypted with the
BOOTKEY can be accessed. Drives that are encrypted with a user key cannot be accessed
because the keys are not available in this environment.
29.5.7 "Slaving" a hard disk
SafeGuard Enterprise allows encrypted volumes or hard disks to be "slaved", that is, attached to another computer. The end user, the Windows administrator and the SafeGuard Enterprise Security Officer can connect or remove volumes or hard disks despite sector-based encryption.
A volume's Key Storage Area (KSA) holds all the information required, that is:
■ The randomly generated DEK (Data Encryption Key).
■ An ID for the encryption algorithm used to encrypt the volume.
■ The list of GUIDs for the KEKs (Key Encryption Keys) that can encrypt and decrypt the DEK.
(The size of the volume is stored in the volume itself, not in the KSA.)
A volume encrypted with SafeGuard Enterprise can be accessed from all SafeGuard Enterprise
protected endpoints, provided that the user or computer possess a KEK for the KSA of the volume
on their key ring.
Users or computers must be able to decrypt the DEK encrypted by the KEK.
Many users and computers can access a volume that has been encrypted with a distributable
KEK such as an OU, group or domain key, because many users/computers of a domain have
this key on their key ring.
However, a volume that is only encrypted with the individual boot key ("Boot_machinename") of
the SafeGuard Enterprise protected endpoint can only be accessed by that particular computer.
If a volume does not boot on its original computer, it may be "slaved" on another SafeGuard Enterprise protected endpoint. However, that endpoint does not hold the original computer's boot key, so the key has to be made accessible first. Once a matching KEK is on the key ring of the user or computer, the volume can be accessed from the other computer, because a KEK listed in the KSA and a key on the key ring match again.
29.5.7.1 Example
Alice has her own personal user key. When she is logged on to her other computer ("Laptop_Alice"), she cannot access the volume that is encrypted with the boot key of the "SGMCLT" computer.
The SafeGuard Enterprise protected endpoint "SGMCLT" only has its own boot key BOOT_SGMCLT.
The Security Officer assigns the boot key "BOOT_SGMCLT" to Alice as follows:
1. Select user Alice
2. Click the "Binocular" icon in the SafeGuard Enterprise toolbar. This opens the search dialog
which can also display boot keys.
3. Select the "BOOT_SGMCLT" key.
Alice now has two keys, "User_Alice" and "BOOT_SGMCLT". This can be verified under Keys & Certificates.
The key "BOOT_SGMCLT" is now assigned twice: to the SGMCLT computer and to user Alice.
Alice can now access the encrypted volume of SGMCLT from any other SafeGuard Enterprise protected endpoint she is able to log on to.
She can then use tools such as Windows Explorer and regedit.exe to resolve the cause of the boot problem.
If, in the worst case, the problem cannot be resolved, she can save the data to another drive and reformat the volume or set it up again.
30 Restore a corrupt SafeGuard Management Center installation
If the installation of the SafeGuard Management Center is corrupted, but the database is still
intact, the installation can be easily restored by installing the SafeGuard Management Center
afresh and using the existing database as well as the backed up Security Officer certificate.
■ The Master Security Officer certificate of the relevant database configuration must have been exported to a .p12 file and must be available and valid.
■ The passwords for the .p12 file as well as for the certificate store must be known to you.
To restore a corrupt SafeGuard Management Center installation:
1. Install the SafeGuard Management Center installation package afresh. Open the SafeGuard
Management Center. The Configuration Wizard is started automatically.
2. In Database Connection, select the relevant database server and configure the connection
to the database if required. Click Next.
3. In Database Settings click Select an available database and select the relevant database
from the list.
4. In Security Officer Data, do either of the following:
■ If the backed up certificate file can be found on the computer, it is displayed. Enter the password you use for authenticating at the SafeGuard Management Center.
■ If the backed up certificate file cannot be found on the computer, select Import. Browse for the backed up certificate file and click Open. Enter the password for the selected certificate file. Click Yes. Enter and confirm a password for authenticating at the SafeGuard Management Center.
5. Click Next, and then Finish to complete the SafeGuard Management Center configuration.
The corrupt SafeGuard Management Center installation is restored.
31 Restore a corrupt database configuration
A corrupt database configuration can be restored by installing SafeGuard Management Center
afresh to create a new instance of the database based upon the backed up certificate files. This
guarantees that all existing SafeGuard Enterprise endpoints still accept policies from the new
installation.
■ The company and Master Security Officer certificates of the relevant database configuration must have been exported to .p12 files and must be available and valid.
■ The passwords for the two .p12 files as well as for the certificate store must be known to you.
Note: We only recommend this type of restore if no valid database backup is available. All computers that connect to a backend restored in this way lose their User Machine Assignment, which temporarily switches off SafeGuard Power-on Authentication. Challenge/Response is not available until the corresponding endpoint has successfully sent its key information again.
To restore a corrupt database configuration:
1. Reinstall the SafeGuard Management Center installation package. Open the SafeGuard
Management Center. The Configuration Wizard is started automatically.
2. In Database Connection, check Create a new database. Under Database settings, configure
the connection to the database. Click Next.
3. In Security Officer Data, select the relevant MSO and click Import.
4. In Import Authentication Certificate browse for the backed up certificate file. Under Key file
enter and confirm the password specified for this file. Click OK.
5. The MSO certificate is imported. Click Next.
6. In Company Certificate, check Restore using an existing company certificate. Click Import
to browse for the backed up certificate file that contains the valid company certificate. You are
prompted to enter the password specified for the certificate store. Enter the password and
click OK to confirm it. Click Yes in the message displayed.
The company certificate is imported.
7. Click Next, then Finish.
The database configuration is restored.
32 Inventory and status data
SafeGuard Enterprise reads an extensive amount of inventory and status data from the endpoints.
This data shows the current global state of each computer. The data is displayed in the SafeGuard
Management Center in Users and Computer in the Inventory tab.
As a security officer, you can view, export and print out inventory and status data. For example,
you can create compliance reports to show that endpoints have been encrypted. Wide-ranging
sort and filter features are available to help you select the relevant data.
The Inventory provides for example the following data about each machine:
■ The policy applied.
■ The last server contact.
■ The encryption status of all media.
■ The POA status and type.
■ The installed SafeGuard Enterprise modules.
■ The WOL status.
■ User data.
32.1 Mac endpoints in the inventory
The Inventory provides status data for Macs managed in the SafeGuard Management Center.
For further information, see Inventory and status data of Macs (page 276).
32.2 View inventory data
1. In the navigation area of the SafeGuard Management Center, click Users and Computers.
2. In the navigation window, click the relevant container (domain, workgroup or computer) on the
left-hand side.
3. In the action area, switch to the Inventory tab on the right-hand side.
4. In the Filter area, select the filter to be applied on the inventory display, see Filter inventory
data (page 249).
Note: If you are selecting a particular computer, you receive the inventory data as soon as
you switch to the Inventory tab. The Filter area is not available here.
5. In the Filter area, click the magnifier icon.
The inventory and status data appears in a summarized table for all the machines in the container
selected. The tabs Drives, Users and Features are also available for each machine.
By clicking a column header you can sort the inventory data based on the values of the selected
column. The context menu for each column offers a number of features for sorting, grouping and
customizing the display. Depending on your access rights, items in the inventory are shown in
different colors:
■ Items for objects for which you have Full access rights are shown in black.
■ Items for objects for which you have Read only access rights are shown in blue.
■ Items for objects for which you have no access rights are greyed out.
32.3 Show hidden columns
Some columns in the inventory data display are hidden by default.
1. In the inventory data display, right-click the column header bar.
2. From the context menu, select Runtime Column Customization.
The Customization window is displayed showing the hidden columns.
3. Drag the required column from the Customization window to the column header bar.
The column is shown in the inventory data display. To hide it again, drag it back to the
Customization window.
32.4 Filter inventory data
When working from an OU, filters can be defined to limit the display based on particular criteria. The following fields are available for defining filters in the Filter area of the Inventory tab:
Computer name: To display the inventory and status data for a particular computer, enter the computer's name in this field.
Including subcontainers: Activate this field if you want to include subcontainers in the display.
Show last modified: Use this field to specify the number of last changes to be displayed.
You can also use the Filter Editor to create user-defined filters. You can open the Filter Editor
from the context menu for each column. In the Filter Builder window, you can define your own
filters and apply them to the column concerned.
32.5 Refresh inventory data
The endpoints usually send an update of the inventory data when the data have changed.
The Request Inventory Refresh command can be used to manually request a refresh of the
computer's current inventory data. This command is available for a particular computer or for all
the computers in a node (optionally including sub-nodes) from the context menu and the Actions
menu in the SafeGuard Management Center menu bar. The command can also be selected using
the context menu for the list entries.
If you select this command or click the Request Inventory Refresh icon in the toolbar, the relevant
computers send their current inventory data.
As is the case with other areas in the SafeGuard Management Center, you can use the Refresh command to refresh the display. You can select this command from the context menu for individual computers or all the computers in a node and from the View menu in the menu bar. You can also use the Refresh double-headed arrow icon in the toolbar to refresh the display.
32.6 Overview
The individual columns in the overview show the following information.
Note: Some columns are hidden by default. You can customize the display to show them. For
further information, see Show hidden columns (page 249).
Machine name: Shows the computer's name.
Domain: Shows the computer's domain name.
Domain Pre 2000: Shows the pre-Windows 2000 domain name.
User name (owner): Shows the user name of the computer's owner, if available.
First name: Shows the owner's first name, if available.
Last name: Shows the owner's last name, if available.
Email address: Shows the owner's email address, if available.
Other registered users: Shows the names of other registered users of the computer, if available.
Operating system: Shows the computer's operating system.
Last server contact: Shows when (date and time) the computer last communicated with the server.
Last policy received: Shows when (date and time) the computer received the last policy.
Encrypted drives: Shows the computer's encrypted drives.
Unencrypted drives: Shows the computer's unencrypted drives.
POA type: Specifies whether the computer is a native SafeGuard Enterprise endpoint, a BitLocker endpoint with SafeGuard Challenge/Response, a BitLocker endpoint with native recovery mechanism, a FileVault 2 endpoint or an endpoint with a self-encrypting Opal-compliant hard drive.
POA: Specifies whether SafeGuard Power-on Authentication is activated for the computer.
WOL: Specifies whether Wake on LAN is activated for the computer.
Modification date: Shows the date when the inventory data changed due to an inventory refresh request or the computer sending new inventory data.
Refresh requested: Shows the date of the last refresh request. The value displayed in this field is deleted when the request is processed by the computer.
Parent DSN: Shows the Distinguished Name of the container object the computer is subordinated to. This column is only displayed if the field Including subcontainers has been activated in the Filter area.
Current Company certificate: Specifies whether the computer uses the current company certificate.
32.7 Drives tab
The Drives tab shows the inventory and status data for the drives on the computer concerned.
Drive name: Shows the name of the drive.
Label: Shows the label of a Mac drive.
Type: Shows the drive type, for example Fixed, Removable Medium or CD-ROM/DVD.
State: Shows the encryption state of a drive.
Note: If SafeGuard BitLocker management is installed on an endpoint, Not prepared may be displayed as the encryption state of a drive. This indicates that the drive currently cannot be encrypted with BitLocker because the necessary preparations have not been done yet. This only applies to managed endpoints, since unmanaged endpoints cannot report inventory data. For prerequisites to manage and encrypt BitLocker drives, see Prerequisites for managing BitLocker on endpoints (page 161). The encryption state of an unmanaged endpoint can be checked with the command line tool SGNState. For details, see the SafeGuard Enterprise Tools guide.
Algorithm: For encrypted drives, this field shows the algorithm used for encryption.
32.8 Users tab
The Users tab shows the inventory and status data for the users on the computer.
User name: Shows the user name of the user.
Distinguished Name: Shows the distinguished name (DN) of the user, for example: CN=Administrator,CN=Users,DC=domain,DC=mycompany,DC=net
User is owner: Indicates whether the user is defined as the computer's owner.
User is locked: Indicates whether the user is locked.
SGN Windows user: Indicates whether the user is an SGN Windows user. An SGN Windows user is not added to the SafeGuard POA, but has a key ring for accessing encrypted files, just as an SGN user does. You can activate the registration of SGN Windows users on endpoints by policies of the type Specific Machine Settings.
32.9 Features tab
The Features tab provides an overview of all the SafeGuard Enterprise modules installed on the
computer.
Module name: Shows the name of the SafeGuard Enterprise module installed.
Version: Shows the software version of the SafeGuard Enterprise module installed.
32.10 Company certificate tab
The Company Certificate tab shows the properties of the currently used company certificate
and indicates whether a newer company certificate is available.
Subject: Shows the distinguished name of the subject of the company certificate.
Serial: Shows the serial number of the company certificate.
Issuer: Shows the distinguished name of the issuer of the company certificate.
Valid from: Shows the date and time when the company certificate becomes valid.
Valid to: Shows the date and time when the company certificate expires.
Newer company certificate available: Indicates whether a newer company certificate than the endpoint's current one is available.
32.11 Creating inventory data reports
As a security officer, you can create inventory data reports in different formats. For example, you
can create compliance reports to show that endpoints have been encrypted. Reports can be
printed or exported to a file.
32.11.1 Print inventory reports
1. In the SafeGuard Management Center menu bar, click File.
2. You can either print the report directly or display a print preview.
The print preview provides various features, for example for editing the page layout (header
and footer etc.).
■ To get a print preview, select Print > Preview.
■ To print the document without a print preview, select Print.
32.11.2 Export inventory reports to files
1. In the SafeGuard Management Center menu bar, click File.
2. Select Print > Preview.
The inventory report Preview is displayed.
The preview provides various features, for example for editing the page layout (header and
footer etc.).
3. In the toolbar of the Preview window, select the drop-down list of the Export Document...
icon.
4. Select the required file type from the list.
5. Specify the required export options and click OK.
The inventory report is exported to a file of the file type specified.
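An exported inventory report can be post-processed into the kind of compliance check the section above describes. The following Python script is an added example, not part of SafeGuard Enterprise: it assumes the report was exported as CSV with the column headers used in the Overview (this guide does not document the export layout), and the four endpoint rows are constructed. It flags unencrypted drives, disabled POA, an outdated company certificate, and endpoints whose last server contact is so old that the inventory may not reflect their real state.

```python
"""Compliance check over an exported inventory report.

Added example for this help page, not Sophos code. It assumes a CSV export
whose headers match the Overview column names; the rows are constructed."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (assumed layout, not the product's own format).
SAMPLE_EXPORT = """\
Machine name,Domain,Operating system,Last server contact,Encrypted drives,Unencrypted drives,POA,Current Company certificate
SGMCLT,corp,Windows 7,2014-12-01 08:15:00,C:,,Yes,Yes
LAPTOP-ALICE,corp,Windows 8.1,2014-11-02 17:40:00,C:,D:,Yes,Yes
SRV-BUILD,corp,Windows Server 2012,2014-12-01 07:02:00,,C:;D:,No,No
PC-CAROL,corp,Windows 8.1,2014-11-30 19:30:00,C:,,Yes,Yes
"""


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_endpoint(row, now, max_age):
    """Return the list of compliance findings for one inventory row (empty = OK)."""
    findings = []
    unencrypted = row["Unencrypted drives"].strip()
    if unencrypted:
        findings.append("unencrypted drives: " + unencrypted)
    if not row["Encrypted drives"].strip():
        findings.append("no encrypted drive at all")
    if row["POA"] != "Yes":
        findings.append("Power-on Authentication not activated")
    if row["Current Company certificate"] != "Yes":
        findings.append("endpoint still uses an outdated company certificate")
    # A stale endpoint has not reported for a long time: whatever the inventory
    # says about it is unverified, so treat it as a finding, not as compliant.
    last = datetime.strptime(row["Last server contact"], "%Y-%m-%d %H:%M:%S")
    if now - last > max_age:
        findings.append(f"stale: last server contact {(now - last).days} days ago, "
                        "inventory may not reflect the current state")
    return findings


def compliance_report(rows, now, max_age=timedelta(days=14)):
    report = {"compliant": [], "noncompliant": {}}
    for row in rows:
        findings = check_endpoint(row, now, max_age)
        if findings:
            report["noncompliant"][row["Machine name"]] = findings
        else:
            report["compliant"].append(row["Machine name"])
    return report


def run_sample_report(now=datetime(2014, 12, 1, 12, 0, 0)):
    return compliance_report(parse_export(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    rep = run_sample_report()
    print("compliant:", ", ".join(rep["compliant"]))
    for name, findings in rep["noncompliant"].items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Pass the real export path and the current time instead of the constructed sample; the 14-day staleness limit is a policy choice and should match how often your endpoints are expected to contact the server.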
33 Reports
Recording security-related incidents is a prerequisite for detailed system analysis. The events
logged facilitate the exact tracking of processes on a specific workstation or within a network. By
logging events, you can for example verify security breaches committed by third parties. By using
the logging functionality, administrators and security officers can also detect errors in granting
user rights and correct them.
SafeGuard Enterprise logs all endpoint activities and status information as well as administrator
actions and security-related events and saves them centrally. The logging functionality records
events triggered by installed SafeGuard products. The type of logs is defined in policies of the
type Logging. This is also where you specify the output and saving location for the logged events:
the Windows Event Log of the endpoint or the SafeGuard Enterprise Database.
As a security officer with the necessary rights, you can view, print and archive status information
and log reports displayed in the SafeGuard Management Center. The SafeGuard Management
Center offers comprehensive sorting and filter functions which are very helpful when selecting
the relevant events from the information available.
Automated analyses of the log database, for example with Crystal Reports or Microsoft System
Center Operations Manager, are also possible. SafeGuard Enterprise protects the log entries
against unauthorized manipulation using signatures on the client and on the server side.
Depending on the logging policy, events of the following categories can be logged:
■ Authentication
■ Administration
■ System
■ Encryption
■ Client
■ Access control
■ For SafeGuard Data Exchange, you can track files accessed on removable media by logging the relevant events. For further information on this report type, see File access report for removable media and cloud storage (page 260).
■ For SafeGuard Cloud Storage, you can track files accessed in your cloud storage by logging the relevant events. For further information on this report type, see File access report for removable media and cloud storage (page 260).
33.1 Application scenarios
The SafeGuard Enterprise logging functionality is a user-friendly and comprehensive solution for
recording and analyzing events. The following examples show typical application scenarios for
SafeGuard Enterprise Reports.
33.1.1 Central monitoring of endpoints within a network
The security officer wants to be informed about critical events (for example, unauthorized data
access, a number of failed logon attempts within a specified time frame) on a regular basis. Using
a logging policy, the security officer can configure logging processes to log all security-related
events occurring on the endpoints in a local log file. This log file is transferred to the SafeGuard
Enterprise Database by the SafeGuard Enterprise Server after a number of events has been
reached. The security officer can retrieve, view and analyze the events in the Event Viewer of
the SafeGuard Management Center. The processes performed on different endpoints can be
audited without staff being able to influence logging.
33.1.2 Monitor mobile users
In general, mobile users are not constantly connected to the company network. Sales
representatives may for example disconnect their notebooks for a meeting. As soon as they log
on to the network again, the SafeGuard Enterprise events logged during the offline period are
transferred. The logging functionality provides an exact overview on the user's activities during
the time that the computer was not connected to the network.
33.2 Prerequisite
Events are handled by the SafeGuard Enterprise Server. If you want to activate reports on
computers on which no SafeGuard Enterprise client is installed (SafeGuard Management Center
computers or the SafeGuard Enterprise Server itself), you need to make sure that events are sent
to the SafeGuard Enterprise Server. You therefore have to install a client configuration package
on the computer. By doing so, the computer is activated as a client at the SafeGuard Enterprise
Server and the Windows or SafeGuard Enterprise logging functionality is enabled.
For further information on client configuration packages, see Working with configuration packages
(page 93).
33.3 Destinations for logged events
There are two possible destinations for logged events: the Windows Event Viewer or the SafeGuard
Enterprise Database. Only events related to a SafeGuard product are written to the relevant
destination.
The output destinations for events to be logged are specified in the logging policy.
33.3.1 Windows Event Viewer
Events for which you define the Windows Event Viewer as a destination in the logging policy are
logged in the Windows Event Viewer. The Windows Event Viewer can be used to display and
manage logs for system, security and application events. You can also save these event logs.
For these procedures, an administrator account for the relevant endpoint is required. In the
Windows Event Viewer, an error code is displayed instead of a descriptive event text.
Note: A prerequisite for viewing SafeGuard Enterprise events in the Windows Event Viewer is
that a client configuration package is installed on the endpoint.
Note: This chapter describes the processes of viewing, managing and analyzing event logs in
the SafeGuard Management Center. For further information on the Windows Event Viewer, refer
to your Microsoft Documentation.
33.3.2 SafeGuard Enterprise Database
Events for which you define the SafeGuard Enterprise Database as a destination in the logging
policy are collected in a local log file in the local cache of the relevant endpoint in the following
directory: auditing\SGMTranslog. Log files are submitted to a transport mechanism which transfers
them to the database through the SafeGuard Enterprise Server. By default, the file is submitted
as soon as the transport mechanism has successfully established a connection to the server. To
limit the size of a log file, you can define a maximum number of log entries in a policy of the type
General Settings. The log file will be submitted to the transport queue of the SafeGuard Enterprise
Server when the number of entries specified has been reached. The events logged in the central
database can be displayed in the SafeGuard Enterprise Event Viewer or File Tracking Viewer.
As a security officer, you need the relevant rights to view, analyze and manage the events logged
in the database.
33.4 Configure logging settings
Report settings are defined in two policies:
■ General Settings policy
In a General Settings policy, you can specify a maximum number of logged entries after which the log file containing the events destined for the central database is to be transferred to the SafeGuard Enterprise Database. This reduces the size of the individual log files to be transferred. This setting is optional.
■ Logging policy
The events to be logged are specified in a logging policy. In this policy, a security officer with the required policy rights defines which events will be logged to which output destination.
33.4.1 Define the number of events for feedback
1. Click the Policies button in the SafeGuard Management Center.
2. Create a new General Settings policy or select an existing one.
3. Under Logging in the Feedback after number of events field, specify the maximum number
of events for a log file.
4. Save your settings.
After assigning the policy, the number of events specified applies.
33.4.2 Select events
1. In the SafeGuard Management Center, click Policies.
2. Create a new Logging policy or select an existing one.
In the action area on the right-hand side under Logging, all predefined events which can be
logged are displayed. By default, the events are grouped by Level, for example Warning or
Error. But you can change the grouping. By clicking on the column headers you can sort the
events by ID, Category etc.
3. To specify that an event is to be logged in the SafeGuard Enterprise Database, select the
event by clicking in the column showing the database icon Log events in database. For
events to be logged in the Windows Event Viewer, click in the column showing the event log
icon Log in event log.
By clicking repeatedly you can deselect the event or set it to null. If you do not define a setting
for an event, the relevant default value applies.
4. For all events selected, a green check mark is displayed in the relevant column. Save your
settings.
After assigning the policy the selected events are logged in the relevant output destination.
Note: For a list of all events available for logging, see Events available for reports (page 281).
33.5 View logged events
As a security officer with the necessary rights, you can view the events logged in the central
database in the SafeGuard Management Center Event Viewer.
To retrieve the entries logged in the central database:
1. In the navigation area of the SafeGuard Management Center, click Reports.
2. In the Reports navigation area, select Event Viewer.
3. In the Event Viewer action area on the right-hand side, click the magnifier icon.
All events logged in the central database are shown in the Event Viewer.
The individual columns show the following information concerning the events logged:
ID: Shows a number identifying the event.
Event: Shows the event text, that is, a description of the event.
Category: Classification of the event by its source, for example Encryption, Authentication, System.
Application: Shows the software area the event originated from, for example SGMAuth, SGBaseENc, SGMAS.
Computer: Shows the name of the computer on which the logged event occurred.
Computer domain: Shows the domain of the computer on which the logged event occurred.
User: Shows the user who was logged on at the time of the event.
User domain: Shows the domain of the user who was logged on at the time of the event.
Log time: Shows the system date and system time at which the event was logged on the endpoint.
By clicking the relevant column headers you can sort the events by Level, Category etc.
In addition, the context menu of the relevant columns offers a number of functions for sorting,
grouping and customizing the Event Viewer.
By double-clicking an entry in the Event Viewer you can display event details concerning the
logged event.
33.5.1 Apply filters to the SafeGuard Enterprise Event Viewer
The SafeGuard Management Center offers comprehensive filter functions. Using these functions
you can quickly retrieve the relevant events from the events displayed.
The Filter area of the Event Viewer offers the following fields for defining filters:
Categories: Using this field you can filter the Event Viewer according to the source classification (for example Encryption, Authentication, System) shown in the Category column. Select the required categories from the drop-down list of the field.
Error level: Using this field you can filter the Event Viewer according to the Windows event classification (for example warning, error) shown in the Level column. Select the required levels from the drop-down list of the field.
Show last: In this field, you can define the number of events to be displayed. The events logged last are displayed (by default the last 100 events).
In addition, you can create user-defined filters using the Filter Editor. You can display the Filter
Editor from the context menu of the individual report columns. In the Filter Builder window you
can define filters and apply them to the relevant column.
33.6 File access report for removable media and cloud storage
For SafeGuard Data Exchange and SafeGuard Cloud Storage, you can track files accessed
on removable media or in your cloud storage. Regardless of any encryption policy applying to
files stored on removable media or cloud storage, events can be logged for the following:
■ A file or directory is created on a removable media device or in cloud storage.
■ A file or directory is renamed on a removable media device or in cloud storage.
■ A file or directory is deleted from a removable media device or in cloud storage.
File access tracking events can be viewed in the Windows Event Viewer or in the SafeGuard
Enterprise File Tracking Viewer depending on the destination you specify when you define the
logging policy.
33.6.1 Configure file access tracking
1. In the SafeGuard Management Center, select Policies.
2. Create a new Logging policy or select an existing one.
In the action area on the right-hand side under Logging, all predefined events which can be
logged are displayed. By clicking on the column headers you can sort the events by ID,
Category etc.
3. To activate file access tracking select the following log events depending on your requirements:
   ■ for files stored on removable media:
      ■ ID 3020 File tracking for removable media: a file has been created.
      ■ ID 3021 File tracking for removable media: a file has been renamed.
      ■ ID 3022 File tracking for removable media: a file has been deleted.
   ■ for files stored in cloud storage:
      ■ ID 3025 File tracking for cloud storage: a file has been created.
      ■ ID 3026 File tracking for cloud storage: a file has been renamed.
      ■ ID 3027 File tracking for cloud storage: a file has been deleted.
To specify that an event is to be logged in the SafeGuard Enterprise Database, select the
event by clicking in the column showing the database icon Log events in database. For
events to be logged in the Windows Event Viewer, click in the column showing the event log
icon Log in event log.
For all events selected, a green check mark is displayed in the relevant column.
4. Save your settings.
After assigning the policy, file access tracking is activated and the selected events are logged in
the relevant output destination.
Note: Be aware that enabling file access tracking significantly increases the server load.
33.6.2 View file access tracking events
To view file access tracking logs, you need the right Display file tracking events.
1. In the navigation area of the SafeGuard Management Center, click Reports.
2. In the Reports navigation area, select File Tracking Viewer.
3. In the File Tracking Viewer action area on the right-hand side, click the magnifier icon.
All events logged in the central database are shown in the File Tracking Viewer. The display is
identical to the Event Viewer display. For further details, see View logged events (page 258).
33.7 Print reports
You can print the event reports displayed in the SafeGuard Management Center Event Viewer
or File Tracking Viewer from the File menu in the menu bar of the SafeGuard Management
Center.
■ To display a print preview before printing the report, select File > Print Preview. The print
  preview offers different functions, for example for exporting the relevant document into a
  number of output formats (for example .PDF) or editing the page layout (for example header
  and footer).
■ To print the document without a print preview, select File > Print.
33.8 Connection of logged events
The events destined for the central database are logged in the EVENT table of the SafeGuard
Enterprise Database. For this table, integrity protection can be applied. The events can be logged
as a connected list in the EVENT table. Due to the connection, each entry in the list is dependent
on the previous entry. If an entry is removed from the list, this is evident and can be verified by
an integrity check.
To enhance performance, the connection of events in the EVENT table is deactivated by default.
You can activate the connection of logged events to check integrity (see Check the integrity of
logged events (page 262)).
Note: When the connection of logged events is deactivated, integrity protection does not apply
to the EVENT table.
Note: Too many events may lead to performance issues. For further information on how to avoid
performance issues by cleaning up events, see Scheduled event cleanup by script (page 263).
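The dependency between entries and the resulting check, as an added illustration that is not SafeGuard code: the temporary table, its columns and the SHA-256 chaining are assumptions made for the demo, since this page does not describe the EVENT table layout or the chaining algorithm (T-SQL, SQL Server 2012 or later for HASHBYTES with SHA2_256 and LAG).

```sql
-- Added illustration, not SafeGuard code: how a chained event list makes a removed
-- entry evident. Table, columns and SHA-256 chaining are assumptions for the demo;
-- the real EVENT table layout and SafeGuard's chaining are not documented on this page.
CREATE TABLE #ChainedEvent (
    EventNo   INT           NOT NULL PRIMARY KEY,
    EventId   INT           NOT NULL,   -- SafeGuard event ID, e.g. 3020 (file created on removable media)
    EventText NVARCHAR(200) NOT NULL,
    ChainHash VARBINARY(32) NOT NULL    -- SHA-256 over the previous ChainHash and this row's data
);

-- Append five constructed events. Each hash covers the previous hash, so every entry
-- depends on the one before it.
DECLARE @prev VARBINARY(32) = 0x;       -- the first entry has no predecessor
DECLARE @n    INT = 1;
DECLARE @text NVARCHAR(200);
DECLARE @hash VARBINARY(32);
WHILE @n <= 5
BEGIN
    SET @text = CONCAT(N'constructed sample event ', @n);
    SET @hash = HASHBYTES('SHA2_256',
                    @prev + CONVERT(VARBINARY(4), @n) + CONVERT(VARBINARY(MAX), @text));
    INSERT INTO #ChainedEvent (EventNo, EventId, EventText, ChainHash)
    VALUES (@n, 3020, @text, @hash);
    SET @prev = @hash;
    SET @n += 1;
END;

-- Integrity check: recompute each hash from the row that precedes it *now*.
-- With the chain intact this returns no rows.
SELECT EventNo, EventText AS BrokenAt
FROM (
    SELECT EventNo, EventText, ChainHash,
           LAG(ChainHash, 1, 0x) OVER (ORDER BY EventNo) AS PrevHash
    FROM #ChainedEvent
) AS c
WHERE ChainHash <> HASHBYTES('SHA2_256',
        PrevHash + CONVERT(VARBINARY(4), EventNo) + CONVERT(VARBINARY(MAX), EventText));

-- Remove an entry from the middle of the list to simulate tampering.
DELETE FROM #ChainedEvent WHERE EventNo = 3;

-- Re-running the check now reports EventNo 4: its stored hash was computed over
-- entry 3's hash, but its predecessor in the table is now entry 2.
SELECT EventNo, EventText AS BrokenAt
FROM (
    SELECT EventNo, EventText, ChainHash,
           LAG(ChainHash, 1, 0x) OVER (ORDER BY EventNo) AS PrevHash
    FROM #ChainedEvent
) AS c
WHERE ChainHash <> HASHBYTES('SHA2_256',
        PrevHash + CONVERT(VARBINARY(4), EventNo) + CONVERT(VARBINARY(MAX), EventText));

-- Caveat: deleting only the newest entry leaves a shorter but consistent chain.
-- Detecting that requires the latest hash to be kept outside the table (not shown here).
DROP TABLE #ChainedEvent;
```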
33.8.1 Activate the connection of logged events
1. Stop web service SGNSRV at the Web Server.
2. Delete all events from the database and create a backup during deletion (see Delete selected
or all events (page 263)).
Note: If you do not delete all old events from the database, the connection will not work
correctly as the remaining old events did not have it activated.
3. Set the following registry value to 0 or delete it:
   Key: HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise
   DWORD value: DisableLogEventChaining = 0
4. Restart the web service.
The connection of logged events is activated.
Note: To deactivate the connection of events again, set the registry key to 1.
33.9 Check the integrity of logged events
Prerequisite: To check the integrity of logged events, the connection of events in the EVENT
table has to be activated.
1. In the SafeGuard Management Center, click Reports.
2. In the SafeGuard Management Center menu bar, select Actions > Check integrity.
A message shows information about the integrity of the events logged.
Note: If the connection of events is deactivated, an error is returned.
33.10 Delete selected or all events
1. In the SafeGuard Management Center, click Reports.
2. In the Event Viewer, select the events to be deleted.
3. To delete selected events, select Actions > Delete events or click the Delete events icon
in the toolbar. To delete all events, select Actions > Delete all events or click the Delete all
events icon in the toolbar.
4. Before deleting the selected events, the system displays the Back up events as window for
creating a backup file (see Create a backup file (page 263)).
The events are deleted from the event log.
33.11 Create a backup file
When you are deleting events, you can create a backup file of the report displayed in the SafeGuard
Management Center Event Viewer.
1. When you select Actions > Delete events or Actions > Delete all events the Back up events
as window for creating a backup file is displayed before events are deleted.
2. To create an .XML backup file of the event log, enter a file name and a file location and click
OK.
33.12 Open a backup file
1. In the SafeGuard Management Center, click Reports.
2. In the SafeGuard Management Center menu bar, select Actions > Open backup file.
The Open Event Backup window is displayed.
3. Select the backup file to be opened and click Open.
The backup file is opened and the events are shown in the SafeGuard Management Center Event
Viewer. To return to the regular view of the Event Viewer, click the Open backup file icon in the
toolbar again.
33.13 Scheduled event cleanup by script
Note: The SafeGuard Management Center offers the Task Scheduler to create and schedule
periodic tasks based on scripts. The tasks are automatically run by a service on the SafeGuard
Enterprise Server to execute the scripts specified.
For automatic and efficient cleanup of the EVENT table, four SQL scripts are available in the
\tools directory of your SafeGuard Enterprise software delivery:
■ spShrinkEventTable_install.sql
■ ScheduledShrinkEventTable_install.sql
■ spShrinkEventTable_uninstall.sql
■ ScheduledShrinkEventTable_uninstall.sql
The two scripts spShrinkEventTable_install.sql and
ScheduledShrinkEventTable_install.sql install a stored procedure and a scheduled
job at the database server. The scheduled job runs the stored procedure at defined regular
intervals. The stored procedure moves events from the EVENT table to the backup log table
EVENT_BACKUP leaving a defined number of latest events in the EVENT table.
The two scripts spShrinkEventTable_uninstall.sql and
ScheduledShrinkEventTable_uninstall.sql uninstall the stored procedure and the
scheduled job. These two scripts also delete the EVENT_BACKUP table.
Note: If you use the stored procedure to move events from the EVENT table to the backup log
table, event connection no longer applies. To activate connection while also using the stored
procedure for event cleanup does not make sense. For further information, see Connection of
logged events (page 262).
33.13.1 Create the stored procedure
The script spShrinkEventTable_install.sql creates a stored procedure which moves data
from the EVENT table to a backup log table EVENT_BACKUP. If the EVENT_BACKUP table
does not exist, it is created automatically.
The first line is "USE SafeGuard". If you have selected a different name for your SafeGuard
Enterprise database, modify the name accordingly.
The stored procedure leaves the <n> latest events in the EVENT table and moves the rest of the
events to the EVENT_BACKUP table. The number of events to be left in the EVENT table is
specified by a parameter.
To execute the stored procedure, initiate the following command in SQL Server Management
Studio (New Query):
exec spShrinkEventTable 1000
This command example moves all events except for the latest 1000 events.
33.13.2 Create a scheduled job for running the stored procedure
To automatically clean up the EVENT table at regular intervals, you can create a job at the SQL
Server. The job can be created with the script ScheduledShrinkEventTable_install.sql
or using the SQL Enterprise Manager.
Note: The scheduled job does not work on SQL Express databases. For the job to be executed,
the SQL Server Agent has to be running. As there is no SQL Server Agent on SQL Server Express
installations jobs are in this case not supported.
■ The script has to be executed in the msdb. If you have selected a different name for your
  SafeGuard Enterprise Database than SafeGuard, modify the name accordingly.
    /* Default: Database name 'SafeGuard' change if required*/
    SELECT @SafeGuardDataBase='SafeGuard'
■ You can also specify the number of events to be left in the EVENT table. The default is 100,000.
    /* Default: keep the latest 100000 events, change if required*/
    SELECT @ShrinkCommand='exec spShrinkEventTable 100000'
■ You can specify whether a job run is to be logged in the NT Event Log.
    exec sp_add_job
    @job_name='AutoShrinkEventTable',
    @enabled=1,
    @notify_level_eventlog=3
  The following values are available for parameter notify_level_eventlog:
    3: Log every time the job runs.
    2: Log if the job fails.
    1: Log if the job was carried out successfully.
    0: Do not log job run in NT Event Log.
■ You can specify how often the job run should be repeated in case it fails.
    exec sp_add_jobstep
    ■ @retry_attempts=3
      This example defines 3 job run attempts in case of failure.
    ■ @retry_interval=60
      This example defines a retry interval of 60 minutes.
■ You can specify a time schedule for running the job.
    exec sp_add_jobschedule
    ■ @freq_type=4
      This example defines that the job is run daily.
    ■ @freq_interval=1
      This example defines that the job is run once per day.
    ■ @active_start_time=010000
      This example defines that the job is run at 1 a.m.
Note: Besides the example values stated above, you can define a number of different schedule
options with sp_add_jobschedule. For example, the job can be run every two minutes or only
once per week. For further information, see the Microsoft Transact-SQL documentation.
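The fragments above assembled into one complete job-install script, as an added example that is not the shipped ScheduledShrinkEventTable_install.sql (whose full contents this page does not reproduce). It assumes that spShrinkEventTable already exists in the SafeGuard database and that SQL Server Agent is running; the job description, step name, schedule name and the sp_add_jobserver call are additions of this example.

```sql
USE msdb;
GO
-- Added example, not the shipped script: creates the AutoShrinkEventTable job with the
-- values discussed above. Assumes spShrinkEventTable already exists in the SafeGuard DB.
DECLARE @SafeGuardDataBase SYSNAME       = N'SafeGuard';   -- change if your database is named differently
DECLARE @ShrinkCommand     NVARCHAR(200) = N'exec spShrinkEventTable 100000';  -- keep the latest 100,000 events

-- Job definition; notify_level_eventlog = 3 writes an NT Event Log entry on every run,
-- which gives auditors a record of each cleanup (2 = failures only, 1 = success only, 0 = never).
EXEC dbo.sp_add_job
    @job_name              = N'AutoShrinkEventTable',
    @enabled               = 1,
    @description           = N'Moves older SafeGuard events from EVENT to EVENT_BACKUP',
    @notify_level_eventlog = 3;

-- Single T-SQL step that runs the stored procedure inside the SafeGuard database.
-- On failure the step is retried 3 times with 60 minutes between attempts.
EXEC dbo.sp_add_jobstep
    @job_name       = N'AutoShrinkEventTable',
    @step_name      = N'Shrink EVENT table',
    @subsystem      = N'TSQL',
    @database_name  = @SafeGuardDataBase,
    @command        = @ShrinkCommand,
    @retry_attempts = 3,
    @retry_interval = 60;

-- Schedule: freq_type 4 = daily, freq_interval 1 = every day, start at 01:00:00.
EXEC dbo.sp_add_jobschedule
    @job_name          = N'AutoShrinkEventTable',
    @name              = N'Nightly cleanup',
    @freq_type         = 4,
    @freq_interval     = 1,
    @active_start_time = 010000;

-- Bind the job to this server; without this step SQL Server Agent never picks it up.
EXEC dbo.sp_add_jobserver
    @job_name    = N'AutoShrinkEventTable',
    @server_name = N'(local)';
GO
```

The job will not run on SQL Server Express, which has no SQL Server Agent, as the note above states.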
33.13.3 Clean up stored procedures, jobs and tables
The script spShrinkEventTable_uninstall.sql deletes the stored procedure and the
EVENT_BACKUP table. The script ScheduledShrinkEventTable_uninstall.sql deregisters
the scheduled job.
Note: When you execute spShrinkEventTable_uninstall.sql, the EVENT_BACKUP
table will be deleted with all data contained in it.
33.14 Report Message Templates
Events are not logged with their complete event texts in the SafeGuard Enterprise Database.
Only ID and the relevant parameter values are written to the database table. When the logged
events are retrieved in the SafeGuard Management Center Event Viewer, the parameter values
and the text templates contained in the .dll are converted into the complete event text in the current
SafeGuard Management Center system language.
The templates used for event texts can be edited and processed, for example by using SQL
queries. To do so, you can generate a table containing all text templates for event messages.
Afterwards you can customize the templates according to your specific requirements.
To create a table containing the text templates for the individual event IDs:
1. In the menu bar of the SafeGuard Management Center, select Tools > Options.
2. In the Options window, go to tab Database.
3. In the Report Message Templates area, click Create Table.
The table containing the templates for the event ID is created in the current system language and
can be customized.
Note: Before the templates are generated, the table is cleared. If the templates have been
generated for a specific language and a user generates the templates for a different language,
the templates for the first language are deleted.
34 Scheduling tasks
The SafeGuard Management Center offers the Task Scheduler to create and schedule periodic
tasks based on scripts. The tasks are automatically run by a service on the SafeGuard Enterprise
Server to execute the scripts specified.
Periodic tasks are for example useful for
■ automatic synchronization between Active Directory and SafeGuard Enterprise.
■ automatic deletion of event logs.
For these two procedures, predefined script templates are available with SafeGuard Enterprise.
You can use these scripts as they are or modify them according to your requirements. For further
information, see Predefined scripts for periodic tasks (page 273).
As a security officer with the required rights, you can specify scripts, rules and intervals for tasks
in the Task Scheduler.
Note: Make sure that the appropriate SQL permissions are set for the account that is used to
run the SafeGuard Enterprise Task Scheduler. For further information, see the knowledgebase
article: http://www.sophos.com/en-us/support/knowledgebase/113582.aspx.
Note: The API cannot process more than one task at the same time. If you use more than one
account per task, this will lead to database access violations.
34.1 Create a new task
To create tasks in the Task Scheduler, you need the security officer rights Use task scheduler
and Manage tasks.
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed.
2. Click the Create... button.
The New task dialog is displayed.
3. In the Name field, enter a unique task name.
If the task name is not unique, a warning is displayed when you click OK to save the task.
4. In the drop-down list of the SGN Server field, select the server the task should run on.
The drop-down list only shows servers for which scripting is allowed. You allow scripting for
a specific server when you register it in the Configuration Package Tool in the SafeGuard
Management Center. For further information on registering servers, see the SafeGuard
Enterprise installation guide.
If you select None, the task is not executed.
5. Click the Import... button next to the Script field.
The Select script file to import dialog is displayed.
Note: Two predefined scripts are available in the Script Templates directory of your SafeGuard
Management Center installation. The Select script file to import dialog automatically shows
this directory. For further information, see Predefined scripts for periodic tasks (page 273).
In the Task Scheduler, you can import, export and edit scripts. For further information, see
Working with scripts in the Task Scheduler (page 271).
6. Select the script you want to run with the task and click OK.
If the script selected is empty, the OK button in the dialog remains disabled and a warning
symbol is displayed.
7. In the Start Time field, specify when the task should be run on the selected server.
The start time displayed is rendered using the local time of the computer on which the
SafeGuard Management Center is running. Internally, the start time is stored as Coordinated
Universal Time (UTC). This allows tasks to be executed at the same moment, even if servers
are in different time zones. All servers use the current time of the database server to determine
when to start tasks. To allow better monitoring of tasks, the database reference time is displayed
in the Task Scheduler dialog.
8. Under Recurrence, specify how often the task should be run on the selected server.
   ■ To run the task once, select One time and specify the required Date.
   ■ To run the task daily, select Daily followed by Every day (including Saturday and Sunday)
     or Every weekday (Monday - Friday).
   ■ To run the task weekly, select Weekly and specify the required day of the week.
   ■ To run the task monthly, select Monthly and specify the required day of the month in a
     range from 1 to 31. To run the task at the end of each month, select Last from the drop-down
     list.
After you have filled in all mandatory fields, the OK button becomes available.
9. Click OK.
The task is saved in the database and displayed in the Task Scheduler overview. It is run on the
selected server according to the schedule specified.
34.2 The Task Scheduler overview display
After you have created tasks to be run on a SafeGuard Enterprise Server, they are displayed in
the Task Scheduler dialog you open by selecting Tools > Task Scheduler.
This dialog shows the following columns for each task:
Task Name
    Shows the unique task name.
SGN Server
    Indicates on which server the task is executed.
Schedule
    Shows the schedule specified for the task with recurrence and time.
Next Run Time
    Shows the next time the task will be executed (date and time). If there are no more run
    times specified for the task, this column shows None.
Last Run Time
    Shows the last time the task was executed (date and time). If it has not been executed yet,
    this column shows None.
Last Run Result
    Shows the result of the last task run:
    Success: The task's script was executed successfully.
    Failure: Execution of the task has failed. An error number is shown, if available.
    Running: The script is running.
    Insufficient Rights: The task has failed due to insufficient rights for script execution.
    Aborted: The execution of the task was aborted because the execution time exceeded 24 hours.
    Lost control: Control of the task's script execution was lost, for example because the SGN
    scheduler service was stopped.
    Script is corrupt: The script to be executed is corrupt.
    The script was deleted in the meantime: While the task was queued for execution, the
    corresponding script was removed from the SafeGuard Enterprise Database.
    Runtime errors: A runtime error was detected during the processing of the scheduler service.
Under the columns, the following buttons are displayed:
Create...
    Click this button to create a new task.
Delete
    Click this button to delete a selected task.
Properties
    Click this button to display the <task name> properties dialog for a selected task. In this
    dialog, you can edit the task or import, export and edit scripts.
Refresh
    Click this button to refresh the task list in the Task Scheduler dialog. If another user has
    added or deleted tasks in the meantime, the task list is updated.
All servers use the current time of the database server to determine when to start tasks. Therefore,
to allow better monitoring of tasks, the time of the database server is displayed here. It is rendered
using the local time zone of the computer on which the SafeGuard Management Center runs.
34.3 Edit tasks
To edit tasks in the Task Scheduler, you need the security officer rights Use task scheduler
and Manage tasks.
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed showing an overview on the scheduled tasks.
2. Select the required task and click the Properties button.
The <task name> properties dialog is displayed showing the task properties.
3. Make the required changes.
Note: The task name must be unique. If you change the name to an existing task name, an
error message is displayed.
4. Click OK.
The changes become effective.
34.4 Delete tasks
To delete tasks from the Task Scheduler, you need the security officer rights Use task scheduler
and Manage tasks.
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed showing an overview of the scheduled tasks.
2. Select the required task.
The Delete button becomes available.
3. Click the Delete button and confirm that you want to delete the task.
The task is removed from the Task Scheduler overview dialog and will no longer be run on the
SafeGuard Enterprise Server.
Note: If the task has been started in the meantime, it is removed from the Task Scheduler
overview dialog, but it will still be completed.
34.5 Working with scripts in the Task Scheduler
With the Task Scheduler you can import, edit and export scripts. To work with scripts in the Task
Scheduler, you need the security officer rights Use Task scheduler and Manage tasks.
34.5.1 Import scripts
To specify a script to be executed by a task, the script must be imported. You can import the
script when you first create the task. You can also import scripts for existing tasks.
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed showing an overview on the scheduled tasks.
2. Select the required task and click the Properties button.
The <task name> properties dialog is displayed showing the task properties.
3. Click the Import... button next to the Script field.
The Select script file to import dialog is displayed.
Note: Two predefined scripts are available in the Script Templates directory of your SafeGuard
Management Center installation. The Select script file to import dialog automatically shows
this directory. For further information, see Predefined scripts for periodic tasks (page 273).
4. Select the script you want to import and click OK.
The script name is displayed in the Script field.
5. Click OK.
If the script has already been imported, you are prompted to confirm that you want to overwrite
the old script.
If the size of the file to be imported exceeds 10 MB, an error message is displayed and the
import process is rejected.
The script is saved in the database.
34.5.2 Edit scripts
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed showing an overview on the scheduled tasks.
2. Select the required task and click the Properties button.
The <task name> properties dialog is displayed showing the task properties.
3. Click the Edit drop-down button next to the Script field.
The drop-down list shows all editors available for editing the script.
4. Select the editor you want to use.
The script is opened in the selected editor.
5. Make your changes and save them.
The editor is closed and the <task name> properties dialog is displayed again.
6. Click OK.
The changed script is saved in the database.
34.5.3 Export scripts
1. In the menu bar of the SafeGuard Management Center, select Tools > Task Scheduler.
The Task Scheduler dialog is displayed showing an overview on the scheduled tasks.
2. Select the required task and click the Properties button.
The <task name> properties dialog is displayed showing the task properties.
3. Click the Export... button besides the Script field.
A Save as dialog is displayed.
4. Select the file location for saving the script and click Save.
The script is saved to the specified file location.
34.5.4 Predefined scripts for periodic tasks
The following predefined scripts are available with SafeGuard Enterprise:
■ ActiveDirectorySynchronization.vbs
  You can use this script for automatic synchronization between Active Directory and SafeGuard
  Enterprise.
■ EventLogDeletion.vbs
  You can use this script for automatic event log deletion.
The scripts are installed automatically in the Script Templates subfolder of the SafeGuard
Management Center installation.
To use these scripts in periodic tasks, import them into the Task Scheduler and make the
necessary parameter changes before you use them.
34.5.4.1 Predefined script for Active Directory synchronization
You can import an existing organizational structure into the SafeGuard Enterprise Database from
an Active Directory. For further information, see Import the organizational structure (page 42).
After you have imported the directory structure, you can schedule a periodic task for automatic
synchronization between the Active Directory and SafeGuard Enterprise. For this task, you can
use the predefined script ActiveDirectorySynchronization.vbs.
The script synchronizes all existing containers in the SafeGuard Enterprise Database with an
Active Directory.
Before you use the script in a periodic task, you can edit the following parameters:
logFileName
    Specify a path for the script log file. This parameter is mandatory. If it is empty or
    invalid, synchronization does not work and an error message is displayed. By default, this
    parameter is empty. If a log file already exists, new logs are appended to the end of the file.
synchronizeMembership
    Set this parameter to 1 to also synchronize memberships. If this parameter is set to 0,
    memberships are not synchronized. The default setting is 1.
synchronizeAccountState
    Set this parameter to 1 to also synchronize the user enabled state. If this parameter is set
    to 0, the user enabled state is only synchronized at first synchronization. The default
    setting is 0.
Note: Make sure that you have the necessary access rights for Active Directory synchronization
and that the appropriate SQL permissions are set for the account that is used to run the SafeGuard
Enterprise Task Scheduler. For further information, see Security officer access rights and Active
Directory import (page 44). For information on how to set the Active Directory access rights, see
http://www.sophos.com/en-us/support/knowledgebase/107979.aspx. For information on how to
set the SQL permissions, see http://www.sophos.com/en-us/support/knowledgebase/113582.aspx.
Once the rights are set correctly, apply the changes and restart the service: Switch to the server
hosting the SafeGuard Enterprise web page. Open the Services interface by clicking Start > Run
> Services.msc. Right-click SafeGuard ® Scheduler Service and click All Tasks > Restart.
Note: We recommend that you synchronize the Active Directory at a moderate interval, at most
twice a day, so that server performance is not significantly decreased. New objects that appear
between synchronization runs are displayed in the SafeGuard Management Center under
.Auto registered, where they can be managed as normal.
34.5.4.2 Predefined script for automatic event log deletion
Events logged in the SafeGuard Enterprise Database are stored in the EVENT table. For further
information on logging, see Reports (page 255).
With the Task Scheduler, you can create a periodic task for automatic event log deletion. For
this task, you can use the predefined script EventLogDeletion.vbs.
The script deletes events from the EVENT table. If you specify the relevant parameter, it also
moves events to the backup log table EVENT_BACKUP leaving a defined number of latest events
in the EVENT table.
Before you use the script in a periodic task, you can edit the following parameters:
maxDuration
    With this parameter, you specify how long (in days) events should be kept in the EVENT
    table. The default is 0. If this parameter is set to 0, there is no time limit for events
    kept in the EVENT table.
maxCount
    With this parameter, you specify how many events should remain in the EVENT table. The
    default is 5000. If this parameter is set to 0, there is no limit for the number of events
    to be kept in the EVENT table.
keepBackup
    With this parameter, you specify whether deleted events should be backed up in the
    EVENT_BACKUP table. The default is 0. If this parameter is set to 0, events are not backed
    up. Set this parameter to 1 to create a backup of deleted events.
Note: If you use the script to move events from the EVENT table to the backup log table, event
connection no longer applies. To activate event connection while also using the stored procedure
for event cleanup does not make sense. For further information, see Connection of logged events
(page 262).
34.6 Restrictions concerning registered servers
When you register servers in the Configuration Package Tool in the SafeGuard Management
Center, it is possible to register more than one server template with the same machine certificate.
But you can only install one template at a time on the real machine.
If the Scripting allowed check box is selected for both servers, the Task Scheduler displays
both servers for selection in the SGN Server drop-down list of the New task dialog and the <task
name> properties dialog. The Task Scheduler cannot determine which of the two templates
was installed on the machine.
To avoid this, do not select the check box Scripting allowed for templates that are not installed
on the server. Also, avoid duplicate templates with the same machine certificate.
For further information on registering servers, see the SafeGuard Enterprise installation guide.
34.7 Task Scheduler log events
Events concerning task execution can be logged to provide useful information, for example for
troubleshooting. You can define the following events to be logged:
■ Scheduler task executed successfully
■ Scheduler task failed
■ Scheduler service thread stopped due to an exception.
The events include the script console output to facilitate troubleshooting.
For further information on logging, see Reports (page 255).
35 Managing Mac endpoints in the SafeGuard Management Center
Macs that have the following Sophos products installed can be managed by SafeGuard Enterprise
and/or report status information. The status information is displayed in the SafeGuard Management
Center:
■ Sophos SafeGuard File Encryption for Mac 6.1 and later
■ Sophos SafeGuard Disk Encryption for Mac 6.1 / Sophos SafeGuard Native Device Encryption 7.0
■ Sophos SafeGuard Disk Encryption for Mac 6 - only reporting
Note: For recommendations, particularities and limitations when using SafeGuard File Encryption
or Disk / Native Device Encryption for Mac, refer to the Administrator helps of these products.
35.1 Inventory and status data of Macs
For Macs the Inventory provides the following data about each machine. The data displayed can
differ, depending on the installed Sophos product:
■ The name of the Mac
■ The operating system
■ The POA type
■ The POA status
■ The number of encrypted drives
■ The number of unencrypted drives
■ The last server contact
■ The modification date
■ Whether the current company certificate is used or not
35.2 Create configuration package for Macs
A configuration package for a Mac contains the server information and the company certificate. The Mac uses this information to report status information (SafeGuard POA on/off, encryption state and so on). The status information is displayed in the SafeGuard Management Center.
1. In the SafeGuard Management Center, on the Tools menu, click Configuration Package Tool.
2. Select Managed client packages.
3. Click Add Configuration Package.
4. Enter a name of your choice for the configuration package.
5. Assign a primary SafeGuard Enterprise Server (the secondary server is not necessary).
6. Select SSL as Transport Encryption for the connection between the endpoint and SafeGuard Enterprise Server. Sophos as Transport Encryption is not supported for Mac.
7. Specify an output path for the configuration package (ZIP).
8. Click Create Configuration Package.
The server connection for the SSL Transport Encryption mode is validated. If the connection fails, a warning message is displayed.
The configuration package (ZIP) has now been created in the specified directory. You now need to distribute and deploy this package to your Macs.
36 SafeGuard Enterprise and self-encrypting, Opal-compliant hard drives
Self-encrypting hard drives offer hardware-based encryption of data when they are written to the hard disk. The Trusted Computing Group (TCG) has published the vendor-independent Opal standard for self-encrypting hard drives. Different hardware vendors offer Opal-compliant hard drives. SafeGuard Enterprise supports the Opal standard and offers management of endpoints with self-encrypting, Opal-compliant hard drives. See also http://www.sophos.com/en-us/support/knowledgebase/113366.aspx.
36.1 How does SafeGuard Enterprise integrate Opal-compliant hard drives?
With SafeGuard Enterprise, endpoints with self-encrypting, Opal-compliant hard drives can be managed from the SafeGuard Management Center, like any other endpoint protected by SafeGuard Enterprise.
Central and fully transparent management of Opal-compliant hard drives by SafeGuard Enterprise allows for their use in heterogeneous IT environments. By supporting the Opal standard, we offer the full set of SafeGuard Enterprise features to corporate users of self-encrypting, Opal-compliant hard drives. In combination with SafeGuard Enterprise, Opal-compliant hard drives offer enhanced security features.
36.2 Enhancement of Opal-compliant hard drives with SafeGuard Enterprise
SafeGuard Enterprise offers the following benefits in combination with self-encrypting, Opal-compliant hard drives:
■ Central management of endpoints
■ SafeGuard Power-on Authentication with graphical user interface
■ Multi-user support
■ Token/smartcard logon support
■ Fingerprint logon support
■ Recovery (Local Self Help, Challenge/Response)
■ Central auditing
■ Encryption of removable media (for example USB memory sticks) with SafeGuard Data Exchange
36.3 Manage endpoints with Opal-compliant hard drives with SafeGuard Enterprise
In the SafeGuard Management Center, you can manage endpoints with self-encrypting, Opal-compliant hard drives just like any other endpoint protected by SafeGuard Enterprise. As a security officer, you can define security policies, for example authentication policies, and deploy them to endpoints.
Once an endpoint with an Opal-compliant hard drive is registered at SafeGuard Enterprise, information on user, computer, logon mode and encryption status is displayed. In addition, events are logged.
Management of endpoints with Opal-compliant hard drives in SafeGuard Enterprise is transparent, which means that management functions in general work the same as for other endpoints protected by SafeGuard Enterprise. The type of a computer is shown in Inventory of a container in Users and Computers. The column POA Type tells you if the respective computer is encrypted by SafeGuard Enterprise or uses a self-encrypting, Opal-compliant hard drive.
36.4 Encryption of Opal-compliant hard drives
Opal-compliant hard drives are self-encrypting. Data are encrypted automatically when they are written to the hard disk.
The hard drives are locked by an AES 128/256 key used as an Opal password. This password is managed by SafeGuard Enterprise through an encryption policy, see Lock Opal-compliant hard drives (page 279).
36.5 Lock Opal-compliant hard drives
To lock Opal-compliant hard drives, the machine key has to be defined for at least one volume on the hard drive in an encryption policy. In case the encryption policy includes a boot volume, the machine key is defined automatically.
1. In the SafeGuard Management Center, create a policy of the type Device Protection.
2. In the field Media encryption mode, select Volume-based.
3. In the field Key to be used for encryption, select Defined machine key.
4. Save your changes in the database.
5. Deploy the policy to the relevant endpoint.
The Opal-compliant hard drive is locked and can only be accessed by logging on to the computer at the SafeGuard Power-on Authentication.
36.6 Enable users to unlock Opal-compliant hard drives
As a security officer, you can enable users to unlock Opal-compliant hard drives on their endpoints by using the Decrypt command from the Windows Explorer context menu.
Prerequisite: In the Device Protection policy that applies to the Opal-compliant hard drive, the option User may decrypt volume must be set to Yes.
1. In the SafeGuard Management Center, create a policy of the type Device Protection and include all volumes on the Opal-compliant hard drive.
2. In the field Media encryption mode, select No encryption.
3. Save your changes in the database.
4. Deploy the policy to the relevant endpoint.
The user can now unlock the Opal-compliant hard drive on the endpoint. Until the user does so, the hard drive remains locked.
36.7 Logging of events for endpoints with Opal-compliant hard drives
Events reported by endpoints with self-encrypting, Opal-compliant hard drives are logged just as for any other endpoint protected by SafeGuard Enterprise. The events reported are the same as for any other endpoint protected by SafeGuard Enterprise and do not indicate the computer type.
For further information, see Reports (page 255).
37 Events available for reports
The following table gives an overview of all events that can be selected for logging.
Category        Event ID  Description
System          1005      Service started.
System          1006      Service start failed.
System          1007      Service stopped.
System          1016      Integrity test of data files failed.
System          1017      Logging destination not available.
System          1018      Unauthorized attempt to uninstall SafeGuard Enterprise
Authentication  2001      External GINA identified and integrated successfully.
Authentication  2002      External GINA identified, integration failed.
Authentication  2003      Power-on Authentication active.
Authentication  2004      Power-on Authentication deactivated.
Authentication  2005      Wake on LAN activated.
Authentication  2006      Wake on LAN deactivated.
Authentication  2007      Challenge created.
Authentication  2008      Response created.
Authentication  2009      Log on successful.
Authentication  2010      Log on failed.
Authentication  2011      User imported during log on and marked as owner.
Authentication  2012      User imported by owner and marked as non-owner.
Authentication  2013      User imported by non-owner and marked as non-owner.
Authentication  2014      User removed as owner.
Authentication  2015      Import of user during log on failed.
Authentication  2016      User logged off.
Authentication  2017      User was forced to log off.
Authentication  2018      Action performed on device.
Authentication  2019      User started a Password/PIN change.
Authentication  2020      User changed their Password/PIN after logon.
Authentication  2021      Password/PIN Quality.
Authentication  2022      Password/PIN policy violated.
Authentication  2023      LocalCache was corrupted and has been restored
Authentication  2024      Invalid Password Black List Configuration
Authentication  2025      Response Code received that allows the user to display the password.
Authentication  2030      Logged on user is a Service Account
Authentication  2035      Service Account List imported.
Authentication  2036      Service Account List deleted.
Authentication  2056      Add SGN Windows user
Authentication  2057      Delete SGN Windows users from a machine.
Authentication  2058      UMA user removal
Authentication  2061      Computrace check return code.
Authentication  2062      Computrace check could not be executed.
Authentication  2071      Kernel initialization was successfully completed.
Authentication  2071      Kernel initialization has failed.
Authentication  2073      Machine keys were successfully generated on the client.
Authentication  2074      Machine keys could not be generated successfully on the client. Internal code: 0x%1.
Authentication  2075      Querying disk properties or Opal disk initialization has failed. Internal code: 0x%1.
Authentication  2079      Importing user into the kernel was successfully completed.
Authentication  2080      Removing user from the kernel was successfully completed.
Authentication  2081      Importing user into the kernel has failed.
Authentication  2082      Removing user from the kernel has failed.
Authentication  2083      Response with "display user password" created.
Authentication  2084      Response for virtual client created.
Authentication  2085      Response for standalone client created.
Authentication  2095      Wake on LAN could not be activated.
Authentication            A certificate was assigned to a standalone client user.
Authentication  2096      Wake on LAN could not be deactivated.
Authentication  2097      The user has logged in to the client using the standby token for the first time. The standby token was set as standard token.
Authentication  2098      A successful standby certificate activation has been reported to the server.
Authentication  2099      The user has logged in to the client using the standby token for the first time. The standby certificate could not be activated because of an error.
Authentication  2100      The standby certificate activation has failed on the server.
Administration  2500      SafeGuard Enterprise Administration started.
Administration  2501      Log on to SafeGuard Enterprise Administration failed.
Administration  2502      Authorization for SafeGuard Enterprise Administration failed.
Administration  2504      Additional authorization for action granted.
Administration  2505      Additional authorization failed.
Administration  2506      Data import from directory successful.
Administration  2507      Data import from directory cancelled.
Administration  2508      Failed to import data from directory.
Administration  2511      User created.
Administration  2513      User changed.
Administration  2515      User deleted.
Administration  2518      Application of user failed
Administration  2522      Failed to delete user.
Administration  2525      Machine applied.
Administration  2529      Machine deleted.
Administration  2532      Application of machine failed.
Administration  2536      Failed to delete machine.
Administration  2539      OU applied.
Administration  2543      OU deleted.
Administration  2546      Application of OU failed.
Administration  2547      Import of OU failed.
Administration  2550      Failed to delete OU.
Administration  2553      Group applied.
Administration  2555      Group modified.
Administration  2556      Group renamed.
Administration  2557      Group deleted.
Administration  2560      Application of group failed.
Administration  2562      Failed to change group.
Administration  2563      Failed to rename group.
Administration  2564      Failed to delete group.
Administration  2573      Members added to group.
Administration  2575      Members deleted from group.
Administration  2576      Failed to add members to group.
Administration  2578      Failed to delete members from group.
Administration  2580      Group switched from OU to OU.
Administration  2583      Failed to switch group from OU to OU.
Administration  2591      Objects added to group.
Administration  2593      Objects deleted from group.
Administration  2594      Failed to add objects to group.
Administration  2596      Failed to delete objects from group.
Administration  2603      Key generated. Algorithm.
Administration  2607      Key assigned.
Administration  2608      Key assignment cancelled.
Administration  2609      Failed to generate key.
Administration  2613      Failed to assign key.
Administration  2614      Failed to delete assignment of key.
Administration  2615      Certificate generated.
Administration  2616      Certificate imported.
Administration  2619      Certificate deleted.
Administration  2621      Certificate assigned to user.
Administration  2622      Certificate assignment to user cancelled.
Administration  2623      Failed to create certificate.
Administration  2624      Failed to import certificate.
Administration  2627      Failed to delete certificate.
Administration  2628      Extension of certificate failed.
Administration  2629      Failed to assign certificate to user.
Administration  2630      Failed to delete assignment of certificate to user.
Administration  2631      Token plugged in.
Administration  2632      Token removed.
Administration  2633      Token issued to user.
Administration  2634      Change user PIN on token.
Administration  2635      Change SO PIN on token.
Administration  2636      Token locked.
Administration  2637      Token unlocked.
Administration  2638      Token deleted.
Administration  2639      Token assignment for user removed.
Administration  2640      Failed to issue token for user.
Administration  2641      Failed to change user PIN on token.
Administration  2642      Failed to change SO PIN on token.
Administration  2643      Failed to lock token
Administration  2644      Failed to unlock token.
Administration  2645      Failed to delete token.
Administration  2647      Policy created.
Administration  2648      Policy changed.
Administration  2650      Policy deleted.
Administration  2651      Policy assigned and activated to OU.
Administration  2652      Assigned policy removed from OU.
Administration  2653      Failed to create policy.
Administration  2654      Failed to change policy.
Administration  2657      Failed to assign and activate a policy to OU.
Administration  2658      Removing of assigned policy from OU failed.
Administration  2659      Policy group created.
Administration  2660      Policy group changed.
Administration  2661      Policy group deleted.
Administration  2662      Failed to create policy group.
Administration  2663      Failed to change policy group.
Administration  2665      Following policy has been added to policy group.
Administration  2667      Following policy has been deleted from policy group.
Administration  2668      Failed to add policy to policy group.
Administration  2670      Failed to delete policy from policy group.
Administration  2678      Recorded event exported.
Administration  2679      Export of recorded events failed.
Administration  2680      Recorded events deleted.
Administration  2681      Failed to delete recorded events.
Administration  2684      Security Officer allows renewal of certificate
Administration  2685      Security Officer denies renewal of certificate
Administration  2686      Failed to alter renewal settings for certificate
Administration  2687      Officer certificate changed
Administration  2688      Failed to change officer certificate
Administration  2692      Creation of workgroups.
Administration  2693      Failed creation of workgroups
Administration  2694      Deletion of workgroups.
Administration  2695      Failed deletion of workgroups
Administration  2696      Creation of users.
Administration  2697      Failed creation of users.
Administration  2698      Creation of machines.
Administration  2699      Failed creation of machines.
Administration  2700      License is violated
Administration  2701      Key file has been created.
Administration  2702      Key for key file has been deleted.
Administration  2703      Security Officer disabled Power-on Authentication in policy.
Administration  2704      LSH Question Theme created.
Administration  2705      LSH Question Theme changed.
Administration  2706      LSH Question Theme deleted.
Administration  2707      Question changed.
Administration  2753      Read Only Access to container '%1' granted for Security Officer '%2'.
Administration  2755      Full access to container '%1' granted for Security Officer '%2'.
Administration  2757      Access to container '%1' revoked for Security Officer '%2'.
Administration  2766      Access to container '%1' explicitly denied for Security Officer '%2'.
Administration  2767      Explicitly denied access to container '%1' revoked for Security Officer '%2'.
Administration  2768      Read access to container '%1' revoked for Security Officer '%2'.
Administration  2810      POA user "%1" created.
Administration  2811      POA user "%1" modified.
Administration  2812      POA user "%1" deleted.
Administration  2815      Creation of POA user "%1" failed.
Administration  2816      Modification of POA user "%1" failed.
Administration  2817      Deletion of POA user "%1" failed.
Administration  2820      POA group "%1" created.
Administration  2821      POA group "%1" modified.
Administration  2822      POA group "%1" deleted.
Administration  2825      Creation of POA group "%1" failed.
Administration  2826      Modification of POA group "%1" failed.
Administration  2827      Deletion of POA group "%1" failed.
Administration  2850      Scheduler service stopped due to an exception.
Administration  2851      Scheduler task executed successfully.
Administration  2852      Scheduler task failed.
Administration  2853      Scheduler task created or modified.
Administration  2854      Scheduler task deleted.
Client          3003      Kernel backup succeeded
Client          3005      Kernel restore first chance succeeded
Client          3006      Kernel restore second chance succeeded
Client          3007      Kernel backup failed
Client          3008      Kernel restore failed
Client          3020      File tracking for removable media: a file has been created.
Client          3021      File tracking for removable media: a file has been renamed.
Client          3022      File tracking for removable media: a file has been deleted.
Client          3025      File tracking for cloud storage: a file has been created.
Client          3026      File tracking for cloud storage: a file has been renamed.
Client          3027      File tracking for cloud storage: a file has been deleted.
Client          3030      User has changed his LSH secrets after login.
Client          3035      LSH was activated.
Client          3040      LSH was deactivated
Client          3045      LSH is available - Enterprise Client
Client          3046      LSH is available - Standalone Client
Client          3050      LSH is disabled - Enterprise Client
Client          3051      LSH is not available - Standalone Client
Client          3055      The QST list (LSH questions) was changed.
Client          3405      Configuration Protection client failed to uninstall.
Client          3070      Key backup was saved to the specified network share.
Client          3071      Key backup could not be saved to the specified network share.
Client          3110      POA user "%1" imported into POA
Client          3111      POA user "%1" deleted from POA
Client          3115      POA user "%1" changed password via 'F8'
Client          3116      Import of POA user "%1" into POA failed
Client          3117      Deletion of POA user "%1" from POA failed
Client          3118      POA user "%1" - change of password via 'F8' failed
Client          3406      Configuration Protection client experienced an internal error
Client          3407      Configuration Protection client detected a possible tampering event
Client          3408      Configuration Protection client detected a possible tampering with event logs.
Encryption      3501      Access denied to medium on drive.
Encryption      3502      Access denied to data file.
Encryption      3503      Sector-based initial encryption of drive started.
Encryption      3504      Sector-based initial encryption of drive started (quick mode).
Encryption      3505      Sector-based initial encryption of drive completed successfully.
Encryption      3506      Sector-based initial encryption of drive failed and closed.
Encryption      3507      Sector-based initial encryption of drive cancelled.
Encryption      3508      Sector-based initial encryption of drive failed.
Encryption      3509      Sector-based decryption of drive started.
Encryption      3510      Sector-based decryption of drive closed successfully.
Encryption      3511      Sector-based decryption of drive failed and closed.
Encryption      3512      Sector-based decryption of drive cancelled.
Encryption      3513      Sector-based decryption of drive failed.
Encryption      3514      File based initial encryption on a drive started.
Encryption      3515      File based initial encryption on a drive completed successfully.
Encryption      3516      File based initial encryption on a drive failed and closed.
Encryption      3517      File based decryption on a drive cancelled.
Encryption      3519      File based encryption of a file started.
Encryption      3520      File based encryption on a drive closed successfully.
Encryption      3521      File based decryption on a drive failed and closed.
Encryption      3522      File based decryption on a drive cancelled.
Encryption      3524      Encryption of a file started.
Encryption      3525      Encryption of a file completed successfully.
Encryption      3526      Encryption of a file failed.
Encryption      3540      Decryption of a file started.
Encryption      3541      Decryption of a file completed successfully.
Encryption      3542      Decryption of a file failed.
Encryption      3543      Backup of boot key successful
Encryption      3544      Maximum count of boot algorithms exceeded.
Encryption      3545      Read errors on KSA
Encryption      3546      Disabling volumes according to the defined policies.
Encryption      3547      Warning: NTFS boot sector backup is missing on the volume %1.
Encryption      3548      The user has set new BitLocker credentials for starting up the computer.
Encryption      3549      The user tried to set new BitLocker credentials for starting up the computer but the operation failed.
Encryption      3560      Access Protection
Encryption      3600      General encryption error
Encryption      3601      Encryption error - Engine: Volume missing.
Encryption      3602      Encryption error - Engine: Volume offline.
Encryption      3603      Encryption error - Engine: Volume removed.
Encryption      3604      Encryption error - Engine: Volume bad.
Encryption      3607      Encryption error - Encryption key missing.
Encryption      3610      Encryption error - Origin KSA area corrupt.
Encryption      3611      Encryption error - Backup KSA area corrupt.
Encryption      3612      Encryption error - Origin ESA area corrupt.
Access Control  4400      Port successfully approved
Access Control  4401      Device successfully approved
Access Control  4402      Storage successfully approved
Access Control  4403      WLAN successfully approved
Access Control  4404      Port removed successfully
Access Control  4405      Device removed successfully
Access Control  4406      Storage device removed successfully
Access Control  4407      WLAN disconnected successfully
Access Control  4408      Port restricted
Access Control  4409      Device restricted
Access Control  4410      Storage device restricted
Access Control  4411      WLAN restricted
Access Control  4412      Port blocked
Access Control  4413      Device blocked
Access Control  4414      Storage device blocked
Access Control  4415      WLAN blocked
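A small triage pass over an exported list of these events, added here as an example that is not part of the help text or of the SafeGuard product. It uses event IDs from the table above (1018, 2004, 2010, 2703, 3407, 3408) and applies two rules a security officer typically wants when reviewing reports: tampering and uninstall attempts are reported on their own, and a burst of "Log on failed" (2010) events from one computer inside a sliding time window is reported once when the threshold is reached. The record layout (time, computer, event_id), the constructed sample events and the choice of which IDs alert immediately are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and descriptions copied from the table above (a small subset of it).
EVENTS = {
    1018: ("System", "Unauthorized attempt to uninstall SafeGuard Enterprise"),
    2004: ("Authentication", "Power-on Authentication deactivated."),
    2009: ("Authentication", "Log on successful."),
    2010: ("Authentication", "Log on failed."),
    2703: ("Administration", "Security Officer disabled Power-on Authentication in policy."),
    3407: ("Client", "Configuration Protection client detected a possible tampering event"),
    3408: ("Client", "Configuration Protection client detected a possible tampering with event logs."),
}

# Which IDs deserve a review on their own is an editorial choice for this example,
# not a classification the help text makes.
ALWAYS_ALERT = {1018, 2004, 2703, 3407, 3408}


def triage_events(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Scan exported SafeGuard events and return a list of (time, computer, id, text) alerts.

    Each event is a dict with keys time (datetime), computer (str) and event_id (int);
    this layout is assumed for the example. Events in ALWAYS_ALERT are reported as they
    are; `fail_threshold` "Log on failed" events (2010) from one computer within `window`
    are reported once, at the moment the threshold is reached.
    """
    alerts = []
    recent_failures = defaultdict(list)  # computer -> timestamps of 2010 still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        description = EVENTS.get(eid, ("Unknown", "event ID not in embedded subset"))[1]
        if eid in ALWAYS_ALERT:
            alerts.append((ev["time"], ev["computer"], eid, description))
        if eid == 2010:
            stamps = recent_failures[ev["computer"]]
            stamps.append(ev["time"])
            # slide the window: forget failures older than `window`
            while ev["time"] - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) == fail_threshold:
                alerts.append((ev["time"], ev["computer"], eid,
                               f"{fail_threshold} failed logons within {window}"))
    return alerts


def sample_events():
    """Constructed sample export (not real data): one uninstall attempt on LAPTOP-02,
    a burst of five failed logons on LAPTOP-01 followed by a successful logon, and a
    single failed logon on LAPTOP-03 that stays below the threshold."""
    t0 = datetime(2014, 12, 1, 8, 0, 0)
    events = [{"time": t0 + timedelta(seconds=30), "computer": "LAPTOP-02", "event_id": 1018}]
    for minute in range(1, 6):
        events.append({"time": t0 + timedelta(minutes=minute), "computer": "LAPTOP-01", "event_id": 2010})
    events.append({"time": t0 + timedelta(minutes=6), "computer": "LAPTOP-01", "event_id": 2009})
    events.append({"time": t0 + timedelta(minutes=7), "computer": "LAPTOP-03", "event_id": 2010})
    return events


if __name__ == "__main__":
    for alert in triage_events(sample_events()):
        print(alert)
```

Running the block reports two alerts: the uninstall attempt on LAPTOP-02 and the fifth failed logon on LAPTOP-01 at 08:05. The threshold fires exactly once per burst because the check is on equality, so a sixth failure inside the same window does not produce a duplicate alert.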
38 Error codes
38.1 SGMERR codes in Windows event log
The Windows event log can contain messages of the following form:
"Authorization for SafeGuard Enterprise Administration failed for user... Reason: SGMERR[536870951]"
See the table below for the meaning of the number in SGMERR[...]. In this example, 536870951 means "Incorrect PIN entered. Unable to authenticate user".
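The message shape quoted above can be parsed mechanically and the SGMERR number resolved against the table. The following Python is an added example, not part of the help text or of the product: it embeds only a handful of entries from the table below, assumes that the user name follows "failed for user" in the message (the help text elides it), and counts repeated failed administration authorizations per user over constructed sample messages. The hexadecimal form is returned purely as a reading aid for the large decimal IDs (536870951 is 0x20000027).

```python
import re
from collections import Counter

# A subset of the SGMERR table in this chapter, keyed by the decimal Error ID.
# Only these entries are embedded; the full table follows in the text.
SGMERR = {
    0: "OK",
    102: "Access denied",
    536870928: "The certificate has expired and is no longer valid.",
    536870951: "The PIN entered is incorrect. Unable to authenticate user.",
    536870954: "The selected PIN is blocked and cannot be used.",  # first sentence only
    536870968: "Authentication failed.",
}

# Message shape shown in this chapter: "... failed for user... Reason: SGMERR[<decimal>]".
# Where exactly the user name sits is an assumption, since the help text elides it.
SGMERR_RE = re.compile(r"SGMERR\[(\d+)\]")
USER_RE = re.compile(r"failed for user\s+([^\s.]+)")


def parse_sgmerr(message):
    """Extract the SGMERR code from an event message.

    Returns (code, hex_code, display_text), or None when the message carries no
    SGMERR reason. Codes outside the embedded subset get a placeholder text.
    """
    m = SGMERR_RE.search(message)
    if not m:
        return None
    code = int(m.group(1))
    text = SGMERR.get(code, "unknown SGMERR code (not in embedded subset)")
    return code, f"0x{code:08X}", text


def failed_admin_logons(messages, threshold=3):
    """Return {user: count} for users whose administration authorization failed
    at least `threshold` times, a repeated-failure pattern worth a look."""
    counts = Counter()
    for msg in messages:
        if "Authorization for SafeGuard Enterprise Administration failed" not in msg:
            continue
        parsed = parse_sgmerr(msg)
        if parsed is None or parsed[0] == 0:
            continue
        user = USER_RE.search(msg)
        counts[user.group(1) if user else "<unknown user>"] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample messages (not real log output) in the shape quoted above.
SAMPLE_MESSAGES = [
    "Authorization for SafeGuard Enterprise Administration failed for user alice. Reason: SGMERR[536870951]",
    "Authorization for SafeGuard Enterprise Administration failed for user alice. Reason: SGMERR[536870951]",
    "Authorization for SafeGuard Enterprise Administration failed for user alice. Reason: SGMERR[536870954]",
    "Authorization for SafeGuard Enterprise Administration failed for user bob. Reason: SGMERR[536870928]",
    "SafeGuard Enterprise Administration started.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(parse_sgmerr(msg))
    print(failed_admin_logons(SAMPLE_MESSAGES))
```

With the sample input, alice is reported (two wrong PINs followed by a blocked PIN, three failures in total) and bob is not, because a single expired-certificate failure stays below the default threshold.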
Error ID
Display
0
OK
21
Internal error found
22
Module not initialized
23
File I/O Error detected
24
Cache cannot be assigned
25
File I/O Read error
26
File I/O Write error
50
No operation carried out
101
General error
102
Access denied
103
File already exists
1201
Registry entry could not be opened.
1202
Registry entry could not be read.
1203
Registry entry could not be written.
1204
Registry entry could not be removed.
Administrator help
Error ID
Display
1205
Registry entry could not be created.
1206
Access to a system service or driver was not possible.
1207
A system service or driver could not be added in the registry.
1208
A system service or driver could not be removed from the registry.
1209
An entry for a system service or driver already exists in the registry.
1210
No access to the Service Control Manager.
1211
An entry in the registry for a session could not be found.
1212
A registry entry is invalid or wrong
1301
Access to a drive has failed.
1302
No information about a volume available.
1303
Access to a volume failed.
1304
Invalid option defined.
1305
Invalid file system type.
1306
Existing file system on a volume and the defined file system differ.
1307
Existing cluster size used by a file system and the defined cluster size differ.
1308
Invalid sector size used by a file system defined.
1309
Invalid start sector defined.
1310
Invalid partition type defined.
1311
An unfragmented, unused area of required size could not be found on a volume.
1312
File system cluster could not be marked as used.
1313
File system cluster could not be marked as used.
1314
File system cluster could not be marked as GOOD.
1315
File system cluster could not be marked as BAD.
295
SafeGuard Enterprise
296
Error ID
Display
1316
No information about clusters of a file system available.
1317
Area marked as BAD could not be found on a volume.
1318
Invalid size of a volume area defined.
1319
MBR sector of a hard disk could not be replaced.
1330
Wrong command for an allocation or deallocation defined.
1351
Invalid algorithm defined.
1352
Access to system kernel has failed.
1353
No system kernel is installed.
1354
An error occurred accessing the system kernel.
1355
Invalid change of system settings.
1401
Writing data to a drive has failed
1402
Reading data from a drive has failed.
1403
Access to a drive has failed.
1404
Invalid drive defined.
1405
Changing position on a drive has failed.
1406
Drive is not ready.
1407
Unmount of a drive has failed.
1451
File could not be opened.
1452
File could not be found.
1453
Invalid file path defined.
1454
File could not be created.
1455
File could not be copied.
1456
No information about a volume available.
Administrator help
Error ID
Display
1457
Position in a file could not be changed.
1458
Reading data from a file has failed.
1459
Writing data to a file has failed.
1460
A file could not be removed.
1461
Invalid file system
1462
File could not be closed.
1463
Access to a file is not allowed.
1501
Not enough memory available.
1502
Invalid or wrong parameter defined.
1503
Data buffer size exceeded
1504
A DLL module could not be loaded.
1505
A function or process was aborted.
1506
No access allowed.
1510
No system kernel installed.
1511
A program could not be started.
1512
A function, an object or data are not available.
1513
Invalid entry detected.
1514
An object already exists.
1515
Invalid function call.
1516
An internal error has occurred.
1517
An access violation has occurred.
1518
Function or mode is not supported.
1519
Uninstallation has failed.
297
SafeGuard Enterprise
298
Error ID
Display
1520
An exception error has occurred.
1550
The MBR sector of the hard disk could not be replaced.
2850
Scheduler service stopped due to an exception.
2851
Scheduler task executed successfully.
2852
Scheduler task failed.
2853
Scheduler task created or modified.
2854
Scheduler task deleted.
20001
Unknown
20002
Process terminated
20003
File not verified
20004
Invalid policy
30050
Failed to open command.
30051
Not enough memory
30052
General failure of process communication
30053
A resource is temporarily unavailable.This is a temporary condition and later attempts
to access it may complete normally.
30054
General communication failure
30055
Unexpected return value
30056
No card reader attached
30057
Buffer overflow
30058
Card has no power
30059
A timeout has occurred
30060
Invalid card type
Administrator help
Error ID
Display
30061
The requested functionality is not supported at this time / under this OS / in this
situation etc
30062
Invalid driver
30063
This software cannot use the firmware of the connected hardware.
30064
Failed to open file
30065
File not found
30066
Card not inserted
30067
Invalid argument
30068
The semaphore is currently in use
30069
Semaphore is temporarily in use
30070
General failure.
30071
You currently do not have the rights to perform the requested action. Usually a
password has to be presented in advance
30072
The service is currently not available
30073
An item (for example a key with a specific name) could not be found
30074
The password presented is incorrect.
30075
The password has been presented incorrectly several times, and is therefore locked.
Usually use a suitable administrator tool to unblock it.
30076
The identity does not match a defined cross-check identity
30077
Multiple errors have occurred. Use this error code if it is the only way of obtaining
an error code when various different errors have occurred.
30078
There are still items left, therefore for example the directory structure etc. cannot be
deleted.
30079
Error during consistency check
30080
The ID is on a blacklist, so the requested action is not allowed.
30081
Invalid handle
299
SafeGuard Enterprise
300
Error ID
Display
30082
Invalid configuration file
30083
Sector not found.
30084
Entry not found.
30085
No more sections
30086
End of file reached.
30087
The specified item already exists.
30088
The password is too short.
30089
The password is too long.
30090
An item (for example a certificate) has expired.
30091
The password is not locked.
30092
Path not be found.
30093
The directory is not empty.
30094
No more data
30095
The disk is full
30096
An operation has been aborted.
30097
Read only data; a write operation failed
12451840
The key is unavailable.
12451842
The key is not defined.
12451842
Access to unencrypted medium denied.
12451843
Access to unencrypted medium denied unless it is empty.
352321637
The file is not encrypted.
352321638
The key is unavailable.
352321639
The correct key is unavailable.
Administrator help
Error ID
Display
352321640
Checksum error in file header
352321641
Error in CBI function.
352321642
Invalid file name.
352321643
Error when reading/writing temporary file.
352321644
Access to unencrypted data is not allowed.
352321645
Key Storage Area (KSA) full.
352321646
The file has already been encrypted with another algorithm.
352321647
The file has been compressed with NTFS and so cannot be encrypted.
352321648
File is encrypted with EFS!
352321649
Invalid file owner!
352321650
Invalid file encryption mode!
352321651
Error in CBC operation!
385875969
Integrity breached.
402653185
The token contains no credentials.
402653186
Credentials cannot be written to the token.
402653187
TDF tag could not be created.
402653188
TDF tag does not contain the required data.
402653189
The object already exists on the token.
402653190
No valid slot found.
402653191
Unable to read serial number
402653192
Token encryption has failed.
402653193
Token decryption has failed.
536870913
The key file contains no valid data.
301
SafeGuard Enterprise
302
Error ID
Display
536870914
Parts of the RSA key pair are invalid.
536870915
Failed to import the key pair.
536870916
The key file format is invalid.
536870917
No data available.
536870918
Certificate import failed.
536870919
The module has already been initialized.
536870920
The module has not been initialized.
536870921
The ASN.1 encryption is corrupt.
536870922
Incorrect data length.
536870923
Incorrect signature.
536870924
Incorrect encryption mechanism applied.
536870925
This version is not supported.
536870926
Padding error.
536870927
Invalid flags.
536870928
The certificate has expired and is no longer valid.
536870929
Incorrect time entered. Certificate not yet valid.
536870930
The certificate has been withdrawn.
536870931
The certificate chain is invalid.
536870932
Unable to create the certificate chain.
536870933
Unable to contact CDP.
536870934
A certificate which can be used only as the final data unit has been used as CA or
vice versa.
536870935
Problems with validity of certificate length in the chain.
Administrator help
Error ID
Display
536870936 | Error opening file.
536870937 | Error reading a file.
536870938 | Error or several parameters which have been assigned to the function are incorrect.
536870939 | Function output exceeds cache.
536870940 | Token problem and/or slot breached.
536870941 | Token has insufficient memory to perform the required function.
536870942 | Token was removed from slot while function being performed.
536870943 | The required function could be performed but information on the cause of this error is not available.
536870945 | The computer on which the CBI compilation is taking place has insufficient memory to perform the required function. This function may be only partly completed.
536870946 | A required function is not supported by the CBI compilation.
536870947 | An attempt has been made to set a value for an object which cannot be set or altered.
536870948 | Invalid value for object.
536870949 | An attempt to obtain the value of an object has failed because the object is either sensitive or inaccessible.
536870950 | The PIN entered has expired. (Whether a normal user's PIN runs on an issued token varies from one to another).
536870951 | The PIN entered is incorrect. Unable to authenticate user.
536870952 | The PIN entered contains invalid characters. This response code is applied only for those attempting to set up a PIN.
536870953 | The PIN entered is too long/short. This response code is applied only for those attempting to set up a PIN.
536870954 | The selected PIN is blocked and cannot be used. This happens when a certain number of attempts are made to authenticate a user and the token refuses any further attempts.
536870955 | Invalid Slot ID.
536870956 | The token was not in the slot at the time of the request.
536870957 | The CBI archive/slot failed to recognize the token in the slot.
536870958 | The requested action cannot be carried out because the token is write-protected.
536870959 | The entered user cannot be logged on because this user is already logged onto a session.
536870960 | The entered user cannot be logged on because another user is already logged onto the session.
536870961 | The required action cannot be performed because there is no matching user logged on. One example is that a session cannot be logged off while one is still logged on.
536870962 | The normal user PIN has not been initialized with CBIInitPin.
536870963 | An attempt made by several different users to log on to the same token simultaneously has been allowed.
536870964 | Invalid value entered as CBIUser. Valid types are defined in user types.
536870965 | An object with the designated ID could not be found on the token.
536870966 | Operation has timed out.
536870967 | This version of IE is not supported.
536870968 | Authentication failed.
536870969 | The basic certificate is secured.
536870970 | No CRL found.
536870971 | No active internet connection.
536870972 | Certificate time-value error.
536870973 | Unable to verify the selected certificate.
536870974 | Certificate expiry status unknown.
536870975 | The module has exited. No further requests.
536870976 | An error has occurred during request for network function.
536870977 | An invalid request for a function has been received.
536870978 | Unable to find an object.
536870979 | A terminal server session has been interrupted.
536870980 | Invalid operation.
536870981 | The object is in use.
536870982 | The random number generator has not been initialized. (CBIRNDInit ( ) not requested.)
536870983 | Unknown command (see CBIControl ( ) ).
536870984 | UNICODE is not supported.
536870985 | More seed needed for random number generator.
536870986 | Object already exists
536870987 | Incorrect algorithm combination. (See CBIRecrypt ( ) ).
536870988 | The Cryptoki module (PKCS#11) has not been initialized.
536870989 | The Cryptoki module (PKCS#11) has been initialized.
536870990 | Unable to load Cryptoki module (PKCS#11).
536870991 | Certificate not found.
536870992 | Not trusted.
536870993 | Invalid key.
536870994 | The key cannot be exported.
536870995 | The algorithm entered is temporarily not supported.
536870996 | The decryption mode entered is not supported.
536870997 | GSENC compilation error.
536870998 | Data request format not recognized.
536870999 | The certificate has no private key.
536871000 | Bad system setting.
536871001 | There's an operation active
536871002 | A certificate in the chain is not properly time nested.
536871003 | The CRL could not be replaced
536871004 | The USER pin has already been initialized
805306369 | You do not have sufficient rights to perform this action. Access denied!
805306370 | Invalid operation
805306371 | Invalid parameter in use
805306372 | Object already exists
805306373 | The object could not be found.
805306374 | Database Exception
805306375 | The action has been cancelled by the user.
805306376 | The token is not assigned to a specific user.
805306377 | The token is assigned to more than one user.
805306378 | The token could not be found in the database.
805306379 | The token has been successfully deleted and removed from the database.
805306380 | Unable to identify the token in the database.
805306381 | The policy is assigned to a policy group. Remove assignment before deleting policy.
805306382 | The policy is assigned to an OU. Please remove assignment first.
805306383 | The certificate is invalid for this Officer.
805306384 | The certificate has expired for this Officer.
805306385 | The Officer could not be found in the database.
805306386 | The selected Officer is not unique.
805306387 | The Officer is blocked and cannot be authenticated.
805306388 | The Officer is no longer or not yet valid.
805306389 | Unable to authorize Officer - request outside office hours.
805306390 | Responsible party cannot delete self.
805306391 | The Master Security Officer cannot be deleted because a second Master Security Officer is needed for additional authentication.
805306392 | The Security Officer cannot be deleted because a second Security Officer is required for additional authentication.
805306393 | The checking Officer cannot be deleted because a second checking Officer is required for additional authentication.
805306394 | The recovery Officer cannot be deleted because a second recovery Officer is required for additional authentication.
805306395 | The advisory Officer cannot be deleted because a second advisory Officer is required for additional authentication.
805306396 | The Master Security Officer function cannot be deleted because a second Master Security Officer is needed for additional authentication.
805306397 | The Security Officer function cannot be deleted because a second Security Officer is needed for additional authentication.
805306398 | The checking Officer function cannot be deleted because a second checking Officer is needed for additional authentication.
805306399 | The recovery Officer function cannot be deleted because a second recovery Officer is needed for additional authentication.
805306400 | The advisory Officer function cannot be deleted because a second advisory Officer is needed for additional authentication.
805306401 | There is no additional Officer with the required function available for additional authentication.
805306402 | Event log
805306403 | Integrity of central event log successfully verified.
805306404 | Integrity breached! One or more events have been removed from the start of the chain.
805306405 | Integrity breached! One or more events have been removed from the chain. The message at which point the break in the chain was discovered has been highlighted.
805306406 | Integrity breached! One or more events have been removed from the end of the chain.
805306407 | Failed to export events to file. Reason:
805306408 | The current view contains unsaved data. Do you want to save changes before exiting this view?
805306409 | The file could not be loaded or the file is damaged. Reason:
805306410 | The integrity of the log has been breached! One or more events have been removed.
805306411 | Save events to a file before deleting?
805306412 | Job display
805306413 | Several CRL found in database: Unable to delete CRL.
805306414 | CRL not found in database:
805306415 | Unable to find the user to whom the certificate should have been assigned to in the database.
805306416 | A P7 Blob is urgently required for a certificate assignment.
805306417 | The user to whom the certificate should have been assigned is not uniquely named.
805306418 | Unfortunately unable to find certificate assignment.
805306419 | Certificate assignment not unique. Unclear which certificate to remove.
805306420 | Unable to find the user for whom the certificate is to be produced in the database.
805306421 | The user to whom the certificate is to be assigned cannot be uniquely named.
805306422 | The certificate has already been assigned to another user. A certificate can only be assigned to one user.
805306423 | Unable to find the machine to which the certificate is to be assigned in the database.
805306424 | The machine to assign the certificate could not be uniquely identified.
805306425 | Imported certificates cannot be extended by SGN.
805306426 | Inconsistent certificate data
805306427 | The extension of the certificate has not been approved by a Security Officer.
805306428 | Error deleting token
805306429 | Certificate cannot be deleted by the token because it has been used to authorize the present user.
805306430 | System access already exists with this name. Please select another name.
805306431 | The Security Officer does not have any roles assigned. Logon not possible.
805306432 | The license is violated.
805306433 | No license was found.
805306435 | Missing or invalid log file path.
2415919104 | No policy found.
2415919105 | No configuration file available!
2415919106 | No connection to server.
2415919107 | No more data.
2415919108 | Invalid priority used for sending to server!
2415919109 | More data pending.
2415919110 | Auto registration pending.
2415919111 | Database authentication failed!
2415919112 | Wrong session ID!
2415919113 | Data packet dropped!
3674210305 | Domain not found.
3674210306 | Machine not found.
3674210307 | User not found.
3758096385 | The password does not contain enough letters
3758096386 | The password does not contain enough numbers
3758096387 | The password does not contain enough special characters
3758096388 | The password is the same as the user name
3758096389 | The password contains consecutive characters
3758096390 | The password is too similar to the user name
3758096391 | The password has been found in a list of prohibited passwords
3758096392 | The password is too similar to the old password
3758096393 | The password includes a keyboard sequence with more than two characters
3758096394 | The password includes a keyboard column with more than two characters
3758096395 | The password is not yet valid
3758096396 | A password has expired
3758096397 | The password has not yet reached its minimum validity period
3758096398 | The password has exceeded its maximum validity period
3758096399 | Information must be displayed about an impending change to the password
3758096400 | Must be changed at first log on
3758096401 | The password has been found in the history
3758096402 | Error when verifying against specified blacklist.
4026531840 | No "platform" found.
4026531841 | No document.
4026531842 | XML Parse Error.
4026531843 | Document Object Model (XML) Error
4026531844 | No <DATAROOT> tag found.
4026531845 | XML tag not found.
4026531846 | "nostream" error.
4026531847 | "printtree" error.
38.2 BitLocker error codes
BitLocker errors are reported using the following SafeGuard events:
■ 2072: Kernel initialization has failed. Internal code: <Error code>.
■ 3506: Sector-based initial encryption of drive <drive letter> failed and closed. Reason: <Error code>
The following table provides a list of error codes for BitLocker:
Error code (Hex) | Error code (Dec) | Description
0x00000000 – 0x000032C8 | 0 – 15999 | See Microsoft System Error Codes
0x00BEB001 | 12496897 | Encryption not possible due to error during kernel initialization.
0x00BEB002 | 12496898 | Boot manager must not be on the system volume to be encrypted.
0x00BEB003 | 12496899 | Found an unsupported Windows version on the HDD. Minimum is Windows Vista.
0x00BEB004 | 12496900 | The configured authentication method is not supported.
0x00BEB005 | 12496901 | The PIN dialog has not been completed successfully.
0x00BEB006 | 12496902 | The path dialog has not been completed successfully.
0x00BEB007 | 12496903 | Error in inter-process communication in PIN or path dialog.
0x00BEB008 | 12496904 | Unhandled exception in PIN or path dialog. The dialog was displayed, but the user logged off or stopped it with the Task Manager.
0x00BEB009 | 12496905 | The encryption algorithm defined in the policy does not match the one of the encrypted drive. By default (if not modified) native BitLocker uses AES-128 whereas the SGN policies define AES-256.
0x00BEB00A | 12496906 | The volume is a dynamic volume. Dynamic volumes are not supported.
0x00BEB00B | 12496907 | The hardware test failed because of a hardware problem.
0x00BEB00C | 12496908 | An error occurred during TPM initialization and activation.
0x00BEB00D | 12496909 | The Encryption-Algorithm in the SGN-Policy conflicts with the Encryption-Algorithm settings in the GPO.
0x00BEB00E | 12496910 | Sector-based initial encryption of drive <drive letter> failed.
0x00BEB00F | 12496911 | Active Directory backup of recovery keys is required but no domain controller is available.
0x00BEB010 | 12496912 | Active Directory backup of recovery keys is not compatible with BitLocker Challenge/Response.
0x00BEB102 | 12497154 | UEFI version could not be validated and therefore BitLocker will be executed in legacy mode.
0x00BEB202 | 12497410 | Client configuration package has not yet been installed.
0x00BEB203 | 12497411 | UEFI version not supported and therefore BitLocker will be executed in legacy mode. Minimum requirement is 2.3.1.
0x80280006 | -2144862202 | The TPM is inactive.
0x80280007 | -2144862201 | The TPM is disabled.
0x80280014 | -2144862188 | The TPM already has an owner.
0x80310037 | -2144272329 | The Group Policy setting requiring FIPS compliance prevents a local recovery password from being generated and written to the key backup file. Encryption will nevertheless continue.
0x8031005B | -2144272293 | The Group Policy for the specified authentication method is not set. Please enable the Group Policy "Require additional authentication at startup".
0x8031005E | -2144272290 | The Group Policy for encryption without TPM is not set. Please enable the Group Policy "Require additional authentication at startup" and set the checkbox "Allow BitLocker without a compatible TPM" within it.
0x80280000 – 0x803100CF | -2144862208 – -2144272177 | See Microsoft COM Error Codes (TPM, PLA, FVE).
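SafeGuard events 2072 and 3506 print the BitLocker error code as a signed decimal number, while the table above is keyed by the hexadecimal value; the negative decimals are simply 32-bit HRESULTs read as signed integers. The following Python decoder is an added example, not Sophos code: it pulls the code out of an event string in the shape the manual describes, normalizes it between signed decimal and hex, and sorts it into the three buckets of the table (Win32 system error, SafeGuard-specific 0x00BEBxxx code, Microsoft COM error). The constructed event strings, the small subset of table rows it carries, the treatment of the whole 0x00BEB000–0x00BEBFFF range as SafeGuard-specific, and the HRESULT facility names (taken from Microsoft's winerror.h, not from this manual) are assumptions of the example.

```python
import re

# Subset of the SafeGuard-specific rows from the table above (constructed
# lookup for the example; the manual holds the full list).
SGN_BITLOCKER_CODES = {
    0x00BEB001: "Encryption not possible due to error during kernel initialization.",
    0x00BEB00C: "An error occurred during TPM initialization and activation.",
    0x00BEB00F: "Active Directory backup of recovery keys is required but no domain controller is available.",
    0x00BEB203: "UEFI version not supported and therefore BitLocker will be executed in legacy mode. Minimum requirement is 2.3.1.",
}

# HRESULT facility numbers (bits 16-26 of the code) as defined in Microsoft's
# winerror.h. Assumed from that header; the manual only names TPM, PLA and FVE.
HRESULT_FACILITIES = {
    0x28: "TPM services",
    0x29: "TPM software",
    0x30: "PLA",
    0x31: "FVE (BitLocker)",
}

# Matches the "Reason: <Error code>" / "Internal code: <Error code>" tail of
# SafeGuard events 3506 and 2072. The code may be signed decimal or 0x-hex.
EVENT_CODE_RE = re.compile(r"(?:Reason|Internal code):\s*(-?\d+|0x[0-9A-Fa-f]+)")


def to_u32(code: int) -> int:
    """Map a signed or unsigned value to its unsigned 32-bit representation."""
    return code & 0xFFFFFFFF


def to_i32(code: int) -> int:
    """Map a value to the signed 32-bit form that SafeGuard prints in events."""
    u = to_u32(code)
    return u - 0x100000000 if u & 0x80000000 else u


def classify(code: int):
    """Return (bucket, description) using the ranges of the manual's table."""
    u = to_u32(code)
    if u <= 0x000032C8:
        return "win32", "See Microsoft System Error Codes"
    if u in SGN_BITLOCKER_CODES:
        return "sgn", SGN_BITLOCKER_CODES[u]
    if 0x00BEB000 <= u <= 0x00BEBFFF:
        # Assumption: every code in this block is SafeGuard-specific.
        return "sgn", "SafeGuard BitLocker code (see the full table in the manual)"
    if 0x80280000 <= u <= 0x803100CF:
        facility = (u >> 16) & 0x7FF
        name = HRESULT_FACILITIES.get(facility, f"facility 0x{facility:X}")
        return "com", f"See Microsoft COM Error Codes ({name}, HRESULT 0x{u:08X})"
    return "unknown", f"Unrecognized code 0x{u:08X}"


def parse_event(message: str):
    """Extract the error code from a SafeGuard event string and decode it."""
    m = EVENT_CODE_RE.search(message)
    if not m:
        return None
    token = m.group(1)
    code = int(token, 16) if token.lower().startswith("0x") else int(token)
    bucket, description = classify(code)
    return {
        "hex": f"0x{to_u32(code):08X}",
        "dec": to_i32(code),
        "bucket": bucket,
        "description": description,
    }


if __name__ == "__main__":
    # Constructed sample events in the shape the manual describes.
    samples = [
        "3506: Sector-based initial encryption of drive C: failed and closed. Reason: -2144862202",
        "2072: Kernel initialization has failed. Internal code: 12496897",
        "3506: Sector-based initial encryption of drive D: failed and closed. Reason: 5",
    ]
    for s in samples:
        print(parse_event(s))
```

The first sample resolves to 0x80280006, a TPM-facility HRESULT, which the table explains as "The TPM is inactive"; the decoder makes that connection for any signed decimal an event reports, so an administrator can go from the event text straight to the right Microsoft reference without manual hex conversion.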
39 Technical support
You can find technical support for Sophos products in any of these ways:
■ Visit the SophosTalk community at community.sophos.com/ and search for other users who are experiencing the same problem.
■ Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
■ Download the product documentation at www.sophos.com/en-us/support/documentation/.
■ Open a ticket with our support team at https://secure2.sophos.com/support/contact-support/support-query.aspx.
40 Legal notices
Copyright © 1996 - 2014 Sophos Limited. All rights reserved. SafeGuard is a registered trademark
of Sophos Limited and Sophos Group.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you
are either a valid licensee where the documentation can be reproduced in accordance with the
license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.
You will find copyright information on third-party suppliers in the Disclaimer and Copyright for 3rd Party Software document in your product directory.